pax_global_header00006660000000000000000000000064125775531150014525gustar00rootroot0000000000000052 comment=b5247d4b3791a54f27cbb1609027e45267c1067d heimdal-1.7~git20150920+dfsg/000077500000000000000000000000001257755311500154435ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/.gitignore000066400000000000000000000257171257755311500174470ustar00rootroot00000000000000# After changing this file, please run: # # git ls-files -i --exclude-standard # # to check that you haven't inadvertently ignored any tracked files. This # command should return no output. Any files listed by it are files # present in the repository but ignored by .gitignore. # General rules, with some exclusions for where they're too general. .DS_Store .deps/ .dirstamp .libs/ Makefile Makefile.in asn1_*.[cx] !/lib/asn1/asn1_gen.c !/lib/asn1/asn1_print.c !/lib/krb5/asn1_glue.c *_asn1.h !/lib/asn1/heim_asn1.h *_asn1.hx *_asn1-priv.h *_asn1-priv.hx *_asn1-template.c *_asn1-template.x *_asn1_files *_err.[ch] !/lib/com_err/com_err.[ch] *-commands.[ch] *~ *.a *.la *.lo *.o *.log *.trs *.tmp # Top-level files. /aclocal.m4 /autom4te.cache /compile /config.guess /config.log /config.status /config.sub /configure /depcomp /install-sh /libtool /ltmain.sh /missing /setupbuild.cmd /stage1.diff /stage2.diff /tags /test-driver /ylwrap /lib/libedit/aclocal.m4 /lib/libedit/autom4te.cache /lib/libedit/compile /lib/libedit/config.guess /lib/libedit/config.h /lib/libedit/config.log /lib/libedit/config.status /lib/libedit/config.sub /lib/libedit/configure /lib/libedit/depcomp /lib/libedit/install-sh /lib/libedit/libtool /lib/libedit/ltmain.sh /lib/libedit/missing /lib/libedit/setupbuild.cmd /lib/libedit/ylwrap /lib/libedit/src/common.h /lib/libedit/src/emacs.h /lib/libedit/src/fcns.c /lib/libedit/src/fcns.h /lib/libedit/src/help.c /lib/libedit/src/help.h /lib/libedit/src/vi.h /lib/libedit/stamp-h1 # Files in subdirectories. 
/admin/ktutil /appl/afsutil/afslog /appl/afsutil/pagsh /appl/dbutils/bsearch /appl/ftp/ftp/ftp /appl/ftp/ftpd/ftpcmd.c /appl/ftp/ftpd/ftpd /appl/ftp/ftpd/gssapi.c /appl/ftp/ftpd/security.c /appl/ftp/ftpd/security.h /appl/gssmask/gssmaestro /appl/gssmask/gssmask /appl/kf/kf /appl/kf/kfd /appl/kx/kx /appl/kx/kxd /appl/kx/rxtelnet /appl/kx/rxterm /appl/kx/tenletxr /appl/login/login /appl/login/login-protos.h /appl/otp/otp /appl/otp/otpprint /appl/popper/pop_debug /appl/popper/popper /appl/push/pfrom /appl/push/push /appl/rcp/rcp /appl/rsh/limits_conf.c /appl/rsh/login_access.c /appl/rsh/rsh /appl/rsh/rshd /appl/su/su /appl/telnet/telnet/telnet /appl/telnet/telnetd/telnetd /appl/test/gssapi_client /appl/test/gssapi_server /appl/test/http_client /appl/test/nt_gss_client /appl/test/nt_gss_server /appl/test/tcp_client /appl/test/tcp_server /appl/test/uu_client /appl/test/uu_server /appl/xnlock/xnlock /cf/libtool.m4 /cf/ltoptions.m4 /cf/ltsugar.m4 /cf/ltversion.m4 /cf/lt~obsolete.m4 /doc/Makefile.in /doc/heimdal.info /doc/hx509.info /doc/gssapi /doc/hdb /doc/hcrypto /doc/hx509 /doc/krb5 /doc/ntlm /doc/wind /doc/vars.texi /doc/doxyout /include/*.h !/include/crypto-headers.h !/include/heim_threads.h /include/bits /include/config.h.in /include/gssapi/*.h /include/kadm5/*.h /include/stamp-h1 /include/version.h.in /kadmin/add_random_users /kadmin/kadmin /kadmin/kadmind /kadmin/test_util /kcm/kcm /kcm/kcm-protos.h /kdc/digest-service /kdc/hprop /kdc/hpropd /kdc/kdc /kdc/kdc-protos.h /kdc/kdc-private.h /kdc/kdc-replay /kdc/kdc-tester /kdc/kstash /kdc/string2key /kpasswd/kpasswd /kpasswd/kpasswd-generator /kpasswd/kpasswdd /kuser/copy_cred_cache /kuser/generate-requests /kuser/heimtools /kuser/kdecode_ticket /kuser/kdestroy /kuser/kdigest /kuser/kgetcred /kuser/kimpersonate /kuser/kinit /kuser/klist /kuser/kswitch /kuser/kverify /lib/asn1/asn1_compile /lib/asn1/asn1_gen /lib/asn1/asn1_print /lib/asn1/asn1parse.c /lib/asn1/asn1parse.h /lib/asn1/check-ber /lib/asn1/check-der 
/lib/asn1/check-gen /lib/asn1/check-template /lib/asn1/check-timegm /lib/asn1/der-protos.h /lib/asn1/der-private.h /lib/asn1/lex.c /lib/auth/Makefile.in /lib/base/base64.c /lib/base/test_base /lib/base/test_db.json /lib/com_err/compile_et /lib/com_err/lex.c /lib/com_err/parse.c /lib/com_err/parse.h /lib/com_err/snprintf.c /lib/com_err/strlcpy.c /lib/editline/snprintf.c /lib/editline/strdup.c /lib/editline/strlcat.c /lib/editline/testit /lib/gssapi/gss /lib/gssapi/gsstool /lib/gssapi/krb5/gsskrb5-private.h /lib/gssapi/ntlm/ntlm-private.h /lib/gssapi/spnego/spnego-private.h /lib/gssapi/test_acquire_cred /lib/gssapi/test_cfx /lib/gssapi/test_context /lib/gssapi/test_cred /lib/gssapi/test_kcred /lib/gssapi/test_names /lib/gssapi/test_ntlm /lib/gssapi/test_oid /lib/hdb/hdb-protos.h /lib/hdb/hdb-private.h /lib/hdb/test_dbinfo /lib/hdb/test_hdbkeys /lib/hdb/test_hdbplugin /lib/hdb/test_mkey /lib/hx509/PKITS_data/ /lib/hx509/cert-ca.der /lib/hx509/cert-ca.pem /lib/hx509/cert-ee.pem /lib/hx509/cert-null.pem /lib/hx509/cert-proxy.der /lib/hx509/cert-sub-ca.pem /lib/hx509/cert-sub-ca2.pem /lib/hx509/cert-sub-ee.pem /lib/hx509/crl.crl /lib/hx509/data/*.srl /lib/hx509/data/*.req /lib/hx509/data/sub-ca-combined.crt /lib/hx509/ev.data /lib/hx509/ev.data.out /lib/hx509/hx509-private.h /lib/hx509/hx509-protos.h /lib/hx509/hxtool /lib/hx509/out.pem /lib/hx509/out2.pem /lib/hx509/pkcs10-request.der /lib/hx509/random-data /lib/hx509/request.out /lib/hx509/sel-gram.c /lib/hx509/sel-gram.h /lib/hx509/sel-lex.c /lib/hx509/sd /lib/hx509/sd.data /lib/hx509/sd.data.out /lib/hx509/sd.pem /lib/hx509/statfile /lib/hx509/test /lib/hx509/test-rc-file.rc /lib/hx509/test_ca /lib/hx509/test_cert /lib/hx509/test_chain /lib/hx509/test_cms /lib/hx509/test_crypto /lib/hx509/test_expr /lib/hx509/test_java_pkcs11 /lib/hx509/test_name /lib/hx509/test_nist /lib/hx509/test_nist2 /lib/hx509/test_nist_cert /lib/hx509/test_nist_pkcs12 /lib/hx509/test_pkcs11 /lib/hx509/test_query /lib/hx509/test_req 
/lib/hx509/test_soft_pkcs11 /lib/hx509/test_windows /lib/hx509/wca.pem /lib/hx509/wcrl.crl /lib/hx509/wdc.pem /lib/hx509/wuser.pem /lib/ipc/tc /lib/ipc/ts /lib/ipc/ts-http /lib/kadm5/default_keys /lib/kadm5/iprop-log /lib/kadm5/ipropd-master /lib/kadm5/ipropd-slave /lib/kadm5/test_pw_quality /lib/kadm5/kadm5-protos.h /lib/kadm5/kadm5-private.h /lib/kafs/resolve.c /lib/kafs/strlcpy.c /lib/kafs/strsep.c /lib/kafs/strtok_r.c /lib/krb5/aes-test /lib/krb5/config_file.c.orig /lib/krb5/config_file.c.rej /lib/krb5/derived-key-test /lib/krb5/krb5-protos.h /lib/krb5/krb5-private.h /lib/krb5/krbhst-test /lib/krb5/n-fold-test /lib/krb5/parse-name-test /lib/krb5/store-test /lib/krb5/string-to-key-test /lib/krb5/test_acl /lib/krb5/test_addr /lib/krb5/test_alname /lib/krb5/test_ap-req /lib/krb5/test_canon /lib/krb5/test_cc /lib/krb5/test_config /lib/krb5/test_config_include.out /lib/krb5/test_config_strings.out /lib/krb5/test_crypto /lib/krb5/test_crypto_wrapping /lib/krb5/test_expand_toks /lib/krb5/test_fx /lib/krb5/test_hostname /lib/krb5/test_keytab /lib/krb5/test_mem /lib/krb5/test_pac /lib/krb5/test_pkinit_dh2key /lib/krb5/test_pknistkdf /lib/krb5/test_plugin /lib/krb5/test_prf /lib/krb5/test_princ /lib/krb5/test_set_kvno0 /lib/krb5/test_store /lib/krb5/test_time /lib/krb5/test_x500 /lib/krb5/test_forward /lib/krb5/test_get_addrs /lib/krb5/test_gic /lib/krb5/test_kuserok /lib/krb5/test_renew /lib/krb5/test_rfc3961 /lib/krb5/verify_krb5_conf /lib/ntlm/heimntlm-protos.h /lib/ntlm/test_ntlm /lib/otp/ndbm_wrap.c /lib/otp/ndbm_wrap.h /lib/otp/otptest /lib/otp/snprintf.c /lib/otp/strcasecmp.c /lib/otp/strlcat.c /lib/otp/strlcpy.c /lib/otp/strlwr.c /lib/otp/strncasecmp.c /lib/roken/base64-test /lib/roken/getaddrinfo-test /lib/roken/getifaddrs-test /lib/roken/getxxyyy-test /lib/roken/glob.h /lib/roken/hex-test /lib/roken/make-roken /lib/roken/make-roken.c /lib/roken/parse_bytes-test /lib/roken/parse_reply-test /lib/roken/parse_time-test /lib/roken/resolve-test /lib/roken/rkpty 
/lib/roken/roken.h /lib/roken/snprintf-test /lib/roken/snprintf-test.trs /lib/roken/strpftime-test /lib/roken/test-readenv /lib/roken/tsearch-test /lib/roken/vis.h /lib/sl/getprogname.c /lib/sl/slc /lib/sl/slc-gram.c /lib/sl/slc-gram.h /lib/sl/slc-lex.c /lib/sl/snprintf.c /lib/sl/strdup.c /lib/sl/strtok_r.c /lib/sl/strupr.c /lib/sl/test_sl /lib/wind/*.pyc /lib/wind/bidi_table.c /lib/wind/bidi_table.h /lib/wind/combining_table.c /lib/wind/combining_table.h /lib/wind/errorlist_table.c /lib/wind/errorlist_table.h /lib/wind/idn-lookup /lib/wind/map_table.c /lib/wind/map_table.h /lib/wind/normalize_table.c /lib/wind/normalize_table.h /lib/wind/punycode_examples.c /lib/wind/punycode_examples.h /lib/wind/test-bidi /lib/wind/test-ldap /lib/wind/test-map /lib/wind/test-normalize /lib/wind/test-prohibited /lib/wind/test-punycode /lib/wind/test-rw /lib/wind/test-utf8 /out /po/gen-po.sh /scripts /tests/bin/setup-env /tests/can/check-can /tests/can/current-db.db /tests/can/krb5.conf /tests/can/mit-pkinit-20070607.cf /tests/can/test_can /tests/db/add-modify-delete /tests/db/check-aliases /tests/db/check-dbinfo /tests/db/current-db.db /tests/db/dbinfo.out /tests/db/have-db /tests/db/krb5.conf /tests/db/krb5.conf-sqlite /tests/db/loaddump-db /tests/db/tempfile /tests/gss/barpassword /tests/gss/check-context /tests/gss/check-gss /tests/gss/check-gssmask /tests/gss/check-ntlm /tests/gss/check-spnego /tests/gss/current-db.db /tests/gss/foopassword /tests/gss/krb5.conf /tests/gss/krb5ccfile /tests/gss/krb5ccfile-ds /tests/gss/server.keytab /tests/gss/tempfile /tests/java/KerberosInit$1.class /tests/java/KerberosInit$TestCallBackHandler.class /tests/java/KerberosInit.class /tests/java/check-kinit /tests/java/current-db.db /tests/java/foopassword /tests/java/jgssapi_server.class /tests/java/server.keytab /tests/java/krb5.conf /tests/kdc/acache.krb5 /tests/kdc/barpassword /tests/kdc/ca.crt /tests/kdc/cache.krb5 /tests/kdc/cdigest-reply /tests/kdc/check-authz /tests/kdc/check-canon 
/tests/kdc/check-cc /tests/kdc/check-delegation /tests/kdc/check-des /tests/kdc/check-digest /tests/kdc/check-fast /tests/kdc/check-hdb-mitdb /tests/kdc/check-iprop /tests/kdc/check-kadmin /tests/kdc/check-kdc /tests/kdc/check-kdc-weak /tests/kdc/check-keys /tests/kdc/check-kpasswdd /tests/kdc/check-pkinit /tests/kdc/check-referral /tests/kdc/check-tester /tests/kdc/check-uu /tests/kdc/current-db.db /tests/kdc/current-db.sqlite3 /tests/kdc/foopassword /tests/kdc/iprop-stats /tests/kdc/iprop.keytab /tests/kdc/ipropd.dumpfile /tests/kdc/kdc.crt /tests/kdc/kdc-tester4.json /tests/kdc/krb5-authz.conf /tests/kdc/krb5-authz2.conf /tests/kdc/krb5-canon.conf /tests/kdc/krb5-canon2.conf /tests/kdc/krb5-hdb-mitdb.conf /tests/kdc/krb5-pkinit-win.conf /tests/kdc/krb5-pkinit.conf /tests/kdc/krb5-slave.conf /tests/kdc/krb5-weak.conf /tests/kdc/krb5.conf /tests/kdc/krb5-cc.conf /tests/kdc/krb5.conf.keys /tests/kdc/localname /tests/kdc/o2cache.krb5 /tests/kdc/ocache.krb5 /tests/kdc/pkinit.crt /tests/kdc/pkinit2.crt /tests/kdc/pkinit3.crt /tests/kdc/pkinit4.crt /tests/kdc/req-kdc.der /tests/kdc/req-pkinit.der /tests/kdc/req-pkinit2.der /tests/kdc/s2digest-reply /tests/kdc/sdigest-init /tests/kdc/sdigest-reply /tests/kdc/server.keytab /tests/kdc/tempfile /tests/kdc/test-rc-file.rc /tests/ldap/check-ldap /tests/ldap/krb5.conf /tests/ldap/slapd-init /tests/plugin/check-pac /tests/plugin/current-db.db /tests/plugin/foopassword /tests/plugin/krb5.conf /tests/plugin/server.keytab /tools/heimdal-gssapi.pc /tools/heimdal-kadm-client.pc /tools/heimdal-kadm-server.pc /tools/heimdal-krb5.pc /tools/kadm-client.pc /tools/kadm-server.pc /tools/kafs.pc /tools/krb5-gssapi.pc /tools/krb5.pc /tools/krb5-config heimdal-1.7~git20150920+dfsg/.travis.yml000066400000000000000000000021571257755311500175610ustar00rootroot00000000000000language: c env: global: secure: 
"YKG77M7zMvJ+IeV2ziw//HcHqMqFoAzIZlE99Yw/aOn5pvMYKq6Ep7EFVhbfDu9yN0T7M5csCGQeH7/ylDlsZSRMUw72844ezMDM8e10T/lW/T/OYN7j1ZVHh3WSJgS+1D9VG6/Y0OY1Si3lb7PcOdAIU0fPJV5xQONN2+hpJeI=" before_install: - sudo apt-get update -qq - sudo apt-get install -qq bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libhesiod-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libx11-dev libxau-dev libxt-dev pkg-config python ss-dev texinfo x11proto-core-dev unzip netbase - mkdir ci-build - mkdir coverity-build - ./autogen.sh install: - cd ci-build - ../configure - make script: - if [ x${COVERITY_SCAN_BRANCH} != x1 ]; then make check; fi compiler: clang notifications: email: on_success: change on_failure: always addons: coverity_scan: project: name: "heimdal/heimdal" description: "Build submitted via Travis CI" notification_email: lha@h5l.org build_command_prepend: ../configure build_command: make branch_pattern: coverity_scan heimdal-1.7~git20150920+dfsg/ChangeLog000066400000000000000000000326751257755311500172320ustar00rootroot00000000000000 We stop writing change logs, see the source code version control systems history log instead 2008-07-28 Love Hornquist Astrand * lib/krb5/v4_glue.c: The "kaserver" part of Heimdal occasionally issues invalid AFS tokens (here "occasionally" means for certain users in certain realms). In lib/krb5/v4_glue.c, in the routine storage_to_etext the ticket is padded to a multiple of 8 bytes. If it is already a multiple of 8 bytes, 8 additional 0-bytes are added. This catches the AFS krb4 ticket decoder by surprise: unless the ticket is exactly 56 bytes, it only supports the minimum necessary padding. It detects the superfluous padding by comparing the ticket length decoded to the advertised ticket length. Hence a 7-letter userid in "cern.ch" which resulted in a ticket of 40 bytes, got "padded" to 48 bytes which the rxkad decoder rejected. From Rainer Toebbicke. 
2008-07-25 Love Hörnquist Åstrand * kuser/kinit.c: add --ok-as-delegate and --windows flags * kpasswd/kpasswd-generator.c: Switch to krb5_set_password. * kuser/kinit.c: Use krb5_cc_set_config. * lib/krb5/cache.c: Add krb5_cc_[gs]et_config. 2008-07-22 Love Hörnquist Åstrand * lib/krb5/crypto.c: Allow numbers to be enctypes to as long as they are valid. 2008-07-17 Love Hörnquist Åstrand * lib/hdb/version-script.map: some random bits needed for libkadm 2008-07-15 Love Hörnquist Åstrand * lib/krb5/send_to_kdc_plugin.h: add name for send_to_kdc plugin. * lib/krb5/krbhst.c: handle KRB5_PLUGIN_NO_HANDLE for lookup plugin. * lib/krb5/send_to_kdc.c: Add support for the send_to_kdc plugin interface. * lib/krb5/Makefile.am: add send_to_kdc_plugin.h * lib/krb5/krb5_err.et: add plugin error codes 2008-07-14 Love Hornquist Astrand * lib/hdb/Makefile.am: EXTRA_DIST += version-script.map 2008-07-14 Love Hornquist Astrand * lib/krb5/krb5_{address,ccache}.3: spelling, from openbsd via janne johansson 2008-07-13 Love Hörnquist Åstrand * lib/krb5/version-script.map: add krb5_free_error_message 2008-06-21 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: switch to krb5_set_password(). 2008-06-18 Love Hörnquist Åstrand * lib/krb5/time.c (krb5_set_real_time): handle negative usec 2008-05-31 Love Hörnquist Åstrand * lib/krb5/krb5_locl.h: Add * lib/krb5/crypto.c: Use wind_utf8ucs2_length to convert the password to utf16. 2008-05-30 Love Hörnquist Åstrand * lib/krb5/kcm.c: Add back krb5_kcmcache argument to try_door(). 2008-05-27 Love Hörnquist Åstrand * lib/krb5/error_string.c (krb5_free_error_message): constify * lib/krb5/error_string.c: Add krb5_get_error_message(). * lib/krb5/doxygen.c: krb5_cc_new_unique() is name of the creation function. 2008-04-30 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: Use the _ext api for OpenLDAP, from Honza Machacek (gentoo). 2008-04-28 Love Hörnquist Åstrand * lib/krb5/crypto.c: Use DES_set_key_unchecked(). 
* lib/krb5/krb5.conf.5: Document default_cc_type. * lib/krb5/cache.c: Pick up [libdefaults]default_cc_type 2008-04-27 Love Hörnquist Åstrand * kdc/kaserver.c: Use DES_set_key_unchecked(). 2008-04-21 Love Hörnquist Åstrand * doc/hx509.texi: About the pkcs11 module. * doc/hx509.texi: Pick up version from vars.texi * doc/hx509.texi: No MIT code in hx509. * hx509 now includes a pkcs11 implementation. 2008-04-20 Love Hörnquist Åstrand * lib/hdb/Makefile.am: Move OpenLDAP includes to AM_CPPFLAGS to avoid dropping other defines for the library. 2008-04-17 Love Hörnquist Åstrand * lib/krb5: add __declspec() for windows. * configure.in: Update rk_WIN32_EXPORT, add gssapi to rk_WIN32_EXPORT. * configure.in: Lets try dependency tracking for automake 1.10 and later. * configure.in: Use at least libtool-2.2. * configure.in: Use LT_INIT the right way. * lib/krb5/Makefile.am: Update make-proto usage. * configure.in: Run autoupdate, use LT_INIT(). 2008-04-15 Love Hörnquist Åstrand * lib/krb5/test_forward.c: Don't print krb5_error_code since we are using krb5_err(). * lib/krb5/ticket.c: Cast krb5_error_code to int to avoid warning. * lib/krb5/scache.c: Cast krb5_error_code to int to avoid warning. * lib/krb5/principal.c: Cast enum to int to avoid warning. * lib/krb5/pkinit.c: Cast krb5_error_code to int to avoid warning. * lib/krb5/pac.c: Cast size_t to unsigned long to avoid warning. * lib/krb5/error_string.c: Cast krb5_error_code to int to avoid warning. * lib/krb5/keytab_keyfile.c: Make num_entries an uint32 to avoid negative numbers and type warnings. * lib/krb5: cc_get_version returns an int, update. 2008-04-10 Love Hörnquist Åstrand * configure.in: Check for . 2008-04-09 Love Hörnquist Åstrand * lib/krb5/version-script.map: sort and export _krb5_pk_kdf * lib/krb5/crypto.c: Check kdf params. calculate the second half of the key. * lib/krb5/Makefile.am: Add test_pknistkdf * lib/krb5/test_pknistkdf.c: Test the new pkinit nist kdf. * lib/krb5/crypto.c: Complete _krb5_pk_kdf. 
* lib/krb5/crypto.c: First version of KDF in draft-ietf-krb-wg-pkinit-alg-agility-03.txt. 2008-04-08 Love Hörnquist Åstrand * doc/setup.texi: Add text about smbk5pwd overlay from Buchan Milne. * lib/krb5/krb5_locl.h: Name the pkinit type enum. * kdc/pkinit.c: Rename constants to match global header. * lib/krb5/pkinit.c: Drop krb5_pk_identity and rename constants to match global header. * kdc/pkinit.c: Pick up krb5_pk_identity from krb5_locl.h. * lib/krb5/scache.c (scc_alloc): %x is unsigned int. 2008-04-07 Love Hörnquist Åstrand * lib/krb5/version-script.map: Sort and add krb5_cc_switch. * lib/krb5/acache.c: Use unsigned where appropriate. * kcm/glue.c: Adapt to chenge to krb5_cc_ops. * kcm/acl.c: Add missing op. * kdc/connect.c: Use unsigned where appropriate. * lib/krb5/n-fold.c: Use size_t where appropriate. * lib/krb5/get_addrs.c: Use unsigned where appropriate. * lib/krb5/crypto.c: Use unsigned where appropriate. * lib/krb5/crc.c: Use unsigned where appropriate. * lib/krb5/changepw.c: simplify * lib/krb5/copy_host_realm.c: simplify * kuser/kswitch.c: Implement --principal. 2008-04-05 Love Hörnquist Åstrand * lib/krb5/cache.c: allow returning the default cc-type. * kuser/kswitch.c: Enable switching between existing caches. * lib/krb5/cache.c: Add krb5_cc_switch, to set the default credential cache. * lib/krb5/acache.c: Implement set_default. * lib/krb5/krb5.h: Extend krb5_cc_ops and add set_default to set the default cc name for a credential type. 2008-04-04 Love Hörnquist Åstrand * lib/krb5/test_cc.c: test remove * lib/krb5/fcache.c: Make the remove cred slight more atomic, now it might lose creds, but there will be no empty cache at any time. * lib/krb5/scache.c: Do credential iteration by temporary table. 2008-04-02 Love Hörnquist Åstrand * lib/krb5/acache.c: Translate ccErrInvalidCCache. * lib/krb5/scache.c: implemetation of a sqlite3 backed credential cache. * lib/krb5/test_cc.c: test acc and scc * lib/krb5/acache.c: Only release context if its in use. 
2008-04-01 Love Hörnquist Åstrand * doc/setup.texi: No patching of OpenLDAP is needed, from Buchan Milne. 2008-03-30 Love Hörnquist Åstrand * lib/krb5/Makefile.am: Add scache. * lib/krb5/scache.c: initial implementation * lib/Makefile.am: sqlite * configure.in: lib/sqlite/Makefile 2008-03-26 Love Hörnquist Åstrand * lib/krb5/fcache.c: Make the storing credential an atomic write(2) to avoid signal races, bug traced by Harald Barth and Lars Malinowsky. 2008-03-25 Love Hörnquist Åstrand * lib/krb5/fcache.c: Make erase_file() do locking too. * kcm/protocol.c: Make work when moving to a non-existant cred-cache. * lib/krb5/test_cc.c: more verbose info. * lib/krb5/test_cc.c: test krb5_cc_move(). 2008-03-23 Love Hörnquist Åstrand * lib/krb5/get_cred.c: Try both kdc server referral and the old client chasing mode. * lib/krb5/get_cred.c: Don't do canonicalize by default, make add_cred() sane, make loop detection in credential fetching better. * lib/krb5/krb5_locl.h: Add flag EXTRACT_TICKET_AS_REQ. * lib/krb5/init_creds_pw.c: Tell _krb5_extract_ticket that this is an AS-REQ. * lib/krb5/get_in_tkt.c: Make server referral work. 2008-03-22 Love Hörnquist Åstrand * lib/krb5/get_in_tkt.c: check no server referral, don't use stringent length tests since encryption layer does padding for us... * kdc/kerberos5.c: Match name in ClientCanonicalizedNames with -10 * lib/krb5/principal.c (_krb5_principal_compare_PrincipalName): new function to compare a principal to a PrincipalName. * lib/krb5/init_creds_pw.c: Move client referral checking to _krb5_extract_ticket(). * lib/krb5/get_in_tkt.c: More bits for server referral. * lib/krb5/get_in_tkt.c: Make working with client referrals. * lib/krb5/get_cred.c: Try moving referrals checking into _krb5_extract_ticket(). * lib/krb5/get_in_tkt.c: Try moving referrals checking into _krb5_extract_ticket(). 2008-03-21 Love Hörnquist Åstrand * kdc/krb5tgs.c: Send SERVER-REFERRAL data in rep.padata instead of auth_data in ticket. 
2008-03-20 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: remove lost bits from using krb5_principal_set_realm * kdc/krb5tgs.c: Better referrals support, use canonicalize flag. * kdc/hprop.c: use krb5_principal_set_realm * lib/krb5/init_creds_pw.c: use krb5_principal_set_realm * lib/krb5/verify_user.c: use krb5_principal_set_realm * lib/krb5/version-script.map: add krb5_principal_set_realm * lib/krb5/principal.c: add krb5_principal_set_realm * lib/krb5/get_cred.c: Insecure tgs referrals. * lib/krb5/get_cred.c: Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. This drop compatibility with pre 0.3d KDCs. * lib/krb5/get_cred.c: catch KRB5_GC_CANONICALIZE. * lib/krb5/krb5.h: set KRB5_GC_CANONICALIZE. * kuser/kgetcred.c: set KRB5_GC_CANONICALIZE. * kuser/kgetcred.c: Add stub --canonicalize implementation. 2008-03-19 Love Hörnquist Åstrand * doc/setup.texi: Fix sasl-regexp, from Howard Chu. 2008-03-14 Love Hörnquist Åstrand * kdc/kx509.c: Adapt to hx509_env changes. 2008-03-10 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Try searchin the key by to use by first looking for for PK-INIT EKU, then the Microsoft smart card EKU and last, no special EKU at all. 2008-03-09 Love Hörnquist Åstrand * lib/krb5/acache.c: Create a new credential cache is ->get_name is called, make acc_initialize() reset the existing credential cache if needed. * lib/krb5/acache.c (acc_get_name): just return the cache_name directly instead of trying to resolve it. 2008-02-23 Love Hörnquist Åstrand * include/Makefile.am (CLEANFILES): add wind.h and wind_err.h and sort. 2008-02-11 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: Use malloc() instead of static buffer. * lib/hdb/hdb-ldap.c: Use ldap_get_values_len, from LaMont Jones via Brian May and Debian. * doc/Makefile.am: add libwind 2008-02-05 Love Hörnquist Åstrand * lib/krb5/test_renew.c: Remove extra ;, From Dennis Davis. * lib/krb5/store_emem.c: Make compile on-pre c99 compilers. From Dennis Davis. 
2008-02-03 Love Hörnquist Åstrand * tools/heimdal-gssapi.pc.in: Add wind. * tools/krb5-config.in: Add wind. * lib/krb5/pac.c: Use libwind. 2008-02-01 Love Hörnquist Åstrand * lib/Makefile.am: SUBDIRS: add wind 2008-01-29 Love Hörnquist Åstrand * doc/programming.texi: See the Kerberos 5 API introduction and documentation on the Heimdal webpage. 2008-01-27 Love Hörnquist Åstrand * lib/krb5: better error strings for the keytab fetching functions * lib/krb5/verify_krb5_conf.c: Catch deprecated entries. * lib/krb5/get_cred.c: Remove support for [libdefaults]capath (not [libdefaults] capaths though). 2008-01-25 Love Hörnquist Åstrand * tools/heimdal-gssapi.pc.in: Fix caps of prefix, from Joakim Fallsjo. 2008-01-24 Love Hörnquist Åstrand * lib/krb5/fcache.c (fcc_move): more explict why the fcc_move failes, handle cross device moves. 2008-01-21 Love Hörnquist Åstrand * lib/krb5/get_for_creds.c: Use on variable less. * lib/krb5/get_for_creds.c: Try to handle ticket full and ticketless tickets better. Add doxygen comments while here. * lib/krb5/test_forward.c: Used for testing krb5_get_forwarded_creds(). * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward * lib/krb5/Makefile.am: drop CHECK_SYMBOLS * lib/hdb/Makefile.am: drop CHECK_SYMBOLS * kdc/Makefile.am: drop CHECK_SYMBOLS 2008-01-18 Love Hörnquist Åstrand * lib/krb5/version-script.map: Add krb5_digest_probe. 2008-01-13 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with hx509_name_binary. 2008-01-12 Love Hörnquist Åstrand * lib/krb5/Makefile.am: add missing files * Happy new year. 
heimdal-1.7~git20150920+dfsg/ChangeLog.1998000066400000000000000000002656071257755311500176460ustar00rootroot00000000000000Sat Dec 5 19:49:34 1998 Johan Danielsson * lib/krb5/context.c: remove ktype_is_etype * lib/krb5/crypto.c, lib/krb5/krb5.h, acconfig.h: NEW_DES3_CODE * configure.in: fix for AIX install; better tests for AIX dynamic AFS libs; `--enable-new-des3-code' Tue Dec 1 14:44:44 1998 Johan Danielsson * appl/afsutil/Makefile.am: link with extra libs for aix * kuser/Makefile.am: link with extra libs for aix Sun Nov 29 01:56:21 1998 Assar Westerlund * lib/krb5/get_addrs.c (krb5_get_all_server_addrs): add. almost the same as krb5_get_all_client_addrs except that it includes loopback addresses * kdc/connect.c (init_socket): bind to a particular address (init_sockets): get all local addresses and bind to them all * lib/krb5/addr_families.c (addr2sockaddr, print_addr): new methods (find_af, find_atype): new functions. use them. * configure.in: add hesiod Wed Nov 25 11:37:48 1998 Johan Danielsson * lib/krb5/krb5_err.et: add some codes from kerberos-revisions-03 Mon Nov 23 12:53:48 1998 Assar Westerlund * lib/kadm5/log.c: rename delete -> remove * lib/kadm5/delete_s.c: rename delete -> remove * lib/hdb/common.c: rename delete -> remove Sun Nov 22 12:26:26 1998 Assar Westerlund * configure.in: check for environ and `struct spwd' Sun Nov 22 11:42:45 1998 Johan Danielsson * kdc/kerberos5.c (as_rep): set keytype to sess_ktype if ktype_is_etype * lib/krb5/encrypt.c (krb5_keytype_to_etypes): zero terminate etypes (em): sort entries Sun Nov 22 06:54:48 1998 Assar Westerlund * lib/krb5/init_creds_pw.c: more type correctness * lib/krb5/get_cred.c: re-structure code. remove limits on ASN1 generated bits. 
Sun Nov 22 01:49:50 1998 Johan Danielsson * kdc/hprop.c (v4_prop): fix bogus indexing Sat Nov 21 21:39:20 1998 Assar Westerlund * lib/krb5/verify_init.c (fail_verify_is_ok): new function (krb5_verify_init_creds): if we cannot get a ticket for host/`hostname` and fail_verify_is_ok just return. use krb5_rd_req Sat Nov 21 23:12:27 1998 Assar Westerlund * lib/krb5/free.c (krb5_xfree): new function * lib/krb5/creds.c (krb5_free_creds_contents): new function * lib/krb5/context.c: more type correctness * lib/krb5/checksum.c: more type correctness * lib/krb5/auth_context.c (krb5_auth_con_init): more type correctness * lib/asn1/der_get.c (der_get_length): fix test of len (der_get_tag): more type correctness * kuser/klist.c (usage): void-ize * admin/ktutil.c (kt_remove): some more type correctness. Sat Nov 21 16:49:20 1998 Johan Danielsson * kuser/klist.c: try to list enctypes as keytypes * kuser/kinit.c: remove extra `--cache' option, add `--enctypes' to set list of enctypes to use * kadmin/load.c: load strings as hex * kadmin/dump.c: dump hex as string is possible * admin/ktutil.c: use print_version() * configure.in, acconfig.h: test for hesiod Sun Nov 15 17:28:19 1998 Johan Danielsson * lib/krb5/crypto.c: add some crypto debug code * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): don't use fixed buffer when encoding ticket * lib/krb5/auth_context.c (re-)implement `krb5_auth_setenctype' * kdc/kerberos5.c: allow mis-match of tgt session key, and service session key * admin/ktutil.c: keytype -> enctype Fri Nov 13 05:35:48 1998 Assar Westerlund * lib/krb5/krb5.h (KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE): added Sat Nov 7 19:56:31 1998 Assar Westerlund * lib/krb5/get_cred.c (add_cred): add termination NULL pointer Mon Nov 2 01:15:06 1998 Assar Westerlund * lib/krb5/rd_req.c: adapt to new crypto api * lib/krb5/rd_rep.c: adapt to new crypto api * lib/krb5/rd_priv.c: adopt to new crypto api * lib/krb5/rd_cred.c: adopt to new crypto api * lib/krb5/principal.c: ENOMEM -> ERANGE * 
lib/krb5/mk_safe.c: cleanup and adopt to new crypto api * lib/krb5/mk_req_ext.c: adopt to new crypto api * lib/krb5/mk_req.c: get enctype from auth_context keyblock * lib/krb5/mk_rep.c: cleanup and adopt to new crypto api * lib/krb5/mk_priv.c: adopt to new crypto api * lib/krb5/keytab.c: adopt to new crypto api * lib/krb5/get_in_tkt_with_skey.c: adopt to new crypto api * lib/krb5/get_in_tkt_with_keytab.c: adopt to new crypto api * lib/krb5/get_in_tkt_pw.c: adopt to new crypto api * lib/krb5/get_in_tkt.c: adopt to new crypto api * lib/krb5/get_cred.c: adopt to new crypto api * lib/krb5/generate_subkey.c: use new crypto api * lib/krb5/context.c: rename etype functions to enctype ditto * lib/krb5/build_auth.c: use new crypto api * lib/krb5/auth_context.c: remove enctype and cksumtype from auth_context Mon Nov 2 01:15:06 1998 Assar Westerlund * kdc/connect.c (handle_udp, handle_tcp): correct type of `n' Tue Sep 15 18:41:38 1998 Johan Danielsson * admin/ktutil.c: fix printing of unrecognized keytypes Tue Sep 15 17:02:33 1998 Johan Danielsson * lib/kadm5/set_keys.c: add KEYTYPE_USE_AFS3_SALT to keytype if using AFS3 salt Tue Aug 25 23:30:52 1998 Assar Westerlund * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): care about `use_admin_kdc' * lib/krb5/changepw.c (get_kdc_address): use krb5_get_krb_admin_hst * lib/krb5/krbhst.c (krb5_get_krb_admin_hst): new function * lib/krb5/krb5.h (krb5_context_data): add `use_admin_kdc' * lib/krb5/context.c (krb5_get_use_admin_kdc, krb5_set_use_admin_kdc): new functions Tue Aug 18 22:24:12 1998 Johan Danielsson * lib/krb5/crypto.c: remove all calls to abort(); check return value from _key_schedule; (RSA_MD[45]_DES_verify): zero tmp and res; (RSA_MD5_DES3_{verify,checksum}): implement Mon Aug 17 20:18:46 1998 Assar Westerlund * kdc/kerberos4.c (swap32): conditionalize * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): new function * lib/krb5/get_host_realm.c (krb5_get_host_realm): if the hostname returned from gethostby*() isn't a FQDN, try with 
the original hostname * lib/krb5/get_cred.c (make_pa_tgs_req): use krb5_mk_req_internal and correct key usage * lib/krb5/crypto.c (verify_checksum): make static * admin/ktutil.c (kt_list): use krb5_enctype_to_string Sun Aug 16 20:57:56 1998 Assar Westerlund * kadmin/cpw.c (do_cpw_entry): use asprintf for the prompt * kadmin/ank.c (ank): print principal name in prompt * lib/krb5/crypto.c (hmac): always allocate space for checksum. never trust c.checksum.length (_get_derived_key): try to return the derived key Sun Aug 16 19:48:42 1998 Johan Danielsson * lib/krb5/crypto.c (hmac): fix some peculiarities and bugs (get_checksum_key): assume usage is `formatted' (create_checksum,verify_checksum): moved the guts of the krb5_* functions here, both take `formatted' key-usages (encrypt_internal_derived): fix various bogosities (derive_key): drop key_type parameter (already given by the encryption_type) * kdc/kerberos5.c (check_flags): handle case where client is NULL * kdc/connect.c (process_request): return zero after processing kerberos 4 request Sun Aug 16 18:38:15 1998 Johan Danielsson * lib/krb5/crypto.c: merge x-*.[ch] into one file * lib/krb5/cache.c: remove residual from krb5_ccache_data Fri Aug 14 16:28:23 1998 Johan Danielsson * lib/krb5/x-crypto.c (derive_key): move DES3 specific code to separate function (will eventually end up someplace else) * lib/krb5/x-crypto.c (krb5_string_to_key_derived): allocate key * configure.in, acconfig.h: test for four valued krb_put_int Thu Aug 13 23:46:29 1998 Assar Westerlund * Release 0.0t Thu Aug 13 22:40:17 1998 Assar Westerlund * lib/krb5/config_file.c (parse_binding): remove trailing whitespace Wed Aug 12 20:15:11 1998 Johan Danielsson * lib/krb5/x-checksum.c (krb5_verify_checksum): pass checksum type to krb5_create_checksum * lib/krb5/x-key.c: implement DES3_string_to_key_derived; fix a few typos Wed Aug 5 12:39:54 1998 Assar Westerlund * Release 0.0s Thu Jul 30 23:12:17 1998 Assar Westerlund * lib/krb5/mk_error.c 
(krb5_mk_error): realloc until you die Thu Jul 23 19:49:03 1998 Johan Danielsson * kdc/kdc_locl.h: proto for `get_des_key' * configure.in: test for four valued el_init * kuser/klist.c: keytype -> enctype * kpasswd/kpasswdd.c (change): use new `krb5_string_to_key*' * kdc/hprop.c (v4_prop, ka_convert): convert to a set of keys * kdc/kaserver.c: use `get_des_key' * kdc/524.c: use new crypto api * kdc/kerberos4.c: use new crypto api * kdc/kerberos5.c: always treat keytypes as enctypes; use new crypto api * kdc/kstash.c: adapt to new crypto api * kdc/string2key.c: adapt to new crypto api * admin/srvconvert.c: add keys for all possible enctypes * admin/ktutil.c: keytype -> enctype * lib/gssapi/init_sec_context.c: get enctype from auth_context keyblock * lib/hdb/hdb.c: remove hdb_*_keytype2key * lib/kadm5/set_keys.c: adapt to new crypto api * lib/kadm5/rename_s.c: adapt to new crypto api * lib/kadm5/get_s.c: adapt to new crypto api * lib/kadm5/create_s.c: add keys for des-cbc-crc, des-cbc-md4, des-cbc-md5, and des3-cbc-sha1 * lib/krb5/heim_err.et: error message for unsupported salt * lib/krb5/codec.c: short-circuit these functions, since they are not needed any more * lib/krb5/rd_safe.c: cleanup and adapt to new crypto api Mon Jul 13 23:00:59 1998 Assar Westerlund * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): don't advance hostent->h_addr_list, use a copy instead Mon Jul 13 15:00:31 1998 Johan Danielsson * lib/krb5/config_file.c (parse_binding, parse_section): make sure everything is ok before adding to linked list * lib/krb5/config_file.c: skip ws before checking for comment Wed Jul 8 10:45:45 1998 Johan Danielsson * lib/asn1/k5.asn1: hmac-sha1-des3 = 12 Tue Jun 30 18:08:05 1998 Assar Westerlund * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): do not close the unopened file * lib/krb5/mk_priv.c: realloc correctly * lib/krb5/get_addrs.c (find_all_addresses): init j * lib/krb5/context.c (krb5_init_context): print error if parsing of config file produced an error. 
* lib/krb5/config_file.c (parse_list, krb5_config_parse_file): ignore more spaces * lib/krb5/codec.c (krb5_encode_EncKrbCredPart, krb5_encode_ETYPE_INFO): initialize `ret' * lib/krb5/build_auth.c (krb5_build_authenticator): realloc correctly * lib/kadm5/set_keys.c (_kadm5_set_keys): initialize `ret' * lib/kadm5/init_c.c (get_cred_cache): try to do the right thing with default_client * kuser/kinit.c (main): initialize `ticket_life' * kdc/kerberos5.c (get_pa_etype_info): initialize `ret' (tgs_rep2): initialize `krbtgt' * kdc/connect.c (do_request): check for errors from `sendto' * kdc/524.c (do_524): initialize `ret' * kadmin/util.c (foreach_principal): don't clobber `ret' * kadmin/del.c (del_entry): don't apply on zeroth argument * kadmin/cpw.c (do_cpw_entry): initialize `ret' Sat Jun 13 04:14:01 1998 Assar Westerlund * Release 0.0r Sun Jun 7 04:13:14 1998 Assar Westerlund * lib/krb5/addr_families.c: fall-back definition of IN6_ADDR_V6_TO_V4 * configure.in: only set CFLAGS if it wasn't set look for dn_expand and res_search Mon Jun 1 21:28:07 1998 Assar Westerlund * configure.in: remove duplicate seteuid Sat May 30 00:19:51 1998 Johan Danielsson * lib/krb5/convert_creds.c: import _krb_time_to_life, to avoid runtime dependencies on libkrb with some shared library implementations Fri May 29 00:09:02 1998 Johan Danielsson * kuser/kinit_options.c: Default options for kinit. * kuser/kauth_options.c: Default options for kauth. * kuser/kinit.c: Implement lots a new options. * kdc/kerberos5.c (check_tgs_flags): make sure kdc-req-body->rtime is not NULL; set endtime to min of new starttime + old_life, and requested endtime * lib/krb5/init_creds_pw.c (get_init_creds_common): if the forwardable or proxiable flags are set in options, set the kdc-flags to the value specified, and not always to one Thu May 28 21:28:06 1998 Johan Danielsson * kdc/kerberos5.c: Optionally compare client address to addresses in ticket. * kdc/connect.c: Pass client address to as_rep() and tgs_rep(). 
* kdc/config.c: Add check_ticket_addresses, and allow_null_ticket_addresses variables. Tue May 26 14:03:42 1998 Johan Danielsson * lib/kadm5/create_s.c: possibly make DES keys version 4 salted * lib/kadm5/set_keys.c: check config file for kadmin/use_v4_salt before zapping version 4 salts Sun May 24 05:22:17 1998 Assar Westerlund * Release 0.0q * lib/krb5/aname_to_localname.c: new file * lib/gssapi/init_sec_context.c (repl_mutual): no output token * lib/gssapi/display_name.c (gss_display_name): zero terminate output. Sat May 23 19:11:07 1998 Assar Westerlund * lib/gssapi/display_status.c: new file * Makefile.am: send -I to aclocal * configure.in: remove duplicate setenv Sat May 23 04:55:19 1998 Johan Danielsson * kadmin/util.c (foreach_principal): Check for expression before wading through the whole database. * kadmin/kadmin.c: Pass NULL password to kadm5_*_init_with_password. * lib/kadm5/init_c.c: Implement init_with_{skey,creds}*. Make use of `password' parameter to init_with_password. * lib/kadm5/init_s.c: implement init_with_{skey,creds}* * lib/kadm5/server.c: Better arguments for kadm5_init_with_password. Sat May 16 07:10:36 1998 Assar Westerlund * kdc/hprop.c: conditionalize ka-server reading support on KASERVER_DB * configure.in: new option `--enable-kaserver-db' Fri May 15 19:39:18 1998 Johan Danielsson * lib/krb5/get_cred.c: Better error if local tgt couldn't be found. Tue May 12 21:11:02 1998 Assar Westerlund * Release 0.0p * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): only set encryption type in auth_context if it's compatible with the type of the session key Mon May 11 21:11:14 1998 Johan Danielsson * kdc/hprop.c: add support for ka-server databases * appl/ftp/ftpd: link with -lcrypt, if needed Fri May 1 07:29:52 1998 Assar Westerlund * configure.in: don't test for winsock.h Sat Apr 18 21:43:11 1998 Johan Danielsson * Release 0.0o Sat Apr 18 00:31:11 1998 Johan Danielsson * lib/krb5/sock_principal.c: Save hostname. 
Sun Apr 5 11:29:45 1998 Johan Danielsson * lib/krb5/mk_req_ext.c: Use same enctype as in ticket. * kdc/hprop.c (v4_prop): Check for null key. Fri Apr 3 03:54:54 1998 Johan Danielsson * lib/krb5/str2key.c: Fix DES3 string-to-key. * lib/krb5/keytab.c: Get default keytab name from context. * lib/krb5/context.c: Get `default_keytab_name' value. * kadmin/util.c (foreach_principal): Print error message if `kadm5_get_principals' fails. * kadmin/kadmind.c: Use `kadmind_loop'. * lib/kadm5/server.c: Replace several other functions with `kadmind_loop'. Sat Mar 28 09:49:18 1998 Assar Westerlund * lib/krb5/keytab.c (fkt_add_entry): use an explicit seek instead of O_APPEND * configure.in: generate ftp Makefiles * kuser/klist.c (print_cred_verbose): print IPv4-address in a portable way. * admin/srvconvert.c (srvconv): return 0 if successful Tue Mar 24 00:40:33 1998 Johan Danielsson * lib/krb5/keytab.c: MIT compatible changes: add and use sizes to keytab entries, and change default keytab to `/etc/krb5.keytab'. Mon Mar 23 23:43:59 1998 Johan Danielsson * lib/gssapi/wrap.c: Use `gss_krb5_getsomekey'. * lib/gssapi/unwrap.c: Implement and use `gss_krb5_getsomekey'. Fix bug in checking of pad. * lib/gssapi/{un,}wrap.c: Add support for just integrity protecting data. * lib/gssapi/accept_sec_context.c: Use `gssapi_krb5_verify_8003_checksum'. * lib/gssapi/8003.c: Implement `gssapi_krb5_verify_8003_checksum'. * lib/gssapi/init_sec_context.c: Zero cred, and store session key properly in auth-context. Sun Mar 22 00:47:22 1998 Johan Danielsson * lib/kadm5/delete_s.c: Check immutable bit. * kadmin/kadmin.c: Pass client name to kadm5_init. * lib/kadm5/init_c.c: Get creds for client name passed in. * kdc/hprop.c (v4_prop): Check for `changepw.kerberos'. Sat Mar 21 22:57:13 1998 Johan Danielsson * lib/krb5/mk_error.c: Verify that error_code is in the range [0,127]. * kdc/kerberos5.c: Move checking of principal flags to new function `check_flags'. 
Sat Mar 21 14:38:51 1998 Assar Westerlund * lib/kadm5/get_s.c (kadm5_s_get_principal): handle an empty salt * configure.in: define SunOS if running solaris Sat Mar 21 00:26:34 1998 Johan Danielsson * lib/kadm5/server.c: Unifdef test for same principal when changing password. * kadmin/util.c: If kadm5_get_principals fails, we might still be able to perform the requested operation (for instance if someone is trying to change his own password). * lib/kadm5/init_c.c: Try to get ticket via initial request, if not possible via tgt. * lib/kadm5/server.c: Check for principals changing their own passwords. * kdc/kerberos5.c (tgs_rep2): check for interesting flags on involved principals. * kadmin/util.c: Fix order of flags. Thu Mar 19 16:54:10 1998 Johan Danielsson * kdc/kerberos4.c: Return sane error code if krb_rd_req fails. Wed Mar 18 17:11:47 1998 Assar Westerlund * acconfig.h: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6 Wed Mar 18 09:58:18 1998 Johan Danielsson * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): don't free keyseed; use correct keytab Tue Mar 10 09:56:16 1998 Assar Westerlund * acinclude.m4 (AC_KRB_IPV6): rewrote to avoid false positives Mon Mar 16 23:58:23 1998 Johan Danielsson * Release 0.0n Fri Mar 6 00:41:30 1998 Johan Danielsson * lib/gssapi/{accept_sec_context,release_cred}.c: Use krb5_kt_close/krb5_kt_resolve. * lib/krb5/principal.c (krb5_425_conv_principal_ext): Use resolver to lookup hosts, so CNAMEs can be ignored. * lib/krb5/send_to_kdc.c (krb5_sendto_kdc, send_and_recv_http): Add support for using proxy. * lib/krb5/context.c: Initialize `http_proxy' from `libdefaults/http_proxy'. * lib/krb5/krb5.h: Add `http_proxy' to context. * lib/krb5/send_to_kdc.c: Recognize `http/' and `udp/' as protocol specifications. Wed Mar 4 01:47:29 1998 Johan Danielsson * admin/ktutil.c: Implement `add' and `remove' functions. Make `--keytab' a global option. * lib/krb5/keytab.c: Implement remove with files. Add memory operations. 
Tue Mar 3 20:09:59 1998 Johan Danielsson * lib/krb5/keytab.c: Use function pointers. * admin: Remove kdb_edit. Sun Mar 1 03:28:42 1998 Assar Westerlund * lib/kadm5/dump_log.c: print operation names Sun Mar 1 03:04:12 1998 Assar Westerlund * configure.in: add X-tests, and {bin,...}dir appl/{kx,kauth} * lib/krb5/build_auth.c,mk_priv.c,rd_safe.c,mk_safe.c,mk_rep.c: remove arbitrary limit * kdc/hprop-common.c: use krb5_{read,write}_message * lib/kadm5/ipropd_master.c (send_diffs): more careful use krb5_{write,read}_message * lib/kadm5/ipropd_slave.c (get_creds): get credentials for `iprop/master' directly. (main): use `krb5_read_message' Sun Mar 1 02:05:11 1998 Johan Danielsson * kadmin/kadmin.c: Cleanup commands list, and add help strings. * kadmin/get.c: Add long, short, and terse (equivalent to `list') output formats. Short is the default. * kadmin/util.c: Add `include_time' flag to timeval2str. * kadmin/init.c: Max-life and max-renew can, in fact, be zero. * kadmin/{cpw,del,ext,get}.c: Use `foreach_principal'. * kadmin/util.c: Add function `foreach_principal', that loops over all principals matching an expression. * kadmin/kadmin.c: Add usage string to `privileges'. * lib/kadm5/get_princs_s.c: Also try to match against the expression appended with `@default-realm'. * lib/krb5/principal.c: Add `krb5_unparse_name_fixed_short', that excludes the realm if it's the same as the default realm. Fri Feb 27 05:02:21 1998 Assar Westerlund * configure.in: more WFLAGS and WFLAGS_NOUNUSED added missing headers and functions error -> com_err (krb5_get_init_creds_keytab): use krb5_keytab_key_proc * lib/krb5/get_in_tkt_with_keytab.c: make `krb5_keytab_key_proc' global * lib/kadm5/marshall.c (ret_principal_ent): set `n_tl_data' * lib/hdb/ndbm.c: use `struct ndbm_db' everywhere. Fri Feb 27 04:49:24 1998 Assar Westerlund * lib/krb5/mk_priv.c (krb5_mk_priv): bump static limit to 10240. This should be fixed the correct way. 
* lib/kadm5/ipropd_master.c (check_acl:) truncate buf correctly (send_diffs): compare versions correctly (main): reorder handling of events * lib/kadm5/log.c (kadm5_log_previous): avoid bad type conversion Thu Feb 26 02:22:35 1998 Assar Westerlund * lib/kadm5/ipropd_{slave,master}.c: new files * lib/kadm5/log.c (kadm5_log_get_version): take an `fd' as argument * lib/krb5/krb5.h (krb5_context_data): `et_list' should be `struct et_list *' * aux/make-proto.pl: Should work with perl4 Mon Feb 16 17:20:22 1998 Johan Danielsson * lib/krb5/krb5_locl.h: Remove (it gets included via {asn1,krb5}_err.h). Thu Feb 12 03:28:40 1998 Assar Westerlund * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): if time difference is larger than max_skew, return KRB5KRB_AP_ERR_SKEW * lib/kadm5/log.c (get_version): globalize * lib/kadm5/kadm5_locl.h: include * lib/asn1/Makefile.am: add PA_KEY_INFO and PA_KEY_INFO_ENTRY * kdc/kerberos5.c (get_pa_etype_info): remove gcc-ism of initializing local struct in declaration. Sat Jan 31 17:28:58 1998 Johan Danielsson * kdc/524.c: Use krb5_decode_EncTicketPart. * kdc/kerberos5.c: Check at runtime whether to use enctypes instead of keytypes. If so use the same value to encrypt ticket, and kdc-rep as well as `keytype' for session key. Fix some obvious bugs with the handling of additional tickets. * lib/krb5/rd_req.c: Use krb5_decode_EncTicketPart, and krb5_decode_Authenticator. * lib/krb5/rd_rep.c: Use krb5_decode_EncAPRepPart. * lib/krb5/rd_cred.c: Use krb5_decode_EncKrbCredPart. * lib/krb5/mk_rep.c: Make sure enc_part.etype is an encryption type, and not a key type. Use krb5_encode_EncAPRepPart. * lib/krb5/init_creds_pw.c: Use krb5_decode_PA_KEY_INFO. * lib/krb5/get_in_tkt.c: Use krb5_decode_Enc{AS,TGS}RepPart. * lib/krb5/get_for_creds.c: Use krb5_encode_EncKrbCredPart. * lib/krb5/get_cred.c: Use krb5_decode_Enc{AS,TGS}RepPart. * lib/krb5/build_auth.c: Use krb5_encode_Authenticator. * lib/krb5/codec.c: Enctype conversion stuff. 
* lib/krb5/context.c: Ignore KRB5_CONFIG if *not* running setuid. Get configuration for libdefaults ktype_is_etype, and default_etypes. * lib/krb5/encrypt.c: Add krb5_string_to_etype, rename krb5_convert_etype to krb5_decode_keytype, and add krb5_decode_keyblock. Fri Jan 23 00:32:09 1998 Johan Danielsson * lib/krb5/{get_in_tkt,rd_req}.c: Use krb5_convert_etype. * lib/krb5/encrypt.c: Add krb5_convert_etype function - converts from protocol keytypes (that really are enctypes) to internal representation. Thu Jan 22 21:24:36 1998 Johan Danielsson * lib/asn1/k5.asn1: Add PA-KEY-INFO structure to hold information on keys in the database; and also a new `pa-key-info' padata-type. * kdc/kerberos5.c: If pre-authentication fails, return a list of keytypes, salttypes, and salts. * lib/krb5/init_creds_pw.c: Add better support for pre-authentication, by looking at hints from the KDC. * lib/krb5/get_in_tkt.c: Add better support for specifying what pre-authentication to use. * lib/krb5/str2key.c: Merge entries for KEYTYPE_DES and KEYTYPE_DES_AFS3. * lib/krb5/krb5.h: Add pre-authentication structures. * kdc/connect.c: Don't fail if realloc(X, 0) returns NULL. Wed Jan 21 06:20:40 1998 Assar Westerlund * lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize `log_context.socket_name' and `log_context.socket_fd' * lib/kadm5/log.c (kadm5_log_flush): send a unix domain datagram to inform the possible running ipropd of an update. Wed Jan 21 01:34:09 1998 Johan Danielsson * lib/krb5/get_in_tkt.c: Return error-packet to caller. * lib/krb5/free.c (krb5_free_kdc_rep): Free krb5_kdc_rep->error. * kdc/kerberos5.c: Add some support for using enctypes instead of keytypes. * lib/krb5/get_cred.c: Fixes to send authorization-data to the KDC. * lib/krb5/build_auth.c: Only generate local subkey if there is none. * lib/krb5/krb5.h: Add krb5_authdata type. * lib/krb5/auth_context.c: Add krb5_auth_con_set{,localsub,remotesub}key. 
* lib/krb5/init_creds_pw.c: Return some error if prompter functions return failure. Wed Jan 21 01:16:13 1998 Assar Westerlund * kpasswd/kpasswd.c: detect bad password. use krb5_err. * kadmin/util.c (edit_entry): remove unused variables Tue Jan 20 22:58:31 1998 Assar Westerlund * kuser/kinit.c: rename `-s' to `-S' to be MIT-compatible. * lib/kadm5/kadm5_locl.h: add kadm5_log_context and kadm5_log*-functions * lib/kadm5/create_s.c (kadm5_s_create_principal): add change to log * lib/kadm5/rename_s.c (kadm5_s_rename_principal): add change to log * lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize log_context * lib/kadm5/delete_s.c (kadm5_s_delete_principal): add change to log * lib/kadm5/modify_s.c (kadm5_s_modify_principal): add change to log * lib/kadm5/randkey_s.c (kadm5_s_randkey_principal): add change to log * lib/kadm5/chpass_s.c (kadm5_s_chpass_principal): add change to log * lib/kadm5/Makefile.am: add log.c, dump_log and replay_log * lib/kadm5/replay_log.c: new file * lib/kadm5/dump_log.c: new file * lib/kadm5/log.c: new file * lib/krb5/str2key.c (get_str): initialize pad space to zero * lib/krb5/config_file.c (krb5_config_vget_next): handle c == NULL * kpasswd/kpasswdd.c: rewritten to use the kadm5 API * kpasswd/Makefile.am: link with kadm5srv * kdc/kerberos5.c (tgs_rep): initialize `i' * kadmin/kadmind.c (main): use kadm5_server_{send,recv}_sp * include/Makefile.am: added admin.h Sun Jan 18 01:41:34 1998 Johan Danielsson * lib/asn1/gen_copy.c: Don't return ENOMEM if allocating 0 bytes. * lib/krb5/mcache.c (mcc_store_cred): restore linked list if copy_creds fails. Tue Jan 6 04:17:56 1998 Assar Westerlund * lib/kadm5/server.c: add kadm5_server_{send,recv}{,_sp} * lib/kadm5/marshall.c: add kadm5_{store,ret}_principal_ent_mask. * lib/kadm5/init_c.c (kadm5_c_init_with_password_ctx): use krb5_getportbyname * kadmin/kadmind.c (main): htons correctly. 
moved kadm5_server_{recv,send} * kadmin/kadmin.c (main): only set admin_server if explicitly given Mon Jan 5 23:34:44 1998 Johan Danielsson * lib/hdb/ndbm.c: Implement locking of database. * kdc/kerberos5.c: Process AuthorizationData. Sat Jan 3 22:07:07 1998 Johan Danielsson * kdc/string2key.c: Use AFS string-to-key from libkrb5. * lib/krb5/get_in_tkt.c: Handle pa-afs3-salt case. * lib/krb5/krb5.h: Add value for AFS salts. * lib/krb5/str2key.c: Add support for AFS string-to-key. * lib/kadm5/rename_s.c: Use correct salt. * lib/kadm5/ent_setup.c: Always enable client. Only set max-life and max-renew if != 0. * lib/krb5/config_file.c: Add context to all krb5_config_*get_*. Thu Dec 25 17:03:25 1997 Assar Westerlund * kadmin/ank.c (ank): don't zero password if --random-key was given. Tue Dec 23 01:56:45 1997 Assar Westerlund * Release 0.0m * lib/kadm5/ent_setup.c (attr_to_flags): try to set `client' * kadmin/util.c (edit_time): only set mask if != 0 (edit_attributes): only set mask if != 0 * kadmin/init.c (init): create `default' Sun Dec 21 09:44:05 1997 Assar Westerlund * kadmin/util.c (str2deltat, str2attr, get_deltat): return value as pointer and have return value indicate success. (get_response): check NULL from fgets (edit_time, edit_attributes): new functions for reading values and offering list of answers on '?' (edit_entry): use edit_time and edit_attributes * kadmin/ank.c (add_new_key): test the return value of `krb5_parse_name' * kdc/kerberos5.c (tgs_check_authenticator): RFC1510 doesn't say that the checksum has to be keyed, even though later drafts do. Accept unkeyed checksums to be compatible with MIT. * kadmin/kadmin_locl.h: add some prototypes. * kadmin/util.c (edit_entry): return a value * appl/afsutil/afslog.c (main): return a exit code. * lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes * lib/krb5/encrypt.c (krb5_keytype_to_enctypes): new function. 
* lib/krb5/build_auth.c (krb5_build_authenticator): use krb5_{free,copy}_keyblock instead of the _contents versions Fri Dec 12 14:20:58 1997 Johan Danielsson * lib/krb5/{mk,rd}_priv.c: fix check for local/remote subkey Mon Dec 8 08:48:09 1997 Johan Danielsson * lib/krb5/context.c: don't look at KRB5_CONFIG if running setuid Sat Dec 6 10:09:40 1997 Johan Danielsson * lib/krb5/keyblock.c (krb5_free_keyblock): check for NULL keyblock Sat Dec 6 08:26:10 1997 Assar Westerlund * Release 0.0l Thu Dec 4 03:38:12 1997 Johan Danielsson * lib/krb5/send_to_kdc.c: Add TCP client support. * lib/krb5/store.c: Add k_{put,get}_int. * kadmin/ank.c: Set initial kvno to 1. * kdc/connect.c: Send version 5 TCP-reply as length+data. Sat Nov 29 07:10:11 1997 Assar Westerlund * lib/krb5/rd_req.c (krb5_rd_req): fixed obvious bug * kdc/kaserver.c (create_reply_ticket): use a random nonce in the reply packet. * kdc/connect.c (init_sockets): less reallocing. * **/*.c: changed `struct fd_set' to `fd_set' Sat Nov 29 05:12:01 1997 Johan Danielsson * lib/krb5/get_default_principal.c: More guessing. Thu Nov 20 02:55:09 1997 Johan Danielsson * lib/krb5/rd_req.c: Use principal from ticket if no server is given. Tue Nov 18 02:58:02 1997 Johan Danielsson * kuser/klist.c: Use krb5_err*(). Sun Nov 16 11:57:43 1997 Johan Danielsson * kadmin/kadmin.c: Add local `init', `load', `dump', and `merge' commands. Sun Nov 16 02:52:20 1997 Assar Westerlund * lib/krb5/mk_req_ext.c (krb5_mk_req_ext): figure out the correct `enctype' * lib/krb5/mk_req.c (krb5_mk_req): use `(*auth_context)->enctype' if set. * lib/krb5/get_cred.c: handle the case of a specific keytype * lib/krb5/build_auth.c (krb5_build_authenticator): enctype as a parameter instead of guessing it. 
* lib/krb5/build_ap_req.c (krb5_build_ap_req): new parameter `enctype' * appl/test/common.c (common_setup): don't use `optarg' * lib/krb5/keytab.c (krb5_kt_copy_entry_contents): new function (krb5_kt_get_entry): retrieve the latest version if kvno == 0 * lib/krb5/krb5.h: define KRB5_TC_MATCH_KEYTYPE * lib/krb5/creds.c (krb5_compare_creds): check for KRB5_TC_MATCH_KEYTYPE * lib/gssapi/8003.c (gssapi_krb5_create_8003_checksum): remove unused variable * lib/krb5/creds.c (krb5_copy_creds_contents): only free the contents if we fail. Sun Nov 16 00:32:48 1997 Johan Danielsson * kpasswd/kpasswdd.c: Get password expiration time from config file. * lib/asn1/{der_get,gen_decode}.c: Allow passing NULL size. Wed Nov 12 02:35:57 1997 Assar Westerlund * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): restructured and fixed. * lib/krb5/addr_families.c (krb5_h_addr2addr): new function. Wed Nov 12 01:36:01 1997 Johan Danielsson * lib/krb5/get_addrs.c: Fall back to hostname's addresses if other methods fail. Tue Nov 11 22:22:12 1997 Johan Danielsson * kadmin/kadmin.c: Add `-l' flag to use local database. * lib/kadm5/acl.c: Use KADM5_PRIV_ALL. * lib/kadm5: Use function pointer trampoline for easier dual use (without radiation-hardening capability). Tue Nov 11 05:15:22 1997 Assar Westerlund * lib/krb5/encrypt.c (krb5_etype_valid): new function * lib/krb5/creds.c (krb5_copy_creds_contents): zero target * lib/krb5/context.c (valid_etype): remove * lib/krb5/checksum.c: remove dead code * lib/krb5/changepw.c (send_request): free memory on error. * lib/krb5/build_ap_req.c (krb5_build_ap_req): check return value from malloc. * lib/krb5/auth_context.c (krb5_auth_con_init): free memory on failure correctly. (krb5_auth_con_setaddrs_from_fd): return error correctly. * lib/krb5/get_in_tkt_with_{keytab,skey}.c: new files Tue Nov 11 02:53:19 1997 Johan Danielsson * lib/krb5/auth_context.c: Implement auth_con_setuserkey. * lib/gssapi/init_sec_context.c: Use krb5_auth_con_getkey. 
* lib/krb5/keyblock.c: Rename krb5_free_keyblock to krb5_free_keyblock_contents, and reimplement krb5_free_keyblock. * lib/krb5/rd_req.c: Use auth_context->keyblock if ap_options.use_session_key. Tue Nov 11 02:35:17 1997 Assar Westerlund * lib/krb5/net_{read,write}.c: change `int fd' to `void *p_fd'. fix callers. * lib/krb5/krb5_locl.h: include and * include/Makefile.am: add xdbm.h Tue Nov 11 01:58:22 1997 Johan Danielsson * lib/krb5/get_cred.c: Implement krb5_get_cred_from_kdc. Mon Nov 10 22:41:53 1997 Johan Danielsson * lib/krb5/ticket.c: Implement copy_ticket. * lib/krb5/get_in_tkt.c: Make `options' parameter MIT-compatible. * lib/krb5/data.c: Implement free_data and copy_data. Sun Nov 9 02:17:27 1997 Johan Danielsson * lib/kadm5: Implement kadm5_get_privs, and kadm5_get_principals. * kadmin/kadmin.c: Add get_privileges function. * lib/kadm5: Rename KADM5_ACL_* -> KADM5_PRIV_* to conform with specification. * kdc/connect.c: Exit if no sockets could be bound. * kadmin/kadmind.c: Check return value from krb5_net_read(). * lib/kadm5,kadmin: Fix memory leaks. Fri Nov 7 02:45:26 1997 Johan Danielsson * lib/kadm5/create_s.c: Get some default values from `default' principal. * lib/kadm5/ent_setup.c: Add optional default entry to get some values from. Thu Nov 6 00:20:41 1997 Johan Danielsson * lib/error/compile_et.awk: Remove generated destroy_*_error_table prototype * kadmin/kadmind.c: Crude admin server. * kadmin/kadmin.c: Update to use remote protocol. * kadmin/get.c: Fix principal formatting. * lib/kadm5: Add client support. * lib/kadm5/error.c: Error code mapping. * lib/kadm5/server.c: Kadmind support function. * lib/kadm5/marshall.c: Kadm5 marshalling. * lib/kadm5/acl.c: Simple acl system. * lib/kadm5/kadm5_locl.h: Add client stuff. * lib/kadm5/init_s.c: Initialize acl. * lib/kadm5/*: Return values. * lib/kadm5/create_s.c: Correct kvno. Wed Nov 5 22:06:50 1997 Johan Danielsson * lib/krb5/log.c: Fix parsing of log destinations. 
Mon Nov 3 20:33:55 1997 Johan Danielsson * lib/krb5/principal.c: Reduce number of reallocs in unparse_name. Sat Nov 1 01:40:53 1997 Johan Danielsson * kadmin: Simple kadmin utility. * admin/ktutil.c: Print keytype. * lib/kadm5/get_s.c: Set correct n_key_data. * lib/kadm5/init_s.c: Add kadm5_s_init_with_password_ctx. Use master key. * lib/kadm5/destroy_s.c: Check for allocated context. * lib/kadm5/{create,chpass}_s.c: Use _kadm5_set_keys(). Sat Nov 1 00:21:00 1997 Assar Westerlund * configure.in: test for readv, writev Wed Oct 29 23:41:26 1997 Assar Westerlund * lib/krb5/warn.c (_warnerr): handle the case of an illegal error code * kdc/kerberos5.c (encode_reply): return success Wed Oct 29 18:01:59 1997 Johan Danielsson * kdc/kerberos5.c (find_etype) Return correct index of selected etype. Wed Oct 29 04:07:06 1997 Assar Westerlund * Release 0.0k * lib/krb5/context.c (krb5_init_context): support `KRB5_CONFIG' environment variable * *: use the roken_get*-macros from roken.h for the benefit of Crays. * configure.in: add --{enable,disable}-otp. check for compatible prototypes for gethostbyname, gethostbyaddr, getservbyname, and openlog (they have strange prototypes on Crays) * acinclude.m4: new macro `AC_PROTO_COMPAT' Tue Oct 28 00:11:22 1997 Johan Danielsson * kdc/connect.c: Log bad requests. * kdc/kerberos5.c: Move stuff that's in common between as_rep and tgs_rep to separate functions. * kdc/kerberos5.c: Fix user-to-user authentication. * lib/krb5/get_cred.c: Some restructuring of krb5_get_credentials: - add a kdc-options argument to krb5_get_credentials, and rename it to krb5_get_credentials_with_flags - honour the KRB5_GC_CACHED, and KRB5_GC_USER_USER options - add some more user-to-user glue * lib/krb5/rd_req.c: Move parts of krb5_verify_ap_req into a new function, krb5_decrypt_ticket, so it is easier to decrypt and check a ticket without having an ap-req. * lib/krb5/krb5.h: Add KRB5_GC_CACHED, and KRB5_GC_USER_USER flags. 
* lib/krb5/crc.c (crc_init_table): Check if table is already inited. Sun Oct 26 04:51:02 1997 Johan Danielsson * lib/asn1/der_get.c (der_get_length, fix_dce): Special-case indefinite encoding. * lib/asn1/gen_glue.c (generate_units): Check for empty member-list. Sat Oct 25 07:24:57 1997 Johan Danielsson * lib/error/compile_et.awk: Allow specifying table-base. Tue Oct 21 20:21:40 1997 Johan Danielsson * kdc/kerberos5.c: Check version number of krbtgt. Mon Oct 20 01:14:53 1997 Assar Westerlund * lib/krb5/prompter_posix.c (krb5_prompter_posix): implement the case of unhidden prompts. * lib/krb5/str2key.c (string_to_key_internal): return error instead of aborting. always free memory * admin/ktutil.c: add `help' command * admin/kdb_edit.c: implement new commands: add_random_key(ark), change_password(cpw), change_random_key(crk) Thu Oct 16 05:16:36 1997 Assar Westerlund * kpasswd/kpasswdd.c: change all the keys in the database * kdc: removed all unsealing, now done by the hdb layer * lib/hdb/hdb.c: new functions `hdb_create', `hdb_set_master_key' and `hdb_clear_master_key' * admin/misc.c: removed Wed Oct 15 22:47:31 1997 Assar Westerlund * kuser/klist.c: print year as YYYY iff verbose Wed Oct 15 20:02:13 1997 Johan Danielsson * kuser/klist.c: print etype from ticket Mon Oct 13 17:18:57 1997 Johan Danielsson * Release 0.0j * lib/krb5/get_cred.c: Get the subkey from mk_req so it can be used to decrypt the reply from DCE secds. * lib/krb5/auth_context.c: Add {get,set}enctype. * lib/krb5/get_cred.c: Fix for DCE secd. * lib/krb5/store.c: Store keytype twice, as MIT does. * lib/krb5/get_in_tkt.c: Use etype from reply. 
Fri Oct 10 00:39:48 1997 Johan Danielsson * kdc/connect.c: check for leading '/' in http request Tue Sep 30 21:50:18 1997 Assar Westerlund * Release 0.0i Mon Sep 29 15:58:43 1997 Assar Westerlund * lib/krb5/rd_req.c (krb5_rd_req): redone because we don't know the kvno or keytype before receiving the AP-REQ * lib/krb5/mk_safe.c (krb5_mk_safe): figure out what cksumtype to use from the keytype. * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): figure out what cksumtype to use from the keytype. * lib/krb5/mk_priv.c (krb5_mk_priv): figure out what etype to use from the keytype. * lib/krb5/keytab.c (krb5_kt_get_entry): check the keytype * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): figure out what etype to use from the keytype. * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): handle other key types than DES * lib/krb5/encrypt.c (key_type): add `best_cksumtype' (krb5_keytype_to_cksumtype): new function * lib/krb5/build_auth.c (krb5_build_authenticator): figure out what etype to use from the keytype. * lib/krb5/auth_context.c (krb5_auth_con_init): set `cksumtype' and `enctype' to 0 * admin/extkeytab.c (ext_keytab): extract all keys * appl/telnet/telnet/commands.c: INET6_ADDRSTRLEN kludge * configure.in: check for . check for -linet6 Tue Sep 23 03:00:53 1997 Assar Westerlund * lib/krb5/encrypt.c: fix checksumtype for des3-cbc-sha1 * lib/krb5/rd_safe.c: fix check for keyed and collision-proof checksum * lib/krb5/context.c (valid_etype): remove hard-coded constants (default_etypes): include DES3 * kdc/kerberos5.c: fix check for keyed and collision-proof checksum * admin/util.c (init_des_key, set_password): DES3 keys also * lib/krb/send_to_kdc.c (krb5_sendto_kdc): no data returned means no contact? * lib/krb5/addr_families.c: fix typo in `ipv6_anyaddr' Mon Sep 22 11:44:27 1997 Johan Danielsson * kdc/kerberos5.c: Somewhat fix the etype usage. 
The list sent by the client is used to select which key to encrypt the kdc rep with (in case of as-req), and with the server info to select the session key type. The server key the ticket is encrypted with is based purely on the keys in the database. * kdc/string2key.c: Add keytype support. Default to version 5 keys. * lib/krb5/get_in_tkt.c: Fix a lot of etype/keytype misuse. * lib/krb5/encrypt.c: Add des3-cbc-md5, and des3-cbc-sha1. Add many *_to_* functions. * lib/krb5/str2key.c: Add des3 string-to-key. Add ktype argument to krb5_string_to_key(). * lib/krb5/checksum.c: Some cleanup, and added: - rsa-md5-des3 - hmac-sha1-des3 - keyed and collision proof flags to each checksum method - checksum<->string functions. * lib/krb5/generate_subkey.c: Use krb5_generate_random_keyblock. Sun Sep 21 15:19:23 1997 Assar Westerlund * kdc/connect.c: use new addr_families functions * kpasswd/kpasswdd.c: use new addr_families functions. Now works over IPv6 * kuser/klist.c: use correct symbols for address families * lib/krb5/sock_principal.c: use new addr_families functions * lib/krb5/send_to_kdc.c: use new addr_families functions * lib/krb5/krb5.h: add KRB5_ADDRESS_INET6 * lib/krb5/get_addrs.c: use new addr_families functions * lib/krb5/changepw.c: use new addr_families functions. Now works over IPv6 * lib/krb5/auth_context.c: use new addr_families functions * lib/krb5/addr_families.c: new file * acconfig.h: AC_SOCKADDR_IN6 -> AC_STRUCT_SOCKADDR_IN6. Updated uses. * acinclude.m4: new macro `AC_KRB_IPV6'. Use it. Sat Sep 13 23:04:23 1997 Johan Danielsson * kdc/hprop.c: Don't encrypt twice. Complain on non-convertible principals. 
Sat Sep 13 00:59:36 1997 Assar Westerlund * Release 0.0h * appl/telnet/telnet/commands.c: AF_INET6 support * admin/misc.c: new file * lib/krb5/context.c: new configuration variable `max_retries' * lib/krb5/get_addrs.c: fixes and better #ifdef's * lib/krb5/config_file.c: implement krb5_config_get_int * lib/krb5/auth_context.c, send_to_kdc.c, sock_principal.c: AF_INET6 support * kuser/klist.c: support for printing IPv6-addresses * kdc/connect.c: support AF_INET6 * configure.in: test for gethostbyname2 and struct sockaddr_in6 Thu Sep 11 07:25:28 1997 Assar Westerlund * lib/asn1/k5.asn1: Use `METHOD-DATA' instead of `SEQUENCE OF PA-DATA' Wed Sep 10 21:20:17 1997 Johan Danielsson * kdc/kerberos5.c: Fixes for cross-realm, including (but not limited to): - allow client to be non-existent (should probably check for "local realm") - if server isn't found and it is a request for a krbtgt, try to find a realm on the way to the requested realm - update the transited encoding iff client-realm != server-realm != tgt-realm * lib/krb5/get_cred.c: Several fixes for cross-realm. Tue Sep 9 15:59:20 1997 Johan Danielsson * kdc/string2key.c: Fix password handling. * lib/krb5/encrypt.c: krb5_key_to_string Tue Sep 9 07:46:05 1997 Assar Westerlund * lib/krb5/get_addrs.c: rewrote. 
Now should be able to handle aliases and IPv6 addresses * kuser/klist.c: try printing IPv6 addresses * kdc/kerberos5.c: increase the arbitrary limit from 1024 to 8192 * configure.in: check for Mon Sep 8 02:57:14 1997 Assar Westerlund * doc: fixes * admin/util.c (init_des_key): increase kvno (set_password): return -1 if `des_read_pw_string' failed * admin/mod.c (doit2): check the return value from `set_password' * admin/ank.c (doit): don't add a new entry if `set_password' failed Mon Sep 8 02:20:16 1997 Johan Danielsson * lib/krb5/verify_init.c: fix ap_req_nofail semantics * lib/krb5/transited.c: something that might resemble domain-x500-compress Mon Sep 8 01:24:42 1997 Assar Westerlund * kdc/hpropd.c (main): check number of arguments * appl/popper/pop_init.c (pop_init): check number of arguments * kpasswd/kpasswd.c (main): check number of arguments * kdc/string2key.c (main): check number of arguments * kuser/kdestroy.c (main): check number of arguments * kuser/kinit.c (main): check number of arguments * kpasswd/kpasswdd.c (main): use sigaction without SA_RESTART to break out of select when a signal arrives * kdc/main.c (main): use sigaction without SA_RESTART to break out of select when a signal arrives * kdc/kstash.c: default to HDB_DB_DIR "/m-key" * kdc/config.c (configure): add `--version'. Check the number of arguments. Handle the case of there being no specification of port numbers. * admin/util.c: seal and unseal key at appropriate places * admin/kdb_edit.c (main): parse arguments, config file and read master key iff there's one. 
* admin/extkeytab.c (ext_keytab): unseal key while extracting Sun Sep 7 20:41:01 1997 Assar Westerlund * lib/roken/roken.h: include * kdc/kerberos5.c (set_salt_padata): new function * appl/telnet/telnetd/telnetd.c: Rename some variables that conflict with cpp symbols on HP-UX 10.20 * change all calls of `gethostbyaddr' to cast argument 1 to `const char *' * acconfig.h: only use SGTTY on nextstep Sun Sep 7 14:33:50 1997 Johan Danielsson * kdc/kerberos5.c: Check invalid flag. Fri Sep 5 14:19:38 1997 Johan Danielsson * lib/krb5/verify_user.c: Use get_init_creds/verify_init_creds. * lib/kafs: Move functions common to krb/krb5 modules to new file, and make things more modular. * lib/krb5/krb5.h: rename STRING -> krb5_config_string, and LIST -> krb5_config_list Thu Sep 4 23:39:43 1997 Johan Danielsson * lib/krb5/get_addrs.c: Fix loopback test. Thu Sep 4 04:45:49 1997 Assar Westerlund * lib/roken/roken.h: fallback definition of `O_ACCMODE' * lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful when checking for a v4 reply Wed Sep 3 18:20:14 1997 Johan Danielsson * kdc/hprop.c: Add `--decrypt' and `--encrypt' flags. * lib/hdb/hdb.c: new {seal,unseal}_keys functions * kdc/{hprop,hpropd}.c: Add support to dump database to stdout. * kdc/hprop.c: Don't use same master key as version 4. * admin/util.c: Don't dump core if no `default' is found. Wed Sep 3 16:01:07 1997 Johan Danielsson * kdc/connect.c: Allow run time port specification. * kdc/config.c: Add flags for http support, and port specifications. Tue Sep 2 02:00:03 1997 Assar Westerlund * include/bits.c: Don't generate ifndef's in bits.h. Instead, use them when building the program. This makes it possible to include bits.h without having defined all HAVE_INT17_T symbols. * configure.in: test for sigaction * doc: updated documentation. 
Tue Sep 2 00:20:31 1997 Johan Danielsson * Release 0.0g Mon Sep 1 17:42:14 1997 Johan Danielsson * lib/krb5/data.c: don't return ENOMEM if len == 0 Sun Aug 31 17:15:49 1997 Johan Danielsson * lib/hdb/hdb.asn1: Include salt type in salt. * kdc/hprop.h: Change port to 754. * kdc/hpropd.c: Verify who tries to transmit a database. * appl/popper: Use getarg and krb5_log. * lib/krb5/get_port.c: Add context parameter. Now takes port in host byte order. Sat Aug 30 18:48:19 1997 Johan Danielsson * kdc/connect.c: Add timeout to select, and log about expired tcp connections. * kdc/config.c: Add `database' option. * kdc/hpropd.c: Log about duplicate entries. * lib/hdb/{db,ndbm}.c: Use common routines. * lib/hdb/common.c: Implement more generic fetch/store/delete functions. * lib/hdb/hdb.h: Add `replace' parameter to store. * kdc/connect.c: Set file descriptor to -1 on allocated descriptor entries. Fri Aug 29 03:13:23 1997 Assar Westerlund * lib/krb5/get_in_tkt.c: extract_ticket -> _krb5_extract_ticket * aux/make-proto.pl: fix __P for stone age mode Fri Aug 29 02:45:46 1997 Johan Danielsson * lib/45/mk_req.c: implementation of krb_mk_req that uses 524 protocol * lib/krb5/init_creds_pw.c: make change_password and get_init_creds_common static * lib/krb5/krb5.h: Merge stuff from removed headerfiles. * lib/krb5/fcache.c: fcc_ops -> krb5_fcc_ops * lib/krb5/mcache.c: mcc_ops -> krb5_mcc_ops Fri Aug 29 01:45:25 1997 Johan Danielsson * lib/krb5/krb5.h: Remove all prototypes. * lib/krb5/convert_creds.c: Use `struct credentials' instead of `CREDENTIALS'. Fri Aug 29 00:08:18 1997 Assar Westerlund * lib/asn1/gen_glue.c: new file. generates 2int and int2 functions and units for bit strings. 
* admin/util.c: flags2int, int2flags, and flag_units are now generated by asn1_compile * lib/roken/parse_units.c: generalised `parse_units' and `unparse_units' and added new functions `parse_flags' and `unparse_flags' that use these * lib/krb5/krb5_locl.h: moved krb5_data* functions to krb5.h * admin/util.c: Use {un,}parse_flags for printing and parsing hdbflags. Thu Aug 28 03:26:12 1997 Assar Westerlund * lib/krb5/get_addrs.c: restructured * lib/krb5/warn.c (_warnerr): leak less memory * lib/hdb/hdb.c (hdb_free_entry): zero keys (hdb_check_db_format): leak less memory * lib/hdb/ndbm.c (NDBM_seq): check for valid hdb_entries implement NDBM__get, NDBM__put * lib/hdb/db.c (DB_seq): check for valid hdb_entries Thu Aug 28 02:06:58 1997 Johan Danielsson * lib/krb5/send_to_kdc.c: Don't use sendto on connected sockets. Thu Aug 28 01:13:17 1997 Assar Westerlund * kuser/kinit.1, klist.1, kdestroy.1: new man pages * kpasswd/kpasswd.1, kpasswdd.8: new man pages * kdc/kstash.8, hprop.8, hpropd.8: new man pages * admin/ktutil.8, admin/kdb_edit.8: new man pages * admin/mod.c: new file * admin/life.c: renamed gettime and puttime to getlife and putlife and moved them to life.c * admin/util.c: add print_flags, parse_flags, init_entry, set_created_by, set_modified_by, edit_entry, set_password. Use them. * admin/get.c: use print_flags * admin: removed unused stuff. use krb5_{warn,err}* * admin/ank.c: re-organized and abstracted. * admin/gettime.c: removed Thu Aug 28 00:37:39 1997 Johan Danielsson * lib/krb5/{get_cred,get_in_tkt}.c: Check for v4 reply. * lib/roken/base64.c: Add base64 functions. * kdc/connect.c lib/krb5/send_to_kdc.c: Add http support. Wed Aug 27 00:29:20 1997 Johan Danielsson * include/Makefile.am: Don't make links to built files. * admin/kdb_edit.c: Add command to set the database path. * lib/hdb: Include version number in database. Tue Aug 26 20:14:54 1997 Johan Danielsson * admin/ktutil: Merged v4 srvtab conversion. 
Mon Aug 25 23:02:18 1997 Assar Westerlund * lib/roken/roken.h: add F_OK * lib/gssapi/acquire_creds.c: fix typo * configure.in: call AC_TYPE_MODE_T * acinclude.m4: Add AC_TYPE_MODE_T Sun Aug 24 16:46:53 1997 Assar Westerlund * Release 0.0f Sun Aug 24 08:06:54 1997 Assar Westerlund * appl/popper/pop_pass.c: log poppers * kdc/kaserver.c: some more checks * kpasswd/kpasswd.c: removed `-p' * kuser/kinit.c: removed `-p' * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): If KDC_ERR_PREUATH_REQUIRED, add preauthentication and try again. * lib/krb5/get_in_tkt.c (krb5_get_in_cred): don't print out krb-error text * lib/gssapi/import_name.c (input_name): more names types. * admin/load.c (parse_keys): handle the case of an empty salt * kdc/kaserver.c: fix up memory deallocation * kdc/kaserver.c: quick hack at talking kaserver protocol * kdc/kerberos4.c: Make `db-fetch4' global * configure.in: add --enable-kaserver * kdc/rx.h, kdc/kerberos4.h: new header files * lib/krb5/principal.c: fix krb5_build_principal_ext & c:o Sun Aug 24 03:52:44 1997 Johan Danielsson * lib/krb5/{get_in_tkt,mk_safe,mk_priv}.c: Fix some Cray specific type conflicts. * lib/krb5/{get_cred,get_in_tkt}.c: Mask nonce to 32 bits. * lib/des/{md4,md5,sha}.c: Now works on Crays. Sat Aug 23 18:15:01 1997 Johan Danielsson * appl/afsutil/afslog.c: If no cells or files specified, get tokens for all local cells. Better test for files. Thu Aug 21 23:33:38 1997 Assar Westerlund * lib/gssapi/v1.c: new file with v1 compatibility functions. Thu Aug 21 20:36:13 1997 Johan Danielsson * lib/kafs/afskrb5.c: Don't check ticket file for afs ticket. * kdc/kerberos4.c: Check database when converting v4 principals. * kdc/kerberos5.c: Include kvno in Ticket. * lib/krb5/encrypt.c: Add kvno parameter to encrypt_EncryptedData. * kuser/klist.c: Print version number of ticket, include more flags. Wed Aug 20 21:26:58 1997 Johan Danielsson * lib/kafs/afskrb5.c (get_cred): Check cached afs tickets for expiration. 
Wed Aug 20 17:40:31 1997 Assar Westerlund * lib/krb5/recvauth.c (krb5_recvauth): Send a KRB-ERROR iff there's an error. * lib/krb5/sendauth.c (krb5_sendauth): correct the protocol documentation and process KRB-ERROR's Tue Aug 19 20:41:30 1997 Johan Danielsson * kdc/kerberos4.c: Fix memory leak in v4 protocol handler. Mon Aug 18 05:15:09 1997 Assar Westerlund * lib/gssapi/accept_sec_context.c: Added `gsskrb5_register_acceptor_identity' Sun Aug 17 01:40:20 1997 Assar Westerlund * lib/gssapi/accept_sec_context.c (gss_accept_sec_context): don't always pass server == NULL to krb5_rd_req. * lib/gssapi: new files: canonicalize_name.c export_name.c context_time.c compare_name.c release_cred.c acquire_cred.c inquire_cred.c, from Luke Howard * lib/krb5/config_file.c: Add netinfo support from Luke Howard * lib/editline/sysunix.c: sgtty-support from Luke Howard * lib/krb5/principal.c: krb5_sname_to_principal fix from Luke Howard Sat Aug 16 00:44:47 1997 Assar Westerlund * Release 0.0e Sat Aug 16 00:23:46 1997 Johan Danielsson * appl/afsutil/afslog.c: Use new libkafs. * lib/kafs/afskrb5.c: Get AFS tokens via 524 protocol. * lib/krb5/warn.c: Fix format string for *x type. Fri Aug 15 22:15:01 1997 Assar Westerlund * admin/get.c (get_entry): print more information about the entry * lib/des/Makefile.am: build destest, mdtest, des, rpw, speed * lib/krb5/config_file.c: new functions `krb5_config_get_time' and `krb5_config_vget_time'. Use them. Fri Aug 15 00:09:37 1997 Johan Danielsson * admin/ktutil.c: Keytab manipulation program. * lib/krb5/keytab.c: Return sane values from resolve and start_seq_get. * kdc/kerberos5.c: Fix for old clients passing 0 for `no endtime'. * lib/45/get_ad_tkt.c: Kerberos 4 get_ad_tkt using krb524_convert_creds_kdc. * lib/krb5/convert_creds.c: Implementation of krb524_convert_creds_kdc. * lib/asn1/k5.asn1: Make kdc-req-body.till OPTIONAL * kdc/524.c: A somewhat working 524-protocol module. 
* kdc/kerberos4.c: Add version 4 ticket encoding and encryption functions. * lib/krb5/context.c: Fix kdc_timeout. * lib/hdb/{ndbm,db}.c: Free name in close. * kdc/kerberos5.c (tgs_check_autenticator): Return error code Thu Aug 14 21:29:03 1997 Johan Danielsson * kdc/kerberos5.c (tgs_make_reply): Fix endtime in reply. * lib/krb5/store_emem.c: Fix reallocation bug. Tue Aug 12 01:29:46 1997 Assar Westerlund * appl/telnet/libtelnet/kerberos5.c, appl/popper/pop_init.c: Use `krb5_sock_to_principal'. Send server parameter to krb5_rd_req/krb5_recvauth. Set addresses in auth_context. * lib/krb5/recvauth.c: Set addresses in auth_context if there aren't any * lib/krb5/auth_context.c: New function `krb5_auth_con_setaddrs_from_fd' * lib/krb5/sock_principal.c: new function `krb5_sock_to_principal' * lib/krb5/time.c: new file with `krb5_timeofday' and `krb5_us_timeofday'. Use these functions. * kuser/klist.c: print KDC offset iff verbose * lib/krb5/get_in_tkt.c: implement KDC time offset and use it if [libdefaults]kdc_timesync is set. * lib/krb5/fcache.c: Implement version 4 of the ccache format. Mon Aug 11 05:34:43 1997 Assar Westerlund * lib/krb5/rd_rep.c (krb5_free_ap_rep_enc_part): free all memory * lib/krb5/principal.c (krb5_unparse_name): allocate memory properly * kpasswd/kpasswd.c: Use `krb5_change_password' * lib/krb5/init_creds_pw.c (init_cred): set realm of server correctly. * lib/krb5/init_creds_pw.c: support changing of password when it has expired * lib/krb5/changepw.c: new file * kuser/klist.c: use getarg * admin/init.c (init): add `kadmin/changepw' Mon Aug 11 04:30:47 1997 Johan Danielsson * lib/krb5/get_cred.c: Make get_credentials handle cross-realm. Mon Aug 11 00:03:24 1997 Assar Westerlund * lib/krb5/config_file.c: implement support for #-comments Sat Aug 9 02:21:46 1997 Johan Danielsson * kdc/hprop*.c: Add database propagation programs. * kdc/connect.c: Max request size. 
Sat Aug 9 00:47:28 1997 Assar Westerlund * lib/otp: resurrected from krb4 * appl/push: new program for fetching mail with POP. * appl/popper/popper.h: new include files. new fields in `POP' * appl/popper/pop_pass.c: Implement both v4 and v5. * appl/popper/pop_init.c: Implement both v4 and v5. * appl/popper/pop_debug.c: use getarg. Talk both v4 and v5 * appl/popper: Popper from krb4. * configure.in: check for inline and generate files in appl/popper, appl/push, and lib/otp Fri Aug 8 05:51:02 1997 Assar Westerlund * lib/krb5/get_cred.c: clean-up and try to free memory even when there're errors * lib/krb5/get_cred.c: adapt to new `extract_ticket' * lib/krb5/get_in_tkt.c: reorganize. check everything and try to return memory even if there are errors. * kuser/kverify.c: new file * lib/krb5/free_host_realm.c: new file * lib/krb5/principal.c (krb5_sname_to_principal): implement different nametypes. Also free memory. * lib/krb5/verify_init.c: more functionality * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): free the checksum * lib/krb5/get_in_tkt.c (extract_ticket): don't copy over the principals in creds. Should also compare them with that received from the KDC * lib/krb5/cache.c (krb5_cc_gen_new): copy the newly allocated krb5_ccache (krb5_cc_destroy): call krb5_cc_close (krb5_cc_retrieve_cred): delete the unused creds Fri Aug 8 02:30:40 1997 Johan Danielsson * lib/krb5/log.c: Allow better control of destinations of logging (like passing explicit destinations, and log-functions). Fri Aug 8 01:20:39 1997 Assar Westerlund * lib/krb5/get_default_principal.c: new file * kpasswd/kpasswdd.c: use krb5_log* Fri Aug 8 00:37:47 1997 Johan Danielsson * lib/krb5/init_creds_pw.c: Implement krb5_get_init_creds_keytab. Fri Aug 8 00:37:17 1997 Assar Westerlund * lib/krb5/init_creds_pw.c: Use `krb5_get_default_principal'. Print password expire information. 
* kdc/config.c: new variable `kdc_warn_pwexpire' * kpasswd/kpasswd.c: converted to getarg and get_init_creds Thu Aug 7 22:17:09 1997 Assar Westerlund * lib/krb5/mcache.c: new file * admin/gettime.c: new function puttime. Use it. * lib/krb5/keyblock.c: Added krb5_free_keyblock and krb5_copy_keyblock * lib/krb5/init_creds_pw.c: more functionality * lib/krb5/creds.c: Added krb5_free_creds_contents and krb5_copy_creds. Changed callers. * lib/krb5/config_file.c: new functions krb5_config_get and krb5_config_vget * lib/krb5/cache.c: cleanup added mcache * kdc/kerberos5.c: include last-req's of type 6 and 7, if applicable Wed Aug 6 20:38:23 1997 Johan Danielsson * lib/krb5/log.c: New parameter `log-level'. Default to `SYSLOG'. Tue Aug 5 22:53:54 1997 Assar Westerlund * lib/krb5/verify_init.c, init_creds_pw.c, init_creds.c, prompter_posix.c: the beginning of an implementation of the cygnus initial-ticket API. * lib/krb5/get_in_tkt_pw.c: make `krb5_password_key_proc' global * lib/krb5/get_in_tkt.c (krb5_get_in_cred): new function that is almost krb5_get_in_tkt but doesn't write the creds to the ccache. Small fixes in krb5_get_in_tkt * lib/krb5/get_addrs.c (krb5_get_all_client_addrs): don't include loopback. Mon Aug 4 20:20:48 1997 Johan Danielsson * kdc: Make context global. Fri Aug 1 17:23:56 1997 Assar Westerlund * Release 0.0d * lib/roken/flock.c: new file * kuser/kinit.c: check for and print expiry information in the `kdc_rep' * lib/krb5/get_in_tkt.c: Set `ret_as_reply' if != NULL * kdc/kerberos5.c: Check the valid times on client and server. Check the password expiration. Check the require_preauth flag. Send an lr_type == 6 with pw_end. Set key.expiration to min(valid_end, pw_end) * lib/hdb/hdb.asn1: new flags `require_preauth' and `change_pw' * admin/util.c, admin/load.c: handle the new flags. Fri Aug 1 16:56:12 1997 Johan Danielsson * lib/hdb: Add some simple locking. Sun Jul 27 04:44:31 1997 Johan Danielsson * lib/krb5/log.c: Add some general logging functions. 
* kdc/kerberos4.c: Add version 4 protocol handler. The requirement for this to work is that all involved principals have a des key in the database, and that the client has a version 4 (un-)salted key. Furthermore krb5_425_conv_principal has to do its job; at present it's not very clever. * lib/krb5/principal.c: Quick patch to make 425_conv work somewhat. * lib/hdb/hdb.c: Add keytype->key and next key functions. Fri Jul 25 17:32:12 1997 Assar Westerlund * lib/krb5/build_auth.c (krb5_build_authenticator): don't free `cksum'. It's allocated and freed by the caller * lib/krb5/get_cred.c (krb5_get_kdc_cred): Don't free `addresses'. * kdc/kerberos5.c (tgs_rep2): make sure we also have a defined `client' to return as part of the KRB-ERROR Thu Jul 24 08:13:59 1997 Johan Danielsson * kdc/kerberos5.c: Unseal keys from database before use. * kdc/misc.c: New functions set_master_key, unseal_key and free_key. * lib/roken/getarg.c: Handle `-f arg' correctly. Thu Jul 24 01:54:43 1997 Assar Westerlund * kuser/kinit.c: implement `-l' aka `--lifetime' * lib/roken/parse_units.c, parse_time.c: new files * admin/gettime.c (gettime): use `parse_time' * kdc/kerberos5.c (as_rep): Use `METHOD-DATA' when sending KRB5KDC_ERR_PREAUTH_REQUIRED, not PA-DATA. * kpasswd/kpasswdd.c: fix freeing bug use sequence numbers set addresses in auth_context bind one socket per interface. * kpasswd/kpasswd.c: use sequence numbers * lib/krb5/rd_req.c (krb5_verify_ap_req): do abs when verifying the timestamps * lib/krb5/rd_priv.c (krb5_rd_priv): Fetch the correct session key from auth_context * lib/krb5/mk_priv.c (krb5_mk_priv): Fetch the correct session key from auth_context * lib/krb5/mk_error.c (krb5_mk_error): return an error number and not a comerr'd number. * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): interpret the error number in KRB-ERROR correctly. * lib/krb5/get_cred.c (krb5_get_kdc_cred): interpret the error number in KRB-ERROR correctly. 
* lib/asn1/k5.asn1: Add `METHOD-DATA' * removed some memory leaks. Wed Jul 23 07:53:18 1997 Assar Westerlund * Release 0.0c * lib/krb5/rd_cred.c, get_for_creds.c: new files * lib/krb5/get_host_realm.c: try default realm as last chance * kpasswd/kpasswdd.c: updated to hdb changes * appl/telnet/libtelnet/kerberos5.c: Implement forwarding * appl/telnet/libtelnet: removed totally unused files * admin/ank.c: fix prompts and generation of random keys Wed Jul 23 04:02:32 1997 Johan Danielsson * admin/dump.c: Include salt in dump. * admin: Mostly updated for new db-format. * kdc/kerberos5.c: Update to use new db format. Better checking of flags and such. More logging. * lib/hdb/hdb.c: Use generated encode and decode functions. * lib/hdb/hdb.h: Get hdb_entry from ASN.1 generated code. * lib/krb5/get_cred.c: Get addresses from krbtgt if there are none in the reply. Sun Jul 20 16:22:30 1997 Assar Westerlund * kuser/kinit.c: break if des_read_pw_string() != 0 * kpasswd/kpasswdd.c: send a reply * kpasswd/kpasswd.c: restructured code. better report on krb-error break if des_read_pw_string() != 0 * kdc/kerberos5.c: Check `require_enc_timestamp' malloc space for starttime and renew_till * appl/telnet/libtelnet/kerberos5.c (kerberos5_is): Send a keyblock to krb5_verify_chekcsum Sun Jul 20 06:35:46 1997 Johan Danielsson * Release 0.0b * kpasswd/kpasswd.c: Avoid using non-standard struct names. Sat Jul 19 19:26:23 1997 Assar Westerlund * lib/krb5/keytab.c (krb5_kt_get_entry): check return from `krb5_kt_start_seq_get'. From Sat Jul 19 04:07:39 1997 Johan Danielsson * lib/asn1/k5.asn1: Update with more pa-data types from draft-ietf-cat-kerberos-revisions-00.txt * admin/load.c: Update to match current db-format. * kdc/kerberos5.c (as_rep): Try all valid pa-datas before giving up. Send back an empty pa-data if the client has the v4 flag set. * lib/krb5/get_in_tkt.c: Pass both version5 and version4 salted pa-data. DTRT if there is any pa-data in the reply. 
* lib/krb5/str2key.c: XOR with some sane value. * lib/hdb/hdb.h: Add `version 4 salted key' flag. * kuser/kinit.c: Ask for password before calling get_in_tkt. This makes it possible to call key_proc more than once. * kdc/string2key.c: Add flags to output version 5 (DES only), version 4, and AFS string-to-key of a password. * lib/asn1/gen_copy.c: copy_* functions now returns an int (0 or ENOMEM). Fri Jul 18 02:54:58 1997 Assar Westerlund * lib/krb5/get_host_realm.c (krb5_get_host_realm): do the name2name thing * kdc/misc.c: check result of hdb_open * admin/kdb_edit: updated to new sl * lib/sl: sl_func now returns an int. != 0 means to exit. * kpasswd/kpasswdd: A crude (but somewhat working) implementation of `draft-ietf-cat-kerb-chg-password-00.txt' Fri Jul 18 00:55:39 1997 Johan Danielsson * kuser/krenew.c: Crude ticket renewing program. * kdc/kerberos5.c: Rewritten flags parsing, it now might work to get forwarded and renewed tickets. * kuser/kinit.c: Add `-r' flag. * lib/krb5/get_cred.c: Move most of contents of get_creds to new function get_kdc_cred, that always contacts the kdc and doesn't save in the cache. This is a hack. * lib/krb5/get_in_tkt.c: Pass starttime and renew_till in request (a bit kludgy). * lib/krb5/mk_req_ext.c: Make an auth_context if none passed in. * lib/krb5/send_to_kdc.c: Get timeout from context. * lib/krb5/context.c: Add kdc_timeout to context struct. Thu Jul 17 20:35:45 1997 Johan Danielsson * kuser/klist.c: Print start time of ticket if available. * lib/krb5/get_host_realm.c: Return error if no realm was found. Thu Jul 17 20:28:21 1997 Assar Westerlund * kpasswd: non-working kpasswd added Thu Jul 17 00:21:22 1997 Johan Danielsson * Release 0.0a * kdc/main.c: Add -p flag to disable pa-enc-timestamp requirement. Wed Jul 16 03:37:41 1997 Johan Danielsson * kdc/kerberos5.c (tgs_rep2): Free ticket and ap_req. * lib/krb5/auth_context.c (krb5_auth_con_free): Free remote subkey. * lib/krb5/principal.c (krb5_free_principal): Check for NULL. 
* lib/krb5/send_to_kdc.c: Check for NULL return from gethostbyname. * lib/krb5/set_default_realm.c: Try to get realm of local host if no default realm is available. * Remove non ASN.1 principal code. Wed Jul 16 03:17:30 1997 Johan Danielsson * kdc/kerberos5.c: Split tgs_rep in smaller functions. Add better error handling. Do some logging. * kdc/log.c: Some simple logging facilities. * kdc/misc.c (db_fetch): Take a krb5_principal. * kdc/connect.c: Pass address of request to as_rep and tgs_rep. Send KRB-ERROR. * lib/krb5/mk_error.c: Add more fields. * lib/krb5/get_cred.c: Print normal error code if no e_text is available. Wed Jul 16 03:07:50 1997 Assar Westerlund * lib/krb5/get_in_tkt.c: implement `krb5_init_etype'. Change encryption type of pa_enc_timestamp to DES-CBC-MD5 * lib/krb5/context.c: recognize all encryption types actually implemented * lib/krb5/auth_context.c (krb5_auth_con_init): Change default encryption type to `DES_CBC_MD5' * lib/krb5/read_message.c, write_message.c: new files Tue Jul 15 17:14:21 1997 Assar Westerlund * lib/asn1: replaced asn1_locl.h by `der_locl.h' and `gen_locl.h'. * lib/error/compile_et.awk: generate a prototype for the `destroy_foo_error_table' function. Mon Jul 14 12:24:40 1997 Assar Westerlund * lib/krb5/krbhst.c (krb5_get_krbhst): Get all kdc's and try also with `kerberos.REALM' * kdc/kerberos5.c, lib/krb5/rd_priv.c, lib/krb5/rd_safe.c: use `max_skew' * lib/krb5/rd_req.c (krb5_verify_ap_req): record authenticator subkey * lib/krb5/build_auth.c (krb5_build_authenticator): always generate a subkey. * lib/krb5/address.c: implement `krb5_address_order' * lib/gssapi/import_name.c: Implement `gss_import_name' * lib/gssapi/external.c: Use new OID * lib/gssapi/encapsulate.c: New functions `gssapi_krb5_encap_length' and `gssapi_krb5_make_header'. Changed callers. * lib/gssapi/decapsulate.c: New function `gssaspi_krb5_verify_header'. Changed callers. * lib/asn1/gen*.c: Give tags to generated structs. 
Use `err' and `asprintf' * appl/test/gss_common.c: new file * appl/test/gssapi_server.c: removed all krb5 calls * appl/telnet/libtelnet/kerberos5.c: Add support for generating and verifying checksums. Also start using session subkeys. Mon Jul 14 12:08:25 1997 Johan Danielsson * lib/krb5/rd_req.c (krb5_rd_req_with_keyblock): Split up. Sun Jul 13 03:07:44 1997 Assar Westerlund * lib/krb5/rd_safe.c, mk_safe.c: made bug-compatible with MIT * lib/krb5/encrypt.c: new functions `DES_encrypt_null_ivec' and `DES_encrypt_key_ivec' * lib/krb5/checksum.c: implement rsa-md4-des and rsa-md5-des * kdc/kerberos5.c (tgs_rep): support keyed checksums * lib/krb5/creds.c: new file * lib/krb5/get_in_tkt.c: better freeing * lib/krb5/context.c (krb5_free_context): more freeing * lib/krb5/config_file.c: New function `krb5_config_file_free' * lib/error/compile_et.awk: Generate a `destroy_' function. * kuser/kinit.c, klist.c: Don't leak memory. Sun Jul 13 02:46:27 1997 Johan Danielsson * kdc/connect.c: Check filedescriptor in select. * kdc/kerberos5.c: Remove most of the most common memory leaks. * lib/krb5/rd_req.c: Free allocated data. * lib/krb5/auth_context.c (krb5_auth_con_free): Free a lot of fields. Sun Jul 13 00:32:16 1997 Assar Westerlund * appl/telnet: Conditionalize the krb4-support. * configure.in: Test for krb4 Sat Jul 12 17:14:12 1997 Assar Westerlund * kdc/kerberos5.c: check if the pre-auth was decrypted properly. set the `pre_authent' flag * lib/krb5/get_cred.c, lib/krb5/get_in_tkt.c: generate a random nonce. * lib/krb5/encrypt.c: Made `generate_random_block' global. * appl/test: Added gssapi_client and gssapi_server. * lib/krb5/data.c: Add `krb5_data_zero' * appl/test/tcp_client.c: try `mk_safe' and `mk_priv' * appl/test/tcp_server.c: try `rd_safe' and `rd_priv' Sat Jul 12 16:45:58 1997 Johan Danielsson * lib/krb5/get_addrs.c: Fix for systems that have sa_len, but return zero length from SIOCGIFCONF. 
Sat Jul 12 16:38:34 1997 Assar Westerlund * appl/test: new programs * lib/krb5/rd_req.c: add address compare * lib/krb5/mk_req_ext.c: allow no checksum * lib/krb5/keytab.c (krb5_kt_ret_string): 0-terminate string * lib/krb5/address.c: fix `krb5_address_compare' Sat Jul 12 15:03:16 1997 Johan Danielsson * lib/krb5/get_addrs.c: Fix ip4 address extraction. * kuser/klist.c: Add verbose flag, and split main into smaller pieces. * lib/krb5/fcache.c: Save ticket flags. * lib/krb5/get_in_tkt.c (extract_ticket): Extract addresses and flags. * lib/krb5/krb5.h: Add ticket_flags to krb5_creds. Sat Jul 12 13:12:48 1997 Assar Westerlund * configure.in: Call `AC_KRB_PROG_LN_S' * acinclude.m4: Add `AC_KRB_PROG_LN_S' from krb4 Sat Jul 12 00:57:01 1997 Johan Danielsson * lib/krb5/get_in_tkt.c: Use union of krb5_flags and KDCOptions to pass options. Fri Jul 11 15:04:22 1997 Assar Westerlund * appl/telnet: telnet & telnetd seems to be working. * lib/krb5/config_file.c: Added krb5_config_v?get_list Fixed krb5_config_vget_next * appl/telnet/libtelnet/kerberos5.c: update to current API Thu Jul 10 14:54:39 1997 Assar Westerlund * appl/telnet/libtelnet/kerberos5.c (kerberos5_status): call `krb5_kuserok' * appl/telnet: Added. Thu Jul 10 05:09:25 1997 Johan Danielsson * lib/error/compile_et.awk: Remove usage of sub, gsub, and functions for compatibility with awk. * include/bits.c: Must use signed char. * lib/krb5/context.c: Move krb5_get_err_text, and krb5_init_ets here. * lib/error/error.c: Replace krb5_get_err_text with new function com_right. * lib/error/compile_et.awk: Avoid using static variables. * lib/error/error.c: Don't use krb5_locl.h * lib/error/error.h: Move definitions of error_table and error_list from krb5.h. * lib/error: Moved from lib/krb5. Wed Jul 9 07:42:04 1997 Johan Danielsson * lib/krb5/encrypt.c: Temporary hack to avoid des_rand_data. 
Wed Jul 9 06:58:00 1997 Assar Westerlund * lib/krb5/{rd,mk}_{*}.c: more checking for addresses and stuff according to pseudocode from 1510 Wed Jul 9 06:06:06 1997 Johan Danielsson * lib/hdb/hdb.c: Add hdb_etype2key. * kdc/kerberos5.c: Check authenticator. Use more general etype functions. Wed Jul 9 03:51:12 1997 Assar Westerlund * lib/asn1/k5.asn1: Made all `s_address' OPTIONAL according to draft-ietf-cat-kerberos-r-00.txt * lib/krb5/principal.c (krb5_parse_name): default to local realm if none given * kuser/kinit.c: New option `-p' and prompt Wed Jul 9 02:30:06 1997 Johan Danielsson * lib/krb5/keyblock.c: Keyblock generation functions. * lib/krb5/encrypt.c: Use functions from checksum.c. * lib/krb5/checksum.c: Move checksum functions here. Add krb5_cksumsize function. Wed Jul 9 01:15:38 1997 Assar Westerlund * lib/krb5/get_host_realm.c: implemented * lib/krb5/config_file.c: Redid part. New functions: krb5_config_v?get_next * kuser/kdestroy.c: new program * kuser/kinit.c: new flag `-f' * lib/asn1/k5.asn1: Made HostAddresses = SEQUENCE OF HostAddress * acinclude.m4: Added AC_KRB_STRUCT_SOCKADDR_SA_LEN * lib/krb5/krb5.h: krb5_addresses == HostAddresses. Changed all users. * lib/krb5/get_addrs.c: figure out all local addresses, possibly even IPv6! * lib/krb5/checksum.c: table-driven checksum Mon Jul 7 21:13:28 1997 Johan Danielsson * lib/krb5/encrypt.c: Make krb5_decrypt use the same struct as krb5_encrypt. Mon Jul 7 11:15:51 1997 Assar Westerlund * lib/roken/vsyslog.c: new file * lib/krb5/encrypt.c: add des-cbc-md4. adjust krb5_encrypt and krb5_decrypt to reality Mon Jul 7 02:46:31 1997 Johan Danielsson * lib/krb5/encrypt.c: Implement as a vector of function pointers. * lib/krb5/{decrypt,encrypt}.c: Implement des-cbc-crc, and des-cbc-md5 in separate functions. * lib/krb5/krb5.h: Add more checksum and encryption types. * lib/krb5/krb5_locl.h: Add etype to krb5_decrypt. 
Sun Jul 6 23:02:59 1997 Assar Westerlund * lib/krb5/[gs]et_default_realm.c, kuserok.c: new files * lib/krb5/config_file.[ch]: new c-based configuration reading stuff Wed Jul 2 23:12:56 1997 Assar Westerlund * configure.in: Set WFLAGS if using gcc Wed Jul 2 17:47:03 1997 Johan Danielsson * lib/asn1/der_put.c (der_put_int): Return size correctly. * admin/ank.c: Be compatible with the asn1 principal format. Wed Jul 1 23:52:20 1997 Johan Danielsson * lib/asn1: All decode_* and encode_* functions now take a final size_t* argument, that they return the size in. Return values are zero for success, and anything else (such as some ASN1_* constant) for error. Mon Jun 30 06:08:14 1997 Assar Westerlund * lib/krb5/keytab.c (krb5_kt_add_entry): change open mode to O_WRONLY | O_APPEND * lib/krb5/get_cred.c: removed stale prototype for `extract_ticket' and corrected call. * lib/asn1/gen_length.c (length_type): Make the length functions for SequenceOf non-destructive * admin/ank.c (doit): Fix reading of `y/n'. Mon Jun 16 05:41:43 1997 Assar Westerlund * lib/gssapi/wrap.c, unwrap.c: do encrypt and add sequence number * lib/gssapi/get_mic.c, verify_mic.c: Add sequence number. * lib/gssapi/accept_sec_context.c (gss_accept_sec_context): Set KRB5_AUTH_CONTEXT_DO_SEQUENCE. Verify 8003 checksum. * lib/gssapi/8003.c: New file. * lib/krb/krb5.h: Define a `krb_authenticator' as an ASN.1 Authenticator. * lib/krb5/auth_context.c: New functions `krb5_auth_setlocalseqnumber' and `krb5_auth_setremoteseqnumber' Tue Jun 10 00:35:54 1997 Johan Danielsson * lib/krb5: Prepare for use of some asn1-types. * lib/asn1/*.c (copy_*): Constness. * lib/krb5/krb5.h: Include asn1.h; krb5_data is now an octet_string. * lib/asn1/der*,gen.c: krb5_data -> octet_string, char * -> general_string * lib/asn1/libasn1.h: Moved stuff from asn1_locl.h that doesn't have anything to do with asn1_compile. * lib/asn1/asn1_locl.h: Remove der.h. Add some prototypes. 
Sun Jun 8 03:51:55 1997 Assar Westerlund * kdc/kerberos5.c: Fix PA-ENC-TS-ENC * kdc/connect.c(process_request): Set `new' * lib/krb5/get_in_tkt.c: Do PA-ENC-TS-ENC the correct way. * lib: Added editline,sl,roken. Mon Jun 2 00:37:48 1997 Johan Danielsson * lib/krb5/fcache.c: Move file cache from cache.c. * lib/krb5/cache.c: Allow more than one cache type. Sun Jun 1 23:45:33 1997 Johan Danielsson * admin/extkeytab.c: Merged with kdb_edit. Sun Jun 1 23:23:08 1997 Assar Westerlund * kdc/kdc.c: more support for ENC-TS-ENC * lib/krb5/get_in_tkt.c: redone to enable pre-authentication Sun Jun 1 22:45:11 1997 Johan Danielsson * lib/hdb/db.c: Merge fetch and store. * admin: Merge to one program. * lib/krb5/str2key.c: Fill in keytype and length. Sun Jun 1 16:31:23 1997 Assar Westerlund * lib/krb5/rd_safe.c, lib/krb5/rd_priv.c, lib/krb5/mk_rep.c, lib/krb5/mk_priv.c, lib/krb5/build_auth.c: Some support for KRB5_AUTH_CONTEXT_DO_SEQUENCE * lib/krb5/get_in_tkt.c (get_in_tkt): be prepared to parse an KRB_ERROR. Some support for PA_ENC_TS_ENC. * lib/krb5/auth_context.c: implemented seq_number functions * lib/krb5/generate_subkey.c, generate_seq_number.c: new files * lib/gssapi/gssapi.h: avoid including * lib/asn1/Makefile.am: SUFFIXES as a variable to make automake happy * kdc/kdc.c: preliminary PREAUTH_ENC_TIMESTAMP * configure.in: adapted to automake 1.1p Mon May 26 22:26:21 1997 Johan Danielsson * lib/krb5/principal.c: Add contexts to many functions. Thu May 15 20:25:37 1997 Johan Danielsson * lib/krb5/verify_user.c: First stab at a verify user. * lib/auth/sia/sia5.c: SIA module for Kerberos 5. Mon Apr 14 00:09:03 1997 Assar Westerlund * lib/gssapi: Enough of a gssapi-over-krb5 implementation to be able to (mostly) run gss-client and gss-server. 
* lib/krb5/keytab.c: implemented krb5_kt_add_entry, krb5_kt_store_principal, krb5_kt_store_keyblock * lib/des/md5.[ch], sha.[ch]: new files * lib/asn1/der_get.c (generalizedtime2time): use `timegm' * lib/asn1/timegm.c: new file * admin/extkeytab.c: new program * admin/admin_locl.h: new file * admin/Makefile.am: Added extkeytab * configure.in: moved config to include removed timezone garbage added lib/gssapi and admin * Makefile.am: Added admin Mon Mar 17 11:34:05 1997 Johan Danielsson * kdc/kdc.c: Use new copying functions, and free some data. * lib/asn1/Makefile.am: Try to not always rebuild generated files. * lib/asn1/der_put.c: Add fix_dce(). * lib/asn1/der_{get,length,put}.c: Fix include files. * lib/asn1/der_free.c: Remove unused functions. * lib/asn1/gen.c: Split into gen_encode, gen_decode, gen_free, gen_length, and gen_copy. Sun Mar 16 18:13:52 1997 Assar Westerlund * lib/krb5/sendauth.c: implemented functionality * lib/krb5/rd_rep.c: Use `krb5_decrypt' * lib/krb5/cache.c (krb5_cc_get_name): return default if `id' == NULL * lib/krb5/principal.c (krb5_free_principal): added `context' argument. Changed all callers. (krb5_sname_to_principal): new function * lib/krb5/auth_context.c (krb5_free_authenticator): add `context' argument. Changed all callers * lib/krb5/{net_write.c,net_read.c,recvauth.c}: new files * lib/asn1/gen.c: Fix encoding and decoding of BitStrings Fri Mar 14 11:29:00 1997 Assar Westerlund * configure.in: look for *dbm? * lib/asn1/gen.c: Fix filename in generated files. Check fopens. Put trailing newline in asn1_files. Fri Mar 14 05:06:44 1997 Johan Danielsson * lib/krb5/get_in_tkt.c: Fix some memory leaks. * lib/krb5/krbhst.c: Properly free hostlist. * lib/krb5/decrypt.c: CRCs are 32 bits. Fri Mar 14 04:39:15 1997 Johan Danielsson * lib/asn1/gen.c: Generate one file for each type. 
Fri Mar 14 04:13:47 1997 Assar Westerlund * lib/asn1/gen.c: Generate `length_FOO' functions * lib/asn1/der_length.c: new file * kuser/klist.c: renamed stime -> printable_time to avoid conflict on HP/UX Fri Mar 14 03:37:23 1997 Johan Danielsson * lib/hdb/ndbm.c: Return NOENTRY if fetch fails. Don't free datums. Don't add .db to filename. Fri Mar 14 02:49:51 1997 Johan Danielsson * kdc/dump.c: Database dump program. * kdc/ank.c: Trivial database editing program. * kdc/{kdc.c, load.c}: Use libhdb. * lib/hdb: New database routine library. * lib/krb5/error/Makefile.am: Add hdb_err. Wed Mar 12 17:41:14 1997 Johan Danielsson * kdc/kdc.c: Rewritten AS, and somewhat more working TGS support. * lib/asn1/gen.c: Generate free functions. * Some specific free functions. Wed Mar 12 12:30:13 1997 Assar Westerlund * lib/krb5/krb5_mk_req_ext.c: new file * lib/asn1/gen.c: optimize the case with a simple type * lib/krb5/get_cred.c (krb5_get_credentials): Use `mk_req_extended' and remove old code. * lib/krb5/get_in_tkt.c (decrypt_tkt): First try with an EncASRepPart, then with an EncTGSRepPart. Wed Mar 12 08:26:04 1997 Johan Danielsson * lib/krb5/store_emem.c: New resizable memory storage. * lib/krb5/{store.c, store_fd.c, store_mem.c}: Split of store.c * lib/krb5/krb5.h: Add free entry to krb5_storage. * lib/krb5/decrypt.c: Make keyblock const. Tue Mar 11 20:22:17 1997 Johan Danielsson * lib/krb5/krb5.h: Add EncTicketPart to krb5_ticket. * lib/krb5/rd_req.c: Return whole asn.1 ticket in krb5_ticket->tkt. * lib/krb5/get_in_tkt.c: TGS -> AS * kuser/kfoo.c: Print error string rather than number. * kdc/kdc.c: Some kind of non-working TGS support. Mon Mar 10 01:43:22 1997 Assar Westerlund * lib/asn1/gen.c: reduced generated code by 1/5 * lib/asn1/der_put.c: (der_put_length_and_tag): new function * lib/asn1/der_get.c (der_match_tag_and_length): new function * lib/asn1/der.h: added prototypes Mon Mar 10 01:15:43 1997 Johan Danielsson * lib/krb5/krb5.h: Include . 
Add prototype for krb5_rd_req_with_keyblock. * lib/krb5/rd_req.c: Add function krb5_rd_req_with_keyblock that takes a precomputed keyblock. * lib/krb5/get_cred.c: Use krb5_mk_req rather than inlined code. * lib/krb5/mk_req.c: Calculate checksum of in_data. Sun Mar 9 21:17:58 1997 Johan Danielsson * lib/krb5/error/compile_et.awk: Add a declaration of struct error_list, and multiple inclusion block to header files. Sun Mar 9 21:01:12 1997 Assar Westerlund * lib/krb5/rd_req.c: do some checks on times * lib/krb/{mk_priv.c, rd_priv.c, sendauth.c, decrypt.c, address.c}: new files * lib/krb5/auth_context.c: more code * configure.in: try to figure out timezone Sat Mar 8 11:41:07 1997 Johan Danielsson * lib/krb5/error/error.c: Try strerror if error code wasn't found. * lib/krb5/get_in_tkt.c: Remove realm parameter from krb5_get_salt. * lib/krb5/context.c: Initialize error table. * kdc: The beginnings of a kdc. Sat Mar 8 08:16:28 1997 Assar Westerlund * lib/krb5/rd_safe.c: new file * lib/krb5/checksum.c (krb5_verify_checksum): New function * lib/krb5/get_cred.c: use krb5_create_checksum * lib/krb5/checksum.c: new file * lib/krb5/store.c: no more arithmetic with void* * lib/krb5/cache.c: now seems to work again Sat Mar 8 06:58:09 1997 Johan Danielsson * lib/krb5/Makefile.am: Add asn1_glue.c and error/*.c to libkrb5. * lib/krb5/get_in_tkt.c: Moved some functions to asn1_glue.c. * lib/krb5/asn1_glue.c: Moved some asn1-stuff here. * lib/krb5/{cache,keytab}.c: Use new storage functions. * lib/krb5/krb5.h: Prototypes for new storage functions. * lib/krb5/krb5.h: Make krb5_{ret,store}_* functions able to write data to more than file descriptors. Sat Mar 8 01:01:17 1997 Assar Westerlund * lib/krb5/encrypt.c: New file. * lib/krb5/Makefile.am: More -I * configure.in: Test for big endian, random, rand, setitimer * lib/asn1/gen.c: perhaps even decodes bitstrings Thu Mar 6 19:05:29 1997 Johan Danielsson * lib/krb5/config_file.y: Better return values on error. 
Sat Feb 8 15:59:56 1997 Assar Westerlund * lib/asn1/parse.y: ifdef HAVE_STRDUP * lib/asn1/lex.l: ifdef strdup brain-dead version of list of special characters to make stupid lex accept it. * lib/asn1/gen.c: A DER integer should really be a `unsigned' * lib/asn1/der_put.c: A DER integer should really be a `unsigned' * lib/asn1/der_get.c: A DER integer should really be a `unsigned' * lib/krb5/error/Makefile.am: It seems "$(SHELL) ./compile_et" is needed. * lib/krb/mk_rep.c, lib/krb/rd_req.c, lib/krb/store.c, lib/krb/store.h: new files. * lib/krb5/keytab.c: now even with some functionality. * lib/asn1/gen.c: changed parameter from void * to Foo * * lib/asn1/der_get.c (der_get_octet_string): Fixed bug with empty string. Sun Jan 19 06:17:39 1997 Assar Westerlund * lib/krb5/get_cred.c (krb5_get_credentials): Check for creds in cc before getting new ones. * lib/krb5/krb5.h (krb5_free_keyblock): Fix prototype. * lib/krb5/build_auth.c (krb5_build_authenticator): It seems the CRC should be stored LSW first. (?) * lib/krb5/auth_context.c: Implement `krb5_auth_con_getkey' and `krb5_free_keyblock' * lib/**/Makefile.am: Rename foo libfoo.a * include/Makefile.in: Use test instead of [ -e does not work with /bin/sh on psoriasis * configure.in: Search for awk create lib/krb/error/compile_et Tue Jan 14 03:46:26 1997 Assar Westerlund * lib/krb5/Makefile.am: replaced mit-crc.c by crc.c Wed Dec 18 00:53:55 1996 Johan Danielsson * kuser/kinit.c: Guess principal. * lib/krb5/error/compile_et.awk: Don't include krb5.h. Fix some warnings. * lib/krb5/error/asn1_err.et: Add ASN.1 error messages. * lib/krb5/mk_req.c: Get client from cache. * lib/krb5/cache.c: Add better error checking some useful return values. * lib/krb5/krb5.h: Fix krb5_auth_context. * lib/asn1/der.h: Make krb5_data compatible with krb5.h Tue Dec 17 01:32:36 1996 Johan Danielsson * lib/krb5/error: Add primitive error library. Mon Dec 16 16:30:20 1996 Johan Danielsson * lib/krb5/cache.c: Get correct address type from cache. 
* lib/krb5/krb5.h: Change int16 to int to be compatible with asn1. heimdal-1.7~git20150920+dfsg/ChangeLog.1999000066400000000000000000001741721257755311500176430ustar00rootroot000000000000001999-12-30 Assar Westerlund * configure.in (krb4): use `-ldes' in tests 1999-12-26 Assar Westerlund * lib/hdb/print.c (event2string): handle events without principal. From Luke Howard 1999-12-25 Assar Westerlund * Release 0.2j Tue Dec 21 18:03:17 1999 Assar Westerlund * lib/hdb/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and related systems * lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and related systems * include/Makefile.am (krb5-types.h): add $(EXEEXT) for cygwin and related systems 1999-12-20 Assar Westerlund * Release 0.2i 1999-12-20 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 6:3:1 * lib/krb5/send_to_kdc.c (send_via_proxy): free data * lib/krb5/send_to_kdc.c (send_via_proxy): new function use getaddrinfo instead of gethostbyname{,2} * lib/krb5/get_for_creds.c: use getaddrinfo instead of getnodebyname{,2} 1999-12-17 Assar Westerlund * Release 0.2h 1999-12-17 Assar Westerlund * Release 0.2g 1999-12-16 Assar Westerlund * lib/krb5/Makefile.am: bump version to 6:2:1 * lib/krb5/principal.c (krb5_sname_to_principal): handle ai_canonname not being set * lib/krb5/expand_hostname.c (krb5_expand_hostname): handle ai_canonname not being set * appl/test/uu_server.c: print messages to stderr * appl/test/tcp_server.c: print messages to stderr * appl/test/nt_gss_server.c: print messages to stderr * appl/test/gssapi_server.c: print messages to stderr * appl/test/tcp_client.c (proto): remove shadowing `context' * appl/test/common.c (client_doit): add forgotten ntohs 1999-12-13 Assar Westerlund * configure.in (VERISON): bump to 0.2g-pre 1999-12-12 Assar Westerlund * lib/krb5/principal.c (krb5_425_conv_principal_ext): be more robust and handle extra dot at the beginning of default_domain 1999-12-12 Assar Westerlund * Release 0.2f 
1999-12-12 Assar Westerlund * lib/krb5/Makefile.am: bump version to 6:1:1 * lib/krb5/changepw.c (get_kdc_address): use `krb5_get_krb_changepw_hst' * lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): add * lib/krb5/get_host_realm.c: add support for _kerberos.domain (according to draft-ietf-cat-krb-dns-locate-01.txt) 1999-12-06 Assar Westerlund * Release 0.2e 1999-12-06 Assar Westerlund * lib/krb5/changepw.c (krb5_change_password): use the correct address * lib/krb5/Makefile.am: bump version to 6:0:1 * lib/asn1/Makefile.am: bump version to 1:4:0 1999-12-04 Assar Westerlund * configure.in: move AC_KRB_IPv6 to make sure it's performed before AC_BROKEN (el_init): use new feature of AC_FIND_FUNC_NO_LIBS * appl/test/uu_client.c: use client_doit * appl/test/test_locl.h (client_doit): add prototype * appl/test/tcp_client.c: use client_doit * appl/test/nt_gss_client.c: use client_doit * appl/test/gssapi_client.c: use client_doit * appl/test/common.c (client_doit): move identical code here and start using getaddrinfo * appl/kf/kf.c (doit): rewrite to use getaddrinfo * kdc/hprop.c: re-write to use getaddrinfo * lib/krb5/principal.c (krb5_sname_to_principal): use getaddrinfo * lib/krb5/expand_hostname.c (krb5_expand_hostname): use getaddrinfo * lib/krb5/changepw.c: re-write to use getaddrinfo * lib/krb5/addr_families.c (krb5_parse_address): use getaddrinfo 1999-12-03 Assar Westerlund * configure.in (BROKEN): check for freeaddrinfo, getaddrinfo, getnameinfo, gai_strerror (socklen_t): check for 1999-12-02 Johan Danielsson * lib/krb5/crypto.c: ARCFOUR_set_key -> RC4_set_key 1999-11-23 Assar Westerlund * lib/krb5/crypto.c (ARCFOUR_string_to_key): change order of bytes within unicode characters. this should probably be done in some arbitrarily complex way to do it properly and you would have to know what character encoding was used for the password and salt string. 
* lib/krb5/addr_families.c (ipv4_uninteresting): ignore 0.0.0.0 (INADDR_ANY) (ipv6_uninteresting): remove unused macro 1999-11-22 Johan Danielsson * lib/krb5/krb5.h: rc4->arcfour * lib/krb5/crypto.c: rc4->arcfour 1999-11-17 Assar Westerlund * lib/krb5/krb5_locl.h: add * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_RC4 * lib/krb5/crypto.c: some code for doing RC4/MD5/HMAC which might not be totally different from some small company up in the north-west corner of the US * lib/krb5/get_addrs.c (find_all_addresses): change code to actually increment buf_size 1999-11-14 Assar Westerlund * lib/krb5/krb5.h (krb5_context_data): add `scan_interfaces' * lib/krb5/get_addrs.c (krb5_get_all_client_addrs): make interfaces scanning optional * lib/krb5/context.c (init_context_from_config_file): set `scan_interfaces' * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add add_et_list.c * lib/krb5/add_et_list.c (krb5_add_et_list): new function 1999-11-12 Assar Westerlund * lib/krb5/get_default_realm.c (krb5_get_default_realm, krb5_get_default_realms): set realms if they were unset * lib/krb5/context.c (init_context_from_config_file): don't initialize default realms here. it's done lazily instead. * lib/krb5/krb5.h (KRB5_TC_*): make constants unsigned * lib/asn1/gen_glue.c (generate_2int, generate_units): make sure bit constants are unsigned * lib/asn1/gen.c (define_type): make length in sequences be unsigned. * configure.in: remove duplicate test for setsockopt test for struct tm.tm_isdst * lib/krb5/get_in_tkt.c (krb5_get_in_cred): generate preauthentication information if we get back ERR_PREAUTH_REQUIRED * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): remove preauthentication generation code. 
it's now in krb5_get_in_cred * configure.in (AC_BROKEN_SNPRINTF): add strptime check for struct tm.tm_gmtoff and timezone 1999-11-11 Johan Danielsson * kdc/main.c: make this work with multi-db * kdc/kdc_locl.h: make this work with multi-db * kdc/config.c: make this work with multi-db 1999-11-09 Johan Danielsson * kdc/misc.c: update for multi-database code * kdc/main.c: update for multi-database code * kdc/kdc_locl.h: update * kdc/config.c: allow us to have more than one database 1999-11-04 Assar Westerlund * Release 0.2d * lib/krb5/Makefile.am: bump version to 5:0:0 to be safe (krb5_context_data has changed and some code do (might) access fields directly) * lib/krb5/krb5.h (krb5_context_data): add `etypes_des' * lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes_default * lib/krb5/crypto.c (krb5_keytype_to_enctypes_default): new function * lib/krb5/context.c (set_etypes): new function (init_context_from_config_file): set both `etypes' and `etypes_des' 1999-11-02 Assar Westerlund * configure.in (VERSION): bump to 0.2d-pre 1999-10-29 Assar Westerlund * lib/krb5/principal.c (krb5_parse_name): check memory allocations 1999-10-28 Assar Westerlund * Release 0.2c * lib/krb5/dump_config.c (print_tree): check for empty tree * lib/krb5/string-to-key-test.c (tests): update the test cases with empty principals so that they actually use an empty realm and not the default. use the correct etype for 3DES * lib/krb5/Makefile.am: bump version to 4:1:0 * kdc/config.c (configure): more careful with the port string 1999-10-26 Assar Westerlund * Release 0.2b 1999-10-20 Assar Westerlund * lib/krb5/Makefile.am: bump version to 4:0:0 (krb524_convert_creds_kdc and potentially some other functions have changed prototypes) * lib/hdb/Makefile.am: bump version to 4:0:1 * lib/asn1/Makefile.am: bump version to 1:3:0 * configure.in (LIB_roken): add dbopen. getcap in roken references dbopen and with shared libraries we need to add this dependency. 
* lib/krb5/verify_krb5_conf.c (main): support specifying the configuration file to test on the command line * lib/krb5/config_file.c (parse_binding): handle line with no whitespace before = (krb5_config_parse_file_debug): set lineno earlier so that we don't use it uninitialized * configure.in (AM_INIT_AUTOMAKE): bump to 0.2b-pre opt*: need more include files for these tests * lib/krb5/set_default_realm.c (krb5_set_default_realm): use krb5_config_get_strings, which means that your configuration file should look like: [libdefaults] default_realm = realm1 realm2 realm3 * lib/krb5/set_default_realm.c (config_binding_to_list): fix copy-o. From Michal Vocu * kdc/config.c (configure): add a missing strdup. From Michal Vocu 1999-10-17 Assar Westerlund * Release 0.2a * configure.in: only test for db.h with using berkeley_db. remember to link with LIB_tgetent when checking for el_init. add xnlock * appl/Makefile.am: add xnlock * kdc/kerberos5.c (find_etype): support null keys * kdc/kerberos4.c (get_des_key): support null keys * lib/krb5/crypto.c (krb5_get_wrapped_length): more correct calculation 1999-10-16 Johan Danielsson * kuser/kinit.c (main): pass ccache to krb524_convert_creds_kdc 1999-10-12 Johan Danielsson * lib/krb5/crypto.c (krb5_enctype_to_keytype): remove warning 1999-10-10 Assar Westerlund * lib/krb5/mk_req.c (krb5_mk_req): use krb5_free_host_realm * lib/krb5/krb5.h (krb5_ccache_data): make `ops' const * lib/krb5/crypto.c (krb5_string_to_salttype): new function * **/*.[ch]: const-ize 1999-10-06 Assar Westerlund * lib/krb5/creds.c (krb5_compare_creds): const-ify * lib/krb5/cache.c: clean-up and comment-up * lib/krb5/copy_host_realm.c (krb5_copy_host_realm): copy all the strings * lib/krb5/verify_user.c (krb5_verify_user_lrealm): free the correct realm part * kdc/connect.c (handle_tcp): things work much better when ret is initialized 1999-10-03 Assar Westerlund * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): look at the type of the session key * 
lib/krb5/crypto.c (krb5_enctypes_compatible_keys): spell correctly * lib/krb5/creds.c (krb5_compare_creds): fix spelling of krb5_enctypes_compatible_keys * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): get new credentials from the KDC if the existing one doesn't have a DES session key. * lib/45/get_ad_tkt.c (get_ad_tkt): update to new krb524_convert_creds_kdc 1999-10-03 Johan Danielsson * lib/krb5/keytab_keyfile.c: make krb5_akf_ops const * lib/krb5/keytab_memory.c: make krb5_mkt_ops const * lib/krb5/keytab_file.c: make krb5_fkt_ops const 1999-10-01 Assar Westerlund * lib/krb5/config_file.c: rewritten to allow error messages * lib/krb5/Makefile.am (bin_PROGRAMS): add verify_krb5_conf (libkrb5_la_SOURCES): add config_file_netinfo.c * lib/krb5/verify_krb5_conf.c: new program for verifying that krb5.conf is correct * lib/krb5/config_file_netinfo.c: moved netinfo code here from config_file.c 1999-09-28 Assar Westerlund * kdc/hpropd.c (dump_krb4): kludge default_realm * lib/asn1/check-der.c: add test cases for Generalized time and make sure we return the correct value * lib/asn1/der_put.c: simplify by using der_put_length_and_tag * lib/krb5/verify_user.c (krb5_verify_user_lrealm): variant of krb5_verify_user that tries in all the local realms * lib/krb5/set_default_realm.c: add support for having several default realms * lib/krb5/kuserok.c (krb5_kuserok): use `krb5_get_default_realms' * lib/krb5/get_default_realm.c (krb5_get_default_realms): add * lib/krb5/krb5.h (krb5_context_data): change `default_realm' to `default_realms' * lib/krb5/context.c: change from `default_realm' to `default_realms' * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use krb5_get_default_realms * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add copy_host_realm.c * lib/krb5/copy_host_realm.c: new file 1999-09-27 Johan Danielsson * lib/asn1/der_put.c (encode_generalized_time): encode length * lib/krb5/recvauth.c: new function `krb5_recvauth_match_version' that allows more intelligent 
matching of the application version 1999-09-26 Assar Westerlund * lib/asn1/asn1_print.c: add err.h * kdc/config.c (configure): use parse_bytes * appl/test/nt_gss_common.c: use the correct header file 1999-09-24 Johan Danielsson * kuser/klist.c: add a `--cache' flag * kuser/kinit.c (main): only get default value for `get_v4_tgt' if it's explicitly set in krb5.conf 1999-09-23 Assar Westerlund * lib/asn1/asn1_print.c (tag_names): add another universal tag * lib/asn1/der.h: update universal tags 1999-09-22 Assar Westerlund * lib/asn1/asn1_print.c (loop): print length of octet string 1999-09-21 Johan Danielsson * admin/ktutil.c (kt_get): add `--help' 1999-09-21 Assar Westerlund * kuser/Makefile.am: add kdecode_ticket * kuser/kdecode_ticket.c: new debug program * appl/test/nt_gss_server.c: new program to test against `Sample * SSPI Code' in Windows 2000 RC1 SDK. * appl/test/Makefile.am: add nt_gss_client and nt_gss_server * lib/asn1/der_get.c (decode_general_string): remember to advance ret over the length-len * lib/asn1/Makefile.am: add asn1_print * lib/asn1/asn1_print.c: new program for printing DER-structures * lib/asn1/der_put.c: make functions more consistent * lib/asn1/der_get.c: make functions more consistent 1999-09-20 Johan Danielsson * kdc/kerberos5.c: be more informative in pa-data error messages 1999-09-16 Assar Westerlund * configure.in: test for strlcpy, strlcat 1999-09-14 Assar Westerlund * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): return KRB5_LIBOS_PWDINTR when interrupted * lib/krb5/get_in_tkt_pw.c (krb5_password_key_proc): check return value from des_read_pw_string * kuser/kinit.c (main): don't print any error if reading the password was interrupted * kpasswd/kpasswd.c (main): don't print any error if reading the password was interrupted * kdc/string2key.c (main): check the return value from fgets * kdc/kstash.c (main): check return value from des_read_pw_string * admin/ktutil.c (kt_add): check the return-value from fgets and overwrite the 
password for paranoid reasons * lib/krb5/keytab_keyfile.c (get_cell_and_realm): only remove the newline if it's there 1999-09-13 Assar Westerlund * kdc/hpropd.c (main): remove bogus error with `--print'. remove sysloging of number of principals transferred * kdc/hprop.c (ka_convert): set flags correctly for krbtgt/CELL principals (main): get rid of bogus opening of hdb database when propagating ka-server database 1999-09-12 Assar Westerlund * lib/krb5/krb5_locl.h (O_BINARY): add fallback definition * lib/krb5/krb5.h (krb5_context_data): add keytab types * configure.in: revert back awk test, not worked around in roken.awk * lib/krb5/keytab_krb4.c: remove O_BINARY * lib/krb5/keytab_keyfile.c: some support for AFS KeyFile's. From Love * lib/krb5/keytab_file.c: remove O_BINARY * lib/krb5/keytab.c: move the list of keytab types to the context * lib/krb5/fcache.c: remove O_BINARY * lib/krb5/context.c (init_context_from_config_file): register all standard cache and keytab types (krb5_free_context): free `kt_types' * lib/krb5/cache.c (krb5_cc_resolve): move the registration of the standard types of credential caches to context * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_keyfile.c 1999-09-10 Assar Westerlund * lib/krb5/keytab.c: add comments and clean-up * admin/ktutil.c: add `ktutil copy' * lib/krb5/keytab_krb4.c: new file * lib/krb5/krb5.h (krb5_kt_cursor): add a `data' field * lib/krb5/Makefile.am: add keytab_krb4.c * lib/krb5/keytab.c: add krb4 and correct some if's * admin/srvconvert.c (srvconv): move common code * lib/krb5/krb5.h (krb5_fkt_ops, krb5_mkt_ops): new variables * lib/krb5/keytab.c: move out file and memory functions * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_file.c, keytab_memory.c * lib/krb5/keytab_memory.c: new file * lib/krb5/keytab_file.c: new file * kpasswd/kpasswdd.c: move out password quality functions 1999-09-07 Assar Westerlund * lib/hdb/Makefile.am (libhdb_la_SOURCES): add keytab.c. 
From Love * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): check return value from `krb5_sendto_kdc' 1999-09-06 Assar Westerlund * lib/krb5/send_to_kdc.c (send_and_recv): rename to recv_loop and remove the sending of data. add a parameter `limit'. let callers send the data themselves (and preferably with net_write on tcp sockets) (send_and_recv_tcp): read first the length field and then only that many bytes 1999-09-05 Assar Westerlund * kdc/connect.c (handle_tcp): try to print warning `TCP data of strange type' less often * lib/krb5/send_to_kdc.c (send_and_recv): handle EINTR properly. return on EOF. always free data. check return value from realloc. (send_and_recv_tcp, send_and_recv_http): check advertised length against actual length 1999-09-01 Johan Danielsson * configure.in: check for sgi capabilities 1999-08-27 Johan Danielsson * lib/krb5/get_addrs.c: krb5_get_all_server_addrs shouldn't return extra addresses * kpasswd/kpasswdd.c: use HDB keytabs; change some error messages; add --realm flag * lib/krb5/address.c (krb5_append_addresses): remove duplicates 1999-08-26 Johan Danielsson * lib/hdb/keytab.c: HDB keytab backend 1999-08-25 Johan Danielsson * lib/krb5/keytab.c (krb5_kt_{start_seq_get,next_entry,end_seq_get}): check for NULL pointer 1999-08-24 Johan Danielsson * kpasswd/kpasswdd.c: add `--keytab' flag 1999-08-23 Assar Westerlund * lib/krb5/addr_families.c (IN6_ADDR_V6_TO_V4): use `s6_addr' instead of the non-standard `s6_addr32'. From Yoshinobu Inoue by way of the KAME repository 1999-08-18 Assar Westerlund * configure.in (--enable-new-des3-code): remove check for `struct addrinfo' * lib/krb5/crypto.c (etypes): remove NEW_DES3_CODE, enable des3-cbc-sha1 and keep old-des3-cbc-sha1 for backwards compatibility * lib/krb5/krb5.h (krb5_enctype): des3-cbc-sha1 (with key derivation) just got assigned etype 16 by . keep the old etype at 7. 
1999-08-16 Assar Westerlund * lib/krb5/sendauth.c (krb5_sendauth): only look at errno if krb5_net_read actually returns -1 * lib/krb5/recvauth.c (krb5_recvauth): only look at errno if krb5_net_read actually returns -1 * appl/kf/kf.c (proto): don't trust errno if krb5_net_read hasn't returned -1 * appl/test/tcp_server.c (proto): only trust errno if krb5_net_read actually returns -1 * appl/kf/kfd.c (proto): be more careful with the return value from krb5_net_read 1999-08-13 Assar Westerlund * lib/krb5/get_addrs.c (get_addrs_int): try the different ways sequentially instead of just one. this helps if your heimdal was built with v6-support but your kernel doesn't have it, for example. 1999-08-12 Assar Westerlund * kdc/hpropd.c: add inetd flag. default means try to figure out if stdin is a socket or not. * Makefile.am (ACLOCAL): just use `cf', this variable is only used when the current directory is $(top_srcdir) anyways and having $(top_srcdir) there breaks if it's a relative path 1999-08-09 Johan Danielsson * configure.in: check for setproctitle 1999-08-05 Assar Westerlund * lib/krb5/principal.c (krb5_sname_to_principal): remember to call freehostent * appl/test/tcp_client.c: call freehostent * appl/kf/kf.c (doit): call freehostent * appl/kf/kf.c: make v6 friendly and simplify * appl/kf/kfd.c: make v6 friendly and simplify * appl/test/tcp_server.c: simplify by using krb5_err instead of errx * appl/test/tcp_client.c: simplify by using krb5_err instead of errx * appl/test/tcp_server.c: make v6 friendly and simplify * appl/test/tcp_client.c: make v6 friendly and simplify 1999-08-04 Assar Westerlund * Release 0.1m 1999-08-04 Assar Westerlund * kuser/kinit.c (main): some more KRB4-conditionalizing * lib/krb5/get_in_tkt.c: type correctness * lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): set forwarded in flags. From Miroslav Ruda * kuser/kinit.c (main): add config file support for forwardable and krb4 support. 
From Miroslav Ruda * kdc/kerberos5.c (as_rep): add an empty X500-compress string as transited. (fix_transited_encoding): check length. From Miroslav Ruda * kdc/hpropd.c (dump_krb4): check the realm so that we don't dump principals in some other realm. From Miroslav Ruda (main): rename sa_len -> sin_len, sa_lan is a define on some platforms. * appl/kf/kfd.c: add regpag support. From Miroslav Ruda * appl/kf/kf.c: add `-G' and forwardable option in krb5.conf. From Miroslav Ruda * lib/krb5/config_file.c (parse_list): don't run past end of line * appl/test/gss_common.h: new prototypes * appl/test/gssapi_client.c: use gss_err instead of abort * appl/test/gss_common.c (gss_verr, gss_err): add 1999-08-03 Assar Westerlund * lib/krb5/Makefile.am (n_fold_test_LDADD): need to set this otherwise it doesn't build with shared libraries * kdc/hpropd.c: v6-ify * kdc/hprop.c: v6-ify 1999-08-01 Assar Westerlund * lib/krb5/mk_req.c (krb5_mk_req): use krb5_expand_hostname 1999-07-31 Assar Westerlund * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): new function that takes a FQDN * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add expand_hostname.c * lib/krb5/expand_hostname.c: new file 1999-07-28 Assar Westerlund * Release 0.1l 1999-07-28 Assar Westerlund * lib/asn1/Makefile.am: bump version to 1:2:0 * lib/krb5/Makefile.am: bump version to 3:1:0 * configure.in: more inet_pton to roken * lib/krb5/principal.c (krb5_sname_to_principal): use getipnodebyname 1999-07-26 Assar Westerlund * Release 0.1k 1999-07-26 Johan Danielsson * lib/krb5/Makefile.am: bump version number (changed function signatures) * lib/hdb/Makefile.am: bump version number (changes to some function signatures) 1999-07-26 Assar Westerlund * lib/krb5/Makefile.am: bump version to 3:0:2 * lib/hdb/Makefile.am: bump version to 2:1:0 * lib/asn1/Makefile.am: bump version to 1:1:0 1999-07-26 Assar Westerlund * Release 0.1j 1999-07-26 Assar Westerlund * configure.in: rokenize inet_ntop * lib/krb5/store_fd.c: lots of changes from 
size_t to ssize_t * lib/krb5/store_mem.c: lots of changes from size_t to ssize_t * lib/krb5/store_emem.c: lots of changes from size_t to ssize_t * lib/krb5/store.c: lots of changes from size_t to ssize_t (krb5_ret_stringz): check return value from realloc * lib/krb5/mk_safe.c: some type correctness * lib/krb5/mk_priv.c: some type correctness * lib/krb5/krb5.h (krb5_storage): change return values of functions from size_t to ssize_t 1999-07-24 Assar Westerlund * Release 0.1i * configure.in (AC_PROG_AWK): disable. mawk seems to mishandle \# in lib/roken/roken.awk * lib/krb5/get_addrs.c (find_all_addresses): try to use SA_LEN to step over addresses if there's no `sa_lan' field * lib/krb5/sock_principal.c (krb5_sock_to_principal): simplify by using `struct sockaddr_storage' * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): simplify by using `struct sockaddr_storage' * lib/krb5/changepw.c (krb5_change_password): simplify by using `struct sockaddr_storage' * lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): simplify by using `struct sockaddr_storage' * kpasswd/kpasswdd.c (*): simplify by using `struct sockaddr_storage' * kdc/connect.c (*): simplify by using `struct sockaddr_storage' * configure.in (sa_family_t): just test for existence (sockaddr_storage): also specify include file * configure.in (AM_INIT_AUTOMAKE): bump version to 0.1i (sa_family_t): test for (struct sockaddr_storage): test for * kdc/hprop.c (propagate_database): typo, NULL should be auth_context * lib/krb5/get_addrs.c: conditionalize on HAVE_IPV6 instead of AF_INET6 * appl/kf/kf.c (main): use warnx * appl/kf/kf.c (proto): remove shadowing context * lib/krb5/get_addrs.c (find_all_addresses): try to handle the case of getting back an `sockaddr_in6' address when sizeof(struct sockaddr_in6) > sizeof(struct sockaddr) and we have no sa_len to tell us how large the address is. This obviously doesn't work with unknown protocol types. 
1999-07-24 Assar Westerlund * Release 0.1h 1999-07-23 Assar Westerlund * appl/kf/kfd.c: clean-up and more paranoia * etc/services.append: add kf * appl/kf/kf.c: rename tk_file to ccache for consistency. clean-up 1999-07-22 Assar Westerlund * lib/krb5/n-fold-test.c (main): print the correct data * appl/Makefile.am (SUBDIRS): add kf * appl/kf: new program. From Miroslav Ruda * kdc/hprop.c: declare some variables unconditionally to simplify things * kpasswd/kpasswdd.c: initialize kadm5 connection for every change (otherwise the modifier in the database doesn't get set) * kdc/hpropd.c: clean-up and re-organize * kdc/hprop.c: clean-up and re-organize * configure.in (SunOS): define to xy for SunOS x.y 1999-07-19 Assar Westerlund * configure.in (AC_BROKEN): test for copyhostent, freehostent, getipnodebyaddr, getipnodebyname 1999-07-15 Assar Westerlund * lib/asn1/check-der.c: more test cases for integers * lib/asn1/der_length.c (length_int): handle the case of the largest negative integer by not calling abs 1999-07-14 Assar Westerlund * lib/asn1/check-der.c (generic_test): check malloc return value properly * lib/krb5/Makefile.am: add string_to_key_test * lib/krb5/prog_setup.c (krb5_program_setup): always initialize the context * lib/krb5/n-fold-test.c (main): return a relevant return value * lib/krb5/krbhst.c: do SRV lookups for admin server as well. some clean-up. 1999-07-12 Assar Westerlund * configure.in: handle not building X programs 1999-07-06 Assar Westerlund * lib/krb5/addr_families.c (ipv6_parse_addr): remove duplicate variable (ipv6_sockaddr2port): fix typo * etc/services.append: beginning of a file with services * lib/krb5/cache.c (krb5_cc_resolve): fall-back to files if there's no prefix. also clean-up a little bit. * kdc/hprop.c (--kaspecials): new flag for handling special KA server entries. From "Brandon S. 
Allbery KF8NH" 1999-07-05 Assar Westerlund * kdc/connect.c (handle_tcp): make sure we have data before starting to look for HTTP * kdc/connect.c (handle_tcp): always do getpeername, we can't trust recvfrom to return anything sensible 1999-07-04 Assar Westerlund * lib/krb5/get_in_tkt.c (add_padata): encrypt pre-auth data with all enctypes * kpasswd/kpasswdd.c (change): fetch the salt-type from the entry * admin/srvconvert.c (srvconv): better error messages 1999-07-03 Assar Westerlund * lib/krb5/principal.c (unparse_name): error check malloc properly * lib/krb5/get_in_tkt.c (krb5_init_etype): error check malloc properly * lib/krb5/crypto.c (*): do some malloc return-value checks properly * lib/hdb/hdb.c (hdb_process_master_key): simplify by using krb5_data_alloc * lib/hdb/hdb.c (hdb_process_master_key): check return value from malloc * lib/asn1/gen_decode.c (decode_type): fix generation of decoding information for TSequenceOf. * kdc/kerberos5.c (get_pa_etype_info): check return value from malloc 1999-07-02 Assar Westerlund * lib/asn1/der_copy.c (copy_octet_string): don't fail if length == 0 and malloc returns NULL 1999-06-29 Assar Westerlund * lib/krb5/addr_families.c (ipv6_parse_addr): implement 1999-06-24 Assar Westerlund * lib/krb5/rd_cred.c (krb5_rd_cred): compare the sender's address as an addrport one * lib/krb5/krb5.h (KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_IPPORT): add (krb5_auth_context): add local and remote port * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): get the local and remote address and add them to the krb-cred packet * lib/krb5/auth_context.c: save the local and remote ports in the auth_context * lib/krb5/address.c (krb5_make_addrport): create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port) * lib/krb5/addr_families.c (krb5_sockaddr2port): new function for grabbing the port number out of the sockaddr 1999-06-23 Assar Westerlund * admin/srvcreate.c (srvcreate): always take the DES-CBC-MD5 key. increase possible verbosity. 
* lib/krb5/config_file.c (parse_list): handle blank lines at another place * kdc/connect.c (add_port_string): don't return a value * lib/kadm5/init_c.c (get_cred_cache): you cannot reuse the cred cache if the principals are different. close and NULL the old one so that we create a new one. * configure.in: move around cygwin et al. (LIB_kdb): set at the end of krb4-block (krb4): test for krb_enable_debug and krb_disable_debug 1999-06-16 Assar Westerlund * kuser/kdestroy.c (main): try to destroy v4 ticket even if the destruction of the v5 one fails * lib/krb5/crypto.c (DES3_postproc): new version that does the right thing (*): don't put and recover length in 3DES encoding other small fixes 1999-06-15 Assar Westerlund * lib/krb5/get_default_principal.c: rewrite to use get_default_username * lib/krb5/Makefile.am: add n-fold-test * kdc/connect.c: add fallbacks for all lookups by service name (handle_tcp): break-up and clean-up 1999-06-09 Assar Westerlund * lib/krb5/addr_families.c (ipv6_uninteresting): don't consider the loopback address as uninteresting * lib/krb5/get_addrs.c: new magic flag to get loopback address if there are no other addresses. 
(krb5_get_all_client_addrs): use that flag 1999-06-04 Assar Westerlund * lib/krb5/crypto.c (HMAC_SHA1_DES3_checksum): don't include the length (checksum_sha1, checksum_hmac_sha1_des3): blocksize should be 64 (encrypt_internal_derived): don't include the length and don't decrease by the checksum size twice (_get_derived_key): the constant should be 5 bytes 1999-06-02 Johan Danielsson * configure.in: use KRB_CHECK_X * configure.in: check for netinet/ip.h 1999-05-31 Assar Westerlund * kpasswd/kpasswdd.c (setup_passwd_quality_check): conditionalize on RTLD_NOW 1999-05-23 Assar Westerlund * appl/test/uu_server.c: removed unused stuff * appl/test/uu_client.c: removed unused stuff 1999-05-21 Assar Westerlund * kuser/kgetcred.c (main): correct error message * lib/krb5/crypto.c (verify_checksum): call (*ct->checksum) directly, avoiding redundant lookups and memory leaks * lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): free local and remote addresses * lib/krb5/get_default_principal.c (get_logname): also try $USERNAME * lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) * lib/krb5/principal.c (USE_RESOLVER): try to define only if we have a libresolv (currently by checking for res_search) 1999-05-18 Johan Danielsson * kdc/connect.c (handle_tcp): remove %-escapes in request 1999-05-14 Assar Westerlund * Release 0.1g * admin/ktutil.c (kt_remove): -t should be -e * configure.in (CHECK_NETINET_IP_AND_TCP): use * kdc/hpropd.c: support for dumping to krb4. From Miroslav Ruda * admin/ktutil.c (kt_add): new option `--no-salt'. 
From Miroslav Ruda * configure.in: add cygwin and DOS tests replace sendmsg, recvmsg, and innetgr with roken versions * kuser/kgetcred.c: new program Tue May 11 14:09:33 1999 Johan Danielsson * lib/krb5/mcache.c: fix paste-o 1999-05-10 Johan Danielsson * configure.in: don't use uname 1999-05-10 Assar Westerlund * acconfig.h (KRB_PUT_INT): if we don't have KRB4 use four arguments :-) * appl/test/uu_server.c (setsockopt): cast to get rid of a warning * appl/test/tcp_server.c (setsockopt): cast to get rid of a warning * appl/test/tcp_client.c (proto): call krb5_sendauth with ccache == NULL * appl/test/gssapi_server.c (setsockopt): cast to get rid of a warning * lib/krb5/sendauth.c (krb5_sendauth): handle ccache == NULL by setting the default ccache. * configure.in (getsockopt, setsockopt): test for (AM_INIT_AUTOMAKE): bump version to 0.1g * appl/Makefile.am (SUBDIRS): add kx * lib/hdb/convert_db.c (main): handle the case of no master key 1999-05-09 Assar Westerlund * Release 0.1f * kuser/kinit.c: add --noaddresses * lib/krb5/get_in_tkt.c (init_as_req): interpret `addrs' being an empty sit of list as to not ask for any addresses. 
1999-05-08 Assar Westerlund * acconfig.h (_GNU_SOURCE): define this to enable (used) extensions on glibc-based systems such as linux 1999-05-03 Assar Westerlund * lib/krb5/get_cred.c (get_cred_from_kdc_flags): allocate and free `*out_creds' properly * lib/krb5/creds.c (krb5_compare_creds): just verify that the keytypes/enctypes are compatible, not that they are the same * kuser/kdestroy.c (cache): const-correctness 1999-05-03 Johan Danielsson * lib/hdb/hdb.c (hdb_set_master_key): initialise master key version * lib/hdb/convert_db.c: add support for upgrading database versions * kdc/misc.c: add flags to fetch * kdc/kstash.c: unlink keyfile on failure, chmod to 400 * kdc/hpropd.c: add --print option * kdc/hprop.c: pass flags to hdb_foreach * lib/hdb/convert_db.c: add some flags * lib/hdb/Makefile.am: remove extra LDFLAGS, update version to 2; build prototype headers * lib/hdb/hdb_locl.h: update prototypes * lib/hdb/print.c: move printable version of entry from kadmin * lib/hdb/hdb.c: change hdb_{seal,unseal}_* to check if the key is sealed or not; add flags to hdb_foreach * lib/hdb/ndbm.c: add flags to NDBM_seq, NDBM_firstkey, and NDBM_nextkey * lib/hdb/db.c: add flags to DB_seq, DB_firstkey, and DB_nextkey * lib/hdb/common.c: add flags to _hdb_{fetch,store} * lib/hdb/hdb.h: add master_key_version to struct hdb, update prototypes * lib/hdb/hdb.asn1: make mkvno optional, update version to 2 * configure.in: --enable-netinfo * lib/krb5/config_file.c: HAVE_NETINFO_NI_H -> HAVE_NETINFO * config.sub: fix for crays * config.guess: new version from automake 1.4 * config.sub: new version from automake 1.4 Wed Apr 28 00:21:17 1999 Assar Westerlund * Release 0.1e * lib/krb5/mcache.c (mcc_get_next): get the current cursor correctly * acconfig.h: correct definition of KRB_PUT_INT for old krb4 code. 
From Ake Sandgren 1999-04-27 Johan Danielsson * kdc/kerberos5.c: fix arguments to decrypt_ticket 1999-04-25 Assar Westerlund * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): try to handle old DCE secd's that are not able to handle MD5 checksums by defaulting to MD4 if the keytype was DES-CBC-CRC * lib/krb5/mk_req.c (krb5_mk_req): use auth_context->keytype * lib/krb5/krb5.h (krb5_auth_context_data): add `keytype' and `cksumtype' * lib/krb5/get_cred.c (make_pa_tgs_req): remove old kludge for secd (init_tgs_req): add all supported enctypes for the keytype in `in_creds->session.keytype' if it's set * lib/krb5/crypto.c (F_PSEUDO): new flag for non-protocol encryption types (do_checksum): new function (verify_checksum): take the checksum to use from the checksum message and not from the crypto struct (etypes): add F_PSEUDO flags (krb5_keytype_to_enctypes): new function * lib/krb5/auth_context.c (krb5_auth_con_init): initialize keytype and cksumtype (krb5_auth_setcksumtype, krb5_auth_getcksumtype): implement (krb5_auth_setkeytype, krb5_auth_getkeytype): implement (krb5_auth_setenctype): comment out, it's rather bogus anyway Sun Apr 25 16:55:50 1999 Johan Danielsson * lib/krb5/krb5_locl.h: fix for stupid aix warnings * lib/krb5/fcache.c (erase_file): don't malloc Sat Apr 24 18:35:21 1999 Johan Danielsson * kdc/config.c: pass context to krb5_config_file_free * kuser/kinit.c: add `--fcache-version' to set cache version to create * kuser/klist.c: print cache version if verbose * lib/krb5/transited.c (krb5_domain_x500_decode): don't abort * lib/krb5/principal.c: abort -> krb5_abortx * lib/krb5/mk_rep.c: abort -> krb5_abortx * lib/krb5/config_file.c: abort -> krb5_abortx * lib/krb5/context.c (init_context_from_config_file): init fcache_version; add krb5_{get,set}_fcache_version * lib/krb5/keytab.c: add support for reading (and writing?) 
old version keytabs * lib/krb5/cache.c: add krb5_cc_get_version * lib/krb5/fcache.c: add support for reading and writing old version cache files * lib/krb5/store_mem.c (krb5_storage_from_mem): zero flags * lib/krb5/store_emem.c (krb5_storage_emem): zero flags * lib/krb5/store_fd.c (krb5_storage_from_fd): zero flags * lib/krb5/store.c: add flags to change how various fields are stored, used for old cache version support * lib/krb5/krb5.h: add support for reading and writing old version cache files, and keytabs Wed Apr 21 00:09:26 1999 Assar Westerlund * configure.in: fix test for readline.h remember to link with $LIB_tgetent when trying linking with readline * lib/krb5/init_creds_pw.c (get_init_creds_common): if start_time is given, request a postdated ticket. * lib/krb5/data.c (krb5_data_free): free data as long as it's not NULL Tue Apr 20 20:18:14 1999 Assar Westerlund * kpasswd/Makefile.am (kpasswdd_LDADD): add LIB_dlopen * lib/krb5/krb5.h (KRB5_VERIFY_AP_REQ_IGNORE_INVALID): add * lib/krb5/rd_req.c (krb5_decrypt_ticket): add `flags` and KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is invalid Tue Apr 20 12:42:08 1999 Johan Danielsson * kpasswd/kpasswdd.c: don't try to load library by default; get library and function name from krb5.conf * kpasswd/sample_passwd_check.c: sample password checking functions Mon Apr 19 22:22:19 1999 Assar Westerlund * lib/krb5/store.c (krb5_storage_to_data, krb5_ret_data): use krb5_data_alloc and be careful with checking allocation and sizes. * kuser/klist.c (--tokens): conditionalize on KRB4 * kuser/kinit.c (renew_validate): set all flags (main): fix cut-n-paste error when setting start-time * kdc/kerberos5.c (check_tgs_flags): starttime of a validate ticket should be > than current time (*): send flags to krb5_verify_ap_req and krb5_decrypt_ticket * kuser/kinit.c (renew_validate): use the client realm instead of the local realm when renewing tickets. 
* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): compat function (krb5_get_forwarded_creds): correct freeing of out_creds * kuser/kinit.c (renew_validate): hopefully fix up freeing of memory * configure.in: do all the krb4 tests with "$krb4" != "no" * lib/krb5/keyblock.c (krb5_free_keyblock_contents): don't zero keyvalue if it's NULL. noticed by Ake Sandgren * lib/krb5/get_in_tkt.c (add_padata): loop over all enctypes instead of just taking the first one. fix all callers. From "Brandon S. Allbery KF8NH" * kdc/kdc_locl.h (enable_kaserver): declaration * kdc/hprop.c (ka_convert): print the failing principal. AFS 3.4a creates krbtgt.REALMOFCELL as NOTGS+NOSEAL, work around. From "Brandon S. Allbery KF8NH" * kdc/hpropd.c (open_socket): stupid cast to get rid of a warning * kdc/connect.c (add_standard_ports, process_request): look at enable_kaserver. From "Brandon S. Allbery KF8NH" * kdc/config.c: new flag --kaserver and config file option enable-kaserver. From "Brandon S. Allbery KF8NH" Mon Apr 19 12:32:04 1999 Johan Danielsson * configure.in: check for dlopen, and dlfcn.h * kpasswd/kpasswdd.c: add support for dlopen:ing password quality check library * configure.in: add appl/su Sun Apr 18 15:46:53 1999 Johan Danielsson * lib/krb5/cache.c: add krb5_cc_get_type that returns type of a cache Fri Apr 16 17:58:51 1999 Assar Westerlund * configure.in: LIB_kdb: -L should be before -lkdb test for prototype of strsep Thu Apr 15 11:34:38 1999 Johan Danielsson * lib/krb5/Makefile.am: update version * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use ALLOC_SEQ * lib/krb5/fcache.c: add some support for reading and writing old cache formats; (fcc_store_cred): use krb5_store_creds; (fcc_read_cred): use krb5_ret_creds * lib/krb5/store_mem.c (krb5_storage_from_mem): check malloc, initialize host_byteorder * lib/krb5/store_fd.c (krb5_storage_from_fd): initialize host_byteorder * lib/krb5/store_emem.c (krb5_storage_emem): initialize host_byteorder * lib/krb5/store.c 
(krb5_storage_set_host_byteorder): add; (krb5_store_int32,krb5_ret_int32,krb5_store_int16,krb5_ret_int16): check host_byteorder flag; (krb5_store_creds): add; (krb5_ret_creds): add * lib/krb5/krb5.h (krb5_storage): add `host_byteorder' flag for storage of numbers * lib/krb5/heim_err.et: add `host not found' error * kdc/connect.c: don't use data after clearing descriptor * lib/krb5/auth_context.c: abort -> krb5_abortx * lib/krb5/warn.c: add __attribute__; add *abort functions * configure.in: check for __attribute__ * kdc/connect.c: log bogus requests Tue Apr 13 18:38:05 1999 Johan Danielsson * lib/kadm5/create_s.c (kadm5_s_create_principal): create v4 salts for all DES keys 1999-04-12 Assar Westerlund * lib/krb5/get_cred.c (init_tgs_req): re-structure a little bit * lib/krb5/get_cred.c (init_tgs_req): some more error checking * lib/krb5/generate_subkey.c (krb5_generate_subkey): check return value from malloc Sun Apr 11 03:47:23 1999 Johan Danielsson * lib/krb5/krb5.conf.5: update to reality * lib/krb5/krb5_425_conv_principal.3: update to reality 1999-04-11 Assar Westerlund * lib/krb5/get_host_realm.c: handle more than one realm for a host * kpasswd/kpasswd.c (main): use krb5_program_setup and print_version * kdc/string2key.c (main): use krb5_program_setup and print_version Sun Apr 11 02:35:58 1999 Johan Danielsson * lib/krb5/principal.c (krb5_524_conv_principal): make it actually work, and check built-in list of host-type first-components * lib/krb5/krbhst.c: lookup SRV-records to find a kdc for a realm * lib/krb5/context.c: add srv_* flags to context * lib/krb5/principal.c: add default v4_name_convert entries * lib/krb5/krb5.h: add srv_* flags to context Sat Apr 10 22:52:28 1999 Johan Danielsson * kadmin/kadmin.c: complain about un-recognised commands * admin/ktutil.c: complain about un-recognised commands Sat Apr 10 15:41:49 1999 Assar Westerlund * kadmin/load.c (doit): fix error message * lib/krb5/crypto.c (encrypt_internal): free checksum if lengths fail to 
match. (krb5_get_wrapped_length): new function * configure.in: security/pam_modules.h: check for * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): kludge around `ret_as_reply' semantics by only freeing it when ret == 0 Fri Apr 9 20:24:04 1999 Assar Westerlund * kuser/klist.c (print_cred_verbose): handle the case of a bad enctype * configure.in: test for more header files (LIB_roken): set Thu Apr 8 15:01:59 1999 Johan Danielsson * configure.in: fixes for building w/o krb4 * ltmain.sh: update to libtool 1.2d * ltconfig: update to libtool 1.2d Wed Apr 7 23:37:26 1999 Assar Westerlund * kdc/hpropd.c: fix some error messages to be more understandable. * kdc/hprop.c (ka_dump): remove unused variables * appl/test/tcp_server.c: remove unused variables * appl/test/gssapi_server.c: remove unused variables * appl/test/gssapi_client.c: remove unused variables Wed Apr 7 14:05:15 1999 Johan Danielsson * lib/krb5/context.c (krb5_get_err_text): long -> krb5_error_code * kuser/klist.c: make it compile w/o krb4 * kuser/kdestroy.c: make it compile w/o krb4 * admin/ktutil.c: fix {srv,key}2{srv,key}tab confusion; add help strings Mon Apr 5 16:13:46 1999 Johan Danielsson * configure.in: test for MIPS ABI; new test_package Thu Apr 1 11:00:40 1999 Johan Danielsson * include/Makefile.am: clean krb5-private.h * Release 0.1d * kpasswd/kpasswdd.c (doit): pass context to krb5_get_all_client_addrs * kdc/connect.c (init_sockets): pass context to krb5_get_all_server_addrs * lib/krb5/get_in_tkt.c (init_as_req): pass context to krb5_get_all_client_addrs * lib/krb5/get_cred.c (get_cred_kdc_la): pass context to krb5_get_all_client_addrs * lib/krb5/get_addrs.c (get_addrs_int): add extra host addresses * lib/krb5/krb5.h: add support for adding an extra set of addresses * lib/krb5/context.c: add support for adding an extra set of addresses * lib/krb5/addr_families.c: add krb5_parse_address * lib/krb5/address.c: krb5_append_addresses * lib/krb5/config_file.c (parse_binding): don't zap everything 
after first whitespace * kuser/kinit.c (renew_validate): don't allocate out * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't allocate out_creds * lib/krb5/get_cred.c (get_cred_kdc, get_cred_kdc_la): make out_creds pointer; (krb5_get_kdc_cred): allocate out_creds; (get_cred_from_kdc_flags): free more memory * lib/krb5/crypto.c (encrypt_internal): free checksum * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): free reply, and ticket * kuser/Makefile.am: remove kfoo * lib/Makefile.am: add auth * lib/kadm5/iprop.h: getarg.h * lib/kadm5/replay_log.c: use getarg * lib/kadm5/ipropd_slave.c: use getarg * lib/kadm5/ipropd_master.c: use getarg * lib/kadm5/dump_log.c: use getarg * kpasswd/kpasswdd.c: use getarg * Makefile.am.common: make a more working check-local target * lib/asn1/main.c: use getargs Mon Mar 29 20:19:57 1999 Johan Danielsson * kuser/klist.c (print_cred_verbose): use krb5_print_address * lib/kadm5/server.c: k_{put,get}_int -> _krb5_{put,get}_int * lib/krb5/addr_families.c (krb5_print_address): handle unknown address types; (ipv6_print_addr): print in 16-bit groups (as it should) * lib/krb5/crc.c: crc_{init_table,update} -> _krb5_crc_{init_table,update} * lib/krb5/crypto.c: k_{put,get}_int -> _krb5_{put,get}_int crc_{init_table,update} -> _krb5_crc_{init_table,update} * lib/krb5/send_to_kdc.c: k_{put,get}_int -> _krb5_{put,get}_int * lib/krb5/store.c: k_{put,get}_int -> _krb5_{put,get}_int * lib/krb5/krb5_locl.h: include krb5-private.h * kdc/connect.c (addr_to_string): use krb5_print_address * lib/krb5/addr_families.c (krb5_print_address): int -> size_t * lib/krb5/addr_families.c: add support for printing ipv6 addresses, either with inet_ntop, or ugly for-loop * kdc/524.c: check that the ticket came from a valid address; use the address of the connection as the address to put in the v4 ticket (if this address is AF_INET) * kdc/connect.c: pass addr to do_524 * kdc/kdc_locl.h: prototype for do_524 Sat Mar 27 17:48:31 1999 Johan Danielsson * 
configure.in: check for OSF C2; bind/bitypes.h, getudbnam, setlim; check for auth modules; siad.h, getpwnam_r; lib/auth/Makefile, lib/auth/sia/Makefile * lib/krb5/crypto.c: n_fold -> _krb5_n_fold * lib/krb5/n-fold.c: n_fold -> _krb5_n_fold Thu Mar 25 04:35:21 1999 Assar Westerlund * lib/kadm5/set_keys.c (_kadm5_set_keys): free salt when zapping it * lib/kadm5/free.c (kadm5_free_principal_ent): free `key_data' * lib/hdb/ndbm.c (NDBM_destroy): clear master key * lib/hdb/db.c (DB_destroy): clear master key (DB_open): check malloc * kdc/connect.c (init_sockets): free addresses * kadmin/kadmin.c (main): make code more consistent. always free configuration information. * kadmin/init.c (create_random_entry): free the entry Wed Mar 24 04:02:03 1999 Assar Westerlund * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): re-organize the code to always free `kdc_reply' * lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful about freeing memory * lib/krb5/fcache.c (fcc_destroy): don't call fcc_close * lib/krb5/crypto.c (krb5_crypto_destroy): free `crypto' * lib/hdb/hdb_locl.h: try db_185.h first in case db.h is a DB 2.0 header * configure.in (db_185.h): check for * admin/srvcreate.c: new file. contributed by Daniel Kouril * admin/ktutil.c: srvcreate: new command * kuser/klist.c: add support for printing AFS tokens * kuser/kdestroy.c: add support for destroying v4 tickets and AFS tokens. based on code by Love * kuser/Makefile.am (kdestroy_LDADD, klist_LDADD): more libraries * configure.in: sys/ioccom.h: test for * kuser/klist.c (main): don't print `no ticket file' with --test. 
From: Love * kpasswd/kpasswdd.c (doit): more braces to make gcc happy * kdc/connect.c (init_socket): get rid of a stupid warning * include/bits.c (my_strupr): cast away some stupid warnings Tue Mar 23 14:34:44 1999 Johan Danielsson * lib/krb5/get_host_realm.c (krb5_get_host_realm): no infinite loops, please Tue Mar 23 00:00:45 1999 Assar Westerlund * lib/kadm5/Makefile.am (install_build_headers): recover from make rewriting the names of the headers kludge to help solaris make * lib/krb5/Makefile.am: kludge to help solaris make * lib/hdb/Makefile.am: kludge to help solaris make * configure.in (LIB_kdb): make sure there's a -L option in here by adding $(LIB_krb4) * lib/asn1/gen_glue.c (generate_2int, generate_int2): int -> unsigned * configure.in (SunOS): set to a number KRB4, KRB5 conditionals: remove the `dnl' to work around an automake flaw Sun Mar 21 15:08:49 1999 Johan Danielsson * lib/krb5/get_default_realm.c: char* -> krb5_realm Sun Mar 21 14:08:30 1999 Johan Danielsson * include/bits.c: * lib/krb5/Makefile.am: create krb5-private.h Sat Mar 20 00:08:59 1999 Assar Westerlund * configure.in (gethostname): remove duplicate Fri Mar 19 14:48:03 1999 Johan Danielsson * lib/hdb/Makefile.am: add version-info * lib/gssapi/Makefile.am: add version-info * lib/asn1/Makefile.am: use $(x:y=z) make syntax; move check-der to check_PROGRAMS * lib/Makefile.am: add 45 * lib/kadm5/Makefile.am: split in client and server libraries (breaks shared libraries otherwise) Thu Mar 18 11:33:30 1999 Johan Danielsson * include/kadm5/Makefile.am: clean a lot of header files (since automake lacks a clean-hook) * include/Makefile.am: clean a lot of header files (since automake lacks a clean-hook) * lib/kadm5/Makefile.am: fix build-installation of headers * lib/krb5/Makefile.am: remove include_dir hack * lib/hdb/Makefile.am: remove include_dir hack * lib/asn1/Makefile.am: remove include_dir hack * include/Makefile.am: remove include_dir hack * doc/whatis.texi: define sub for html * 
configure.in: LIB_kdb, have_err_h, have_fnmatch_h, have_glob_h * lib/asn1/Makefile.am: der.h * kpasswd/kpasswdd.c: admin.h -> kadm5/admin.h * kdc/Makefile.am: remove junk * kadmin/Makefile.am: sl.a -> sl.la * appl/afsutil/Makefile.am: remove EXTRA_bin_PROGRAMS * admin/Makefile.am: sl.a -> sl.la * configure.in: condition KRB5; AC_CHECK_XAU * Makefile.am: include Makefile.am.common * include/kadm5/Makefile.am: include Makefile.am.common; don't install headers from here * include/Makefile.am: include Makefile.am.common; don't install headers from here * doc/Makefile.am: include Makefile.am.common * lib/krb5/Makefile.am: include Makefile.am.common * lib/kadm5/Makefile.am: include Makefile.am.common * lib/hdb/Makefile.am: include Makefile.am.common * lib/gssapi/Makefile.am: include Makefile.am.common * lib/asn1/Makefile.am: include Makefile.am.common * lib/Makefile.am: include Makefile.am.common * lib/45/Makefile.am: include Makefile.am.common * kuser/Makefile.am: include Makefile.am.common * kpasswd/Makefile.am: include Makefile.am.common * kdc/Makefile.am: include Makefile.am.common * kadmin/Makefile.am: include Makefile.am.common * appl/test/Makefile.am: include Makefile.am.common * appl/afsutil/Makefile.am: include Makefile.am.common * appl/Makefile.am: include Makefile.am.common * admin/Makefile.am: include Makefile.am.common Wed Mar 17 03:04:38 1999 Assar Westerlund * lib/krb5/store.c (krb5_store_stringz): braces fix * lib/kadm5/get_s.c (kadm5_s_get_principal): braces fix * lib/kadm5/ent_setup.c (_kadm5_setup_entry): braces fix * kdc/connect.c (loop): braces fix * lib/krb5/config_file.c: cast to unsigned char to make is* happy * lib/krb5/log.c (krb5_addlog_dest): more braces to make gcc happy * lib/krb5/crypto.c (krb5_verify_checksum): rename C -> cksum to be consistent * kadmin/util.c (timeval2str): more braces to make gcc happy * kadmin/load.c: cast in is* to get rid of stupid warning * kadmin/dump.c (append_hex): cast in isalnum to get rid of stupid warning * 
kdc/kaserver.c: malloc checks and fixes * lib/krb5/get_host_realm.c (krb5_get_host_realm): include leading dot (if any) when looking up realms. Fri Mar 12 13:57:56 1999 Johan Danielsson * lib/krb5/get_host_realm.c: add dns support * lib/krb5/set_default_realm.c: use krb5_free_host_realm * lib/krb5/free_host_realm.c: check for NULL realmlist * lib/krb5/context.c: don't print warning if there is no krb5.conf Wed Mar 10 19:29:46 1999 Johan Danielsson * configure.in: use AC_WFLAGS Mon Mar 8 11:49:43 1999 Johan Danielsson * Release 0.1c * kuser/klist.c: use print_version * kuser/kdestroy.c: use print_version * kdc/hpropd.c: use print_version * kdc/hprop.c: use print_version * kdc/config.c: use print_version * kadmin/kadmind.c: use print_version * kadmin/kadmin.c: use print_version * appl/test/common.c: use print_version * appl/afsutil/afslog.c: use print_version Mon Mar 1 10:49:14 1999 Johan Danielsson * lib/krb5/get_addrs.c: SOCKADDR_HAS_SA_LEN -> HAVE_STRUCT_SOCKADDR_SA_LEN * configure.in, acconfig.h, cf/*: update to automake 1.4/autoconf 2.13 Sun Feb 28 18:19:20 1999 Johan Danielsson * lib/asn1/gen.c: make `BIT STRING's unsigned * lib/asn1/{symbol.h,gen.c}: add TUInteger type * lib/krb5/verify_user.c (krb5_verify_user): pass prompter to krb5_get_init_creds_password * lib/krb5/fcache.c (fcc_gen_new): implement Sat Feb 27 22:41:23 1999 Johan Danielsson * doc/install.texi: krb4 is now automatically detected * doc/misc.texi: update procedure to set supported encryption types * doc/setup.texi: change some silly wordings Sat Feb 27 22:17:30 1999 Johan Danielsson * lib/krb5/keytab.c (fkt_remove_entry): make this work * admin/ktutil.c: add minimally working `get' command Sat Feb 27 19:44:49 1999 Johan Danielsson * lib/hdb/convert_db.c: more typos * include/Makefile.am: remove EXTRA_DATA (as of autoconf 2.13/automake 1.4) * appl/Makefile.am: OTP_dir Fri Feb 26 17:37:00 1999 Johan Danielsson * doc/setup.texi: add kadmin section * lib/asn1/check-der.c: fix printf warnings Thu 
Feb 25 11:16:49 1999 Johan Danielsson * configure.in: -O does not belong in WFLAGS Thu Feb 25 11:05:57 1999 Johan Danielsson * lib/asn1/der_put.c: fix der_put_int Tue Feb 23 20:35:12 1999 Johan Danielsson * configure.in: use AC_BROKEN_GLOB Mon Feb 22 15:12:44 1999 Johan Danielsson * configure.in: check for glob Mon Feb 22 11:32:42 1999 Johan Danielsson * Release 0.1b Sat Feb 20 15:48:06 1999 Johan Danielsson * lib/hdb/convert_db.c: convert DES3 keys to des3-cbc-sha1, and des3-cbc-md5 * lib/krb5/crypto.c (DES3_string_to_key): make this actually do what the draft said it should * lib/hdb/convert_db.c: little program for database conversion * lib/hdb/db.c (DB_open): try to open database w/o .db extension * lib/hdb/ndbm.c (NDBM_open): add test for database format * lib/hdb/db.c (DB_open): add test for database format * lib/asn1/gen_glue.c (generate_2int): don't depend on flags being unsigned * lib/hdb/hdb.c: change `hdb_set_master_key' to take an EncryptionKey, and add a new function `hdb_set_master_keyfile' to do what `hdb_set_master_key' used to do * kdc/kstash.c: add `--convert-file' option to change keytype of existing master key file Fri Feb 19 07:04:14 1999 Assar Westerlund * Release 0.1a Sat Feb 13 17:12:53 1999 Assar Westerlund * lib/krb5/mk_safe.c (krb5_mk_safe): sizeof(buf) -> buf_size, buf is now a `u_char *' * lib/krb5/get_in_tkt.c (krb5_init_etype): etypes are now `int' * lib/krb5/get_host_realm.c (krb5_get_host_realm): constize orig_host (krb5_salttype_to_string): new function (RSA_MD5_DES_verify, RSA_MD5_DES3_verify): initialize ret * lib/gssapi/init_sec_context.c (init_auth): remove unnecessary gssapi_krb5_init. 
ask for KEYTYPE_DES credentials * kadmin/get.c (print_entry_long): print the keytypes and salts available for the principal * configure.in (WFLAGS): add `-O' to catch uninitialized variables and such (gethostname, mkstemp, getusershell, inet_aton): more tests * lib/hdb/hdb.h: update prototypes * configure.in: homogenize broken detection with krb4 * lib/kadm5/init_c.c (kadm5_c_init_with_context): remove unused `error' * lib/asn1/Makefile.am (check-der): add * lib/asn1/gen.c (define_type): map ASN1 Integer to `int' instead of `unsigned' * lib/asn1/der_length.c (length_unsigned): new function (length_int): handle signed integers * lib/asn1/der_put.c (der_put_unsigned): new function (der_put_int): handle signed integers * lib/asn1/der_get.c (der_get_unsigned): new function (der_get_int): handle signed integers * lib/asn1/der.h: all integer functions take `int' instead of `unsigned' * lib/asn1/lex.l (filename): unused. remove. * lib/asn1/check-der.c: new test program for der encoding and decoding. Mon Feb 1 04:09:06 1999 Assar Westerlund * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): only call gethostbyname2 with AF_INET6 if we actually have IPv6. From "Brandon S. Allbery KF8NH" * lib/krb5/changepw.c (get_kdc_address): ditto Sun Jan 31 06:26:36 1999 Assar Westerlund * kdc/connect.c (parse_prots): always bind to AF_INET, there are v6-implementations without support for `mapped V4 addresses'. From Jun-ichiro itojun Hagino Sat Jan 30 22:38:27 1999 Assar Westerlund * Release 0.0u Sat Jan 30 13:43:02 1999 Assar Westerlund * lib/krb5/Makefile.am: explicit rules for *.et files * lib/kadm5/init_c.c (get_kadm_ticket): only remove creds if krb5_get_credentials was successful. (get_new_cache): return better error codes and return earlier. (get_cred_cache): only delete default_client if it's different from client (kadm5_c_init_with_context): return a more descriptive error. 
* kdc/kerberos5.c (check_flags): handle NULL client or server * lib/krb5/sendauth.c (krb5_sendauth): return the error in `ret_error' iff != NULL * lib/krb5/rd_error.c (krb5_free_error, krb5_free_error_contents): new functions * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): more type-correctness * lib/krb5/krb5.h (krb5_error): typedef to KRB_ERROR * lib/krb5/init_creds_pw.c: KRB5_TGS_NAME: use * lib/krb5/get_cred.c: KRB5_TGS_NAME: use * lib/kafs/afskrb5.c (afslog_uid_int): update to changes * lib/kadm5/rename_s.c (kadm5_s_rename_principal): call remove instead of rename, but shouldn't this just call rename? * lib/kadm5/get_s.c (kadm5_s_get_principal): always return an error if the principal wasn't found. * lib/hdb/ndbm.c (NDBM_seq): unseal key * lib/hdb/db.c (DB_seq): unseal key * lib/asn1/Makefile.am: added explicit rules for asn1_err.[ch] * kdc/hprop.c (v4_prop): add krbtgt/THISREALM@OTHERREALM when finding cross-realm tgts in the v4 database * kadmin/mod.c (mod_entry): check the number of arguments. check that kadm5_get_principal worked. * lib/krb5/keytab.c (fkt_remove_entry): remove KRB5_KT_NOTFOUND if we weren't able to remove it. * admin/ktutil.c: less drive-by-deleting. From Love * kdc/connect.c (parse_ports): copy the string before mishandling it with strtok_r * kdc/kerberos5.c (tgs_rep2): print the principal with mismatching kvnos * kadmin/kadmind.c (main): convert `debug_port' to network byte order * kadmin/kadmin.c: allow specification of port number. * lib/kadm5/kadm5_locl.h (kadm5_client_context): add `kadmind_port'. * lib/kadm5/init_c.c (_kadm5_c_init_context): move up initalize_kadm5_error_table_r. allow specification of port number. 
From Love * kuser/klist.c: add option -t | --test heimdal-1.7~git20150920+dfsg/ChangeLog.2000000066400000000000000000001214501257755311500176000ustar00rootroot000000000000002000-12-31 Assar Westerlund * lib/krb5/test_get_addrs.c (main): handle krb5_init_context failure consistently * lib/krb5/string-to-key-test.c (main): handle krb5_init_context failure consistently * lib/krb5/prog_setup.c (krb5_program_setup): handle krb5_init_context failure consistently * lib/hdb/convert_db.c (main): handle krb5_init_context failure consistently * kuser/kverify.c (main): handle krb5_init_context failure consistently * kuser/klist.c (main): handle krb5_init_context failure consistently * kuser/kinit.c (main): handle krb5_init_context failure consistently * kuser/kgetcred.c (main): handle krb5_init_context failure consistently * kuser/kdestroy.c (main): handle krb5_init_context failure consistently * kuser/kdecode_ticket.c (main): handle krb5_init_context failure consistently * kuser/generate-requests.c (generate_requests): handle krb5_init_context failure consistently * kpasswd/kpasswd.c (main): handle krb5_init_context failure consistently * kpasswd/kpasswd-generator.c (generate_requests): handle krb5_init_context failure consistently * kdc/main.c (main): handle krb5_init_context failure consistently * appl/test/uu_client.c (proto): handle krb5_init_context failure consistently * appl/kf/kf.c (main): handle krb5_init_context failure consistently * admin/ktutil.c (main): handle krb5_init_context failure consistently * admin/get.c (kt_get): more error checking 2000-12-29 Assar Westerlund * lib/asn1/asn1_print.c (loop): check for length longer than data. 
inspired by lha@stacken.kth.se 2000-12-16 Johan Danielsson * admin/ktutil.8: reflect recent changes * admin/copy.c: don't copy an entry that already exists in the keytab, and warn if the keyblock differs 2000-12-15 Johan Danielsson * admin/Makefile.am: merge srvconvert and srvcreate with copy * admin/copy.c: merge srvconvert and srvcreate with copy * lib/krb5/Makefile.am: always build keytab_krb4.c * lib/krb5/context.c: always register the krb4 keytab functions * lib/krb5/krb5.h: declare krb4_ftk_ops * lib/krb5/keytab_krb4.c: We don't really need to include krb.h here, since we only use the principal size macros, so define these here. Theoretically someone could have a krb4 system where these values are != 40, but this is unlikely, and krb5_524_conv_principal also assume they are 40. 2000-12-13 Johan Danielsson * lib/krb5/krb5.h: s/krb5_donot_reply/krb5_donot_replay/ * lib/krb5/replay.c: fix query-replace-o from MD5 API change, and the struct is called krb5_donot_replay 2000-12-12 Assar Westerlund * admin/srvconvert.c (srvconvert): do not use data after free:ing it 2000-12-11 Assar Westerlund * Release 0.3d 2000-12-11 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 14:0:0 * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 6:3:0 * lib/krb5/Makefile.am (libkrb5_la_LIBADD): add library dependencies 2000-12-10 Johan Danielsson * lib/krb5/auth_context.c: implement krb5_auth_con_{get,set}rcache 2000-12-08 Assar Westerlund * lib/krb5/krb5.h (krb5_enctype): add ETYPE_DES3_CBC_NONE_IVEC as a new pseudo-type * lib/krb5/crypto.c (DES_AFS3_CMU_string_to_key): always treat cell names as lower case (krb5_encrypt_ivec, krb5_decrypt_ivec): new functions that allow an explicit ivec to be specified. fix all sub-functions. 
(DES3_CBC_encrypt_ivec): new function that takes an explicit ivec 2000-12-06 Johan Danielsson * lib/krb5/Makefile.am: actually build replay cache code * lib/krb5/replay.c: implement krb5_get_server_rcache * kpasswd/kpasswdd.c: de-pointerise auth_context parameter to krb5_mk_rep * lib/krb5/recvauth.c: de-pointerise auth_context parameter to krb5_mk_rep * lib/krb5/mk_rep.c: auth_context should not be a pointer * lib/krb5/auth_context.c: implement krb5_auth_con_genaddrs, and make setaddrs_from_fd use that * lib/krb5/krb5.h: add some more KRB5_AUTH_CONTEXT_* flags 2000-12-05 Johan Danielsson * lib/krb5/Makefile.am: add kerberos.8 manpage * lib/krb5/cache.c: check for NULL remove_cred function * lib/krb5/fcache.c: pretend that empty files are non-existant * lib/krb5/get_addrs.c (find_all_addresses): use getifaddrs, from Jason Thorpe 2000-12-01 Assar Westerlund * configure.in: remove configure-time generation of krb5-config * tools/Makefile.am: add generation of krb5-config at make-time instead of configure-time * tools/krb5-config.in: add --prefix and --exec-prefix 2000-11-30 Assar Westerlund * tools/Makefile.am: add krb5-config.1 * tools/krb5-config.in: add kadm-client and kadm5-server as libraries 2000-11-29 Assar Westerlund * tools/krb5-config.in: add --prefix, --exec-prefix and gssapi 2000-11-29 Johan Danielsson * configure.in: add roken/Makefile here, since it can't live in rk_ROKEN 2000-11-16 Assar Westerlund * configure.in: use the libtool -rpath, do not rely on ld understanding -rpath * configure.in: fix the -Wl stuff for krb4 linking add some gratuitous extra options when linking with an existing libdes 2000-11-15 Assar Westerlund * lib/hdb/hdb.c (hdb_next_enctype2key): const-ize a little bit * lib/Makefile.am (SUBDIRS): try to only build des when needed * kuser/klist.c: print key versions numbers of v4 tickets in verbose mode * kdc/kerberos5.c (tgs_rep2): adapt to new krb5_verify_ap_req2 * appl/test/gss_common.c (read_token): remove unused variable * 
configure.in (krb4): add -Wl (MD4Init et al): look for these in more libraries (getmsg): only run test if we have the function (AC_OUTPUT): create tools/krb5-config * tools/krb5-config.in: new script for storing flags to use * Makefile.am (SUBDIRS): add tools * lib/krb5/get_cred.c (make_pa_tgs_req): update to new krb5_mk_req_internal * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): allow different usages for the encryption. change callers * lib/krb5/rd_req.c (decrypt_authenticator): add an encryption `usage'. also try the old (and wrong) usage of KRB5_KU_AP_REQ_AUTH for backwards compatibility (krb5_verify_ap_req2): new function for specifying the usage different from the default (KRB5_KU_AP_REQ_AUTH) * lib/krb5/build_auth.c (krb5_build_authenticator): add a `usage' parameter to permit the generation of authenticators with different crypto usage * lib/krb5/mk_req.c (krb5_mk_req_exact): new function that takes a krb5_principal (krb5_mk_req): use krb5_mk_req_exact * lib/krb5/mcache.c (mcc_close): free data (mcc_destroy): don't free data 2000-11-13 Assar Westerlund * lib/hdb/ndbm.c: handle both ndbm.h and gdbm/ndbm.h * lib/hdb/hdb.c: handle both ndbm.h and gdbm/ndbm.h 2000-11-12 Johan Danielsson * kdc/hpropd.8: remove extra .Xc 2000-10-27 Johan Danielsson * kuser/kinit.c: fix v4 fallback lifetime calculation 2000-10-10 Johan Danielsson * kdc/524.c: fix log message 2000-10-08 Assar Westerlund * lib/krb5/changepw.c (krb5_change_password): check for fd's being too large to select on * kpasswd/kpasswdd.c (add_new_tcp): check for the socket fd being too large to select on * kdc/connect.c (add_new_tcp): check for the socket fd being too large to select on * kdc/connect.c (loop): check that the socket fd is not too large to select on * lib/krb5/send_to_kdc.c (recv_loop): check `fd' for being too large to be able to select on * kdc/kaserver.c (do_authenticate): check for time skew 2000-10-01 Assar Westerlund * kdc/524.c (set_address): allocate memory for storing addresses in if 
the original request had an empty set of addresses * kdc/524.c (set_address): fix bad return of pointer to automatic data * config.sub: update to version 2000-09-11 (aka 1.181) from subversions.gnu.org * config.guess: update to version 2000-09-05 (aka 1.156) from subversions.gnu.org plus some minor tweaks 2000-09-20 Assar Westerlund * Release 0.3c 2000-09-19 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 13:1:0 * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 6:2:0 2000-09-17 Assar Westerlund * lib/krb5/rd_req.c (krb5_decrypt_ticket): plug some memory leak (krb5_rd_req): try not to return an allocated auth_context on error * lib/krb5/log.c (krb5_vlog_msg): fix const-ness 2000-09-10 Assar Westerlund * kdc/524.c: re-organize * kdc/kerberos5.c (tgs_rep2): try to avoid leaking auth_context * kdc/kerberos4.c (valid_princ): check return value of functions (encode_v4_ticket): add some const * kdc/misc.c (db_fetch): check malloc (free_ent): new function * lib/krb5/log.c (krb5_vlog_msg): log just the format string it we fail to allocate the actual string to log, should at least provide some hint as to where things went wrong 2000-09-10 Johan Danielsson * kdc/log.c: use DEFAULT_LOG_DEST * kdc/config.c: use _PATH_KDC_CONF * kdc/kdc_locl.h: add macro constants for kdc.conf, and kdc.log 2000-09-09 Assar Westerlund * lib/krb5/crypto.c (_key_schedule): re-use an existing schedule 2000-09-06 Johan Danielsson * configure.in: fix dpagaix test 2000-09-05 Assar Westerlund * configure.in: with_dce -> enable_dce. 
noticed by Ake Sandgren 2000-09-01 Johan Danielsson * kdc/kstash.8: update manual page * kdc/kstash.c: fix typo, and remove unused option * lib/krb5/kerberos.7: short kerberos intro page 2000-08-27 Assar Westerlund * include/bits.c: add __attribute__ for gcc's pleasure * lib/hdb/keytab.c: re-write to delay the opening of the database till it's known which principal is being sought, thereby allowing the usage of multiple databases, however they need to be specified in /etc/krb5.conf since all the programs using this keytab do not read kdc.conf * appl/test/test_locl.h (keytab): add * appl/test/common.c: add --keytab * lib/krb5/crypto.c: remove trailing commas (KRB5_KU_USAGE_SEQ): renamed from KRB5_KU_USAGE_MIC 2000-08-26 Assar Westerlund * lib/krb5/send_to_kdc.c (send_via_proxy): handle `http://' at the beginning of the proxy specification. use getaddrinfo correctly (krb5_sendto): always return a return code * lib/krb5/krb5.h (KRB5_KU_USAGE_MIC): rename to KRB5_KU_USAGE_SEQ * lib/krb5/auth_context.c (krb5_auth_con_free): handle auth_context == NULL 2000-08-23 Assar Westerlund * kdc/kerberos5.c (find_type): make sure of always setting `ret_etype' correctly. 
clean-up structure some 2000-08-23 Johan Danielsson * lib/krb5/mcache.c: implement resolve 2000-08-18 Assar Westerlund * kuser/kdecode_ticket.c: check return value from krb5_crypto_init * kdc/kerberos5.c, kdc/524.c: check return value from krb5_crypto_init * lib/krb5/*.c: check return value from krb5_crypto_init 2000-08-16 Assar Westerlund * Release 0.3b 2000-08-16 Assar Westerlund * lib/krb5/Makefile.am: bump version to 13:0:0 * lib/hdb/Makefile.am: set version to 6:1:0 * configure.in: do getmsg testing the same way as in krb4 * lib/krb5/config_file.c (krb5_config_parse_file_debug): make sure of closing the file on error * lib/krb5/crypto.c (encrypt_internal_derived): free the checksum after use * lib/krb5/warn.c (_warnerr): initialize args to make third, purify et al happy 2000-08-13 Assar Westerlund * kdc/kerberos5.c: re-write search for keys code. loop over all supported enctypes in order, looping over all keys of each type, and picking the one with the v5 default salt preferably 2000-08-10 Assar Westerlund * appl/test/gss_common.c (enet_read): add and use * lib/krb5/krb5.h (heimdal_version, heimdal_long_version): make const * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): add comment on checksum type selection * lib/krb5/context.c (krb5_init_context): do not leak memory on failure (default_etypes): prefer arcfour-hmac-md5 to des-cbc-md5 * lib/krb5/principal.c: add fnmatch.h 2000-08-09 Assar Westerlund * configure.in: call AC_PROG_CC and AC_PROG_CPP to make sure later checks that should require them don't fail * acconfig.h: add HAVE_UINT17_T 2000-08-09 Johan Danielsson * kdc/mit_dump.c: handle all sorts of weird MIT salt types 2000-08-08 Johan Danielsson * doc/setup.texi: port 212 -> 2121 * lib/krb5/principal.c: krb5_principal_match 2000-08-04 Johan Danielsson * lib/asn1/der_get.c: add comment on *why* DCE sometimes used BER encoding * kpasswd/Makefile.am: link with pidfile library * kpasswd/kpasswdd.c: write a pid file * kpasswd/kpasswd_locl.h: util.h * 
kdc/Makefile.am: link with pidfile library * kdc/main.c: write a pid file * kdc/headers.h: util.h 2000-08-04 Assar Westerlund * lib/krb5/principal.c (krb5_425_conv_principal_ext): always put hostnames in lower case (default_v4_name_convert): add imap 2000-08-03 Assar Westerlund * lib/krb5/crc.c (_krb5_crc_update): const-ize (finally) 2000-07-31 Johan Danielsson * configure.in: check for uint*_t * include/bits.c: define uint*_t 2000-07-29 Assar Westerlund * kdc/kerberos5.c (check_tgs_flags): set endtime correctly when renewing, From Derrick J Brashear 2000-07-28 Assar Westerlund * Release 0.3a 2000-07-27 Assar Westerlund * kdc/hprop.c (dump_database): write an empty message to signal end of dump 2000-07-26 Assar Westerlund * lib/krb5/changepw.c (krb5_change_password): try to be more careful when not to resend * lib/hdb/db3.c: always create a cursor with db3. From Derrick J Brashear 2000-07-25 Johan Danielsson * lib/hdb/Makefile.am: bump version to 6:0:0 * lib/asn1/Makefile.am: bump version to 3:0:1 * lib/krb5/Makefile.am: bump version to 12:0:1 * lib/krb5/krb5_config.3: manpage * lib/krb5/krb5_appdefault.3: manpage * lib/krb5/appdefault.c: implementation of the krb5_appdefault set of functions 2000-07-23 Assar Westerlund * lib/krb5/init_creds_pw.c (change_password): reset forwardable and proxiable. copy preauthentication list correctly from supplied options * kdc/hpropd.c (main): check that the ticket was for `hprop/' for paranoid reasons * lib/krb5/sock_principal.c (krb5_sock_to_principal): look in aliases for the real name 2000-07-22 Johan Danielsson * doc/setup.texi: say something about starting kadmind from the command line 2000-07-22 Assar Westerlund * kpasswd/kpasswdd.c: use kadm5_s_chpass_principal_cond instead of mis-doing it here * lib/krb5/changepw.c (krb5_change_password): make timeout 1 + 2^{0,1,...}. 
also keep track if we got an old packet back and then just wait without sending a new packet * lib/krb5/changepw.c: use a datagram socket and remove the sequence numbers * lib/krb5/changepw.c (krb5_change_password): clarify an expression, avoiding a warning 2000-07-22 Johan Danielsson * kuser/klist.c: make -a and -n aliases for -v * lib/krb5/write_message.c: ws * kdc/hprop-common.c: nuke extra definitions of krb5_read_priv_message et.al * lib/krb5/read_message.c (krb5_read_message): return error if EOF 2000-07-20 Assar Westerlund * kpasswd/kpasswd.c: print usage consistently * kdc/hprop.h (HPROP_KEYTAB): use HDB for the keytab * kdc/hpropd.c: add --keytab * kdc/hpropd.c: don't care what principal we recvauth as * lib/krb5/get_cred.c: be more careful of not returning creds at all when an error is returned * lib/krb5/fcache.c (fcc_gen_new): do mkstemp correctly 2000-07-19 Johan Danielsson * fix-export: use autoreconf * configure.in: remove stuff that belong in roken, and remove some obsolete constructs 2000-07-18 Johan Danielsson * configure.in: fix some typos * appl/Makefile.am: dceutil*s* * missing: update to missing from automake 1.4a 2000-07-17 Johan Danielsson * configure.in: try to get xlc flags from ibmcxx.cfg use conditional for X use readline cf macro * configure.in: subst AIX compiler flags 2000-07-15 Johan Danielsson * configure.in: pass sixth parameter to test-package; use some newer autoconf constructs * ltmain.sh: update to libtool 1.3c * ltconfig: update to libtool 1.3c * configure.in: update this to newer auto*/libtool * appl/Makefile.am: use conditional for dce * lib/Makefile.am: use conditional for dce 2000-07-11 Johan Danielsson * lib/krb5/write_message.c: krb5_write_{priv,save}_message * lib/krb5/read_message.c: krb5_read_{priv,save}_message * lib/krb5/convert_creds.c: try port kerberos/88 if no response on krb524/4444 * lib/krb5/convert_creds.c: use krb5_sendto * lib/krb5/send_to_kdc.c: add more generic krb5_sendto that send to a port at 
arbitrary list of hosts 2000-07-10 Johan Danielsson * doc/misc.texi: language; say something about kadmin del_enctype 2000-07-10 Assar Westerlund * appl/kf/Makefile.am: actually install 2000-07-08 Assar Westerlund * configure.in (AM_INIT_AUTOMAKE): bump to 0.3a-pre (AC_ROKEN): roken is now at 10 * lib/krb5/string-to-key-test.c: add a arcfour-hmac-md5 test case * kdc/Makefile.am (INCLUDES): add ../lib/krb5 * configure.in: update for standalone roken * lib/Makefile.am (SUBDIRS): make roken conditional * kdc/hprop.c: update to new hdb_seal_keys_mkey * lib/hdb/mkey.c (_hdb_unseal_keys_int, _hdb_seal_keys_int): rename and export them * kdc/headers.h: add krb5_locl.h (since we just use some stuff from there) 2000-07-08 Johan Danielsson * kuser/klist.1: update for -f and add some more text for -v * kuser/klist.c: use rtbl to format cred listing, add -f and -s * lib/krb5/crypto.c: fix type in des3-cbc-none * lib/hdb/mkey.c: add key usage * kdc/kstash.c: remove writing of old keyfile, and treat --convert-file as just reading and writing the keyfile without asking for a new key * lib/hdb/mkey.c (read_master_encryptionkey): handle old keytype based files, and convert the key to cfb64 * lib/hdb/mkey.c (hdb_read_master_key): set mkey to NULL before doing anything else * lib/krb5/send_to_kdc.c: use krb5_eai_to_heim_errno * lib/krb5/get_for_creds.c: use krb5_eai_to_heim_errno * lib/krb5/changepw.c: use krb5_eai_to_heim_errno * lib/krb5/addr_families.c: use krb5_eai_to_heim_errno * lib/krb5/eai_to_heim_errno.c: convert getaddrinfo error codes to something that can be passed to get_err_text 2000-07-07 Assar Westerlund * lib/hdb/hdb.c (hdb_next_enctype2key): make sure of skipping `*key' * kdc/kerberos4.c (get_des_key): rewrite some, be more careful 2000-07-06 Assar Westerlund * kdc/kerberos5.c (as_rep): be careful as to now overflowing when calculating the end of lifetime of a ticket. 
* lib/krb5/context.c (default_etypes): add ETYPE_ARCFOUR_HMAC_MD5 * lib/hdb/db3.c: only use a cursor when needed, from Derrick J Brashear * lib/krb5/crypto.c: introduce the `special' encryption methods that are not like all other encryption methods and implement arcfour-hmac-md5 2000-07-05 Johan Danielsson * kdc/mit_dump.c: set initial master key version number to 0 instead of 1; if we lated bump the mkvno we don't risk using the wrong key to decrypt * kdc/hprop.c: only get master key if we're actually going to use it; enable reading of MIT krb5 dump files * kdc/mit_dump.c: read MIT krb5 dump files * lib/hdb/mkey.c (read_master_mit): fix this * kdc/kstash.c: make this work with the new mkey code * lib/hdb/Makefile.am: add mkey.c, and bump version number * lib/hdb/hdb.h: rewrite master key handling * lib/hdb/mkey.c: rewrite master key handling * lib/krb5/crypto.c: add some more pseudo crypto types * lib/krb5/krb5.h: change some funny etypes to use negative numbers, and add some more 2000-07-04 Assar Westerlund * lib/krb5/krbhst.c (get_krbhst): only try SRV lookup if there are none in the configuration file 2000-07-02 Assar Westerlund * lib/krb5/keytab_keyfile.c (akf_add_entry): remove unused variable * kpasswd/kpasswd-generator.c: new test program * kpasswd/Makefile.am: add kpasswd-generator * include/Makefile.am (CLEANFILES): add rc4.h * kuser/generate-requests.c: new test program * kuser/Makefile.am (noinst_PROGRAMS): add generate-requests 2000-07-01 Assar Westerlund * configure.in: add --enable-dce and related stuff * appl/Makefile.am (SUBDIRS): add $(APPL_dce) 2000-06-29 Assar Westerlund * kdc/kerberos4.c (get_des_key): fix thinkos/typos 2000-06-29 Johan Danielsson * admin/purge.c: use parse_time to parse age * lib/krb5/log.c (krb5_vlog_msg): use krb5_format_time * admin/list.c: add printing of timestamp and key data; some cleanup * lib/krb5/time.c (krb5_format_time): new function to format time * lib/krb5/context.c (init_context_from_config_file): init 
date_fmt, also do some cleanup * lib/krb5/krb5.h: add date_fmt to context 2000-06-28 Johan Danielsson * kdc/{kerberos4,kaserver,524}.c (get_des_key): change to return v4 or afs keys if possible 2000-06-25 Johan Danielsson * kdc/hprop.c (ka_convert): allow using null salt, and treat 0 pw_expire as never (from Derrick Brashear) 2000-06-24 Johan Danielsson * kdc/connect.c (add_standard_ports): only listen to port 750 if serving v4 requests 2000-06-22 Assar Westerlund * lib/asn1/lex.l: fix includes, and lex stuff * lib/asn1/lex.h (error_message): update prototype (yylex): add * lib/asn1/gen_length.c (length_type): fail on malloc error * lib/asn1/gen_decode.c (decode_type): fail on malloc error 2000-06-21 Assar Westerlund * lib/krb5/get_for_creds.c: be more compatible with MIT code. From Daniel Kouril * lib/krb5/rd_cred.c: be more compatible with MIT code. From Daniel Kouril * kdc/kerberos5.c (get_pa_etype_info): do not set salttype if it's vanilla pw-salt, that keeps win2k happy. also do the malloc check correctly. From Daniel Kouril 2000-06-21 Johan Danielsson * kdc/hprop.c: add hdb keytabs 2000-06-20 Johan Danielsson * lib/krb5/principal.c: back out rev. 
1.64 2000-06-19 Johan Danielsson * kdc/kerberos5.c: pa_* -> KRB5_PADATA_* * kdc/hpropd.c: add realm override flag * kdc/v4_dump.c: code for reading krb4 dump files * kdc/hprop.c: generalize source database handing, add support for non-standard local realms (from by Daniel Kouril and Miroslav Ruda ), and support for using different ports (requested by the Czechs, but implemented differently) * lib/krb5/get_cred.c: pa_* -> KRB5_PADATA_* * lib/krb5/get_in_tkt.c: pa_* -> KRB5_PADATA_* * lib/krb5/krb5.h: use some definitions from asn1.h * lib/hdb/hdb.asn1: use new import syntax * lib/asn1/k5.asn1: use distinguished value integers * lib/asn1/gen_length.c: support for distinguished value integers * lib/asn1/gen_encode.c: support for distinguished value integers * lib/asn1/gen_decode.c: support for distinguished value integers * lib/asn1/gen.c: support for distinguished value integers * lib/asn1/lex.l: add support for more standards like import statements * lib/asn1/parse.y: add support for more standards like import statements, and distinguished value integers 2000-06-11 Assar Westerlund * lib/krb5/get_for_creds.c (add_addrs): ignore addresses of unknown type * lib/krb5/get_for_creds.c (add_addrs): zero memory before starting to copy memory 2000-06-10 Assar Westerlund * lib/krb5/test_get_addrs.c: test program for get_addrs * lib/krb5/get_addrs.c (find_all_addresses): remember to add in the size of ifr->ifr_name when using SA_LEN. noticed by Ken Raeburn 2000-06-07 Assar Westerlund * configure.in: add db3 detection stuff do not use streamsptys on HP-UX 11 * lib/hdb/hdb.h (HDB): add dbc for db3 * kdc/connect.c (add_standard_ports): also listen on krb524 aka 4444 * etc/services.append (krb524): add * lib/hdb/db3.c: add berkeley db3 interface. 
contributed by Derrick J Brashear * lib/hdb/hdb.h (struct HDB): add 2000-06-07 Johan Danielsson * kdc/524.c: if 524 is not enabled, just generate error reply and exit * kdc/kerberos4.c: if v4 is not enabled, just generate error reply and exit * kdc/connect.c: only listen to port 4444 if 524 is enabled * kdc/config.c: add options to enable/disable v4 and 524 requests 2000-06-06 Johan Danielsson * kdc/524.c: handle non-existent server principals (from Daniel Kouril) 2000-06-03 Assar Westerlund * admin/ktutil.c: print name when failing to open keytab * kuser/kinit.c: try also to fallback to v4 when no KDC is found 2000-05-28 Assar Westerlund * kuser/klist.c: continue even if we have no v5 ccache. make showing your krb4 tickets the default (if built with krb4 support) * kuser/kinit.c: add a fallback that tries to get a v4 ticket if built with krb4 support and we got back a version error from the KDC 2000-05-23 Johan Danielsson * lib/krb5/keytab_keyfile.c: make this actually work 2000-05-19 Assar Westerlund * lib/krb5/store_emem.c (emem_store): make it write-compatible * lib/krb5/store_fd.c (fd_store): make it write-compatible * lib/krb5/store_mem.c (mem_store): make it write-compatible * lib/krb5/krb5.h (krb5_storage): make store write-compatible 2000-05-18 Assar Westerlund * configure.in: add stdio.h in dbopen test 2000-05-16 Assar Westerlund * Release 0.2t 2000-05-16 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:1:0 * lib/krb5/fcache.c: fix second lseek * lib/krb5/principal.c (krb5_524_conv_principal): fix typo 2000-05-15 Assar Westerlund * Release 0.2s 2000-05-15 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:0:0 * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 4:2:1 * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump to 2:0:0 * lib/krb5/principal.c (krb5_524_conv_principal): comment-ize, and simplify string copying 2000-05-12 Assar Westerlund * lib/krb5/fcache.c (scrub_file): new function 
(erase_file): re-write, use scrub_file * lib/krb5/krb5.h (KRB5_DEFAULT_CCFILE_ROOT): add * configure.in (dbopen): add header files * lib/krb5/krb5.h (krb5_key_usage): add some more * lib/krb5/fcache.c (erase_file): try to detect symlink games. also call revoke. * lib/krb5/changepw.c (krb5_change_password): remember to close the socket on error * kdc/main.c (main): also call sigterm on SIGTERM 2000-05-06 Assar Westerlund * lib/krb5/config_file.c (krb5_config_vget_string_default, krb5_config_get_string_default): add 2000-04-25 Assar Westerlund * lib/krb5/fcache.c (fcc_initialize): just forget about over-writing the old cred cache. it's too much of a hassle trying to do this safely. 2000-04-11 Assar Westerlund * lib/krb5/crypto.c (krb5_get_wrapped_length): rewrite into different parts for the derived and non-derived cases * lib/krb5/crypto.c (krb5_get_wrapped_length): the padding should be done after having added confounder and checksum 2000-04-09 Assar Westerlund * lib/krb5/get_addrs.c (find_all_addresses): apparently solaris can return EINVAL when the buffer is too small. cope. * lib/asn1/Makefile.am (gen_files): add asn1_UNSIGNED.x * lib/asn1/gen_locl.h (filename): add prototype (init_generate): const-ize * lib/asn1/gen.c (filename): new function clean-up a little bit. * lib/asn1/parse.y: be more tolerant in ranges * lib/asn1/lex.l: count lines correctly. 
(error_message): print filename in messages 2000-04-08 Assar Westerlund * lib/krb5/rd_safe.c (krb5_rd_safe): increment sequence number after comparing * lib/krb5/rd_priv.c (krb5_rd_priv): increment sequence number after comparing * lib/krb5/mk_safe.c (krb5_mk_safe): make `tmp_seq' unsigned * lib/krb5/mk_priv.c (krb5_mk_priv): make `tmp_seq' unsigned * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): make `seqno' be unsigned * lib/krb5/mk_safe.c (krb5_mk_safe): increment local sequence number after the fact and only increment it if we were successful * lib/krb5/mk_priv.c (krb5_mk_priv): increment local sequence number after the fact and only increment it if we were successful * lib/krb5/krb5.h (krb5_auth_context_data): make sequence number unsigned * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): `in_tkt_service' can be NULL 2000-04-06 Assar Westerlund * lib/asn1/parse.y: regonize INTEGER (0..UNIT_MAX). (DOTDOT): add * lib/asn1/lex.l (DOTDOT): add * lib/asn1/k5.asn1 (UNSIGNED): add. use UNSIGNED for all sequence numbers. * lib/asn1/gen_length.c (length_type): add TUInteger * lib/asn1/gen_free.c (free_type): add TUInteger * lib/asn1/gen_encode.c (encode_type, generate_type_encode): add TUInteger * lib/asn1/gen_decode.c (decode_type, generate_type_decode): add TUInteger * lib/asn1/gen_copy.c (copy_type): add TUInteger * lib/asn1/gen.c (define_asn1): add TUInteger * lib/asn1/der_put.c (encode_unsigned): add * lib/asn1/der_length.c (length_unsigned): add * lib/asn1/der_get.c (decode_unsigned): add * lib/asn1/der.h (decode_unsigned, encode_unsigned, length_unsigned): add prototypes * lib/asn1/k5.asn1: update pre-authentication types * lib/krb5/krb5_err.et: add some error codes from pkinit 2000-04-05 Assar Westerlund * lib/hdb/hdb.c: add support for hdb methods (aka back-ends). include ldap. 
* lib/hdb/hdb-ldap.c: tweak the ifdef to OPENLDAP * lib/hdb/Makefile.am: add hdb-ldap.c and openldap * kdc/Makefile.am, kpasswd/Makefile.am, kadmin/Makefile.am: add * configure.in: bump version to 0.2s-pre add options and testing for (open)ldap 2000-04-04 Assar Westerlund * configure.in (krb4): fix the krb_mk_req test 2000-04-03 Assar Westerlund * configure.in (krb4): add test for const arguments to krb_mk_req * lib/45/mk_req.c (krb_mk_req): conditionalize const-ness of arguments 2000-04-03 Assar Westerlund * Release 0.2r 2000-04-03 Assar Westerlund * lib/krb5/Makefile.am: set version to 10:0:0 * lib/45/mk_req.c (krb_mk_req): const-ize the arguments 2000-03-30 Assar Westerlund * lib/krb5/principal.c (krb5_425_conv_principal_ext): add some comments. add fall-back on adding the realm name in lower case. 2000-03-29 Assar Westerlund * kdc/connect.c: remember to repoint all descr->sa to _ss after realloc as this might have moved the memory around. problem discovered and diagnosed by Brandon S. Allbery 2000-03-27 Assar Westerlund * configure.in: recognize solaris 2.8 * config.guess, config.sub: update to current version from :pserver:anoncvs@subversions.gnu.org:/home/cvs * lib/krb5/init_creds_pw.c (print_expire): do not assume anything about the size of time_t, i.e. make it 64-bit happy 2000-03-13 Assar Westerlund * kuser/klist.c: add support for display v4 tickets 2000-03-11 Assar Westerlund * kdc/kaserver.c (do_authenticate, do_getticket): call check_flags * kdc/kerberos4.c (do_version4): call check_flags. * kdc/kerberos5.c (check_flags): make global 2000-03-10 Assar Westerlund * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): evil hack to avoid recursion 2000-03-04 Assar Westerlund * kuser/kinit.c: add `krb4_get_tickets' per realm. 
add --anonymous * lib/krb5/krb5.h (krb5_get_init_creds_opt): add `anonymous' and KRB5_GET_INIT_CREDS_OPT_ANONYMOUS * lib/krb5/init_creds_pw.c (get_init_creds_common): set request_anonymous flag appropriately * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_anonymous): add * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): new parameter to determine whether to ignore client name or not. always copy client name from kdc. fix callers. * kdc: add support for anonymous tickets * kdc/string2key.8: add man-page for string2key 2000-03-03 Assar Westerlund * kdc/hpropd.c (dump_krb4): get expiration date from `valid_end' and not `pw_end' * kdc/kadb.h (ka_entry): fix name pw_end -> valid_end. add some more fields * kdc/hprop.c (v4_prop): set the `valid_end' from the v4 expiration date instead of the `pw_expire' (ka_convert): set `valid_end' from ka expiration data and `pw_expire' from pw_change + pw_expire (main): add a default database for ka dumping 2000-02-28 Assar Westerlund * lib/krb5/context.c (init_context_from_config_file): change rfc2052 default to no. 2782 says that underscore should be used. 2000-02-24 Assar Westerlund * lib/krb5/fcache.c (fcc_initialize, fcc_store_cred): verify that stores and close succeed * lib/krb5/store.c (krb5_store_creds): check to see that the stores are successful. 
2000-02-23 Assar Westerlund * Release 0.2q 2000-02-22 Assar Westerlund * lib/krb5/Makefile.am: set version to 9:2:0 * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): copy the correct hostname * kdc/connect.c (add_new_tcp): use the correct entries in the descriptor table * kdc/connect.c: initialize `descr' uniformly and correctly 2000-02-20 Assar Westerlund * Release 0.2p 2000-02-19 Assar Westerlund * lib/krb5/Makefile.am: set version to 9:1:0 * lib/krb5/expand_hostname.c (krb5_expand_hostname): make sure that realms is filled in even when getaddrinfo fails or does not return any canonical name * kdc/connect.c (descr): add sockaddr and string representation (*): re-write to use the above mentioned 2000-02-16 Assar Westerlund * lib/krb5/addr_families.c (krb5_parse_address): use krb5_sockaddr2address to copy the result from getaddrinfo. 2000-02-14 Assar Westerlund * Release 0.2o 2000-02-13 Assar Westerlund * lib/krb5/Makefile.am: set version to 9:0:0 * kdc/kaserver.c (do_authenticate): return the kvno of the server and not the client. Thanks to Brandon S. Allbery KF8NH and Chaskiel M Grundman for debugging. * kdc/kerberos4.c (do_version4): if an tgs-req is received with an old kvno, return an error reply and write a message in the log. 2000-02-12 Assar Westerlund * appl/test/gssapi_server.c (proto): with `--fork', create a child and send over/receive creds with export/import_sec_context * appl/test/gssapi_client.c (proto): with `--fork', create a child and send over/receive creds with export/import_sec_context * appl/test/common.c: add `--fork' / `-f' (only used by gssapi) 2000-02-11 Assar Westerlund * kdc/kdc_locl.h: remove keyfile add explicit_addresses * kdc/connect.c (init_sockets): pay attention to explicit_addresses some more comments. better error messages. * kdc/config.c: add some comments. remove --key-file. add --addresses. 
* lib/krb5/context.c (krb5_set_extra_addresses): const-ize and use proper abstraction 2000-02-07 Johan Danielsson * lib/krb5/changepw.c: use roken_getaddrinfo_hostspec 2000-02-07 Assar Westerlund * Release 0.2n 2000-02-07 Assar Westerlund * lib/krb5/Makefile.am: set version to 8:0:0 * lib/krb5/keytab.c (krb5_kt_default_name): use strlcpy (krb5_kt_add_entry): set timestamp 2000-02-06 Assar Westerlund * lib/krb5/krb5.h: add macros for accessing krb5_realm * lib/krb5/time.c (krb5_timeofday): use `krb5_timestamp' instead of `int32_t' * lib/krb5/replay.c (checksum_authenticator): update to new API for md5 * lib/krb5/krb5.h: remove des.h, it's not needed and applications should not have to make sure to find it. 2000-02-03 Assar Westerlund * lib/krb5/rd_req.c (get_key_from_keytab): rename parameter to `out_key' to avoid conflicting with label. reported by Sean Doran 2000-02-02 Assar Westerlund * lib/krb5/expand_hostname.c: remember to lower-case host names. bug reported by * kdc/kerberos4.c (do_version4): look at check_ticket_addresses and emulate that by setting krb_ignore_ip_address (not a great interface but it doesn't seem like the time to go around fixing libkrb stuff now) 2000-02-01 Johan Danielsson * kuser/kinit.c: change --noaddresses into --no-addresses 2000-01-28 Assar Westerlund * kpasswd/kpasswd.c (main): make sure the ticket is not forwardable and not proxiable 2000-01-26 Assar Westerlund * lib/krb5/crypto.c: update to pseudo-standard APIs for md4,md5,sha. some changes to libdes calls to make them more portable. 2000-01-21 Assar Westerlund * lib/krb5/verify_init.c (krb5_verify_init_creds): make sure to clean up the correct creds. 2000-01-16 Assar Westerlund * lib/krb5/principal.c (append_component): change parameter to `const char *'. 
check malloc * lib/krb5/principal.c (append_component, va_ext_princ, va_princ): const-ize * lib/krb5/mk_req.c (krb5_mk_req): make `service' and `hostname' const * lib/krb5/principal.c (replace_chars): also add space here * lib/krb5/principal.c: (quotable_chars): add space 2000-01-12 Assar Westerlund * kdc/kerberos4.c (do_version4): check if preauth was required and bail-out if so since there's no way that could be done in v4. Return NULL_KEY as an error to the client (which is non-obvious, but what can you do?) 2000-01-09 Assar Westerlund * lib/krb5/principal.c (krb5_sname_to_principal): use krb5_expand_hostname_realms * lib/krb5/mk_req.c (krb5_km_req): use krb5_expand_hostname_realms * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): new variant of krb5_expand_hostname that tries until it expands into something that's digestible by krb5_get_host_realm, returning also the result from that function. 2000-01-08 Assar Westerlund * Release 0.2m 2000-01-08 Assar Westerlund * configure.in: replace AC_C_BIGENDIAN with KRB_C_BIGENDIAN * lib/krb5/Makefile.am: bump version to 7:1:0 * lib/krb5/principal.c (krb5_sname_to_principal): use krb5_expand_hostname * lib/krb5/expand_hostname.c (krb5_expand_hostname): handle ai_canonname being set in any of the addresses returned by getaddrinfo. glibc apparently returns the reverse lookup of every address in ai_canonname. 
2000-01-06 Assar Westerlund * Release 0.2l 2000-01-06 Assar Westerlund * lib/krb5/Makefile.am: set version to 7:0:0 * lib/krb5/principal.c (krb5_sname_to_principal): remove `hp' * lib/hdb/Makefile.am: set version to 4:1:1 * kdc/hpropd.c (dump_krb4): use `krb5_get_default_realms' * lib/krb5/get_in_tkt.c (add_padata): change types to make everything work out (krb5_get_in_cred): remove const to make types match * lib/krb5/crypto.c (ARCFOUR_string_to_key): correct signature * lib/krb5/principal.c (krb5_sname_to_principal): handle not getting back a canonname 2000-01-06 Assar Westerlund * Release 0.2k 2000-01-06 Assar Westerlund * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): advance colon so that we actually parse the port number. based on a patch from Leif Johansson 2000-01-02 Assar Westerlund * admin/purge.c: remove all non-current and old entries from a keytab * admin: break up ktutil.c into files * admin/ktutil.c (list): support --verbose (also listing time stamps) (kt_add, kt_get): set timestamp in newly created entries (kt_change): add `change' command * admin/srvconvert.c (srvconv): set timestamp in newly created entries * lib/krb5/keytab_keyfile.c (akf_next_entry): set timestamp, always go to a predictable position on error * lib/krb5/keytab.c (krb5_kt_copy_entry_contents): copy timestamp * lib/krb5/keytab_file.c (fkt_add_entry): store timestamp (fkt_next_entry_int): return timestamp * lib/krb5/krb5.h (krb5_keytab_entry): add timestamp heimdal-1.7~git20150920+dfsg/ChangeLog.2001000066400000000000000000001061331257755311500176020ustar00rootroot000000000000002001-12-20 Johan Danielsson * lib/krb5/crypto.c: use our own des string-to-key function, since the one from openssl sometimes generates wrong output 2001-12-05 Jacques Vidrine * lib/hdb/mkey.c: fix a bug in which kstash would crash if there were no /etc/krb5.conf 2001-11-09 Johan Danielsson * lib/krb5/krb5_verify_user.3: sort references (from Thomas Klausner) * lib/krb5/krb5_principal_get_realm.3: add section 
to reference (from Thomas Klausner) * lib/krb5/krb5_krbhst_init.3: sort references (from Thomas Klausner) * lib/krb5/krb5_keytab.3: white space fixes (from Thomas Klausner) * lib/krb5/krb5_get_krbhst.3: remove extra white space (from Thomas Klausner) * lib/krb5/krb5_get_all_client_addrs.3: add section to reference (from Thomas Klausner) 2001-10-29 Jacques Vidrine * admin/get.c: fix a bug in which a reference to a data structure on the stack was being kept after the containing function's lifetime, resulting in a segfault during `ktutil get'. 2001-10-22 Assar Westerlund * lib/krb5/crypto.c: make all high-level encrypting and decrypting functions check the return value of the underlying function and handle errors more consistently. noted by Sam Hartman 2001-10-21 Assar Westerlund * lib/krb5/crypto.c (enctype_arcfour_hmac_md5): actually use a non-keyed checksum when it should be non-keyed 2001-09-29 Assar Westerlund * kuser/kinit.1: add the kauth alias * kuser/kinit.c: allow specification of afslog in krb5.conf, noted by jhutz@cs.cmu.edu 2001-09-27 Assar Westerlund * lib/asn1/gen.c: remove the need for libasn1.h, also make generated files include all files from IMPORTed modules * lib/krb5/krb5.h (KRB5_KPASSWD_*): set correct values * kpasswd/kpasswd.c: improve error message printing * lib/krb5/changepw.c (krb5_passwd_result_to_string): add change to use sequence numbers connect the udp socket so that we can figure out the local address 2001-09-25 Assar Westerlund * lib/asn1: implement OBJECT IDENTIFIER and ENUMERATED 2001-09-20 Johan Danielsson * lib/krb5/principal.c (krb5_425_conv_principal_ext): try using lower case realm as domain, but only when given a verification function 2001-09-20 Assar Westerlund * lib/asn1/der_put.c (der_put_length): do not even try writing anything when len == 0 2001-09-18 Johan Danielsson * kdc/hpropd.c: add realm override option * lib/krb5/set_default_realm.c (krb5_set_default_realm): make realm parameter const * kdc/hprop.c: more free's * 
lib/krb5/init_creds_pw.c (krb5_get_init_creds_keytab): free key proc data * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): free addrinfo * lib/hdb/mkey.c (hdb_set_master_keyfile): clear error string when not returning error 2001-09-16 Assar Westerlund * lib/krb5/appdefault.c (krb5_appdefault_{boolean,string,time): make realm const * lib/krb5/crypto.c: use des functions to avoid generating warnings with openssl's prototypes 2001-09-05 Johan Danielsson * configure.in: check for termcap.h * lib/asn1/lex.l: add another undef ECHO to keep AIX lex happy 2001-09-03 Assar Westerlund * lib/krb5/addr_families.c (krb5_print_address): handle snprintf returning < 0. noticed by hin@stacken.kth.se 2001-09-03 Assar Westerlund * Release 0.4e 2001-09-02 Johan Danielsson * kuser/Makefile.am: install kauth as a symlink to kinit * kuser/kinit.c: get v4_tickets by default * lib/asn1/Makefile.am: fix for broken automake 2001-08-31 Johan Danielsson * lib/hdb/hdb-ldap.c: some pretty much untested changes from Luke Howard * kuser/kinit.1: remove references to kauth * kuser/Makefile.am: kauth is no more * kuser/kinit.c: use appdefaults for everything. defaults are now as in kauth. * lib/krb5/appdefault.c: also check libdefaults, and realms/realm * lib/krb5/context.c (krb5_free_context): free more stuff 2001-08-30 Johan Danielsson * lib/krb5/verify_krb5_conf.c: do some checks of the values in the file * lib/krb5/krb5.conf.5: remove srv_try_txt, fix spelling * lib/krb5/context.c: don't init srv_try_txt, since it isn't used anymore 2001-08-29 Jacques Vidrine * configure.in: Check for already-installed com_err. 
2001-08-28 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 18:2:1 2001-08-24 Assar Westerlund * kuser/Makefile.am: remove CHECK_LOCAL - non bin programs require no special treatment now * kuser/generate-requests.c: parse arguments in a useful way * kuser/kverify.c: add --help/--verify 2001-08-22 Assar Westerlund * configure.in: bump prereq to 2.52 remove unused test_LIB_KRB4 * configure.in: re-write the handling of crypto libraries. try to use the one of openssl's libcrypto or krb4's libdes that has all the required functionality (md4, md5, sha1, des, rc4). if there is no such library, the included lib/des is built. * kdc/headers.h: include libutil.h if it exists * kpasswd/kpasswd_locl.h: include libutil.h if it exists * kdc/kerberos4.c (get_des_key): check for null keys even if is_server 2001-08-21 Assar Westerlund * lib/asn1/asn1_print.c: print some size_t correctly * configure.in: remove extra space after -L check for libutil.h 2001-08-17 Johan Danielsson * kdc/kdc_locl.h: fix prototype for get_des_key * kdc/kaserver.c: fix call to get_des_key * kdc/524.c: fix call to get_des_key * kdc/kerberos4.c (get_des_key): if getting a key for a server, return any des-key not just keys that can be string-to-keyed by the client 2001-08-10 Assar Westerlund * Release 0.4d 2001-08-10 Assar Westerlund * configure.in: check for openpty * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:4:0 2001-08-08 Assar Westerlund * configure.in: just add -L (if required) from krb4 when testing for libdes/libcrypto 2001-08-04 Assar Westerlund * lib/krb5/Makefile.am (man_MANS): add some missing man pages * fix-export: fix the sed expression for finding the man pages 2001-07-31 Assar Westerlund * kpasswd/kpasswd-generator.c (main): implement --version and --help * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): update version to 18:1:1 2001-07-27 Assar Westerlund * lib/krb5/context.c (init_context_from_config_file): check parsing of addresses 2001-07-26 Assar 
Westerlund * lib/krb5/sock_principal.c (krb5_sock_to_principal): rename sa_len -> salen to avoid the macro that's defined on irix. noted by "Jacques A. Vidrine" 2001-07-24 Johan Danielsson * lib/krb5/addr_families.c: add support for type KRB5_ADDRESS_ADDRPORT * lib/krb5/addr_families.c (krb5_address_order): complain about unsupported address types 2001-07-23 Johan Danielsson * admin/get.c: don't open connection to server until we loop over the principals, at that time we know the realm of the (first) principal and we can default to that admin server * admin: add a rename command 2001-07-19 Assar Westerlund * kdc/hprop.c (usage): clarify a tiny bit 2001-07-19 Assar Westerlund * Release 0.4c 2001-07-19 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 18:0:1 * lib/krb5/get_for_creds.c (krb5_fwd_tgt_creds): make it behave the same way as the MIT function * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:3:0 * lib/krb5/sock_principal.c (krb5_sock_to_principal): use getnameinfo * lib/krb5/krbhst.c (srv_find_realm): handle port numbers consistently in local byte order * lib/krb5/get_default_realm.c (krb5_get_default_realm): set an error string * kuser/kinit.c (renew_validate): invert condition correctly. 
get v4 tickets if we succeed renewing * lib/krb5/principal.c (krb5_principal_get_type): add (default_v4_name_convert): add "smtp" 2001-07-13 Assar Westerlund * configure.in: remove make-print-version from LIBOBJS, it's no longer in lib/roken but always built in lib/vers 2001-07-12 Johan Danielsson * lib/hdb/mkey.c: more set_error_string 2001-07-12 Assar Westerlund * lib/hdb/Makefile.am (libhdb_la_LIBADD): add required library dependencies * lib/asn1/Makefile.am (libasn1_la_LIBADD): add required library dependencies 2001-07-11 Johan Danielsson * kdc/hprop.c: remove v4 master key handling; remove old v4-db and ka-db flags; add defaults for v4_realm and afs_cell 2001-07-09 Assar Westerlund * lib/krb5/sock_principal.c (krb5_sock_to_principal): copy hname before calling krb5_sname_to_principal. from "Jacques A. Vidrine" 2001-07-08 Johan Danielsson * lib/krb5/context.c: use krb5_copy_addresses instead of copy_HostAddresses 2001-07-06 Assar Westerlund * configure.in (LIB_des_a, LIB_des_so): add these so that they can be used by lib/auth/sia * kuser/kinit.c: re-do some of the v4 fallbacks: look at get-tokens flag do not print extra errors do not try to do 524 if we got tickets from a v4 server 2001-07-03 Assar Westerlund * lib/krb5/replay.c (krb5_get_server_rcache): cast argument to printf * lib/krb5/get_addrs.c (find_all_addresses): call free_addresses on ignore_addresses correctly * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): change to take a const realm * lib/krb5/principal.c (krb5_425_conv_principal_ext): if the instance is the first component of the local hostname, the converted host should be the long hostname. 
from 2001-07-02 Johan Danielsson * lib/krb5/Makefile.am: address.c is no more; add a couple of manpages * lib/krb5/krb5_timeofday.3: new manpage * lib/krb5/krb5_get_all_client_addrs.3: new manpage * lib/krb5/get_in_tkt.c (init_as_req): treat no addresses as wildcard * lib/krb5/get_cred.c (get_cred_kdc_la): treat no addresses as wildcard * lib/krb5/get_addrs.c: don't include client addresses that match ignore_addresses * lib/krb5/context.c: initialise ignore_addresses * lib/krb5/addr_families.c: add new `arange' fake address type, that matches more than one address; this required some internal changes to many functions, so all of address.c got moved here (wasn't much left there) * lib/krb5/krb5.h: add list of ignored addresses to context 2001-07-03 Assar Westerlund * Release 0.4b 2001-07-03 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 17:0:0 * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 7:2:0 2001-07-03 Assar Westerlund * Release 0.4a 2001-07-02 Johan Danielsson * kuser/kinit.c: make this compile without krb4 support * lib/krb5/write_message.c: remove priv parameter from write_safe_message; don't know why it was there in the first place * doc/install.texi: remove kaserver switches, it's always compiled in now * kdc/hprop.c: always include kadb support * kdc/kaserver.c: always include kaserver support 2001-07-02 Assar Westerlund * kpasswd/kpasswdd.c (doit): make failing to bind a socket a non-fatal error, and abort if no sockets were bound 2001-07-01 Assar Westerlund * lib/krb5/krbhst.c: remember the real port number when falling back from kpasswd -> kadmin, and krb524 -> kdc 2001-06-29 Assar Westerlund * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if no_addresses is set, do not add any local addresses to KRB_CRED * kuser/kinit.c: remove extra clearing of password and some redundant code 2001-06-29 Johan Danielsson * kuser/kinit.c: move ticket conversion code to separate function, and call that from a couple of 
places, like when renewing a ticket; also add a flag for just converting a ticket * lib/krb5/init_creds_pw.c: set renew-life to some sane value * kdc/524.c: don't send more data than required 2001-06-24 Assar Westerlund * lib/krb5/store_fd.c (krb5_storage_from_fd): check malloc returns * lib/krb5/keytab_any.c (any_resolve); improving parsing of ANY: (any_start_seq_get): remove a double free (any_next_entry): iterate over all (sub) keytabs and avoid leave data around to be freed again * kdc/kdc_locl.h: add a define for des_new_random_key when using openssl's libcrypto * configure.in: move v6 tests down * lib/krb5/krb5.h (krb5_context_data): remove srv_try_rfc2052 * update to libtool 1.4 and autoconf 2.50 2001-06-22 Johan Danielsson * lib/hdb/hdb.c: use krb5_add_et_list 2001-06-21 Johan Danielsson * lib/hdb/Makefile.am: add generation number * lib/hdb/common.c: add generation number code * lib/hdb/hdb.asn1: add generation number * lib/hdb/print.c: use krb5_storage to make it more dynamic 2001-06-21 Assar Westerlund * lib/krb5/krb5.conf.5: update to changed names used by krb5_get_init_creds_opt_set_default_flags * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): make the appdefault keywords have the same names * configure.in: only add -L and -R to the krb4 libdir if we are actually using it * lib/krb5/krbhst.c (fallback_get_hosts): do not copy trailing dot of hostname add some comments * lib/krb5/krbhst.c: use getaddrinfo instead of dns_lookup when testing for kerberos.REALM. 
this allows reusing that information when actually contacting the server and thus avoids one DNS lookup 2001-06-20 Johan Danielsson * lib/krb5/krb5.h: include k524_err.h * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): don't test for keytype, the server will do this for us if it has anything to complain about * lib/krb5/context.c: add protocol compatible krb524 error codes * lib/krb5/Makefile.am: add protocol compatible krb524 error codes * lib/krb5/k524_err.et: add protocol compatible krb524 error codes * lib/krb5/krb5_principal_get_realm.3: manpage * lib/krb5/principal.c: add functions `krb5_principal_get_realm' and `krb5_principal_get_comp_string' that returns parts of a principal; this is a replacement for the internal `krb5_princ_realm' and `krb5_princ_component' macros that everyone seem to use 2001-06-19 Assar Westerlund * kuser/kinit.c (main): dereference result from krb5_princ_realm. from Thomas Nystrom 2001-06-18 Johan Danielsson * lib/krb5/mk_req.c (krb5_mk_req_exact): free creds when done * lib/krb5/crypto.c (krb5_string_to_key_derived): fix memory leak * lib/krb5/krbhst.c (config_get_hosts): free hostlist * kuser/kinit.c: free principal 2001-06-18 Assar Westerlund * lib/krb5/send_to_kdc.c (krb5_sendto): remove an extra freeaddrinfo * lib/krb5/convert_creds.c (krb524_convert_creds_kdc_ccache): remove some unused variables * lib/krb5/krbhst.c (admin_get_next): spell kerberos correctly * kdc/kerberos5.c: update to new krb5_auth_con* names * kdc/hpropd.c: update to new krb5_auth_con* names * lib/krb5/rd_req.c (krb5_rd_req): use krb5_auth_con* functions and remove some comments * lib/krb5/rd_safe.c (krb5_rd_safe): pick the keys in the right order: remote - local - session * lib/krb5/rd_rep.c (krb5_rd_rep): save the remote sub key in the auth_context * lib/krb5/rd_priv.c (krb5_rd_priv): pick keys in the correct order: remote - local - session * lib/krb5/mk_safe.c (krb5_mk_safe): pick keys in the right order, local - remote - session 2001-06-18 Johan 
Danielsson * lib/krb5/convert_creds.c: use starttime instead of authtime, from Chris Chiappa * lib/krb5/convert_creds.c: make krb524_convert_creds_kdc match the MIT function by the same name; add krb524_convert_creds_kdc_ccache that does what the old version did * admin/list.c (do_list): make sure list of keys is NULL terminated; similar to patch sent by Chris Chiappa 2001-06-18 Assar Westerlund * lib/krb5/mcache.c (mcc_remove_cred): use krb5_free_creds_contents * lib/krb5/auth_context.c: name krb5_auth_con functions more consistently * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): use renamed krb5_auth_con_getauthenticator * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): update to use krb5_krbhst API * lib/krb5/changepw.c (krb5_change_password): update to use krb5_krbhst API * lib/krb5/send_to_kdc.c: update to use krb5_krbhst API * lib/krb5/krbhst.c (krb5_krbhst_get_addrinfo): add set def_port in krb5_krbhst_info (krb5_krbhst_free): free everything * lib/krb5/krb5.h (KRB5_VERIFY_NO_ADDRESSES): add (krb5_krbhst_info): add def_port (default port for this service) * lib/krb5/krbhst-test.c: make it more verbose and useful * lib/krb5/krbhst.c: remove some more memory leaks do not try any dns operations if there is local configuration admin: fallback to kerberos.REALM 524: fallback to kdcs kpasswd: fallback to admin add some comments * configure.in: remove initstate and setstate, they should be in cf/roken-frag.m4 * lib/krb5/Makefile.am (noinst_PROGRAMS): add krbhst-test * lib/krb5/krbhst-test.c: new program for testing krbhst * lib/krb5/krbhst.c (common_init): remove memory leak (main): move test program into krbhst-test 2001-06-17 Johan Danielsson * lib/krb5/krb5_krbhst_init.3: manpage * lib/krb5/krb5_get_krbhst.3: manpage 2001-06-16 Johan Danielsson * lib/krb5/krb5.h: add opaque krb5_krbhst_handle type * lib/krb5/krbhst.c: change void* to krb5_krbhst_handle * lib/krb5/krb5.h: types for new krbhst api * lib/krb5/krbhst.c: implement a new api that looks 
up one host at a time, instead of making a list of hosts 2001-06-09 Johan Danielsson * configure.in: test for initstate and setstate * lib/krb5/krbhst.c: remove rfc2052 support 2001-06-08 Johan Danielsson * fix some manpages for broken mdoc.old grog test 2001-05-28 Assar Westerlund * lib/krb5/krb5.conf.5: add [appdefaults] * lib/krb5/init_creds_pw.c: remove configuration reading that is now done in krb5_get_init_creds_opt_set_default_flags * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): add reading of libdefaults versions of these and add no_addresses * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear error string when preauth was required and we retry 2001-05-25 Assar Westerlund * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): call krb5_get_krb524hst * lib/krb5/krbhst.c (krb5_get_krb524hst): add and restructure the support functions 2001-05-22 Assar Westerlund * kdc/kerberos5.c (tgs_rep2): alloc and free csec and cusec properly 2001-05-17 Assar Westerlund * Release 0.3f 2001-05-17 Assar Westerlund * lib/krb5/Makefile.am: bump version to 16:0:0 * lib/hdb/Makefile.am: bump version to 7:1:0 * lib/asn1/Makefile.am: bump version to 5:0:0 * lib/krb5/keytab_krb4.c: add SRVTAB as an alias for krb4 * lib/krb5/codec.c: remove dead code 2001-05-17 Johan Danielsson * kdc/config.c: actually check the ticket addresses 2001-05-15 Assar Westerlund * lib/krb5/rd_error.c (krb5_error_from_rd_error): use correct parenthesis * lib/krb5/eai_to_heim_errno.c (krb5_eai_to_heim_errno): add `errno' (called system_error) to allow callers to make sure they pass the current and relevant value. 
update callers 2001-05-14 Johan Danielsson * lib/krb5/verify_user.c: krb5_verify_user_opt * lib/krb5/krb5.h: verify_opt * kdc/kerberos5.c: pass context to krb5_domain_x500_decode 2001-05-14 Assar Westerlund * kpasswd/kpasswdd.c: adapt to new address functions * kdc/kerberos5.c: adapt to changing address functions use LR_TYPE * kdc/connect.c: adapt to changing address functions * kdc/config.c: new krb5_config_parse_file * kdc/524.c: new krb5_sockaddr2address * lib/krb5/*: add some krb5_{set,clear}_error_string * lib/asn1/k5.asn1 (LR_TYPE): add * lib/asn1/Makefile.am (gen_files): add asn1_LR_TYPE.x 2001-05-11 Assar Westerlund * kdc/kerberos5.c (tsg_rep): fix typo in variable name * kpasswd/kpasswd-generator.c (nop_prompter): update prototype * lib/krb5/init_creds_pw.c: update to new prompter, use prompter types and send two prompts at once when changing password * lib/krb5/prompter_posix.c (krb5_prompter_posix): add name * lib/krb5/krb5.h (krb5_prompt): add type (krb5_prompter_fct): add name * lib/krb5/cache.c (krb5_cc_next_cred): transpose last two parameters to krb5_cc_next_cred (as MIT does, and not as they document). From "Jacques A. Vidrine" 2001-05-11 Johan Danielsson * lib/krb5/Makefile.am: store-test * lib/krb5/store-test.c: simple bit storage test * lib/krb5/store.c: add more byteorder storage flags * lib/krb5/krb5.h: add more byteorder storage flags * kdc/kerberos5.c: don't use NULL where we mean 0 * kdc/kerberos5.c: put referral test code in separate function, and test for KRB5_NT_SRV_INST 2001-05-10 Assar Westerlund * admin/list.c (do_list): do not close the keytab if opening it failed * admin/list.c (do_list): always print complete names. print everything to stdout. * admin/list.c: print both v5 and v4 list by default * admin/remove.c (kt_remove): reorganize some. open the keytab (defaulting to the modify one). * admin/purge.c (kt_purge): reorganize some. open the keytab (defaulting to the modify one). 
correct usage strings * admin/list.c (kt_list): reorganize some. open the keytab * admin/get.c (kt_get): reorganize some. open the keytab (defaulting to the modify one) * admin/copy.c (kt_copy): default to modify key name. re-organise * admin/change.c (kt_change): reorganize some. open the keytab (defaulting to the modify one) * admin/add.c (kt_add): reorganize some. open the keytab (defaulting to the modify one) * admin/ktutil.c (main): do not open the keytab, let every sub-function handle it * kdc/config.c (configure): call free_getarg_strings * lib/krb5/get_in_tkt.c (krb5_get_in_cred): set error strings for a few more errors * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): make `use_dns' parameter boolean * lib/krb5/krb5.h (krb5_context_data): add default_keytab_modify * lib/krb5/context.c (init_context_from_config_file): set default_keytab_modify * lib/krb5/krb5_locl.h (KEYTAB_DEFAULT): change to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab (KEYTAB_DEFAULT_MODIFY): add * lib/krb5/keytab.c (krb5_kt_default_modify_name): add (krb5_kt_resolve): set error string for failed keytab type 2001-05-08 Assar Westerlund * lib/krb5/crypto.c (encryption_type): make field names more consistent (create_checksum): separate usage and type (krb5_create_checksum): add a separate type parameter (encrypt_internal): only free once on mismatched checksum length * lib/krb5/send_to_kdc.c (krb5_sendto_kdc2): try to tell what realm we didn't manage to reach any KDC for in the error string * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): free the entire subkey. 
from 2001-05-07 Johan Danielsson * lib/krb5/keytab_keyfile.c (akf_start_seq_get): return KT_NOTFOUND if the file is empty 2001-05-07 Assar Westerlund * lib/krb5/fcache.c: call krb5_set_error_string when open fails fatally * lib/krb5/keytab_file.c: call krb5_set_error_string when open fails fatally * lib/krb5/warn.c (_warnerr): print error_string in context in preference to error string derived from error code * kuser/kinit.c (main): try to print the error string * lib/krb5/get_in_tkt.c (krb5_get_in_cred): set some sensible error strings for errors * lib/krb5/krb5.h (krb5_context_data): add error_string and error_buf * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add error_string.c * lib/krb5/error_string.c: new file 2001-05-02 Johan Danielsson * lib/krb5/time.c: krb5_string_to_deltat * lib/krb5/sock_principal.c: one less data copy * lib/krb5/eai_to_heim_errno.c: conversion function for h_errno's * lib/krb5/get_default_principal.c: change this slightly * lib/krb5/crypto.c: make checksum_types into an array of pointers * lib/krb5/convert_creds.c: make sure we always use a des-cbc-crc ticket 2001-04-29 Assar Westerlund * kdc/kerberos5.c (tgs_rep2): return a reference to a krbtgt for the right realm if we fail to find a non-krbtgt service in the database and the second component does a successful non-dns lookup to get the real realm (which has to be different from the originally-supplied realm). 
this should help windows 2000 clients that always start their lookups in `their' realm and do not have any idea of how to map hostnames into realms * kdc/kerberos5.c (is_krbtgt): rename to get_krbtgt_realm 2001-04-27 Johan Danielsson * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): add extra parameter to request use of dns or not 2001-04-25 Assar Westerlund * admin/get.c (kt_get): allow specification of encryption types * lib/krb5/verify_init.c (krb5_verify_init_creds): do not try to close an unopened ccache, noted by * lib/krb5/krb5.h (krb5_any_ops): add declaration * lib/krb5/context.c (init_context_from_config_file): register krb5_any_ops * lib/krb5/keytab_any.c: new file, implementing union of keytabs * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_any.c * lib/krb5/init_creds_pw.c (get_init_creds_common): handle options == NULL. noted by 2001-04-19 Johan Danielsson * lib/krb5/rd_cred.c: set ret_creds to NULL before doing anything else, from Jacques Vidrine 2001-04-18 Johan Danielsson * lib/hdb/libasn1.h: asn1.h -> krb5_asn1.h * lib/asn1/Makefile.am: add asn1_ENCTYPE.x * lib/krb5/krb5.h: adapt to asn1 changes * lib/asn1/k5.asn1: move enctypes here * lib/asn1/libasn1.h: rename asn1.h to krb5_asn1.h to avoid conflicts * lib/asn1/Makefile.am: rename asn1.h to krb5_asn1.h to avoid conflicts * lib/asn1/lex.l: use strtol to parse constants 2001-04-06 Johan Danielsson * kuser/kinit.c: add simple support for running commands 2001-03-26 Assar Westerlund * lib/hdb/hdb-ldap.c: change order of includes to allow it to work with more versions of openldap * kdc/kerberos5.c (tgs_rep2): try to set sec and usec in error replies (*): update callers of krb5_km_error (check_tgs_flags): handle renews requesting non-renewable tickets * lib/krb5/mk_error.c (krb5_mk_error): allow specifying both ctime and cusec * lib/krb5/krb5.h (krb5_checksum, krb5_keyusage): add compatibility names * lib/krb5/crypto.c (create_checksum): change so that `type == 0' means pick from the 
`crypto' (context) and otherwise use that type. this is not a large change in practice and allows callers to specify the exact checksum algorithm to use 2001-03-13 Assar Westerlund * lib/krb5/get_cred.c (get_cred_kdc): add support for falling back to KRB5_KU_AP_REQ_AUTH when KRB5_KU_TGS_REQ_AUTH gives `bad integrity'. this helps for talking to old (pre 0.3d) KDCs 2001-03-12 Assar Westerlund * lib/krb5/crypto.c (krb5_derive_key): new function, used by derived-key-test.c * lib/krb5/string-to-key-test.c: add new test vectors posted by Ken Raeburn in to ietf-krb-wg@anl.gov * lib/krb5/n-fold-test.c: more test vectors from same source * lib/krb5/derived-key-test.c: more tests from same source 2001-03-06 Assar Westerlund * acconfig.h: include roken_rename.h when appropriate 2001-03-06 Assar Westerlund * lib/krb5/krb5.h (krb5_enctype): remove trailing comma 2001-03-04 Assar Westerlund * lib/krb5/krb5.h (krb5_enctype): add ENCTYPE_* aliases for compatibility with MIT krb5 2001-03-02 Assar Westerlund * kuser/kinit.c (main): only request a renewable ticket when explicitly requested. it still gets a renewable one if the renew life is specified * kuser/kinit.c (renew_validate): treat -1 as flags not being set 2001-02-28 Johan Danielsson * lib/krb5/context.c (krb5_init_ets): use krb5_add_et_list 2001-02-27 Johan Danielsson * lib/krb5/get_cred.c: implement krb5_get_cred_from_kdc_opt 2001-02-25 Assar Westerlund * configure.in: do not use -R when testing for des functions 2001-02-14 Assar Westerlund * configure.in: test for lber.h when trying to link against openldap to handle openldap v1, from Sumit Bose 2001-02-19 Assar Westerlund * lib/asn1/libasn1.h: add string.h (for memset) 2001-02-15 Assar Westerlund * lib/krb5/warn.c (_warnerr): add printf attributes * lib/krb5/send_to_kdc.c (krb5_sendto): loop over all address returned by getaddrinfo before trying the next kdc. 
from thorpej@netbsd.org * lib/krb5/krb5.conf.5: fix default_realm in example * kdc/connect.c: fix a few kdc_log format types * configure.in: try to handle libdes/libcrypto not requiring -L 2001-02-10 Assar Westerlund * lib/asn1/gen_decode.c (generate_type_decode): zero the data at the beginning of the generated function, and add a label `fail' that the code jumps to in case of errors that frees all allocated data 2001-02-07 Assar Westerlund * configure.in: aix dce: fix misquotes, from Ake Sandgren * configure.in (dpagaix_LDFLAGS): try to add export file 2001-02-05 Assar Westerlund * lib/krb5/krb5_keytab.3: new man page, contributed by * kdc/kaserver.c: update to new db_fetch4 2001-02-05 Assar Westerlund * Release 0.3e 2001-01-30 Assar Westerlund * kdc/hprop.c (v4_get_masterkey): check kdb_verify_master_key properly (kdb_prop): decrypt key properly * kdc/hprop.c: handle building with KRB4 always try to decrypt v4 data with the master key leave it up to the v5 how to encrypt with that master key * kdc/kstash.c: include file name in error messages * kdc/hprop.c: fix a typo and check some more return values * lib/hdb/hdb-ldap.c (LDAP__lookup_princ): call ldap_search_s correctly. From Jacques Vidrine * kdc/misc.c (db_fetch): HDB_ERR_NOENTRY makes more sense than ENOENT * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 15:0:0 * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:0:0 * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 4:0:2 * kdc/misc.c (db_fetch): return an error code. change callers to look at this and try to print it in log messages * lib/krb5/crypto.c (decrypt_internal_derived): check that there's enough data 2001-01-29 Assar Westerlund * kdc/hprop.c (realm_buf): move it so it becomes properly conditional on KRB4 * lib/hdb/mkey.c (hdb_unseal_keys_mkey, hdb_seal_keys_mkey, hdb_unseal_keys, hdb_seal_keys): check that we have the correct master key and that we manage to decrypt the key properly, returning an error code. 
fix all callers to check return value. * tools/krb5-config.in: use @LIB_des_appl@ * tools/Makefile.am (krb5-config): add LIB_des_appl * configure.in (LIB_des): set correctly (LIB_des_appl): add for the use by krb5-config.in * lib/krb5/store_fd.c (fd_fetch, fd_store): use net_{read,write} to make sure of not dropping data when doing it over a socket. (this might break when used with ordinary files on win32) * lib/hdb/hdb_err.et (NO_MKEY): add * kdc/kerberos5.c (as_rep): be paranoid and check krb5_enctype_to_string for failure, noted by * lib/krb5/krb5_init_context.3, lib/krb5/krb5_context.3, lib/krb5/krb5_auth_context.3: add new man pages, contributed by * use the openssl api for md4/md5/sha and handle openssl/*.h * kdc/kaserver.c (do_getticket): check length of ticket. noted by 2001-01-28 Assar Westerlund * configure.in: send -R instead of -rpath to libtool to set runtime library paths * lib/krb5/Makefile.am: remove all dependencies on libkrb 2001-01-27 Assar Westerlund * appl/rcp: add port of bsd rcp changed to use existing rsh, contributed by Richard Nyberg 2001-01-27 Johan Danielsson * lib/krb5/get_port.c: don't warn if the port name can't be found, nobody cares anyway 2001-01-26 Johan Danielsson * kdc/hprop.c: make it possible to convert a v4 dump file without having any v4 libraries; the kdb backend still require them * kdc/v4_dump.c: include shadow definition of kdb Principal, so we don't have to depend on any v4 libraries * kdc/hprop.h: include shadow definition of kdb Principal, so we don't have to depend on any v4 libraries * lib/hdb/print.c: reduce number of memory allocations * lib/hdb/mkey.c: add support for reading krb4 /.k files 2001-01-19 Assar Westerlund * lib/krb5/krb5.conf.5: document admin_server and kpasswd_server for realms document capath better * lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): preferably look at kpasswd_server before admin_server * lib/krb5/get_cred.c (get_cred_from_kdc_flags): look in [libdefaults]capath for better hint of 
realm to send request to. this allows the client to specify `realm routing information' in case it cannot be done at the server (which is preferred) * lib/krb5/rd_priv.c (krb5_rd_priv): handle no sequence number as zero when we were expecting a sequence number. MIT krb5 cannot generate a sequence number of zero, instead generating no sequence number * lib/krb5/rd_safe.c (krb5_rd_safe): dito 2001-01-11 Assar Westerlund * kpasswd/kpasswdd.c: add --port option 2001-01-10 Assar Westerlund * lib/krb5/appdefault.c (krb5_appdefault_string): fix condition just before returning 2001-01-09 Assar Westerlund * appl/kf/kfd.c (proto): use krb5_rd_cred2 instead of krb5_rd_cred 2001-01-05 Johan Danielsson * kuser/kinit.c: call a time `time', and not `seconds' * lib/krb5/init_creds.c: not much point in setting the anonymous flag here * lib/krb5/krb5_appdefault.3: document appdefault_time 2001-01-04 Johan Danielsson * lib/krb5/verify_user.c: use krb5_get_init_creds_opt_set_default_flags * kuser/kinit.c: use krb5_get_init_creds_opt_set_default_flags * lib/krb5/init_creds.c: new function krb5_get_init_creds_opt_set_default_flags to set options from krb5.conf * lib/krb5/rd_cred.c: make this match the MIT function * lib/krb5/appdefault.c (krb5_appdefault_string): handle NULL def_val (krb5_appdefault_time): new function 2001-01-03 Assar Westerlund * kdc/hpropd.c (main): handle EOF when reading from stdin heimdal-1.7~git20150920+dfsg/ChangeLog.2002000066400000000000000000000513441257755311500176060ustar00rootroot000000000000002002-12-19 Johan Danielsson * lib/krb5/mk_rep.c: free allocated storage; reported by Howard Chu 2002-12-08 Johan Danielsson * kdc/kdc_locl.h: remove old encrypt_v4_ticket prototype 2002-12-02 Johan Danielsson * kpasswd/kpasswdd.c (doit): initialise sa_size to size of sockaddr_storage * kdc/connect.c (init_socket): initialise sa_size to size of sockaddr_storage 2002-11-15 Johan Danielsson * lib/krb5/krb5.h: remove trailing comma in enum 2002-11-07 Johan Danielsson * 
kdc/524.c: implement crude b2 style (non-)conversion for use with afs * kdc/kerberos4.c: move encrypt_v4_ticket to 524.c, since that's where it's used 2002-10-21 Johan Danielsson * lib/krb5/keytab_keyfile.c: more strcspn * lib/krb5/store_emem.c (emem_store): limit how much we allocate (from Olaf Kirch) * lib/krb5/principal.c: don't allow trailing backslashes in components * kdc/connect.c: check that %-quotes are followed by two hex digits * lib/krb5/keytab_any.c: properly close the open keytabs (from Larry Greenfield) * kdc/kaserver.c: make sure life is positive (from John Godehn) 2002-10-17 Johan Danielsson * kuser/klist.c (display_tokens): allow tokens up to size of buffer (from Magnus Holmberg) 2002-09-29 Johan Danielsson * lib/krb5/changepw.c (process_reply): fix reply length check calculation (reported by various people) 2002-09-24 Johan Danielsson * lib/krb5/keytab_file.c (fkt_remove_entry): check return value from start_seq_get (from Wynn Wilkes) 2002-09-19 Johan Danielsson * lib/krb5/context.c (krb5_set_config_files): return ENXIO instead of ENOENT when "unconfigured" 2002-09-16 Jacques Vidrine * lib/krb5/kuserok.c, lib/krb5/prompter_posix.c: use strcspn to convert the newline to NUL in fgets results. 
2002-09-13 Johan Danielsson * kuser/kinit.1: remove unneeded Ns * lib/krb5/krb5_appdefault.3: remove extra "application" * fix-export: remove autom4ate.cache 2002-09-10 Johan Danielsson * include/make_crypto.c: don't use function macros if possible * lib/krb5/krb5_locl.h: get limits.h for UINT_MAX * include/Makefile.am: use make_crypto to create crypto-headers.h * include/make_crypto.c: crypto header generation tool * configure.in: move crypto test to just after testing for krb4, and move roken tests to after both, this speeds up various failure cases with krb4 * lib/krb5/config_file.c: don't use NULL when we mean 0 * configure.in: we don't set package_libdir anymore, so no point in testing for it * tools/Makefile.am: subst INCLUDE_des * tools/krb5-config.in: add INCLUDE_des to cflags * configure.in: use AC_CONFIG_SRCDIR * fix-export: remove some unneeded stuff * kuser/kinit.c (do_524init): free principals 2002-09-09 Jacques Vidrine * kdc/kerberos5.c (get_pa_etype_info, fix_transited_encoding), kdc/kaserver.c (krb5_ret_xdr_data), lib/krb5/transited.c (krb5_domain_x500_decode): Validate some counts: Check that they are non-negative, and that they are small enough to avoid integer overflow when used in memory allocation calculations. Potential problem areas pointed out by Sebastian Krahmer . * lib/krb5/keytab_keyfile.c (akf_add_entry): Use O_EXCL when creating a new keyfile. 
2002-09-09 Johan Danielsson * configure.in: don't try to build pam module 2002-09-05 Johan Danielsson * appl/kf/kf.c: fix warning string * lib/krb5/log.c (krb5_vlog_msg): delay message formatting till we know we need it 2002-09-04 Assar Westerlund * kdc/kerberos5.c (encode_reply): correct error logging 2002-09-04 Johan Danielsson * lib/krb5/sendauth.c: close ccache if we opened it * appl/kf/kf.c: handle new protocol * appl/kf/kfd.c: use krb5_err instead of syslogging directly, handle the new protocol, and bail out if an old client tries to connect * appl/kf/kf_locl.h: we need a protocol version string * lib/hdb/hdb-ldap.c: use ASN1_MALLOC_ENCODE * kdc/kerberos5.c: use ASN1_MALLOC_ENCODE * kdc/hprop.c: set AP_OPTS_USE_SUBKEY * lib/hdb/common.c: use ASN1_MALLOC_ENCODE * lib/asn1/gen.c: add convenience macro that allocates a buffer and encodes into that * lib/krb5/get_cred.c (init_tgs_req): use in_creds->session.keytype literally instead of trying to convert to a list of enctypes (it should already be an enctype) * lib/krb5/get_cred.c (init_tgs_req): init ret 2002-09-03 Johan Danielsson * lib/asn1/k5.asn1: remove ETYPE_DES3_CBC_NONE_IVEC * lib/krb5/krb5.h: remove ENCTYPE_DES3_CBC_NONE_IVEC * lib/krb5/crypto.c: get rid of DES3_CBC_encrypt_ivec, just use zero ivec in DES3_CBC_encrypt if passed ivec is NULL * lib/krb5/Makefile.am: back out 1.144, since it will re-create krb5-protos.h at build-time, which requires perl, which is bad * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't blindly use the local subkey * lib/krb5/crypto.c: add function krb5_crypto_getblocksize that extracts the required blocksize from a crypto context * lib/krb5/build_auth.c: just get the length of the encoded authenticator instead of trying to grow a buffer 2002-09-03 Assar Westerlund * configure.in: add --disable-mmap option, and tests for sys/mman.h and mmap 2002-09-03 Jacques Vidrine * lib/krb5/changepw.c: verify lengths in response * lib/asn1/der_get.c (decode_integer, 
decode_unsigned): check for truncated integers 2002-09-02 Johan Danielsson * lib/krb5/mk_req_ext.c: generate a local subkey if AP_OPTS_USE_SUBKEY is set * lib/krb5/build_auth.c: we don't have enough information about whether to generate a local subkey here, so don't try to * lib/krb5/auth_context.c: new function krb5_auth_con_generatelocalsubkey * lib/krb5/get_in_tkt.c: only set kdc_sec_offset if looking at an initial ticket * lib/krb5/context.c (init_context_from_config_file): simplify initialisation of srv_lookup * lib/krb5/changepw.c (send_request): set AP_OPTS_USE_SUBKEY * lib/krb5/krb5.h: add AP_OPTS_USE_SUBKEY 2002-08-30 Assar Westerlund * lib/krb5/name-45-test.c: also test krb5_524_conv_principal * lib/krb5/Makefile.am (TESTS): add name-45-test * lib/krb5/name-45-test.c: add testcases for krb5_425_conv_principal 2002-08-29 Assar Westerlund * lib/krb5/parse-name-test.c: also test unparse_short functions * lib/asn1/asn1_print.c: use com_err/error_message API * lib/krb5/Makefile.am: add parse-name-test * lib/krb5/parse-name-test.c: add a program for testing parsing and unparsing principal names 2002-08-28 Assar Westerlund * kdc/config.c: add missing ifdef DAEMON 2002-08-28 Johan Danielsson * configure.in: use rk_SUNOS * kdc/config.c: add detach options * kdc/main.c: maybe detach from console? 
* kdc/kdc.8: markup changes * configure.in: AC_TEST_PACKAGE_NEW -> rk_TEST_PACKAGE * configure.in: use rk_TELNET, rename some other macros, and don't add -ldes to krb4 link command * kuser/kinit.1: whitespace fix (from NetBSD) * include/bits.c: we may need unistd.h for ssize_t 2002-08-26 Assar Westerlund * lib/krb5/principal.c (krb5_425_conv_principal_ext): lookup AAAA rrs before A ones when using the resolver to verify a mapping, also use getaddrinfo when resolver is not available * lib/hdb/keytab.c (find_db): const-correctness in parameters to krb5_config_get_next * lib/asn1/gen.c: include in the generated files (for memset) 2002-08-22 Assar Westerlund * lib/krb5/test_get_addrs.c, lib/krb5/krbhst-test.c: make it use getarg so that it can handle --help and --version (and thus make check can pass) * lib/asn1/check-der.c: make this build again 2002-08-22 Assar Westerlund * lib/asn1/der_get.c (der_get_int): handle len == 0. based on a patch from Love 2002-08-22 Johan Danielsson * lib/krb5/krb5.h: we seem to call KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED, so define the former to the latter * kdc/kdc.8: add blurb about adding and removing addresses; update kdc.conf section to match reality * configure.in: KRB_SENDAUTH_VLEN seems to always have existed, so don't define it 2002-08-21 Assar Westerlund * lib/asn1/asn1_print.c: print OIDs too, based on a patch from Love 2002-08-21 Johan Danielsson * kuser/kinit.c (do_v4_fallback): don't use krb_get_pw_in_tkt2 since it might not exist, and we don't actually care about the key 2002-08-20 Johan Danielsson * lib/krb5/krb5.conf.5: correct documentation for verify_ap_req_nofail * lib/krb5/log.c: rename syslog_data to avoid name conflicts (from Mattias Amnefelt) * kuser/klist.c (display_tokens): increase token buffer size, and add more checks of the kernel data (from Love) 2002-08-19 Johan Danielsson * fix-export: use make to parse Makefile.am instead of perl * configure.in: use argument-less AM_INIT_AUTOMAKE, now that it groks 
AC_INIT with package name etc. * kpasswd/kpasswdd.c: include * lib/asn1/asn1_print.c: include com_right.h * lib/krb5/addr_families.c: socklen_t -> krb5_socklen_t * include/bits.c: define krb5_socklen_t type; this should really go someplace else, but this was easy * lib/krb5/verify_krb5_conf.c: don't bail out if parsing of a file fails, just warn about it * kdc/log.c (kdc_openlog): no need for a config_file parameter * kdc/config.c: just treat kdc.conf like any other config file * lib/krb5/context.c (krb5_get_default_config_files): ignore duplicate files 2002-08-16 Johan Danielsson * lib/krb5/krb5.h: turn strings into pointers, so we can assign to them * lib/krb5/constants.c: turn strings into pointers, so we can assign to them * lib/krb5/get_addrs.c (get_addrs_int): initialise res if SCAN_INTERFACES is not set * lib/krb5/context.c: fix various borked stuff in previous commits 2002-08-16 Jacques Vidrine * lib/krb5/krbhst.c (kpasswd_get_next): if we fall back to using the `admin_server' entry for kpasswd, override the `proto' result to be UDP. 
2002-08-15 Johan Danielsson * lib/krb5/auth_context.c: check return value of krb5_sockaddr2address * lib/krb5/addr_families.c: check return value of krb5_sockaddr2address * lib/krb5/context.c: get the default keytab from KRB5_KTNAME 2002-08-14 Johan Danielsson * lib/krb5/verify_krb5_conf.c: allow parsing of more than one file * lib/krb5/context.c: allow changing config files with the function krb5_set_config_files, there are also related functions krb5_get_default_config_files and krb5_free_config_files; these should work similar to their MIT counterparts * lib/krb5/config_file.c: allow the use of more than one config file by using the new function krb5_config_parse_file_multi 2002-08-12 Johan Danielsson * use sysconfdir instead of /etc * configure.in: require autoconf 2.53; rename dpagaix_LDFLAGS etc to appease automake; force sysconfdir and localstatedir to /etc and /var/heimdal for now * kdc/connect.c (addr_to_string): check return value of sockaddr2address 2002-08-09 Johan Danielsson * lib/krb5/rd_cred.c: if the remote address isn't an addrport, don't try comparing to one; this should make old clients work with new servers * lib/asn1/gen_decode.c: remove unused variable 2002-07-31 Johan Danielsson * kdc/{kerberos5,524}.c: ENOENT -> HDB_ERR_NOENTRY (from Derrick Brashear) * lib/krb5/principal.c: actually lower case the lower case instance name (spotted by Derrick Brashear) 2002-07-24 Johan Danielsson * fix-export: if DATEDVERSION is set, change the version to current date * configure.in: don't use AC_PROG_RANLIB, and use magic foo to set LTLIBOBJS 2002-07-04 Johan Danielsson * kdc/connect.c: add some cache-control-foo to the http responses (from Gombas Gabor) * lib/krb5/addr_families.c (krb5_print_address): don't copy size if ret_len == NULL 2002-06-28 Johan Danielsson * kuser/klist.c (display_tokens): don't bail out before we get EDOM (signaling the end of the tokens), the kernel can also return ENOTCONN, meaning that the index does not exist anymore (for 
example if the token has expired) 2002-06-06 Johan Danielsson * lib/krb5/changepw.c: make sure we return an error if there are no changepw hosts found; from Wynn Wilkes 2002-05-29 Johan Danielsson * lib/krb5/cache.c (krb5_cc_register): break out of loop when the same type is found; spotted by Wynn Wilkes 2002-05-28 Johan Danielsson * lib/krb5/keytab_file.c: check size of entry before trying to read 32-bit kvno; also fix typo in previous 2002-05-24 Johan Danielsson * include/Makefile.am: only add to INCLUDES * lib/45/mk_req.c: fix for storage change * lib/hdb/print.c: fix for storage change 2002-05-15 Johan Danielsson * kdc/kerberos5.c: don't free encrypted padata until we're really done with it 2002-05-07 Johan Danielsson * kdc/kerberos5.c: when decrypting pa-data, try all keys matching enctype * kuser/kinit.1: document -a * kuser/kinit.c: add command line switch for extra addresses 2002-04-30 Johan Danielsson * configure.in: remove some duplicate tests * configure.in: use AC_HELP_STRING 2002-04-29 Johan Danielsson * lib/krb5/crypto.c (usage2arcfour): don't abort if the usage is unknown 2002-04-25 Johan Danielsson * configure.in: use rk_DESTDIRS 2002-04-22 Johan Danielsson * lib/krb5/krb5_verify_user.3: make it clear that _lrealm modifies the principal 2002-04-19 Johan Danielsson * lib/krb5/verify_init.c: fix typo in error string 2002-04-18 Johan Danielsson * acconfig.h: remove some stuff that is defined elsewhere * lib/krb5/krb5_locl.h: include * lib/krb5/acl.c: rename acl_string parameter * lib/krb5/Makefile.am: remove __P from protos, and put parameter names in comments * kuser/klist.c: better align some headers * kdc/kerberos4.c: storage tweaks * kdc/kaserver.c: storage tweaks * kdc/524.c: storage tweaks * lib/krb5/keytab_krb4.c: storage tweaks * lib/krb5/keytab_keyfile.c: storage tweaks * lib/krb5/keytab_file.c: storage tweaks; also try to handle zero sized keytab files * lib/krb5/keytab_any.c: use KRB5_KT_END instead of KRB5_CC_END * lib/krb5/fcache.c: 
storage tweaks * lib/krb5/store_mem.c: make the krb5_storage opaque, and add function wrappers for store/fetch/seek, and also make the eof-code configurable * lib/krb5/store_fd.c: make the krb5_storage opaque, and add function wrappers for store/fetch/seek, and also make the eof-code configurable * lib/krb5/store_emem.c: make the krb5_storage opaque, and add function wrappers for store/fetch/seek, and also make the eof-code configurable * lib/krb5/store.c: make the krb5_storage opaque, and add function wrappers for store/fetch/seek, and also make the eof-code configurable * lib/krb5/store-int.h: make the krb5_storage opaque, and add function wrappers for store/fetch/seek, and also make the eof-code configurable * lib/krb5/krb5.h: make the krb5_storage opaque, and add function wrappers for store/fetch/seek, and also make the eof-code configurable * include/bits.c: include to get socklen_t * kdc/kerberos5.c (get_pa_etype_info): sort ETYPE-INFOs by requested KDC-REQ etypes * kdc/hpropd.c: constify * kdc/hprop.c: constify * kdc/string2key.c: constify * kdc/kdc_locl.h: make port_str const * kdc/config.c: constify * lib/krb5/config_file.c: constify * kdc/kstash.c: constify * lib/krb5/verify_user.c: remove unnecessary cast * lib/krb5/recvauth.c: constify * lib/krb5/principal.c (krb5_parse_name): const qualify * lib/krb5/mcache.c (mcc_get_name): constify return type * lib/krb5/context.c (krb5_free_context): don't try to free the ccache prefix * lib/krb5/cache.c (krb5_cc_register): don't make a copy of the prefix * lib/krb5/krb5.h: constify some struct members * lib/krb5/log.c: constify * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): const qualify * lib/krb5/get_in_tkt.c (krb5_init_etype): constify * lib/krb5/crypto.c: constify some * lib/krb5/config_file.c: constify * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): constify local variable * lib/krb5/addr_families.c (ipv4_sockaddr2port): constify 2002-04-17 Johan Danielsson * lib/krb5/verify_krb5_conf.c: 
add some log checking * lib/krb5/log.c (krb5_addlog_dest): reorganise syslog parsing 2002-04-16 Johan Danielsson * lib/krb5/crypto.c (krb5_crypto_init): check that the key size matches the expected length 2002-03-27 Johan Danielsson * lib/krb5/send_to_kdc.c: rename send parameter to send_data * lib/krb5/mk_error.c: rename ctime parameter to client_time 2002-03-22 Johan Danielsson * kdc/kerberos5.c (find_etype): unsigned -> krb5_enctype (from Reinoud Zandijk) 2002-03-18 Johan Danielsson * lib/asn1/k5.asn1: add the GSS-API checksum type here 2002-03-11 Assar Westerlund * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 18:3:1 * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:5:0 * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 6:0:0 2002-03-10 Assar Westerlund * lib/krb5/rd_cred.c: handle addresses with port numbers * lib/krb5/keytab_file.c, lib/krb5/keytab.c: store the kvno % 256 as the byte and the complete 32 bit kvno after the end of the current keytab entry * lib/krb5/init_creds_pw.c: handle LR_PW_EXPTIME and LR_ACCT_EXPTIME in the same way * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): handle ports giving for the remote address * lib/krb5/get_cred.c: get a ticket with no addresses if no-addresses is set * lib/krb5/crypto.c: rename functions DES_* to krb5_* to avoid colliding with modern openssl * lib/krb5/addr_families.c: make all functions taking 'struct sockaddr' actually take a socklen_t instead of int and that acts as an in-out parameter (indicating the maximum length of the sockaddr to be written) * kdc/kerberos4.c: make the kvno's in the krb4 universe by the real one % 256, since they cannot only be 8 bit, and the v5 ones are actually 32 bits 2002-02-15 Johan Danielsson * lib/krb5/keytab_keyfile.c (akf_add_entry): don't create the file before we need to write to it (from Åke Sandgren) 2002-02-14 Johan Danielsson * configure.in: rk_RETSIGTYPE and rk_BROKEN_REALLOC are called via rk_ROKEN (from Gombas Gabor); find 
inttypes by CHECK_TYPES directly * lib/krb5/rd_safe.c: actually use the correct key (from Daniel Kouril) 2002-02-12 Johan Danielsson * lib/krb5/context.c (krb5_get_err_text): protect against NULL context 2002-02-11 Johan Danielsson * admin/ktutil.c: no need to use the "modify" keytab anymore * lib/krb5/keytab_any.c: implement add and remove * lib/krb5/keytab_krb4.c: implement add and remove * lib/krb5/store_emem.c (emem_free): clear memory before freeing (this should perhaps be selectable with a flag) 2002-02-04 Johan Danielsson * kdc/config.c (get_dbinfo): if there are database specifications in the config file, don't automatically try to use the default values (from Gombas Gabor) * lib/krb5/log.c (krb5_closelog): don't pass pointer to pointer (from Gombas Gabor) 2002-01-30 Johan Danielsson * admin/list.c: get the default keytab from krb5.conf, and list all parts of an ANY type keytab * lib/krb5/context.c: default default_keytab_modify to NULL * lib/krb5/keytab.c (krb5_kt_default_modify_name): if no modify name is specified take it from the first component of the default keytab name 2002-01-29 Johan Danielsson * lib/krb5/keytab.c: compare keytab types case insensitively 2002-01-07 Assar Westerlund * lib/krb5/crypto.c (create_checksum): make usage `unsigned' (it's not really a krb5_key_usage). From Ben Harris * lib/krb5/get_in_tkt.c: use krb5_enctype consistently. From Ben Harris * lib/krb5/crypto.c: use krb5_enctype consistently. From Ben Harris * kdc/kerberos5.c: use krb5_enctype consistently. 
From Ben Harris heimdal-1.7~git20150920+dfsg/ChangeLog.2003000066400000000000000000001555561257755311500176210ustar00rootroot000000000000002003-12-19 Love Hörnquist Åstrand * lib/krb5/error_string.c: protect error_string with mutex * lib/krb5/context.c: allocate and destroy mutex in krb5_context * lib/krb5/krb5.h (krb5_context_data): add mutex for error_string 2003-12-18 Love Hörnquist Åstrand * kuser/kinit.c: make -9 work again 2003-12-17 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: try handle ts preauth better, still not good, but at least it work with older heimdal releases that doesn't send back KRB5KDC_ERR_PREAUTH_REQUIRED when preauth was sent 2003-12-16 Love Hörnquist Åstrand * lib/hdb/hdb.asn1: remove enforce-transited-policy, its no longer used 2003-12-11 Love Hörnquist Åstrand * lib/krb5/pkinit.c (_krb5_pk_create_sign): fill in NULL as parameters, required by CMS 2003-12-07 Love Hörnquist Åstrand * lib/krb5/get_in_tkt_with_keytab.c (krb5_get_in_tkt_with_keytab): avoid memory leak that snuck in when krb5_keytab_key_proc was exported, pointed out by Panases Inc * lib/krb5/keytab_file.c: do locking, found to be a problem for Panasas Inc * lib/krb5/fcache.c: internally export x{,un}lock and thus prefix them with _krb5_ * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded krb-cred * lib/krb5/krb5_auth_context.3: some text about krb5_auth_con_{add,remove}flags * lib/krb5/auth_context.c: add krb5_auth_con_addflags and krb5_auth_con_removeflags 2003-12-03 Love Hörnquist Åstrand * lib/krb5/crypto.c (decrypt_internal_derived): move up padsize to avoid memory leak 2003-12-02 Love Hörnquist Åstrand * lib/krb5/crypto.c: require cipher-text to be padded to padsize * lib/krb5/eai_to_heim_errno.c: EAI_ADDRFAMILY and EAI_NODATA is deprecated in RFC3493 * lib/krb5/verify_krb5_conf.c (check_host): don't check for EAI_NODATA, because its depricated in RFC3493 Pointed out by Hajimu UMEMOTO on 
heimdal-discuss 2003-12-01 Love Hörnquist Åstrand * lib/krb5/Makefile.am: move test_crypto to noinst_PROGRAMS * lib/krb5/test_crypto.c: add --version,--help * kuser/kinit.c (main): return the return value from simple_execvp 2003-11-26 Love Hörnquist Åstrand * kuser/kinit.c: don't use PKINIT DH per default since it's too slow * lib/krb5/pkinit.c: tweak to make pkinit work with the fact that asn1_compile can't generate code for context tagless optionals * kdc/pkinit.c: add support for KDC side of DH PKINIT * lib/krb5/pkinit.c: clean up error handling, make enc-type work again 2003-11-25 Love Hörnquist Åstrand * kuser/kinit.c: add flag to make it work with pkinit dh * lib/krb5/pkinit.c: make PKINIT DH support work 2003-11-24 Love Hörnquist Åstrand * lib/hdb/Makefile.am (LDADD): link with LIB_dlopen * kdc/pkinit.c: clean up * lib/krb5/krb5.h: make pkinit_win2k_compatible into a flag field * lib/krb5/pkinit.c: remove most compile dependencies, clean up * kdc/pkinit.c: print an error and turn off pkinit if openssl failed to load * kdc/config.c: read pkinit (pki-mumble) configuration options * kdc/kerberos5.c: add pkinit support * kdc/kdc_locl.h: add prototypes for pkinit * kdc/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I removed the dependency on valicert asn1 parser, remove smartcard and globus support (for now). 
Work to be done on this: DH support, Globus support, Smartcard support, windows support (MS implements -09 of the draft), make it conform to the new draft * lib/krb5/pkinit.c: fix bugs, improve error reporting 2003-11-23 Love Hörnquist Åstrand * kuser/kinit.c: add some "struct foo;" glue for pkinit structures that isn't used * lib/krb5/pkinit.c: clean up, make remove depenency on openssl's api * lib/krb5/krb5_locl.h: add some glue for pkinit add reference counter to _krb5_get_init_creds_opt_private * lib/krb5/init_creds.c: reference count krb5_get_init_creds_opt private component to avoid copy all the data in it * lib/krb5/crypto.c (AES_string_to_key): fix memory leak * lib/krb5/init_creds_pw.c (init_cred_loop): fix memory leak * lib/krb5/heim_threads.h: include pthread.h in the pthread case 2003-11-18 Love Hörnquist Åstrand * kpasswd/kpasswdd.c (main): parse kdc.conf From: Jeffrey Hutzelman 2003-11-15 Love Hörnquist Åstrand * lib/krb5/Makefile.am (TESTS): add test_crypto * lib/krb5/test_crypto.c: time crypto operations 2003-11-14 Love Hörnquist Åstrand * doc/init-creds: spelling, Bruno Rohee 2003-11-09 Love Hörnquist Åstrand * lib/krb5/rd_req.c (krb5_verify_ap_req2): krb5_free_ticket free the ticket now, rewrite error handling to handle that * kpasswd/kpasswdd.c (process): don't free ticket, krb5_free_ticket does that now * kdc/kerberos5.c (tgs_rep2): don't free ticket, krb5_free_ticket does that now * lib/krb5/ticket.c (krb5_free_ticket): free the ticket itself to match mit behavior, pointed out by Derrick Brashear * lib/krb5/krb5_ticket.3: krb5_free_ticket free the whole ticket 2003-11-08 Love Hörnquist Åstrand * lib/krb5/padata.c: add krb5_padata_add * lib/krb5/krb5.h: krb5_context_data.pkinit_win2k_compatible * lib/krb5/Makefile.am: add pkinit.c * kuser/kinit.c: add pkinit support * lib/krb5/init_creds_pw.c: add support for pkinit * lib/krb5/krb5_locl.h: add the opaque krb5_pk_init_ctx to _krb5_get_init_creds_opt_private * lib/krb5/pkinit.c: rename 
krb5_pk_init_openssl_ctx to krb5_pk_init_ctx fix win2k error handling * lib/krb5/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I removed the dependency on valicert asn1 parser, remove smartcard and globus support (for now). Work to be done on this: DH support, Globus support, Smartcard support, windows support (MS implements -09 of the draft), verify that it conforms the new draft 2003-11-07 Love Hörnquist Åstrand * lib/asn1/der_copy.c (copy_oid): copy all components 2003-10-27 Johan Danielsson * lib/krb5/krb5.conf.5: document capaths section 2003-10-22 Johan Danielsson * kdc/kerberos5.c: make sure that the server realm and the krbtgt second component are identical; get rpath from the capaths section * kdc/kerberos5.c: change logic for when to check transited policy to a tri-state model involving per principal flags (to be implemented) * kdc/kdc_locl.h: change enforce_transited_policy to a tri-state variable * kdc/config.c: change enforce_transited_policy to a tri-state variable 2003-10-22 Love Hörnquist Åstrand * lib/krb5/transited.c (krb5_domain_x500_encode): always zero out encoding to make sure it have a defined value on failure * lib/krb5/transited.c (krb5_domain_x500_encode): if num_realms ==0, set encoding and return (avoids malloc(0)), check return value for malloc 2003-10-21 Johan Danielsson * kdc/kerberos5.c (fix_transited_encoding): always print cross-realm information 2003-10-21 Love Hörnquist Åstrand * doc/setup.texi: spelling, From: Tracy Di Marco White * kdc/kerberos5.c (fix_transited_encoding): set transited type 2003-10-21 Johan Danielsson * kdc/kdc.8: document enforce-transited-policy * kdc/kerberos5.c: always check transited policy if flag set either globally or on principal * kdc/config.c: add flag to always check transited policy * lib/hdb/hdb.asn1: add flag to enforce transited policy 2003-10-21 Love Hörnquist Åstrand * lib/krb5/transited.c (krb5_domain_x500_decode): set *num_realms to zero not num_realms * kuser/kgetcred.1: add 
--no-transit-check * kuser/kgetcred.c: add --no-transit-check * doc/setup.texi: describe Transit policy 2003-10-20 Johan Danielsson * kdc/kerberos5.c (fix_transited_encoding): also verify with policy, unless asked not to * lib/krb5/rd_req.c (krb5_decrypt_ticket): try to verify transited realms, unless the transited-policy-checked flag is set * lib/krb5/transited.c (krb5_domain_x500_decode): handle zero length tr data; (krb5_check_transited): new function that does more useful stuff * lib/krb5/get_cred.c: get capath info from [capaths] section 2003-10-16 Johan Danielsson * lib/krb5/fcache.c: Sleep forever waiting for lock. Previous method doesn't work well with a large number of clients accessing the cache at the same time, and there is no simple way to add a timeout to the lock. 2003-10-13 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c: print the error value krb5_init_context failed with * lib/krb5/config_file.c (krb5_config_parse_file_debug): punt if there is a binding before a section declaration. Bug found by Arkadiusz Miskiewicz 2003-10-13 Johan Danielsson * lib/krb5/fcache.c (erase_file): revert a change in previous; if the ccache is a symlink, kdestroy should remove it * lib/krb5/fcache.c: implement locking 2003-10-12 Johan Danielsson * kuser/klist.c (print_tickets): bail out if krb5_cc_next_cred returns error other than KRB5_CC_END 2003-10-07 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: add some helper functions that are common between ENC_TS and SAM2, free the etype{,2}-infos on failure, move the pa counter into krb5_get_init_creds_ctx 2003-10-06 Love Hörnquist Åstrand * kdc/kaserver.c (do_getticket): if times data is shorter than 8 bytes, the request is malformed. * kdc/kaserver.c (do_authenticate): if request length is less than 8 bytes, it's a bad request and fail. 
Pointed out by Marco Foglia * lib/krb5/verify_krb5_conf.c: add flag --warn-mit-syntax that warns for mit syntax is used and just ignore the mit syntax when its used * lib/krb5/verify_krb5_conf.c: parse [kdc]use_2b and [gssapi] 2003-10-04 Love Hörnquist Åstrand * lib/asn1/lex.l: add BOOLEAN * lib/asn1/parse.y: add BOOLEAN 2003-10-03 Love Hörnquist Åstrand * kuser/kinit.c: When running kinit in "fork mode" do pagsh independent of krb4, also always do krb4 setup of cc. Always try to destroy the v4 cc. - add boolean --{,no-}request-pac that will request pac or not * kuser/klist.c (check_for_tgt): set client as part of the pattern/match cred * lib/krb5/convert_creds.c (_krb5_krb_dest_tkt): unlink v4 token (get_krb4_cc_name): move out from _krb5_krb_tf_setup (_krb5_krb_tf_setup): adapt to allocated filename instead of static filename * lib/krb5/krb5-v4compat.h: add _krb5_krb_dest_tkt and TKT_ROOT * lib/krb5/init_creds_pw.c (*) send PA_PAC_REQUEST when the user have requested either use PAC or not use PAC, if the option not set from the user, leave it up to the kdc to decide. 
(init_creds_loop): clear error string on success * lib/krb5/init_creds.c: add krb5_get_init_creds_opt_set_paq_request; break out common part of extended opt functions to require_ext_opt * lib/krb5/krb5_locl.h: add enum krb5_get_init_creds_req_pac and use it in struct _krb5_get_init_creds_opt_private * tools/kdc-log-analyze.pl: handle some more failure lines * doc/programming.texi: some differences between Heimdal and MIT Kerberos in the API * doc/setup.texi: add Setting up DNS * lib/krb5/rd_req.c (krb5_rd_req): always free keyblock since it's always used * lib/asn1/Makefile.am: add SAM types and PAC_REQUEST * lib/asn1/k5.asn1: add more preauth types, add PA-PAC-REQUEST * lib/asn1: add boolean support 2003-10-02 Love Hörnquist Åstrand * lib/krb5/changepw.c (setpw_send_request): free ap_req_data on failure 2003-09-30 Love Hörnquist Åstrand * appl/test/http_client.c (do_connect): use ai_protocol 0 * lib/krb5/init_creds_pw.c (init_cred_loop): handle KRB5KRB_ERR_RESPONSE_TOO_BIG and loop again, this time requesting LARGE_MSG from send to kdc, and if this is the second time bail out; try to free memory * lib/krb5/send_to_kdc.c (krb5_sendto_kdc_flags): new function; the other krb5_sendto_kdc* functions are then implemented on top of it. * lib/krb5/krbhst.c (krb5_krbhst_init_flags): new function, use it and adapt callers (krbhst_get_default_proto): new function, returns udp, or in case large_msg was requested for the krb5_krbhst_data, use tcp. 
(*): if the flag KD_LARGE_MSG was set on the krb5_krbhst_data, avoid using udp, use krbhst_get_default_proto * lib/krb5/krb5.h: flags for krb5_krbhst_init_flags (and krb5_send_to_kdc_flags) 2003-09-23 Love Hörnquist Åstrand * lib/krb5/rd_req.c (krb5_rd_req): if we have a keyblock in auth context, use that * appl/test/uu_client.c: print authorization data if there are any * lib/asn1/asn1_print.c: decode IA5Stringa and UTF8String 2003-09-21 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: use _krb5_get_init_creds_opt_copy * lib/krb5/init_creds.c: don't export krb5_get_init_creds_opt_copy * lib/hdb/Makefile.am: libhdb might depend on LIB_dlopen * kuser/kinit.c: don't get v4 tickets by default 2003-09-20 Love Hörnquist Åstrand * kpasswd/kpasswdd.c (process): remove a abort() * doc/win2k.texi: add some text about netdom.exe and trusts * TODO-1.0: gssapi rc4 done * kpasswd/kpasswdd.c: add support for Set password protocol as defined by RFC3244 -- Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols 2003-09-19 Love Hörnquist Åstrand * lib/hdb/db3.c: improve readability of ->open ifdef, check if version >= 4.1 * lib/krb5/init_creds.c (krb5_get_init_creds_opt_copy): add * lib/krb5/rd_req.c (krb5_rd_req): allow caller to pass in a key in the auth_context, they way processes that doesn't use the keytab can still pass in the key of the service (matches behavior of MIT Kerberos). 
2003-09-18 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: collect all init_creds context into a structure so it can be passed around more easily, also, while here, change nonce for every request * lib/krb5/get_in_tkt.c (init_as_req): don't realloc data before the loop, add_padata() will handle that itself * lib/krb5/get_for_creds.c (add_addrs): don't increase addr->len until it contains interesting data, use the right iteration counter when clearing the addresses * lib/krb5/log.c (log_realloc): increase len after realloc returns successfully 2003-09-12 Love Hörnquist Åstrand * lib/krb5/config_file.c: fix prototypes From: Fredrik Ljungberg 2003-09-10 Love Hörnquist Åstrand * appl/test/http_client.c: close socket when we are done, don't allow the server to restart gssapi negotiation * lib/hdb/hdb_locl.h: include for ULONG_MAX noted by Wissler Magnus on heimdal-discuss * appl/test/gssapi_client.c (proto): use select_mech * appl/test/http_client.c: use getarg * appl/test/gss_common.h: prototype for select_mech * appl/test/gss_common.c (select_mech): return the gss_OID from a mech name * appl/test/http_client.c: print both source and target * appl/test/Makefile.am: build http_client 2003-09-09 Love Hörnquist Åstrand * lib/asn1/asn1_print.c: add support for printing Enumerated * appl/test/gssapi_client.c: allow user to select mech; krb5, spnego, and no-oid * appl/test/test_locl.h: add mech * appl/test/common.c: add --mech,-m argument * appl/test/gssapi_server.c: print the mech that was used * kdc/kerberos5.c (only_older_enctype_p): check the request to see if the client only supports old enctypes; before, it used the database 2003-09-08 Love Hörnquist Åstrand * **/*.c: add context argument to krb5_get_init_creds_opt_alloc * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): add context argument * lib/krb5/krb5_get_init_creds.3: spelling 2003-09-04 Love Hörnquist Åstrand * lib/krb5/context.c (add_file): make len argument a pointer to an integer * lib/asn1/k5.asn1: add SAM types * 
lib/krb5/init_creds_pw.c: break out the encrypt timestamp preauth to its function break out the pa_data_to_key_plain to its own function make more variables const 2003-09-04 Johan Danielsson * lib/krb5/krb5.conf.5: document appdefaults/{forward,encrypt} 2003-09-03 Love Hörnquist Åstrand * lib/krb5/krb5.h: Add key usage for encryption of the SAM-NONCE-OR-SAD field. * include/make_crypto.c: include in the openssl case * kdc/hprop.h: use new DES_ api * lib/krb5/krb5-v4compat.h: assume session key is a char array of length 8 * lib/krb5/prompter_posix.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ * kuser/kinit.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ * kdc/string2key.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ * kdc/kstash.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ * admin/add.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ * lib/krb5/crypto.c: switch from the des_ to the DES_ api * kdc/hprop.c: use DES_KEY_SZ instead of sizeof(des_block) * kuser/kverify.c: use krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free * kpasswd/kpasswd-generator.c: use krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free * kdc/hprop.c: use krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free compare a uint32_t with 0xffffffff instead of -1 * lib/krb5/krb5_425_conv_principal.3: fix [Gt] * kuser/kinit.c: use krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): handle password passed in though context * lib/krb5/Makefile.am (TESTS): += test_config * lib/krb5/aes-test.c: move variable thats used within a #ifdef to be defined within that #ifdef * lib/krb5/data.c (krb5_data_free): reset whole krb5_data when freeing it * lib/krb5/keyblock.c (krb5_keyblock_zero): new function, zeros out a keyblock * lib/krb5/init_creds_pw.c: rewrite/implement krb5_get_init_creds_password with new preauth handing, still it can only work with krb5-pa-enc-timestamp for preauth, but now it can handle etype-info2 * 
lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): allocate a opt structure (krb5_get_init_creds_opt_free): free a opt structure (krb5_get_init_creds_opt_set_pa_password): set preauth info for enc-timestamp * lib/krb5/krb5_locl.h: add struct _krb5_get_init_creds_opt_private 2003-09-02 Love Hörnquist Åstrand * lib/krb5/krb5.h: add SAM keyusage numbers, add s2k proc typedef, add a pointer to a private part of krb5_get_init_creds_opt * kdc/string2key.c (main): avoid const warning by using a extra variable 2003-08-31 Love Hörnquist Åstrand * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): reindent * lib/krb5/ticket.c (krb5_copy_ticket): free all data when failing, copy data to right memory, the later pointed out by Luke Howard. 2003-08-30 Love Hörnquist Åstrand * lib/krb5/krb5.h: cfx-01 use diffrent usage numbers 2003-08-29 Love Hörnquist Åstrand * lib/hdb/db3.c: try to include more db headers * lib/hdb/db3.c: patch for working with DB4 on heimdal-discuss From: Luke Howard 2003-08-28 Love Hörnquist Åstrand * lib/krb5/krb5.h: add KEYTYPE_ARCFOUR_56 * appl/test/gssapi_client.c: send both INT and CONF wrapped token * appl/test/gssapi_server.c: recv both INT and CONF wrapped token * lib/asn1/k5.asn1: add KRB5_NT_SMTP_NAME and KRB5_NT_ENTERPRISE 2003-08-27 Love Hörnquist Åstrand * appl/test/uu_client.c (proto): fill in client in the match cred 2003-08-26 Love Hörnquist Åstrand * lib/krb5/krb5.h: CFX uses slightly diffrent usage numbers * lib/krb5/crypto.c (usage2arcfour): simplify, only include special cases From: Luke Howard 2003-08-25 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: code rewrite from Luke Howard * lib/krb5/crypto.c (arcfour_checksum_p): return true when is arcfour, not when its not pointed out by Luke Howard * doc/ack.texi: update Luke Howard email address 2003-08-24 Love Hörnquist Åstrand * lib/krb5/krb5_encrypt.3: document: krb5_crypto_getconfoundersize, krb5_crypto_getblocksize krb5_crypto_getenctype, krb5_crypto_getpadsize * 
lib/krb5/crypto.c (krb5_crypto_getpadsize, krb5_crypto_getconfoundersize): added From: Luke Howard 2003-08-23 Love Hörnquist Åstrand * kdc/connect.c (handle_tcp): handle recvfrom returning 0 (connection closed) * kdc/connect.c (grow_descr): increment the size after we succeed in allocating the space * lib/krb5/krb5_create_checksum.3: text about when krb5_crypto_get_checksum_type is useful * lib/krb5/crypto.c (krb5_crypto_get_checksum_type): fix format string * lib/krb5/krb5_create_checksum.3: document krb5_crypto_get_checksum_type * lib/krb5/crypto.c: add krb5_crypto_get_checksum_type From: Luke Howard * lib/asn1/gen.c: s/UTF8String/heim_utf8_string/ in generated code From: Luke Howard 2003-08-21 Love Hörnquist Åstrand * include/make_crypto.c: include aes.h inc in the local libdes case too 2003-08-20 Johan Danielsson * lib/asn1/der_free.c: set free'd pointers to NULL * lib/asn1/gen_free.c: set free'd pointers to NULL 2003-08-20 Love Hörnquist Åstrand * lib/krb5/heim_threads.h: XXX don't use "plain" pthread support on netbsd * lib/krb5/crypto.c: Do the arcfour checksum mapping for krb5_create_checksum and krb5_verify_checksum, From: Luke Howard 2003-08-18 Love Hörnquist Åstrand * lib/krb5/test_config.c: check krb5_prepend_config_files_default and krb5_prepend_config_files * lib/krb5/context.c: add krb5_prepend_config_files and krb5_prepend_config_files_default 2003-08-17 Love Hörnquist Åstrand * lib/hdb/mkey.c (read_master_mit): krb5_ret_int16 takes an int16_t as argument * lib/krb5/parse-name-test.c: please lint (and me) * kdc/config.c (configure): remove variable 'e', which is set but never used * kdc/connect.c (init_socket): sockaddr size argument to krb5_addr2sockaddr is a krb5_addr2sockaddr * * kdc/kerberos5.c (as_rep): remove unused variable (tgs_rep2): don't use a temporary ret-variable, ret is reset later * lib/krb5/krb5_get_in_cred.3: these functions will be deprecated * lib/krb5/Makefile.am: man_MANS += krb5_get_init_creds.3 * lib/krb5/krb5_get_init_creds.3: beginning of 
documentation of krb5_get_init_creds * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): for compatibility with with the mit implemtation, don't free `creds' argument when done, its up the the caller to do that, also allow a NULL ccache. 2003-08-16 Love Hörnquist Åstrand * lib/krb5/krb5.conf.5: document tgs_require_subkey * lib/asn1/Makefile.am: remove trance of generate tests files, its not really for consumption yet * lib/hdb/Makefile.am: split generated source from non generated source we make-proto.pl can generate prototypes for non generate-source only (make-proto.pl dies on asn1compile's .c files) * lib/krb5/get_cred.c (init_tgs_req): make generation of subkey optional on configuration parameter [realms]realm={tgs_require_subkey=bool} defaults to off. The RFC1510 weakly defines the correct behavior, so old DCE secd apparently required the subkey to be there, and MS will use it when its there. But the request isn't encrypted in the subkey, so you get to choose if you want to talk to a MS mdc or a old DCE secd. 
* kdc/kerberos5.c (*): handle krb5_unparse_name returning non-zero 2003-08-15 Love Hörnquist Åstrand * lib/krb5/principal.c (unparse_name): len can't be zero, so don't check for that 2003-08-13 Love Hörnquist Åstrand * lib/krb5/principal.c (unparse_name): make sure there is space for a NUL, set *name to NULL when there is a failure (so the caller can't get hold of a freed pointer) 2003-07-26 Love Hörnquist Åstrand * lib/krb5/kerberos.8: remove duplicate manual, from cjep@netbsd.org 2003-07-25 Love Hörnquist Åstrand * lib/krb5/cache.c: indent * lib/krb5/cache.c (krb5_cc_set_default_name): only read KRB5CCNAME when not suid 2003-07-24 Love Hörnquist Åstrand * lib/krb5/keytab_krb4.c (read_v4_entry): the des key is 8 bytes, use a char array instead of des_cblock 2003-07-23 Love Hörnquist Åstrand * kdc/kerberos5.c: add support for KRB5_PADATA_ETYPE_INFO2 * lib/krb5/crypto.c (hmac): make it return an error when out of memory, update callsites to either return error or use krb5_abortx (krb5_hmac): expose hmac 2003-07-22 Love Hörnquist Åstrand * lib/krb5/keyblock.c (krb5_keyblock_get_enctype): return enctype of keyblock * lib/krb5/Makefile.am (man_MANS): += krb5_keyblock.3 * lib/krb5/krb5_keyblock.3: some information about krb5_keyblock and related functions * lib/krb5/heim_threads.h: make the non-debug version of the mutex macros "use" the "mutex" integer so the compiler won't complain about defined but unused variables * lib/krb5/heim_threads.h: make thread local storage macros take a "return" argument so no functions need to be created for the no-pthread case * lib/krb5/heim_threads.h: add RWLOCKS and [sg]etspecific * configure.in: use KRB_PTHREADS * lib/asn1/Makefile.am (gen_files): add asn1_KerberosString and sort * lib/asn1/k5.asn1 (ETYPE-INFO2-ENTRY): salt is a KerberosString * lib/krb5/krb5.3: add ticket access functions * lib/krb5/krb5_ticket.3: ditto * lib/krb5/ticket.c: ditto * lib/krb5/Makefile.am: ditto * lib/krb5/mit_glue.c: add some more krb5_c functions * 
lib/krb5/krb5_c_make_checksum.3: add some more krb5_c functions * lib/krb5/crypto.c (krb5_cksumtype_valid): check is checksum type is a valid one * lib/krb5/crypto.c (krb5_checksum_is_keyed): only set extented error string when there is a context (krb5_checksum_is_collision_proof): ditto 2003-07-21 Love Hörnquist Åstrand * lib/krb5/mit_glue.c (krb5_c_get_checksum): make type and data argument optional (krb5_c_{encrypt,decrypt}): return "better" error codes for invalid ivec length * lib/krb5/krb5_c_make_checksum.3: update krb5_c_get_checksum usage * lib/krb5/crypto.c (krb5_crypto_getenctype): new function * include/make_crypto.c: avoid redefining OPENSSL_DES_LIBDES_COMPATIBILITY * lib/krb5/krb5.h: add krb5_enc_data 2003-07-19 Love Hörnquist Åstrand * lib/krb5/krb5.3: add krb5_c_ functions * lib/krb5/mit_glue.c: support passing in NULL as the cipher_state/ivec * lib/krb5/aes-test.c: add test for krb5_c_encrypt_length and krb5_c_decrypt * lib/krb5/krb5_c_make_checksum.3: krb5_c encryption glue * lib/krb5/crypto.c (wrapped_length/wrapped_length_derived): when calculating the length of the encrypted data, use the keyed checksum length if the enctype supports a keyed checksum. This only matter for aes, for all other enctypes the key and unkeyed checksum have the same length. 
2003-07-18 Love Hörnquist Åstrand * lib/krb5/mit_glue.c: first version of krb5_c encryption glue * doc/install.texi: update pointer to luke ldap documentation * lib/hdb/hdb.c (hdb_create): check for dynamic backend after static to avoid warning from dynamic backend when using a known static backend 2003-07-16 Love Hörnquist Åstrand * lib/krb5/cache.c: don't return value in void function 2003-07-15 Love Hörnquist Åstrand * lib/krb5/creds.c (krb5_compare_creds): if client is specified in the mcreds, check that too * lib/krb5/{keytab_file.c,principal.c,mk_error.c,krb5.h,get_cred.c}: prefix libasn1 types with heim_ * lib/asn1: prefix typedefs and structs with heim_ 2003-07-13 Love Hörnquist Åstrand * lib/hdb/hdb.c: avoid unnecessary setting of variable 2003-07-07 Love Hörnquist Åstrand * kuser/klist.c (check_for_tgt): use krb5_cc_clear_mcred * appl/test/uu_client.c (proto): use krb5_cc_clear_mcred * lib/krb5/get_cred.c (init_tgs_req): in case of error, don't free in the req_body addresses since they where pass in by caller (find_cred): use krb5_cc_clear_mcred * lib/krb5/krb5_ccache.3: document krb5_cc_clear_mcred * lib/krb5/cache.c (krb5_cc_clear_mcred): new function, clear a krb5_creds to use with krb5_cc_retrieve_cred 2003-06-30 Love Hörnquist Åstrand * lib/hdb/hdb.c (find_dynamic_method): if there isn't a prefix, don't load anything 2003-06-29 Love Hörnquist Åstrand * lib/hdb/hdb.c: Dynamic backend loading, based on patch from Luke Howard * lib/hdb/hdb.h: add struct hdb_so_method and HDB_INTERFACE_VERSION 2003-06-28 Love Hörnquist Åstrand * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): when using arcfour-hmac-md5, use an unkeyed checksum (rsa-md5), since Microsoft calculates the keyed checksum with the subkey of the authenticator. 
* kuser/kinit.c: write out v4 credential caches with _krb5_krb_tf_setup * lib/krb5/krb5-v4compat.h: add _krb5_krb_tf_setup * lib/krb5/convert_creds.c (_krb5_krb_tf_setup): create/append v4 credential to a new krb4 ticket file 2003-06-27 Johan Danielsson * lib/krb5/krb5_kuserok.3: put Nd argument in double quotes since it contains more than 9 words; from wiz 2003-06-25 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c: add missing " within #if 0, from stefan sokoll 2003-06-24 Love Hörnquist Åstrand * lib/krb5/krb5_timeofday.3: improve krb5_set_real_time text * lib/krb5/time.c: improve comment for krb5_set_real_time 2003-06-23 Johan Danielsson * kuser/kinit.1: document -A * kuser/kinit.c: add -A as an alias for --no-addresses 2003-06-22 Love Hörnquist Åstrand * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): pass in a krb5_timestamp to krb5_us_timeofday * lib/krb5/mk_error.c (krb5_mk_error): pass in a krb5_timestamp to krb5_us_timeofday * lib/krb5/time.c (krb5_set_real_time): fix comment and make it work * lib/krb5/time.c, lib/krb5/krb5_timeofday.3, lib/krb5/Makefile.am lib/krb5/test_time.c: implement krb5_set_real_time, used by SAMBA, requested by Luke Howard * lib/asn1/k5.asn1: make the aes and sha1 checksum types match draft-ietf-krb-wg-crypto-05 2003-06-21 Love Hörnquist Åstrand * lib/krb5/aes-test.c: add a test for aes kcrypto encrypted data * lib/krb5/crypto.c: clean up AES code to use a structure instead of a key array (_krb5_AES_string_to_default_iterator): set to 4096 as described in aes draft -04 (derive_key): always remove the key->schedule since its will contain the wrong (parent key) info 2003-06-18 Love Hörnquist Åstrand * lib/krb5/aes-test.c: add aes256 test vectors from Ken Raeburn * doc/setup.texi: add more kdc's to the example 2003-06-17 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: use int2HDBFlags/HDBFlags2int From: Alberto Patino , Luke Howard Pointed out by Andrew Bartlett of Samba * lib/krb5/heim_threads.h: remove freebsd comment, don't 
use debug pthread stubs by default * lib/krb5/Makefile.am (man_MANS): drop krb5_free_addresses.3 * lib/krb5/krb5_free_addresses.3: removed file, functions are documented in krb5_address.3 * lib/krb5/codec.c: add krb5_{de,en}code_ETYPE_INFO2 * lib/krb5/crypto.c: add _krb5_AES_string_to_default_iterator add krb5_string_to_key_salt_opaque() fix keylengh for keytype_aes256 2003-06-06 Love Hörnquist Åstrand * doc/setup.texi: Point out that slave needs /var/heimdal directory and masterkey From: Mans Nilsson , Fix spelling while here 2003-06-02 Love Hörnquist Åstrand * lib/krb5/Makefile.am, krb5_get_in_cred.3, krb5.3: add manpage for: krb5_get_in_cred, krb5_get_in_tkt, krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_password, krb5_get_in_tkt_with_skey 2003-05-28 Assar Westerlund * lib/krb5/heim_threads.h: Fix unlock/destroy macros for the non-threaded cases to work. Fix typo. 2003-05-27 Johan Danielsson * lib/asn1/{der_put.c,der_length.c,check-der.c}: Fix encoding of "unsigned" integers. If MSB is set, we need to pad with a zero byte. 2003-05-27 Love Hörnquist Åstrand * lib/krb5/krb5_c_make_checksum.3: some more mdoc fixes * lib/hdb/hdb-ldap.c (LDAP__connect): bind sasl "EXTERNAL" to ldap connection (LDAP_store): remove superfluous argument to asprintf From Alberto Patino 2003-05-26 Love Hörnquist Åstrand * lib/krb5/*.[0-9]: pacify mdoclink * lib/krb5/krb5_ccache.3: document diffrences between mit and heimdal krb5_cc_gen_new ccache -> credential cache s/[\t ]+$// 2003-05-21 Love Hörnquist Åstrand * appl/test/gssapi_server.c (proto): start to use gss_krb5_copy_ccache * appl/test/nt_gss_server.c (proto): comment out gss_ctx_id_t groveling for now 2003-05-20 Love Hörnquist Åstrand * lib/asn1: - add parser/generate glue for UTF8String and NULL (DER primitive encode/decode functions missing) - handle parsing of DEFAULT and, ... 
2003-05-16 Love Hörnquist Åstrand * lib/krb5/heim_threads.h: add missing argument to mutex_init * lib/krb5/crypto.c: protect the random initiator with a mutex * lib/krb5/mcache.c: protect the mcc_head with a mutex * lib/krb5/krb5_locl.h: include heim_threads.h * lib/krb5/heim_threads.h: wrapper macros for thread synchronization primitives 2003-05-15 Love Hörnquist Åstrand * lib/krb5/krb5_principal.3 lib/krb5/Makefile.am: Add all Kerberos principal function to one manpage, add a few more principal function to it, remove old now dup manpages * lib/krb5/krb5_build_principal.3: remove file * lib/krb5/krb5_free_principal.3: remove file * lib/krb5/krb5_sname_to_principal.3: remove file * lib/krb5/krb5_principal_get_realm.3: remove file 2003-05-14 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.8: sort sections, from netbsd * lib/krb5/krb5_verify_user.3: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd * lib/krb5/krb5_openlog.3: .Sh EXAMPLE -> .Sh EXAMPLES, sort sections, from netbsd * lib/krb5/krb5_keytab.3: .Sh EXAMPLE -> .Sh EXAMPLES, mdoc fixes, from netbsd * lib/krb5/krb5_get_krbhst.3: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd * lib/krb5/krb5_get_all_client_addrs.3: add .Os, from NetBSD * lib/krb5/krb5_build_principal.3: sort sections, from NetBSD * lib/krb5/krb5.conf.5: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd * lib/krb5/get_default_realm.c: compatability -> compatibility, from netbsd * lib/krb5/krb5_warn.3: add copyright/license * lib/krb5/krb5_context.3: add SYNOPSIS and LIBRARY * lib/krb5/krb5.3: add RCSID * kdc/hprop.8: fix mdoc problem, from netbsd * lib/krb5/krb5_krbhst_init.3: uppercase url, from Thomas Klausner * kuser/kinit.1: setup -> set up, new sentence, new line from Thomas Klausner 2003-05-13 Love Hörnquist Åstrand * kpasswd/kpasswd.1: handle setting passwords for multiple principals at the same time * kpasswd/kpasswd.c: handle setting passwords for multiple principals at the same time * lib/krb5/changepw.c: draft-ietf-cat-kerb-chg-password-02 and rfc3244 
share the response packet sure more constants now that they exists 2003-05-12 Love Hörnquist Åstrand * lib/krb5/krb5.h: some define for rfc3244 * lib/krb5/krb5.3: add krb5_change_password and krb5_set_password * kpasswd/kpasswd.1: document --admin-principal * kpasswd/kpasswd.c: use krb5_set_password * lib/krb5/krb5_set_password.3: document krb5_change_password and krb5_set_password * lib/krb5/changepw.c: implement rfc3244, partly from shadow@dementia.org * lib/asn1/Makefile.am (gen_files): asn1_ChangePasswdDataMS.x for RFC3244 * lib/asn1/k5.asn1: add ChangePasswdDataMS, for RFC3244 2003-05-08 Love Hörnquist Åstrand * kuser/kdestroy.c: destroy tokens even if there isn't v4 support * kuser/kinit.c: get token even if there isn't v4 support * kuser/klist.c: print tokens even if there isn't v4 support 2003-05-06 Johan Danielsson * lib/krb5/name-45-test.c: need to use empty krb5.conf for some tests * lib/asn1/check-gen.c: there is no \e escape sequence; replace everything with hex-codes, and cast to unsigned char* to make some compilers happy 2003-05-06 Love Hörnquist Åstrand * lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first argument to krb5_us_timeofday have correct type 2003-05-05 Assar Westerlund * include/make_crypto.c (main): include aes.h if ENABLE_AES 2003-05-05 Love Hörnquist Åstrand * make-release: when fixing a valid cvs tag from release name replace all number. 
to number- for all non-overlapping matches 2003-05-04 Love Hörnquist Åstrand * lib/asn1/Makefile.am: gen_files += asn1_ETYPE_INFO2.x and asn1_ETYPE_INFO2_ENTRY.x (libasn1_la_LDFLAGS): set version to 6:1:1 * doc/Makefile.am: add apps.texi * doc/setup.texi: add move forward link to applications * doc/heimdal.texi: add applications * doc/misc.texi: move afs stuff to applications add link to applications * doc/apps.texi: text about applications using kerberos move afs text here 2003-05-03 Love Hörnquist Åstrand * doc/setup.texi: add cross realm text 2003-04-29 Love Hörnquist Åstrand * lib/krb5/krb5_crypto_init.3: document krb5_enctype_to_string and krb5_string_to_enctype 2003-04-28 Love Hörnquist Åstrand * kdc/v4_dump.c (v4_prop_dump): limit strings length, from openbsd 2003-04-26 Love Hörnquist Åstrand * lib/krb5/aes-test.c: use _krb5_PKCS5_PBKDF2 * lib/krb5/crypto.c: unexport krb5_PKCS5_PBKDF2 2003-04-25 Johan Danielsson * lib/krb5/build_auth.c (krb5_build_authenticator): if the local sequence number is non-zero, don't generate a new one * lib/krb5/mk_rep.c (krb5_mk_rep): if the local sequence number is non-zero, don't generate a new one * lib/krb5/time.c (krb5_us_timeofday): make the sec parameter a krb5_timestamp * lib/krb5/mk_priv.c lib/krb5/mk_safe.c lib/krb5/rd_priv.c lib/krb5/rd_safe.c lib/krb5/rd_cred.c: implement RET_SEQUENCE and RET_TIME * lib/krb5/krb5.h (krb5_replay_data): make usec signed (matching asn1) 2003-04-24 Love Hörnquist Åstrand * doc/programming.texi: s/managment/management/, from jmc 2003-04-23 Love Hörnquist Åstrand * lib/krb5/context.c (default_etypes): also advertise that we handle aes encryption types * lib/krb5/Makefile.am: add krb5_c_ checksum related functions * lib/krb5/krb5_c_make_checksum.3: document krb5_c_ checksum related functions * lib/krb5/mit_glue.c: add compat mit krb5_c checksum related functions * lib/asn1/k5.asn1: add ETYPE-INFO2 and ETYPE-INFO2-ENTRY 2003-04-22 Love Hörnquist Åstrand * lib/krb5/krbhst.c: copy NUL too, from 
janj@wenf.org via openbsd 2003-04-17 Love Hörnquist Åstrand * lib/asn1/der_copy.c (copy_general_string): use strdup * lib/asn1/der_put.c: remove sprintf * lib/asn1/gen.c: remove strcpy/sprintf * lib/krb5/name-45-test.c: use a more unique name then ratatosk so that other (me) have such hosts in the local domain and the tests fails, to take hokkigai.pdc.kth.se instead * lib/krb5/test_alname.c: add --version and --help 2003-04-16 Love Hörnquist Åstrand * lib/krb5/krb5_warn.3: add krb5_get_err_text * lib/krb5/transited.c: use strlcat/strlcpy, from openbsd * lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use strlcpy, from openbsd * kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd * appl/kf/kfd.c: use strlcpy, from openbsd 2003-04-16 Johan Danielsson * configure.in: fix for large file support in AIX, _LARGE_FILES needs to be defined on the command line, since lex likes to include stdio.h before we get to config.h 2003-04-16 Love Hörnquist Åstrand * lib/krb5/*.3: Change .Fd #include to .In header.h, from Thomas Klausner * lib/krb5/krb5.conf.5: spelling, from Thomas Klausner 2003-04-15 Love Hörnquist Åstrand * kdc/kerberos5.c: fix some more memory leaks 2003-04-11 Love Hörnquist Åstrand * appl/kf/kf.1: spelling, from jmc 2003-04-08 Love Hörnquist Åstrand * admin/ktutil.8: typos, from jmc 2003-04-06 Love Hörnquist Åstrand * lib/krb5/krb5.3: s/kerberos/Kerberos/ * lib/krb5/krb5_data.3: s/kerberos/Kerberos/ * lib/krb5/krb5_address.3: s/kerberos/Kerberos/ * lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/ * lib/krb5/krb5.conf.5: s/kerberos/Kerberos/ * kuser/kinit.1: s/kerberos/Kerberos/ * kdc/kdc.8: s/kerberos/Kerberos/ 2003-04-01 Love Hörnquist Åstrand * lib/krb5/test_alname.c: more krb5_aname_to_localname tests * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when converting too root, make sure user is ok according to krb5_kuserok before allowing it. 
* lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname * lib/krb5/test_alname.c: add test for krb5_aname_to_localname * lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): use p1 instead of the "illegal" salt #~, same change as kth-krb did 1999. Problems occur with crypt() that behaves like AT&T crypt (openssl does this). Pointed out by Marcus Watts. * admin/change.c (kt_change): collect all principals we are going to change, and pick the highest kvno and use that to guess what the resulting kvno is going to be. Now two ktutil changes in a row work. XXX fix the protocol to pass the kvno back. 2003-03-31 Love Hörnquist Åstrand * appl/kf/kf.1: afs->AFS, from jmc 2003-03-30 Love Hörnquist Åstrand * doc/setup.texi: add description on how to turn on v4, 524 and kaserver support 2003-03-29 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog and afs-use-524 2003-03-28 Love Hörnquist Åstrand * kdc/kerberos5.c (as_rep): when the second enctype_to_string fails, remember to free memory from the first enctype_to_string * lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2, from Harald Joerg (enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc * lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key length when key is longer than expected length, it's probably longer since the encrypted data was padded, reported by Aidan Cully * lib/krb5/crypto.c (krb5_enctype_keysize): return key size of encryption type, inspired by Aidan Cully 2003-03-27 Love Hörnquist Åstrand * lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0 (wildcard kvno) after principal when the keytab entry isn't found, reported by Chris Chiappa 2003-03-26 Love Hörnquist Åstrand * doc/misc.texi: update 2b example to match reality (from mattiasa@e.kth.se) * doc/misc.texi: spelling and add `Configuring AFS clients' subsection 2003-03-25 Love Hörnquist Åstrand * lib/krb5/krb5.3: add krb5_free_data_contents.3 * lib/krb5/data.c: add krb5_free_data_contents 
for compat with MIT API * lib/krb5/krb5_data.3: add krb5_free_data_contents for compat with MIT API * lib/krb5/krb5_verify_user.3: write more about how the ccache argument should be inited when used 2003-03-25 Johan Danielsson * lib/krb5/addr_families.c (krb5_print_address): make sure print_addr is defined for the given address type; make addrports printable * kdc/string2key.c: print the used enctype for kerberos 5 keys 2003-03-25 Love Hörnquist Åstrand * lib/krb5/aes-test.c: add another arcfour test 2003-03-22 Love Hörnquist Åstrand * lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5 2003-03-20 Love Hörnquist Åstrand * lib/krb5/krb5_ccache.3: update .Dd * lib/krb5/krb5.3: sort in krb5_data functions * lib/krb5/Makefile.am (man_MANS): += krb5_data.3 * lib/krb5/krb5_data.3: document krb5_data * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if prompter is NULL, don't try to ask for a password to change. reported by Iain Moffat @ ufl.edu via Howard Chu 2003-03-19 Love Hörnquist Åstrand * lib/krb5/krb5_keytab.3: spelling, from * lib/krb5/krb5.conf.5: . 
means new line * lib/krb5/krb5.conf.5: spelling, from * lib/krb5/krb5_auth_context.3: spelling, from 2003-03-18 Love Hörnquist Åstrand * kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5 * lib/krb5/convert_creds.c: add _krb5_krb_life_to_time * lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time * kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out #ifdef KRB4 from enable_v4_cross_realm since 524 needs it * kdc/config.c: 524 is independent of kerberos 4, so move out enable_v4_cross_realm from #ifdef KRB4 since 524 needs it 2003-03-17 Assar Westerlund * kdc/kdc.8: document --kerberos4-cross-realm * kdc/kerberos4.c: pay attention to enable_v4_cross_realm * kdc/kdc_locl.h (enable_v4_cross_realm): add * kdc/524.c (encode_524_response): check the enable_v4_cross_realm flag before giving out v4 tickets for foreign v5 principals * kdc/config.c: add --enable-kerberos4-cross-realm option (default to off) 2003-03-17 Love Hörnquist Åstrand * lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3 * lib/krb5/krb5_aname_to_localname.3: manpage for krb5_aname_to_localname * lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/ 2003-03-16 Love Hörnquist Åstrand * lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3 * lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3 * lib/krb5/krb5_set_default_realm.3: Manpage for krb5_free_host_realm, krb5_get_default_realm, krb5_get_default_realms, krb5_get_host_realm, and krb5_set_default_realm. 
* admin/ktutil.8: s/entype/enctype/, from Igor Sobrado via NetBSD * lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type * lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab * lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix * lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more types, add krb5_fcc_ops and krb5_mcc_ops * lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for a id 2003-03-15 Love Hörnquist Åstrand * doc/intro.texi: add reference to source code, binaries and the manual * lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal 2003-03-14 Love Hörnquist Åstrand * kdc/kdc.8: better/difrent english * kdc/kdc.8: . -> .\n, copyright/license * kdc/kdc.8: changed configuration file -> restart kdc * kdc/kerberos4.c: add krb4 into the most error messages written to the logfile * lib/krb5/krb5_ccache.3: add missing name of argument (krb5_context) to most functions 2003-03-13 Love Hörnquist Åstrand * lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of function and return FALSE when there isn't a local account for `luser'. 
* lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text describing the function 2003-03-12 Love Hörnquist Åstrand * lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name returned memory, don't return ENOMEM 2003-03-11 Love Hörnquist Åstrand * lib/krb5/krb5.3: add krb5_address stuff and sort * lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description * lib/krb5/Makefile.am (man_MANS): += krb5_address.3 * lib/krb5/krb5_address.3: document types krb5_address and krb5_addresses and their helper functions 2003-03-10 Love Hörnquist Åstrand * lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3 * lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se * lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3 * lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se * lib/krb5/krb5.3: add more functions * lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc functions * lib/krb5/krb5_kuserok.3: document krb5_kuserok * lib/krb5/krb5_verify_user.3: document krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior * lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and krb5_verify_user_opt * lib/krb5/*.[0-9]: add copyright/licenses on more manpages * kuser/kdestroy.c (main): handle that krb5_cc_default_name can return NULL * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor (TESTS): add test_cc * lib/krb5/test_cc.c: test some krb5_cc_default_name/krb5_cc_set_default_name combinations * lib/krb5/context.c (init_context_from_config_file): set default_cc_name to NULL (krb5_free_context): free default_cc_name if set * lib/krb5/cache.c (krb5_cc_set_default_name): new function (krb5_cc_default_name): use krb5_cc_set_default_name * lib/krb5/krb5.h (krb5_context_data): add default_cc_name 2003-02-25 Love Hörnquist Åstrand * appl/kf/kf.1: s/securly/securely/ from NetBSD 2003-02-18 Love Hörnquist Åstrand * kdc/connect.c: s/intialize/initialize, from 2003-02-17 Love Hörnquist Åstrand * configure.in: add AM_MAINTAINER_MODE 2003-02-16 Love Hörnquist Åstrand * 
**/*.[0-9]: add copyright/licenses on all manpages 2003-02-16 Jacques Vidrine * lib/krb5/get_in_tkt.c (init_as_req): Send only a single PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption type specified by the KDC. 2003-02-15 Love Hörnquist Åstrand * fix-export: some autoconf versions put their version number in autom4te.cache, so remove autom4te*.cache * fix-export: make sure $1 is a directory 2003-02-04 Love Hörnquist Åstrand * kpasswd/kpasswdd.8: spelling, from jmc * kdc/kdc.8: spelling, from jmc 2003-01-31 Love Hörnquist Åstrand * kdc/hpropd.8: s/databases/a database/ s/Not/not/ * kdc/hprop.8: add missing . 2003-01-30 Love Hörnquist Åstrand * lib/krb5/krb5.conf.5: documentation for boolean, etypes, address; write out encryption type in sentences, s/Host/host 2003-01-26 Love Hörnquist Åstrand * lib/asn1/check-gen.c: add checks for Authenticator too 2003-01-25 Love Hörnquist Åstrand * doc/setup.texi: in the hprop example, use hprop and the first component, not host * lib/krb5/get_addrs.c (find_all_addresses): point-to-point interfaces might not have an address; just ignore those. Reported by Harald Barth. 
2003-01-23 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c (check_section): when key isn't found, don't print out all known keys * lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity and facility start resp (check_log): find_value() returns -1 when key isn't found * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a 'const void *' to avoid AES_KEY being exposed in krb5-private.h * lib/krb5/krb5.conf.5: add [kdc]use_2b * kdc/524.c (encode_524_response): it's 2b not b2 * doc/misc.texi: quote @ where missing * lib/asn1/Makefile.am: add check-gen * lib/asn1/check-gen.c: add Principal check * lib/asn1/check-common.h: move generic asn1/der functions from check-der.c to here * lib/asn1/check-common.c: move generic asn1/der functions from check-der.c to here * lib/asn1/check-der.c: move out the generic asn1/der functions to a common file 2003-01-22 Love Hörnquist Åstrand * doc/misc.texi: more text about afs, how to get your KeyFile, and how to start using 2b tokens * lib/krb5/krb5.conf.5: spelling, from Jason McIntyre 2003-01-21 Jacques Vidrine * kuser/kuser_locl.h: include crypto-headers.h for des_read_pw_string prototype 2003-01-16 Love Hörnquist Åstrand * admin/ktutil.8: document -v, --verbose * admin/get.c (kt_get): make getarg usage consistent with other parts of ktutil * admin/copy.c (kt_copy): remove adding verbose_flag to args struct, since it will overrun the args array (from Sumit Bose) 2003-01-15 Love Hörnquist Åstrand * lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc = ... } * lib/krb5/aes-test.c: test vectors in aes-draft * lib/krb5/Makefile.am: add aes-test.c * lib/krb5/crypto.c: Add support for AES (draft-raeburn-krb-rijndael-krb-02), not enabled by default. (HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify to support checksum types that have a shorter wire format than their output block size. 
* lib/krb5/crypto.c (struct encryption_type): split the blocksize into blocksize and padsize, padsize is the minimum padding size. they are the same for now (enctype_*): add padsize (encrypt_internal): use padsize (encrypt_internal_derived): use padsize (wrapped_length): use padsize (wrapped_length_dervied): use padsize * lib/krb5/crypto.c: add extra `opaque' argument to string_to_key function for each enctype in preparation enctypes that uses `Encryption and Checksum Specifications for Kerberos 5' draft * lib/asn1/k5.asn1: add checksum and enctype for AES from draft-raeburn-krb-rijndael-krb-02.txt * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128, KEYTYPE_AES256 2003-01-14 Love Hörnquist Åstrand * lib/hdb/common.c (_hdb_fetch): handle error code from hdb_value2entry * kdc/Makefile.am: always include kerberos4.c and 524.c in kdc_SOURCES to support 524 * kdc/524.c: always compile in support for 524 * kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4 * kdc/config.c: always compile in support for 524 * kdc/connect.c: always compile in support for 524 * kdc/kerberos4.c: export encode_v4_ticket() and get_des_key() even when we build without kerberos 4, 524 needs them * lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out Kerberos 4 help functions/structures so other parts of the source tree can use it (like the KDC) heimdal-1.7~git20150920+dfsg/ChangeLog.2004000066400000000000000000001301151257755311500176020ustar00rootroot000000000000002004-12-30 Love Hörnquist Åstrand * lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for now (used in pkinit) 2004-12-29 Love Hörnquist Åstrand * lib/hdb/Makefile.am: add CHECK_SYMBOLS * lib/hdb/keys.c: make all_etypes static * lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err -version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops * kdc/kerberos5.c: use private version of principalname * kdc/kerberos4.c: use private version of principalname * kdc/hpropd.c: use private version of principalname 
* kdc/524.c: use private version of principalname * lib/krb5/rd_req.c: use private version of principalname * lib/krb5/rd_cred.c: use private version of principalname * lib/krb5/init_creds_pw.c: use private version of principalname * lib/krb5/get_in_tkt.c: use private version of principalname * lib/krb5/asn1_glue.c: make principalname functions private * lib/krb5/krb5.h: add key usage for server referrals 2004-12-29 Love Hörnquist Åstrand * lib/krb5/principal.c: make default_v4_name_convert static * lib/krb5/crypto.c: make lots of crypto related variables static * lib/krb5/acache.c: make default_acc_name static 2004-12-28 Love Hörnquist Åstrand * doc/setup.texi: add some text about samba, use example.com * lib/hdb/hdb-ldap.c: Add account expiration for samba from James F. Hranicky . Add LDAP_addmod_integer and use it. 2004-12-27 Love Hörnquist Åstrand * doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text fixes, from Dave Love 2004-12-18 Love Hörnquist Åstrand * lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just needs pthread.h, threadlib is dead 2004-12-17 Love Hörnquist Åstrand * kdc/config.c (configure): check for deprecated enforce-transited-policy is set and fail if it is * lib/asn1/asn1_print.c: don't print garabage for octet strings 2004-12-13 Love Hörnquist Åstrand * kdc/main.c (main): catch sigpipe, we don't bother select()ing for errors * kdc/connect.c (handle_http_tcp): handle error from write(2) * doc/setup.texi: clarify credentials refreshing stuff * doc/setup.texi: add new node: Providing Kerberos credentials to servers and programs * doc/whatis.texi: fix spurious cross-reference makeinfo warning * lib/hdb/hdb-ldap.c (pos): uppercase in character 2004-12-12 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode nibbels in the other order * lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if attribute exists before we try to delete it LDAP__bytes2hex encodes in strange byte order, is this really right 
? 2004-12-11 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all entries, search for samba accounts too, From: "James F. Hranicky" * lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid too * lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing both krb5PrincipalName and uid, it must be broken, ignore it and return it doesn't exists. 2004-12-10 Love Hörnquist Åstrand * kdc/hpropd.8: spelling, from OpenBSD * kdc/kdc.8: use keeps for options, From OpenBSD k 2004-12-09 Love Hörnquist Åstrand * doc/setup.texi: document --random-key and the need to do backup of the master key * kdc/kstash.8: add --random-key * kdc/kstash.c: add --random-key 2004-12-08 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.8: spelling, from openbsd * lib/krb5/krb5_init_context.3: spelling, from openbsd * lib/krb5/krb5.conf.5: spelling, from openbsd * kuser/kdestroy.1: use keeps around options, spelling, from openbsd * kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD * kdc/hpropd.8: use keeps around options, from OpenBSD * kdc/hprop.8: use keeps around options, from OpenBSD 2004-11-30 Love Hörnquist Åstrand * lib/krb5/context.c (krb5_free_context): clear error string before destroying mutex (krb5_init_context): don't call krb5_free_context before there is a mutex initialized 2004-11-18 Love Hörnquist Åstrand * kuser/kinit.c (get_new_tickets): only complain about ticket renewable lifetime when the user asked for a specific renewable lifetime 2004-11-15 Love Hörnquist Åstrand * kdc/kerberos5.c (find_keys): log what principal is missing enctypes 2004-11-13 Love Hörnquist Åstrand * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after freeing data * lib/krb5/init_creds_pw.c (change_password): handle old_options being NULL From Guenther Deschner on samba-technical. 
2004-11-12 Love Hörnquist Åstrand * lib/krb5/krb5_get_init_creds.3: add more text describing the krb5_get_init_creds functions 2004-11-11 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work again 2004-11-10 Love Hörnquist Åstrand * lib/hdb/hdb.asn1: use constrained integers 2004-11-09 Love Hörnquist Åstrand * lib/krb5/krb5_get_init_creds.3: add description for opt_init, opt_alloc, opt_free * lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit * lib/krb5/init_creds.c: unexport krb5_get_init_creds_opt_free_pkinit * lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into get_init_creds_common * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in options NULL, just make a clean copy 2004-11-01 Love Hörnquist Åstrand * lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier so we don't leak it on error 2004-10-31 Love Hörnquist Åstrand * lib/krb5/krb5.conf.5: unbreak 2b entry * lib/krb5/acache.c (make_cred_from_ccred): the address isn't a sockaddr but rather a kerberos address, deal with that. Based on bug report from Jakob Schlyter . 2004-10-30 Love Hörnquist Åstrand * kdc/connect.c: Make sure argument passed to ctype isn't signed char 2004-10-14 Love Hörnquist Åstrand * lib/krb5/pkinit.c: match new error names * lib/krb5/krb5_err.et: make error messages sane again 2004-10-13 Love Hörnquist Åstrand * lib/krb5/keytab.c: use KRB5_KT_BADNAME * lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major version bump) add KRB5_DELTAT_BADFORMAT * lib/krb5/krb5.conf.5: time defaults to "s" * lib/krb5/time.c (krb5_string_to_deltat): default to "s" again, MIT's behavior was actually that it failed to parse the number (and thus used the default). Even better, ticket_lifetime (that was a consumer supposed a of the interface) was documented but never implemented, when it was implemented, people configuraiton files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a failure code. 
* lib/asn1/k5.asn1: sync enctypes with pkinit branch * lib/asn1/parse.y (readd) support negative numbers * lib/asn1/lex.l: support hex numbers 2004-10-12 Love Hörnquist Åstrand * kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS * lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding for rc2 don't to padding for blocksize 1 * lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c: Move keyset parsing and password based keyset generation into hdb. Requested by Andrew Bartlett for hdb-ldb backend. 2004-10-07 Love Hörnquist Åstrand * kuser/kinit.c: adapt to new signature of krb5_get_init_creds_opt_set_pkinit * lib/krb5/pkinit.c: free openssl engine deal with RecipientIdentifier -> CMSIdentifier and heim_any -> name change improve error messages * kdc/pkinit.c: free openssl engine deal with RecipientIdentifier -> CMSIdentifier and heim_any -> name change 2004-10-04 Johan Danielsson * kuser/klist.c: use rtbl_set_separator 2004-10-03 Love Hörnquist Åstrand * lib/krb5/pkinit.c: filter out dup openssl engine keys, parse user options first * lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add openssl engine support for private key * lib/krb5/crypto.c: support padding as its done in CMS * kdc/pkinit.c: improve error logging * kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt 2004-09-30 Love Hörnquist Åstrand * lib/krb5/krb5.conf.5: assume minutes for time * lib/krb5/config_file.c (krb5_config_vget_time_default): use krb5_string_to_deltat * lib/krb5/appdefault.c (krb5_appdefault_time): use krb5_string_to_deltat * lib/krb5/time.c (krb5_string_to_deltat): set default unit to minute for compatibility with MIT Kerberos. 2004-09-28 Love Hörnquist Åstrand * lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large message safe" transport if we get back KRB5KRB_ERR_RESPONSE_TOO_BIG error. 
Idea from Guenther Deschner 2004-09-23 Johan Danielsson * admin/list.c: use rtbl * admin/ktutil-commands.in: slc source file * lib/krb5/constants.c: check /Library/Preferences/edu.mit.Kerberos on OSX 2004-09-21 Johan Danielsson * lib/krb5/time.c (krb5_format_time): check return value from localtime and strftime 2004-09-14 Johan Danielsson * kuser/kinit.c: make sure we don't always get renewable creds 2004-09-11 Love Hörnquist Åstrand * lib/krb5/acache.c: use krb5_ccapi.h * lib/krb5/krb5_ccapi.h: break out krb5 api definitions to separate (not installed) file * lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS since AM_CPPFLAGS is overridden by target specific _CPPFLAGS 2004-09-08 Love Hörnquist Åstrand * lib/krb5/pkinit.c: make variable shorter, make error messages from pkinit, make freeing easier 2004-09-06 Love Hörnquist Åstrand * lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen * lib/krb5/crypto.c (seed_something): avoid poking at memory that is uninitialized, which made valgrind unhappy. Pointed out by abartlet@samba.org. While there, plug the fd leak. 2004-09-05 Love Hörnquist Åstrand * lib/asn1/der_get.c (decode_*): name all tag-length variables the same (decode_enumerated): check that the tag-length is not longer than the length of the input buffer * lib/asn1/der_get.c (decode_boolean): fail if the length of the tag is larger than len 2004-08-31 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be set in case of failure too, free unconditionally on exit to avoid memory leak 2004-08-23 Love Hörnquist Åstrand * lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after free 2004-08-20 Love Hörnquist Åstrand * lib/krb5/context.c (krb5_get_err_text): if neither com_right nor strerror finds the error-code, return Unknown error. 
2004-08-19 Johan Danielsson * lib/krb5/krb5_kuserok.3: update to reality * lib/krb5/kuserok.c: if a .k5login file exists, don't give implicit rights to anyone; also check the owner and mode of .k5login before trusting its contents 2004-08-15 Love Hörnquist Åstrand * lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3 * lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname * lib/krb5/krb5.3: add krb5_getportbyname * lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid * lib/krb5/krb5_encrypt.3: document krb5_enctype_valid 2004-08-13 Love Hörnquist Åstrand * kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes from the client and filter them out. * lib/krb5/krb5_string_to_key.3: document krb5_free_salt 2004-08-12 Love Hörnquist Åstrand * lib/krb5/krb5_ticket.3: data needs to be freed when using krb5_ticket_get_authorization_data_type 2004-08-11 Love Hörnquist Åstrand * lib/krb5/test_cc.c: test variables in default_cc_name * lib/krb5/krb5.conf.5: explain support for variables in [libdefaults]default_cc_name * lib/krb5/cache.c: drop ${time}, it's not very useful * lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expands variables in the default cc name. Supported variables now are: ${time},${uid} and ${null} * lib/krb5/krb5.conf.5: document default_cc_name * lib/krb5/cache.c (krb5_cc_set_default_name): s/libdefault/libdefaults/ 2004-08-06 Love Hörnquist Åstrand * lib/krb5/acache.c: replace magic 3 with ccapi_version_3 * lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c * lib/krb5/krb5.h: add krb5_acc_ops * lib/krb5/acache.c: CCAPI v3 implementation, the read only support was from Magnus Ahltorp and then extended by me to support all other operations. 
Tested with MIT kerberos cc cache implementation on MacOS 10.3.3 * lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the default cc name, this is not very useful for general purpose glue since its not possible to glue in user information (like uid), but for CCAPI it works just fine 2004-08-05 Love Hörnquist Åstrand * kuser/kgetcred.1: document --cache/-c * kuser/kgetcred.c: allow to specify what credential cache to use 2004-08-03 Love Hörnquist Åstrand * lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3 * lib/krb5/krb5_eai_to_heim_errno.3: document krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno * lib/krb5/krb5.3: add krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno 2004-07-26 Love Hörnquist Åstrand * lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms result should be free with krb5_free_host_realm drop krb5_get_host_realm text * lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result should be free with krb5_free_host_realm * lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep * lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds * lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator * lib/krb5/Makefile.am: man_MANS += krb5_rd_error * lib/krb5/krb5_rd_error.3: krb5_rd_error and friends * lib/krb5/krb5_warn.3: clarify on what string krb5_free_error_string should operate on * lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred * lib/krb5/Makefile.am: krb5_get_credentials, krb5_get_forwarded_creds and friends * lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds and friends * lib/krb5/krb5_get_credentials.3: krb5_get_credentials and friends 2004-07-23 Love Hörnquist Åstrand * kuser/klist.c (print_cred_verbose): keytypes are no longer, use enctype 2004-07-22 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99 compilers, From metze at samba.org 2004-07-20 Love Hörnquist Åstrand * lib/krb5/test_cc.c: more cc tests * lib/krb5/krb5_check_transited.3: document 
krb5_check_transited 2004-07-19 Love Hörnquist Åstrand * kdc/pkinit.c (pk_principal_from_X509): reverse test, makes principal in cert work From: Mayur Patel 2004-07-18 Love Hörnquist Åstrand * lib/krb5/Makefile.am: add krb5_verify_init_creds.3 * lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds 2004-07-15 Love Hörnquist Åstrand * lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org description for krb5_passwd_result_to_string 2004-07-14 Love Hörnquist Åstrand * lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar fixes; split sentence in two for better understanding. From wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here. * lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan Stone * lib/krb5/changepw.c (process_reply): cast ssize_t to long and print that From NetBSD via Havard Eidnes. 2004-07-09 Love Hörnquist Åstrand * configure.in: fix helpstring for hdb-openldap-module * lib/krb5/test_cc.c: don't use krb5_err on error code 0 2004-07-08 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better 2004-07-02 Love Hörnquist Åstrand * lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const 2004-07-01 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with right argument 2004-06-27 Johan Danielsson * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the krbtgt is without addresses, default to not sending our own addrport * lib/asn1/lex.l: add support for /* */ and partial line -- comments * kuser/Makefile.am: don't install copy_cred_cache manpage 2004-06-24 Johan Danielsson * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if copying a static opt, make sure to allocate the "private" field 2004-06-24 Love * kdc/config.c: add enable_pkinit_princ_in_cert * kdc/kdc_locl.h: enable_pkinit_princ_in_cert * kdc/pkinit.c: Check certificate for Kerberos Principal in OtherName of subjectAltName Based on patch from Mayur Patel 2004-06-21 Love Hörnquist Åstrand 
* lib/krb5/get_cred.c (init_tgs_req): if subkey not avaible, use session key for authorization-data 2004-06-15 Love Hörnquist Åstrand * kdc/connect.c (handle_tcp): note who is what that closed the connection on us 2004-06-09 Love Hörnquist Åstrand * admin/get.c (kt_get): catch errors from krb5_parse_name 2004-06-05 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: if its the entry just contains the structural object (no samba nor heimdal object), add an aux heimdal object on to it. 2004-06-02 Love Hörnquist Åstrand * kpasswd/kpasswd.c: use krb5_set_password_using_ccache * lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache * lib/krb5/changepw.c: implement krb5_set_password_using_ccache * lib/hdb/hdb-ldap.c: Allow the objectClass to be "sambaSamAccount" or structural_object when searching for uid entries. * lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base * lib/hdb/hdb-ldap.c: add creation base that defaults to the search base * lib/hdb/hdb-ldap.c: indent like the rest of the code 2004-06-01 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: check return values from ldap operations and close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you should retry by yourself. * lib/hdb/hdb-ldap.c: require search base to be configured, create local context structure 2004-05-31 Love Hörnquist Åstrand * doc/setup.texi: more ldap text, partly from Tarjei Huse 2004-05-28 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: clean, indent * lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure krb5KeyVersionNumber is added on new entires 2004-05-27 Love Hörnquist Åstrand * doc/setup.texi: minor fixes, partly from Tarjei Huse * lib/krb5/krb5.conf.5: some text about dbname and realm * lib/krb5/krb5.conf.5: default value for hdb-ldap-structural-object is account 2004-05-26 Love Hörnquist Åstrand * tools/Makefile.am: use ! 
instead of , as sed delimiter 2004-05-25 Love Hörnquist Åstrand * lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions 2004-05-23 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean * lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure option * lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From: Andrew Bartlett * lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length check From: Andrew Bartlett * lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword case, make sure ent->etypes are allocated, From: Andrew Bartlett 2004-05-14 Love Hörnquist Åstrand * kuser/kinit.c: move "setpag if (argc < 1)" to common path 2004-05-12 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers * fix-export: use right argument for -E 2004-05-06 Johan Danielsson * kuser/kinit.c: print some diagnostics if the exec fails 2004-04-29 Love Hörnquist Åstrand * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key From: Luke Howard * lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket, not just a pointer size of it From: Luke Howard 2004-04-28 Love Hörnquist Åstrand * fix-export: add -E flag where needed to make-proto 2004-04-26 Love Hörnquist Åstrand * lib/krb5/crypto.c: add set_param for RC2 * lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids that are no longer needed * kdc/pkinit.c: use krb5_enctype_to_oid * lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists before we compare with it * lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length before returning it add aes-oids * lib/krb5/crypto.c: add krb5_enctype_to_oid and krb5_oid_to_enctype * kdc/pkinit.c: use krb5_crypto_set_params * lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none * lib/krb5/krb5.h: add KEYTYPE_AES192 * lib/krb5/pkinit.c: use krb5_crypto_get_params to implement kcrypto RC2 support * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype rc2-cbc XXX 
RC2CBCParameter is wrong because the compiler is broken * lib/krb5/krb5.h: add KEYTYPE_RC2 * lib/krb5/crypto.c: add partial CMS parameter handling, this is needed for RC2 * lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp * lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c * lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp * lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken 2004-04-26 Johan Danielsson * lib/krb5/config_file.c: allow parsing directly from strings with krb5_config_parse_string_multi * lib/krb5/verify_krb5_conf.c: try to resolve hostnames 2004-04-25 Johan Danielsson * lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file descriptor so we don't have to keep track of it in two places * kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in libkrb5 * lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its own manpage * replace krb5_free_creds_contents by krb5_free_cred_contents * lib/krb5/cache.c: add krb5_cc_next_cred_match() and krb5_cc_copy_cred_match() * lib/krb5/creds.c (krb5_compare_creds): add more matching options * lib/krb5/krb5.h: add more creds match flags * kuser/copy_cred_cache: add --valid-for option * lib/krb5/store.c (krb5_store_creds): set is_skey flag if length of second ticket is > 0 2004-04-25 Love Hörnquist Åstrand * lib/krb5/pkinit.c: use the right oid for pkauthdata * lib/krb5/pkinit.c: always send both win2k compat version and the ietf draft one, this is possible since microsoft use wrong/diffrent PA number. Make the configuration flag boolean configuring if NOT to send the win2k compat glue. * lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec * kuser/copy_cred_cache.1: pacify mdoclint * kdc/pkinit.c: use IV for envelopeddata encryption, patch originally from Luke Howard , tweeked by me. 
* lib/krb5/krb5_storage.3: document KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER * lib/krb5/krb5_data.3: document that krb5_data_free cleans the structure too * lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch originally from Luke Howard , tweeked by me. 2004-04-24 Johan Danielsson * kuser/copy_cred_cache.{c,1}: add cred cache copy tool * configure.in: use rk_SYS_LARGEFILE * lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder issue with a storage flag instead of a separate function. 2004-04-24 Love Hörnquist Åstrand * lib/krb5/pkinit.c: move out the oid check from get_reply_key * lib/krb5/pkinit.c: uniquify error messages * lib/krb5/init_creds_pw.c: make the pkinit nonce same os the plain nonce for now * lib/krb5/pkinit.c: more w2k compat from Luke Howard add RC2 support, clean up error messages * lib/krb5/pkinit.c: remove more dependency on krb5_config->pkinit_flags * lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft style answer to IETF, From Luke Howard (_krb5_pk_create_sign): ms handles NULL in param, so always send it (_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool } * lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the digestAlgorithm to sha1 (both for SignerInfo and SignedData, add new function _set_digest_alg to set it 2004-04-23 Love Hörnquist Åstrand * include/make_crypto.c: include rc2.h, and when I'm here, make aes mandatory * lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT kerberos * lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on failure * lib/krb5/crypto.c (DES3_random_to_key): make it produce the right result (DES3_postproc): use DES3_random_to_key (krb5_random_to_key): check the required number of bits (not the size of the key) * lib/krb5/aes-test.c: test random to key function * lib/krb5/string-to-key-test.c: comment out the "@"/"" test for now 2004-04-22 Love Hörnquist Åstrand * lib/krb5/krb5_string_to_key.3: document that krb5_string_to_key_derived is broken 
for non 3des enctypes and thus deprecated * kdc/pkinit.c (generate_dh_keyblock): use the new function krb5_random_to_key * lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they need special processing * lib/krb5/crypto.c (krb5_random_to_key): new function * lib/krb5/krb5_keyblock.3: document krb5_random_to_key 2004-04-21 Love Hörnquist Åstrand * kdc/pkinit.c: use the first proposed enabled enctype * lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the return from krb5_enctype_valid * kdc/pkinit.c: at least try to handle different enveloped enctypes 2004-04-21 Love Hörnquist Åstrand * lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid components being smaller than 127 and allocate one extra element since the first byte is split into two elements. 2004-04-20 Love Hörnquist Åstrand * lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE: private use, lukeh@padl.com 2004-04-19 Love Hörnquist Åstrand * lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode DH public key 2004-04-18 Love Hörnquist Åstrand * lib/krb5/krb5_init_context.3: add krb5_context so it's added as manpage-link too 2004-04-17 Love Hörnquist Åstrand * lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation, XXX add locking * kuser/kdestroy.c: add --credential argument that just removes one credential entry out of the cache specified * kdc/pkinit.c: replace the krb5.conf configuration option that describes the mapping between principals and subject names with a file, default /var/heimdal/pki-mapping. XXX this should be pushed into HDB. 
XXX should add issuer too * kdc/config.c: merge certificate/private_key to a user_id 2004-04-16 Love Hörnquist Åstrand * kdc/kdc_locl.h: update prototype for pk_initialize * kuser/kinit.c: merge certificate/private_key to a user_id * kdc/pkinit.c: adapt to heim_integer changes * lib/krb5/pkinit.c: merge certificate/private_key to a user_id * kdc/pkinit.c: adapt to heim_integer changes, merge certificate/private_key to a user_id 2004-04-15 Love Hörnquist Åstrand * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE 2004-04-13 Love Hörnquist Åstrand * lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building libkrb5.la, add KRB5_LIB_FUNCTION proto * lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION * configure.in: export KRB5_LIB_FUNCTION when building with BUILD_KRB5_LIB * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add error strings * lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing is printed on stderr, fflush it * lib/krb5/krb5_keyblock.3: free functions also zeros out the key * lib/krb5/krb5_get_init_creds.3: some text about krb5_prompter_posix * lib/krb5/krb5.conf.5: document hdb-ldap-structural-object * lib/krb5/cache.c: add krb5_cc_get_prefix_ops * lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops 2004-04-05 Love Hörnquist Åstrand * appl/test/http_client.c: support GSS_C_DELEG_FLAG and GSS_C_MUTUAL_FLAG * appl/test/http_client.c: verbose logging 2004-04-02 Love Hörnquist Åstrand * kdc/connect.c: case size_t to unsigned long for LP64 platforms 2004-04-01 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of default structural object * tools/Makefile.am: handle sed expression breaking 2004-03-31 Love Hörnquist Åstrand * lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr * lib/krb5/changepw.c: add tcp support to the set protocol, should be cleaned up to enable sharing code with krb5_sendto * kpasswd/kpasswd.c (change_password): remove extra free * lib/krb5/krb5_acl_match_file.3: try to 
pacify mdoc macros on osf/1 2004-03-30 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't increase md->len, krb5_padata_add already does that * lib/krb5/init_creds.c: its PAC not PAQ * kuser/kinit.c: its PAC not PAQ * kdc/kerberos4.c: stop the client from renewing tickets into the future From: Jeffrey Hutzelman 2004-03-29 Love Hörnquist Åstrand * configure.in: try to handle sys/strtty.h needing sys/stream.h 2004-03-23 Love Hörnquist Åstrand * lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no longer used * kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/ * lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to external users by prefixing it with _ * lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/ * lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external users by prefixing it with _ 2004-03-22 Love Hörnquist Åstrand * lib/krb5/pkinit.c: add missing } 2004-03-21 Love Hörnquist Åstrand * kdc/pkinit.c: adapt to change of signature of _krb5_pk_load_openssl_id * lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add prompter argument and use it * kuser/kinit.c: adapt to signature change of krb5_get_init_creds_opt_set_pkinit * lib/krb5/krb5.3: add more stuff, 105 functions to go * lib/krb5/krb5_rcache.3: add krb5_get_server_rcache * lib/krb5/krb5_rcache.3: framework for replay cache manpage * lib/krb5/krb5_string_to_key.3: document string to key functions * lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3 krb5_find_padata.3 krb5_generate_random_block.3 * lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length * lib/krb5/krb5.3: add some more, 137 to go * lib/krb5/krb5_principal.3: document krb5_get_default_principal * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey * lib/krb5/krb5_generate_random_block.3: document krb5_generate_random_block * lib/krb5/krb5_find_padata.3: document padata functions * lib/krb5/krb5.3: add some more, 142 to go * lib/krb5/krb5_creds.3: drop .Pp before .Sh * 
lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm * lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname and krb5_expand_hostname_realms * lib/krb5/krb5.3: add more functions, 147 to go * lib/krb5/krb5_creds.3: document krb5_creds * lib/krb5/krb5_get_init_creds.3: add more functions, some more text * lib/krb5/krb5_ticket.3: document krb5_ticket_get_authorization_data_type 2004-03-20 Love Hörnquist Åstrand * lib/krb5/aes-test.c: remove #if 0'ed code * lib/krb5/krb5.3: add keyblock functions, 177 functions to go * lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache * lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket * lib/krb5/krb5_config.3: document krb5_config_free_strings and krb5_config_file_free * lib/krb5/krb5_create_checksum.3: add krb5_hmac * lib/krb5/krb5.3: add keyblock functions, 190 functions to go * lib/krb5/krb5_keyblock.3: update .Dd * lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and krb5_generate_random_keyblock * lib/krb5/krb5_init_context.3: add krb5_init_ets * lib/krb5/krb5_config.3: add more krb5_config_ functions and prototypes * lib/krb5/krb5_init_context.3: document context modifcation functions: address list, config file, use admin kdc, fcc version * lib/krb5/krb5_storage.3: document krb5_storage and related functions * lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc manpages and test_acl test program * lib/krb5/krb5.3: add error string functions and sort * lib/krb5/krb5_warn.3: document krb5_abort and error string functions * lib/krb5/krb5.3: add missing functions, only 285 left to document * lib/krb5/krb5_crypto_init.3: remove various enctype related function * lib/krb5/krb5_encrypt.3: add various enctype related function here * lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid krb5_cksumtype_valid * lib/krb5/crypto.c: real return values for krb5_{enctype,cksumtype}_valid * lib/krb5/krb5_create_checksum.3: add some functions and descriptions * lib/krb5/krb5_c_make_checksum.3: 
move out non krb5_c functions * lib/krb5/krb5_auth_context.3: document krb5_auth_con_generatelocalsubkey * lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags * lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name * lib/krb5/krb5_init_context.3: document krb5_add_et_list * lib/krb5/krb524_convert_creds_kdc.3: document krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache * lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_* * lib/krb5/test_acl.c: test for generic acl code * lib/krb5/acl.c: plug memory leak on file matching, make it not fall over when no non matching acl, make fnmatch matching useful by switching arguments 2004-03-19 Love Hörnquist Åstrand * kdc/config.c: add --builtin-hdb command * lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin backends * doc/setup.texi: include Luke Howard of PADL.COM ldap hdb documentation * doc/win2k.texi: fix bugs in examples, add more restrictions, use example.com as an example. From: Pavel Ferdan 2004-03-18 Johan Danielsson * lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin] password_lifetime; from Henry B. Hotz 2004-03-14 Love Hörnquist Åstrand * lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY is set send subkey (generate if needed) * lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY 2004-03-14 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks, and free memory in error path, assume realloc(NULL, ...) 
works, factor out common code, indent 2004-03-12 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c: understand [password_quality] spelling * kuser/kgetcred.1: document --canonicalize * kuser/kgetcred.c: add --canonicalize 2004-03-10 Love Hörnquist Åstrand * lib/krb5/fcache.c (fcc_store_cred): NULL terminate krb5_config_get_bool_default's arglist 2004-03-09 Love Hörnquist Åstrand * kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply * kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry * kdc/pkinit.c: pass client hdb_entry to pk_check_client * kdc/kdc_locl.h: pass client hdb_entry to pk_check_client * kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since it's more like the language in RFC3280 * lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since it's more like the language in RFC3280 * lib/krb5/krb5.conf.5: document [libdefaults]fcc-mit-ticketflags=boolean * lib/krb5/fcache.c (fcc_store_cred): use [libdefaults]fcc-mit-ticketflags=boolean to decide what format to write the fcc in. Default to mit version (aka heimdal 0.7) * lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and _krb5_store_creds_heimdal_pre_0_7 that store the creds in just that format; make krb5_store_creds default to mit format * lib/krb5/store.c (krb5_ret_creds): Detect at runtime which bits are the high bits of the bitfield 2004-03-08 Love Hörnquist Åstrand * lib/krb5/store.c (krb5_store_creds): add disabled code that stores the ticket flags in reverse order (bitswap32): new function * lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags are set, it's a mit cache, reverse the bits, bug pointed out by Sergio Gelato 2004-03-07 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP * * kuser/kinit.c: when running kinit with a subprocess, fetch new tickets after half the tickets' lifetime * lib/hdb/hdb.c: spelling * lib/hdb/hdb-ldap.c: Integrate Heimdal's hdb-ldap and the Samba password database. 
From: Andrew Bartlett * kdc/config.c: add --disable-DES * kdc/kdc.8: document --detach and --disable-DES * kdc/kerberos5.c: check if enctype is disabled before using it * lib/krb5/crypto.c: add support for disabling checksum/encryption types * tools/kdc-log-analyze.pl: add more cases * kdc/connect.c: on strange tcp error; log local port number and socket type * lib/asn1/der.h: fix prototype of encode_utf8string * lib/asn1/gen.c: catch CHOICE and generate dummy placeholder * lib/asn1/lex.l: added dummy parsing of CHOICE * lib/asn1/parse.y: added dummy parsing of CHOICE * lib/asn1/k5.asn1: drop SMTP_NAME 2004-03-06 Love Hörnquist Åstrand * lib/hdb/Makefile.am: support building ldap backend as module sort asn1 hdb files * lib/hdb/hdb.c: when building ldap as a shared module, don't include it in the list * configure.in: add --enable-hdb-openldap-module * lib/hdb/hdb-ldap.c: make ldap possible to build as a shared module * lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew Bartlett * lib/krb5/crypto.c (decrypt_internal_special): do not not modify the original data test case from Ronnie Sahlberg 2004-03-03 Love Hörnquist Åstrand * lib/krb5/test_cc.c: more cc tests, mostly related to mcc behavior * lib/krb5/mcache.c (mcc_get_principal): also check for primary_principal == NULL now that that isn't used as dead flag * lib/krb5/mcache.c: don't overload the primary_principal == NULL as dead since that doesn't always work. 
Based on patch from Jeffrey Hutzelman, tweaked by me 2004-02-22 Love Hörnquist Åstrand * kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp * lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp * lib/hdb/db3.c: fix all db >= 4.1 cases * doc/setup.texi: add text about hostname to realm mapping using DNS 2004-02-20 Love Hörnquist Åstrand * kdc/pkinit.c: update error codes * lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_ * lib/krb5/pkinit.c: update error codes 2004-02-19 Love Hörnquist Åstrand * lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort() * lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling * lib/krb5/store.c: handle memory allocation errors * lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok, and don't put an error in the error strings then 2004-02-13 Love Hörnquist Åstrand * kdc/pkinit.c: s/heim_big_integer/heim_integer/ * lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/ * kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors * lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors * lib/krb5/heim_err.et: add HEIM_PKINIT specific errors 2004-02-12 Love Hörnquist Åstrand * configure.in: rename AC_WFLAGS to rk_WFLAGS * acinclude.m4: use m4_define, over-quote string 2004-02-11 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c (change_password): handle that printf("%.*s", 0, (void*)NULL); doesn't work on solaris 2004-02-10 Love Hörnquist Åstrand * kpasswd/kpasswd.c (change_password): handle that printf("%.*s", 0, (void*)NULL); doesn't work on solaris * lib/krb5/krb5.conf.5: don't use paths in the first .Nm, it confuses some locate.updatedb, use the FILES section to describe where the file is instead. 2004-02-07 Love Hörnquist Åstrand * lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned for certain negative integers, it got the length wrong", from Panasas, Inc. 
* lib/asn1/der_length.c: Fix len_unsigned for certain negative integers, it got the length wrong, fix from Panasas, Inc. rename len_int and len_unsigned to _heim_\& * lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int 2004-02-06 Dave Love * configure.in: Check for sys/socket.h, net/if.h. Modify term.h, security/pam_appl.h tests. 2004-02-03 Love Hörnquist Åstrand * lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add up the size of all the elements, don't use just the size of the last element. * lib/krb5/aes-test.c: add "next iv" test for aes128, check decryption case too * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of the next to last block, fix decryption case too * lib/krb5/aes-test.c: add "next iv" test for aes128 * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of the next to last block * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode error * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode error * lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1 encode error * lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode error * lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1 encode error * lib/krb5/build_auth.c (krb5_build_authenticator): abort on internal asn1 encode error * lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal asn1 encode error 2004-01-30 Love Hörnquist Åstrand * doc/setup.texi: some text about order of [capaths] realms 2004-01-25 Love Hörnquist Åstrand * lib/krb5/context.c: register WRFILE ops * lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE) * lib/krb5/krb5.h: add krb5_wrfkt_ops * kpasswd/kpasswdd.c (change): use the right password when changing the password 2004-01-21 Love Hörnquist Åstrand * lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it means that the filesystem doesn't support locking * lib/krb5/keytab.c: remove #if 0 out file locking code 2004-01-19 Love Hörnquist Åstrand * 
lib/asn1/gen_length.c (length_type): TSequenceOf: add up the size of all the elements, don't use just the size of the last element. 2004-01-13 Love Hörnquist Åstrand * kuser/kinit.c (renew_validate): if renewable_flag and not time specifed, use "1 month" 2004-01-08 Love Hörnquist Åstrand * lib/krb5/krb5_keyblock.3: add prototypes, describe krb5_keyblock_zero 2004-01-05 Love Hörnquist Åstrand * lib/krb5/get_for_creds.c (add_addrs): don't add same address multiple times * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to handle errors better for previous commit * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets are address-less, forward address-less tickets. * lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and export it heimdal-1.7~git20150920+dfsg/ChangeLog.2005000066400000000000000000001705141257755311500176120ustar00rootroot000000000000002005-12-15 Love Hörnquist Åstrand * kdc/kerberos5.c (tgs_make_reply): less const on hdb_entry_ex to make samba happy * fix-export: Build kdc-private.h. 2005-12-14 Love Hörnquist Åstrand * kdc/kerberos5.c (tgs_rep2): also print the principal for which the enctype was missing 2005-12-13 Love Hörnquist Åstrand * kdc/kaserver.c: Finish up transition from hdb_entry to hdb_entry_ex. * kdc/kerberos4.c: Finish up transition from hdb_entry to hdb_entry_ex. * kdc/524.c: Finish up transition from hdb_entry to hdb_entry_ex. * kdc/kerberos5.c: Finish up transition from hdb_entry with hdb_entry_ex. * lib/krb5/cache.c (krb5_cc_set_default_name): use KRB5_DEFAULT_CCNAME. * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME, pointer to default credential cache. * lib/hdb/ndbm.c: memset hdb_entry_ex before use * lib/hdb/db3.c: memset hdb_entry_ex before use * lib/hdb/db.c: memset hdb_entry_ex before use 2005-12-12 Love Hörnquist Åstrand * lib/krb5/krb5.3: Add some more entrypoints. 
* lib/krb5/changepw.c: If there is a target principal, use the realm of the realm to change the password with, * kuser/kinit.c: Default to use DH when fetching keys. * lib/hdb, kdc, kadmin/load.c: Wrap hdb_entry with hdb_entry_ex, patch originally from Andrew Bartlet * lib/hdb/hdb-ldap.c: Wrap hdb_entry with hdb_entry_ex, add url support, add ldapi support. * kdc/kerberos5.c (tgs_make_reply): there are no such things a keytypes any more, just use enctypes. * kdc/kdc_locl.h: Remove private prototypes and instead include . * kdc/Makefile.am: Build kdc-private.h and depend on it. * kdc/config.c (configure): wrap line * doc/kerberos4.texi: KDC 4 support is always compiled in. * TODO: Remove some stuff that have been done. * Makefile.am: Split long line * doc/apps.texi: Spelling, From Måns Nilsson. * doc/install.texi: spelling, From Måns Nilsson 2005-12-11 Love Hörnquist Åstrand * lib/krb5/krb5_principal.3: Constify principal argument to on krb5_principal_get_ functions. * lib/krb5/principal.c: Constify principal argument to on krb5_principal_get_ functions. 2005-12-08 Love Hörnquist Åstrand * lib/hdb: drop convert_db, 0.0 to 0.1 transition was a long long time ago 2005-12-05 Love Hörnquist Åstrand * lib/krb5/test_keytab.c: more tests, From Andrew Bartlet * lib/krb5/keytab_memory.c (mkt_remove_entry): realloc can return NULL on success in the case 0 entries are allocated, From Andrew Bartlet 2005-12-02 Love Hörnquist Åstrand * lib/krb5/acl.c (acl_parse_format): tmp needs to be freed too on failure to parse format specifier. * lib/krb5/store-test.c: Free more of the allocated memory. * lib/krb5/crypto.c (krb5_derive_key): Free more of the allocated memory, this function is only used by the test program. * lib/krb5/parse-name-test.c: Free more of the allocated memory. * lib/krb5/derived-key-test.c: Free more of the allocated memory. 
2005-12-01 Love Hörnquist Åstrand * doc/setup.texi: spelling, From Måns Nilsson * lib/krb5/krb5_keytab.3: Memory keytab are now named and refcounted. * lib/krb5/test_keytab.c: Test that memory keytab are refcounted. * lib/krb5/keytab_memory.c: Index by name and start reference counting on entries. 2005-11-30 Love Hörnquist Åstrand * lib/krb5/krb5.h (krb5_address_type): add KRB5_ADDRESS_NETBIOS (20) * lib/hdb/hdb.c (find_method): accept relative paths as old db format too. * lib/krb5/aes-test.c: Remove usage of krb5_enctype_to_keytype. 2005-11-29 Dave Love * kcm/connect.c (kcm_loop): Use HAVE_DOOR_CREATE, not HAVE_DOORS. 2005-11-29 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c (libdefaults_entries): add default_cc_name * lib/hdb/hdb.c: Only match db databases on filename starting with '/'. * lib/krb5/rd_req.c (krb5_verify_ap_re2): check timestamp in authenticator * lib/krb5/rd_req.c (check_transited): explain the TR-type 0 better and why it matters. * lib/krb5/test_cc.c: test krb5_cc_get_prefix_ops * lib/krb5/cache.c (krb5_cc_get_prefix_ops): change the behavior to return NULL when its not found, and fcc when the name starts with a '/'. Almost matches behavior in other parts of the code, but can't really do that since the name passed in to this function may only contain the prefix itself without the colon. 
* lib/krb5/cache.c (krb5_cc_get_prefix_ops): if there is no colon (:) in the name, it's a file credential cache * lib/hdb/db3.c (hdb_db_create): use calloc to allocate memory * lib/hdb/ndbm.c (hdb_ndbm_create): use calloc to allocate memory * lib/hdb/db.c (hdb_db_create): use calloc to allocate memory 2005-11-28 Love Hörnquist Åstrand * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use session key for delegated credentials * kdc/kerberos5.c (_kdc_as_rep): add comment when we send ETYPE-INFO and ETYPE-INFO2, from Andrew Bartlett 2005-11-25 Love Hörnquist Åstrand * lib/krb5/keytab.c (krb5_kt_get_full_name): new function 2005-11-24 Love Hörnquist Åstrand * lib/krb5/test_crypto.c: Split encryption and s2k iterations to different counters, 38 seconds of aes256 s2k is way too long. * lib/krb5/test_crypto.c: Add timing code for s2k function. 2005-11-07 Love Hörnquist Åstrand * kdc/kerberos5.c: Print the time the principal expired, based on patch from Andrew Bartlett. 2005-11-01 Love Hörnquist Åstrand * lib/krb5/cache.c (krb5_cc_get_full_name): Add 2005-11-01 Love Hörnquist Åstrand * configure.in: Spelling, From Michael Banck 2005-10-30 Love Hörnquist Åstrand * kcm/headers.h: Maybe include . 2005-10-27 Love Hörnquist Åstrand * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): understand KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but have KRB5_AUTHDATA_KDC_ISSUED commented out for now) 2005-10-26 Love Hörnquist Åstrand * kuser/klist.c: In the list caches view, rename the Status field to Expires. * lib/krb5/krb5_encrypt.3: Fix mdoc for krb5_encrypt_EncryptedData, Johnny Lam 2005-10-25 Love Hörnquist Åstrand * appl/test/gssapi_client.c: Check return value from asprintf instead of string != NULL since it is undefined behavior on Linux. From Björn Sandell 2005-10-21 Love Hörnquist Åstrand * lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are generated from the DH groups, fail. 
* kdc/pkinit.c (get_dh_param): Pass down config so this function can check pkinit_dh_min_bits * kdc/config.c: Fill in pkinit_dh_min_bits from configuration file. * kdc/kdc.h: Add pkinit_dh_min_bits to krb5_kdc_configuration. 2005-10-20 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Add option to require binding between reply and response for the win2k version of the protocol. 2005-10-19 Love Hörnquist Åstrand * doc/programming.texi: Text about Kerberos errors. * lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the Windows case to support the updated -09 protocol (using asChecksum). Tell KDC we support this by sending KRB5-PADATA-PK-AS-09-BINDING in the pa-data. * lib/krb5/test_cc.c: Test copy FILE -> FILE, and MEMORY -> MEMORY too. * lib/krb5/test_cc.c: Test krb5_cc_copy_cache and krb5_cc_cache_match. * lib/krb5/cache.c (krb5_cc_cache_match): add function that iterates over all credential caches for a user and returns a match. * lib/krb5/krb5_ccache.3: Add krb5_cc_start_seq_get and an example. 2005-10-18 Love Hörnquist Åstrand * doc/programming.texi: Try to explain krb5_ccache, krb5_principal and errors. 2005-10-13 Love Hörnquist Åstrand * lib/krb5/krb5_get_credentials.3: Add example how to use krb5_get_credentials. 2005-10-12 Love Hörnquist Åstrand * lib/krb5/init_creds.c: Rename private to opt_private. * lib/krb5/init_creds_pw.c: Rename private to opt_private. * lib/krb5/pkinit.c: rename element private to opt_private to make c++ picky compilers less upset. * lib/krb5/krb5.h (krb5_get_init_creds_opt): rename element private to opt_private to make c++ picky compilers less upset. 
2005-10-08 Love Hörnquist Åstrand * lib/krb5/krbhst.c (_krb5_krbhost_info_move): new function (_krb5_free_krbhst_info): expose to internal use * lib/krb5/init_creds_pw.c: Prepare to pass down a krb5_krbhst_info into the pre-auth mechs * lib/krb5/pkinit.c: Inline short functions, share more code, rename COMPAT_27 to COMPAT_IETF, pass down a krb5_krbhst_info for verification of KDC info, and general cleaning up. 2005-10-07 Love Hörnquist Åstrand * lib/krb5/Makefile.am: Install krb5.moduli in sysconfdir. * lib/krb5/krb5_locl.h: rename moduli file to SYSCONFDIR "/krb5.moduli" * lib/krb5/krb5_locl.h: Add forward declaration for krb5_dh_moduli. Add define for MODULI_FILE. * kdc/pkinit.c: Removing PK-INIT-19 support. * lib/krb5/pkinit.c: Removing PK-INIT-19 support. * lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on success. (krb5_get_init_creds_opt_set_pkinit): use moduli file if it exists * kdc/pkinit.c: Save DH group name and print it on success. * lib/krb5/pkinit.c (_krb5_dh_group_ok): if q is zero, ignore it. * kdc/pkinit.c: Check dh group parameters from client. * lib/krb5/krb5_err.et: Match error code with pk-init-27. * lib/krb5/pkinit.c: Update error codes. Add name to group. Change return value of _krb5_dh_group_ok. * lib/krb5/pkinit.c: Add support for reading a moduli-file for DH parameters. 2005-10-06 Love Hörnquist Åstrand * kuser/klist.1: Document --list-caches * kuser/klist.c: Change short flag of --list-caches to -l (-v is already used). 2005-10-03 Love Hörnquist Åstrand * lib/krb5/kerberos.8: RFC 1510 was obsoleted by 4120. * lib/krb5/acache.c (init_ccapi): return kerberos errors, callers expect it (acc_get_cache_first): don't leak memory or abort on malloc failure 2005-10-02 Love Hörnquist Åstrand * lib/krb5/kerberos.8: Update text about Kerberos RFC's. 2005-10-01 Love Hörnquist Åstrand * kuser/klist.c: Add option --list-caches that lists the avaible caches and their status. 
$ klist --list-caches Principal Cache name Status lha@E.KTH.SE 2 Valid lha@SU.SE 1 Expired lha/root@SU.SE 0 Expired lha@N.L.NXS.SE Initial default ccache Expired 2005-09-30 Love Hörnquist Åstrand * lib/krb5/keytab_keyfile.c: Use all DES keys, not just des-cbc-md5, verify that they all are the same. * lib/krb5/mcache.c Implement the cache iteration functions. * lib/krb5/acache.c: Implement the cache iteration functions. * lib/krb5/test_cc.c: Test the new cache iteration functions. * lib/krb5/cache.c: Add cache iteration funcations. Add internal allocation function for the memory of a krb5_ccache, and use it. * lib/krb5/krb5.h (krb5_cc_ops): add cache iteration functions 2005-09-25 Love Hörnquist Åstrand * lib/krb5/krb5_mk_req.3: Remove leftovers, remove extra space. * kdc/kerberos5.c: More verbose PK-INIT logging. * kdc/pkinit.c: The public DH key is encoded as an INTEGER in subjectPublicKey. Don't verify OID's for now. * lib/krb5/pkinit.c: Support cached DH variable (still need to store it though), don't check the oid of the DH signedData for now. 2005-09-22 Love Hörnquist Åstrand * lib/krb5/rd_cred.c (krb5_rd_cred): try both the session key and the sender subkey. Both RFC1510 and RFC4120 say that you have to use the session key, Heimdal uses subkey. 2005-09-21 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Don't check oid's too closely, they change in Windows Vista. 2005-09-20 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Disable sending -19, fix parsing -27 of the protocol. * kdc/pkinit.c: Support PK-INIT-27 DH (and remove -19) * lib/krb5/pkinit.c (pk_verify_chain_standard): set cert to NULL to make sure its not freed. 2005-09-19 Love Hörnquist Åstrand * lib/krb5/crypto.c (krb5_DES_string_to_key): If the opaque length it set to 1, and content is 0x01, use the afs3 string-to-key. * kdc/kerberos5.c (make_etype_info2_entry): When its a afs3-salted key, use send the opaque, length 1 (with content set to 0x01) in ETYPE-INFO2-ENTRY. 
* lib/krb5/kcm.c: Remove signedness warnings. 2005-09-15 Love Hörnquist Åstrand * configure.in: Use libtool's default values for building shared/static libraries, i.e. remove AC_ENABLE_SHARED(no), solves building problems users have on Mac OS X. 2005-09-08 Love Hörnquist Åstrand * lib/krb5/changepw.c: Constify password. 2005-09-05 Love Hörnquist Åstrand * lib/krb5/krb5_mk_req.3: Document krb5_rd_req. * lib/krb5/Makefile.am: MAN_mans+= krb5_mk_req.3 * lib/krb5/krb5_mk_req.3: Document krb5_mk_req, krb5_mk_req_exact, krb5_mk_req_extended, krb5_rd_req, krb5_rd_req_with_keyblock, krb5_mk_rep, krb5_mk_rep_exact, krb5_mk_rep_extended, krb5_rd_rep, krb5_build_ap_req, krb5_verify_ap_req. 2005-09-01 Love Hörnquist Åstrand * kdc/kerberos5.c (make_etype_info_entry): Don't send salttype at all, use KRB5-PADATA-AFS3-SALT 2005-08-31 Love Hörnquist Åstrand * kdc/kerberos5.c (log_timestamp): endtime, not endtype 2005-08-30 Love Hörnquist Åstrand * configure.in: Check for . * kcm/connect.c (update_client_creds): in case there is no UCRED_VERSION, skip LOCAL_PEERCRED * kcm/headers.h: include 2005-08-27 Love Hörnquist Åstrand * lib/krb5/rd_req.c (check_transited): Allow empty content of type 0 because that is what Microsoft generates in their TGT. * kdc/kerberos5.c (fix_transited_encoding): Allow empty content of type 0 because that is what Microsoft generates in their TGT. 2005-08-26 Love Hörnquist Åstrand * doc/intro.texi: RFC 4120 replaces RFC 1510 2005-08-25 Love Hörnquist Åstrand * configure.in: Add --disable-afs-support. 2005-08-23 Love Hörnquist Åstrand * lib/krb5/Makefile.am: Add test_hostname to check_PROGRAMS but not TESTS, I have no sane dns to use. * lib/krb5/test_hostname.c: Test program for krb5_expand_hostname() and krb5_expand_hostname_realms(). * configure.in: Build KCM if we have doors or unix sockets. * lib/krb5/principal.c (krb5_425_conv_principal_ex2): Remove shadowing variable. * lib/krb5/get_host_realm.c (dns_find_realm): Fix const warnings, plug memory leak. 
From: Stefan Metzmacher * lib/krb5/krb5_config.3: Document what happens with NULL to krb5_config_free_strings (nothing). Mdoc nit. 2005-08-22 Love Hörnquist Åstrand * kuser/klist.c (check_for_tgt): Re-order code so it only free the credential if one was returned. * lib/krb5/test_crypto_wrapping.c: Fix printing of size_t. 2005-08-19 Love Hörnquist Åstrand * lib/hdb/dbinfo.c: provide interface to find databases * lib/hdb/mkey.c: hdb_seal_key_mkey): dont double encrypt keys 2005-08-15 Love Hörnquist Åstrand * kdc/kdc_locl.h: Update prototype for _kdc_pk_mk_pa_reply. 2005-08-13 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: Save the request buffer so that pre-auth mechanism that needs it can verify the reply. 2005-08-12 Love Hörnquist Åstrand * lib/krb5/test_mem.c: Rename logf to avoid shadowing. * lib/krb5/krb5_keytab.3: Fix the version number for fcc-mit-ticketflags. * lib/krb5/fcache.c: Revert previous, I was confused. * lib/krb5/krb5_keytab.3: Document fcc-mit-ticketflags in COMPATIBILITY section. * lib/krb5/fcache.c (fcc_store_cred): default to MIT style ticket flags. * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break; * lib/krb5/krb5_create_checksum.3: Update prototype for krb5_create_checksum. * kdc/pkinit.c: Make compile. * lib/krb5/pkinit.c: Implement verification of asChecksum, now client side code is using -27 of the pk-init draft. * kdc/kdc_locl.h: update prototype for _kdc_as_rep * kdc/pkinit.c: Fill in asChecksum, we now implements -27 in the KDC. * kdc/process.c: Pass down the request buffer to _kdc_as_rep(). * kdc/kerberos5.c (_kdc_as_rep): Pass down the request buffer to _kdc_pk_mk_pa_reply. 2005-08-11 Love Hörnquist Åstrand * lib/hdb/ext.c: HDB extensions access glue. * kcm/acquire.c: Use krb5_set_password instead of krb5_change_password. * configure.in: Add tests/Makefile and tests/db/Makefile. * NEWS: New ASN.1 compiler * lib/hdb/Makefile.am: Build extensions. * lib/hdb/print.c: Print extensions. 
* lib/hdb/hdb_err.et: Add error "Entry contains unknown mandatory extension". * lib/hdb/hdb.h: Update interface version (and indent). * lib/hdb/hdb.asn1: Add support for HDB-extension. 2005-08-10 Love Hörnquist Åstrand * lib/krb5/test_pkinit_dh2key.c: add test vectors from "Liqiang(Larry) Zhu" * lib/hdb/mkey.c: Expose the crypto operations on the master key. * lib/krb5/test_pkinit_dh2key.c: even more bits, not done yet 2005-08-09 Love Hörnquist Åstrand * kdc/kerberos5.c (_kdc_as_rep): preserve the error code in the ENC-TS case. From: Andrew Bartlett * kdc/kerberos5.c (tgs_rep2): only needs to log "Failed to verify authenticator" once, it's already done by tgs_check_authenticator(). * kdc/kerberos5.c: Indent strings. * kdc/kerberos5.c (log_timestamp): avoid shadow warnings From: Andrew Bartlett * lib/krb5/verify_user.c: Add krb5_verify_opt_alloc and krb5_verify_opt_free. * lib/krb5/krb5_verify_user.3: Document krb5_verify_opt_alloc and krb5_verify_opt_free. * lib/hdb/db3.c (DB_open): catch errors from the d->open calls instead of letting them slip through to d->cursor. Bug report from Andrew Bartlett 2005-07-29 Love Hörnquist Åstrand * kdc/Makefile.am (kdc_LDADD): add LDADD 2005-07-28 Love Hörnquist Åstrand * kdc/kerberos5.c (_kdc_as_rep): log what enctypes were used in ENC-TS preauth, both for failure and success. * kdc/hprop.c: Use the _krb5_krb_life_to_time function from libkrb5 instead of including our own here too. * kdc/kerberos5.c: indent printf strings * lib/hdb/mkey.c (hdb_unseal_key_mkey): try to unseal key with keyusage 0 in case the key was encrypted with MIT Kerberos (old patch from Johan) 2005-07-26 Love Hörnquist Åstrand * kdc/pkinit.c: update to pkinit-27 2005-07-23 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Adapt to IMPLICIT changes in CMS module.
2005-07-20 Love Hörnquist Åstrand * lib/krb5/test_pkinit_dh2key.c: framework for testing _krb5_pk_octetstring2key * kpasswd/kpasswdd.c (doit): krb5_addr2sockaddr takes a krb5_socklen_t * kdc/connect.c (de_http): sscanf takes a char *, not unsigned ditto, cast approriately * lib/krb5/crypto.c (_krb5_pk_octetstring2key): make sha1 output unsigned char to match openssl 2005-07-14 Love Hörnquist Åstrand * lib/hdb/common.c: Check encoder lengths from ASN1_MALLOC_ENCODE. 2005-07-13 Love Hörnquist Åstrand * lib/krb5/rd_cred.c (krb5_rd_cred): don't leak memory * lib/krb5/get_cred.c (krb5_get_credentials_with_flags): only call krb5_cc_retrieve_cred once, and plug memory leak. 2005-07-13 Love Hörnquist Åstrand * lib/hdb/Makefile.am: the new asn.1 compiler includes the modules name in the depend file * lib/krb5/keytab_file.c (fkt_start_seq_get_int): check return value from krb5_storage_from_fd * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): client do not contribute to the DH when the server doesn't support the cached DH request. * lib/krb5/crypto.c (_krb5_pk_octetstring2key): fix arguments 2005-07-12 Love Hörnquist Åstrand * lib/krb5/pkinit.c: clean up pk-init DH support, not finished yet; improve error reporting * lib/krb5/crypto.c (_krb5_pk_octetstring2key): string2key function used in pk-init-25 * configure.in: Use a configure switch to turn on PK-INIT, not by detecting existence of the new ASN.1 library. * lib/asn1: Much improved ASN.1 compiler from joda-choice-branch. Highlighs for the compiler is support for CHOICE and in general better support for tags. This compiler support most of what is needed for PK-INIT, LDAP, X.509, PKCS-12 and many other protocols. 
2005-07-10 Love Hörnquist Åstrand * lib/asn1: make scope variables unique to avoid shadow warnings 2005-07-09 Love Hörnquist Åstrand * lib/krb5/krb5.h: comment out paramenter name in typedef functions to avoid shadow warnings * lib/krb5/crypto.c: make input data to krb5_encrypt{,_ivec} const * kuser/klist.c: If there are no addresses, print addressless instead of nothing. * lib/krb5/Makefile.am (TESTS): add test_crypto_wrapping * lib/krb5/crypto.c (wrapped_length): the underived encrypted types checksum are all unkeyed (matches the code in encrypt_internal() and encrypt_internal_special()) * lib/krb5/test_crypto_wrapping.c: ETYPE_ARCFOUR_HMAC_MD5_56 isn't not supported * lib/krb5/test_crypto_wrapping.c: test encryption wrapping * lib/krb5/test_crypto.c (time_encryption): free cleartext buffer 2005-07-08 Love Hörnquist Åstrand * configure.in: run AM_INIT_AUTOMAKE before AM_PROG_CC_C_O otherwise am_aux_dir will be expanded using ac_aux_dir before the later is set. * configure.in: check for strings.h explicitly instead of depending on AC_HEADER_STDC to check it for us 2005-07-07 Assar Westerlund * configure.in: add AM_PROG_CC_C_O for automake 1.9 2005-07-06 Love Hörnquist Åstrand * lib/krb5/keytab.c (krb5_kt_get_entry): clear error string when returning a new error * lib/krb5/keytab.c: krb5_kt_close frees all resources, even on error. * lib/krb5/verify_init.c (krb5_verify_init_creds): `entry' unused, remove From: "Henry B. 
Hotz" 2005-07-05 Love Hörnquist Åstrand * doc/win2k.texi: arcfour-hmac-md5 support for windows cross was added in w2k3-sp1 From David Love * doc/setup.texi: document kadmin command password-quality instead of the not installed test_pw_quality * lib/krb5/krb5_get_init_creds.3: Spelling, from David Love * fix-export: build kdc-protos.h 2005-07-01 Love Hörnquist Åstrand * kdc: prefix pkinit symbols with _kdc * kuser/kinit.c: avoid shadowing variables * kuser: s/optind/optidx/ * kdc: adapt pkinit code to libkdc split 2005-06-30 Love Hörnquist Åstrand * tools/Makefile.am: add depency on LIB_dlopen and LIB_door_create * tools/krb5-config.in: add depency on LIB_dlopen and LIB_door_create * kdc/kdc_locl.h: indent, remove dup prototypes * kdc/libkdc: don't pollute namespace, generate public headerfile * lib/krb5/principal.c: add krb5_425_conv_principal_ext2 that work just like krb5_425_conv_principal_ext but takes a context variable for the verification function * kdc/Makefile.am: there is no export script, not pretend there is * kdc: Merge in the libkdc/kdc configuration split from Andrew Bartlet * lib/krb5/crypto.c: optionally compile in support for afs string2key * configure.in: add --disable-afs-string-to-key to allow removal of support for afs string2key (and dependency on crypt) 2005-06-29 Love Hörnquist Åstrand * kdc/kerberos5.c: Add logging of all timestamps in AS-REQ and TGS-REQ, for auditing * kdc/kerberos5.c (as_req): print the supported encryption types so its possible to know what clients to update. (find_rpath): return const char * and update callers. 2005-06-28 Luke Howard * kcm/connect.c: fix arguments to kcm_log() when reporting sendmsg() error * kcm/connect.c: don't send socket address in msghdr, it returns an already connected error on Linux 2005-06-24 Love Hörnquist Åstrand * kdc/524.c: Always include . 
2005-06-23 Love Hörnquist Åstrand * doc/intro.texi: no more libdes, gssapi lib is complete * lib/krb5/krb5.conf.5: Documentation for password quality control. From: "James F. Hranicky" * lib/krb5/verify_krb5_conf.c (password_quality_entries): add min_length and min_classes * kdc/kaserver.c: log the kaserver requests, avoid shadowing variables * lib/hdb/db3.c (DB_open): in case of error, close database * lib/hdb/ndbm.c (NDBM_open): in case of error, close database * lib/hdb/db.c (DB_open): in case of error, close database 2005-06-20 Love Hörnquist Åstrand * kcm/kcm.8: fix example 2005-06-17 Love Hörnquist Åstrand * lib/krb5/rd_rep.c: indent * lib/krb5/rd_rep.c (krb5_rd_rep): check if KRB5_AUTH_CONTEXT_DO_TIME set and use that as a que that timestamp should be checked, DCE-STYLE gssapi needs to be able to tweek this * kdc/string2key.c: rename optind to optidx * lib/hdb/convert_db.c: rename optind to optidx * lib/hdb/keytab.c: const poison, add a unconst where needed * lib/krb5/crypto.c (krb5_string_to_key): unconst password * lib/asn1/k5.asn1: rename pvno to krb5-pvno * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): unconst argument * lib/krb5/verify_krb5_conf.c: rename optind to optidx * lib/krb5/transited.c: rename the temporary string variable to `str' * lib/krb5/test_crypto.c: rename optind to optidx * lib/krb5/test_alname.c: rename optind to optidx * lib/krb5/store.c: unconst argument to krb5_store (XXX this should be fixed, krb5_store doesn't need to modify its argument) * lib/krb5/send_to_kdc.c (krb5_sendto): remove shadowing unnessecery variable ret * lib/krb5/rd_cred.c (krb5_rd_cred): remove shadowing unnessecery variable len * lib/krb5/prog_setup.c: rename optind to optidx * lib/krb5/padata.c: rename variable index to idx * lib/krb5/log.c: rename variable time to timestr to avoid shadowing * lib/krb5/krbhst.c (krb5_krbhst_init_flags): rename variable to avoid shadowing * lib/krb5/krbhst-test.c: rename optind to optidx * lib/krb5/kcm.c: unconst 
argumen to connect, unconst argument to krb5_store (XXX this should be fixed, krb5_store doesn't need to modify its argument) * lib/krb5/init_creds_pw.c (default_s2k_func): unconst password * lib/krb5/crypto.c: rename `encrypt' to avoid shadow warning 2005-06-16 Love Hörnquist Åstrand * lib/krb5/principal.c: rename index to idx * lib/krb5/mk_error.c: use rk_UNCONST * lib/krb5/fcache.c: rename to avoid shadowing * lib/krb5/config_file.c: rename to avoid shadowing * lib/krb5/cache.c (_krb5_expand_default_cc_name): just copy the string instead of losing const * lib/krb5/addr_families.c: use rk_UNCONST to silence const warning * lib/krb5/addr_families.c: rename sin to sin4 * lib/asn1/asn1_print.c: rename optind to optidx, remove shadowed variables * lib/asn1/main.c: rename optind to optidx * lib/asn1/gen_copy.c: rename to avoid shadowing * lib/asn1/gen_locl.h: rename function filename to get_filename * lib/asn1/lex.l: use get_filename * lib/asn1/gen.c: rename function filename to get_filename * lib/krb5/acache.c: use HAVE_DLOPEN around cc_handle * configure.in: add headers and prototypes to logwtmp, logout and openpty checks * configure.in: include headerfiles and set prototype for tgetent * kdc/kerberos5.c (make_etype_info2_entry): NUL terminate the string * kdc/kerberos5.c: replace strndup with inline copy, free data on failure * lib/krb5/cache.c (_krb5_expand_default_cc_name): replace strndup with inline copy * lib/krb5/log.c: rename close and log to avoid shadow warnings * lib/krb5/get_in_tkt.c: rename index to i to avoid shadowing * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): rename two of the local `realm' to srealm to avoid shadowing * kdc/kerberos5.c (tgs_rep2): rename one of the tkey to uukey to avoid shadow warning * kdc/kerberos5.c (tgs_rep2): rename loop to nloop to avoid shadow warning 2005-06-15 Love Hörnquist Åstrand * Release 0.7, see branch 2005-06-14 Love Hörnquist Åstrand * lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES += kcm.h 
* kuser/kinit.c (main): catch KRB5_CONFIG_BADFORMAT from krb5_init_context * kdc/main.c (main): catch KRB5_CONFIG_BADFORMAT from krb5_init_context * lib/krb5/verify_krb5_conf.c (main): catch KRB5_CONFIG_BADFORMAT from krb5_init_context From: Mathias Feiler * lib/krb5/verify_krb5_conf.c: Add more missig entires, from Mathias Feiler 2005-06-11 Love Hörnquist Åstrand * kdc/pkinit.c (pk_principal_from_X509): remember to free KRB5PrincipalName * lib/krb5/log.c (krb5_closelog): free all content in krb5_log_facility 2005-06-08 Love Hörnquist Åstrand * kdc/524.c: init kvno to please gcc * kdc/kaserver.c (do_authenticate): check return value from unparse_auth_args 2005-06-07 Dave Love * doc/setup.texi: Spelling. * doc/programming.texi: Spelling. 2005-06-02 Dave Love * kcm/connect.c (kcm_door_server): Make static. * kcm/kcm_locl.h (disallow_getting_krbtgt): Declare. 2005-06-02 Love Hörnquist Åstrand * kdc/mit_dump.c (mit_prop_dump): cast argument to krb5_parse_principal to avoid warning * kdc/mit_dump.c: rename KRB5_TL_MOD_PRINC to mit_KRB5_TL_MOD_PRINC to hint its a constant originating from mit codebase 2005-06-01 Love Hörnquist Åstrand * lib/krb5/store.c: If we are allocating 0 entires, avoid failing if ALLOC returns NULL * lib/krb5/verify_krb5_conf.c: Check for [kdc]v4-realm * lib/krb5/cache.c: When returning a new error code, set error string. 2005-05-31 Love Hörnquist Åstrand * lib/krb5/keytab_file.c: Adapt to changed signature of _krb5_xunlock, clear more error string where needed. 
* lib/krb5/fcache.c (_krb5_xunlock): catch the error and turn it into something sensible 2005-05-30 Love Hörnquist Åstrand * kdc/kerberos5.c (tgs_make_reply): copy ok-as-delegate flag from server entry to encrypted ticket flags 2005-05-30 Johan Danielsson * kdc/connect.c: rename sendlength to prependlength (which hopefully better represents its purpose), and change type to krb5_boolean * kdc/connect.c: log signal causing exit * kdc/main.c (sigterm): set exit_flag to signal causing exit; (main): trap SIGXCPU 2005-05-30 Love Hörnquist Åstrand * kcm/kcm.8: document --disallow-getting-krbtgt and --door-path * kcm/protocol.c (kcm_op_retrieve): check server for krbtgt, not client * kcm/main.c: ignore SIGPIPE * kcm/protocol.c: Add option to disallow getting krbtgt out from KCM. KCM will do the fetching part itself. * kcm/config.c: Add option to disallow getting krbtgt out from KCM. KCM will do the fetching part itself. 2005-05-30 Luke Howard * kcm/events.c: if credentials have expired when attempting to renew, attempt to reacquire them using initial creds 2005-05-29 Love Hörnquist Åstrand * lib/krb5/krb5_principal.3: Spelling, from Björn Sandell * doc/setup.texi: spelling, from Björn Sandell * lib/krb5/name-45-test.c: XXX don't run the test unless the machine is in kth.se or su.se because it depends on local resolver configuration. * lib/hdb/hdb.c: provide RTLD_NOW and RTLD_GLOBAL if they don't exist * kcm/connect.c: fix doors support, fix signedness warnings * kcm/config.c: add --door-path= * configure.in: comment what the "detect doors on solaris" fragment tries to do * kcm/acquire.c (generate_random_pw): fix signed-ness warnings * kcm/connect.c (update_client_creds): fix compile error in the getpeerucred case * lib/krb5/test_cc.c: change format for expansion variables in default_cc_name to %{variable} to not confuse them with shell ditto * kcm/headers.h: Maybe include .
* kcm/kcm_locl.h: add extern door_path; * configure.in: detect doors using door_create * kcm/Makefile.am: add dependcy on kcm_protos.h add lib depency on LIB_door_create * lib/krb5/kcm.h: add _PATH_KCM_DOOR, default path to kcm door * lib/krb5/kcm.c: use [libdefaults]kcm_door to find the door to kcm * lib/krb5/Makefile.am: libkrb5_la_LIBADD += LIB_door_create * lib/krb5/krb5_locl.h: Maybe include , maybe include . * lib/krb5/kcm.c (kcm_send_request): add support for doing a door call to kcm * lib/asn1: prefix Der_class with ASN1_C_ to avoid problems with system headerfiles that pollute the name space * kcm/kcm.8: change format for expantion variables in default_cc_name to %{variable} to not confuse them with shell ditto * lib/krb5/krb5.conf.5: change format for expantion variables in default_cc_name to %{variable} to not confuse them with shell ditto * lib/krb5/cache.c (_krb5_expand_default_cc_name): change format for expantion variables to %{variable} to not confuse them with shell ditto * kcm/connect.c: add LOCAL_PEERCRED and experimental doors support 2005-05-27 Love Hörnquist Åstrand * appl/kf/kfd.c: case uid_t to unsigned long in printf format 2005-05-25 Love Hörnquist Åstrand * lib/krb5/krb5_auth_context.3: remove trailing space 2005-05-24 Love Hörnquist Åstrand * kcm/connect.c (do_request): use sendmsg to send the reply * fix-export: add make_proto for kcm/kcm_protos.h * kcm/kcm_locl.h: remove prototypes and add * kcm/Makefile.am (kcm_SOURCES): add headerfiles (kcm_protos.h): generate prototypes * kcm/protocol.c: fix error in last commit, use right function * kcm/headers.h: include if we have getpeerucred * configure.in: check for functions getpeerucred and getpeereid * kcm/connect.c (update_client_creds): add support for getpeerucred and getpeereid * lib/krb5/kcm.c (kcm_alloc): allow kcm socket to be configured by [libdefaults]kcm_socket=/path 2005-05-24 David Love * kcm/kcm.8: KRB5CCNAME needs an literal uid, not ${uid}, spelling 2005-05-23 Love Hörnquist 
Åstrand * kcm/protocol.c: Merge the description and function jumptables into one structure. Use the length of the array when checking if the opcode is valid, not a constant. * kcm/kcm_locl.h: struct kcm_op: jumptable structure * kcm/main.c: move declaration of detach_from_console away from here to kcm_locl.h, Don't test HAVE_DAEMON since roken supplies it. * kcm/kcm_locl.h: move declaration of detach_from_console here * kdc/config.c: Don't test HAVE_DAEMON since roken supplies it. 2005-05-23 Dave Love * kcm/config.c: Don't test HAVE_DAEMON since roken supplies it. * kdc/main.c: Don't test HAVE_DAEMON since roken supplies it. 2005-05-23 Love Hörnquist Åstrand * lib/krb5/krb5_keytab.3: document WRFILE and JAVA14 2005-05-20 Love Hörnquist Åstrand * lib/krb5/krbhst.c (srv_get_hosts): if srv_get_hosts fails, return and ignore the error * lib/krb5/krbhst.c (srv_find_realm): make sure `res' and `count' have good values * lib/krb5/test_keytab.c: tests all keytab formats 2005-05-19 Love Hörnquist Åstrand * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): on non-ASN.1 decoding errors, fail. Make sure we free memory on error. (pk_verify_chain_standard): make sure we provide good errors. * lib/krb5/verify_krb5_conf.c: add missing options, prompted by James F. Hranicky mail to heimdal-discuss * lib/krb5/verify_krb5_conf.c: add pkinit and password quality check options * lib/krb5/pkinit.c (pk_verify_chain_standard): store better error message in the context for certificate errors. * lib/krb5/keytab.c (krb5_kt_free_entry): zero out content of all krb5_free_x_content like functions to make sure data doesn't get reused, idea from Wynn Wilkes * configure.in: depend on automake 1.8, we don't test anything older * lib/krb5/init_creds_pw.c (process_pa_data_to_md): add comment that the caller always frees out_md; remove comment about memory, it doesn't happen.
(init_cred_loop): free ctx->as_req.padata when its reset (From Wynn Wilkes ), move a comment close the the code * lib/krb5/keytab_krb4.c (fkt_remove_entry): need to call krb5_kt_free_entry after each krb5_kt_next_entry. * lib/krb5/keytab_file.c (fkt_remove_entry): need to call krb5_kt_free_entry after each fkt_next_entry_int. From: Wynn Wilkes 2005-05-18 Love Hörnquist Åstrand * lib/krb5/Makefile.am: TESTS += test_keytab * lib/krb5/keytab_krb4.c (krb4_kt_remove_entry): plug memory leaks, avoid crashing on empty keytab * lib/krb5/krb5_keytab.3: document behavior of krb5_kt_remove_entry * lib/krb5/keytab_memory.c (mkt_remove_entry): check if there isn't any entries in the keytab before removing any since that leads to bad pointer arithmetic and crashing. From: Wynn Wilkes . Make the function return KRB5_KT_NOTFOUND if the entry wasn't in the keytab (just like the filebased keytab). * lib/krb5/test_keytab.c: test memory corruption in MEMORY keytab * lib/krb5{addr_families,context,creds,free,keyblock, mit_glue,rd_error}.c:zero out content of all krb5_free_x_content like functions to make sure data doesnt get reused, idea from Wynn Wilkes * lib/krb5/krb5_get_credentials.3: document KRB5_GC_EXPIRED_OK * lib/krb5/krb5.3: add krb5_cc_new_unique 2005-05-17 Love Hörnquist Åstrand * lib/krb5/fcache.c (fcc_get_first): check return value from malloc, memset the structure, make sure cursor doesn't point to freed memory on failure. From: Wynn Wilkes * lib/krb5/krb5_auth_context.3: document KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED * lib/krb5/get_cred.c: Remove expired credentials, based on patches and comments from Anders Magnusson and Wynn Wilkes * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): honor KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted (ENCTYPE_NULL) credentials. for use with old mit server and java based ones as they can't handle encrypted KRB-CRED. 
Note that the option needs to be turned on explicitly, because a KRB-CRED sent in the clear exposes the forwarded credentials on the wire. * lib/krb5/context.c (krb5_init_context): register krb5_javakt_ops * lib/krb5/krb5.h: KRB5_GC_EXPIRED_OK: expired credentials are ok to return from krb5_get_credentials. KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED: make forwarded credentials unencrypted, for compatibility with mit kerberos and java kerberos. krb5_javakt_ops: export 2005-05-16 Love Hörnquist Åstrand * lib/krb5/keytab_file.c: Add new keytab file format JAVA14 that doesn't use extended kvnos; as hinted, this is needed for Java's Kerberos implementation. 2005-05-10 Love Hörnquist Åstrand * lib/krb5/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey, still no DH * kdc/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey, still no DH * kdc/kerberos5.c (as_rep): search for pkinit-9, pkinit-19, and pkinit-25 pa-data, return empty pkinit pa-data in the PREAUTH_REQUIRED krb-error * doc/ack.texi: add pkinit people * lib/krb5/krb5_storage.3: document krb5_storage_is_flags * lib/krb5/{krb5_compare_creds.3,krb5_get_init_creds.3, krb5_krbhst_init.3,krb5_storage.3}: make more pretty, from Björn Sandell 2005-05-09 Dave Love * doc/setup.texi: Fix and clarify password quality check examples. 2005-05-09 Love Hörnquist Åstrand * lib/krb5/kuserok.c (krb5_kuserok): use POSIX_GETPWNAM_R instead of HAVE_GETPWNAM_R From: Dave Love 2005-05-07 Love Hörnquist Åstrand * lib/krb5/addr_families.c (krb5_print_address): catch when the unknown address doesn't fit.
From Björn Sandell 2005-05-05 Dave Love * configure.in: fix type right test, include for sys/strtty.h, not sys/ptyvar.h 2005-05-05 Love Hörnquist Åstrand * lib/krb5/krb5.conf.5: spelling 2005-05-04 Love Hörnquist Åstrand * lib/krb5/krb5.conf.5: expand on what "trailing component" means 2005-05-04 Johan Danielsson * lib/krb5/rd_cred.c: put address comparison in separate function * lib/krb5/krb5_kuserok.3: check the user's ~/.k5login.d directory for access files, all of which is handled like the regular ~/.k5login * lib/krb5/kuserok.c: check the user's ~/.k5login.d directory for access files, all of which is handled like the regular ~/.k5login 2005-05-03 Love Hörnquist Åstrand * doc/ack.texi: Clearify what version of libdes we are using and who's code in it we are using. * kcm/kcm.8: more text about usage * kcm/Makefile.am: man_MANS += kcm.8 * kcm/kcm.8: initial manpage * configure.in: if we have a $srcdir/lib/asn1/pkcs12.asn1, define PKINIT 2005-05-02 Dave Love * configure.in: sys/tty.h (for sys/ptyvar.h) might need termios.h. 2005-05-02 Love Hörnquist Åstrand * tools/krb5-config.in: add com_err to required libs * lib/krb5/pkinit.c (krb5_ui_method_read_string): use the fill in length * lib/krb5/init_creds_pw.c: Now that we fixed the signed-ness of nonce for windows, remove the code that removed the signed bit. Instead add comment that they still need to be the same (Kerberos protocol nonce and pk-init nonce) for Windows. 2005-05-02 David Love * lib/krb5/crypto.c: Don't declare des_salt &c as static with incomplete type (invalid in c89, at least). 2005-05-02 Love Hörnquist Åstrand * lib/krb5/krb5_locl.h: include 2005-05-02 David Love * kcm/connect.c (init_socket): rename variable sun to un to avoid namespace collision. (handle_stream): Cast arg of krb5_warnx. 2005-04-30 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c: if we are using PKINIT, strip of the highest bit to make windows PK-INIT happy. 
Also make the nonces the same, again for windows, they are using pk-init-9. XXX check if it isn't the that nonce is an unsigned variable so its just a asn1 mismatch. * kdc/pkinit.c: pass a NULL prompter data to _krb5_pk_load_openssl_id * kuser/kinit.c: krb5_get_init_creds_opt_set_pkinit * lib/krb5/pkinit.c: Pass prompter data to the prompter function, implement a UI prompter function wrapping the kerberos prompter function so that the the OpenSSL ENGINE can ask for a password when loading the private key. From: Douglas E. Engert * lib/krb5: add in test programs * configure.in: sys/ptyvar.h might need * lib/krb5/Makefile.am: use LIB_com_err for libkrb5.la 2005-04-29 Love Hörnquist Åstrand * lib/asn1/Makefile.am: use $(LIB_com_err) 2005-04-28 Love Hörnquist Åstrand * lib/krb5/context.c (krb5_set_config_files): ignore permission denied on configuration files, user might not be allowed to read /var/heimdal/kdc.conf 2005-04-26 Dave Love * lib/krb5/krb5_locl.h: define _POSIX_PTHREAD_SEMANTICS so we get posix getpwnam_r 2005-04-25 Love Hörnquist Åstrand * lib/asn1/gen_glue.c: switch the units variable to a function. gcc-4.1 needs the size of the structure if its defined as extern struct units foo_units[] an we don't want to include in the generate headerfile 2005-04-25 Love Hörnquist Åstrand * lib/hdb/hdb.schema: add EQUALITY rule for krb5ValidStart, krb5ValidEnd, krb5PasswordEnd From Howard Chu 2005-04-24 Love Hörnquist Åstrand * doc/whatis.texi: comment out docbook stuff for now * kuser/klist.c: use strlcpy * doc/ack.texi: we no longer use eay libdes, make acknowledgment still be there, but claim that we no longer use it. Mark editline to be a modified version as required by the license. 
* lib/krb5/pkinit.c: use the unexported oid_to_enctype function * lib/krb5/crypto.c: unexport the oid_to_enctype function, not for external consumers * kdc/Makefile.am: always add kaserver * lib/krb5/krb5_ccache.3: document krb5_cc_new_unique * lib/krb5/cache.c (krb5_cc_new_unique): new function to create a new credential cache * kdc/headers.h: don't include kerberos 4 headers here * kdc/hpropd.c: include kerberos 4 headers here * kdc/connect.c: add kaserver support independ of having krb4 support * kdc/config.c: add kaserver support unconditionally, make kdc only fail to start when there are no v4 realm configured and krb4/kaserver is turned on * kdc/kaserver.c: Use the new Kerberos 4 functions in libkrb5 and so kaserver support is always compiled in (still default disabled) * lib/krb5/v4_glue.c: simplify error handling * doc/whatis.texi: add docbook version macro of @sub * doc/heimdal.texi: change the wrapping around the Top node to ifnottex, make html generation work * lib/krb5/krb5_krbhst_init.3: spelling, from Björn Sandell * lib/krb5/krb5_get_krbhst.3: spelling, from Björn Sandell * lib/krb5/krb5_data.3: spelling, from Björn Sandell * lib/krb5/krb5_aname_to_localname.3: spelling, from Björn Sandell * lib/krb5/krb5_address.3: spelling, from Björn Sandell 2005-04-23 Love Hörnquist Åstrand * kdc/config.c: Use the new Kerberos 4 functions in libkrb5 and so kerberos 4 is always compiled in (still default disabled) * kdc/kerberos4.c: Use the new Kerberos 4 functions in libkrb5 and so kerberos 4 is always compiled in (still default disabled) * lib/krb5/krb5_locl.h: forward declaration of _krb5_krb_auth_data * lib/krb5/convert_creds.c: Move the kerberos v4 replacement functions to v4_glue.c * lib/krb5/v4_glue.c: Implement enough of kerberos 4 protocol to be a KDC, move the v4 bits over here * lib/krb5/krb5-v4compat.h: add more v4 defines 2005-04-22 Love Hörnquist Åstrand * kpasswd/kpasswdd.c: Support multi-realms databases, requires that all the realms are configured 
on the KDC in krb5.conf with [libdefaults]default_realm stanzas. 2005-04-21 Love Hörnquist Åstrand * kdc/kerberos5.c: spell succeeded correctly, From Sean Chittenden * lib/krb5/addr_families.c: catch two more snprintf problems 2005-04-20 Love Hörnquist Åstrand * lib/hdb/Makefile.am: this lib include com_err, add -com_err to CHECK_SYMBOLS * appl/test/http_client.c: cast ssize_t to unsigned long, fix printf format 2005-04-19 Love Hörnquist Åstrand * lib/krb5/kuserok.c: use asprintf to avoid truncating pathnames * lib/krb5/get_host_realm.c: check return value of snprintf * lib/krb5/test_addr.c: check address truncation * lib/krb5/addr_families.c: check return values from snprintf and clean up semantics of ret_len * lib/krb5/krb5_address.3: clarify what ret_len is in krb5_print_address * lib/krb5/test_kuserok.c: add --version and --help * lib/krb5/kuserok.c: use getpwnamn_r if it exists * lib/krb5/Makefile.am: noinst_PROGRAMS += test_kuserok * lib/krb5/test_kuserok.c: test program for krb5_kuserok 2005-04-18 Love Hörnquist Åstrand * lib/krb5/acache.c (acc_resolve): if open_default_ccache failed with ccErrCCacheNotFound try again with create_default_ccache, this fixes the problem where the security server apperenly haven't started yet on Mac OS X * lib/krb5/get_default_principal.c (_krb5_get_default_principal_local): add, for use of functions that in ccache layer to avoid recursive calls. 
* lib/hdb/hdb-ldap.c: drop , no longer use any of the is* macros in this file * include/make_crypto.c: cast to unsigned char to make sure its not negative when passing it to is* functions 2005-04-15 Love Hörnquist Åstrand * doc/programming.texi: remove manpage macro, add some more references to manpages * doc/heimdal.texi: define manpage macro * doc/setup.texi: document new password policy code * kpasswd/kpasswdd.c: add verifier libraries with kadm5_add_passwd_quality_verifier * lib/krb5/krb5_keyblock.3: document krb5_keyblock_init 2005-04-14 Love Hörnquist Åstrand * kdc/kaserver.c: AUTHENTICATE and AUTHENTICATE_V2 is almost the same, and clients (klog) can deal with that the kaserver returns the same thing for both * lib/krb5/keyblock.c: Add krb5_keyblock_init to allocate an fill in a keyblock from key data. 2005-04-12 Love Hörnquist Åstrand * configure.in: rk_WIN32_EXPORT for roken 2005-04-10 Love Hörnquist Åstrand * appl/test/gssapi_server.c: print out client principla of delegated credential 2005-04-07 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c (process_pa_data_to_key): also check for KRB5_PADATA_PK_AS_REP_19, From: Douglas Engert 2005-04-07 Love Hörnquist Åstrand * .cvsignore: ignore more generate files 2005-04-04 Love Hörnquist Åstrand * lib/asn1/check-der.c: use size_t, print size_t by casting to unsigned long * lib/krb5/test_crypto.c: print size_t by casting to unsigned long * lib/krb5/acache.c: Argument to create_new_ccache is a principal, not a credential cache name. Clean up lossage related to this problem. 
* lib/hdb/Makefile.am: CHECK_SYMBOLS += HDBFlags2int * lib/krb5/addr_families.c (krb5_address_prefixlen_boundary,krb5_free_address): use find_atype when we are dealing with a kerberos address type * lib/krb5/aes-test.c: size_t vs int + fix printf * lib/krb5/pkinit.c: Since the decode can't make out the diffrence between PA-PK-AS-REP-19 and PA-PK-AS-REQ-Win2k, try harder to verify both cases 2005-04-03 Love Hörnquist Åstrand * appl/test/uu_client.c: print size_t by casting to unsigned long 2005-04-01 Johan Danielsson * kdc/kerberos4.c (do_version4): check client and server max_life * kdc/kaserver.c (do_getticket): check client max_life 2005-03-31 Love * lib/krb5/verify_krb5_conf.c: const poison * lib/krb5/test_alname.c: const poison * lib/asn1/main.c: const poison * lib/krb5/test_addr.c: test parse IPv6 RANGE addresses * lib/krb5/addr_families.c: implement mask boundary for IPv6 * lib/asn1/gen.c: avoid const string warnings steming from writeable-string 2005-03-28 Love Hörnquist Åstrand * lib/krb5/Makefile.am: TESTS += test_addr * lib/krb5/test_addr.c: simple test for addresses * lib/krb5/addr_families.c: make RANGE parse prefixlen style addresses too, fix printing of RANGE addresses, add krb5_address_prefixlen_boundary * lib/krb5/krb5_keytab.3: stop memory leak in example, expand on wildcards 2005-03-26 Love Hörnquist Åstrand * lib/krb5/krb5_principal.3: spelling, from Tomas Olsson * lib/krb5/krb5_warn.3: spelling, from Tomas Olsson 2005-03-19 Love Hörnquist Åstrand * lib/krb5/acache.c: add mutex for global variables, clean up returned error codes, implement storing addresses into the ccapi * appl/test/gssapi_server.c: free memory, make error strings match * appl/test/gssapi_server.c: use print_gss_name, print server name too * appl/test/gss_common.h (print_gss_name): common code for printing gss name * appl/test/gss_common.c (print_gss_name): common code for printing gss name * appl/test/http_client.c: Make constent with rest of the gssapi test programs 2005-03-17 
Love Hörnquist Åstrand * lib/hdb/keys.c: AES is enabled by default, remove ifdefs * lib/krb5/crypto.c: AES is enabled by default, remove ifdefs * lib/krb5/aes-test.c: use hex encoder from roken AES is enabled by default, remove ifdefs * kdc/kerberos5.c: AES is enabled by default, remove ifdefs 2005-03-16 Love Hörnquist Åstrand * doc/setup.texi: Add some text about modifying the database 2005-03-15 Love Hörnquist Åstrand * kuser/kinit.c: widen lifetime/renewal warning text field, also make use of unparse_time_approx, no need to be specific to the second when ticket needs to be renewed or their lifetime. * doc/heimdal.texi: copyright maintenance, drop eay, use updated UCB license * lib/krb5/crypto.c: more static and unsigned issues * lib/krb5/crypto.c: fix signedness issues, prompted by report of Magnus Ahltorp 2005-03-13 Love Hörnquist Åstrand * lib/krb5/krb5_keytab.3: more text about how to free returned resources 2005-03-10 Love Hörnquist Åstrand * lib/krb5/pkinit.c: handle the -25 generation path * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_19 * lib/krb5/pkinit.c: fold in pk-init-25 asn1 changes 2005-03-09 Love Hörnquist Åstrand * kdc/pkinit.c: use generated oid's * lib/krb5/pkinit.c: use generated oid's 2005-03-08 Love Hörnquist Åstrand * kdc/pkinit.c: update to the asn1 structures used in -25's * lib/krb5/pkinit.c: update to the asn1 structures used in -25's 2005-03-04 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: use the newly written hex function from roken and remove the old implementation 2005-03-01 Love Hörnquist Åstrand * appl/test/http_client.c: allow specifing port to connect to 2005-02-24 Love Hörnquist Åstrand * lib/krb5/Makefile.am: bump version to 21:0:4 * lib/hdb/Makefile.am: bump version to 8:0:1 * lib/asn1/Makefile.am: bump version to 7:0:1 2005-02-23 Love Hörnquist Åstrand * lib/krb5/crypto.c (DES_string_to_key_int): must check for weak keys after doing the DES_cbc_cksum 2005-02-19 Luke Howard * lib/krb5/krbhst.c: set KD_CONFIG after calling 
config_get_hosts() in kpasswd_get_next() From: Wynn Wilkes 2005-02-15 Love Hörnquist Åstrand * lib/hdb/db3.c (DB_open): correct the check for O_RDONLY From: Chaskiel M Grundman 2005-02-09 Love Hörnquist Åstrand * lib/krb5/crypto.c (krb5_random_to_key): cast size_t to int to make %d work 2005-02-08 Love Hörnquist Åstrand * lib/krb5/keytab.c (krb5_kt_get_entry): tell what enctype the caller requested to provide the user with a glue what the caller was asking for. 2005-02-05 Luke Howard * lib/krb5/kcm.c: add _krb5_kcm_is_running, _krb5_kcm_noop * kcm/acquire.c: don't leak salt if keyproc called multiple times * kcm/config.c: allow KCM system ccache to be configured from krb5.conf, in the system_ccache stanza of [kcm] 2005-02-03 Love Hörnquist Åstrand * kcm/protocol.c: use -1 as the invalid pid number * kcm/connect.c: support SCM_CREDS (for NetBSD) * kcm/Makefile.am: LDADD += LIB_pidfile * kcm/connect.c: make it possible to build on systems without SO_PEERCRED (still doesn't work) * kcm/config.c: cast argument to isdigit to unsigned char * lib/krb5/krb5.conf.5: document large_msg_size * lib/krb5/context.c (init_context_from_config_file): init large_msg_size to 6000 * lib/krb5/krb5.h (krb5_context_data): add large_msg_size, threshold where we start to use transport protocols without tiny max data transport sizes. 
* lib/krb5/kcm.h: drop prototypes, they all live in krb5-private.h by now 2005-02-02 Luke Howard * configure.in: generate kcm/Makefile * Makefile.am: recurse into kcm/ if KCM defined * kcm: add KCM daemon 2005-02-02 Love Hörnquist Åstrand * lib/krb5/send_to_kdc.c (send_and_recv_udp): make private again * lib/krb5/kcm.c: use AF_UNIX like the rest of the codebase, add some more error strings 2005-02-02 Luke Howard * configure.in: add --enable-kcm option for Kerberos Credentials Manager (KCM) * lib/krb5/Makefile.am: add kcm.c * lib/krb5/cache.c: use cc_retrieve_cred if present rather than enumerating ccache * lib/krb5/context.c: register KCM cc_ops * lib/krb5/get_cred.c: pass all options to cc_retrieve_cred * lib/krb5/init_creds_pw.c: add krb5_get_init_creds_keyblock * lib/krb5/kcm.[ch]: add initial implementation of KCM client library * lib/krb5/krb5.h: fix cc_retrieve prototype, add KCM cc_ops * lib/krb5/send_to_kdc.c: add _krb5_send_and_recv_tcp * lib/krb5/store.c: add krb5_store_creds_tag, krb5_ret_creds_tag 2005-01-24 Luke Howard * lib/krb5/init_creds_pw.c: allow NULL in_options to be passed krb5_get_init_creds_password() * kdc/kerberos5.c: don't crash when logging no server etype support if client == NULL 2005-01-17 Love Hörnquist Åstrand * kdc/kstash.c: s/random_key/random_key_flag/, From Dave Love 2005-01-12 Love Hörnquist Åstrand * doc/apps.texi: Texinfo fixes. Text about irix 6.5 using PAM. 
From: Dave Love 2005-01-08 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c: cast argument to isdigit to unsigned char * lib/krb5/keytab_keyfile.c: cast argument to toupper to unsigned char * lib/asn1/hash.c (hashcaseadd): cast argument to toupper to unsigned char * appl/kf/kfd.c (kfd_match_version): cast argument to islower to unsigned char * lib/krb5/krb5.3: drop krb5_{checksum,enctype}_is_disabled * lib/krb5/krb5_encrypt.3: drop krb5_enctype_is_disabled, more text about krb5_enctype_valid * lib/krb5/krb5_create_checksum.3: drop krb5_checksum_is_disabled * lib/krb5/crypto.c: drop krb5_{checksum,enctype}_isdisabled * lib/krb5/context.c: krb5_enctype_is_disabled is the same thing as krb5_enctype_valid, so use the later since its older and the api doesn't really need another entry point * lib/krb5/rd_req.c: krb5_enctype_is_disabled is the same thing as krb5_enctype_valid, so use the later since its older and the api doesn't really need another entry point * kdc/kerberos5.c: krb5_enctype_is_disabled is the same thing as krb5_enctype_valid, so use the later since its older and the api doesn't really need another entry point 2005-01-05 Love Hörnquist Åstrand * kpasswd/kpasswdd.8: document --addresses, controls what addresses kpasswd should listen too * kpasswd/kpasswdd.c: add --addresses, controls what addresses kpasswd should listen too * lib/krb5/addr_families.c (krb5_parse_address): filter out dup addresses from getaddrinfo * kpasswd/kpasswd.1: document -c * kpasswd/kpasswd.c: allow specifying a credential cache to use for the admin principal * include/bits.c: constify to avoid warning with -Wwrite-string * NEWS: add 0.6.2 and 0.6.3 items * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey_extended * lib/krb5/krb5_is_thread_safe.3: document function * lib/krb5/Makefile.am (man_MANS) += krb5_is_thread_safe.3 * lib/krb5/context.c (krb5_is_thread_safe): return TRUE is the library was compiled with multithreading support. 
If not, application must global lock the library, it it uses threads that call kerberos functions at the same time. 2005-01-05 Luke Howard * lib/krb5/auth_context.c: use krb5_generate_subkey_extended() * lib/krb5/appdefault.c: remove redundant KRB5_LIB_FUNCTION * lib/krb5/build_auth.c: support for enctype negotiation (client sends EtypeList in Authenticator authz data) * lib/krb5/context.c: mutex should be destroyed last in krb5_free_context() * lib/krb5/generate_subkey.c: add krb5_generate_subkey_extended(), set *subkey to NULL if key geneartion fails * lib/krb5/krb5.h: add KRB5_KU_PA_SERVER_REFERRAL_DATA * lib/krb5/mk_req_ext.c: support ETYPE_ARCFOUR_HMAC_MD5_56 * lib/krb5/rd_req.c: support for enctype negotiation (client sends EtypeList in Authenticator authz data) 2005-01-04 Luke Howard * lib/asn1/k5.asn1: add authorization data types for enctype negotiation implementation 2005-01-04 Love Hörnquist Åstrand * lib/krb5/changepw.c (change_password_loop): on failing to find a kdc, set result_code to KRB5_KPASSWD_HARDERROR 2005-01-01 Love Hörnquist Åstrand * doc/heimdal.texi: Happy New Year heimdal-1.7~git20150920+dfsg/ChangeLog.2006000066400000000000000000001700071257755311500176100ustar00rootroot000000000000002006-12-28 Love Hörnquist Åstrand * kdc/process.c: Handle kx509 requests. * kdc/connect.c: Listen to 9878 if kca is turned on. * kdc/headers.h: Include . * kdc/config.c: code to parse [kdc]enable-kx509 * kdc/kdc.h: add enable_kx509 * kdc/Makefile.am: add kx509.c * kdc/kx509.c: Kx509server (external certificate genration). * lib/krb5/ticket.c: add krb5_ticket_get_endtime * lib/krb5/krb5_ticket.3: Document krb5_ticket_get_endtime * kdc/digest.c: Remove , its already included in headers.h * kdc/digest.c: Return session key for the NTLMv2 case too * lib/krb5/digest.c (krb5_ntlm_rep_get_sessionkey): return value is krb5_error_code 2006-12-27 Love Hörnquist Åstrand * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): use md5 for des-cbc-md4 and des-cbc-md5. 
This is for (older) windows that will be unhappy anything else. From Inna Bort-Shatsky 2006-12-26 Love Hörnquist Åstrand * kdc/digest.c: Prefix internal symbol with _kdc_. * kdc/kdc.h: add digests_allowed * kdc/digest.c: return NTLM2 targetinfo structure. * lib/krb5/digest.c: Add krb5_ntlm_init_get_targetinfo. * kdc/config.c: Parse digest acl's * kdc/kdc_locl.h: forward decl; * kdc/digest.c: Add digest acl's 2006-12-22 Love Hörnquist Åstrand * fix-export: build ntlm-private.h 2006-12-20 Love Hörnquist Åstrand * include/make_crypto.c: Include <.../hmac.h>. * kdc/digest.c: reorder to show slot here ntlmv2 code will be placed. * kdc/digest.c: Announce that we support key exchange and add bits to detect when it wasn't used. * kdc/digest.c: Add support for generating NTLM2 session security answer. 2006-12-19 Love Hörnquist Åstrand * lib/krb5/digest.c: Add sessionkey accessor functions. 2006-12-18 Love Hörnquist Åstrand * kdc/digest.c: Unwrap the NTLM session key and return it to the server. 2006-12-17 Love Hörnquist Åstrand * lib/krb5/store.c (krb5_ret_principal): Fix a bug in the malloc failure part, noticed by Arnaud Lacombe in NetBSD coverity scan. 2006-12-15 Love Hörnquist Åstrand * lib/krb5/fcache.c (fcc_get_cache_next): avoid const warning. * kdc/digest.c: Support NTLM verification, note that the KDC does no NTLM packet parsing, its all done by the client side, the KDC just calculate and verify the digest and return the result to the service. * kuser/kdigest.c: add ntlm-server-init * kuser/Makefile.am: kdigest depends on libheimntlm.la * kdc/headers.h: Include . * kdc/Makefile.am: libkdc needs libheimntlm.la * autogen.sh: just run autoreconf -i -f * lib/Makefile.am: hook in ntlm * configure.in (AC_CONFIG_FILES): add lib/ntlm/Makefile * lib/krb5/digest.c: API to authenticate ntlm requests. * lib/krb5/fcache.c: Support "iteration" of file credential caches by giving the user back the default file credential cache and only that. 
* lib/krb5/krb5_locl.h: Expand the default root for some of the cc type names. 2006-12-14 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c (free_paid): free the krb5_data structure too. Bug report from Stefan Metzmacher. 2006-12-12 Love Hörnquist Åstrand * kuser/kinit.c: Read the appdefault configration before we try to use the flags. Bug reported by Ingemar Nilsson. * kuser/kdigest.c: prefix digest commands with digest_ * kuser/kdigest-commands.in: prefix digest commands with digest- 2006-12-10 Love Hörnquist Åstrand * kdc/hprop.c: Return error codes on failure, improve error reporting. 2006-12-08 Love Hörnquist Åstrand * lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error * lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error strings 2006-12-07 Love Hörnquist Åstrand * include/Makefile.am: CLEANFILES += vis.h 2006-12-06 Love Hörnquist Åstrand * kdc/kerberos5.c (_kdc_as_rep): add AD-INITAL-VERIFIED-CAS to the encrypted ticket * kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds an empty (for now) AD_INITIAL_VERIFIED_CAS to tell the clients that we vouches for the CA. * kdc/kerberos5.c (_kdc_tkt_add_if_relevant_ad): new function. * lib/Makefile.am: Make the directories test automake conditional so automake can include directories in make dist step. * kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for ExternalPrincipalIdentifiers * kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers * kdc/pkinit.c: Add comment that the anchors in the signed data really should be the trust anchors of the client. * kuser/generate-requests.c: Use strcspn to remove \n from string returned by fgets. From Björn Sandell * kpasswd/kpasswd-generator.c: Use strcspn to remove \n from string returned by fgets. From Björn Sandell 2006-12-05 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: Clear errno before calling the strtol functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn Sandell. * lib/krb5/config_file.c: Use strcspn to remove \n from fgets result. 
Prompted by change by Ray Lai of OpenBSD via Björn Sandell. * kdc/string2key.c: Use strcspn to remove \n from fgets result. Prompted by change by Ray Lai of OpenBSD via Björn Sandell. 2006-11-30 Love Hörnquist Åstrand * lib/krb5/krbhst.c (plugin_get_hosts): be more paranoid and pass in a NULLed plugin list 2006-11-29 Love Hörnquist Åstrand * lib/krb5/verify_krb5_conf.c: add more pkinit options. * lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply to expect, this avoids overwriting the real PK-INIT error from just a failed requeat with a Windows PK-INIT error (that always failes). * kdc/Makefile.am: Add LIB_pkinit to pacify AIX * lib/hdb/Makefile.am: Add LIB_com_err to pacify AIX 2006-11-28 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: Make build again from the hdb_entry wrapping. Patch from Andreas Hasenack. * kdc/pkinit.c: Need better code in the DH parameter rejection case, add comment to that effect. 2006-11-27 Love Hörnquist Åstrand * kdc/krb5tgs.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG for too large packets when using datagram based transports. * kdc/process.c: Pass down datagram_reply to _kdc_tgs_rep. * lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes. 2006-11-26 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Pass down hx509_peer_info. * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and pass in into hx509_cms_create_signed_1 via hx509_peer_info blob. * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and pass in into hx509_cms_create_signed_1 via hx509_peer_info blob. 2006-11-24 Love Hörnquist Åstrand * lib/krb5/send_to_kdc.c: Set the large_msg_size to 1400, lets not fragment packets and avoid stupid linklayers that doesn't allow fragmented packets (unix dgram sockets on Mac OS X) 2006-11-23 Love Hörnquist Åstrand * lib/krb5/pkinit.c (_krb5_pk_create_sign): stuff down the users certs in the pool to make sure a path is returned, without this proxy certificates wont work. 
2006-11-21 Love Hörnquist Åstrand * kdc/config.c: Make all pkinit options prefixed with pkinit_ * lib/krb5/log.c (krb5_get_warn_dest): return warn_dest from krb5_context * lib/krb5/krb5_warn.3: document krb5_[gs]et_warn_dest * lib/krb5/krb5.h: Drop KRB5_KU_TGS_IMPERSONATE. * kdc/krb5tgs.c: Use KRB5_KU_OTHER_CKSUM for the impersonate checksum. * lib/krb5/get_cred.c: Use KRB5_KU_OTHER_CKSUM for the impersonate checksum. 2006-11-20 Love Hörnquist Åstrand * lib/krb5/verify_user.c: Make krb5_get_init_creds_opt_free take a context argument. * lib/krb5/krb5_get_init_creds.3: Make krb5_get_init_creds_opt_free take a context argument. * lib/krb5/init_creds_pw.c: Make krb5_get_init_creds_opt_free take a context argument. * kuser/kinit.c: Make krb5_get_init_creds_opt_free take a context argument. * kpasswd/kpasswd.c: Make krb5_get_init_creds_opt_free take a context argument. * kpasswd/kpasswd-generator.c: Make krb5_get_init_creds_opt_free take a context argument. * kdc/hprop.c: Make krb5_get_init_creds_opt_free take a context argument. * lib/krb5/init_creds.c: Make krb5_get_init_creds_opt_free take a context argument. * appl/gssmask/gssmask.c: Make krb5_get_init_creds_opt_free take a context argument. 2006-11-19 Love Hörnquist Åstrand * doc/setup.texi: fix pkinit option (s/-/_/) * kdc/config.c: revert the enable-pkinit change, and make it consistant with all other other enable- options 2006-11-17 Love Hörnquist Åstrand * doc/setup.texi: Make all pkinit options prefixed with pkinit_ * kdc/config.c: Make all pkinit options prefixed with pkinit_ * kdc/pkinit.c: Make app pkinit options prefixed with pkinit_ * lib/krb5/pkinit.c: Make app pkinit options prefixed with pkinit_ * lib/krb5/mit_glue.c (krb5_c_keylengths): make compile again. * lib/krb5/mit_glue.c (krb5_c_keylengths): rename. * lib/krb5/mit_glue.c (krb5_c_keylength): mit changed the api, deal. 2006-11-13 Love Hörnquist Åstrand * lib/krb5/pac.c (fill_zeros): stop using MIN. 
* kuser/kinit.c: Forward decl * lib/krb5/test_plugin.c: Use NOTHERE.H5L.SE. * lib/krb5/krbhst.c: Fill in hints for picky getaddrinfo()s. * lib/krb5/test_plugin.c: Set sin_len if it exists. * lib/krb5/krbhst.c: Use plugin for the other realm locate types too. 2006-11-12 Love Hörnquist Åstrand * lib/krb5/krb5_locl.h: Add plugin api * lib/krb5/Makefile.am: Add plugin api. * lib/krb5/krbhst.c: Use the resolve plugin interface. * lib/krb5/locate_plugin.h: Add plugin interface for resolving that is API compatible with MITs version. * lib/krb5/plugin.c: Add first version of the plugin interface. * lib/krb5/test_pac.c: Test signing. * lib/krb5/pac.c: Add code to sign PACs, only arcfour for now. * lib/krb5/krb5.h: Add struct krb5_pac. 2006-11-09 Love Hörnquist Åstrand * lib/krb5/test_pac.c: PAC testing. * lib/krb5/pac.c: Sprinkle error strings. * lib/krb5/pac.c: Verify LOGON_NAME. * kdc/pkinit.c (_kdc_pk_check_client): drop client_princ as an argument * kdc/kerberos5.c (_kdc_as_rep): drop client_princ from _kdc_pk_check_client since its not valid in canonicalize case * lib/krb5/krb5_c_make_checksum.3: Document krb5_c_keylength. * lib/krb5/mit_glue.c: Add krb5_c_keylength. 2006-11-08 Love Hörnquist Åstrand * lib/krb5/pac.c: Almost enough code to do PAC parsing and verification, missing in the unix2NTTIME and ucs2 corner. The later will be adressed by finally adding libwind. * lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew * kdc/hpropd.c: Remove support dumping to a kerberos 4 database. 2006-11-07 Love Hörnquist Åstrand * lib/krb5/context.c: rename krb5_[gs]et_time_wrap to krb5_[gs]et_max_time_skew * kdc/pkinit.c: Catch error string from hx509_cms_verify_signed. Check for id-pKKdcEkuOID and warn if its not there. * lib/krb5/rd_req.c: Add more krb5_rd_req_out_get functions. 2006-11-06 Love Hörnquist Åstrand * lib/krb5/krb5.h: krb5_rd_req{,_in,_out}_ctx. 
* lib/krb5/rd_req.c (krb5_rd_req_ctx): Add context all singing-all dancing version of the krb5_rd_req and implement krb5_rd_req and krb5_rd_req_with_keyblock using it. 2006-11-04 Love Hörnquist Åstrand * kdc/kerberos5.c (_kdc_as_rep): More verbose time skew logging. 2006-11-03 Love Hörnquist Åstrand * lib/krb5/expand_hostname.c: Rename various routines and constants from canonize to canonicalize. From Andrew Bartlett * lib/krb5/context.c: Add krb5_[gs]et_time_wrap * lib/krb5/krb5_locl.h: Rename various routines and constants from canonize to canonicalize. From Andrew Bartlett * appl/gssmask/common.c (add_list): fix alloc statement. From Alex Deiter 2006-10-25 Love Hörnquist Åstrand * include/Makefile.am: Move version.h and version.h.in to DISTCLEANFILES. 2006-10-24 Love Hörnquist Åstrand * appl/gssmask/gssmask.c: Only log when there are resources left. * appl/gssmask/gssmask.c: make compile * appl/gssmask/gssmask.c (AcquireCreds): free krb5_get_init_creds_opt 2006-10-23 Love Hörnquist Åstrand * configure.in: heimdal 0.8-RC1 2006-10-22 Love Hörnquist Åstrand * lib/krb5/digest.c: Try to not leak memory. * kdc/digest.c: Try to not leak memory. * Makefile.am: remove valgrind target, it doesn't belong here. * kuser/kinit.c: Try to not leak memory. * kuser/kgetcred.c: Try to not leak memory. * kdc/krb5tgs.c (check_KRB5SignedPath): free KRB5SignedPath on successful completion too, not just the error cases. * fix-export: Make make fix-export less verbose. * kuser/kgetcred.c: Try to not leak memory. * lib/hdb/keys.c (hdb_generate_key_set): free list of enctype when done. * lib/krb5/crypto.c: Allocate the memory we later use. * lib/krb5/test_princ.c: Try to not leak memory. * lib/krb5/test_crypto_wrapping.c: Try to not leak memory. * lib/krb5/test_cc.c: Try to not leak memory. * lib/krb5/addr_families.c (arange_free): Try to not leak memory. * lib/krb5/crypto.c (AES_string_to_key): Try to not leak memory. 
2006-10-21 Love Hörnquist Åstrand * tools/heimdal-build.sh: Add --test-environment * tools/heimdal-build.sh: Add --ccache-dir * lib/hdb/Makefile.am: remove dependency on et files covert_db that now is removed 2006-10-20 Love Hörnquist Åstrand * include/Makefile.am: add gssapi to subdirs * lib/hdb/hdb-ldap.c: Make compile. * configure.in: add include/gssapi/Makefile. * include/Makefile.am: clean more files * include/make_crypto.c: Avoid creating a file called --version. * include/bits.c: Avoid creating a file called --version. * appl/test/Makefile.am: add nt_gss_common.h * doc/Makefile.am: Disable TEXI2DVI for now. * tools/Makefile.am: more files * lib/krb5/context.c (krb5_free_context): free send_to_kdc context * doc/heimdal.texi: Put Heimdal in the dircategory Security. * lib/krb5/send_to_kdc.c: Add sent_to_kdc hook, from Andrew Bartlet. * lib/krb5/krb5_locl.h: Add send_to_kdc hook. * lib/krb5/krb5.h: Add krb5_send_to_kdc_func prototype. * kcm/Makefile.am: more files * kdc/Makefile.am: more files * lib/hdb/Makefile.am: more files * lib/krb5/Makefile.am: add more files 2006-10-19 Love Hörnquist Åstrand * tools/Makefile.am: Add heimdal-build.sh to EXTRA_DIST. * configure.in: Don't check for timegm, libroken provides it for us. * lib/krb5/acache.c: Does function typecasts instead of void * type-casts. * lib/krb5/krb5.h: Remove bonus , that Love sneeked in. * configure.in: make --disable-pk-init help text also negative 2006-10-18 Love Hörnquist Åstrand * kuser/kgetcred.c: Avoid memory leak. * tools/heimdal-build.sh: Add more verbose logging, add version of script and heimdal to the mail. * lib/hdb/db3.c: Wrap function call pointer calls in (*func) to avoid macros rewriting open and close. * lib/krb5/Makefile.am: Add test_princ. * lib/krb5/principal.c: More error strings, handle realm-less printing. * lib/krb5/test_princ.c: Test principal parsing and unparsing. 
2006-10-17 Love Hörnquist Åstrand * lib/krb5/get_host_realm.c (krb5_get_host_realm): make sure we don't recurse * lib/krb5/get_host_realm.c (krb5_get_host_realm): no components -> no dns. no mapping, try local realm and hope KDC knows better. * lib/krb5/krb5.h: Add flags for krb5_unparse_name_flags * lib/krb5/krb5_principal.3: Document krb5_unparse_name{_fixed,}_flags. * lib/krb5/principal.c: Add krb5_unparse_name_flags and krb5_unparse_name_fixed_flags. * lib/krb5/krb5_principal.3: Document krb5_parse_name_flags. * lib/krb5/principal.c: Add krb5_parse_name_flags. * lib/krb5/principal.c: Add krb5_parse_name_flags. * lib/krb5/krb5.h: Add krb5_parse_name_flags flags. * lib/krb5/krb5_locl.h: Hide krb5_context_data from public exposure. * lib/krb5/krb5.h: Hide krb5_context_data from public exposure. * kuser/klist.c: Use krb5_get_kdc_sec_offset. * lib/krb5/context.c: Document krb5_get_kdc_sec_offset() * lib/krb5/krb5_init_context.3: Add krb5_get_kdc_sec_offset() * lib/krb5/krb5_init_context.3: Add krb5_set_dns_canonize_hostname and krb5_get_dns_canonize_hostname * lib/krb5/verify_krb5_conf.c: add [libdefaults]dns_canonize_hostname * lib/krb5/expand_hostname.c: use dns_canonize_hostname to determin if we should talk to dns to find the canonical name of the host. * lib/krb5/krb5.h (krb5_context): add dns_canonize_hostname. * tools/heimdal-build.sh: Set status. * appl/gssmask/gssmask.c: handle more bits * kdc/kerberos5.c: Prefix asn1 primitives with der_. 2006-10-16 Love Hörnquist Åstrand * fix-export: Build lib/asn1/der-protos.h. 2006-10-14 Love Hörnquist Åstrand * appl/gssmask/Makefile.am: Add explit depenency on libroken. * kdc/krb5tgs.c: Prefix der primitives with der_. * kdc/pkinit.c: Prefix der primitives with der_. * lib/hdb/ext.c: Prefix der primitives with der_. * lib/hdb/ext.c: Prefix der primitives with der_. * lib/krb5/crypto.c: Remove workaround from when there wasn't always aes. * lib/krb5/ticket.c: Prefix der primitives with der_. 
* lib/krb5/digest.c: Prefix der primitives with der_. * lib/krb5/crypto.c: Prefix der primitives with der_. * lib/krb5/data.c: Prefix der primitives with der_. 2006-10-12 Love Hörnquist Åstrand * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break. From Olga Kornievskaia. * kdc/kdc.8: document max-kdc-datagram-reply-length * include/bits.c: Include Xint64 types. 2006-10-10 Love Hörnquist Åstrand * tools/heimdal-build.sh: Add socketwrapper and cputime limit. * kdc/connect.c (loop): Log that the kdc have started. 2006-10-09 Love Hörnquist Åstrand * kdc/connect.c (do_request): tell krb5_kdc_process_request if its a datagram reply or not * kdc/kerberos5.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG error if its a datagram reply and the datagram reply length limit is reached. * kdc/process.c: Rename krb5_kdc_process_generic_request to krb5_kdc_process_request Add datagram_reply argument. * kdc/config.c: check for [kdc]max-kdc-datagram-reply-length * kdc/kdc.h (krb5_kdc_config): Add max_datagram_reply_length. * lib/hdb/keytab.c: Change || to |, From metze. * lib/hdb/keytab.c: Add back :file to sample format. * lib/hdb/keytab.c: Add more HDB_F flags to hdb_fetch. Pointed out by Andrew Bartlet. * kdc/krb5tgs.c (tgs_parse_request): set cusec, not csec from auth->cusec. 2006-10-08 Love Hörnquist Åstrand * fix-export: dist_-ify libkadm5clnt_la_SOURCES too * doc/heimdal.texi: Update (c) years. * appl/gssmask/protocol.h: Clarify protocol. * kdc/hpropd.c: Adapt to signature change of _krb5_principalname2krb5_principal. * kdc/kerberos4.c: Adapt to signature change of _krb5_principalname2krb5_principal. * kdc/connect.c (handle_vanilla_tcp): shorten length when we shorten the buffer, this matter im the PK-INIT encKey case where a checksum is done over the whole packet. 
Reported by Olga Kornievskaia 2006-10-07 Love Hörnquist Åstrand * include/Makefile.am: crypto-headers.h is a nodist header * lib/krb5/aes-test.c: Make argument to PKCS5_PBKDF2_HMAC_SHA1 unsigned char to make OpenSSL happy. * appl/kf/Makefile.am: Add man_MANS to EXTRA_DIST * kuser/Makefile.am: split build files into dist_ and noinst_ SOURCES * lib/hdb/Makefile.am: split build files into dist_ and noinst_ SOURCES * lib/krb5/Makefile.am: split build files into dist_ and noinst_ SOURCES * kdc/kerberos5.c: Adapt to signature change of _krb5_principalname2krb5_principal. 2006-10-06 Love Hörnquist Åstrand * lib/krb5/krbhst.c (common_init): don't try DNS when there is realm w/o a dot. * kdc/524.c: Adapt to signature change of _krb5_principalname2krb5_principal. * kdc/krb5tgs.c: Adapt to signature change of _krb5_principalname2krb5_principal. * lib/krb5/get_in_tkt.c: Adapt to signature change of _krb5_principalname2krb5_principal. * lib/krb5/rd_cred.c: Adapt to signature change of _krb5_principalname2krb5_principal. * lib/krb5/rd_req.c: Adapt to signature change of _krb5_principalname2krb5_principal. * lib/krb5/asn1_glue.c (_krb5_principalname2krb5_principal): add krb5_context to signature. * kdc/524.c (_krb5_principalname2krb5_principal): adapt to signature change * lib/hdb/keytab.c (hdb_get_entry): close and destroy the database later, the hdb_entry_ex might still contain links to the database that it expects to use. * kdc/digest.c: Make digest argument o MD5_final unsigned char to help OpenSSL. * kuser/kdigest.c: Make digest argument o MD5_final unsigned char to help OpenSSL. * appl/gssmask/common.h: Maybe include . 2006-10-05 Love Hörnquist Åstrand * appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and explain why * tools/heimdal-build.sh: Another mail header. * tools/heimdal-build.sh: small fixes * fix-export: More liberal parsing of AC_INIT * tools/heimdal-build.sh: first cut 2006-10-04 Love Hörnquist Åstrand * configure.in: Call AB_INIT. 
* kuser/kinit.c: Add flag --pk-use-enckey. * kdc/pkinit.c: Sign the request in the encKey case. Bug reported by Olga Kornievskaia of Umich. * lib/krb5/Makefile.am: man_MANS += krb5_digest.3 * lib/krb5/krb5_digest.3: Add all protos 2006-10-03 Love Hörnquist Åstrand * lib/krb5/krb5_digest.3: Basic krb5_digest manpage. 2006-10-02 Love Hörnquist Åstrand * fix-export: build gssapi mech private files * lib/krb5/init_creds_pw.c: minimize layering and remove krb5_kdc_flags * lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit order. * lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right bit order. * kuser/kdigest.c: Don't require --kerberos-realm. * lib/krb5/digest.c (digest_request): if NULL is passed in as realm, use default realm. * fix-export: build gssapi mech private files 2006-09-26 Love Hörnquist Åstrand * appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context building, better error handling. * appl/gssmask/gssmaestro.c: switch from wrap/unwrap to encrypt/decrypt * appl/gssmask/gssmask.c: Don't announce spn if there is none. * appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is the same as afterward. 2006-09-25 Love Hörnquist Åstrand * appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE. * appl/gssmask/gssmaestro.c: Add logsocket support. 2006-09-22 Love Hörnquist Åstrand * appl/gssmask/gssmaestro.c (build_context): print the step the context exchange. 2006-09-21 Love Hörnquist Åstrand * appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG to all context flags * appl/gssmask/gssmaestro.c: Add wrap and mic tests for all elements * appl/gssmask/gssmask.c: Add mic tests * appl/gssmask/gssmaestro.c: dont exit early then when context is half built. * lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx seems broken and its not good to upgrade to a broken enctype. 
2006-09-20 Love Hörnquist Åstrand * appl/gssmask/gssmask.c: Add wrap/unwrap ops * appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags * appl/gssmask/common.c: Add permutate_all (and support functions). * appl/gssmask/common.h: Add permutate_all * appl/gssmask/gssmask.c: use new flags, return moniker * appl/gssmask/gssmaestro.c: test self context building and all permutation of clients 2006-09-19 Love Hörnquist Åstrand * appl/gssmask/gssmask.c: add --logfile option, use htons() on port number * appl/gssmask/gssmaestro.c: Log port in connection message. * configure.in: Make pk-init turned on by default. 2006-09-18 Love Hörnquist Åstrand * fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}. * kuser/Makefile.am: Add tool for printing tickets. * kuser/kimpersonate.1: Add tool for printing tickets. * kuser/kimpersonate.c: Add tool for printing tickets. * kdc/krb5tgs.c: Check the adtkt in the constrained delegation case too. 2006-09-16 Love Hörnquist Åstrand * kdc/main.c (sigterm): don't _exit, let loop() catch the signal instead. * lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell. * lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell. 2006-09-15 Love Hörnquist Åstrand * tools/krb5-config.in: Add "kafs" option. 2006-09-12 Love Hörnquist Åstrand * lib/hdb/db.c: By using full function calling conversion (*func) we avoid problem when close(fd) is overridden using a macro. * lib/krb5/cache.c: By using full function calling conversion (*func) we avoid problem when close(fd) is overridden using a macro. 2006-09-11 Love Hörnquist Åstrand * kdc/kerberos5.c: Signing outgoing tickets. * kdc/krb5tgs.c: Add signing and checking of tickets to s4u2self works securely. * lib/krb5/pkinit.c: Adapt to new signature of hx509_cms_unenvelope. 
2006-09-09 Love Hörnquist Åstrand * lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a sensable way 2006-09-08 Love Hörnquist Åstrand * lib/krb5/krb5_init_context.3: Prevent a font generation warning, from Jason McIntyre. 2006-09-06 Love Hörnquist Åstrand * lib/krb5/context.c (krb5_init_ets): Add the hx errortable * lib/krb5/krb5_locl.h: Include hx509_err.h. * lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string from the hx509 lib 2006-09-04 Love Hörnquist Åstrand * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): fix argument to krb5_get_init_creds_opt_set_addressless. * lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the error when we actually have an error to catch. * lib/krb5/init_creds_pw.c: Remove debug printfs. * kuser/kinit.c: Remove debug printf * lib/krb5/krb5_get_init_creds.3: Document krb5_get_init_creds_opt_set_addressless. * kuser/kinit.c: Use new function krb5_get_init_creds_opt_set_addressless. * lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option to use the same tri-state option as the new addressless option. * lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac option to use the same tri-state option as the new addressless option. * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless): used to control the address-lessness of the initial tickets instead of passing in the empty set of address into krb5_get_init_creds_opt_set_addresses. 2006-09-01 Love Hörnquist Åstrand * kuser/kinit.c (renew_validate): inherit the proxiable and forwardable from the orignal ticket, pointed out by Bernard Antoine of CERN. * doc/setup.texi: More text about the acl_file entry and hdb-ldap-structural-object. From Rüdiger Ranft. * lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback lookups to 5. 
Patch from Wesley Craig, umich.edu * configure.in: Add special tests for , include test for sys/param.h and sys/types.h * appl/test/tcp_server.c (proto): use keytab for krb5_recvauth Patch from Ingemar Nilsson 2006-08-28 Love Hörnquist Åstrand * kuser/kdigest.c (help): use sl_slc_help(). * kdc/digest.c: Catch more errors, add SASL DIGEST MD5. * lib/krb5/digest.c: Catch more errors. 2006-08-25 Love Hörnquist Åstrand * doc/setup.texi: language. * doc/heimdal.texi: Add last updated text. * doc/heimdal.css: make box around heimdal title * doc/heimdal.css: Initial Heimdal css for the info manual * lib/krb5/digest.c: In the case where we get a DigestError back, save the error string and code. 2006-08-24 Love Hörnquist Åstrand * kdc/kerberos5.c: Remove _kdc_find_etype(), it's no longer used. * kdc/digest.c: Remove local error label and have just one exit label, set error strings properly. * kdc/digest.c: Simplify the disabled-service case. Check the allow-digest flag in the HDB entry for the client. * kdc/process.c (krb5_kdc_process_generic_request): check if we got a digest request and process it. * kdc/main.c: Register hdb keytab operations. * kdc/kdc.8: document [kdc]enable-digest=boolean * kdc/Makefile.am: add digest to libkdc * kdc/digest.c: Make a return a goto to avoid freeing un-inited memory in cleanup code. * kdc/default_config.c (krb5_kdc_default_config): default to all bits set to zero. * kdc/kdc.h (krb5_kdc_configuration): Add enable_digest * kdc/headers.h: Include . * lib/krb5/context.c (krb5_kerberos_enctypes): new function, returns the list of Kerberos encryption types sorted in order of most preferred to least preferred encryption type. * kdc/misc.c (_kdc_get_preferred_key): new function, Use the ordered list of preferred encryption types and sort the available keys and return the most preferred key. * kdc/krb5tgs.c: Adapt to the new signature of _kdc_find_keys().
* kdc/kerberos5.c: Handle session key etype separately from the tgt etype, now the krbtgt can be a aes-only key without the need to support not-as-good etypes for the krbtgt. 2006-08-23 Love Hörnquist Åstrand * kdc/misc.c: Change _kdc_db_fetch() to return the database pointer to if needed by the consumer. * kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database pointer to if needed by the consumer. * kdc/kerberos5.c: Change _kdc_db_fetch() to return the database pointer to if needed by the consumer. * kdc/kerberos4.c: Change _kdc_db_fetch() to return the database pointer to if needed by the consumer. * kdc/kaserver.c: Change _kdc_db_fetch() to return the database pointer to if needed by the consumer. * kdc/524.c: Change _kdc_db_fetch() to return the database pointer to if needed by the consumer. * kuser/kdigest-commands.in: Add --kerberos-realm, add client request command. * lib/krb5/Makefile.am: digest.c * lib/krb5/krb5.h: Add digest glue. * lib/krb5/digest.c (krb5_digest_set_authentication_user): use krb5_principal * lib/krb5/digest.c: Add digest support to the client side. 2006-08-21 Love Hörnquist Åstrand * lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on error and set return pointer to NULL (krb5_free_ap_rep_enc_part): permit freeing of NULL 2006-08-18 Love Hörnquist Åstrand * kdc/{Makefile.am,kdigest.c,kdigest-commands.in}: Frontend for remote digest service in KDC * lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl functions. * lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions, stores/retrieves a \n terminated string. * lib/krb5/krb5_locl.h: Default to address-less tickets. * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear error string on error. 2006-07-20 Love Hörnquist Åstrand * lib/krb5/crypto.c: remove aes-192 (CMS) * lib/krb5/crypto.c: Remove more CMS bits. * lib/krb5/crypto.c: Remove CMS symmetric encryption support. 
2006-07-13 Love Hörnquist Åstrand * kdc/pkinit.c (_kdc_pk_check_client): make it not crash when there are no acl * kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos database * lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to HDB-Ext-PKINIT-hash. Add trust anchor to HDB-Ext-PKINIT-acl. * lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to asn1_HDB_Ext_PKINIT_hash * lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash(). 2006-07-10 Love Hörnquist Åstrand * kuser/kinit.c: If --password-file gets STDIN, read the password from the standard input. * kuser/kinit.1: Document --password-file=STDIN. * lib/krb5/krb5_string_to_key.3: Remove duplicate to. 2006-07-06 Love Hörnquist Åstrand * kdc/krb5tgs.c: (tgs_build_reply): when checking for removed principals, check the second component of the krbtgt, otherwise cross realm wont work. Prompted by report from Mattias Amnefelt. 2006-07-05 Love Hörnquist Åstrand * kdc/connect.c (handle_vanilla_tcp): use unsigned integer for for length (handle_tcp): if the high bit it set in the unknown case, send back a KRB_ERR_FIELD_TOOLONG 2006-07-03 Love Hörnquist Åstrand * appl/gssmask/gssmaestro.c: Add get_version_capa, cache target_name. 
* appl/gssmask/gssmask.c: use utname() to find the local hostname and version of operatingsystem * appl/gssmask/common.h: include * appl/gssmask/gssmask.c: break out creation of a client and make handleServer pthread_create compatible * appl/gssmask/gssmaestro.c: break out out the build context function 2006-07-01 Love Hörnquist Åstrand * appl/gssmask/gssmaestro.c: externalize slave handling, add GetTargetName glue * appl/gssmask/gssmaestro.c: externalize principal/password handling * lib/krb5/principal.c (krb5_parse_name): set *principal to NULL the first thing we do, so that on failure its set to a known value * appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to avoid memory corruption GetTargetName: always send a string, even though we don't have a targetname * appl/gssmask: break out common function; add gssmaestro (that only tests one context for now) 2006-06-30 Love Hörnquist Åstrand * lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on malloc failure * appl/gssmask/gssmask.c: split out fetching of credentials for easier reuse for pk-init testing * appl/gssmask: maggot replacement, handles context testing * lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME as the default prefix 2006-06-28 Love Hörnquist Åstrand * doc/heimdal.texi: Add Doug Rabson's license 2006-06-22 Love Hörnquist Åstrand * lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the krb5_get_init_creds_opt structure. * lib/krb5/init_creds_pw.c: Save KRB-ERROR on error. 
* lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add KRB-ERROR 2006-06-21 Love Hörnquist Åstrand * doc/setup.texi: section about verify_krb5_conf and kadmin check 2006-06-15 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred argument, its unused * lib/krb5/Makefile.am: install krb5_get_creds.3 * lib/krb5/krb5_get_creds.3: new file 2006-06-14 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is ARCFOUR key already. Idea from Andreas Hasenack. While here, set pw change time using sambaPwdLastSet * kdc/kerberos4.c: Use enable_v4_per_principal and check the new hdb flag. * kdc/kdc.h: Add enable_v4_per_principal 2006-06-12 Love Hörnquist Åstrand * kdc/kerberos5.c (_kdc_as_rep): if kdc_time + config->kdc_warn_pwexpire is past pw_end, add expiration message. From Bernard Antoine. * kdc/default_config.c (krb5_kdc_default_config): set kdc_warn_pwexpire to 0 * kdc/kerberos5.c: indent. 2006-06-07 Love Hörnquist Åstrand * kdc/kerberos5.c: constify 2006-06-06 Love Hörnquist Åstrand * lib/krb5/get_cred.c: Allow setting additional tickets in the tgs-req * kuser/kgetcred.c: add --delegation-credential-cache * kdc/krb5tgs.c (tgs_build_reply): add constrained delegation. * kdc/krb5tgs.c: Add impersonation. * kuser/kgetcred.c: use new krb5_get_creds interface, add impersonation. * lib/krb5/get_cred.c (krb5_get_creds): add KRB5_GC_NO_TRANSIT_CHECK * lib/krb5/misc.c: Add impersonate support functions. * lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface. * lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation * lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more KRB5_GC flags. 2006-06-01 Love Hörnquist Åstrand * lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function. * lib/krb5/pkinit.c: Avoid more shadowing. * kdc/connect.c (do_request): clean reply with krb5_data_zero * kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local clien must exists test. 
* kdc/krb5tgs.c: Plug old memory leaks, unify all goto's. * kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and tgs_build_reply. * kdc/kerberos5.c: split out krb5 tgs req to make it easier to reorganize the code. 2006-05-29 Love Hörnquist Åstrand * lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell * lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell 2006-05-13 Love Hörnquist Åstrand * kpasswd/kpasswdd.c (change): select the realm based on the target principal From Gabor Gombas * lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO * lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO 2006-05-12 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed. Fix a warning. * doc/setup.texi: Point to more examples, hint that you have to use openssl 0.9.8a or later. * doc/setup.texi: DIR now handles both PEM and DER. * kuser/kinit.c: Pass down prompter and password to krb5_get_init_creds_opt_set_pkinit. * lib/krb5/pkinit.c (_krb5_pk_load_id): only use the password if it is longer than 0 * doc/ack.texi: Add Jason McIntyre. * lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason McIntyre. 2006-05-11 Love Hörnquist Åstrand * kuser/kinit.c: Move parsing of the PK-INIT configuration file to the library so the application doesn't need to deal with it. * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move parsing of the configuration file to the library so the application doesn't need to deal with it. * lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to when trying to read the user certificate. * lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1 on failure. Pointed out by Douglas E. Engert. 2006-05-08 Love Hörnquist Åstrand * lib/krb5/crypto.c: Catches both keyed checkout w/o crypto context cases and doesn't reset the string, and corrects the grammar. * lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support, it's all contained in libhcrypto and libhx509 now.
2006-05-07 Love Hörnquist Åstrand * lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use hx509_get_one_cert. * lib/krb5/crypto.c (create_checksum): provide an error message that a keyed checksum needs a key. From Andrew Bartlett. 2006-05-06 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check for hx509 null DH. * kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exist in older OpenSSL. * doc/heimdal.texi: Add blob about imath. * doc/ack.texi: Add blob about imath. * include/make_crypto.c: Move up evp.h to please OpenSSL, from Douglas E. Engert. * kcm/acl.c: Multicache kcm iteration isn't done yet, let's wait with this enum. 2006-05-05 Love Hörnquist Åstrand * lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn Sandell * lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell * lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell * lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn Sandell * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn Sandell * lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit kvno if the rest of the data is longer than 4 bytes in the hope of being forward compatible. Pointed out by Michael B Allen. * doc/programming.texi: Add fileformats. * appl/test: Rename u_intXX_t to uintXX_t * kuser: Rename u_intXX_t to uintXX_t * kdc: Rename u_intXX_t to uintXX_t * lib/hdb: Rename u_intXX_t to uintXX_t * lib/45]: Rename u_intXX_t to uintXX_t * lib/krb5: Rename u_intXX_t to uintXX_t * lib/krb5/Makefile.am: Add test_store to TESTS * lib/krb5/pkinit.c: Catch using hx509 null DH and print a more useful error message. * lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan. 2006-05-04 Love Hörnquist Åstrand * kdc/kerberos4.c: Use the new unsigned integer storage types. * kdc/kaserver.c: Use the new unsigned integer storage types. Sprinkle some error handling.
* lib/krb5/krb5_storage.3: Document ret and store function for the unsigned fixed size integer types. * lib/krb5/v4_glue.c: Use the new unsigned integer storage types. Fail that the address doesn't match, not the reverse. * lib/krb5/store.c: Add ret and store function for the unsigned fixed size integer types. * lib/krb5/test_store.c: Test the integer storage types. 2006-05-03 Love Hörnquist Åstrand * lib/krb5/store.c (krb5_store_principal): make it take a krb5_const_principal, indent * lib/krb5/krb5_storage.3: krb5_store_principal takes a krb5_const_principal * lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no longer a pointer. * kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file * kdc/config.c: read [kdc]pki-kdc-ocsp 2006-05-02 Love Hörnquist Åstrand * kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if it seems to be valid, simplfy the pkinit-windows DH case (it doesn't exists). 2006-05-01 Love Hörnquist Åstrand * lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes, from Björn Sandell. 
* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_address.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from Björn Sandell. * lib/krb5/krb5.3: Spelling, from Björn Sandell. * doc/ack.texi: add Björn 2006-04-30 Love Hörnquist Åstrand * lib/krb5/pkinit.c (cert2epi): don't include subject if it's null 2006-04-29 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Send over what trust anchors the client has configured. * lib/krb5/pkinit.c (pk_verify_host): set better error string, only check kdc name/address when we got a hostname/address passed in to the function. * kdc/pkinit.c (_kdc_pk_check_client): reorganize and log when a SAN matches. 2006-04-28 Love Hörnquist Åstrand * doc/setup.texi: More options and some text about windows clients, certificates and KDCs. * doc/setup.texi: notice that the pki-mappings file is whitespace sensitive * doc/setup.texi: Example pki-mapping file. * lib/krb5/pkinit.c (pk_verify_host): verify hostname/address * lib/hdb/hdb.h: Bump hdb interface version to 4. 2006-04-27 Love Hörnquist Åstrand * kuser/kdestroy.1: Document --credential=principal. * kdc/kerberos5.c (tgs_rep2): check that the client exists in the kerberos database if it's a local request. * kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_ flags as appropriate * kdc/kerberos4.c (_kdc_db_fetch4): pass down flags through krb5_425_conv_principal_ext2 * kdc/misc.c (_kdc_db_fetch): Break out the that we request from principal from the entry and pass it in as a separate argument. * lib/hdb/keytab.c (hdb_get_entry): Break out the that we request from principal from the entry and pass it in as a separate argument. * lib/hdb/common.c: Break out the that we request from principal from the entry and pass it in as a separate argument.
* lib/hdb/hdb.h: Break out the that we request from principal from the entry and pass it in as a seprate argument. Add more flags to ->hdb_get(). Re-indent. 2006-04-26 Love Hörnquist Åstrand * doc/setup.texi: document pki-allow-proxy-certificate * kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool to allow using proxy certificate. * lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose hx509_verify_set_proxy_certificate * kdc/pkinit.c (_kdc_pk_check_client): Use hx509_cert_get_base_subject to get subject name of the certificate, needed for proxy certificates. * kdc/kerberos5.c: Now that find_keys speaks for it self, remove extra logging. * kdc/kerberos5.c (find_keys): add client_name and server_name argument and use them, and adapt callers. 2006-04-25 Love Hörnquist Åstrand * kuser/kinit.1: document option password-file * kuser/kinit.c: Add option password-file, read password from the first line of a file. * configure.in: make tests/kdc/Makefile * kdc/kerberos5.c: Catch the case where the client sends no encryption types or no pa-types. * lib/hdb/ext.c (hdb_replace_extension): set error message on failure, not success. * lib/hdb/keys.c (parse_key_set): handle error case better (hdb_generate_key_set): return better error 2006-04-24 Love Hörnquist Åstrand * lib/hdb/hdb.c (hdb_create): print out what we don't support * lib/krb5/principal.c: Remove a double free introduced in 1.93 * lib/krb5/log.c (log_file): reset pointer to freed memory * lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to make sure its not refereced * tools/krb5-config.in: libhcrypto might depend on libasn1, switch order * lib/krb5/recvauth.c: indent * doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node Listing. * lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the function can verify the certificate is from the right realm. 
* lib/krb5/init_creds_pw.c: Pass down realm to _krb5_pk_rd_pa_reply 2006-04-23 Love Hörnquist Åstrand * lib/krb5/pkinit.c (pk_verify_host): Add beginning of finding subjectAltName_otherName pk-init-san and verifying it. * lib/krb5/sendauth.c: reindent * doc/Makefile.am: use --no-split to make one large file, mostly for html * doc/setup.texi: "document" pkinit_require_eku and pkinit_require_krbtgt_otherName * lib/krb5/pkinit.c: Add pkinit_require_eku and pkinit_require_krbtgt_otherName * doc/setup.texi: Add text about pk-init * tools/kdc-log-analyze.pl: count v5 cross realms too 2006-04-22 Love Hörnquist Åstrand * kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1. * lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1. 2006-04-20 Love Hörnquist Åstrand * kdc/pkinit.c (_kdc_pk_rd_padata): use hx509_cms_unwrap_ContentInfo. * kdc/config.c: unbreak * lib/krb5/pkinit.c: Handle differences between libhcrypto and libcrypto. * kdc/config.c: Rename pki-chain to pki-pool to match rest of code. 2006-04-12 Love Hörnquist Åstrand * lib/krb5/rd_priv.c: Fix argument to krb5_data_zero. * kdc/config.c: Added certificate revocation information from configuration file. * kdc/pkinit.c: Added certificate revocation information. * kuser/kinit.c: Added certificate revocation information from configuration file. * lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revocation information, i.e. CRLs 2006-04-10 Love Hörnquist Åstrand * lib/krb5/replay.c (krb5_rc_resolve_full): make compile again. * lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile again.
* lib/krb5/transited.c (make_path): make sure we return allocated memory Coverity, NetBSD CID#1892 * lib/krb5/transited.c (make_path): make sure we return allocated memory Coverity, NetBSD CID#1892 * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on protocol failure, avoid leaking memory Coverity, NetBSD CID#1900 * lib/krb5/principal.c (krb5_parse_name): remember to free realm in case of error Coverity, NetBSD CID#1883 * lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove memory leak in case of weird formated dns replys. Coverity, NetBSD CID#1885 * lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer to a allocated krb5_rcache in case of error. * lib/krb5/log.c (krb5_addlog_dest): free fn in case of error Coverity, NetBSD CID#1882 * lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error handling. Coverity, NetBSD CID#2369 * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): in_creds->client should always be set, assume so. * lib/krb5/keytab_any.c (any_next_entry): restructure to make it easier to read Fixes Coverity, NetBSD CID#625 * lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL check. Coverity NetBSD CID#2367 * lib/krb5/build_auth.c (krb5_build_authenticator): use calloc. removed check that was never really used. Coverity NetBSD CID#2370 2006-04-09 Love Hörnquist Åstrand * lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´ points to NULL in case of error, add error handling, use calloc. * kpasswd/kpasswdd.c (doit): when done, close all fd in the sockets array and free it. 
Coverity NetBSD CID#1916 2006-04-08 Love Hörnquist Åstrand * lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity, NetBSD CID#1695 * kdc/524.c (_kdc_do_524): Handle memory allocation failure Coverity, NetBSD CID#2752 2006-04-07 Love Hörnquist Åstrand * lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory leak Coverity NetBSD CID#1890 * kdc/hprop.c (main): make sure type doesn't need to be set * kdc/mit_dump.c (mit_prop_dump): close fd when done processing Coverity NetBSD CID#1955 * kdc/string2key.c (tokey): catch warnings, free memory after use. Based on Coverity NetBSD CID#1894 * kdc/hprop.c (main): remove dead code. Coverity NetBSD CID#633 2006-04-04 Love Hörnquist Åstrand * kpasswd/kpasswd-generator.c (read_words): catch empty file case, will cause PBE (division by zero) later. From Tobias Stoeckmann. 2006-04-02 Love Hörnquist Åstrand * lib/hdb/keytab.c: Remove a delta from last revision that should have gone in later. * lib/krb5/krbhst.c: fix spelling * lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed pointer, found by IBM checker. * lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer, found by IBM checker. * lib/krb5/addr_families.c (krb5_make_addrport): clear return value on error, found by IBM checker. * kdc/kerberos5.c (check_addresses): treat netbios as no addresses * kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex * kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to avoid ?:'s at callers * lib/krb5/v4_glue.c: Avoid using free memory, found by IBM checker. * lib/krb5/transited.c (expand_realm): avoid passing NULL to strlen, found by IBM checker. * lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc failure, found by IBM checker. * lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy with a memcpy * lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory leak, found by IBM checker. 
* lib/krb5/keytab_file.c (fkt_next_entry_int): remove a dereferencing NULL pointer, found by IBM checker. * lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the cname must always be given, don't avoid that fact and remove a cname == NULL case. Plugs a memory leak found by IBM checker. * lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing free-ed memory on error. Found by IBM checker. * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use calloc to avoid uninitialized memory problem. * lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory on error. Found by IBM checker. * lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by IBM checker. * lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker thought it found a memory leak, it didn't, but there was another error in the code, lets fix that instead. * lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory leak. Found by IBM checker. * lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return pointer to freed memory in the error case. Found by IBM checker. * lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM checker. * lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before going into the error clause and freeing key_set. Found by IBM checker. Make sure ret == 0 after of parse error, we catch the "no entries parsed" case later. * lib/krb5/log.c (krb5_addlog_dest): make string length match strings in strcasecmp. Found by IBM checker. 2006-03-30 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set variable_name as "hdb_entry_ex" (hdb_ldap_common): change "arg" in condition (if) to "search_base" (hdb_ldapi_create): change "serach_base" to "search_base" From Alex V. Labuta. * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit); fix prototype * kuser/kinit.c: Add pool of certificates to help certificate path building for clients sending incomplete path in the signedData. 
2006-03-28 Love Hörnquist Åstrand * kdc/pkinit.c: Add pool of certificates to help certificate path building for clients sending incomplete path in the signedData. * lib/krb5/pkinit.c: Add pool of certificates to help certificate path building for clients sending incomplete path in the signedData. 2006-03-27 Love Hörnquist Åstrand * kdc/config.c: Allow passing in related certificates used to build the chain. * kdc/pkinit.c: Allow passing in related certificates used to build the chain. * kdc/kerberos5.c (log_patype): Add case for KRB5_PADATA_PA_PK_OCSP_RESPONSE. * tools/Makefile.am: Spelling * tools/krb5-config.in: Add hx509 when using PK-INIT. * tools/Makefile.am: Add hx509 when using PK-INIT. 2006-03-26 Love Hörnquist Åstrand * lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS X Kerberos.app problems. * lib/krb5/krb5_ccapi.h: Add ticket flags definitions * lib/krb5/pkinit.c: Use less openssl, spell chelling. * kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with asn1 wrapping * configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile * lib/Makefile.am: Add hx509. * lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used. * configure.in: define automake PKINIT variable * kdc/pkinit.c: Switch to hx509. * lib/krb5/pkinit.c: Switch to hx509. 2006-03-24 Love Hörnquist Åstrand * kdc/kerberos5.c (log_patypes): log the patypes requested by the client 2006-03-23 Love Hörnquist Åstrand * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the req_buffer in the w2k case too. From Douglas E. Engert. 2006-03-19 Love Hörnquist Åstrand * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto error handling. Fixes Coverity NetBSD CID 2591 by catching a failing krb5_copy_keyblock() 2006-03-17 Love Hörnquist Åstrand * lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in address when free-ing. 
Fixes Coverity NetBSD bug #2605 (krb5_parse_address): reset val,len before possibly return errors Fixes Coverity NetBSD bug #2605 2006-03-07 Love Hörnquist Åstrand * lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but make sure nbytes > 0 * lib/krb5/get_for_creds.c (add_addrs): handle the case where addr->len == 0 and n == 0, then realloc might return NULL. * lib/krb5/crypto.c (decrypt_*): handle the case where the plaintext is 0 bytes long, realloc might then return NULL. 2006-02-28 Love Hörnquist Åstrand * lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived. * lib/krb5/krb5.3: Remove krb5_string_to_key_derived. * lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2 and use PKCS5_PBKDF2_HMAC_SHA1 instead. * lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory * lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1. 2006-02-27 Johan Danielsson * doc/setup.texi: remove cartouches - we don't use them anywhere else, they should be around the example, not inside it, and probably shouldn't be used in html at all 2006-02-18 Love Hörnquist Åstrand * lib/krb5/krb5_warn.3: Document that applications want to use krb5_get_error_message, add example. 2006-02-16 Love Hörnquist Åstrand * lib/krb5/crypto.c (krb5_generate_random_block): check return value from RAND_bytes * lib/krb5/error_string.c: Change indentation, update (c) 2006-02-14 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when compiling w/o pkinit. 2006-02-13 Love Hörnquist Åstrand * lib/krb5/pkinit.c: update to new paChecksum definition, update the dhgroup handling * kdc/pkinit.c: update to new paChecksum definition, use hdb_entry_ex 2006-02-09 Love Hörnquist Åstrand * lib/krb5/krb5_locl.h: Move Configurable options to last in the file. 
* lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef 2006-02-03 Love Hörnquist Åstrand * kpasswd/kpasswdd.c: Send back a better error message to the client in case the password change was rejected. * lib/krb5/krb5_warn.3: Document krb5_get_error_message. * lib/krb5/error_string.c (krb5_get_error_message): new function, a combination of krb5_get_error_string and krb5_get_err_text * lib/krb5/krb5.3: sort, and krb5_get_error_message * lib/hdb/hdb-ldap.c: Log the filter string to the error message when doing searches. * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): Use KRB5_ADDRESSLESS_DEFAULT when checking [appdefault]no-addresses. * lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use KRB5_ADDRESSLESS_DEFAULT when checking [appdefault]no-addresses. * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): Use [appdefault]no-addresses before checking if the krbtgt is address-less, use KRB5_ADDRESSLESS_DEFAULT. * lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that controls all address-less behavior. Defaults to false. 2006-02-01 Love Hörnquist Åstrand * lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION * lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE fails to produce the matching lengths. 2006-01-27 Love Hörnquist Åstrand * kcm/protocol.c (kcm_op_retrieve): remove unused variable 2006-01-15 Love Hörnquist Åstrand * tools/krb5-config.in: Move dependency on @LIB_dbopen@ to kadm-server, the kerberos library doesn't depend on the db-library. 2006-01-13 Love Hörnquist Åstrand * include/Makefile.am: Don't clean crypto headers, they now live in hcrypto/. Add hcrypto to SUBDIRS. * include/hcrypto/Makefile.am: clean installed headers * include/make_crypto.c: include crypto headers from hcrypto/ * include/make_crypto.c: Include more crypto headerfiles. Remove support for old hash names. 2006-01-02 Love Hörnquist Åstrand * kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry, from Andrew Bartlett. * Happy New Year.
heimdal-1.7~git20150920+dfsg/ChangeLog.2007000066400000000000000000001112501257755311500176040ustar00rootroot000000000000002007-12-28 Love Hörnquist Åstrand * kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the type2 message. 2007-12-14 Love Hörnquist Åstrand * lib/hdb/dbinfo.c: Add hdb_default_db(). * Makefile.am: Add some extra cf/*. 2007-12-12 Love Hörnquist Åstrand * kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov. 2007-12-09 Love Hörnquist Åstrand * kdc/log.c: Use hdb_db_dir(). * kpasswd/kpasswdd.c: Use hdb_db_dir(). 2007-12-08 Love Hörnquist Åstrand * kdc/config.c: Use hdb_db_dir(). * kdc/kdc_locl.h: add KDC_LOG_FILE * kdc/hpropd.c: Use hdb_default_db(). * kdc/kstash.c: Use hdb_db_dir(). * kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir(). * lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check. * lib/krb5/verify_krb5_conf.c: Check check_pac. * lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac field in the krb5_rd_req_in_ctx * lib/krb5/expand_hostname.c: Adapt to changing dns_canonicalize_hostname into flags field. * lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname into flags field, add check-pac as an libdefaults option. * lib/krb5/pkinit.c: Adapt to changes in hx509 interface. * doc: add doxygen documentation to hcrypto * doc/doxytmpl.dxy: generate links 2007-12-07 Love Hörnquist Åstrand * lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h * lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the hdb database resides. * configure.in: Add --with-hdbdir to specify where the database is stored. * lib/krb5/crypto.c: revert previous patch, the problem is located in the RAND_file_name() function that will cause recursive nss lookups, can't fix that here. 2007-12-06 Love Hörnquist Åstrand * lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the dead-lock in by not holding the lock while running RAND_file_name. Prompted by Hai Zaar. 
* lib/krb5/n-fold.c: spelling 2007-12-04 Love Hörnquist Åstrand * kuser/kdigest.c (digest-probe): implement command. * kuser/kdigest-commands.in (digest-probe): new command * kdc/digest.c: Implement supportedMechs request. * lib/krb5/error_string.c: Make krb5_get_error_string return an allocated string to make the function indempotent. From Zeqing (Fred) Xia. 2007-12-03 Love Hörnquist Åstrand * lib/krb5/krb5_locl.h (krb5_context_data): Flag if default_cc_name was set by the user. * lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate. * kcm/acquire.c: use krb5_free_cred_contents * kuser/kimpersonate.c: use krb5_free_cred_contents * kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the cred cache. * lib/krb5/cache.c: Put back code that was needed, move gen_new into new_unique. * lib/krb5/mcache.c (mcc_default_name): Remove const * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE * lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the default name. * lib/krb5/kcm.c: Implement krb5_cc_ops->default_name. * lib/krb5/mcache.c: Implement krb5_cc_ops->default_name. * lib/krb5/fcache.c: Implement krb5_cc_ops->default_name. * lib/krb5/krb5.h: Add krb5_cc_ops->default_name. * lib/krb5/acache.c: Free context when done, implement krb5_cc_ops->default_name. * lib/krb5/kcm.c: implement dummy kcm_move * lib/krb5/mcache.c: Implement the move operation. * lib/krb5/version-script.map: export krb5_cc_move * lib/krb5/cache.c: New function krb5_cc_move(). * lib/krb5/fcache.c: Implement the move operation. * lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major version bump. * lib/krb5/acache.c: Implement the move operation. Avoid using cc_set_principal() since it broken on Mac OS X 10.5.0. 2007-12-02 Love Hörnquist Åstrand * lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow. 
2007-11-14 Love Hörnquist Åstrand * kdc/krb5tgs.c: Should pass different key usage constants depending on whether or not optional sub-session key was passed by the client for the check of authorization data. The constant is used to derive "specific key" and its values are specified in 7.5.1 of RFC4120. Patch from Andy Polyakov. * kdc/krb5tgs.c: Don't send auth data in referrals, microsoft clients have started to not like that. Thanks to Andy Polyakov for excellent research. 2007-11-11 Love Hörnquist Åstrand * lib/krb5/creds.c: use krb5_data_cmp * lib/krb5/acache.c: use krb5_free_cred_contents * lib/krb5/test_renew.c: use krb5_free_cred_contents 2007-11-10 Love Hörnquist Åstrand * lib/krb5/acl.c: doxygen documentation * lib/krb5/addr_families.c: doxygen documentation * doc: add doxygen * lib/krb5/plugin.c: doxygen documentation * lib/krb5/kcm.c: doxygen documentation * lib/krb5/fcache.c: doxygen documentation * lib/krb5/cache.c: doxygen documentations * lib/krb5/doxygen.c: doxygen introduction * lib/krb5/error_string.c: Doxygen documentation. 2007-11-03 Love Hörnquist Åstrand * lib/krb5/test_plugin.c: expose krb5_plugin_register * lib/krb5/plugin.c: expose krb5_plugin_register * lib/krb5/version-script.map: sort, expose krb5_plugin_register 2007-10-24 Love Hörnquist Åstrand * kdc/kerberos5.c: Adding same enctype is enough one time. From Andy Polyakov and Bjorn Sandell. 2007-10-18 Love * lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value from krb5_cc_start_seq_get. From Zeqing (Fred) Xia * lib/krb5/fcache.c (init_fcc): provide better error codes * kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid sending warning about pruned etypes. * kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour based) "old", this to support windows 2000 clients (unjoined to a domain). From Andy Polyakov. 2007-10-07 Love Hörnquist Åstrand * doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell. 
2007-10-04 Love Hörnquist Åstrand * kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA Ken'ichi. * lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is NULL on failure. 2007-10-03 Love Hörnquist Åstrand * kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from krb5_addr2sockaddr and igore thte test is that case. 2007-09-29 Love Hörnquist Åstrand * lib/krb5/context.c (krb5_free_context): free default_cc_name_env, from Gunther Deschner. 2007-08-27 Love Hörnquist Åstrand * lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make work with c++, reported by Hai Zaar * lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar 2007-08-20 Love Hörnquist Åstrand * lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema 2007-07-31 Love Hörnquist Åstrand * check return value of alloc functions, from Charles Longeau * lib/krb5/principal.c: spelling. * kadmin/kadmin.8: spelling * lib/krb5/crypto.c: Check return values from alloc functions. Prompted by patch of Charles Longeau. * lib/krb5/n-fold.c: Make _krb5_n_fold return a error code. Prompted by patch of Charles Longeau. 2007-07-27 Love Hörnquist Åstrand * lib/krb5/init_creds.c: Always set the ticket options, use KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset tri-state not so useful. 2007-07-24 Love Hörnquist Åstrand * tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of libraries. * tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in heimdal. * tools/Makefile.am: Add heimdal-gssapi.pc and install it into $(libdir)/pkgconfig 2007-07-23 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default. 2007-07-22 Love Hörnquist Åstrand * lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as key if the entry is a correct entry. * lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from Gunther Deschner. * lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS. * lib/krb5/test_renew.c: Test for krb5_get_renewed_creds. 
2007-07-21 Love Hörnquist Åstrand * lib/hdb/keys.c: Make parse_key_set handle key set string "v5", from Peter Meinecke. * kdc/kaserver.c: Don't ovewrite the error code, from Peter Meinecke. 2007-07-18 Love Hörnquist Åstrand * TODO-1.0: remove * Makefile.am: remove TODO-1.0 2007-07-17 Love Hörnquist Åstrand * Heimdal 1.0 release branch cut here * doc/hx509.texi: use version.texi * doc/heimdal.texi: use version.texi * doc/version.texi: version.texi * lib/hdb/db3.c: avoid type-punned pointer warning. * kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to please OpenSSL and gcc. * kdc/digest.c: Use unsigned char * as argument to MD5_Update to please OpenSSL and gcc. 2007-07-16 Love Hörnquist Åstrand * include/Makefile.am: Add krb_err.h. * kdc/set_dbinfo.c: Print acl file too. * kdc/kerberos4.c: Error codes are just fine, remove XXX now. * lib/krb5/krb5-v4compat.h: Drop duplicate error codes. * kdc/kerberos4.c: switch to ET errors. * lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ. * lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the et BASE. 2007-07-15 Love Hörnquist Åstrand * lib/krb5/krb5-v4compat.h: Include "krb_err.h". * lib/krb5/v4_glue.c: return more interesting error codes. * lib/krb5/plugin.c: Prefix enum plugin_type. * lib/krb5/krb5_locl.h: Expose plugin structures. * lib/krb5/krb5.h: Add plugin structures. * lib/krb5/krb_err.et: V4 errors. * lib/krb5/version-script.map: First version of version script. 2007-07-13 Love Hörnquist Åstrand * kdc/kerberos5.c: Java 1.6 expects the name to be the same type, lets allow that for uncomplicated name-types. 2007-07-12 Love Hörnquist Åstrand * lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains address 0, its ticket less and don't really care about from_addr. return better error codes. * kpasswd/kpasswdd.c: Fix pointer vs strict alias rules. 2007-07-11 Love Hörnquist Åstrand * lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding more then one enctype 23 to krb5EncryptionType. 
* lib/krb5/cache.c: Spelling. * kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO. (get_pa_etype_info2): return the enctypes as sorted in the database 2007-07-10 Love Hörnquist Åstrand * kuser/kinit.c: krb5-v4compat.h defines prototypes for v4 (semiprivate functions) in libkrb5, don't include krb5-private.h any longer. * lib/krb5/krbhst.c: Set error string when there is no KDC for a realm. * lib/krb5/Makefile.am: New library version. * kdc/Makefile.am: New library version. * lib/krb5/krb5_locl.h: Add default_cc_name_env. * lib/krb5/cache.c (enviroment_changed): return non-zero if enviroment that will determine default krb5cc name has changed. (krb5_cc_default_name): also check if cached value is uptodate. * lib/krb5/krb5_locl.h: Drop pkinit_flags. 2007-07-05 Love Hörnquist Åstrand * configure.in: add tests/java/Makefile * lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file. 2007-07-04 Love Hörnquist Åstrand * kdc/kerberos5.c: Improve the default salt detection to avoid returning v4 password salting to java that doesn't look at the returning padata for salting. * kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett 2007-07-02 Love Hörnquist Åstrand * kdc/digest.c: Try harder to provide better error message for digest messages. * lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on krb5-pr*.h, make -j finds this. 2007-06-28 Love Hörnquist Åstrand * kdc/digest.c: On success, print username, not ip-adress. 2007-06-26 Love Hörnquist Åstrand * lib/krb5/get_cred.c: Add krb5_get_renewed_creds. * lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds * lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo. 2007-06-25 Love Hörnquist Åstrand * doc/setup.texi: Add example for pkinit_win2k_require_binding in [kdc] section. * kdc/default_config.c: Rename require_binding to win2k_require_binding to match client configuration. * kdc/default_config.c: Add [kdc]pkinit_require_binding option. 
* kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply if its not required. * kdc/default_config.c: rename pkinit_princ_in_cert and add pkinit_require_binding * kdc/kdc.h: rename pkinit_princ_in_cert and add pkinit_require_binding * kdc/pkinit.c: rename pkinit_princ_in_cert 2007-06-24 Love Hörnquist Åstrand * lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change. 2007-06-21 Love Hörnquist Åstrand * kdc/krb5tgs.c: Drop unused variable. * kdc/krb5tgs.c: disable anonyous tgs requests * kdc/krb5tgs.c: Don't check PAC on cross realm for now. * kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse nametypes. * lib/krb5/krb5_principal.3: Document krb5_parse_nametype. * lib/krb5/principal.c (krb5_parse_nametype): parse nametype and return their integer values. * lib/krb5/krb5.h (krb5_get_creds): Add KRB5_GC_CONSTRAINED_DELEGATION. * lib/krb5/get_cred.c (krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous and constrained_delegation. 2007-06-20 Love Hörnquist Åstrand * kdc/digest.c: Return an error message instead of dropping the packet for more failure cases. * lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY. * appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more gracefully 2007-06-18 Love Hörnquist Åstrand * lib/krb5/pac.c: make compile. * lib/krb5/pac.c (verify_checksum): memset cksum to avoid using pointer from stack. * lib/krb5/plugin.c: Don't expose free pointer. * lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first calloc. * lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory * lib/krb5/krbhst.c: Host is static memory, don't free. * lib/krb5/crypto.c (decrypt_internal_derived): make sure length is longer then confounder + checksum. * kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from users. This to allows libkdc users to to specify their own databases * lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of content data (and avoid leaking memory). 
* kdc/misc.c (_kdc_db_fetch): set error string for failures. 2007-06-15 Love Hörnquist Åstrand * kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS. 2007-06-13 Love Hörnquist Åstrand * kdc/pkinit.c: tell user when they got a pk-init request with pkinit disabled. 2007-06-12 Love Hörnquist Åstrand * lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY. * lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY. * lib/krb5/principal.c: Make no-quote mean replace strange chars with space. * lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. * lib/krb5/test_princ.c: Test quoteing. * lib/krb5/pkinit.c: update (c) * lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC. * lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole process needs to restart or just skip this KDC. * lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to KDC. * lib/krb5/krb5.h: Add sendto hooks and opaque structure. * lib/krb5/krb5_rd_error.3: Update prototype. * lib/krb5/send_to_kdc.c: Add hooks for processing the reply from the server. 2007-06-11 Love Hörnquist Åstrand * lib/krb5/krb5_err.et: Some new error codes from RFC 4120. 2007-06-09 Love Hörnquist Åstrand * kdc/krb5tgs.c: Constify. * kdc/kerberos5.c: Constify. * kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify. 2007-06-08 Love Hörnquist Åstrand * include/Makefile.am: Make krb5-types.h nodist_include_HEADERS. * kdc/Makefile.am: EXTRA_DIST += version-script.map. 2007-06-07 Love Hörnquist Åstrand * Makefile.am (print-distdir): print name of dist * kdc/pkinit.c: Break out loading of mappings file to a separate function and remove warning that it can't open the mapping file, there are now mappings in the db, maybe the users uses that instead... * lib/krb5/crypto.c: Require the raw key have the correct size and do away with the minsize. 
Minsize was a thing that originated from RC2, but since RC2 is done in the x509/cms subsystem now there is no need to keep that around. * lib/hdb/dbinfo.c: If there is no default dbname, also check for unset mkey_file and set it to the default mkey name, make backward compat stuff work. * kdc/version-script.map: add new symbols * kdc/kdc-replay.c: Also update krb5_context view of what the time is. * configure.in: add tests/can/Makefile * kdc/kdc-replay.c: Add --[version|help]. * kdc/pkinit.c: Push down the kdc time into the x509 library. * kdc/connect.c: Move up krb5_kdc_save_request so we can catch the reply data too. * kdc/kdc-replay.c: verify reply by checking asn1 class, type and tag of the reply if there is one. * kdc/process.c: Save asn1 class, type and tag of the reply if there is one. Used to verify the reply in kdc-replay. 2007-06-06 Love Hörnquist Åstrand * kdc/kdc_locl.h: extern for request_log. * kdc/Makefile.am: Add kdc-replay. * kdc/kdc-replay.c: Replay kdc messages to the KDC library. * kdc/config.c: Pick up request_log from [kdc]kdc-request-log. * kdc/connect.c: Option to save the request to disk. * kdc/process.c (krb5_kdc_save_request): save request to file. * kdc/process.c (krb5_kdc_process*): don't update _kdc_time automagically. (krb5_kdc_update_time): set or get current kdc-time. * kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and pkauthdata as the signeddata oid * kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong. 2007-06-05 Love Hörnquist Åstrand * kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to match windows DC behavior better. 2007-06-04 Love Hörnquist Åstrand * configure.in: use test for -framework Security * appl/test/uu_server.c: Print status to stdout. * kdc/digest.c (digest ntlm): provide log entries by setting ret to an error. 2007-06-03 Love Hörnquist Åstrand * doc/hx509.texi: Indent crl-sign. * doc/hx509.texi: One more crl-sign example. * lib/krb5/test_princ.c: plug memory leaks. 
* lib/krb5/pac.c: plug memory leaks. * lib/krb5/test_pac.c: plug memory leaks. * lib/krb5/test_prf.c: plug memory leak. * lib/krb5/test_cc.c: plug memory leaks. * doc/hx509.texi: Simple blob about publishing CRLs. * doc/win2k.texi: drop text about enctypes. 2007-06-02 Love Hörnquist Åstrand * kdc/pkinit.c: In case of OCSP verification failure, referash every 5 min. In case of success, refreash 2 min before expiring or faster. 2007-05-31 Love Hörnquist Åstrand * lib/krb5/krb5_err.et: add error 68, WRONG_REALM * kdc/pkinit.c: Handle the ms san in a propper way, still cheat with the realm name. * kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out directly and hand the error back to the client. * lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE and fix error message for CLIENT_NAME_MISMATCH. * kdc/pkinit.c: More logging for pk-init client mismatch. * kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for windows pk-init (-9) to make MIT clients happy. 2007-05-30 Love Hörnquist Åstrand * kdc/pkinit.c: Force des3 for win2k. * kdc/pkinit.c: Add wrapping to ContentInfo wrapping to COMPAT_WIN2K. * lib/krb5/keytab_keyfile.c: Spelling. * kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta doesn't deal with case of realm. 2007-05-16 Love Hörnquist Åstrand * lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead of encryption. 2007-05-10 Dave Love * doc/win2k.texi: Update some URLs. 2007-05-13 Love Hörnquist Åstrand * kuser/kimpersonate.c: Fix version number of ticket, it should be 5 not the kvno. 2007-05-08 Love Hörnquist Åstrand * doc/setup.texi: Salting is really Encryption types and salting. 2007-05-07 Love Hörnquist Åstrand * doc/setup.texi: spelling, from Ronny Blomme * doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny Blomme 2007-05-02 Love Hörnquist Åstrand * lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database specified, create one and let it use the defaults. 
2007-04-27 Love Hörnquist Åstrand * lib/hdb/test_dbinfo.c: test acl file * lib/hdb/test_dbinfo.c: test acl file * lib/hdb/dbinfo.c: add acl file * etc: ignore Makefile.in * Makefile.am: SUBDIRS += etc * configure.in: Add etc/Makefile. * etc/Makefile.am: make sure services.append is distributed 2007-04-24 Love Hörnquist Åstrand * kdc: rename windc_init to krb5_kdc_windc_init * kdc/version-script.map: version script for libkdc * kdc/Makefile.am: version script for libkdc 2007-04-23 Love Hörnquist Åstrand * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): correct the order of the arguments. * lib/hdb/Makefile.am: Add and test dbinfo. * lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo; * kdc/config.c: Use krb5_kdc_get_config and just fill in what the users wanted differently. * kdc/default_config.c: Make the default configuration fetch info from the krb5.conf. 2007-04-22 Love Hörnquist Åstrand * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to determine if to send the session-key, for the second place in the function. * tools/krb5-config.in: rename des to hcrypto * kuser/Makefile.am: depend on libheimntlm * kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for this domain if the Kerberos password auth worked. * kuser/klist.c: add new option --hidden that doesn't display principal that starts with @ * tools/krb5-config.in: Add heimntlm when we use gssapi. * lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to free 'cred' with. * lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free 'cred' with. 2007-04-21 Love Hörnquist Åstrand * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to determine if to send the session-key. * kcm/client.c (kcm_ccache_new_client): make root be able to pass the name constraints, not the opposite. From Bryan Jacobs. 2007-04-20 Love Hörnquist Åstrand * kcm/acl.c: make compile again. * kcm/client.c: fix warning. * kcm: First, it allows root to ignore the naming conventions. 
Second, it allows root to always perform any operation on any ccache. Note that root could do this anyway with FILE ccaches. From Bryan Jacobs. * Rename libdes to libhcrypto. 2007-04-19 Love Hörnquist Åstrand * kinit: remove code that depend on kerberos 4 library * kdc: remove code that depend on kerberos 4 library * configure.in: Drop kerberos 4 support. * kdc/hpropd.c (main): free the message when done with it. * lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit): remember to free memory too. * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when done. * configure.in: test rk_VERSIONSCRIPT 2007-04-18 Love Hörnquist Åstrand * fix-export: remove, all done by make dist now 2007-04-15 Love Hörnquist Åstrand * lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre 2007-04-11 Love Hörnquist Åstrand * kdc/kstash.8: Spelling, from raga via Bjorn Sandell. * lib/krb5/store_mem.c: indent. * lib/krb5/recvauth.c: Set error string. * lib/krb5/rd_req.c: clear error strings. * lib/krb5/rd_cred.c: clear error string. * lib/krb5/pkinit.c: Set error strings. * lib/krb5/get_cred.c: Tell what principal we are not finding for all KRB5_CC_NOTFOUND. 2007-02-22 Love Hörnquist Åstrand * kdc/kerberos5.c: Return the same error codes as a windows KDC. * kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password failed. * kdc/kerberos5.c: Make handling of replying e_data more generic, from metze. * kdc/kerberos5.c: Fix (string const and shadow) warnings, from metze. * lib/krb5/pac.c: Create the PAC element in the same order as w2k3, maybe there's some broken code in windows which relies on this... From metze. * kdc/kerberos5.c: Select a session enctype from the list of the crypto systems supported enctype, is supported by the client and is one of the enctype of the enctype of the krbtgt. 
The latter is used as a hint what enctype all KDCs are supporting, to make sure a newer version of KDC won't generate a session enctype that an older version of a KDC in the same realm can't decrypt. But if the KDC admin is paranoid and doesn't want to have "not the best" enctypes on the krbtgt, let's save the best pick from the client list and hope that that will work for any other KDCs. Reported by metze. * kdc/hprop.c (propagate_database): on any failure, drop the connection to the peer and try the next one. 2007-02-18 Love Hörnquist Åstrand * lib/krb5/krb5_get_init_creds.3: document new options. * kdc/krb5tgs.c: Only check service key for cross realm PACs. * lib/krb5/init_creds.c: use the new merged flags field. (krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k compat flags. * lib/krb5/init_creds_pw.c: use the new merged flags field. * lib/krb5/krb5_locl.h: merge all flags into one entity 2007-02-11 Dave Love * lib/krb5/krb5_aname_to_localname.3: Small fixes * lib/krb5/krb5_digest.3: Small fixes * kuser/kimpersonate.1: Small fixes 2007-02-17 Love Hörnquist Åstrand * lib/krb5/init_creds_pw.c (find_pa_data): if there is no list, there is no entry. * kdc/krb5tgs.c: Don't check PACs on cross realm requests. * lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES. * lib/krb5/init_creds_pw.c: Verify client referral data. * kdc/kerberos5.c: switch some "return ret" to "goto out". * kdc/kerberos5.c: Pass down canonicalize request to hdb layer, sign client referrals. * lib/hdb/hdb.h: Add HDB_F_CANON. * lib/hdb: add simple alias support to the database backends 2007-02-16 Love Hörnquist Åstrand * kuser/kinit.c: Add canonicalize flag. * lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support canonicalize. * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize): new function. * lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags. * lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags. * lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags. 
2007-02-15 Love Hörnquist Åstrand * lib/krb5/test_princ.c: test parsing enterprise-names. * lib/krb5/principal.c: Add support for parsing enterprise-names. * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE. * lib/hdb/hdb-ldap.c: Make work again. 2007-02-11 Dave Love * kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value. 2007-02-10 Love Hörnquist Åstrand * doc/setup.texi: prune trailing space * lib/hdb/db.c: Be better at setting and clearing error string. * lib/hdb/hdb.c: Be better at setting and clearing error string. 2007-02-09 Love Hörnquist Åstrand * lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name to print out the keytab name. * doc/setup.texi: Spelling, from Guido Guenther 2007-02-08 Love Hörnquist Åstrand * lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen. 2007-02-06 Love Hörnquist Åstrand * lib/krb5/test_store.c (test_uint16): unsigned ints can't be negative 2007-02-03 Love Hörnquist Åstrand * kdc/pkinit.c: pass extra flags for detached signatures. * lib/krb5/pkinit.c: pass extra flags for detached signatures. * kdc/digest.c: Remove debug output. * kuser/kdigest.c: Add support for ms-chap-v2 client. 2007-02-02 Love Hörnquist Åstrand * kdc/digest.c: Fix ms-chap-v2 get_masterkey * kdc/digest.c: Fix ms-chap-v2 mutual response auth code. * kuser/kdigest.c: Print session key if there is one. * lib/krb5/digest.c: rename hash-a1 to session key * kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2 * kuser/kdigest.c: print rsp if there is one, from Klas. * kdc/digest.c: Use right size, from Klas Lindfors. * kuser/kdigest.c: Set client nonce if avaible, from Klas. * kdc/digest.c: First version from kllin. * kuser/kdigest.c: Don't restrict the type. 2007-02-01 Love Hörnquist Åstrand * kuser/kdigest-commands.in: add --client-response * kuser/kdigest.c: Print status instead of response. * kdc/digest.c: Better logging and return status = FALSE when checksum doesn't match. 
* kdc/digest.c: Check the digest response in the KDC. * lib/krb5/digest.c: New functions to send in requestResponse to KDC and get status of the request. * kdc/digest.c: Add support for MS-CHAP v2. * lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap. 2007-01-31 Love Hörnquist Åstrand * fix-export: Make hx509.info too * kdc/digest.c: don't verify identifier in CHAP, its the client that chooses it. 2007-01-23 Love Hörnquist Åstrand * lib/krb5/Makefile.am: Basic test of prf. * lib/krb5/test_prf.c: Basic test of prf. * lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF functions. * lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions. * lib/krb5/krb5_data.3: Document krb5_data_cmp. * lib/krb5/data.c: Add krb5_data_cmp. 2007-01-20 Love Hörnquist Åstrand * kdc/kx509.c: Don't use C99 syntax. 2007-01-17 Love Hörnquist Åstrand * configure.in: its LIBADD_roken (and shouldn't really exist, our libtool usage it broken) * configure.in: Add an extra variable for roken, LIBADD, that should be used for library depencies. * lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer. * lib/krb5/krb5_init_context.3: fix mdoc errors * Heimdal 0.8 branch cut today * doc/hx509.texi: Spelling and more about proxy certificates. * configure.in: check for arc4random 2007-01-16 Love Hörnquist Åstrand * lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data before starting * tools/heimdal-build.sh: make cvs keep quiet * kuser/kverify.c: Use argument as principal if passed an argument. Bug report from Douglas E. Engert 2007-01-15 Love Hörnquist Åstrand * lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider the enc_tkt_in_skey case, from Douglas E. Engert. * kdc/kx509.c: Issue certificates. * kdc/config.c: Parse kx509/kca configuration. * kdc/kdc.h: add kx509 config 2007-01-14 Love Hörnquist Åstrand * kdc/kerberos5.c (_kdc_find_padata): if there is not padata, there is nothing find. * doc/hx509.texi: Examples for pk-init. 
* doc/hx509.texi: About extending ca lifetime and sub cas. 2007-01-13 Love Hörnquist Åstrand * doc/hx509.texi: More about certificates. 2007-01-12 Love Hörnquist Åstrand * doc/hx509.texi: add Application requirements and write about xmpp/jabber. 2007-01-11 Love Hörnquist Åstrand * doc/hx509.texi: More about issuing certificates. * doc/hx509.texi: Start of a x.509 manual. * include/Makefile.am: remove install headerfiles * lib/krb5/test_pac.c: Use more interesting data to cause more errors. * include/Makefile.am: remove install headerfiles * lib/krb5/mcache.c: MCC_CURSOR not used, remove. * lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used * lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to allocate data 2007-01-10 Love Hörnquist Åstrand * doc/setup.texi: Hint about hxtool validate. * appl/test/uu_server.c: print both "server" and "client" * kdc/krb5tgs.c: Rename keys to be more obvious what they do. * kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew Bartlett * kdc/windc.c: ident, spelling. * kdc/windc_plugin.h: indent. * kdc/krb5tgs.c: Pass down server entry to verify_pac function. from Andrew Bartlett * kdc/windc.c: pass down server entry to verify_pac function, from Andrew Bartlett * kdc/windc_plugin.h: pass down server entry to verify_pac function, from Andrew Bartlett * configure.in: Provide a automake symbol ENABLE_SHARED if shared libraries are built. * lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock when verifying the PAC. From Andrew Bartlett. 2007-01-09 Love Hörnquist Åstrand * lib/krb5/test_pac.c: move around to code test on real PAC. * lib/krb5/pac.c: A tiny 2 char diffrence that make the code work for real. * lib/krb5/test_pac.c: Test more PAC (note that the values used in this test is wrong, they have to be fixed when the pac code is fixed). 
* doc/setup.texi: Update to new hxtool issue-certificate usage * lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS and PK-INIT pa data, no need to expose our password protecting our PKCS12 key. * kuser/klist.c (print_cred_verbose): include ticket length in the verbose output 2007-01-08 Love Hörnquist Åstrand * lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without it linux is unhappy. * lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without it linux is unhappy. * lib/krb5/name-45-test.c: One of the hosts I sometimes uses is named "bar.domain", this make one of the tests pass when it shouldn't. 2007-01-05 Love Hörnquist Åstrand * doc/setup.texi: Change --key argument to --out-key. * kuser/kimpersonate.1: mangle my name 2007-01-04 Love Hörnquist Åstrand * doc/setup.texi: describe how to use hx509 to create certificates. * tools/heimdal-build.sh: Add --distcheck. * kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check if we should include the PAC in the krbtgt. * kdc/pkinit.c (_kdc_as_rep): check if krb5_generate_random_keyblock failes. * kdc/kerberos5.c (_kdc_as_rep): check if krb5_generate_random_keyblock failes. * kdc/krb5tgs.c (tgs_build_reply): check if krb5_generate_random_keyblock failes. * kdc/krb5tgs.c: Scope etype. * lib/krb5/rd_req.c: Make it possible to turn off PAC check, its default on. * lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify its server signature. * kdc/kerberos5.c (_kdc_as_rep): call windc client access hook. (_kdc_tkt_add_if_relevant_ad): constify in data argument. * kdc/windc_plugin.h: More comments add a client_access hook. * kdc/windc.c: Add _kdc_windc_client_access. * kdc/krb5tgs.c: rename functions after export some more pac functions. * lib/krb5/test_pac.c: export some more pac functions. * lib/krb5/pac.c: export some more pac functions. * kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC. 
* configure.in: add tests/plugin/Makefile 2007-01-03 Love Hörnquist Åstrand * kdc/krb5tgs.c: Get right key for PAC krbtgt verification. * kdc/config.c: spelling * lib/krb5/krb5.h: typedef for krb5_pac. * kdc/headers.h: Include . * kdc/Makefile.am: Include windc.c and use windc_plugin.h * kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain Controller. * kdc/kerberos5.c: Call callbacks for emulating a Windows Domain Controller. Move the some of the log related stuff to its own function. * kdc/config.c: Init callbacks for emulating a Windows Domain Controller. * kdc/windc.c: Rename the init function to windc instead of pac. * kdc/windc.c: Callbacks specific to emulating a Windows Domain Controller. * kdc/windc_plugin.h: Callbacks specific to emulating a Windows Domain Controller. * lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ * lib/krb5/pac.c: Support all keyed checksum types. 2007-01-02 Love Hörnquist Åstrand * lib/krb5/pac.c (krb5_pac_get_types): Return list of types. * lib/krb5/test_pac.c: test krb5_pac_get_types * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. * lib/krb5/krb5.h: Add KRB5_KRBHST_KCA. * lib/krb5/test_pac.c: test Add/remove pac buffer functions. * lib/krb5/pac.c: Add/remove pac buffer functions. * lib/krb5/pac.c: sprinkle const * lib/krb5/pac.c: rename DCHECK to CHECK * Happy New Year. heimdal-1.7~git20150920+dfsg/LICENSE000066400000000000000000000031541257755311500164530ustar00rootroot00000000000000Copyright (c) 1995 - 2014 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Please see info documentation for the complete list of licenses. 
heimdal-1.7~git20150920+dfsg/Makefile.am000066400000000000000000000017361257755311500175060ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common if KCM kcm_dir = kcm endif SUBDIRS= include lib kuser kdc admin kadmin kpasswd SUBDIRS+= $(kcm_dir) appl tools tests packages etc po if HEIMDAL_DOCUMENTATION SUBDIRS+= doc endif ## ACLOCAL = @ACLOCAL@ -I cf ACLOCAL_AMFLAGS = -I cf EXTRA_DIST = \ NTMakefile \ windows \ TODO \ LICENSE \ README \ ChangeLog \ ChangeLog.1998 \ ChangeLog.1999 \ ChangeLog.2000 \ ChangeLog.2001 \ ChangeLog.2002 \ ChangeLog.2003 \ ChangeLog.2004 \ ChangeLog.2005 \ ChangeLog.2006 \ Makefile.am.common \ autogen.sh \ krb5.conf \ cf/make-proto.pl \ cf/roken-h-process.pl \ cf/install-catman.sh \ cf/ChangeLog \ cf/c-function.m4 \ cf/ChangeLog \ cf/have-pragma-weak.m4 \ cf/have-types.m4 \ cf/krb-func-getcwd-broken.m4 \ cf/krb-prog-ranlib.m4 \ cf/krb-prog-yacc.m4 \ cf/krb-sys-aix.m4 \ cf/krb-sys-nextstep.m4 \ cf/krb-version.m4 \ cf/roken.m4 \ cf/valgrind-suppressions \ cf/vararray.m4 print-distdir: @echo $(distdir) heimdal-1.7~git20150920+dfsg/Makefile.am.common000066400000000000000000000000651257755311500207670ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/cf/Makefile.am.common heimdal-1.7~git20150920+dfsg/NEWS000066400000000000000000000702101257755311500161420ustar00rootroot00000000000000Release Notes - Heimdal - Version Heimdal 1.6 Security - ... - kx509 realm-chopping security bug Feature - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST) - New GSS APIs: . gss_localname - Allow setting what encryption types a principal should have with [kadmin] default_key_rules, see krb5.conf manpage for more info - Unify libhcrypto with LTC (libtomcrypto) - asn1_compile 64-bit INTEGER functionality - HDB key history support including --keepold kadmin password option - Improved cross-realm key rollover safety - New krb5_kuserok() plug-in interface - Improved MIT compatibility . kadm5 API . 
Migration from MIT KDB via "mitdb" HDB backend. . Capable of writing the HDB in MIT dump format - Improved Active Directory interoperability . Enctype selection issues for PAC and other authz-data signatures . Cross realm key rollover (kvno 0) - New [kdc] enctype negotiation configuration: . tgt-use-strongest-session-key . svc-use-strongest-session-key . preauth-use-strongest-session-key . use-strongest-server-key - Allow batch-mode kinit with password file - SIGINFO support added to kinit cmd - New kx509 configuration options: . kx509_ca . kca_service . kx509_include_pkinit_san . kx509_template - Improved Heimdal library/plugin version safety - Name canonicalization . DNS resolver searchlist - Pluggable libheimbase interface for DBs - Improve IPv6 Support - LDAP . Bind DN and password . Start TLS - klist --json - DIR credential cache type - Many more Bug fixes - Include non-loopback addresses assigned to loopback interfaces when requesting tickets with addresses - KDC 1DES session key selection (for AFS rxkad-k5 compatibility) - Keytab file descriptor and lock leak - Credential cache corruption bugs (NOTE: The FILE ccache is still not entirely safe due to the fundamentally unsafe design of POSIX file locking) - gss_pseudo_random() interop bug - Plugins are now preferentially loaded from the run-time install tree - Reauthentication after password change in init_creds_password - Memory leak in the client kadmin library - TGS client requests renewable/forwardable/proxiable when possible. 
- Locking issues in DB1 and DB3 HDB backends - Master HDB can remain locked while waiting for network I/O - Renewal/refresh logic when kinit is provided with a command - KDC handling of enterprise principals - Many more Acknowledgements This release of Heimdal includes contributions from: Andrew Bartlett, Andrew Tridgell, Arran Cudbard-Bell, Arvid Requate, Ben Kaduk, Dana Koch, Daniel Schepler, Eray Aslan, Fredrik Pettai, Gustavo Zacarias, Harald Barth, Howard Chu, Igor Sobrado, Ingo Schwarze, James Le Cuirot, James Lee, Jeffrey Altman, Jeffrey Clark, Jeffrey Hutzelman, Jelmer Vernooij, Ken Dreyer, Kumar Thangavelu, Landon Fuller, Linus Nordberg, Love Hörnquist Åstrand, Luke Howard, Magnus Ahltorp, Marco Molteni, Michael Meffie, Moritz Lenz, Nico Williams, Nicolas Williams, Patrik Lundin, Philip Boulain, Ragnar Sundblad, Rod Widdowson, Roland C. Dowdeswell, Ross L Richardson, Russ Allbery, Samuel Thibault, Simon Wilkinson, Stef Walter, Stefan Metzmacher, Steffen Jaeckel, Tollef Fog Heen, Tony Acero, Viktor Dukhovni Release Notes - Heimdal - Version Heimdal 1.5.3 Bug fixes - Fix leaking file descriptors in KDC - Better socket/timeout handling in libkrb5 - General bug fixes - Build fixes Release Notes - Heimdal - Version Heimdal 1.5.2 Security fixes - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege - Check that key types strictly match - denial of service Release Notes - Heimdal - Version Heimdal 1.5.1 Bug fixes - Fix building on Solaris, requires c99 - Fix building on Windows - Build system updates Release Notes - Heimdal - Version Heimdal 1.5 New features - Support GSS name extensions/attributes - SHA512 support - No Kerberos 4 support - Basic support for MIT Admin protocol (SECGSS flavor) in kadmind (extract keytab) - Replace editline with libedit Release Notes - Heimdal - Version Heimdal 1.4 New features - Support for reading MIT database file directly - KCM is polished up and now used in production - NTLM first class 
citizen, credentials stored in KCM - Table driven ASN.1 compiler, smaller!, not enabled by default - Native Windows client support Notes - Disabled write support in the NDBM hdb backend (read still in there) since it can't handle large records, please migrate to a different backend (like BDB4) Release Notes - Heimdal - Version Heimdal 1.3.3 Bug fixes - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321] - Check NULL pointers before dereferencing them [kdc] Release Notes - Heimdal - Version Heimdal 1.3.2 Bug fixes - Don't mix up lengths when clearing hmac (could memset too much) - More paranoid underrun checking when decrypting packets - Check the password change requests and refuse to answer empty packets - Build on OpenSolaris - Renumber AD-SIGNED-TICKET since it was stolen from US - Don't cache /dev/*random file descriptor, it doesn't get unloaded - Make C++ safe - Misc warnings Release Notes - Heimdal - Version Heimdal 1.3.1 Bug fixes - Store KDC offset in credentials - Many many more bug fixes Release Notes - Heimdal - Version Heimdal 1.3.1 New features - Make it work with OpenLDAP's krb5 overlay Release Notes - Heimdal - Version Heimdal 1.3 New features - Partial support for MIT kadmind rpc protocol in kadmind - Better support for finding keytab entries when using SPN aliases in the KDC - Support BER in ASN.1 library (needed for CMS) - Support decryption in Keychain private keys - Support for new sqlite based credential cache - Try both KDC referrals and the common DNS reverse lookup in GSS-API - Fix the KCM to not leak resources on failure - Add IPv6 support to iprop - Support localization of error strings in kinit/klist/kdestroy and Kerberos library - Remove Kerberos 4 support in application (still in KDC) - Deprecate DES - Support i18n password in windows domains (using UTF-8) - More complete API emulation of OpenSSL in hcrypto - Support for ECDSA and ECDH when linking with OpenSSL API changes - Support for setting a friendly name on credential caches -
Move to using doxygen to generate documentation. - Sprinkle __attribute__((deprecated)) on old functions to be removed - Support to export LAST-REQUEST information in AS-REQ - Support for client deferrals in AS-REQ - Add seek support for krb5_storage. - Support for split AS-REQ, first step for IA-KERB - Fix many memory leaks and bugs - Improved regression test - Support krb5_cccol - Switch to krb5_set_error_message - Support krb5_crypto_*_iov - Switch to use EVP for most functions - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec) - Add support for GSS_C_DELEG_POLICY_FLAG - Add krb5_cc_[gs]et_config to store data in the credential caches - PTY testing application Bugfixes - Make building on AIX6 possible. - Bugfixes in LDAP KDC code to make it more stable - Make ipropd-slave reconnect when master goes down Release Notes - Heimdal - Version Heimdal 1.2.1 * Bug [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris [HEIMDAL-151] - Make canned tests work again after cert expired [HEIMDAL-152] - iprop test: use full hostname to avoid realm resolving errors [HEIMDAL-153] - ftp: Use the correct length for unmap, msync Release Notes - Heimdal - Version Heimdal 1.2 * Bug [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in gss_display_name/gss_export_name when using SPNEGO [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1 [HEIMDAL-17] - Remove support for deprecated [libdefaults]capath [HEIMDAL-52] - hdb overwrite aliases for db databases [HEIMDAL-54] - Two issues which affect credentials delegation [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args [HEIMDAL-62] - Fix printing of sig_atomic_t [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241) * Improvement [HEIMDAL-67] - Fix locking and store credentials with atomic writes in the FILE credential cache [HEIMDAL-106] - make compile on cygwin again [HEIMDAL-107]
- Replace old random key generation in des module and use it with RAND_ functions instead [HEIMDAL-115] - Better documentation and compatibility in hcrypto in regards to OpenSSL * New Feature [HEIMDAL-3] - pkinit alg agility PRF test vectors [HEIMDAL-14] - Add libwind to Heimdal [HEIMDAL-16] - Use libwind in hx509 [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to the negotiation [HEIMDAL-74] - Add support to report extended error message back in AS-REQ to support windows clients [HEIMDAL-116] - test pty based application (using rkpty) [HEIMDAL-120] - Use new OpenLDAP API (older deprecated) * Task [HEIMDAL-63] - Don't try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. This drops compatibility with pre 0.3d KDCs. [HEIMDAL-64] - kcm: first implementation of kcm-move-cache [HEIMDAL-65] - Failed to compile with --disable-pk-init [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some wraparound checks doesn't apply to Heimdal Changes in release 1.1 * Read-only PKCS11 provider built-in to hx509. * Documentation for hx509, hcrypto and ntlm libraries improved. * Better compatibility with Windows 2008 Server pre-releases and Vista. * Mac OS X 10.5 support for native credential cache. * Provide pkg-config file for Heimdal (heimdal-gssapi.pc). * Bug fixes. Changes in release 1.0.2 * Ubuntu packages. * Bug fixes. Changes in release 1.0.1 * Several bug fixes to iprop. * Make it work on platforms without dlopen. * Add RFC3526 modp group14 as default. * Handle [kdc] database = { } entries without realm = stanzas. * Make krb5_get_renewed_creds work. * Make kaserver preauth work again. * Bug fixes. Changes in release 1.0 * Add gss_pseudo_random() for mechglue and krb5. * Make session key for the krbtgt be selected by the best encryption type of the client. * Better interoperability with other PK-INIT implementations. * Initial support for Mac OS X Keychain for hx509. * Alias support for initial ticket requests.
* Add symbol versioning to selected libraries on platforms that use the GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. * New version of imath included in hcrypto. * Fix memory leaks. * Bug fixes. Changes in release 0.8.1 * Make ASN.1 library less paranoid with regard to NUL in strings to make it inter-operate with MIT Kerberos again. * Make GSS-API library work again when using gss_acquire_cred * Add symbol versioning to libgssapi when using GNU ld. * Fix memory leaks * Bug fixes Changes in release 0.8 * PK-INIT support. * HDB extensions support, used by PK-INIT. * New ASN.1 compiler. * GSS-API mechglue from FreeBSD. * Updated SPNEGO to support RFC4178. * Support for Cryptosystem Negotiation Extension (RFC 4537). * A new X.509 library (hx509) and related crypto functions. * A new ntlm library (heimntlm) and related crypto functions. * Updated the built-in crypto library with bignum support using imath, support for RSA and DH and renamed it to libhcrypto. * Subsystem in the KDC, digest, that will perform the digest operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL DIGEST-MD5, NTLMv1 and NTLMv2. * KDC will return the "response too big" error to force TCP retries for large (default 1400 bytes) UDP replies. This is common for PK-INIT requests. * Libkafs defaults to use 2b tokens. * Default to use the API cache on Mac OS X. * krb5_kuserok() also checks the ~/.k5login.d directory for acl files, see manpage for krb5_kuserok for description. * Many, many, other updates to code and info manual and manual pages. * Bug fixes Changes in release 0.7.2 * Fix security problem in rshd that enabled an attacker to overwrite and change ownership of any file that root could write. * Fix a DOS in telnetd. The attacker could force the server to crash in a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.
* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name exists in the keytab before returning success. This allows servers to check if it is even possible to use GSSAPI. * Fix receiving end of token delegation for GSS-API. It still wrongly uses subkey for sending for compatibility reasons, this will change in 0.8. * telnetd, login and rshd are now more verbose in logging failed and successful logins. * Bug fixes Changes in release 0.7.1 * Bug fixes Changes in release 0.7 * Support for KCM, a process based credential cache * Support CCAPI credential cache * SPNEGO support * AES (and the gssapi counterpart, CFX) support * Add new and improve old documentation * Bug fixes Changes in release 0.6.6 * Fix security problem in rshd that enabled an attacker to overwrite and change ownership of any file that root could write. * Fix a DOS in telnetd. The attacker could force the server to crash in a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast. Changes in release 0.6.5 * fix vulnerabilities in telnetd * unbreak Kerberos 4 and kaserver Changes in release 0.6.4 * fix vulnerabilities in telnet * rshd: encryption without a separate error socket should now work * telnet now uses appdefaults for the encrypt and forward/forwardable settings * bug fixes Changes in release 0.6.3 * fix vulnerabilities in ftpd * support for linux AFS /proc "syscalls" * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in kpasswdd * fix possible KDC denial of service * bug fixes Changes in release 0.6.2 * Fix possible buffer overrun in v4 kadmin (which now defaults to off) Changes in release 0.6.1 * Fixed ARCFOUR support * Cross realm vulnerability * kdc: fix denial of service attack * kdc: stop clients from renewing tickets into the future * bug fixes Changes in release 0.6 * The DES3 GSS-API mechanism has been changed to inter-operate with other GSSAPI implementations.
See man page for gssapi(3) how to turn on generation of correct MIC messages. Next major release of heimdal will generate correct MIC by default. * More complete GSS-API support * Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS support in applications no longer requires Kerberos 4 libs * Kerberos 4 support in kdc defaults to turned off (includes ka and 524) * other bug fixes Changes in release 0.5.2 * kdc: add option for disabling v4 cross-realm (defaults to off) * bug fixes Changes in release 0.5.1 * kadmind: fix remote exploit * kadmind: add option to disable kerberos 4 * kdc: make sure kaserver token life is positive * telnet: use the session key if there is no subkey * fix EPSV parsing in ftp * other bug fixes Changes in release 0.5 * add --detach option to kdc * allow setting forward and forwardable option in telnet from .telnetrc, with override from command line * accept addresses with or without ports in krb5_rd_cred * make it work with modern openssl * use our own string2key function even with openssl (that handles weak keys incorrectly) * more system-specific requirements in login * do not use getlogin() to determine root in su * telnet: abort if telnetd does not support encryption * update autoconf to 2.53 * update config.guess, config.sub * other bug fixes Changes in release 0.4e * improve libcrypto and database autoconf tests * do not care about salting of server principals when serving v4 requests * some improvements to gssapi library * test for existing compile_et/libcom_err * portability fixes * bug fixes Changes in release 0.4d * fix some problems when using libcrypto from openssl * handle /dev/ptmx `unix98' ptys on Linux * add some forgotten man pages * rsh: clean-up and add man page * fix -A and -a in builtin-ls in tpd * fix building problem on Irix * make `ktutil get' more efficient * bug fixes Changes in release 0.4c * fix buffer overrun in telnetd * repair some of the v4 fallback code in kinit * add more shared library 
dependencies * simplify and fix hprop handling of v4 databases * fix some building problems (osf's sia and osfc2 login) * bug fixes Changes in release 0.4b * update the shared library version numbers correctly Changes in release 0.4a * corrected key used for checksum in mk_safe, unfortunately this makes it backwards incompatible * update to autoconf 2.50, libtool 1.4 * re-write dns/config lookups (krb5_krbhst API) * make order of using subkeys consistent * add man page links * add more man pages * remove rfc2052 support, now only rfc2782 is supported * always build with kaserver protocol support in the KDC (assuming KRB4 is enabled) and support for reading kaserver databases in hprop Changes in release 0.3f * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, the new keytab type that tries both of these in order (SRVTAB is also an alias for krb4:) * improve error reporting and error handling (error messages should be more detailed and more useful) * improve building with openssl * add kadmin -K, rcp -F * fix two incorrect weak DES keys * fix building of kaserver compat in KDC * the API is closer to what MIT krb5 is using * more compatible with windows 2000 * removed some memory leaks * bug fixes Changes in release 0.3e * rcp program included * fix buffer overrun in ftpd * handle omitted sequence numbers as zeroes to handle MIT krb5 that cannot generate zero sequence numbers * handle v4 /.k files better * configure/portability fixes * fixes in parsing of options to kadmin (sub-)commands * handle errors in kadmin load better * bug fixes Changes in release 0.3d * add krb5-config * fix a bug in 3des gss-api mechanism, making it compatible with the specification and the MIT implementation * make telnetd only allow a specific list of environment variables to stop it from setting `sensitive' variables * try to use an existing libdes * lib/krb5, kdc: use correct usage type for ap-req messages. 
This should improve compatability with MIT krb5 when using 3DES encryption types * kdc: fix memory allocation problem * update config.guess and config.sub * lib/roken: more stuff implemented * bug fixes and portability enhancements Changes in release 0.3c * lib/krb5: memory caches now support the resolve operation * appl/login: set PATH to some sane default * kadmind: handle several realms * bug fixes (including memory leaks) Changes in release 0.3b * kdc: prefer default-salted keys on v5 requests * kdc: lowercase hostnames in v4 mode * hprop: handle more types of MIT salts * lib/krb5: fix memory leak * bug fixes Changes in release 0.3a: * implement arcfour-hmac-md5 to interoperate with W2K * modularise the handling of the master key, and allow for other encryption types. This makes it easier to import a database from some other source without having to re-encrypt all keys. * allow for better control over which encryption types are created * make kinit fallback to v4 if given a v4 KDC * make klist work better with v4 and v5, and add some more MIT compatibility options * make the kdc listen on the krb524 (4444) port for compatibility with MIT krb5 clients * implement more DCE/DFS support, enabled with --enable-dce, see lib/kdfs and appl/dceutils * make the sequence numbers work correctly * bug fixes Changes in release 0.2t: * bug fixes Changes in release 0.2s: * add OpenLDAP support in hdb * login will get v4 tickets when it receives forwarded tickets * xnlock supports both v5 and v4 * repair source routing for telnet * fix building problems with krb4 (krb_mk_req) * bug fixes Changes in release 0.2r: * fix realloc memory corruption bug in kdc * `add --key' and `cpw --key' in kadmin * klist supports listing v4 tickets * update config.guess and config.sub * make v4 -> v5 principal name conversion more robust * support for anonymous tickets * new man-pages * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 
* use and set expiration and not password expiration when dumping to/from ka server databases / krb4 databases * make the code happier with 64-bit time_t * follow RFC2782 and by default do not look for non-underscore SRV names Changes in release 0.2q: * bug fix in tcp-handling in kdc * bug fix in expand_hostname Changes in release 0.2p: * bug fix in `kadmin load/merge' * bug fix in krb5_parse_address Changes in release 0.2o: * gss_{import,export}_sec_context added to libgssapi * new option --addresses to kdc (for listening on an explicit set of addresses) * bug fixes in the krb4 and kaserver emulation part of the kdc * other bug fixes Changes in release 0.2n: * more robust parsing of dump files in kadmin * changed default timestamp format for log messages to extended ISO 8601 format (Y-M-DTH:M:S) * changed md4/md5/sha1 APIes to be de-facto `standard' * always make hostname into lower-case before creating principal * small bits of more MIT-compatability * bug fixes Changes in release 0.2m: * handle glibc's getaddrinfo() that returns several ai_canonname * new endian test * man pages fixes Changes in release 0.2l: * bug fixes Changes in release 0.2k: * better IPv6 test * make struct sockaddr_storage in roken work better on alphas * some missing [hn]to[hn]s fixed. * allow users to change their own passwords with kadmin (with initial tickets) * fix stupid bug in parsing KDC specification * add `ktutil change' and `ktutil purge' Changes in release 0.2j: * builds on Irix * ftpd works in passive mode * should build on cygwin * work around broken IPv6-code on OpenBSD 2.6, also add configure option --disable-ipv6 Changes in release 0.2i: * use getaddrinfo in the missing places. * fix SRV lookup for admin server * use get{addr,name}info everywhere. 
and implement it in terms of getipnodeby{name,addr} (which uses gethostbyname{,2} and gethostbyaddr) Changes in release 0.2h: * fix typo in kx (now compiles) Changes in release 0.2g: * lots of bug fixes: * push works * repair appl/test programs * sockaddr_storage works on solaris (alignment issues) * works better with non-roken getaddrinfo * rsh works * some non standard C constructs removed Changes in release 0.2f: * support SRV records for kpasswd * look for both _kerberos and krb5-realm when doing host -> realm mapping Changes in release 0.2e: * changed copyright notices to remove `advertising'-clause. * get{addr,name}info added to roken and used in the other code (this makes things work much better with hosts with both v4 and v6 addresses, among other things) * do pre-auth for both password and key-based get_in_tkt * support for having several databases * new command `del_enctype' in kadmin * strptime (and new strftime) add to roken * more paranoia about finding libdb * bug fixes Changes in release 0.2d: * new configuration option [libdefaults]default_etypes_des * internal ls in ftpd builds without KRB4 * kx/rsh/push/pop_debug tries v5 and v4 consistenly * build bug fixes * other bug fixes Changes in release 0.2c: * bug fixes (see ChangeLog's for details) Changes in release 0.2b: * bug fixes * actually bump shared library versions Changes in release 0.2a: * a new program verify_krb5_conf for checking your /etc/krb5.conf * add 3DES keys when changing password * support null keys in database * support multiple local realms * implement a keytab backend for AFS KeyFile's * implement a keytab backend for v4 srvtabs * implement `ktutil copy' * support password quality control in v4 kadmind * improvements in v4 compat kadmind * handle the case of having the correct cred in the ccache but with the wrong encryption type better * v6-ify the remaining programs. 
* internal ls in ftpd * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat * add `ank --random-password' and `cpw --random-password' in kadmin * some programs and documentation for trying to talk to a W2K KDC * bug fixes Changes in release 0.1m: * support for getting default from krb5.conf for kinit/kf/rsh/telnet. From Miroslav Ruda * v6-ify hprop and hpropd * support numeric addresses in krb5_mk_req * shadow support in login and su. From Miroslav Ruda * make rsh/rshd IPv6-aware * make the gssapi sample applications better at reporting errors * lots of bug fixes * handle systems with v6-aware libc and non-v6 kernels (like Linux with glibc 2.1) better * hide failure of ERPT in ftp * lots of bug fixes Changes in release 0.1l: * make ftp and ftpd IPv6-aware * add inet_pton to roken * more IPv6-awareness * make mini_inetd v6 aware Changes in release 0.1k: * bump shared libraries versions * add roken version of inet_ntop * merge more changes to rshd Changes in release 0.1j: * restore back to the `old' 3DES code. This was supposed to be done in 0.1h and 0.1i but I did a CVS screw-up. 
* make telnetd handle v6 connections Changes in release 0.1i: * start using `struct sockaddr_storage' which simplifies the code (with a fallback definition if it's not defined) * bug fixes (including in hprop and kf) * don't use mawk which seems to mishandle roken.awk * get_addrs should be able to handle v6 addresses on Linux (with the required patch to the Linux kernel -- ask within) * rshd builds with shadow passwords Changes in release 0.1h: * kf: new program for forwarding credentials * portability fixes * make forwarding credentials work with MIT code * better conversion of ka database * add etc/services.append * correct `modified by' from kpasswdd * lots of bug fixes Changes in release 0.1g: * kgetcred: new program for explicitly obtaining tickets * configure fixes * krb5-aware kx * bug fixes Changes in release 0.1f; * experimental support for v4 kadmin protokoll in kadmind * bug fixes Changes in release 0.1e: * try to handle old DCE and MIT kdcs * support for older versions of credential cache files and keytabs * postdated tickets work * support for password quality checks in kpasswdd * new flag --enable-kaserver for kdc * renew fixes * prototype su program * updated (some) manpages * support for KDC resource records * should build with --without-krb4 * bug fixes Changes in release 0.1d: * Support building with DB2 (uses 1.85-compat API) * Support krb5-realm.DOMAIN in DNS * new `ktutil srvcreate' * v4/kafs support in klist/kdestroy * bug fixes Changes in release 0.1c: * fix ASN.1 encoding of signed integers * somewhat working `ktutil get' * some documentation updates * update to Autoconf 2.13 and Automake 1.4 * the usual bug fixes Changes in release 0.1b: * some old -> new crypto conversion utils * bug fixes Changes in release 0.1a: * new crypto code * more bug fixes * make sure we ask for DES keys in gssapi * support signed ints in ASN1 * IPv6-bug fixes Changes in release 0.0u: * lots of bug fixes Changes in release 0.0t: * more robust parsing of krb5.conf 
* include net{read,write} in lib/roken * bug fixes Changes in release 0.0s: * kludges for parsing options to rsh * more robust parsing of krb5.conf * removed some arbitrary limits * bug fixes Changes in release 0.0r: * default options for some programs * bug fixes Changes in release 0.0q: * support for building shared libraries with libtool * bug fixes Changes in release 0.0p: * keytab moved to /etc/krb5.keytab * avoid false detection of IPv6 on Linux * Lots of more functionality in the gssapi-library * hprop can now read ka-server databases * bug fixes Changes in release 0.0o: * FTP with GSSAPI support. * Bug fixes. Changes in release 0.0n: * Incremental database propagation. * Somewhat improved kadmin ui; the stuff in admin is now removed. * Some support for using enctypes instead of keytypes. * Lots of other improvement and bug fixes, see ChangeLog for details. heimdal-1.7~git20150920+dfsg/NTMakefile000066400000000000000000000032501257755311500173450ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # !if exist("thirdparty\NTMakefile") thirdparty=thirdparty !endif SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc \ tools tests packages etc $(thirdparty) packages\windows\installer !include windows/NTMakefile.w32 all:: @echo Build finished succesfully heimdal-1.7~git20150920+dfsg/README000066400000000000000000000011161257755311500163220ustar00rootroot00000000000000 Heimdal is a Kerberos 5 implementation. For information how to install see . There are briefer man pages for most of the commands. Bug reports and bugs are appreciated, see more under Bug reports in the manual on how we prefer them: . For more information see the web-page at or the mailing lists: heimdal-announce@sics.se low-volume announcement heimdal-discuss@sics.se high-volume discussion send a mail to heimdal-announce-request@sics.se and heimdal-discuss-request@sics.se respectively to subscribe. 
heimdal-1.7~git20150920+dfsg/README.fast000066400000000000000000000006261257755311500172630ustar00rootroot00000000000000 -- in order of preference - client: support KRB5_PADATA_ENCRYPTED_CHALLENGE in lib/krb5/init_creds_pw.c - client: don't support ENC-TS in FAST - client: plugin support for fast plugins - kdc: plugin support for fast plugins partly done with "struct kdc_patypes" - kcm: support FAST armor ticket -- using PK-INIT anonymous -- using host key - client: tgs-req fast support - kdc: tgs-req fast support heimdal-1.7~git20150920+dfsg/TODO000066400000000000000000000011601257755311500161310ustar00rootroot00000000000000-*- indented-text -*- ** lib/gssapi cache delegation credentials to avoid hitting the kdc ? require time stampless tickets, and was supported in the recv'ing end with 0.6.1. make iov work for arcfour make iov work for ntlm interop test make TYPE_STREAM work ** lib/kadm5 add policies? ** lib/krb5 verify_user: handle non-secure verification failing because of host->realm mapping * windows stuff -- drop all double negation #ifndef NO_ -- got though windows specific ifdefs to minimized them -- switch to use heim-ipc for services, like the kadmin change notification socket -- Unify lib/krb5/expand_path_w32.c heimdal-1.7~git20150920+dfsg/acinclude.m4000066400000000000000000000004051257755311500176330ustar00rootroot00000000000000dnl $Id$ dnl dnl Only put things that for some reason can't live in the `cf' dnl directory in this file. 
dnl dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $ dnl m4_define([upcase],`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl heimdal-1.7~git20150920+dfsg/admin/000077500000000000000000000000001257755311500165335ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/admin/ChangeLog000066400000000000000000000033761257755311500203160ustar00rootroot000000000000002006-10-07 Love Hörnquist Åstrand * Makefile.am: Add man_MANS to EXTRA_DIST * Makefile.am: split build files into dist_ and noinst_ SOURCES 2005-07-07 Love Hörnquist Åstrand * ktutil.c: rename optind to optidx * list.c: make a copy of realm and admin_server to avoid un-consting avoid shadowing * get.c: make a copy of realm and admin_server to avoid un-consting avoid shadowing * change.c (change_entry): just use global context to avoid shadowing; make a copy of realm and admin_server to avoid un-consting. 2005-05-19 Love Hörnquist Åstrand * change.c (kt_change): plug memory leak from krb5_kt_remove_entry, print principal on error. 2005-05-02 Dave Love * ktutil.c (help): Don't use non-constant initializer for `fake'. 
2005-04-15 Love Hörnquist Åstrand * ktutil_locl.h: include 2005-04-14 Love Hörnquist Åstrand * add.c: add option -H --hex to the add command * ktutil-commands.in: add option -H --hex to the add command * ktutil.8: document option -H --hex to the add command 2004-09-29 Love Hörnquist Åstrand * list.c: un c99'ify, from Anders.Magnusson@ltu.se 2004-09-23 Johan Danielsson * purge.c: convert to slc; don't purge keys older that a certain time, instead purge keys that have newer versions that are at least a certain age * rename.c: convert to slc * remove.c: convert to slc * get.c: convert to slc; warn if resetting disallow-all-tix * copy.c: convert to slc * change.c: convert to slc * add.c: convert to slc * list.c: convert to slc * ktutil_locl.h: convert to slc * ktutil.c: convert to slc * ktutil-commands.in: slc source file heimdal-1.7~git20150920+dfsg/admin/Makefile.am000066400000000000000000000015351257755311500205730ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common AM_CPPFLAGS += $(INCLUDE_readline) $(INCLUDE_hcrypto) man_MANS = ktutil.1 bin_PROGRAMS = ktutil dist_ktutil_SOURCES = \ add.c \ change.c \ copy.c \ destroy.c \ get.c \ ktutil.c \ ktutil_locl.h \ list.c \ purge.c \ remove.c \ rename.c nodist_ktutil_SOURCES = \ ktutil-commands.c $(ktutil_OBJECTS): ktutil-commands.h CLEANFILES = ktutil-commands.h ktutil-commands.c ktutil-commands.c ktutil-commands.h: ktutil-commands.in $(SLC) $(srcdir)/ktutil-commands.in LDADD = \ $(top_builddir)/lib/kadm5/libkadm5clnt.la \ $(top_builddir)/lib/krb5/libkrb5.la \ $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(top_builddir)/lib/sl/libsl.la \ $(LIB_readline) \ $(LIB_roken) EXTRA_DIST = NTMakefile ktutil-version.rc $(man_MANS) ktutil-commands.in heimdal-1.7~git20150920+dfsg/admin/NTMakefile000066400000000000000000000043631257755311500204430ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. 
# All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. 
# RELDIR=admin cincdirs=$(cincdirs) -I$(OBJ) !include ../windows/NTMakefile.w32 SBINPROGRAMS=$(SBINDIR)\ktutil.exe KTUTIL_OBJS= \ $(OBJ)\add.obj \ $(OBJ)\change.obj \ $(OBJ)\copy.obj \ $(OBJ)\destroy.obj \ $(OBJ)\get.obj \ $(OBJ)\ktutil.obj \ $(OBJ)\ktutil-commands.obj \ $(OBJ)\list.obj \ $(OBJ)\purge.obj \ $(OBJ)\remove.obj \ $(OBJ)\rename.obj KTUTIL_LIBS= \ $(LIBHEIMDAL) \ $(LIBKADM5SRV) \ $(LIBSL) \ $(LIBROKEN) \ $(LIBVERS) $(SBINDIR)\ktutil.exe: $(KTUTIL_OBJS) $(KTUTIL_LIBS) $(OBJ)\ktutil-version.res $(EXECONLINK) $(EXEPREP) $(OBJ)\ktutil-commands.c $(OBJ)\ktutil-commands.h: ktutil-commands.in cd $(OBJ) $(CP) $(SRCDIR)\ktutil-commands.in $(OBJ) $(BINDIR)\slc.exe ktutil-commands.in cd $(SRCDIR) INCFILES=\ $(OBJ)\ktutil-commands.h all:: $(INCFILES) $(SBINPROGRAMS) clean:: -$(RM) $(SBINPROGRAMS:.exe=.*) heimdal-1.7~git20150920+dfsg/admin/add.c000066400000000000000000000113121257755311500174250ustar00rootroot00000000000000/* * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
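/*
 * Print `prompt' and read one line from stdin into `buf' (at most `len'
 * bytes including the terminator), stripping the trailing CR/LF.
 *
 * Returns buf, or NULL on EOF / read error.
 */
static char *
readstring(const char *prompt, char *buf, size_t len)
{
    printf("%s", prompt);
    if (fgets(buf, len, stdin) == NULL)
        return NULL;
    buf[strcspn(buf, "\r\n")] = '\0';
    return buf;
}

/*
 * ktutil "add": derive (from a password or hex string) or generate one
 * key and append it to the keytab.
 *
 * opt        - parsed command options.  Fields left unset (NULL / -1)
 *              are prompted for interactively and then point into the
 *              local `buf'; each prompted value is consumed before the
 *              next prompt reuses the buffer.
 * argc, argv - unused, the command takes no positional arguments.
 *
 * Returns 0 on success, 1 on any failure.  Every failure path sets
 * `ret' non-zero before jumping to `out', so a failure is never
 * reported as success (previously a bad key version, a malloc failure
 * and a hex-decode failure could return 0), and the keytab handle is
 * always closed.
 */
int
kt_add(struct add_options *opt, int argc, char **argv)
{
    krb5_error_code ret;
    krb5_keytab keytab;
    krb5_keytab_entry entry;
    char buf[1024];
    krb5_enctype enctype;

    if((keytab = ktutil_open_keytab()) == NULL)
        return 1;

    memset(&entry, 0, sizeof(entry));

    if(opt->principal_string == NULL) {
        if(readstring("Principal: ", buf, sizeof(buf)) == NULL) {
            ret = 1;
            goto out;   /* was a bare `return 1' that leaked the keytab handle */
        }
        opt->principal_string = buf;
    }
    ret = krb5_parse_name(context, opt->principal_string, &entry.principal);
    if(ret) {
        krb5_warn(context, ret, "%s", opt->principal_string);
        goto out;
    }

    if(opt->enctype_string == NULL) {
        if(readstring("Encryption type: ", buf, sizeof(buf)) == NULL) {
            ret = 1;
            goto out;
        }
        opt->enctype_string = buf;
    }
    ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
    if(ret) {
        /* Not a known enctype name: accept a numeric enctype as fallback. */
        int t;
        if(sscanf(opt->enctype_string, "%d", &t) == 1) {
            enctype = t;
            ret = 0;
        } else {
            krb5_warn(context, ret, "%s", opt->enctype_string);
            goto out;
        }
    }

    if(opt->kvno_integer == -1) {
        if(readstring("Key version: ", buf, sizeof(buf)) == NULL) {
            ret = 1;
            goto out;
        }
        /* kvno_integer is an int; "%u" is what the command has always accepted. */
        if(sscanf(buf, "%u", &opt->kvno_integer) != 1) {
            krb5_warnx(context, "bad key version: %s", buf);
            ret = 1;
            goto out;
        }
    }

    if(opt->password_string == NULL && opt->random_flag == 0) {
        if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ", 1)) {
            ret = 1;
            goto out;
        }
        opt->password_string = buf;
    }

    if(opt->password_string) {
        if (opt->hex_flag) {
            size_t len;
            void *data;

            /* Two hex digits per key byte; round up for an odd-length string. */
            len = (strlen(opt->password_string) + 1) / 2;

            data = malloc(len);
            if (data == NULL) {
                ret = ENOMEM;
                krb5_warn(context, ret, "malloc");
                goto out;
            }

            if ((size_t)hex_decode(opt->password_string, data, len) != len) {
                free(data);
                krb5_warnx(context, "hex decode failed");
                ret = 1;
                goto out;
            }

            ret = krb5_keyblock_init(context, enctype, data, len, &entry.keyblock);
            memset(data, 0, len);   /* raw key material: scrub before freeing */
            free(data);
        } else if (!opt->salt_flag) {
            /* --no-salt: string-to-key with an empty salt */
            krb5_salt salt;
            krb5_data pw;

            salt.salttype         = KRB5_PW_SALT;
            salt.saltvalue.data   = NULL;
            salt.saltvalue.length = 0;
            pw.data = (void*)opt->password_string;
            pw.length = strlen(opt->password_string);
            ret = krb5_string_to_key_data_salt(context, enctype, pw, salt,
                                               &entry.keyblock);
        } else {
            /* default: salt derived from the principal name */
            ret = krb5_string_to_key(context, enctype, opt->password_string,
                                     entry.principal, &entry.keyblock);
        }
        /*
         * Best-effort wipe of the password (a plain memset may be elided
         * by the compiler; kept as in the original).
         */
        memset (opt->password_string, 0, strlen(opt->password_string));
    } else {
        ret = krb5_generate_random_keyblock(context, enctype, &entry.keyblock);
    }
    if(ret) {
        krb5_warn(context, ret, "add");
        goto out;
    }

    entry.vno = opt->kvno_integer;
    entry.timestamp = time (NULL);
    ret = krb5_kt_add_entry(context, keytab, &entry);
    if(ret)
        krb5_warn(context, ret, "add");
 out:
    krb5_kt_free_entry(context, &entry);
    krb5_kt_close(context, keytab);
    return ret != 0;
}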
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
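/*
 * Ask the kadmin server for new random keys for `principal' and append
 * each of them to `keytab' with key version kvno + 1.
 *
 * keytab       - open keytab the new entries are written to
 * principal    - principal whose keys are changed
 * kvno         - highest key version currently in the keytab for it
 * realm        - realm of the admin server, or NULL to use the
 *                principal's own realm
 * admin_server - admin server host, or NULL for the configured default
 * server_port  - admin server port, or 0 for the configured default
 *
 * The kadmin connection authenticates with the key already stored in
 * keytab_string (kadm5_init_with_skey_ctx), so the current key must
 * still be present when this is called.
 *
 * Returns 0 on success, otherwise the first error encountered.  An
 * early krb5_kt_add_entry failure is no longer masked by a later
 * success, and the key array from kadm5_randkey_principal is released.
 */
static krb5_error_code
change_entry (krb5_keytab keytab,
              krb5_principal principal, krb5_kvno kvno,
              const char *realm, const char *admin_server, int server_port)
{
    krb5_error_code ret;
    krb5_error_code first_error = 0;
    kadm5_config_params conf;
    void *kadm_handle;
    char *client_name;
    krb5_keyblock *keys;
    int num_keys;
    int i;

    ret = krb5_unparse_name (context, principal, &client_name);
    if (ret) {
        krb5_warn (context, ret, "krb5_unparse_name");
        return ret;
    }

    memset (&conf, 0, sizeof(conf));

    if(realm == NULL)
        realm = krb5_principal_get_realm(context, principal);
    conf.realm = strdup(realm);
    if (conf.realm == NULL) {
        free (client_name);
        krb5_set_error_message(context, ENOMEM, "malloc failed");
        return ENOMEM;
    }
    conf.mask |= KADM5_CONFIG_REALM;

    if (admin_server) {
        conf.admin_server = strdup(admin_server);
        if (conf.admin_server == NULL) {
            free(client_name);
            free(conf.realm);
            krb5_set_error_message(context, ENOMEM, "malloc failed");
            return ENOMEM;
        }
        conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
    }

    if (server_port) {
        conf.kadmind_port = htons(server_port);
        conf.mask |= KADM5_CONFIG_KADMIND_PORT;
    }

    ret = kadm5_init_with_skey_ctx (context,
                                    client_name,
                                    keytab_string,
                                    KADM5_ADMIN_SERVICE,
                                    &conf, 0, 0,
                                    &kadm_handle);
    /* Our strdup'd config strings are released right after init, as before. */
    free(conf.admin_server);
    free(conf.realm);
    if (ret) {
        krb5_warn (context, ret,
                   "kadm5_c_init_with_skey_ctx: %s:", client_name);
        free (client_name);
        return ret;
    }
    ret = kadm5_randkey_principal (kadm_handle, principal, &keys, &num_keys);
    kadm5_destroy (kadm_handle);
    if (ret) {
        krb5_warn(context, ret, "kadm5_randkey_principal: %s:", client_name);
        free (client_name);
        return ret;
    }
    free (client_name);

    for (i = 0; i < num_keys; ++i) {
        krb5_keytab_entry new_entry;

        /* zero so that any field not set below is not left uninitialised */
        memset (&new_entry, 0, sizeof(new_entry));
        new_entry.principal = principal;
        new_entry.timestamp = time (NULL);
        new_entry.vno = kvno + 1;
        new_entry.keyblock  = keys[i];

        ret = krb5_kt_add_entry (context, keytab, &new_entry);
        if (ret) {
            krb5_warn (context, ret, "krb5_kt_add_entry");
            if (first_error == 0)
                first_error = ret;
        }
        krb5_free_keyblock_contents (context, &keys[i]);
    }
    free (keys);    /* the array itself was allocated by kadm5_randkey_principal */
    return first_error;
}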
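/*
 * loop over all the entries in the keytab (or those given) and change
 * their keys, writing the new keys
 */

/* One principal selected for a key change and the highest kvno seen for it. */
struct change_set {
    krb5_principal principal;
    krb5_kvno kvno;
};

/*
 * ktutil "change": request new keys from the admin server for every
 * principal in the keytab, or only for those named in argv.
 *
 * A first pass over the keytab collects each distinct principal once,
 * remembering the highest kvno present so change_entry() writes
 * kvno + 1.  Names given on the command line are parsed once up front
 * instead of once per keytab entry; a name that does not parse is
 * reported and ignored.
 *
 * Returns 0 if every selected principal was changed, 1 if the keytab
 * could not be read (this used to be reported as success) or any
 * change failed.
 */
int
kt_change (struct change_options *opt, int argc, char **argv)
{
    krb5_error_code ret;
    krb5_keytab keytab;
    krb5_kt_cursor cursor;
    krb5_keytab_entry entry;
    krb5_principal *wanted = NULL;      /* parsed argv; NULL slot = unparsable */
    struct change_set *changeset = NULL;
    int i, count = 0, capacity = 0;
    int errors = 0;

    if((keytab = ktutil_open_keytab()) == NULL)
        return 1;

    if (argc > 0) {
        wanted = calloc(argc, sizeof(*wanted));
        if (wanted == NULL) {
            krb5_warnx(context, "calloc: out of memory");
            errors = 1;
            goto out;
        }
        for (i = 0; i < argc; ++i) {
            ret = krb5_parse_name(context, argv[i], &wanted[i]);
            if (ret) {
                krb5_warn(context, ret, "%s", argv[i]);
                wanted[i] = NULL;
            }
        }
    }

    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
    if(ret){
        krb5_warn(context, ret, "%s", keytab_string);
        errors = 1;
        goto out;
    }

    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
        int add = 0;

        /* Already collected: only track the highest kvno. */
        for (i = 0; i < count; ++i) {
            if (krb5_principal_compare (context, changeset[i].principal,
                                        entry.principal)) {
                if (changeset[i].kvno < entry.vno)
                    changeset[i].kvno = entry.vno;
                break;
            }
        }
        if (i < count) {
            krb5_kt_free_entry (context, &entry);
            continue;
        }

        if (argc == 0) {
            add = 1;
        } else {
            for (i = 0; i < argc; ++i) {
                if (wanted[i] != NULL &&
                    krb5_principal_compare (context, wanted[i],
                                            entry.principal)) {
                    add = 1;
                    break;
                }
            }
        }

        if (add) {
            if (count >= capacity) {
                void *tmp;

                capacity = capacity ? capacity * 2 : 1;
                tmp = realloc (changeset, capacity * sizeof(*changeset));
                if (tmp == NULL) {
                    krb5_kt_free_entry (context, &entry);
                    krb5_warnx (context, "realloc: out of memory");
                    ret = ENOMEM;
                    break;
                }
                changeset = tmp;
            }
            ret = krb5_copy_principal (context, entry.principal,
                                       &changeset[count].principal);
            if (ret) {
                krb5_warn (context, ret, "krb5_copy_principal");
                krb5_kt_free_entry (context, &entry);
                break;
            }
            changeset[count].kvno = entry.vno;
            ++count;
        }
        krb5_kt_free_entry (context, &entry);
    }
    krb5_kt_end_seq_get(context, keytab, &cursor);

    if (ret == KRB5_KT_END) {
        /* The walk finished cleanly; now change each collected principal. */
        for (i = 0; i < count; i++) {
            if (verbose_flag) {
                char *client_name;

                ret = krb5_unparse_name (context, changeset[i].principal,
                                         &client_name);
                if (ret) {
                    krb5_warn (context, ret, "krb5_unparse_name");
                } else {
                    printf("Changing %s kvno %d\n",
                           client_name, changeset[i].kvno);
                    free(client_name);
                }
            }
            ret = change_entry (keytab, changeset[i].principal, changeset[i].kvno,
                                opt->realm_string, opt->admin_server_string,
                                opt->server_port_integer);
            if (ret != 0)
                errors = 1;
        }
    } else
        errors = 1;     /* the walk stopped on an error, not at the end */

    for (i = 0; i < count; i++)
        krb5_free_principal (context, changeset[i].principal);
    free (changeset);

  out:
    if (wanted != NULL) {
        for (i = 0; i < argc; ++i)
            if (wanted[i] != NULL)
                krb5_free_principal (context, wanted[i]);
        free (wanted);
    }
    krb5_kt_close(context, keytab);
    return errors;
}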
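/*
 * Compare two keyblocks: same enctype, same length and same key bytes.
 *
 * Returns TRUE when they match, FALSE otherwise.
 */
static krb5_boolean
compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
{
    if(a->keytype != b->keytype ||
       a->keyvalue.length != b->keyvalue.length ||
       memcmp(a->keyvalue.data, b->keyvalue.data, a->keyvalue.length) != 0)
        return FALSE;
    return TRUE;
}

/*
 * ktutil "copy": append every entry of keytab argv[0] to keytab argv[1].
 *
 * Entries already present in the destination (same principal, kvno and
 * enctype) are skipped; if such an entry carries different key material
 * a warning is printed, since that means the two keytabs have diverged.
 *
 * opt        - unused
 * argc, argv - exactly two keytab names, source then destination
 *              (ktutil-commands.in enforces min_args = max_args = 2)
 *
 * Returns 0 when the whole source keytab was walked and every new entry
 * was added, 1 on any failure.  Reaching the end of the source keytab
 * (KRB5_KT_END) is success; previously it made a fully successful copy
 * return 1.
 */
int
kt_copy (void *opt, int argc, char **argv)
{
    krb5_error_code ret;
    krb5_keytab src_keytab, dst_keytab;
    krb5_kt_cursor cursor;
    krb5_keytab_entry entry, dummy;
    const char *from = argv[0];
    const char *to = argv[1];

    ret = krb5_kt_resolve (context, from, &src_keytab);
    if (ret) {
        krb5_warn (context, ret, "resolving src keytab `%s'", from);
        return 1;
    }

    ret = krb5_kt_resolve (context, to, &dst_keytab);
    if (ret) {
        krb5_kt_close (context, src_keytab);
        krb5_warn (context, ret, "resolving dst keytab `%s'", to);
        return 1;
    }

    ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
    if (ret) {
        /* name the keytab actually being walked, not the global default */
        krb5_warn (context, ret, "krb5_kt_start_seq_get %s", from);
        goto out;
    }

    if (verbose_flag)
        fprintf(stderr, "copying %s to %s\n", from, to);

    while((ret = krb5_kt_next_entry(context, src_keytab, &entry, &cursor)) == 0) {
        char *name_str;
        char *etype_str;
        const char *name_txt, *etype_txt;   /* printable forms, never NULL */

        ret = krb5_unparse_name (context, entry.principal, &name_str);
        if(ret) {
            krb5_warn(context, ret, "krb5_unparse_name");
            name_str = NULL;
        }
        ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
        if(ret) {
            krb5_warn(context, ret, "krb5_enctype_to_string");
            etype_str = NULL;
        }
        /* passing NULL to %s is undefined behaviour; use placeholders instead */
        name_txt  = name_str  ? name_str  : "<unparsable principal>";
        etype_txt = etype_str ? etype_str : "<unknown enctype>";

        ret = krb5_kt_get_entry(context, dst_keytab,
                                entry.principal,
                                entry.vno,
                                entry.keyblock.keytype,
                                &dummy);
        if(ret == 0) {
            /* already in the destination; only complain if the key differs */
            if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
                krb5_warnx(context, "entry with different keyvalue "
                           "already exists for %s, keytype %s, kvno %d",
                           name_txt, etype_txt, entry.vno);
            }
            krb5_kt_free_entry(context, &dummy);
            krb5_kt_free_entry (context, &entry);
            free(name_str);
            free(etype_str);
            continue;
        } else if(ret != KRB5_KT_NOTFOUND) {
            krb5_warn (context, ret, "%s: fetching %s/%s/%u",
                       to, name_txt, etype_txt, entry.vno);
            krb5_kt_free_entry (context, &entry);
            free(name_str);
            free(etype_str);
            break;
        }
        if (verbose_flag)
            fprintf (stderr, "copying %s, keytype %s, kvno %d\n",
                     name_txt, etype_txt, entry.vno);
        ret = krb5_kt_add_entry (context, dst_keytab, &entry);
        krb5_kt_free_entry (context, &entry);
        if (ret) {
            krb5_warn (context, ret, "%s: adding %s/%s/%u",
                       to, name_txt, etype_txt, entry.vno);
            free(name_str);
            free(etype_str);
            break;
        }
        free(name_str);
        free(etype_str);
    }
    krb5_kt_end_seq_get (context, src_keytab, &cursor);
    if (ret == KRB5_KT_END)
        ret = 0;    /* walked the whole source keytab */

  out:
    krb5_kt_close (context, src_keytab);
    krb5_kt_close (context, dst_keytab);
    return ret != 0;
}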
/*
 * ktutil "destroy": hand the keytab to krb5_kt_destroy.
 *
 * opt, argc, argv - unused; the command takes no options or arguments.
 *
 * Returns 0 on success, 1 if the keytab could not be opened or
 * krb5_kt_destroy reported an error (which is printed).
 */
int
kt_destroy (void *opt, int argc, char **argv)
{
    krb5_keytab keytab = ktutil_open_keytab();
    krb5_error_code ret;

    if (keytab == NULL)
        return 1;

    ret = krb5_kt_destroy (context, keytab);
    if (ret == 0)
        return 0;

    krb5_warn (context, ret, "destroy keytab failed");
    return 1;
}
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
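/*
 * Open a kadmin connection as `principal'.
 *
 * principal    - admin principal to authenticate as
 * realm        - realm to administer, or NULL for the default realm
 * admin_server - admin server host, or NULL for the configured one;
 *                the pointer is used as-is (not copied)
 * server_port  - admin server port, or 0 for the configured one
 *
 * The password argument of kadm5_init_with_password_ctx is passed as
 * NULL, so the library obtains the password itself.
 *
 * Returns an opaque kadm5 handle the caller releases with
 * kadm5_destroy(), or NULL after printing a warning / setting the
 * context error message.
 */
static void*
open_kadmin_connection(char *principal,
                       const char *realm,
                       char *admin_server,
                       int server_port)
{
    static kadm5_config_params conf;    /* kept static as before; zeroed per call */
    krb5_error_code ret;
    void *kadm_handle;

    memset(&conf, 0, sizeof(conf));

    if(realm) {
        conf.realm = strdup(realm);
        if (conf.realm == NULL) {
            krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
            return NULL;
        }
        conf.mask |= KADM5_CONFIG_REALM;
    }

    if (admin_server) {
        conf.admin_server = admin_server;
        conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
    }

    if (server_port) {
        conf.kadmind_port = htons(server_port);
        conf.mask |= KADM5_CONFIG_KADMIND_PORT;
    }

    /* should get realm from each principal, instead of doing
       everything with the same (local) realm */

    ret = kadm5_init_with_password_ctx(context,
                                       principal,
                                       NULL,
                                       KADM5_ADMIN_SERVICE,
                                       &conf, 0, 0,
                                       &kadm_handle);
    free(conf.realm);
    if(ret) {
        krb5_warn(context, ret, "kadm5_init_with_password");
        return NULL;
    }
    return kadm_handle;
}

/*
 * Release the key array returned by kadm5_randkey_principal: the
 * contents of the n keyblocks and then the array itself.
 */
static void
free_key_array(krb5_keyblock *keys, int n)
{
    int j;

    for (j = 0; j < n; j++)
        krb5_free_keyblock_contents(context, &keys[j]);
    free(keys);
}

/*
 * ktutil "get": for each principal named in argv, create it on the
 * admin server if it does not exist, give it fresh random keys and
 * store those keys in the keytab.
 *
 * A new principal is created with KRB5_KDB_DISALLOW_ALL_TIX set and the
 * placeholder password "x", then randkey'd, and only then has the flag
 * cleared, the intent being that the placeholder password is never
 * usable.  An existing principal that already had disallow-all-tix set
 * is reported, because the flag is cleared here.
 *
 * opt->enctypes_strings, when given, restricts which of the returned
 * keys are written to the keytab.  The admin connection is opened
 * lazily on the first principal and shared by the rest.
 *
 * Returns 0 if every principal was processed and every key stored,
 * 1 otherwise.  Failing to allocate the enctype list or to open the
 * admin connection is now reported as a failure (previously both
 * returned 0), the key arrays are freed, and a kadm5_modify_principal
 * failure no longer leaks the principal record.
 */
int
kt_get(struct get_options *opt, int argc, char **argv)
{
    krb5_error_code ret = 0;
    krb5_keytab keytab;
    void *kadm_handle = NULL;
    krb5_enctype *etypes = NULL;
    size_t netypes = 0;
    size_t i;
    int a, j;
    unsigned int failed = 0;

    if((keytab = ktutil_open_keytab()) == NULL)
        return 1;

    if(opt->realm_string) {
        ret = krb5_set_default_realm(context, opt->realm_string);
        if (ret) {
            krb5_warn(context, ret, "krb5_set_default_realm");
            goto out;
        }
    }

    if (opt->enctypes_strings.num_strings != 0) {

        etypes = malloc (opt->enctypes_strings.num_strings * sizeof(*etypes));
        if (etypes == NULL) {
            krb5_warnx(context, "malloc failed");
            ret = ENOMEM;
            goto out;
        }
        netypes = opt->enctypes_strings.num_strings;
        for(i = 0; i < netypes; i++) {
            ret = krb5_string_to_enctype(context,
                                         opt->enctypes_strings.strings[i],
                                         &etypes[i]);
            if(ret) {
                krb5_warnx(context, "unrecognized enctype: %s",
                           opt->enctypes_strings.strings[i]);
                goto out;
            }
        }
    }

    for(a = 0; a < argc; a++){
        krb5_principal princ_ent;
        kadm5_principal_ent_rec princ;
        int mask = 0;
        krb5_keyblock *keys;
        int n_keys;
        int created = 0;
        krb5_keytab_entry entry;

        ret = krb5_parse_name(context, argv[a], &princ_ent);
        if (ret) {
            krb5_warn(context, ret, "can't parse principal %s", argv[a]);
            failed++;
            continue;
        }

        /* Create locked (disallow-all-tix) with a throw-away password;
           it is unlocked below, after it has been randkey'd. */
        memset(&princ, 0, sizeof(princ));
        princ.principal = princ_ent;
        mask |= KADM5_PRINCIPAL;
        princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
        mask |= KADM5_ATTRIBUTES;
        princ.princ_expire_time = 0;
        mask |= KADM5_PRINC_EXPIRE_TIME;

        if(kadm_handle == NULL) {
            const char *r;
            if(opt->realm_string != NULL)
                r = opt->realm_string;
            else
                r = krb5_principal_get_realm(context, princ_ent);
            kadm_handle = open_kadmin_connection(opt->principal_string,
                                                 r,
                                                 opt->admin_server_string,
                                                 opt->server_port_integer);
            if(kadm_handle == NULL) {
                /* already warned; count it so the command does not return 0 */
                krb5_free_principal(context, princ_ent);
                failed++;
                break;
            }
        }

        ret = kadm5_create_principal(kadm_handle, &princ, mask, "x");
        if(ret == 0)
            created = 1;
        else if(ret != KADM5_DUP) {
            krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
            krb5_free_principal(context, princ_ent);
            failed++;
            continue;
        }
        ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
        if (ret) {
            krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
            krb5_free_principal(context, princ_ent);
            failed++;
            continue;
        }

        ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
                              KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
        if (ret) {
            krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]);
            free_key_array(keys, n_keys);
            krb5_free_principal(context, princ_ent);
            failed++;
            continue;
        }
        if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX))
            krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]);
        princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
        mask = KADM5_ATTRIBUTES;
        if(created) {
            princ.kvno = 1;
            mask |= KADM5_KVNO;
        }
        ret = kadm5_modify_principal(kadm_handle, &princ, mask);
        if (ret) {
            krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]);
            free_key_array(keys, n_keys);
            /* princ was filled in by kadm5_get_principal above */
            kadm5_free_principal_ent(kadm_handle, &princ);
            krb5_free_principal(context, princ_ent);
            failed++;
            continue;
        }

        for(j = 0; j < n_keys; j++) {
            int do_add = TRUE;

            if (netypes) {
                size_t k;

                /* only keep the enctypes the user asked for */
                do_add = FALSE;
                for (k = 0; k < netypes; ++k)
                    if (keys[j].keytype == etypes[k]) {
                        do_add = TRUE;
                        break;
                    }
            }
            if (do_add) {
                memset(&entry, 0, sizeof(entry));
                entry.principal = princ_ent;
                entry.vno = princ.kvno;
                entry.keyblock = keys[j];
                entry.timestamp = time (NULL);
                ret = krb5_kt_add_entry(context, keytab, &entry);
                if (ret) {
                    krb5_warn(context, ret, "krb5_kt_add_entry");
                    /* the KDC already has this key; not storing it locally is a failure */
                    failed++;
                }
            }
        }
        free_key_array(keys, n_keys);

        kadm5_free_principal_ent(kadm_handle, &princ);
        krb5_free_principal(context, princ_ent);
    }
 out:
    free(etypes);
    if (kadm_handle)
        kadm5_destroy(kadm_handle);
    krb5_kt_close(context, keytab);
    return ret != 0 || failed > 0;
}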
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ command = { name = "add" option = { long = "principal" short = "p" type = "string" help = "principal to add" argument = "principal" default = "" } option = { long = "kvno" short = "V" type = "integer" help = "key version number" default = "-1" } option = { long = "enctype" short = "e" type = "string" argument = "enctype" help = "encryption type" } option = { long = "password" short = "w" type = "string" help = "password for key" } option = { long = "salt" short = "s" type = "-flag" help = "use unsalted keys" default = "1" } option = { long = "random" short = "r" type = "flag" help = "generate random key" } option = { long = "hex" short = "H" type = "flag" help = "password is a hexadecimal string" } function = "kt_add" help = "Adds a key to a keytab." max_args = "0" } command = { name = "change" option = { long = "realm" short = "r" type = "string" argument = "realm" help = "realm to use" } option = { long = "admin-server" short = "a" type = "string" argument = "host" help = "server to contact" } option = { long = "server-port" short = "s" type = "integer" argument = "port number" help = "port number on server" } function = "kt_change" argument = "[principal...]" help = "Change keys for specified principals (default all)." } command = { name = "copy" function = "kt_copy" argument = "source destination" min_args = "2" max_args = "2" help = "Copies one keytab to another." 
} command = { name = "get" option = { long = "principal" short = "p" type = "string" help = "admin principal" argument = "principal" } option = { long = "enctypes" short = "e" type = "strings" help = "encryption types to use" argument = "enctype" } option = { long = "realm" short = "r" type = "string" argument = "realm" help = "realm to use" } option = { long = "admin-server" short = "a" type = "string" argument = "host" help = "server to contact" } option = { long = "server-port" short = "s" type = "integer" argument = "port number" help = "port number on server" } function = "kt_get" min_args = "1" argument = "principal..." help = "Change keys (on the KDC) for specified principals, and add them to the keytab." } command = { name = "list" option = { long = "keys" type = "flag" help = "show key values (secret key material)" } option = { long = "timestamp" type = "flag" help = "show timestamps" } max_args = "0" function = "kt_list" help = "Show contents of keytab." } command = { name = "purge" option = { long = "age" type = "string" help = "age to retire" default = "1 week"; argument = "time" } max_args = "0" function = "kt_purge" help = "Remove superseded keys from keytab." } command = { name = "remove" name = "delete" option = { long = "principal" short = "p" type = "string" help = "principal to remove" argument = "principal" } option = { long = "kvno" short = "V" type = "integer" help = "key version to remove" argument = "kvno" default = "0" } option = { long = "enctype" short = "e" type = "string" help = "enctype to remove" argument = "enctype" } max_args = "0" function = "kt_remove" help = "Remove keys from keytab." } command = { name = "rename" function = "kt_rename" argument = "from to" min_args = "2" max_args = "2" help = "Renames an entry in the keytab." option = { long = "delete" type = "-flag" help = "don't delete original entry" } } command = { name = "destroy" function = "kt_destroy" max_args = "0" help = "Destroy (remove) the keytab." 
} command = { name = "help" argument = "command" max_args = "1" function = "help" } heimdal-1.7~git20150920+dfsg/admin/ktutil-version.rc000066400000000000000000000032241257755311500220610ustar00rootroot00000000000000/*********************************************************************** * Copyright (c) 2010, Secure Endpoints Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * - Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. 
* **********************************************************************/ #define RC_FILE_TYPE VFT_APP #define RC_FILE_DESC_0409 "Kerberos Keytab Tool" #define RC_FILE_ORIG_0409 "ktutil.exe" #include "../windows/version.rc" heimdal-1.7~git20150920+dfsg/admin/ktutil.1000066400000000000000000000110121257755311500201240ustar00rootroot00000000000000.\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\"
.\" $Id$
.\"
.Dd April 14, 2005
.Dt KTUTIL 1
.Os HEIMDAL
.Sh NAME
.Nm ktutil
.Nd manage Kerberos keytabs
.Sh SYNOPSIS
.Nm
.Oo Fl k Ar keytab \*(Ba Xo
.Fl Fl keytab= Ns Ar keytab
.Xc
.Oc
.Op Fl v | Fl Fl verbose
.Op Fl Fl version
.Op Fl h | Fl Fl help
.Ar command
.Op Ar args
.Sh DESCRIPTION
.Nm
is a program for managing keytabs.
Supported options:
.Bl -tag -width Ds
.It Fl v , Fl Fl verbose
Verbose output.
.El
.Pp
.Ar command
can be one of the following:
.Bl -tag -width srvconvert
.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
Oo Fl Fl password= Ns Ar password Oc Oo Fl r Oc Oo Fl Fl random Oc \
Oo Fl s Oc Oo Fl Fl no-salt Oc Oo Fl H Oc Op Fl Fl hex
Adds a key to the keytab.
Options that are not specified will be prompted for.
This requires that you know the password or the hex key of the
principal to add; if what you really want is to add a new principal to
the keytab, you should consider the
.Ar get
command, which talks to the kadmin server.
.Pp
A password given with
.Fl w
or
.Fl Fl password
on the command line is visible to other users in the process list and
may end up in the shell history; it is safer to leave the option out
and let
.Nm
prompt for it.
.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
Oo Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \
Oo Fl s Ar port Oc Op Fl Fl server-port= Ns Ar port
Update one or several keys to new versions.
By default, use the admin server for the realm of a keytab entry.
Otherwise it will use the values specified by the options.
.Pp
If no principals are given, all the ones in the keytab are updated.
.It copy Ar keytab-src Ar keytab-dest
Copies all the entries from
.Ar keytab-src
to
.Ar keytab-dest .
.It get Oo Fl p Ar admin principal Oc \
Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
For each
.Ar principal ,
generate a new key for it (creating it if it doesn't already exist),
and put that key in the keytab.
Since this replaces the principal's key in the KDC, any other keytab
that holds the old key for the same principal stops working.
.Pp
If no
.Ar realm
is specified, the realm to operate on is taken from the first
principal.
.It list Oo Fl Fl keys Oc Op Fl Fl timestamp
List the keys stored in the keytab.
With
.Fl Fl keys
the raw key values are printed; that output is as sensitive as the
keytab itself and should not be left in logs or terminal scrollback.
.It remove Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc
Removes the specified key or keys.
Not specifying a
.Ar kvno
removes keys with any version number.
Not specifying an
.Ar enctype
removes keys of any type.
.It rename Oo Fl Fl no-delete Oc Ar from-principal Ar to-principal
Renames all entries in the keytab that match the
.Ar from-principal
to
.Ar to-principal .
Each entry is first written under the new name and the original is
then removed; with
.Fl Fl no-delete
the original entries are kept as well.
.It purge Op Fl Fl age= Ns Ar age
Removes all old versions of a key for which there is a newer version
that is at least
.Ar age
(default one week) old.
.El
.Sh SEE ALSO
.Xr kadmin 1
heimdal-1.7~git20150920+dfsg/admin/ktutil.c000066400000000000000000000103231257755311500202120ustar00rootroot00000000000000/* * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #include "ktutil_locl.h" #include RCSID("$Id$"); static int help_flag; static int version_flag; int verbose_flag; char *keytab_string; static char keytab_buf[256]; static struct getargs args[] = { { "version", 0, arg_flag, &version_flag, NULL, NULL }, { "help", 'h', arg_flag, &help_flag, NULL, NULL }, { "keytab", 'k', arg_string, &keytab_string, "keytab", "keytab to operate on" }, { "verbose", 'v', arg_flag, &verbose_flag, "verbose", "run verbosely" } }; static int num_args = sizeof(args) / sizeof(args[0]); krb5_context context; krb5_keytab ktutil_open_keytab(void) { krb5_error_code ret; krb5_keytab keytab; if (keytab_string == NULL) { ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf)); if (ret) { krb5_warn(context, ret, "krb5_kt_default_name"); return NULL; } keytab_string = keytab_buf; } ret = krb5_kt_resolve(context, keytab_string, &keytab); if (ret) { krb5_warn(context, ret, "resolving keytab %s", keytab_string); return NULL; } if (verbose_flag) fprintf (stderr, "Using keytab %s\n", keytab_string); return keytab; } int help(void *opt, int argc, char **argv) { if(argc == 0) { sl_help(commands, 1, argv - 1 /* XXX */); } else { SL_cmd *c = sl_match (commands, argv[0], 0); if(c == NULL) { fprintf (stderr, "No such command: %s. " "Try \"help\" for a list of commands\n", argv[0]); } else { if(c->func) { char shelp[] = "--help"; char *fake[3]; fake[0] = argv[0]; fake[1] = shelp; fake[2] = NULL; (*c->func)(2, fake); fprintf(stderr, "\n"); } if(c->help && *c->help) fprintf (stderr, "%s\n", c->help); if((++c)->name && c->func == NULL) { int f = 0; fprintf (stderr, "Synonyms:"); while (c->name && c->func == NULL) { fprintf (stderr, "%s%s", f ? 
", " : " ", (c++)->name); f = 1; } fprintf (stderr, "\n"); } } } return 0; } static void usage(int status) { arg_printusage(args, num_args, NULL, "command"); exit(status); } int main(int argc, char **argv) { int optidx = 0; krb5_error_code ret; setprogname(argv[0]); ret = krb5_init_context(&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); if(getarg(args, num_args, argc, argv, &optidx)) usage(1); if(help_flag) usage(0); if(version_flag) { print_version(NULL); exit(0); } argc -= optidx; argv += optidx; if(argc == 0) usage(1); ret = sl_command(commands, argc, argv); if(ret == -1) krb5_warnx (context, "unrecognized command: %s", argv[0]); return ret; } heimdal-1.7~git20150920+dfsg/admin/ktutil_locl.h000066400000000000000000000043611257755311500212350ustar00rootroot00000000000000/* * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * $Id$ */ #ifndef __KTUTIL_LOCL_H__ #define __KTUTIL_LOCL_H__ #include #include #include #include #include #ifdef HAVE_FCNTL_H #include #endif #ifdef HAVE_UNISTD_H #include #endif #include #include #include "crypto-headers.h" #include #include #include #include #include #include extern krb5_context context; extern int verbose_flag; extern char *keytab_string; krb5_keytab ktutil_open_keytab(void); #include "ktutil-commands.h" #endif /* __KTUTIL_LOCL_H__ */ heimdal-1.7~git20150920+dfsg/admin/list.c000066400000000000000000000120721257755311500176540ustar00rootroot00000000000000/* * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
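*
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "ktutil_locl.h"
#include RCSID("$Id$");

/*
 * Print the contents of the keytab named by `keytab_str' as a table on
 * stdout.  A name of the form "ANY:kt1,kt2,..." is split and each member
 * keytab is listed in turn.
 *
 * With opt->keys_flag the raw key bytes are printed in hex: that output
 * carries the same secrets as the keytab itself and must be protected
 * accordingly.  With opt->timestamp_flag the entry timestamps are shown.
 *
 * Returns 0 on success, otherwise a krb5 error code, ENOMEM, or 1 when
 * any member of an ANY: list failed.
 */
static int
do_list(struct list_options *opt, const char *keytab_str)
{
    krb5_error_code ret;
    krb5_keytab keytab;
    krb5_keytab_entry entry;
    krb5_kt_cursor cursor;
    rtbl_t table;

    /* XXX specialcase the ANY type: list every member keytab separately. */
    if (strncasecmp(keytab_str, "ANY:", 4) == 0) {
        int flag = 0;
        char buf[1024];

        keytab_str += 4;
        ret = 0;
        while (strsep_copy((const char**)&keytab_str, ",",
                           buf, sizeof(buf)) != -1) {
            if (flag)
                printf("\n");
            if (do_list(opt, buf))
                ret = 1;
            flag = 1;
        }
        return ret;
    }

    ret = krb5_kt_resolve(context, keytab_str, &keytab);
    if (ret) {
        krb5_warn(context, ret, "resolving keytab %s", keytab_str);
        return ret;
    }

    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
    if (ret) {
        krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_str);
        krb5_kt_close(context, keytab);
        return ret;
    }

    printf ("%s:\n\n", keytab_str);

    table = rtbl_create();
    rtbl_add_column_by_id(table, 0, "Vno", RTBL_ALIGN_RIGHT);
    rtbl_add_column_by_id(table, 1, "Type", 0);
    rtbl_add_column_by_id(table, 2, "Principal", 0);
    if (opt->timestamp_flag)
        rtbl_add_column_by_id(table, 3, "Date", 0);
    if (opt->keys_flag)
        rtbl_add_column_by_id(table, 4, "Key", 0);
    rtbl_add_column_by_id(table, 5, "Aliases", 0);
    rtbl_set_separator(table, " ");

    /* `ret' is 0 here and only becomes non-zero on a fatal error below. */
    while (krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) {
        char buf[1024], *s;

        snprintf(buf, sizeof(buf), "%d", entry.vno);
        rtbl_add_column_entry_by_id(table, 0, buf);

        /* An enctype without a name is shown numerically rather than failing. */
        if (krb5_enctype_to_string(context, entry.keyblock.keytype, &s) != 0) {
            snprintf(buf, sizeof(buf), "unknown (%d)", entry.keyblock.keytype);
            rtbl_add_column_entry_by_id(table, 1, buf);
        } else {
            rtbl_add_column_entry_by_id(table, 1, s);
            free(s);
        }

        krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf));
        rtbl_add_column_entry_by_id(table, 2, buf);

        if (opt->timestamp_flag) {
            krb5_format_time(context, entry.timestamp, buf, sizeof(buf), FALSE);
            rtbl_add_column_entry_by_id(table, 3, buf);
        }

        if (opt->keys_flag) {
            size_t i;

            /* Two hex digits per key byte plus the terminating NUL. */
            s = malloc(2 * entry.keyblock.keyvalue.length + 1);
            if (s == NULL) {
                krb5_warnx(context, "malloc failed");
                /* Release the entry before bailing out; the old code leaked it. */
                krb5_kt_free_entry(context, &entry);
                ret = ENOMEM;
                break;
            }
            for (i = 0; i < entry.keyblock.keyvalue.length; i++)
                snprintf(s + 2 * i, 3, "%02x",
                         ((unsigned char*)entry.keyblock.keyvalue.data)[i]);
            rtbl_add_column_entry_by_id(table, 4, s);
            free(s);
        }

        if (entry.aliases) {
            unsigned int i;
            struct rk_strpool *p = NULL;
            char *aliases;

            for (i = 0; i < entry.aliases->len; i++) {
                /* Print the alias itself, not the entry's own principal. */
                krb5_unparse_name_fixed(context, &entry.aliases->val[i],
                                        buf, sizeof(buf));
                /*
                 * rk_strpoolprintf() returns the pool (allocating it on the
                 * first call); without assigning it back `p' stayed NULL and
                 * the collected column was always empty.
                 */
                p = rk_strpoolprintf(p, "%s%s", buf,
                                     i + 1 < entry.aliases->len ? ", " : "");
            }
            aliases = rk_strpoolcollect(p);
            if (aliases != NULL) {
                /* rtbl keeps its own copy, as the free(s) above relies on. */
                rtbl_add_column_entry_by_id(table, 5, aliases);
                free(aliases);
            }
        }

        krb5_kt_free_entry(context, &entry);
    }

    if (ret == 0) {
        ret = krb5_kt_end_seq_get(context, keytab, &cursor);
        rtbl_format(table, stdout);
    } else {
        /* Still close the cursor when leaving the loop early. */
        krb5_kt_end_seq_get(context, keytab, &cursor);
    }

    rtbl_destroy(table);
    krb5_kt_close(context, keytab);
    return ret;
}

/*
 * The "list" command.  Lists the keytab selected with -k/--keytab, or the
 * default keytab when none was given.  Verbose mode implies --timestamp.
 * Returns 0 on success and 1 on any failure.
 */
int
kt_list(struct list_options *opt, int argc, char **argv)
{
    krb5_error_code ret;
    /*
     * keytab_string is a global that outlives this call, so the buffer it
     * is pointed at must not be on the stack (ktutil_open_keytab() uses a
     * static buffer for the same reason).
     */
    static char kt[1024];

    if (verbose_flag)
        opt->timestamp_flag = 1;

    if (keytab_string == NULL) {
        ret = krb5_kt_default_name(context, kt, sizeof(kt));
        if (ret != 0) {
            krb5_warn(context, ret, "getting default keytab name");
            return 1;
        }
        keytab_string = kt;
    }
    return do_list(opt, keytab_string) != 0;
}
heimdal-1.7~git20150920+dfsg/admin/purge.c000066400000000000000000000111671257755311500200270ustar00rootroot00000000000000/* * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 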
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "ktutil_locl.h" RCSID("$Id$"); /* * keep track of the highest version for every principal. */ struct e { krb5_principal principal; int max_vno; time_t timestamp; struct e *next; }; static struct e * get_entry (krb5_principal princ, struct e *head) { struct e *e; for (e = head; e != NULL; e = e->next) if (krb5_principal_compare (context, princ, e->principal)) return e; return NULL; } static void add_entry (krb5_principal princ, int vno, time_t timestamp, struct e **head) { krb5_error_code ret; struct e *e; e = get_entry (princ, *head); if (e != NULL) { if(e->max_vno < vno) { e->max_vno = vno; e->timestamp = timestamp; } return; } e = malloc (sizeof (*e)); if (e == NULL) krb5_errx (context, 1, "malloc: out of memory"); ret = krb5_copy_principal (context, princ, &e->principal); if (ret) krb5_err (context, 1, ret, "krb5_copy_principal"); e->max_vno = vno; e->timestamp = timestamp; e->next = *head; *head = e; } static void delete_list (struct e *head) { while (head != NULL) { struct e *next = head->next; krb5_free_principal (context, head->principal); free (head); head = next; } } /* * Remove all entries that have newer versions and that are older * than `age' */ int kt_purge(struct purge_options *opt, int argc, char **argv) { krb5_error_code ret = 0; krb5_kt_cursor cursor; krb5_keytab keytab; krb5_keytab_entry entry; int age; struct e *head = NULL; time_t judgement_day; age = parse_time(opt->age_string, "s"); if(age < 0) { krb5_warnx(context, 
"unparasable time `%s'", opt->age_string); return 1; } if((keytab = ktutil_open_keytab()) == NULL) return 1; ret = krb5_kt_start_seq_get(context, keytab, &cursor); if(ret){ krb5_warn(context, ret, "%s", keytab_string); goto out; } while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) { add_entry (entry.principal, entry.vno, entry.timestamp, &head); krb5_kt_free_entry(context, &entry); } krb5_kt_end_seq_get(context, keytab, &cursor); judgement_day = time (NULL); ret = krb5_kt_start_seq_get(context, keytab, &cursor); if(ret){ krb5_warn(context, ret, "%s", keytab_string); goto out; } while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) { struct e *e = get_entry (entry.principal, head); if (e == NULL) { krb5_warnx (context, "ignoring extra entry"); continue; } if (entry.vno < e->max_vno && judgement_day - e->timestamp > age) { if (verbose_flag) { char *name_str; krb5_unparse_name (context, entry.principal, &name_str); printf ("removing %s vno %d\n", name_str, entry.vno); free (name_str); } ret = krb5_kt_remove_entry (context, keytab, &entry); if (ret) krb5_warn (context, ret, "remove"); } krb5_kt_free_entry(context, &entry); } ret = krb5_kt_end_seq_get(context, keytab, &cursor); delete_list (head); out: krb5_kt_close (context, keytab); return ret != 0; } heimdal-1.7~git20150920+dfsg/admin/remove.c000066400000000000000000000057451257755311500202070ustar00rootroot00000000000000/* * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/

#include "ktutil_locl.h"
RCSID("$Id$");

/*
 * The "remove" (alias "delete") command: delete every keytab entry that
 * matches the given principal (-p), key version (-V) and/or enctype (-e).
 * A selector that is left out acts as a wildcard: principal NULL, kvno 0
 * and enctype 0 are handed to krb5_kt_remove_entry() as "any".  At least
 * one selector is required, otherwise the whole keytab would be emptied.
 *
 * Note that omitting -V removes every version of the matching key; to
 * drop only superseded versions, use the purge command instead.
 *
 * Returns 0 on success and 1 on any error.
 */
int
kt_remove(struct remove_options *opt, int argc, char **argv)
{
    krb5_error_code ret = 0;
    krb5_keytab_entry entry;
    krb5_keytab keytab;
    krb5_principal princ = NULL;
    krb5_enctype etype = 0;

    if (opt->principal_string) {
        ret = krb5_parse_name(context, opt->principal_string, &princ);
        if (ret) {
            krb5_warn(context, ret, "%s", opt->principal_string);
            goto out;
        }
    }

    if (opt->enctype_string) {
        ret = krb5_string_to_enctype(context, opt->enctype_string, &etype);
        if (ret) {
            /* Not a known enctype name; accept a bare number as fallback. */
            int numeric;

            if (sscanf(opt->enctype_string, "%d", &numeric) != 1) {
                krb5_warn(context, ret, "%s", opt->enctype_string);
                goto out;
            }
            etype = numeric;
            ret = 0;
        }
    }

    if (princ == NULL && etype == 0 && opt->kvno_integer == 0) {
        krb5_warnx(context, "You must give at least one of "
                   "principal, enctype or kvno.");
        ret = EINVAL;
        goto out;
    }

    keytab = ktutil_open_keytab();
    if (keytab == NULL) {
        ret = 1;
        goto out;
    }

    /*
     * Only principal, enctype and vno are filled in; the remaining fields
     * of `entry' are presumably not consulted when matching — unchanged
     * from the original, confirm against krb5_kt_remove_entry() if in doubt.
     */
    entry.principal = princ;
    entry.keyblock.keytype = etype;
    entry.vno = opt->kvno_integer;

    ret = krb5_kt_remove_entry(context, keytab, &entry);
    krb5_kt_close(context, keytab);
    if (ret)
        krb5_warn(context, ret, "remove");

out:
    if (princ)
        krb5_free_principal(context, princ);
    return ret != 0;
}
heimdal-1.7~git20150920+dfsg/admin/rename.c000066400000000000000000000071321257755311500201510ustar00rootroot00000000000000/* * Copyright (c) 2001-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
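*/

#include "ktutil_locl.h"
RCSID("$Id$");

/*
 * The "rename" command: for every keytab entry whose principal equals
 * argv[0], write an identical entry (same kvno, enctype and key) under
 * the principal argv[1].  Unless the negated `delete' option was given
 * (--no-delete clears opt->delete_flag), the original entry is removed
 * right after its copy has been written, so the same key is not left
 * stored under two names.
 *
 * Entries are added while the same keytab is being iterated; a copy that
 * is visited later in the pass does not match `from' and is left alone.
 *
 * Returns 0 on success and 1 on any error.
 */
int
kt_rename(struct rename_options *opt, int argc, char **argv)
{
    krb5_error_code ret = 0;
    krb5_keytab_entry entry;
    krb5_keytab keytab;
    krb5_kt_cursor cursor;
    krb5_principal from_princ, to_princ;

    ret = krb5_parse_name(context, argv[0], &from_princ);
    if (ret != 0) {
        krb5_warn(context, ret, "%s", argv[0]);
        return 1;
    }
    ret = krb5_parse_name(context, argv[1], &to_princ);
    if (ret != 0) {
        krb5_free_principal(context, from_princ);
        krb5_warn(context, ret, "%s", argv[1]);
        return 1;
    }

    if ((keytab = ktutil_open_keytab()) == NULL) {
        krb5_free_principal(context, from_princ);
        krb5_free_principal(context, to_princ);
        return 1;
    }

    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
    if (ret) {
        /* Report the cause, as purge does, instead of failing silently. */
        krb5_warn(context, ret, "%s", keytab_string);
        krb5_kt_close(context, keytab);
        krb5_free_principal(context, from_princ);
        krb5_free_principal(context, to_princ);
        return 1;
    }

    while (1) {
        ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
        if (ret != 0) {
            /* Reaching the end is the normal exit; anything else is an error. */
            if (ret != KRB5_CC_END && ret != KRB5_KT_END)
                krb5_warn(context, ret, "getting entry from keytab");
            else
                ret = 0;
            break;
        }
        if (krb5_principal_compare(context, entry.principal, from_princ)) {
            /*
             * Re-point the entry at `to' and write it back.  entry.principal
             * is reset to NULL before every krb5_kt_free_entry() below so
             * that from_princ/to_princ are never freed through the entry.
             */
            krb5_free_principal(context, entry.principal);
            entry.principal = to_princ;
            ret = krb5_kt_add_entry(context, keytab, &entry);
            if (ret) {
                entry.principal = NULL;
                krb5_kt_free_entry(context, &entry);
                krb5_warn(context, ret, "adding entry");
                break;
            }
            if (opt->delete_flag) {
                entry.principal = from_princ;
                ret = krb5_kt_remove_entry(context, keytab, &entry);
                if (ret) {
                    entry.principal = NULL;
                    krb5_kt_free_entry(context, &entry);
                    krb5_warn(context, ret, "removing entry");
                    break;
                }
            }
            entry.principal = NULL;
        }
        krb5_kt_free_entry(context, &entry);
    }

    krb5_kt_end_seq_get(context, keytab, &cursor);
    /* The keytab handle was previously leaked on this path. */
    krb5_kt_close(context, keytab);
    krb5_free_principal(context, from_princ);
    krb5_free_principal(context, to_princ);
    return ret != 0;
}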
heimdal-1.7~git20150920+dfsg/appl/000077500000000000000000000000001257755311500163775ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/Makefile.am000066400000000000000000000004701257755311500204340ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common if OTP dir_otp = otp endif if DCE dir_dce = dceutils endif SUBDIRS = \ afsutil \ dbutils \ ftp \ login \ $(dir_otp) \ gssmask \ push \ su \ test \ kf \ $(dir_dce) EXTRA_DIST = NTMakefile heimdal-1.7~git20150920+dfsg/appl/NTMakefile000066400000000000000000000027221257755311500203040ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl !include ../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/afsutil/000077500000000000000000000000001257755311500200465ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/afsutil/ChangeLog000066400000000000000000000065661257755311500216350ustar00rootroot000000000000002007-04-11 Love Hörnquist Åstrand * pagsh.1,afslog.1: - options must be lexicographically ordered; again, options without arguments must be placed before options with arguments. - manual page cross references are done using the macro `.Xr', not the macro `.Nm' (used for command names instead). From Igor Sobrado. 2006-10-07 Love Hörnquist Åstrand * Makefile.am: Add man_MANS to EXTRA_DIST 2006-01-03 Love Hörnquist Åstrand * afslog.1: Document options to allow select principal or credential cache when doing afslog. * afslog.c: Add options to allow select principal or credential cache when doing afslog. 
2005-02-12 Love Hörnquist Åstrand * Makefile.am: man_MANS += pagsh.1 * pagsh.c: add --cache-type that allows the user to control the resulting credential cache type, inherit the type from the invoking process * pagsh.1: manpage for pagsh 2004-09-03 Love Hörnquist Åstrand * afslog.c: use negative string help string for arg_negative_flag Pointed out by Harald Barth 2004-07-27 Love Hörnquist Åstrand * pagsh.c: use setprogname, if we stripped off -c, try use the fallback code 2003-10-14 Johan Danielsson * pagsh.c: mkstemp formats must end in exactly six X's 2003-07-15 Love Hörnquist Åstrand * afslog.c (do_afslog): is cell is unset, set it "" for error printing * pagsh.c: unconditionally set KRBTKFILE 2003-04-23 Love Hörnquist Åstrand * afslog.c (log_func): drop the error number 2003-04-14 Love Hörnquist Åstrand * afslog.c: set kafs log function if verbose is turned on 2003-03-18 Love Hörnquist Åstrand * Makefile.am (LDADD): use LIB_kafs * afslog.1: --no-v4, --no-v5 * Makefile.am: always build afsutils now * afslog.c: make build without KRB4 2002-11-26 Johan Danielsson * afslog.c: remove plural form in help string * Makefile.am: add afslog manpage * afslog.1: manpage * afslog.c: try more files when trying to expand a cell name * afslog.c: create a list of cells to get tokens for, before actually doing anything, and try to get tokens via krb4 if krb5 fails, and give it a chance to work with krb4-only; also some bug fixes, partially from Tomas Olsson. 2002-08-23 Assar Westerlund * pagsh.c: make it handle --version/--help 2001-05-17 Assar Westerlund * afslog.c (main): call free_getarg_strings 2000-12-31 Assar Westerlund * afslog.c (main): handle krb5_init_context failure consistently 2000-12-25 Assar Westerlund * afslog.c: clarify usage strings 1999-08-04 Assar Westerlund * pagsh.c (main): use mkstemp to generate temporary file names. From Miroslav Ruda 1999-07-04 Assar Westerlund * afslog.c (expand_cell_name): terminate on #. 
From Miroslav Ruda 1999-06-27 Assar Westerlund * Makefile.am (bin_PROGRAMS): only include pagsh if KRB4 1999-06-26 Assar Westerlund * Makefile.am: add pagsh * pagsh.c: new file. contributed by Miroslav Ruda Sat Mar 27 12:49:43 1999 Johan Danielsson * afslog.c: cleanup option parsing heimdal-1.7~git20150920+dfsg/appl/afsutil/Makefile.am000066400000000000000000000005121257755311500221000ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common bin_PROGRAMS = afslog pagsh afslog_SOURCES = afslog.c pagsh_SOURCES = pagsh.c man_MANS = afslog.1 pagsh.1 LDADD = $(LIB_kafs) \ $(top_builddir)/lib/krb5/libkrb5.la \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_hcrypto) \ $(LIB_roken) EXTRA_DIST = NTMakefile $(man_MANS) heimdal-1.7~git20150920+dfsg/appl/afsutil/NTMakefile000066400000000000000000000027351257755311500217570ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\afsutil !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/afsutil/afslog.1000066400000000000000000000076251257755311500214150ustar00rootroot00000000000000.\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $Id$ .\" .Dd November 26, 2002 .Dt AFSLOG 1 .Os HEIMDAL .Sh NAME .Nm afslog .Nd obtain AFS tokens .Sh SYNOPSIS .Nm .Op Fl h | Fl Fl help .Op Fl Fl no-v5 .Op Fl u | Fl Fl unlog .Op Fl v | Fl Fl verbose .Op Fl Fl version .Oo Fl c Ar cell \*(Ba Xo .Fl Fl cell= Ns Ar cell .Xc .Oc .Oo Fl k Ar realm \*(Ba Xo .Fl Fl realm= Ns Ar realm .Xc .Oc .Oo Fl P Ar principal \*(Ba Xo .Fl Fl principal= Ns Ar principal .Xc .Oc .Bk -words .Oo Fl p Ar path \*(Ba Xo .Fl Fl file= Ns Ar path .Xc .Oc .Ek .Op Ar cell | path ... .Sh DESCRIPTION .Nm obtains AFS tokens for a number of cells. What cells to get tokens for can either be specified as an explicit list, as file paths to get tokens for, or be left unspecified, in which case .Nm will use whatever magic .Xr krb_afslog 3 decides upon. .Pp Supported options: .Bl -tag -width Ds .It Fl Fl no-v5 This makes .Nm not try using Kerberos 5. .It Xo .Fl P Ar principal , .Fl Fl principal Ar principal .Xc select what Kerberos 5 principal to use. .It Fl Fl cache Ar cache select what Kerberos 5 credential cache to use. .Fl Fl principal overrides this option. .It Xo .Fl u , .Fl Fl unlog .Xc Destroy tokens instead of obtaining new. If this is specified, all other options are ignored (except for .Fl Fl help and .Fl Fl version ) . .It Xo .Fl v , .Fl Fl verbose .Xc Adds more verbosity for what is actually going on. .It Xo .Fl c Ar cell, .Fl Fl cell= Ns Ar cell .Xc This specified one or more cell names to get tokens for. 
.It Xo .Fl k Ar realm , .Fl Fl realm= Ns Ar realm .Xc This is the Kerberos realm the AFS servers live in; this should normally not be specified. .It Xo .Fl p Ar path , .Fl Fl file= Ns Ar path .Xc This specifies one or more file paths for which tokens should be obtained. .El .Pp Instead of using .Fl c and .Fl p , you may also pass a list of cells and file paths after any other options. These arguments are considered files if they are either the strings .Do . Dc or .Dq .. or they contain a slash, or if there exists a file by that name. .Sh EXAMPLES Assuming that there is no file called .Dq openafs.org in the current directory, and that .Pa /afs/openafs.org points to that cell, the following should be identical: .Bd -literal -offset indent $ afslog -c openafs.org $ afslog openafs.org $ afslog /afs/openafs.org/some/file .Ed .Sh SEE ALSO .Xr krb_afslog 3 heimdal-1.7~git20150920+dfsg/appl/afsutil/afslog.c000066400000000000000000000163011257755311500214660ustar00rootroot00000000000000/* * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
*
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* NOTE(review): the header names of the #include lines below were lost in
 * this listing; they are reproduced as they appear here. */
#ifdef HAVE_CONFIG_H
#include
RCSID("$Id$");
#endif
#include
#ifdef KRB5
#include
#endif
#include
#include
#include
#include

/* Command-line state, filled in by getarg() from args[] below. */
static int help_flag;
static int version_flag;
static getarg_strings cells;	/* -c/--cell, may be given several times */
static char *realm;		/* -k/--realm, passed through to krb5_afslog() */
static getarg_strings files;	/* -p/--file, may be given several times */
static int unlog_flag;		/* -u/--unlog: drop tokens and exit */
static int verbose;
#ifdef KRB5
static char *client_string;	/* -P/--principal: select ccache by principal */
static char *cache_string;	/* --cache: ccache name to resolve */
static int use_krb5 = 1;	/* cleared by --no-v5 (arg_negative_flag) */
#endif

struct getargs args[] = {
    { "cell",	'c', arg_strings, &cells, "cells to get tokens for", "cell" },
    { "file",	'p', arg_strings, &files, "files to get tokens for", "path" },
    { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens", NULL },
#ifdef KRB5
    { "principal",'P',arg_string,&client_string,"principal to use","principal"},
    { "cache",	0, arg_string, &cache_string, "ccache to use", "cache"},
    { "v5",	0, arg_negative_flag, &use_krb5, "don't use Kerberos 5", NULL },
#endif
    { "verbose",'v', arg_flag, &verbose, NULL, NULL },
    { "version", 0, arg_flag, &version_flag, NULL, NULL },
    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
};

static int num_args = sizeof(args) / sizeof(args[0]);

#ifdef KRB5
/* Set up once in main(); both stay NULL when no context/ccache is usable. */
krb5_context context;
krb5_ccache id;
#endif

/*
 * Scan one CellServDB-style file for a line starting with '>' whose cell
 * name begins with `cell'.  The name is cut at the first whitespace or
 * '#'.  Returns a pointer into a static buffer (valid until the next
 * call) or NULL when no line matched.  This is a prefix match, so the
 * first cell whose name starts with `cell' wins.
 */
static const char *
expand_one_file(FILE *f, const char *cell)
{
    static char buf[1024];
    char *p;

    while (fgets (buf, sizeof(buf), f) != NULL) {
	if(buf[0] == '>') {
	    for(p = buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++)
		;
	    *p = '\0';
	    if(strncmp(buf + 1, cell, strlen(cell)) == 0)
		return buf + 1;
	}
	buf[0] = '\0';
    }
    return NULL;
}

/*
 * Look `cell' up in the known CellServDB locations, in order, and return
 * the name of the first match.  Files that cannot be opened are skipped.
 * Falls back to `cell' itself when nothing matched, so this never returns
 * NULL.
 */
static const char *
expand_cell_name(const char *cell)
{
    FILE *f;
    const char *c;
    const char **fn, *fns[] = { _PATH_CELLSERVDB,
				_PATH_ARLA_CELLSERVDB,
				_PATH_OPENAFS_DEBIAN_CELLSERVDB,
				_PATH_ARLA_DEBIAN_CELLSERVDB,
				NULL };
    for(fn = fns; *fn; fn++) {
	f = fopen(*fn, "r");
	if(f == NULL)
	    continue;
	c = expand_one_file(f, cell);
	fclose(f);
	if(c)
	    return c;
    }
    return cell;
}

/* Print the option summary and exit with `ecode'. */
static void
usage(int ecode)
{
    arg_printusage(args, num_args, NULL, "[cell|path]...");
    exit(ecode);
}

/* Singly linked, duplicate-free list of cells to get tokens for. */
struct cell_list {
    char *cell;
    struct cell_list *next;
} *cell_list;

/*
 * Queue `cell' for a later do_afslog().  With `expand' set the name is
 * first expanded through the CellServDB files.  Duplicates are dropped.
 * Returns 0 on success (including a duplicate), -1 on allocation failure.
 * Since expand_cell_name() falls back to `cell', the c == NULL branch
 * below is not reached.
 */
static int
afslog_cell(const char *cell, int expand)
{
    struct cell_list *p, **q;
    const char *c = cell;
    if(expand){
	c = expand_cell_name(cell);
	if(c == NULL){
	    warnx("No cell matching \"%s\" found.", cell);
	    return -1;
	}
	if(verbose && strcmp(c, cell) != 0)
	    warnx("Cell \"%s\" expanded to \"%s\"", cell, c);
    }
    /* add to list of cells to get tokens for, and also remove
       duplicates; the actual afslog takes place later */
    for(p = cell_list, q = &cell_list; p; q = &p->next, p = p->next)
	if(strcmp(p->cell, c) == 0)
	    return 0;
    p = malloc(sizeof(*p));
    if(p == NULL)
	return -1;
    p->cell = strdup(c);
    if(p->cell == NULL) {
	free(p);
	return -1;
    }
    p->next = NULL;
    *q = p;
    return 0;
}

/*
 * Queue the cell that `path' lives in (looked up via k_afs_cell_of_file()).
 * The cell name from the file is used as-is, without expansion.
 * Returns -1 when no cell could be determined for the path.
 */
static int
afslog_file(const char *path)
{
    char cell[64];
    if(k_afs_cell_of_file(path, cell, sizeof(cell))){
	warnx("No cell found for file \"%s\".", path);
	return -1;
    }
    if(verbose)
	warnx("File \"%s\" lives in cell \"%s\"", path, cell);
    return afslog_cell(cell, 0);
}

/*
 * Obtain a token for `cell' (NULL lets krb5_afslog() pick) using the
 * global krb5 context and ccache.  Returns 1 when krb5_afslog() failed,
 * 0 otherwise.  Note that with no usable context/ccache, or with --no-v5,
 * nothing is attempted and 0 is still returned.
 */
static int
do_afslog(const char *cell)
{
    int k5ret;

    k5ret = 0;

#ifdef KRB5
    if(context != NULL && id != NULL && use_krb5) {
	k5ret = krb5_afslog(context, id, cell, realm);
	if(k5ret == 0)
	    return 0;
    }
#endif
    if (cell == NULL)
	cell = "";
#ifdef KRB5
    if (k5ret)
	krb5_warn(context, k5ret, "krb5_afslog(%s)", cell);
#endif
    if (k5ret)
	return 1;
    return 0;
}

/* Verbose-mode log callback installed with kafs_set_verbose(). */
static void
log_func(void *ctx, const char *str)
{
    fprintf(stderr, "%s\n", str);
}

/*
 * Parse options, pick a krb5 ccache (by principal, by name, or the
 * default), collect the requested cells and files, and then get a token
 * for each collected cell.  With no cells or files at all, do_afslog(NULL)
 * is called once.  The exit status is the number of do_afslog() failures;
 * return values of afslog_file()/afslog_cell() are ignored here, so an
 * unresolvable file or cell does not affect it.
 */
int
main(int argc, char **argv)
{
    int optidx = 0;
    int i;
    int num;
    int ret = 0;
    int failed = 0;
    struct cell_list *p;

    setprogname(argv[0]);

    if(getarg(args, num_args, argc, argv, &optidx))
	usage(1);
    if(help_flag)
	usage(0);
    if(version_flag) {
	print_version(NULL);
	exit(0);
    }

    if(!k_hasafs())
	errx(1, "AFS does not seem to be present on this machine");

    if(unlog_flag){
	k_unlog();
	exit(0);
    }
#ifdef KRB5
    ret = krb5_init_context(&context);
    if (ret) {
	/* Without a context do_afslog() silently does nothing. */
	context = NULL;
    } else {
	if (client_string) {
	    krb5_principal client;

	    /* NOTE(review): `client' is not freed after the match. */
	    ret = krb5_parse_name(context, client_string, &client);
	    if (ret == 0)
		ret = krb5_cc_cache_match(context, client, &id);
	    if (ret)
		id = NULL;
	}
	/* --cache is only consulted when --principal did not yield a cache. */
	if (id == NULL && cache_string) {
	    if(krb5_cc_resolve(context, cache_string, &id) != 0) {
		krb5_warnx(context, "failed to open kerberos 5 cache '%s'",
			   cache_string);
		id = NULL;
	    }
	}
	if (id == NULL)
	    if(krb5_cc_default(context, &id) != 0)
		id = NULL;
    }
#endif

    if (verbose)
	kafs_set_verbose(log_func, NULL);

    /* num counts requested targets; zero means "let krb5_afslog decide". */
    num = 0;
    for(i = 0; i < files.num_strings; i++){
	afslog_file(files.strings[i]);
	num++;
    }
    free_getarg_strings (&files);
    for(i = 0; i < cells.num_strings; i++){
	afslog_cell(cells.strings[i], 1);
	num++;
    }
    free_getarg_strings (&cells);
    /* Bare arguments: ".", "..", anything with a '/' or an existing file
       is treated as a path, everything else as a cell name. */
    for(i = optidx; i < argc; i++){
	num++;
	if(strcmp(argv[i], ".") == 0 ||
	   strcmp(argv[i], "..") == 0 ||
	   strchr(argv[i], '/') ||
	   access(argv[i], F_OK) == 0)
	    afslog_file(argv[i]);
	else
	    afslog_cell(argv[i], 1);
    }

    if(num == 0) {
	if(do_afslog(NULL))
	    failed++;
    } else
	for(p = cell_list; p; p = p->next) {
	    if(verbose)
		warnx("Getting tokens for cell \"%s\"", p->cell);
	    if(do_afslog(p->cell))
		failed++;
	}

    return failed;
}
heimdal-1.7~git20150920+dfsg/appl/afsutil/pagsh.1000066400000000000000000000057141257755311500212400ustar00rootroot00000000000000.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $Id$ .\" .Dd February 12, 2005 .Dt PAGSH 1 .Os Heimdal .Sh NAME .Nm pagsh .Nd creates a new credential cache sandbox .Sh SYNOPSIS .Nm .Op Fl c Ar command-string .Op Fl h | Fl Fl help .Op Fl Fl version .Op Fl Fl cache-type= Ns Ar string .Ar command [args...] .Sh DESCRIPTION Supported options: .Bl -tag -width Ds .It Xo .Fl c Ar command-string Executes command(s) contained in .Ar command-string . 
.Xc .It Xo .Fl Fl cache-type= Ns Ar string .Xc .It Xo .Fl h , .Fl Fl help .Xc .It Xo .Fl Fl version .Xc .El .Pp .Nm creates a new credential cache sandbox for the user to live in. If AFS is installed on the computer, the user is put in a newly created Process Authentication Group (PAG). .Pp For Kerberos 5, the credential cache type that is used is the same as the credential cache type that was used at the time of .Nm invocation. The credential cache type can be controlled by the option .Fl Fl cache-type . .Sh EXAMPLES Create a new sandbox where new credentials can be used, while the old credentials can be used by other processes. .Bd -literal -offset indent $ klist Credentials cache: FILE:/tmp/krb5cc_913 Principal: lha@E.KTH.SE Issued Expires Principal Feb 12 10:08:31 Feb 12 20:06:36 krbtgt/E.KTH.SE@E.KTH.SE $ pagsh $ klist klist: No ticket file: /tmp/krb5cc_03014a .Ed .Sh SEE ALSO .Xr afslog 1 , .Xr kinit 1 heimdal-1.7~git20150920+dfsg/appl/afsutil/pagsh.c000066400000000000000000000122371257755311500213210ustar00rootroot00000000000000/* * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
*
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* NOTE(review): the header names of the #include lines below were lost in
 * this listing; they are reproduced as they appear here. */
#ifdef HAVE_CONFIG_H
#include
#endif
RCSID("$Id$");

#include
#include
#include
#include
#ifdef HAVE_SYS_TYPES_H
#include
#endif
#include
#ifdef HAVE_FCNTL_H
#include
#endif
#ifdef HAVE_PWD_H
#include
#endif
#ifdef KRB5
#include
#endif
#include
#include
#include
#include

/* Prefix of the ticket file name exported to the child via KRBTKFILE. */
#ifndef TKT_ROOT
#define TKT_ROOT "/tmp/tkt"
#endif

static int help_flag;
static int version_flag;
static int c_flag;		/* -c: run the command through "sh -c" */
#ifdef KRB5
static char *typename_arg;	/* --cache-type, handed to krb5_cc_new_unique() */
#endif

struct getargs getargs[] = {
    { NULL,	'c', arg_flag, &c_flag, NULL, NULL },
#ifdef KRB5
    { "cache-type", 0,  arg_string, &typename_arg, NULL, NULL },
#endif
    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
};

static int num_args = sizeof(getargs) / sizeof(getargs[0]);

/* Print the option summary and exit with `ecode'. */
static void
usage(int ecode)
{
    arg_printusage(getargs, num_args, NULL, "command [args...]");
    exit(ecode);
}

/*
 * Run command with a new ticket file / credentials cache / token
 *
 * In order: create a fresh, unique krb5 ccache and export its name in
 * KRB5CCNAME; pick a ticket-file name under TKT_ROOT and export it in
 * KRBTKFILE; enter a new PAG if AFS is present; exec the command (or the
 * user's shell when none is given).  Never returns on success because
 * the process image is replaced; every failure exits with status 1.
 */
int
main(int argc, char **argv)
{
    int f;
    char tf[1024];
    char *p;
    char *path;
    char **args;
    unsigned int i;
    int optidx = 0;

    setprogname(argv[0]);

    if(getarg(getargs, num_args, argc, argv, &optidx))
	usage(1);
    if(help_flag)
	usage(0);
    if(version_flag) {
	print_version(NULL);
	exit(0);
    }

    argc -= optidx;
    argv += optidx;

#ifdef KRB5
    {
	krb5_error_code ret;
	krb5_context context;
	krb5_ccache id;
	const char *name;

	ret = krb5_init_context(&context);
	if (ret) /* XXX should this really call exit ? */
	    errx(1, "no kerberos 5 support");

	/* The cache is created, named, and closed again: only its
	   "TYPE:name" string is needed, for KRB5CCNAME. */
	ret = krb5_cc_new_unique(context, typename_arg, NULL, &id);
	if (ret)
	    krb5_err(context, 1, ret, "Failed generating credential cache");

	name = krb5_cc_get_name(context, id);
	if (name == NULL)
	    krb5_errx(context, 1, "Generated credential cache have no name");

	snprintf(tf, sizeof(tf), "%s:%s", krb5_cc_get_type(context, id), name);

	ret = krb5_cc_close(context, id);
	if (ret)
	    krb5_err(context, 1, ret, "Failed closing credential cache");

	krb5_free_context(context);

	esetenv("KRB5CCNAME", tf, 1);
    }
#endif

    /* Only a name is wanted for KRBTKFILE: the file mkstemp() created is
       removed right away, so the name is not reserved after this point
       and another process could create it before the child does. */
    snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
    f = mkstemp (tf);
    if (f < 0)
	err(1, "mkstemp failed");
    close (f);
    unlink (tf);
    esetenv("KRBTKFILE", tf, 1);

    i = 0;

    /* argv[0] for the command, the remaining arguments and a NULL fit
       comfortably in argc + 10 slots. */
    args = (char **) malloc((argc + 10)*sizeof(char *));
    if (args == NULL)
	errx (1, "Out of memory allocating %lu bytes",
	      (unsigned long)((argc + 10)*sizeof(char *)));

    /* No command given: fall back to $SHELL, then to the passwd shell. */
    if(*argv == NULL) {
	path = getenv("SHELL");
	if(path == NULL){
	    struct passwd *pw = k_getpwuid(geteuid());
	    if (pw == NULL)
		errx(1, "no such user: %d", (int)geteuid());
	    path = strdup(pw->pw_shell);
	}
    } else {
	path = strdup(*argv++);
    }
    if (path == NULL)
	errx (1, "Out of memory copying path");

    /* args[0] is the basename of the command. */
    p=strrchr(path, '/');
    if(p)
	args[i] = strdup(p+1);
    else
	args[i] = strdup(path);
    if (args[i++] == NULL)
	errx (1, "Out of memory copying arguments");

    while(*argv)
	args[i++] = *argv++;

    args[i++] = NULL;

    if(k_hasafs())
	k_setpag();

    unsetenv("PAGPID");
    /* execvp() is attempted first even with -c; the "sh -c" fallback
       below only runs when it fails. */
    execvp(path, args);
    if (errno == ENOENT || c_flag) {
	char **sh_args = malloc ((i + 2) * sizeof(char *));
	unsigned int j;

	if (sh_args == NULL)
	    errx (1, "Out of memory copying sh arguments");
	/* args[1..i-1] (including the NULL) shift to sh_args[3..i+1];
	   i + 2 slots cover that plus "sh", "-c" and the command string. */
	for (j = 1; j < i; ++j)
	    sh_args[j + 2] = args[j];
	sh_args[0] = "sh";
	sh_args[1] = "-c";
	sh_args[2] = path;
	execv ("/bin/sh", sh_args);
    }
    err (1, "execvp");
}
heimdal-1.7~git20150920+dfsg/appl/dbutils/000077500000000000000000000000001257755311500200455ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/dbutils/Makefile.am000066400000000000000000000003241257755311500221000ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common bin_PROGRAMS = bsearch bsearch_SOURCES = bsearch.c man_MANS = bsearch.1 EXTRA_DIST = NTMakefile $(man_MANS) LDADD = $(LIB_roken) $(LIB_vers) $(LIB_heimbase) heimdal-1.7~git20150920+dfsg/appl/dbutils/NTMakefile000066400000000000000000000027351257755311500217560ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\dbutils !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/dbutils/bsearch.1000066400000000000000000000066661257755311500215540ustar00rootroot00000000000000.\" .\" Copyright (c) 2011, Secure Endpoints Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" - Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" - Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in .\" the documentation and/or other materials provided with the .\" distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS .\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT .\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS .\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE .\" COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, .\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES .\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR .\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd November 30, 2011 .Dt BSEARCH 1 .Os KTH-KRB .Sh NAME .Nm bsearch .Nd manages one-time passwords .Sh SYNOPSIS .Nm bsearch .Op Fl KVvh .Op Fl b Ar block-size .Op Fl m Ar max-cache-size .Ar file .Ar [key ...] .Sh DESCRIPTION The .Nm program performs binary searches of .Ar file which must be a sorted flat text file. .Pp Each line is a record. Each record starts with a key that is optionally followed by whitespace and a value. Whitespace may be quoted with a backslash, but newline and carriage-return characters must be quoted in some other manner (e.g., as backslash-n and backslash-r). Escapes are neither interpreted nor removed. .Pp If no key arguments are given on the command-line, then keys will be read from standard input. .Pp By default only values are printed to standard output. Use the -K option to also print keys. The exit status will be non-zero if any key lookups fail. .Pp Options are: .Bl -tag -width Ds .It Fl K Print keys. .It Fl V Don't print values. .It Fl h Print usage and exit. .It Fl v Print statistics and debug information to standard error. .It Ar file A sorted flat text file. NOTE: use the "C" locale for sorting this file, as in "LC_ALL=C sort -u -o file file". .It Fl h For getting a help message. .It Fl m Set .Ar max-cache-size as the maximum cache size. If the .Ar file is smaller than this size then the whole file will be read into memory, else the program will read blocks. Defaults to 1MB. 
.It Fl b Set .Ar block-size as the block size for block-wise I/O. This must be a power of 2, must be no smaller than 512 and no larger than 1MB. Defaults to the .Ar file's filesystem's preferred blocksize. .El .Sh EXAMPLES .Bd -literal -offset indent $ env LC_ALL=C sort -o /tmp/words /usr/share/dict/words $ bsearch -Kv /tmp/words day Using whole-file method Key day found at offset 327695 in 12 loops and 0 reads day $ .Sh NOTES .Pp Records must not be longer than one block's size. .Pp Flat text files must be sorted in the "C" locale. In some systems the default locale may result in case-insensitive sorting by the sort command. .Sh SEE ALSO .Xr sort 1 heimdal-1.7~git20150920+dfsg/appl/dbutils/bsearch.c000066400000000000000000000131311257755311500216170ustar00rootroot00000000000000/* * Copyright (c) 2011, Secure Endpoints Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * - Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
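/* Option storage filled in by getarg(); see args[] below. */
int help_flag;
int version_flag;
int verbose_flag;
int print_keys_flag;
int no_values_flag;
int block_size_int;
int max_size_int;

struct getargs args[] = {
    { "print-keys",     'K',  arg_flag,    &print_keys_flag,
      "print keys", NULL },
    { "no-values",      'V',  arg_flag,    &no_values_flag,
      "don't print values", NULL },
    { "verbose",        'v',  arg_flag,    &verbose_flag,
      "print statistics and informative messages", NULL },
    { "help",           'h',  arg_flag,    &help_flag,
      "print usage message", NULL },
    { "block-size",     'b',  arg_integer, &block_size_int,
      "block size", "integer" },
    { "max-cache-size", 'm',  arg_integer, &max_size_int,
      "maximum cache size", "integer" },
    { "version",        '\0', arg_flag,    &version_flag,
      NULL, NULL }
};

static int num_args = sizeof(args) / sizeof(args[0]);

/* Print the usage line for args[] and exit with `status'. */
static void
usage(int status)
{
    arg_printusage(args, num_args, NULL, "file [key ...]");
    exit(status);
}

#define MAX_BLOCK_SIZE (1024 * 1024)
#define DEFAULT_MAX_FILE_SIZE (1024 * 1024)

/*
 * Validate the -b/--block-size argument.
 *
 * Returns non-zero when `bs' is 0 (option not given, library picks the
 * size) or a power of two in [512, MAX_BLOCK_SIZE]; otherwise prints a
 * diagnostic on stderr and returns 0.  The checks are ordered as the
 * original code ordered them, so the diagnostics do not change.
 */
static int
valid_block_size(int bs)
{
    if (bs == 0)
        return 1;
    /* negative values also land here */
    if (bs < 512) {
        fprintf(stderr, "Invalid block size: too small\n");
        return 0;
    }
    /* bs > 0 here, so "exactly one bit set" is the power-of-two test */
    if (bs & (bs - 1)) {
        fprintf(stderr, "Invalid block size: must be power of two\n");
        return 0;
    }
    /* The original printed this and then carried on; a too-large size
     * must be rejected, not just reported. */
    if (bs > MAX_BLOCK_SIZE) {
        fprintf(stderr, "Invalid block size: too large\n");
        return 0;
    }
    return 1;
}

/*
 * bsearch - look up keys in a sorted flat text file.
 *
 * Keys come from the command line after the file name, or, when none
 * are given, one per line from stdin.  Each key is passed to
 * _bsearch_file(); what is printed depends on -K/-V.
 *
 * Exit status: 0 all keys found, 1 on a usage/I-O error, 2 when at
 * least one key was not found.
 */
int
main(int argc, char **argv)
{
    char keybuf[1024];
    char *fname;
    char *key = keybuf;
    char *value;
    char *p;
    bsearch_file_handle bfh = NULL;
    size_t loc;          /* offset of the record, or where it would be inserted */
    size_t loops;        /* comparisons needed for the last lookup */
    size_t reads = 0;    /* reads so far; the library keeps adding to it */
    size_t failures = 0; /* keys not found -> exit status 2 */
    size_t block_size = 0;
    size_t max_size = 0;
    int optidx = 0;
    int blockwise;
    int ret;

    setprogname(argv[0]);

    if (getarg(args, num_args, argc, argv, &optidx))
        usage(1);
    if (version_flag) {
        print_version(NULL);
        return 0;
    }
    if (help_flag)
        usage(0);

    if (!valid_block_size(block_size_int))
        return 1;
    block_size = block_size_int;  /* 0 == let the library choose */

    if (max_size_int < 0)
        usage(1);
    max_size = max_size_int;

    /*
     * getarg() stores the index of the first non-option argument in
     * optidx; getopt(3)'s optind is never touched here, so skipping by
     * it would hand the first option to the program as the file name.
     */
    argc -= optidx;
    argv += optidx;
    if (argc == 0)
        usage(1);
    fname = argv[0];
    argc--;
    argv++;

    ret = _bsearch_file_open(fname, max_size, block_size, &bfh, &reads);
    if (ret != 0) {
        /* NOTE(review): perror() reports errno, not `ret'; whether
         * _bsearch_file_open leaves errno set is not visible here. */
        perror("bsearch_file_open");
        return 1;
    }

    _bsearch_file_info(bfh, &block_size, &max_size, &blockwise);
    if (verbose_flag) {
        if (blockwise)
            fprintf(stderr, "Using block-wise method with block size %lu and "
                    "cache size %lu\n", (long unsigned)block_size,
                    (long unsigned)max_size);
        else
            fprintf(stderr, "Using whole-file method\n");
    }

    for (;;) {
        loops = 0; /* per-lookup statistic; reads accumulates */

        if (argc) {
            /* keys from the command line; argv[] is NULL-terminated */
            key = *(argv++);
            if (!key)
                break;
        } else {
            if (!fgets(keybuf, sizeof(keybuf), stdin))
                break;
            p = strchr(keybuf, '\n');
            if (p) {
                *p = '\0';
            } else if (getc(stdin) != EOF) {
                /* More input follows, so the line did not fit in keybuf.
                 * Say so instead of silently stopping the run. */
                fprintf(stderr, "Key too long (max %lu bytes)\n",
                        (long unsigned)(sizeof(keybuf) - 1));
                _bsearch_file_close(&bfh);
                return 1;
            }
            /* else: last line without a trailing newline; use it as-is */
            if (!*key)
                continue;
        }

        ret = _bsearch_file(bfh, key, &value, &loc, &loops, &reads);
        if (ret > 0) {
            /* positive return values are errno codes */
            fprintf(stderr, "Error: %s\n", strerror(ret));
            _bsearch_file_close(&bfh);
            return 1;
        }
        if (ret < 0) {
            if (verbose_flag)
                fprintf(stderr, "Key %s not found in %lu loops and %lu reads; "
                        "insert at %lu\n", key, (long unsigned)loops,
                        (long unsigned)reads, (long unsigned)loc);
            failures++;
            continue;
        }

        if (verbose_flag)
            fprintf(stderr, "Key %s found at offset %lu in %lu loops and "
                    "%lu reads\n", key, (long unsigned)loc,
                    (long unsigned)loops, (long unsigned)reads);

        /* -K prints the key; -V suppresses the value (it used to be the
         * other way round for the value-only case, which printed the
         * value only when -V was given). */
        if (print_keys_flag && !no_values_flag && value)
            printf("%s %s\n", key, value);
        else if (print_keys_flag)
            printf("%s\n", key);
        else if (!no_values_flag && value)
            printf("%s\n", value);

        free(value);
    }

    /* always release the file handle before exiting */
    _bsearch_file_close(&bfh);
    return failures ? 2 : 0;
}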
reported by Ake Sandgren 2000-07-17 Johan Danielsson * Makefile.am: set compiler flags 2000-07-01 Assar Westerlund * imported stuff from Ake Sandgren heimdal-1.7~git20150920+dfsg/appl/dceutils/Makefile.am000066400000000000000000000011551257755311500222510ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common DFSPROGS = k5dcecon if AIX AIX_DFSPROGS = dpagaix endif libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS) dpagaix_CFLAGS = $(dpagaix_cflags) dpagaix_LDFLAGS = $(dpagaix_ldflags) dpagaix_LDADD = $(dpagaix_ldadd) dpagaix$(EXEEXT): $(dpagaix_OBJECTS) ld -edpagaix -o dpagaix$(EXEEXT) $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp LIB_dce = -ldce k5dcecon_SOURCES = k5dcecon.c k5dce.h dpagaix_SOURCES = dpagaix.c EXTRA_DIST = \ NTMakefile \ dfspag.exp \ README.dcedfs \ README.original \ testpag.c if IRIX LDADD = $(LIB_dce) else LDADD = $(LIB_roken) $(LIB_dce) endif heimdal-1.7~git20150920+dfsg/appl/dceutils/NTMakefile000066400000000000000000000027361257755311500221250ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\dceutils !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/dceutils/README.dcedfs000066400000000000000000000044031257755311500223230ustar00rootroot00000000000000This is a set of patches and files to get a DFS ticket from a k5 ticket. This code comes from Doug Engert, Argonne Nat. Lab (See dce/README.original for more info) The files in dce are; testpag: for testing if this is at all possible. k5dfspag: included in libkrb5 k5dcecon: Creates (or searches for) the actual DFSPAG ticketfile. dpagaix: An AIX syscall stub. README.original: Original README file from Doug Engert Certain applications (rshd/telnetd) have been patched to call the functions in k5dfspag when the situation is right. They are ifdef with DCE. The patches are also originally from Doug but they where against MIT krb5 code and have been merged into heimdal by me. I will try to fix ftpd soon... There is also an ifdefs for DCE && AIX that can be used to make AIX use DCE for getting group/passwd entries. This is needed if one is running with a bare bones passwd/group file and AUTHSTATE set to DCE (This will be more or less clear to people doing this...) I have forced this on for now. k5dfspag.c is in lib/krb5 k5dfspag.c is dependent on DCE only. It is also POSIX systems only. There are defines for the location of k5dcecon and dpagaix that needs a correct configure setting. 
k5dcecon needs no special things for the compile except whatever is needed on the target system to compile dce programs. (On aix the dce compile flags are: -D_THREAD_SAFE -D_AIX32_THREADS=1 -D_AIX41 -D_AES_SOURCE or one can use xlc_r4 if it is version 3.6.4 or later) k5dcecon wants the following libs (on aix 4.3): -ldce (and setenv from somewhere) dpagaix is only needed on AIX (see k5dfspag.c). dpagaix needs dfspag.exp and is linked with ld -edpagaix -o dpagaix dpagaix.o dfspag.exp Hope to get this into heimdal soon :-) although I know that you will have to change some things to get it cleanly into configure. Since I don't know the structure of the code (heimdal), nor enough of configure, good enough I just won't try it myself. One more thing, to get this to work one has to put fcache_version = x in krb5.conf where x = whatever the DCE implementation understands, (usually 1 or 2). Thanks for adding that... Åke Sandgren (ake@hpc2n.umu.se) HPC2N Umeå University Sweden PS I have now added patches for configure.in and some Makefile.am's to get this all cleanly (I hope) into heimdal. heimdal-1.7~git20150920+dfsg/appl/dceutils/README.original000066400000000000000000000324471257755311500227100ustar00rootroot00000000000000KERBEROS and DCE INTEROPERABILITY ROUTINES WHAT'S NEW When k5dcecon was examining the ticket caches looking to update one with a newer TGT, it might update the wrong one for the correct user. This problem was reported by PNNL, and is now fixed. Any Kerberized application can now use a forwarded TGT to establish a DCE context, or can use a previously established DCE context. This is both a functional improvement and a performance improvement. BACKGROUND The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a number of ways. This is possible because: o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4 or so, with additional changes. o The DCE security server can act as a K5 KDC, as defined in RFC 1510 and responds on port 88. 
o On the clients, DCE and Kerberos use the same format for the ticket cache, and then can share it. The KRB5CCNAME environment variable points at the cache. o On the clients, DCE and Kerberos use the same format for the srvtab file. DCE refers to is a /krb5/v5srvtab and Kerberos as /etc/krb5.keytab. They can be symlinked. o MIT has added many options to the krb5.conf configuration file which allows newer features of Release 1.0 to be turned off to match the earlier version of Kerberos upon which DCE is based. o DCE will accept a externally obtained Kerberos TGT in place of a password when establishing a DCE context. There are some areas where they differ, including the following: o Administration of the database and the keytab files is done by the DCE routines, rather the the Kerberos kadmin. o User password changes must be done using the DCE commands. Kpasswd does not work. (But there are mods to Kerberos to use the v5passwd with DCE. o DCE goes beyond authentication only, and provides authorization via the PAC, and the dce-ptgt tickets stored in the cache. Thus a Kerberos KDC can not act as a DCE security server. o A DCE cell and Kerberos realm can cross-realm authenticate, but there can be no intermediate realms. (There are other problems in this area as well. But directly connected realms/cells do work.) o You can't link a module with the DCE library and the Kerberos library. They have conflicting routines, static data and structures. One of the main features of DCE is the Distributed File System DFS. Access to DFS requires authentication and authorization, and when one uses a Kerberized network utility such as telnet, a forwarded Kerberos ticket can be used to establish the DCE context to allow access to DFS. NEW TO THIS RELEASE This release introduces sharing of a DCE context, and PAG, and allows any Kerberized application to establish or share the context. 
This is made possible by using an undocumented feature of DCE which is on at least the Transarc and IBM releases of DCE 1.1. I am in the process of trying to get this contributed to the general DCE 1.2.2 release as a patch, so it could be included in other vendors products. HP has expressed interest in doing this, as well as the OpenGroup if the modification is contributed. You can help by requesting Transarc and/or IBM to submit this modification to the OpenGroup and ask your vendor to adopt this modification. The feature is a modification to the setpag() system call which will allow an authorized process to set the PAG to a specific value, and thus allow unrelated processes to share the same PAG. This then allows the Kerberized daemons such as kshd, to exec a DCE module which established the DCE context. Kshd then sets the KRB5CCNAME environment variable and then issues the setpag() to use this context. This solves the linking problem. This is done via the k5dfspag.c routine. The k5dfspag.c code is compiled with the lib/krb5/os routines and included in the libkrb5. A daemon calls krb5_dfs_pag after the krb5_kuserok has determined that the Kerberos principal and local userid pair are acceptable. This should be done early so as to give the daemon access to the home directory which may be located on DFS. If the .k5login file is used by krb5_kuserok it will need to be accessed by the daemon and will need special ACL handling. The krb5_dfs_pag routine will exec the k5dcecon module to do all the real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set the PAG for the current process to the returned PAG value. It will also set the KRB5CCNAME environment as well. Under DCE the PAG value is the nnnnnnn part of the name of the cache: FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn. The k5dcecon routine will attempt to use TGT which may have been forwarded, to convert it to a DCE context. 
If there is no TGT, an attempt will be made to join an existing PAG for the local userid, and Kerberos principal. If there are existing PAGs, and a forwarded TGT, k5dcecon will check the lifetime of the forwarded TGT, and if it is less than the lifetime of the PAG, it will just join the PAG. If it is greater, it will refresh the PAG using the forwarded TGT. This approach has the advantage of not requiring many new tickets from having to be obtained, and allows one to refresh a DCE context, or use an already established context. If the system also has AFS, the AFS krb5_afs_pag should be called after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may have changed, such as if a DFS PAG has been joined. The AFS code does not have the capability to join an existing AFS PAG, but can use the same cache which might already had a afsx/@ service ticket. WHAT'S IN THIS RELEASE The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to be slipped in between telnetd or klogind and login.krb5. They would use a forwarded Kerberos ticket to establish a DCE context. They are the older programs which are included here. They work on all DCE platforms, and don't take advantage of the undocumented setpag feature. (A version of k5dcelogin is being included with DCE 1.2.2) K5dcecon is the new program which can be used to create, update or join a DCE context. k5dcecon returns KRB5CCNAME string which contains the PAG. k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel 1 and added to the libkrb5. It will exec k5dcecon and upon return set the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd, ftpd are available to use the k5dfspag. Testpag.c is a test programs to see if the PAG can be set. The cpwkey.c routine can be used to change a key in the DCE registry, by adding the key directly, or by setting the salt/pepper and password or by providing the key and the pepper. 
This could be useful when coping keys from a K4 or AFS database to DCE. It can also be used when setting a DCE to K5 cross-cell key. This program is a test program For mass inserts, it should be rewritten to read from stdin. K5dcelogin can also be called directly, much like dce_login. I use the following commands in effect do the same thing as dce_login and get a forwardable ticket, DCE context and an AFS token: #!/bin/csh # simulate a dce_login using krb5 kinit and k5dcelogin # setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$ /krb5/bin/kinit -f exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh #exec /krb5/sbin/k5dcelogin /bin/csh This could be useful in a mixed cell where "AS_REQ" messages are handled by a K5 KDC, but DCE RPCs are handled by the DCE security server. TESTING THE SETPAG The krb5_dfs_pag routine relies on an undocumented feature which is in the AIX and Transarc Solaris ports of DCE and has been recently added to the SGI version. To test if this feature is present on some other DFS implementation use the testpag routine. The testpag routine attempts to set a PAG value to one you supply. It uses the afs_syscall with the afs_setpag, and passes the supplied PAG value as the next parameter. On an unmodifed system, this will be ignored, and a new will be set. You should also check that if run as a user, you cannot join a PAG owned by another user. When run as root, any PAG should be usable. On a machine with DFS running, do a dce_login to get a DCE context and PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It should look like an 8 char hex value, which may be 41ffxxxx on some systems. Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where nnnnnnnn is the PAG obtained for the above name. It should look like this example on an AIX 4.1.4 system: pembroke# ./testpag -n 63dc9997 calling k5dcepag newpag=63dc9997 PAG returned = 63dc9997 You will be running under a new shell with the PAG and KRB5CCNAME set. 
If the PAG returned is the same as the newpag, then it worked. You can further verify this by doing a DCE klist, cd to DFS and a DCE klist again. The klist should show some tickets for DFS servers. If the PAG returned is not the same, and repeated attempts show a returned PAG decremented by 1 from the previous returned PAG, then this system does not have the modification For example: # ./testpag -n 41fffff9 calling k5dcepag newpag=41fffff9 PAG returned = 41fffff8 # ./testpag -n 41fffff9 calling k5dcepag newpag=41fffff9 PAG returned = 41fffff7 In this case the syscall is ignoring the newpag parameter. Running it with -n 0 should get the next PAG value with or without this modification. If the DFS kernel extensions are not installed, you would get something like this: caliban.ctd.anl.gov% ./testpag -n 012345678 calling k5dcepag newpag=012345678 Setpag failed with a system error PAG returned = ffffffff Not a good pag value If you DFS implementation does not have this modification, you could attempt to install it yourself. But this requires source and requires modifications to the kernel extensions. At the end of this note is an untested sample using the DCE 1.2.2 source code. You can also contact your system vendor and ask for this modification. UNICOS has a similar function setppag(newpag) which can be used to set the PAG of the parent. Contact me if you are interested. HOW TO INSTALL Examine the k5dfspag.c file to make sure the DFS syscalls are correct for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h on Solaris for example. You should build the testpag routine and make sure it works before adding all the other mods. If it fails you can still use the klogind and telnetd with the k5prelogin and k5dcelogin code. If you intend to install with a prefix other than /krb5, change: DPAGAIX and K5DCECON in k5dfspag.c; the three references in k5prelogin.c; and the DESTDIR in the Makefile. 
Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE related changes and the calls to krb5_dfs_pag. Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory. Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration. Configure and Build the Kerberos v5. Modify the k5dce Makefile for your system. Build the k5dcecon and related programs. Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX. The makefile can also build k5dcelogin and k5prelogin. The install can install k5dcelogin, k5prelogin and update the links for login.krb5 -> k5prelogin and moving login.krb5 to login.k5. If you will be using the k5dcecon/k5dfspag with the Kerberos mods, you don't need k5prelogin, or the links changed, and may not need k5dcelogin. Note that Transarc has obfuscated the entries to the lib, and the 1.0.3a is different from the 1.1. You may need to build two versions of the k5dcelogin and/or k5dcecon one for each. AIX ONLY The dpagaix routine is needed for AIX because of the way they do the syscalls. The following fix.aix.libdce.mk is not needed if dce 2.1.0.21 has been installed. This PTF exposed the needed entrypoints. The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required external entry points to the libdce.a. These are needed by k5dcecon and k5dcelogin. A bug report was submitted to IBM on this, and it was rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not be needed with 1.2.2 Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the makefile to its own directory. It will create a new libdce.a which you need to copy back to /usr/lib/libdce.a You will need to reboot the machine. See the /usr/lpp/dce/examples/inst/README.AIX for a similar procedure. IBM was not responsive in a request to have these added. 
UNTESTED KERNEL EXTENSION FOR SETPAG *** src/file/osi/,osi_pag.c Wed Oct 2 13:03:05 1996 --- src/file/osi/osi_pag.c Mon Jul 28 13:53:13 1997 *************** *** 293,298 **** --- 293,302 ---- int code; osi_MakePreemptionRight(); + /* allow sharing of a PAG by non child processes DEE- 6/6/97 */ + if (unused && osi_GetUID(osi_getucred()) == 0) { + newpag = unused; + } else { osi_mutex_enter(&osi_pagLock); now = osi_Time(); soonest = osi_firstPagTime + *************** *** 309,314 **** --- 313,319 ---- } osi_mutex_exit(&osi_pagLock); newpag = osi_genpag(); + } osi_pcred_lock(p); credp = crcopy(osi_getucred()); code = osi_SetPagInCred(credp, newpag); Created 07/08/96 Modified 09/30/96 Modified 11/19/96 Modified 12/19/96 Modified 06/20/97 Modified 07/28/97 Modified 02/18/98 Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 heimdal-1.7~git20150920+dfsg/appl/dceutils/dfspag.exp000066400000000000000000000001051257755311500221710ustar00rootroot00000000000000#!/unix * kernel extentions used to get the pag kafs_syscall syscall heimdal-1.7~git20150920+dfsg/appl/dceutils/dpagaix.c000066400000000000000000000010041257755311500217670ustar00rootroot00000000000000/* * dpagaix.c * On AIX we need to get the kernel extentions * with the DFS kafs_syscall in it. * We might be running on a system * where DFS is not active. * So we use this dummy routine which * might not load to do the dirty work * * DCE does this with the /usr/lib/drivers/dfsloadobj * */ int dpagaix(parm1, parm2, parm3, parm4, parm5, parm6) int parm1; int parm2; int parm3; int parm4; int parm5; int parm6; { return(kafs_syscall(parm1, parm2, parm3, parm4, parm5, parm6)); } heimdal-1.7~git20150920+dfsg/appl/dceutils/k5dce.h000066400000000000000000000136731257755311500213710ustar00rootroot00000000000000/* dummy K5 routines which are needed to get this to * compile without having access ti the DCE versions * of the header files. 
* Thiis is very crude, and OSF needs to expose the K5 * API. */ #ifdef sun /* Transarc obfuscates these routines */ #ifdef DCE_1_1 #define krb5_init_ets _dce_PkjKqOaklP #define krb5_copy_creds _dce_LuFxPiITzD #define krb5_unparse_name _dce_LWHtAuNgRV #define krb5_get_default_realm _dce_vDruhprWGh #define krb5_build_principal _dce_qwAalSzTtF #define krb5_build_principal_ext _dce_vhafIQlejW #define krb5_build_principal_va _dce_alsqToMmuJ #define krb5_cc_default _dce_KZRshhTXhE #define krb5_cc_default_name _dce_bzJVAjHXVQ #define sec_login_krb5_add_cred _dce_ePDtOJTZvU #else /* DCE 1.0.3a */ #define krb5_init_ets _dce_BmLRpOVsBo #define krb5_copy_creds _dce_VGwSEBNwaf #define krb5_unparse_name _dce_PgAOkJoMXA #define krb5_get_default_realm _dce_plVOzStKyK #define krb5_build_principal _dce_uAKSsluIFy #define krb5_build_principal_ext _dce_tRMpPiRada #define krb5_build_principal_va _dce_SxnLejZemH #define krb5_cc_default _dce_SeKosWFnsv #define krb5_cc_default_name _dce_qJeaphJWVc #define sec_login_krb5_add_cred _dce_uHwRasumsN #endif #endif /* Define the bare minimum k5 structures which are needed * by this program. Since the krb5 includes are not supplied * with DCE, these were based on the MIT Kerberos 5 beta 3 * which should match the DCE as of 1.0.3 at least. * The tricky one is the krb5_creds, since one is allocated * by this program, and it needs access to the client principal * in it. * Note that there are no function prototypes, so there is no * compile time checking. 
* DEE 07/11/95 */ #define NPROTOTYPE(x) () typedef int krb5_int32; /* assuming all DCE systems are 32 bit */ typedef short krb5short; /* assuming short is 16 bit */ typedef krb5_int32 krb5_error_code; typedef unsigned char krb5_octet; typedef krb5_octet krb5_boolean; typedef krb5short krb5_keytype; /* in k5.2 it's a short */ typedef krb5_int32 krb5_flags; typedef krb5_int32 krb5_timestamp; /* is a time_t in krb5.h */ typedef char * krb5_pointer; /* pointer to unexposed data */ typedef struct _krb5_ccache { struct _krb5_cc_ops *ops; krb5_pointer data; } *krb5_ccache; typedef struct _krb5_cc_ops { char *prefix; char *(*get_name) NPROTOTYPE((krb5_ccache)); krb5_error_code (*resolve) NPROTOTYPE((krb5_ccache *, char *)); krb5_error_code (*gen_new) NPROTOTYPE((krb5_ccache *)); krb5_error_code (*init) NPROTOTYPE((krb5_ccache, krb5_principal)); krb5_error_code (*destroy) NPROTOTYPE((krb5_ccache)); krb5_error_code (*close) NPROTOTYPE((krb5_ccache)); krb5_error_code (*store) NPROTOTYPE((krb5_ccache, krb5_creds *)); krb5_error_code (*retrieve) NPROTOTYPE((krb5_ccache, krb5_flags, krb5_creds *, krb5_creds *)); krb5_error_code (*get_princ) NPROTOTYPE((krb5_ccache, krb5_principal *)); krb5_error_code (*get_first) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *)); krb5_error_code (*get_next) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *, krb5_creds *)); krb5_error_code (*end_get) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *)); krb5_error_code (*remove_cred) NPROTOTYPE((krb5_ccache, krb5_flags, krb5_creds *)); krb5_error_code (*set_flags) NPROTOTYPE((krb5_ccache, krb5_flags)); } krb5_cc_ops; typedef struct _krb5_keyblock { krb5_keytype keytype; int length; krb5_octet *contents; } krb5_keyblock; typedef struct _krb5_ticket_times { krb5_timestamp authtime; krb5_timestamp starttime; krb5_timestamp endtime; krb5_timestamp renew_till; } krb5_ticket_times; typedef krb5_pointer krb5_cc_cursor; typedef struct _krb5_data { int length; char *data; } krb5_data; typedef struct _krb5_authdata { int 
ad_type; int length; krb5_octet *contents; } krb5_authdata; typedef struct _krb5_creds { krb5_pointer client; krb5_pointer server; krb5_keyblock keyblock; krb5_ticket_times times; krb5_boolean is_skey; krb5_flags ticket_flags; krb5_pointer **addresses; krb5_data ticket; krb5_data second_ticket; krb5_pointer **authdata; } krb5_creds; typedef krb5_pointer krb5_principal; #define KRB5_CC_END 336760974 #define KRB5_TC_OPENCLOSE 0x00000001 /* Ticket flags */ /* flags are 32 bits; each host is responsible to put the 4 bytes representing these bits into net order before transmission */ /* #define TKT_FLG_RESERVED 0x80000000 */ #define TKT_FLG_FORWARDABLE 0x40000000 #define TKT_FLG_FORWARDED 0x20000000 #define TKT_FLG_PROXIABLE 0x10000000 #define TKT_FLG_PROXY 0x08000000 #define TKT_FLG_MAY_POSTDATE 0x04000000 #define TKT_FLG_POSTDATED 0x02000000 #define TKT_FLG_INVALID 0x01000000 #define TKT_FLG_RENEWABLE 0x00800000 #define TKT_FLG_INITIAL 0x00400000 #define TKT_FLG_PRE_AUTH 0x00200000 #define TKT_FLG_HW_AUTH 0x00100000 #ifdef PK_INIT #define TKT_FLG_PUBKEY_PREAUTH 0x00080000 #define TKT_FLG_DIGSIGN_PREAUTH 0x00040000 #define TKT_FLG_PRIVKEY_PREAUTH 0x00020000 #endif #define krb5_cc_get_principal(cache, principal) (*(cache)->ops->get_princ)(cache, principal) #define krb5_cc_set_flags(cache, flags) (*(cache)->ops->set_flags)(cache, flags) #define krb5_cc_get_name(cache) (*(cache)->ops->get_name)(cache) #define krb5_cc_start_seq_get(cache, cursor) (*(cache)->ops->get_first)(cache, cursor) #define krb5_cc_next_cred(cache, cursor, creds) (*(cache)->ops->get_next)(cache, cursor, creds) #define krb5_cc_destroy(cache) (*(cache)->ops->destroy)(cache) #define krb5_cc_end_seq_get(cache, cursor) (*(cache)->ops->end_get)(cache, cursor) /* end of k5 dummy typedefs */ heimdal-1.7~git20150920+dfsg/appl/dceutils/k5dcecon.c000066400000000000000000000462521257755311500220630ustar00rootroot00000000000000/* * (c) Copyright 1995 HEWLETT-PACKARD COMPANY * * To anyone who acknowledges that this 
file is provided * "AS IS" without any express or implied warranty: * permission to use, copy, modify, and distribute this * file for any purpose is hereby granted without fee, * provided that the above copyright notice and this * notice appears in all copies, and that the name of * Hewlett-Packard Company not be used in advertising or * publicity pertaining to distribution of the software * without specific, written prior permission. Hewlett- * Packard Company makes no representations about the * suitability of this software for any purpose. * */ /* * k5dcecon - Program to convert a K5 TGT to a DCE context, * for use with DFS and its PAG. * * The program is designed to be called as a sub process, * and return via stdout the name of the cache which implies * the PAG which should be used. This program itself does not * use the cache or PAG itself, so the PAG in the kernel for * this program may not be set. * * The calling program can then use the name of the cache * to set the KRB5CCNAME and PAG for itself and its children. * * If no ticket was passed, an attemplt to join an existing * PAG will be made. * * If a forwarded K5 TGT is passed in, either a new DCE * context will be created, or an existing one will be updated. * If the same ticket was already used to create an existing * context, it will be joined instead. * * Parts of this program are based on k5dceauth,c which was * given to me by HP and by the k5dcelogin.c which I developed. * A slightly different version of k5dcelogin.c, was added to * DCE 1.2.2 * * D. E. 
Engert 6/17/97 ANL */ #include #include #include #include #include #include #include #include #include #include #include #include "k5dce.h" #include #include #include /* #define DEBUG */ #if defined(DEBUG) #define DEEDEBUG(A) fprintf(stderr,A); fflush(stderr) #define DEEDEBUG2(A,B) fprintf(stderr,A,B); fflush(stderr) #else #define DEEDEBUG(A) #define DEEDEBUG2(A,B) #endif #ifdef __hpux #define seteuid(A) setresuid(-1,A,-1) #endif int k5dcecreate (uid_t, char *, char*, krb5_creds **); int k5dcecon (uid_t, char *, char *); int k5dcegettgt (krb5_ccache *, char *, char *, krb5_creds **); int k5dcematch (uid_t, char *, char *, off_t *, krb5_creds **); int k5dcesession (uid_t, char *, krb5_creds **, int *,krb5_flags); char *progname = "k5dcecon"; static time_t now; #ifdef notdef #ifdef _AIX /*---------------------------------------------*/ /* AIX with DCE 1.1 does not have the com_err in the libdce.a * do a half hearted job of substituting for it. */ void com_err(char *p1, int code, ...) { int lst; dce_error_string_t err_string; dce_error_inq_text(code, err_string, &lst); fprintf(stderr,"Error %d in %s: %s\n", code, p1, err_string ); } /*---------------------------------------------*/ void krb5_init_ets() { } #endif #endif /*------------------------------------------------*/ /* find a cache to use for our new pag */ /* Since there is no simple way to determine which * caches are associated with a pag, we will have * do look around and see what makes most sense on * different systems. * on a Solaris system, and in the DCE source, * the pags always start with a 41. * this is not true on the IBM, where there does not * appear to be any pattern. * * But since we are always certifing our creds when * they are received, we can us that fact, and look * at the first word of the associated data file * to see that it has a "5". If not don't use. 
*/

/*
 * k5dcesession - pick the DCE credential cache to reuse for this user.
 *
 * Scans /opt/dcelocal/var/security/creds/ for entries named
 * "dcecred_" followed by 8 characters (16 characters in total), asks
 * k5dcematch() whether each one belongs to `luid` / `pname`, and keeps the
 * best candidate: the one whose TGT has the latest end time (the comment in
 * the loop describes a size tie-break, see the note there).  A cache is only
 * considered when its TGT carries every flag in `tflags`.
 *
 * luid    local uid the cache files must be owned by (checked in k5dcematch)
 * pname   Kerberos principal the cache must hold a TGT for
 * tgt     out: the selected TGT (the krb5_copy_creds() copy made by
 *         k5dcegettgt); copies for rejected or superseded candidates are
 *         never freed here
 * ppag    out, may be NULL: the PAG parsed from the chosen cache name
 * tflags  ticket flags the candidate TGT must have set
 *
 * Returns 0 and points KRB5CCNAME at the chosen cache, or 1 when the
 * directory cannot be opened or no usable cache was found.
 */
int k5dcesession(luid, pname, tgt, ppag, tflags)
uid_t luid;
char *pname;
krb5_creds **tgt;
int *ppag;
krb5_flags tflags;
{
    DIR *dirp;
    struct dirent *direntp;
    off_t size;
    krb5_timestamp endtime;            /* unused */
    int better = 0;
    krb5_creds *xtgt;
    char prev_name[17] = "";
    krb5_timestamp prev_endtime;
    off_t prev_size;
    u_long prev_pag = 0;
    /* 38-character prefix; the 16-character d_name is copied at offset 38 */
    char ccname[64] = "FILE:/opt/dcelocal/var/security/creds/";
    error_status_t st;                 /* unused */
    sec_login_handle_t lcontext = 0;   /* unused */
    dce_error_string_t err_string;     /* unused */
    int lst;                           /* unused */

    DEEDEBUG2("k5dcesession looking for flags %8.8x\n",tflags);

    dirp = opendir("/opt/dcelocal/var/security/creds/");
    if (dirp == NULL) {
        return 1;
    }

    while ( (direntp = readdir( dirp )) != NULL ) {
        /*
         * (but root has the ffffffff which we are not interested in)
         */
        if (!strncmp(direntp->d_name,"dcecred_",8)
            && (strlen(direntp->d_name) == 16)) {

            /* looks like a cache name, lets do the stat, etc */
            /* the length check above keeps this inside ccname (38 + 16 + NUL) */
            strcpy(ccname+38,direntp->d_name);

            if (!k5dcematch(luid, pname, ccname, &size, &xtgt)) {
                /* it's one of our caches, see if it is better
                 * i.e. the endtime is farther, and if the endtimes
                 * are the same, take the larger, as he who has the
                 * most tickets wins.
                 * it must also had the same set of flags at least
                 * i.e. if the forwarded TGT is forwardable, this one must
                 * be as well.
                 */
                DEEDEBUG2("Cache:%s",direntp->d_name);
                DEEDEBUG2(" size:%d",size);
                DEEDEBUG2(" flags:%8.8x",xtgt->ticket_flags);
                /* NOTE(review): casts a krb5_timestamp* to time_t*; this is
                 * only sound where the two types have the same size. */
                DEEDEBUG2(" %s",ctime((time_t *)&xtgt->times.endtime));

                if ((xtgt->ticket_flags & tflags) == tflags ) {
                    if (prev_name[0]) {
                        if (xtgt->times.endtime > prev_endtime) {
                            better = 1;
                        }
                        /* NOTE(review): this is an assignment, not a
                         * comparison.  It overwrites xtgt->times.endtime
                         * with prev_endtime and is true whenever prev_endtime
                         * is non-zero, so the "same endtime, bigger file wins"
                         * rule described above is not what runs; `==` looks
                         * intended. */
                        else if ((xtgt->times.endtime = prev_endtime)
                                 && (size > prev_size)){
                            better = 1;
                        }
                    } else { /* the first */
                        /* `now` is filled in by main() before this is called */
                        if (xtgt->times.endtime >= now) {
                            better = 1;
                        }
                    }
                    if (better) {
                        strcpy(prev_name, direntp->d_name);
                        prev_endtime = xtgt->times.endtime;
                        prev_size = size;
                        /* the 8 hex digits after "dcecred_" are the PAG.
                         * NOTE(review): %8X stores an unsigned int, but
                         * prev_pag is declared u_long. */
                        sscanf(prev_name+8,"%8X",&prev_pag);
                        *tgt = xtgt;
                        better = 0;
                    }
                }
            }
        }
    }
    (void)closedir( dirp );

    if (!prev_name[0])
        return 1;   /* failed to find one */

    DEEDEBUG2("Best: %s\n",prev_name);
    if (ppag)
        *ppag = prev_pag;
    strcpy(ccname+38,prev_name);
    setenv("KRB5CCNAME",ccname,1);
    return(0);
}

/*----------------------------------------------*/
/* see if this cache is for this this principal */
/*
 * k5dcematch - decide whether the cache `ccname` belongs to uid `luid` and
 * holds a TGT for `pname`.
 *
 * For a "FILE:" cache it first inspects the companion "<path>.data" file:
 * it must be owned by luid and its first 4 bytes, read as an int, must be
 * 5 (the marker described in the comment above k5dcesession).  The cache
 * file itself must be owned by luid too; its size is returned through
 * sizep.  A name without the "FILE:" prefix skips all of these checks and
 * leaves *sizep untouched.  Finally k5dcegettgt() looks for the TGT.
 *
 * Returns 0 when everything matched (*tgt set), non-zero otherwise.
 */
int k5dcematch(luid, pname, ccname, sizep, tgt)
uid_t luid;
char *pname;
char *ccname;
off_t *sizep;   /* size of the file */
krb5_creds **tgt;
{
    krb5_ccache cache;   /* handed to k5dcegettgt; never closed here */
    struct stat stbuf;
    char ccdata[256];
    int fd;
    int status;

    /* DEEDEBUG2("k5dcematch called: cache=%s\n",ccname+38); */

    if (!strncmp(ccname,"FILE:",5)) {
        strcpy(ccdata,ccname+5);
        strcat(ccdata,".data");
        /* DEEDEBUG2("Checking the .data file for %s\n",ccdata); */

        /* ownership is checked with stat() on the path and the file is then
         * opened separately.  NOTE(review): fd is only closed on the short
         * read path; the status != 5 return and the success path leak it. */
        if (stat(ccdata, &stbuf))
            return(1);
        if (stbuf.st_uid != luid)
            return(1);
        if ((fd = open(ccdata,O_RDONLY)) == -1)
            return(1);
        if ((read(fd,&status,4)) != 4) {
            close(fd);
            return(1);
        }
        /* DEEDEBUG2(".data file status = %d\n", status); */
        if (status != 5)
            return(1);

        if (stat(ccname+5, &stbuf))
            return(1);
        if (stbuf.st_uid != luid)
            return(1);
        *sizep = stbuf.st_size;
    }
    return(k5dcegettgt(&cache, ccname, pname, tgt));
}

/*----------------------------------------*/
/* k5dcegettgt - get the tgt from a cache */
/*
 * Opens the cache named by `ccname` (by pointing KRB5CCNAME at it and
 * calling krb5_cc_default), checks that its default principal unparses to
 * exactly `pname`, then walks the cache looking for a credential whose
 * server name starts with "krbtgt/<realm>@<realm>", <realm> being the part
 * of pname after '@'.  The first match is copied into *tgt.
 *
 * pcache  out: the opened cache
 * ccname  cache name, e.g. "FILE:/opt/dcelocal/var/security/creds/dcecred_..."
 * pname   expected principal; must contain '@' (not checked, see below)
 * tgt     out: krb5_copy_creds() copy of the TGT, or NULL
 *
 * Returns 0 when the TGT was found, 1 otherwise (`found` has the inverted
 * sense).  The return1 path sets KRB5_TC_OPENCLOSE so the cache file is
 * closed; the return2 path leaves the cache as it is.  princ, kusername
 * and sname are not freed (see the comment in the body).
 */
int k5dcegettgt(pcache, ccname, pname, tgt)
krb5_ccache *pcache;
char *ccname;
char *pname;
krb5_creds **tgt;
{
    krb5_ccache cache;   /* set to NULL below and otherwise unused */
    krb5_cc_cursor cur;
    krb5_creds creds;
    int code;
    int found = 1;       /* 1 = not found; this is the return value */
    krb5_principal princ;
    char *kusername;
    krb5_flags flags;
    char *sname, *realm, *tgtname = NULL;

    /* Since DCE does not expose much of the Kerberos interface,
     * we will have to use what we can. This means setting the
     * KRB5CCNAME for each file we want to test
     * We will also not worry about freeing extra cache structures
     * as this this routine is also not exposed, and this should not
     * effect this module.
     * We should also free the creds contents, but that is not exposed
     * either.
     */
    setenv("KRB5CCNAME",ccname,1);
    cache = NULL;
    *tgt = NULL;

    if (code = krb5_cc_default(pcache)) {
        com_err(progname, code, "while getting ccache");
        goto return2;
    }
    DEEDEBUG("Got cache\n");

    flags = 0;
    if (code = krb5_cc_set_flags(*pcache, flags)) {
        com_err(progname, code,"While setting flags");
        goto return2;
    }
    DEEDEBUG("Set flags\n");

    if (code = krb5_cc_get_principal(*pcache, &princ)) {
        com_err(progname, code, "While getting princ");
        goto return1;
    }
    DEEDEBUG("Got principal\n");

    if (code = krb5_unparse_name(princ, &kusername)) {
        com_err(progname, code, "While unparsing principal");
        goto return1;
    }
    DEEDEBUG2("Unparsed to \"%s\"\n", kusername);
    DEEDEBUG2("pname is \"%s\"\n", pname);

    /* exact string comparison: the cache must belong to this very principal */
    if (strcmp(kusername, pname)) {
        DEEDEBUG("Principals not equal\n");
        goto return1;
    }
    DEEDEBUG("Principals equal\n");

    /* NOTE(review): strchr returns NULL when pname has no '@'; the
     * increment then yields an invalid pointer that is used below. */
    realm = strchr(pname,'@');
    realm++;

    /* "krbtgt/" (7) + realm + "@" (1) + realm + NUL (1) = 9 + 2*strlen(realm) */
    if ((tgtname = malloc(9 + 2 * strlen(realm))) == 0) {
        fprintf(stderr,"Malloc failed for tgtname\n");
        goto return1;
    }
    strcpy(tgtname,"krbtgt/");
    strcat(tgtname,realm);
    strcat(tgtname,"@");
    strcat(tgtname,realm);
    DEEDEBUG2("Getting tgt %s\n", tgtname);

    if (code = krb5_cc_start_seq_get(*pcache, &cur)) {
        com_err(progname, code, "while starting to retrieve tickets");
        goto return1;
    }

    while (!(code = krb5_cc_next_cred(*pcache, &cur, &creds))) {
        krb5_creds *cred = &creds;

        if (code = krb5_unparse_name(cred->server, &sname)) {
            com_err(progname, code, "while unparsing server name");
            continue;
        }
        /* prefix match only */
        if (strncmp(sname, tgtname, strlen(tgtname)) == 0) {
            DEEDEBUG("FOUND\n");
            if (code = krb5_copy_creds(&creds, tgt)) {
                com_err(progname, code, "while copying TGT");
                goto return1;
            }
            found = 0;
            break;
        }
        /* we should do a krb5_free_cred_contents(creds); */
    }

    if (code = krb5_cc_end_seq_get(*pcache, &cur)) {
        com_err(progname, code, "while finishing retrieval");
        goto return2;
    }

return1:
    flags = KRB5_TC_OPENCLOSE;
    krb5_cc_set_flags(*pcache, flags);   /* force a close */
return2:
    if (tgtname)
        free(tgtname);
    return(found);
}

/*------------------------------------------*/
/* Convert a forwarded TGT to a DCE context */
/*
 * k5dcecon - turn the forwarded Kerberos 5 TGT in $KRB5CCNAME into a DCE
 * login context for local user `luser` (uid `luid`) / principal `pname`.
 *
 * Flow: fetch the TGT from the forwarded cache; if it is not forwardable
 * give up quietly (return 0).  Otherwise look for an existing session cache
 * (k5dcesession) whose TGT carries the forwarded TGT's TKT_ACCEPTABLE flags.
 * If one exists and its TGT expires later, keep it; if the forwarded TGT
 * lasts longer, replace the session's TGT (k5dceupdate).  With no existing
 * session, create a new DCE context (k5dcecreate) and then destroy the
 * forwarded cache.
 *
 * Returns 0 on success or when there is nothing to do, 1 when there is no
 * cache or no TGT in it, otherwise the k5dceupdate / k5dcecreate status.
 */
int k5dcecon(luid, luser, pname)
uid_t luid;
char *luser;
char *pname;
{
    krb5_creds *ftgt = NULL;            /* TGT from the forwarded cache */
    krb5_creds *tgt = NULL;             /* TGT from an existing session cache */
    unsigned32 dfspag;                  /* unused */
    boolean32 reset_passwd = 0;         /* unused */
    int lst;                            /* unused */
    dce_error_string_t err_string;      /* unused */
    char *shell_prog;                   /* unused */
    krb5_ccache fcache;
    char *ccname;
    char *kusername;                    /* unused */
    char *urealm;                       /* unused */
    char *cp;                           /* unused */
    int pag;
    int code;
    krb5_timestamp endtime;             /* unused */

    /* If there is no cache to be converted, we should not be here */
    if ((ccname = getenv("KRB5CCNAME")) == NULL) {
        DEEDEBUG("No KRB5CCNAME\n");
        return(1);
    }

    if (k5dcegettgt(&fcache, ccname, pname, &ftgt)) {
        fprintf(stderr, "%s: Did not find TGT\n", progname);
        return(1);
    }

    DEEDEBUG2("flags=%x\n",ftgt->ticket_flags);
    if (!(ftgt->ticket_flags & TKT_FLG_FORWARDABLE)){
        fprintf(stderr,"Ticket not forwardable\n");
        return(0);   /* but OK to continue */
    }

    /* KRB5CCNAME still names the forwarded cache at this point (k5dcegettgt
     * set it); blank it so the lookups below cannot pick it up */
    setenv("KRB5CCNAME","",1);

/* the flags an existing session TGT must share with the forwarded one */
#define TKT_ACCEPTABLE (TKT_FLG_FORWARDABLE | TKT_FLG_PROXIABLE \
    | TKT_FLG_MAY_POSTDATE | TKT_FLG_RENEWABLE | TKT_FLG_HW_AUTH \
    | TKT_FLG_PRE_AUTH)

    if (!k5dcesession(luid, pname, &tgt, &pag,
                      (ftgt->ticket_flags & TKT_ACCEPTABLE))) {
        if (ftgt->times.endtime > tgt->times.endtime) {
            DEEDEBUG("Updating existing cache\n");
            /* k5dcesession left KRB5CCNAME pointing at the session cache.
             * The forwarded cache (fcache) is not destroyed on this path. */
            return(k5dceupdate(&ftgt, pag));
        } else {
            DEEDEBUG("Using existing cache\n");
            return(0);   /* use the original one */
        }
    }

    /* see if the tgts match up */
    if ((code = k5dcecreate(luid, luser, pname, &ftgt))) {
        return (code);
    }

    /*
     * Destroy the Kerberos5 cred cache file.
     * but dont care aout the return code.
     */
    DEEDEBUG("Destroying the old cache\n");
    if ((code = krb5_cc_destroy(fcache))) {
        com_err(progname, code, "while destroying Kerberos5 ccache");
    }
    return (0);
}

/*--------------------------------------------------*/
/* k5dceupdate - update the cache with a new TGT */
/* Assumed that the KRB5CCNAME has been set */
/*
 * Re-initialises the cache named by KRB5CCNAME for (*krbtgt)->client, stores
 * *krbtgt into it and tells DCE about the new TGT expiry for PAG `pag` via
 * sec_login_pag_new_tgt().  The cache is written through its ops table
 * (init/store) rather than the public krb5_cc_* calls, and is not closed
 * afterwards.
 *
 * Returns 0 on success, 2 when the cache cannot be opened or stored to,
 * 3 when it cannot be reinitialised.
 */
int k5dceupdate(krbtgt, pag)
krb5_creds **krbtgt;
int pag;
{
    krb5_ccache ccache;
    int code;

    if (code = krb5_cc_default(&ccache)) {
        com_err(progname, code, "while opening cache for update");
        return(2);
    }

    /* wipes the cache and sets its principal */
    if (code = ccache->ops->init(ccache,(*krbtgt)->client)) {
        com_err(progname, code, "while reinitilizing cache");
        return(3);
    }

    /* krb5_cc_store_cred */
    if (code = ccache->ops->store(ccache, *krbtgt)) {
        com_err(progname, code, "while updating cache");
        return(2);
    }

    sec_login_pag_new_tgt(pag, (*krbtgt)->times.endtime);
    return(0);
}

/*--------------------------------------------------*/
/* k5dcecreate - create a new DCE context */
/*
 * Builds a DCE login context from the Kerberos TGT *krbtgt for principal
 * `pname` and installs it as the process's network context, which is what
 * makes DCE create the credential files.
 *
 * Steps: when running as root, switch euid to `luid` so the cred files are
 * created as the local user; split pname at '@' into name and realm (done
 * in place, so the caller's string is truncated at the '@'); form the DCE
 * user name ("name" in the default realm, "/.../realm/name" otherwise);
 * sec_login_setup_identity, add the TGT with sec_login_krb5_add_cred,
 * validate and certify the identity, then sec_login_set_context.  Both
 * exits switch euid back to 0 when we started as root.  username and
 * defrealm are not freed.
 *
 * luid    local uid to create the files as
 * luser   local user name; unused here
 * pname   "name@REALM", modified in place
 * krbtgt  the TGT to hand to DCE
 *
 * Returns 0 on success, 2 on any failure (the abort path).
 */
int k5dcecreate(luid, luser, pname, krbtgt)
uid_t luid;
char *luser;
char *pname;
krb5_creds **krbtgt;
{
    char *cp;
    char *urealm;
    char *username;
    char *defrealm;
    uid_t uid;
    error_status_t st;
    sec_login_handle_t lcontext = 0;
    sec_login_auth_src_t auth_src = 0;
    boolean32 reset_passwd = 0;
    int lst;
    dce_error_string_t err_string;

    setenv("KRB5CCNAME","",1);   /* make sure it not misused */

    uid = getuid();
    DEEDEBUG2("uid=%d\n",uid);

    /* if run as root, change to user, so as to have the
     * cache created for the local user even if cross-cell
     * If run as a user, let standard file protection work.
     */
    if (uid == 0) {
        if (seteuid(luid) < 0)
            goto abort;
    }

    /* NOTE(review): no NULL check; a pname without '@' crashes here.
     * After the increment cp points at the realm, so the "basename"
     * debug line actually prints the realm. */
    cp = strchr(pname,'@');
    *cp = '\0';
    urealm = ++cp;
    DEEDEBUG2("basename=%s\n",cp);
    DEEDEBUG2("realm=%s\n",urealm);

    /* now build the username as a single string or a /.../cell/user
     * if this is a cross cell
     */
    /* "/.../" (5) + urealm + "/" (1) + pname + NUL (1) = 7 + the two lengths */
    if ((username = malloc(7+strlen(pname)+strlen(urealm))) == 0) {
        fprintf(stderr,"Malloc failed for username\n");
        goto abort;
    }

    if (krb5_get_default_realm(&defrealm)) {
        DEEDEBUG("krb5_get_default_realm failed\n");
        goto abort;
    }

    if (!strcmp(urealm,defrealm)) {
        strcpy(username,pname);
    } else {
        strcpy(username,"/.../");
        strcat(username,urealm);
        strcat(username,"/");
        strcat(username,pname);
    }

    /*
     * Setup a DCE login context
     */
    if (sec_login_setup_identity((unsigned_char_p_t)username,
                                 (sec_login_external_tgt|sec_login_proxy_cred),
                                 &lcontext, &st)) {
        /*
         * Add our TGT.
         */
        DEEDEBUG("Adding our new TGT\n");
        sec_login_krb5_add_cred(lcontext, *krbtgt, &st);
        if (st) {
            dce_error_inq_text(st, err_string, &lst);
            fprintf(stderr,
                    "Error while adding credentials for %s because %s\n",
                    username, err_string);
            goto abort;
        }

        DEEDEBUG("validating and certifying\n");
        /*
         * Now "validate" and certify the identity,
         * usually we would pass a password here, but...
         * sec_login_valid_and_cert_ident
         * sec_login_validate_identity
         */
        if (sec_login_validate_identity(lcontext, 0, &reset_passwd,
                                        &auth_src, &st)) {
            DEEDEBUG2("validate_identity st=%d\n",st);
            if (st) {
                dce_error_inq_text(st, err_string, &lst);
                fprintf(stderr,
                        "Validation error for %s because %s\n",
                        username, err_string);
                goto abort;
            }

            /* a certification failure is reported but is not fatal */
            if (!sec_login_certify_identity(lcontext,&st)) {
                dce_error_inq_text(st, err_string, &lst);
                fprintf(stderr,
                        "Credentials not certified because %s\n",err_string);
            }

            if (reset_passwd) {
                fprintf(stderr,
                        "Password must be changed for %s\n", username);
            }

            if (auth_src == sec_login_auth_src_local) {
                fprintf(stderr,
                        "Credentials obtained from local registry for %s\n",
                        username);
            }

            if (auth_src == sec_login_auth_src_overridden) {
                fprintf(stderr,
                        "Validated %s from local override entry, no network credentials obtained\n",
                        username);
                goto abort;
            }

            /*
             * Actually create the cred files.
             */
            DEEDEBUG("Ceating new cred files.\n");
            sec_login_set_context(lcontext, &st);
            if (st) {
                dce_error_inq_text(st, err_string, &lst);
                fprintf(stderr,
                        "Unable to set context for %s because %s\n",
                        username, err_string);
                goto abort;
            }

            /*
             * Now free up the local context and leave the
             * network context with its pag
             */
#if 0
            sec_login_release_context(&lcontext, &st);
            if (st) {
                dce_error_inq_text(st, err_string, &lst);
                fprintf(stderr,
                        "Unable to release context for %s because %s\n",
                        username, err_string);
                goto abort;
            }
#endif
        } else {
            DEEDEBUG2("validate failed %d\n",st);
            dce_error_inq_text(st, err_string, &lst);
            fprintf(stderr,
                    "Unable to validate %s because %s\n",
                    username, err_string);
            goto abort;
        }
    } else {
        dce_error_inq_text(st, err_string, &lst);
        fprintf(stderr,
                "Unable to setup login entry for %s because %s\n",
                username, err_string);
        goto abort;
    }

done:   /* this label is not the target of any goto in this function */
    /* if we were root, get back to root */
    DEEDEBUG2("sec_login_inq_pag %8.8x\n", sec_login_inq_pag(lcontext, &st));
    if (uid == 0) {
        seteuid(0);
    }
    DEEDEBUG("completed\n");
    return(0);

abort:
    /* NOTE(review): the seteuid(0) result is not checked on either exit */
    if (uid == 0) {
        seteuid(0);
    }
    DEEDEBUG("Aborting\n");
    return(2);
}

/*-------------------------------------------------*/
/*
 * main - k5dcecon entry point.  Must run as root (exits 33 otherwise).
 *
 * Options:
 *   -l user   local user name (default: $USER)
 *   -p princ  Kerberos principal "name@REALM"
 *   -f        convert the forwarded TGT in $KRB5CCNAME into a DCE context
 *   -s        ignored (old test parameter)
 *
 * The local user, and therefore the uid whose caches are searched and
 * whose euid is assumed, comes from -l or $USER, both supplied by the
 * (root) caller.  Without -f only an existing session cache is looked up
 * (k5dcesession with no required flags).  On success the chosen cache
 * name (KRB5CCNAME) is printed on stdout for the caller.
 *
 * NOTE(review): pname stays NULL when -p is not given and is passed down
 * unchecked; k5dcegettgt calls strcmp() on it.
 *
 * Exit/return: 33 when not root, 3 with no user, 44 for an unknown user,
 * otherwise the status of k5dcecon / k5dcesession.
 */
main(argc, argv)
int argc;
char *argv[];
{
    int status;
    extern int optind;
    extern char *optarg;
    int rv;
    char *lusername = NULL;
    char *pname = NULL;
    int fflag = 0;
    struct passwd *pw;
    uid_t luid;
    uid_t myuid;
    char *ccname;              /* unused */
    krb5_creds *tgt = NULL;

#ifdef DEBUG
    /* debug builds redirect stderr to a fixed file under /tmp.
     * NOTE(review): it is created as root with O_CREAT but without
     * O_EXCL, so an existing file or symlink at that path is followed;
     * the open() result is not checked. */
    close(2);
    open("/tmp/k5dce.debug",O_WRONLY|O_CREAT|O_APPEND, 0600);
#endif

    if (myuid = getuid()) {
        DEEDEBUG2("UID = %d\n",myuid);
        exit(33);   /* must be root to run this, get out now */
    }

    while ((rv = getopt(argc,argv,"l:p:fs")) != -1) {
        DEEDEBUG2("Arg = %c\n", rv);
        switch(rv) {
        case 'l':   /* user name */
            lusername = optarg;
            DEEDEBUG2("Optarg = %s\n", optarg);
            break;
        case 'p':   /* principal name */
            pname = optarg;
            DEEDEBUG2("Optarg = %s\n", optarg);
            break;
        case 'f':   /* convert a forwarded TGT to a context */
            fflag++;
            break;
        case 's':   /* old test parameter, ignore it */
            break;
        }
    }

    setlocale(LC_ALL, "");
    krb5_init_ets();
    time(&now);   /* set time to check expired tickets */

    /* if lusername == NULL, Then user is passed as the USER= variable */
    if (!lusername) {
        lusername = getenv("USER");
        if (!lusername) {
            fprintf(stderr, "USER not in environment\n");
            return(3);
        }
    }

    if ((pw = getpwnam(lusername)) == NULL) {
        fprintf(stderr, "Who are you?\n");
        return(44);
    }
    luid = pw->pw_uid;

    if (fflag) {
        status = k5dcecon(luid, lusername, pname);
    } else {
        status = k5dcesession(luid, pname, &tgt, NULL, 0);
    }

    if (!status) {
        printf("%s",getenv("KRB5CCNAME"));   /* return via stdout to caller */
        DEEDEBUG2("KRB5CCNAME=%s\n",getenv("KRB5CCNAME"));
    }

    DEEDEBUG2("Returning status %d\n",status);
    return (status);
}
heimdal-1.7~git20150920+dfsg/appl/dceutils/testpag.c000066400000000000000000000063371257755311500220370ustar00rootroot00000000000000/* Test the k5dcepag routine by setting a pag, and
 * and execing a shell under this pag.
 *
 * This allows you to join a PAG which was created
 * earlier by some other means.
* for example k5dcecon * * Must be run as root for testing only. * */ #include #include #include #include #include #include #include #define POSIX_SETJMP #define POSIX_SIGNALS #ifdef POSIX_SIGNALS typedef struct sigaction handler; #define handler_init(H,F) (sigemptyset(&(H).sa_mask), \ (H).sa_flags=0, \ (H).sa_handler=(F)) #define handler_swap(S,NEW,OLD) sigaction(S, &NEW, &OLD) #define handler_set(S,OLD) sigaction(S, &OLD, NULL) #else typedef sigtype (*handler)(); #define handler_init(H,F) ((H) = (F)) #define handler_swap(S,NEW,OLD) ((OLD) = signal ((S), (NEW))) #define handler_set(S,OLD) (signal ((S), (OLD))) #endif typedef void sigtype; /* * We could include the dcedfs/syscall.h which should have these * numbers, but it has extra baggage. So for * simplicity sake now, we define these here. */ #define AFSCALL_SETPAG 2 #define AFSCALL_GETPAG 11 #if defined(sun) #define AFS_SYSCALL 72 #elif defined(hpux) /* assume HPUX 10 + or is it 50 */ #define AFS_SYSCALL 326 #elif defined(_AIX) #define DPAGAIX "dpagaix" /* #define DPAGAIX "/krb5/sbin/dpagaix" */ #elif defined(sgi) || defined(_sgi) #define AFS_SYSCALL 206+1000 #else #define AFS_SYSCALL (Unknown_DFS_AFS_SYSCALL) #endif static sigjmp_buf setpag_buf; static sigtype mysig() { siglongjmp(setpag_buf, 1); } int krb5_dfs_newpag(new_pag) int new_pag; { handler sa1, osa1; handler sa2, osa2; int pag = -1; handler_init (sa1, mysig); handler_init (sa2, mysig); handler_swap (SIGSYS, sa1, osa1); handler_swap (SIGSEGV, sa2, osa2); if (sigsetjmp(setpag_buf, 1) == 0) { #if defined(_AIX) int (*dpagaix)(int, int, int, int, int, int); if (dpagaix = load(DPAGAIX, 0, 0)) pag = (*dpagaix)(AFSCALL_SETPAG, new_pag, 0, 0, 0, 0); #else pag = syscall(AFS_SYSCALL,AFSCALL_SETPAG, new_pag, 0, 0, 0, 0); #endif handler_set (SIGSYS, osa1); handler_set (SIGSEGV, osa2); return(pag); } fprintf(stderr,"Setpag failed with a system error\n"); /* syscall failed! 
return 0 */ handler_set (SIGSYS, osa1); handler_set (SIGSEGV, osa2); return(-1); } main(argc, argv) int argc; char *argv[]; { extern int optind; extern char *optarg; int rv; int rc; unsigned int pag; unsigned int newpag = 0; char ccname[256]; int nflag = 0; while((rv = getopt(argc,argv,"n:")) != -1) { switch(rv) { case 'n': nflag++; sscanf(optarg,"%8x",&newpag); break; default: printf("Usage: k5dcepagt -n pag \n"); exit(1); } } if (nflag) { fprintf (stderr,"calling k5dcepag newpag=%8.8x\n",newpag); pag = krb5_dfs_newpag(newpag); fprintf (stderr,"PAG returned = %8.8x\n",pag); if ((pag != 0) && (pag != -1)) { sprintf (ccname, "FILE:/opt/dcelocal/var/security/creds/dcecred_%8.8x", pag); esetenv("KRB5CCNAME",ccname,1); execl("/bin/csh", "csh", NULL); } else { fprintf(stderr," Not a good pag value\n"); } } } heimdal-1.7~git20150920+dfsg/appl/ftp/000077500000000000000000000000001257755311500171705ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/ftp/ChangeLog000066400000000000000000000726411257755311500207540ustar00rootroot000000000000002008-05-29 Love Hörnquist Åstrand * ftp/ftp.c: use the correct length to munmap and use msync. 2008-05-28 Love Hörnquist Åstrand * ftp/ftp.c: Rewrite sliding window code so it doesn't have a integer overrun. * ftp/ftp.c: Try sliding mmap window over memory file (10MB window), works better with larger files (ie doesn't fail). 2008-04-10 Love Hörnquist Åstrand * ftpd/logwtmp.c: Use asl for logging ftpd wtmp messages. 2007-07-12 Love Hörnquist Åstrand * ftp/gssapi.c: Fix pointer vs strict alias rules. 2007-06-20 Love Hörnquist Åstrand * ftp/security.c: if no mech have no session, its ok, just don't call it. * ftp/security.h: provide prototype for sec_userok(). * move ksetpag after initgroups to make it work on Linux when its without syscall hooks to change sys_setgroups preserve the pag. From Alexsander Boström. 
2007-06-09 Love Hörnquist Åstrand * ftpd/Makefile.am: don't clean yacc/lex files in CLEANFILES, maintainers clean will do that for us. 2006-10-07 Love Hörnquist Åstrand * ftpd/Makefile.am: Add man_MANS to EXTRA_DIST * ftp/Makefile.am: Add man_MANS to EXTRA_DIST 2006-08-08 Love Hörnquist Åstrand * ftpd/ftpd.c: Add comment by seteuid call that isn't needed. * ftpd/ftpd.c: Check return values from seteuid, prompted by MIT advisory. Thanks to Tom Yu at MIT, and Michael Calmer and Marcus Meissner at SUSE. Either of CVE-2006-3083 or CVE-2006-3084. 2006-06-27 Love Hörnquist Åstrand * ftpd/gss_userok.c (gss_userok): create a local krb5_context and use that instead of the libgssapi context (that might not exist). 2006-05-05 Love Hörnquist Åstrand * Rename u_intXX_t to uintXX_t 2006-03-23 Love Hörnquist Åstrand * ftp/ftp.1: Add undocumented flags and spelling, from Ted Percival 2006-02-27 Johan Danielsson * ftpd/ftpd.8: fix grammar in --no-insecure-oob option (partly from Thomas Klausner) 2006-01-24 Love Hörnquist Åstrand * ftp/ftp.c: Indent. 2006-01-12 Johan Danielsson * ftpd/ftpd.c (pass): remove unused variable in the !OTP case 2005-10-22 Love Hörnquist Åstrand * ftpd/ls.c: Check return value from asprintf instead of string != NULL since it is undefined behavior on Linux. From Björn Sandell * ftpd/gss_userok.c: Check return value from asprintf instead of string != NULL since it is undefined behavior on Linux. From Björn Sandell * ftpd/ftpd.c: Check return value from asprintf instead of string != NULL since it is undefined behavior on Linux. From Björn Sandell * ftp/gssapi.c: Check return value from asprintf instead of string != NULL since it is undefined behavior on Linux.
From Björn Sandell 2005-10-12 Johan Danielsson * ftp/ftp.1: document -x * ftp/security.h: implement cprotect (from MIT) * ftp/security.c: add -x (encrypt) option; implement cprotect (from MIT); make sure we CCC if switching to clear-text command channel * ftp/cmdtab.c: implement cprotect (from MIT) * ftp/ruserpass.c: if doing command line encryption (-x), ignore prot commands in .netrc * ftp/ftp_var.h: add -x (encrypt) option * ftp/globals.c: add -x (encrypt) option * ftp/main.c: add -x (encrypt) option 2005-07-19 Love Hörnquist Åstrand * ftpd/ftpcmd.y: Fix shadow warning. * ftp/security.c: Fix shadow warning. * ftp/security.c: Fix shadow warnings. * ftp/ruserpass.c: Fix shadow warnings. * ftp/ftp.c: Fix shadow warnings. * ftp/cmds.c: fix shadow warnings * Add Kerberos 5 klist, old patch from Tomas Nyström (remove krb4 support). Support klist in client for kerberos 5 clase. Clean up delegation of gss tokens and do afslog. 2005-07-13 Love Hörnquist Åstrand * ftp/gssapi.c (gss_adat): avoid leaking memory (gss_auth): always try next kname if there is one, independant of min_stat * ftp/gssapi.c: avoid const warning, use sin4 instead of sin to avoid shadow warning, free target_name 2005-07-09 Love Hörnquist Åstrand * ftp/security.c: keep track of if CCC was passed * ftpd/extern.h: variable to keep track of if CCC was passed * ftpd/ftpcmd.y: sprinkel check_secure, check if CCC was passed in check_secure 2005-06-02 Love Hörnquist Åstrand * ftpd/ftpd.c (filename_check): change signednes of p to avoid warning, move typecasts 2005-05-29 Love Hörnquist Åstrand * ftpd/ftpd.c: avoid 'unused variable' warnings 2005-05-10 David Love * ftpd/pathnames.h: #ifdef protect _PATH_ISSUE 2005-04-25 Love Hörnquist Åstrand * ftp/domacro.c: handle string trunctions 2005-04-24 Love Hörnquist Åstrand * ftp/security.c: use strlcat * ftp/domacro.c: use strlcpy 2005-04-20 Love Hörnquist Åstrand * ftp/security.c: cast size_t to unsigned long 2005-04-18 Love Hörnquist Åstrand * ftpd/ftpd.c 
(statcmd): cast argument to isdigit to unsigned char * ftp/cmds.c (mget): cast char to unsigned char to make sure it's not negative when passing it to tolower 2005-04-07 Love Hörnquist Åstrand * ftp/ftp.c: fix 3 'var' might be used uninitialized warnings 2005-04-04 Love Hörnquist Åstrand * ftp/cmds.c: MacOS is also a unix that doesn't define __unix__/unix While here, rewrite this part of the function to not modify that string, but rather take a copy of it and then modify it, all this just to pacify gcc 2005-01-09 Love Hörnquist Åstrand * ftp/domacro.c: cast argument to is* to unsigned char * ftp/ftp.c: cast argument to tolower to unsigned char 2004-08-20 Love Hörnquist Åstrand * ftp/ftp.c: send ABOR protected with the security layer if it's there * ftpd/{ftpd_locl.h, extern.h, ftpcmd.y, ftpd.8, ftpd.c}: Remove all traces of setjmp/longjmp. Handle those commands that are needed in oobhandler, those are ABOR, STAT, ENC, CONF, MIC. Add options to turn off insecure OOB handling and document the option. Changes inspired by openbsd and netbsd changes but quite different in most places since the code no longer looks and is structured the same way.
2004-08-16 Johan Danielsson * ftp/main.c: reverse help strings for --no-gss-bindings and --no-gss-delegate 2004-06-20 Love Hörnquist Åstrand * ftpd/ftpcmd.y: make cbuf 64k to handle lager tickets From: MAAAAA MOOOR 2004-03-14 Love Hörnquist Åstrand * ftpd/ftpd.c (main): setpag if there is krb4 OR krb5 support 2003-12-19 Love Hörnquist Åstrand * ftp/security.h: add ftp_do_gss_delegate * ftp/main.c (getargs): negative flag for delegating gss creds * ftp/gssapi.c (ftp_do_gss_delegate): delegate creds (default on) 2003-09-03 Love Hörnquist Åstrand * ftp/ftp.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ * ftp/cmds.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ 2003-07-19 Love Hörnquist Åstrand * ftp/security.h: add ftp_do_gss_bindings * ftp/ftp.1: fix mdoc bug * ftp/ftp.1: document --no-gss-bindings * ftp/gssapi.c: Optionally support gss bindings, client does it by default, server not. This is to make it work for clients behind NAT. * ftp/main.c (args): add gss-bindings (main): set ftp_do_gss_bindings to 1 to make client use them * ftpd/ftpd.c (args): add gss-bindings * ftpd/ftpd.8: document --gss-bindings 2003-06-13 Johan Danielsson * ftp/gssapi.c (gss_adat): fix name allocation bug 2003-05-21 Love Hörnquist Åstrand * ftpd/gss_userok.c (gss_userok): release delegated cred handle * ftp/gssapi.c (gss_adat): remove poking inside the delegated handle, also fixes problem where to much memory was allocated * ftpd/gss_userok.c (gss_userok): remove poking inside the delegated handle 2003-05-14 Love Hörnquist Åstrand * ftpd/ftpcmd.y: support afslog and afslog when compiled with krb5 2003-05-07 Love Hörnquist Åstrand * ftp/cmdtab.c: include afslog in both the krb4 and krb5 case * ftp/kauth.c: include afslog in both the krb4 and krb5 case * ftp/Makefile.am: always include auth.c 2003-05-07 Love Hörnquist Åstrand * ftpd/Makefile.am: always include auth.c * ftpd/kauth.c: do afslog in the krb5 case too 2003-04-22 Love Hörnquist Åstrand * ftp/ftp.1: replace > with \*[Gt] 
2003-04-16 Love Hörnquist Åstrand * ftpd/ftpd.c: make sure argument to is* functions are unsigned 2003-04-06 Love Hörnquist Åstrand * ftpd/ftpd.8: s/kerberos/Kerberos/ 2003-03-23 Assar Westerlund * ftpd/pathnames.h (_PATH_FTPUSERS): conditionalize 2003-03-18 Love Hörnquist Åstrand * ftpd/ftpd.c (krb5_verify): always do krb5_afslog, remove setpag (its done in main) * ftpd/gss_userok.c: drop setpag * ftpd/ftpd.c (main): set afs PAG * ftpd/gss_userok.c: always try krb5_afslog, and while here do a setpag too * ftpd/ftpd_locl.h: always include kafs 2003-03-16 Love Hörnquist Åstrand * ftp/gssapi.c (gss_adat): now that gss_export_name exports a principal, bandaid with gss_display_name, and check that oid is GSS_KRB5_NT_PRINCIPAL_NAME, also free memory 2003-02-25 Love Hörnquist Åstrand * ftp/gssapi.c (gss_auth): print out the name we authenticated too 2003-02-25 Love Hörnquist Åstrand * ftpd/ls.c: use readlink with bufsize - 1, From NetBSD * ftp/ftp.1: s/utilizes/uses/ from NetBSD * ftpd/ftpd.8: s/utilize/use/ from NetBSD 2003-02-10 Assar Westerlund * ftpd/ftpd.c (accept_with_timeout): use socklen_t 2002-10-29 Johan Danielsson * ftp/main.c: reinstate -n flag (from Torbjörn Granlund) 2002-10-16 Johan Danielsson * ftp/ftp.c: fix parsing of epsv ports (from Love) 2002-09-05 Johan Danielsson * ftp/security.c (sec_vfprintf): free encoded data * ftp/gssapi.c (gss_decode): release buffer * ftp/ftp.c (active_mode): no need to allocate buffer for EPRT 2002-08-28 Johan Danielsson * ftp/ftp.c (command): clean up va_{start,end}ing (from NetBSD) 2002-08-23 Assar Westerlund * ftp/main.c: start using getarg 2002-08-22 Johan Danielsson * ftpd/ls.c: uxp/v lacks _S_IFMT, but has S_IFMT 2002-08-20 Johan Danielsson * ftp/gssapi.c: remove unused variable 2002-04-24 Johan Danielsson * ftp/ftp.c: fix buffer overrun when receiving long replies 2002-04-02 Johan Danielsson * ftpd/popen.c: make sure gl_pathc != 0 before referencing gl_pathv 2002-03-15 Johan Danielsson * ftp/gssapi.c (gss_adat): if 
accept_sec_context fails, syslog a reason and give a temporary error message 2002-02-28 Johan Danielsson * ftpd/ftpd.c: if builtin_ls failes, return error * ftpd/ls.c (builtin_ls): return status; also don't print fatal error messages to the output stream, instead use syslog 2001-09-14 Johan Danielsson * ftpd/ls.c: make sure we don't include . in recursive listings 2001-09-13 Johan Danielsson * ftpd/ftpd.c (dataconn): don't wait forever on accept 2001-09-04 Assar Westerlund * ftp/gssapi.c (gss_adat): leak less memory and check return value from asprintf 2001-08-28 Jacques Vidrine * ftpd/ftpd.c, ftpd/ftpd.8: On systems with IP_PORTRANGE, have ftpd use `high-numbered' ports by default. Add a -U option to get the old behavior. 2001-08-28 Johan Danielsson * ftp/gssapi.c: try using "host" if there's no "ftp" principal 2001-08-26 Johan Danielsson * ftpd/ls.c: implement -R 2001-08-08 Assar Westerlund * ftpd/ls.c: make -a and -A do the same as in ls(1) 2001-08-05 Assar Westerlund * ftpd/ftpcmd.y: add some (unsigned char) casts to is* * ftp/cmds.c: add some (unsigned char) casts to is* * ftpd/gss_userok.c (gss_userok): make argument to printf type correct 2001-08-05 Assar Westerlund * ftp/cmds.c (setpeer): __NetBSD__ is also a unix-like OS 2001-06-19 Assar Westerlund * ftpd/popen.c, ftpd/ftpd.c: try to handle GLOB_MAXPATH (FreeBSD) 2001-04-19 Johan Danielsson * ftpd/ftpd.c (do_store): call closefunc before claiming that everything went ok, if the close fails the file might not have been stored properly 2001-03-26 Assar Westerlund * ftpd/ftpd.c, ftpd/popen.c: always use GLOB_LIMIT * ftpd/popen.c (ftpd_popen): use GLOB_LIMIT if defined * ftpd/ftpd.c (send_file_list): use GLOB_LIMIT if defined 2001-02-15 Assar Westerlund * ftp/cmds.c (setpeer): handle both service names and port numbers for the second optional argument. 
also make parsing more robust 2001-02-07 Assar Westerlund * ftp/security.c (sec_end): only clean app_data if there is any (*): do realloc consistently 2001-02-05 Assar Westerlund * ftpd/popen.c (ftpd_popen): avoid overwriting the bounds of argv and gargv 2001-01-30 Assar Westerlund * ftpd/gss_userok.c: use gss_krb5_copy_ccache 2001-01-29 Assar Westerlund * ftpd/Makefile.am: move up LIB_otp so we do not end up picking one from /usr/athena 2001-01-25 Johan Danielsson * ftpd/ls.c: fix bug in previous; make it easier to build test version 2001-01-19 Johan Danielsson * ftpd/ls.c (lstat_file): handle case where file lives in `/' 2001-01-18 Johan Danielsson * ftpd/ftpd.c (pasv): close already open passive port 2000-12-14 Johan Danielsson * ftpd/ls.c: reverse time and size sort order (pointed out by tege) 2000-12-11 Johan Danielsson * ftpd/ftpd.c: make it possible to set list of good filename characters from command line 2000-12-10 Johan Danielsson * ftpd/ftpd.c: some spec-violating mirror software assumes that you can do things like `LIST -CF'; don't pass `--' to ls so this actually works * ftpd/ls.c: implement -1CFx flags 2000-12-08 Assar Westerlund * ftpd/gss_userok.c (gss_userok): handle getpwnam failing * ftp/gssapi.c (gss_auth): be more explicit in error message 2000-11-29 Johan Danielsson * ftpd/ftpd.8: close list 2000-11-15 Assar Westerlund * ftp/main.c: add `-l' for no line-editing * ftp/globals.c (readline): add * ftp/ftp_var.h (lineedit): add variable indicated if we should use readline 2000-11-09 Johan Danielsson * ftp/security.c (sec_read): fix bug in previous (from Jacques A. 
Vidrine ) 2000-11-05 Johan Danielsson * ftpd/ftpcmd.y: only allow pasv if logged in 2000-10-23 Johan Danielsson * ftpd/ftpd.c: change bad filename message slightly * common/buffer.c: HAVE_ST_BLKSIZE -> HAVE_STRUCT_STAT_ST_BLKSIZE 2000-10-08 Assar Westerlund * ftp/ftp.c (*): check that fds are not too large to select on * ftp/main.c (cmdscanner): print a newline upon EOF 2000-09-19 Assar Westerlund * ftp/security.h: add some attributes to prototypes of sec* * ftp/extern.h (command): add attributes 2000-08-31 Johan Danielsson * ftpd/ftpd.c: change redundant password message to something people can understand 2000-07-27 Assar Westerlund * ftpd/gss_userok.c (gss_userok): only do AFS iff KRB4 * ftpd/ftpd.c (krb5_verify): only do AFS stuff if KRB4 2000-07-07 Assar Westerlund * ftpd/ftpd.c: do not call setproctitle with a variable as the format string 2000-07-01 Assar Westerlund * ftpd/ftpd_locl.h: krb5.h before kafs.h * ftpd/ftpd.c (krb5_verify): static-ize * ftpd/ftpd.c (krb5_verify): conditionalize on KRB5 2000-06-21 Assar Westerlund * ftpd: support for authenticating passwords with krb5, by Daniel Kouril 2000-06-06 Johan Danielsson * ftpd/ftpcmd.y: change unix test to be negative 2000-05-18 Assar Westerlund * ftpd/ftpd.c (args): should use `debug'. From Onno van der Linden . 2000-04-25 Assar Westerlund * ftp/ftp.c (login): re-structure code so that we prompt for password for ftp/anonymous 2000-04-11 Assar Westerlund * ftp/ftp.c (login): initialize tmp before calling fgets 2000-04-02 Assar Westerlund * ftpd/ls.c: rename all st_mtime variables to avoid conflict with #define. * ftpd/ftpcmd.y: rename all st_mtime variables to avoid conflict with #define. * ftp/cmds.c: rename all st_mtime variables to avoid conflict with #define. 2000-03-26 Assar Westerlund * ftpd/ls.c, ftpd/ftpcmd.y, ftp/cmds.c: make sure to always call time, ctime, and gmtime with `time_t's. there were some types (like in lastlog) that we believed to always be time_t. 
this has proven wrong on Solaris 8 in 64-bit mode, where they are stored as 32-bit quantities but time_t has gone up to 64 bits 2000-03-09 Johan Danielsson * call list_file for broken usages of nlst too * ftpd/ftpd.c: call list_file for broken usages of nlst too 2000-02-07 Assar Westerlund * ftp/security.c (sec_read): more paranoia with return value from sec_get_data 2000-01-08 Assar Westerlund * ftp/ftp.c (hookup): handle ai_canonname being set in any of the addresses returnedby getaddrinfo. glibc apparently returns the reverse lookup of every address in ai_canonname. * ftp/ruserpass.c (guess_domain): dito 1999-12-21 Assar Westerlund * ftpd/ftpd.c: don't use sa_len as a parameter, it's defined on Irix 1999-12-21 Johan Danielsson * ftpd/ftpd.c (dataconn): make sure from points to actual data 1999-12-16 Assar Westerlund * ftp/ruserpass.c (guess_domain): handle ai_canonname not being set * ftp/ftp.c (hookup): handle ai_canonname not being set 1999-12-06 Assar Westerlund * ftp/krb4.c (krb4_auth): the nat-IP address might not be realm bounded. 1999-12-05 Assar Westerlund * ftpd/ftpd.c (dolog): update prototype * ftpd/ftpd.c (dolog): use getnameinfo_verified * ftpd/ftpd.c: replace inaddr2str by getnameinfo 1999-12-04 Assar Westerlund * ftp/ruserpass.c (guess_domain): re-write to use getaddrinfo * ftp/ftp.c (hookup): re-write to use getaddrinfo 1999-11-30 Assar Westerlund * ftpd/ftpd.c (getdatasock): make sure to keep the port-number of the outgoing connections. It has to be `ftp-data' or some people might get upset. * ftpd/ftpd.c (args): set correct variable when `-l' so that logging actually works 1999-11-29 Assar Westerlund * ftp/security.c (sec_login): check return value from realloc (sec_end): set app_data to NULL 1999-11-25 Assar Westerlund * ftp/krb4.c (krb4_auth): obtain the `local' address when doing NAT. also turn on passive mode. 
From 1999-11-20 Assar Westerlund * ftpd/ls.c (make_fileinfo): cast to allow for non-const prototypes of readlink 1999-11-12 Assar Westerlund * ftpd/ftpd.c (args): use arg_counter for `l' 1999-11-04 Assar Westerlund * ftpd/ls.c (S_ISSOCK, S_ISLNK): fallback definitions for systems that don't have them (such as ultrix) 1999-10-29 Assar Westerlund * ftpd/ls.c (make_fileinfo): cast uid's and gid's to unsigned in printf, we don't know what types they might be. (lstat_file): conditionalize the kafs part on KRB4 * ftpd/ftpd_locl.h: is needed for kafs.h 1999-10-28 Assar Westerlund * ftpd/ls.c (lstat_file): don't set st_mode, it should already be correct * ftpd/ls.c: don't use warnx to print errors * ftpd/ls.c (builtin_ls): fix typo, 'd' shouldn't imply 'f' * ftpd/ls.c (lstat_file): new function for avoiding stating AFS mount points. From Love (list_files): use `lstat_file' * ftpd/ftpd.c: some const-poisoning * ftpd/ftpd.c (args): add `-B' as an alias for `--builtin-ls' to allow for stupid inetds that only support two arguments. From Love 1999-10-26 Assar Westerlund * ftpd/ftpcmd.y (help): it's unnecessary to interpret help strings as printf commands * ftpd/ftpd.c (show_issue): don't interpret contents of /etc/issue* as printf commands. 
From Brian A May 1999-10-21 Johan Danielsson * ftpd/kauth.c (kauth): complain if protection level isn't `private' * ftp/krb4.c (krb4_decode): syslog failure reason * ftp/kauth.c (kauth): set private level earlier * ftp/security.c: get_command_prot; (sec_prot): partially match `command' and `data' 1999-10-18 Johan Danielsson * ftpd/ftpd.c: change `-l' flag to use arg_collect (this makes `-ll' work again) * ftpd/ftpd.c (list_file): pass filename to ls 1999-10-04 Johan Danielsson * ftpd/ftpcmd.y: FEAT 1999-10-03 Assar Westerlund * ftpd/ls.c: fall-back definitions for constans and casts for printfs 1999-10-03 Johan Danielsson * ftpd/ftpd.c (main): make this use getarg; add `list_file' * ftpd/ftpcmd.y (LIST): call list_file * ftpd/ls.c: add simple built-in ls * ftp/security.c: add `sec_vfprintf2' and `sec_fprintf2' that prints to the data stream * ftp/kauth.c (kauth): make sure we're using private protection level * ftp/security.c (set_command_prot): set command protection level * ftp/security.c: make it possible to set the command protection level with `prot' 1999-09-30 Assar Westerlund * ftpd/ftpd_locl.h: add prototype for fclose to make sunos happy 1999-08-19 Johan Danielsson * ftpd/ftpd.c (do_login): show issue-file (send_data): change handling of zero-byte files 1999-08-18 Assar Westerlund * ftp/cmds.c (getit): be more suspicious when parsing the result of MDTM. Do the comparison of timestamps correctly. 1999-08-13 Assar Westerlund * ftpd/ftpd.c (send_data): avoid calling mmap with `len == 0'. Some mmap:s rather dislike that (Solaris) and some munmap (Linux) get grumpy later. * ftp/ftp.c (copy_stream): avoid calling mmap with `len == 0'. Some mmap:s rather dislike that (Solaris) and some munmap (Linux) get grumpy later. 
1999-08-03 Assar Westerlund * ftp/ftp.c (active_mode): hide failure of EPRT by setting verbose * ftp/gssapi.c (gss_auth): initialize application_data in bindings 1999-08-02 Assar Westerlund * ftpd/ftpcmd.y: save file names when doing commands that might get aborted (and longjmp:ed out of) to avoid overwriting them also remove extra closing brace 1999-08-01 Johan Danielsson * ftpd/ftpcmd.y: change `site find' to `site locate' (to match what it does, and other implementations) keep find as an alias 1999-07-28 Assar Westerlund * common/socket.c: moved to roken * common/socket.c: new file with generic socket functions * ftpd/ftpd.c: make it more AF-neutral and v6-capable * ftpd/ftpcmd.y: add EPRT and EPSV * ftpd/extern.h: update prototypes and variables * ftp/krb4.c: update to new types of addresses * ftp/gssapi.c: add support for both AF_INET and AF_INET6 addresses * ftp/ftp.c: make it more AF-neutral and v6-capable * ftp/extern.h (hookup): change prototype * common/common.h: add prototypes for functions in socket.c * common/Makefile.am (libcommon_a_SOURCES): add socket.c * ftp/gssapi.c (gss_auth): check return value from `gss_import_name' and print error messages if it fails 1999-06-15 Assar Westerlund * ftp/krb4.c (krb4_auth): type correctness 1999-06-02 Johan Danielsson * ftp/ftp.c (sendrequest): lmode != rmode 1999-05-21 Assar Westerlund * ftp/extern.h (sendrequest): update prototype * ftp/cmds.c: update calls to sendrequest and recvrequest to send "b" when appropriate * ftp/ftp.c (sendrequest): add argument for mode to open file in. 
1999-05-08 Assar Westerlund * ftpd/ftpcmd.y: rename getline -> ftpd_getline * ftp/main.c (makeargv): fill in unused slots with NULL Thu Apr 8 15:06:40 1999 Johan Danielsson * ftpd/ftpd.c: remove definition of KRB_VERIFY_USER (moved to config.h) Wed Apr 7 16:15:21 1999 Johan Danielsson * ftp/gssapi.c (gss_auth): call gss_display_status to get a sane error message; return AUTH_{CONTINUE,ERROR}, where appropriate * ftp/krb4.c: return AUTH_{CONTINUE,ERROR}, where appropriate * ftp/security.c (sec_login): if mechanism returns AUTH_CONTINUE, just continue with the next mechanism, this fixes the case of having GSSAPI fail because of non-existant of expired tickets * ftp/security.h: add AUTH_{OK,CONTINUE,ERROR} Thu Apr 1 16:59:04 1999 Johan Danielsson * ftpd/Makefile.am: don't run check-local * ftp/Makefile.am: don't run check-local Mon Mar 22 22:15:18 1999 Assar Westerlund * ftpd/ftpd.c (pass): fall-back for KRB_VERIFY_SECURE * ftpd/ftpd.c (pass): 1 -> KRB_VERIFY_SECURE Thu Mar 18 12:07:09 1999 Johan Danielsson * ftpd/Makefile.am: clean ftpcmd.c * ftpd/ftpd_locl.h: remove krb5.h (breaks in ftpcmd.y) * ftpd/ftpd.c: move include of krb5.h here * ftpd/Makefile.am: include Makefile.am.common * Makefile.am: include Makefile.am.common * ftp/Makefile.am: include Makefile.am.common * common/Makefile.am: include Makefile.am.common Tue Mar 16 22:28:37 1999 Assar Westerlund * ftpd/ftpd_locl.h: add krb5.h to get heimdal_version * ftpd/ftpd.c: krb_verify_user_multiple -> krb_verify_user Thu Mar 11 14:54:59 1999 Johan Danielsson * ftp/Makefile.in: WFLAGS * ftp/ruserpass.c: add some if-braces Wed Mar 10 20:02:55 1999 Johan Danielsson * ftpd/ftpd_locl.h: remove ifdef HAVE_FNMATCH Mon Mar 8 21:29:24 1999 Johan Danielsson * ftpd/ftpd.c: re-add version in greeting message Mon Mar 1 10:49:38 1999 Johan Danielsson * ftpd/logwtmp.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_* Mon Feb 22 19:20:51 1999 Johan Danielsson * common/Makefile.in: remove glob Sat Feb 13 17:19:35 1999 Assar Westerlund * 
ftpd/ftpd.c (match): remove #ifdef HAVE_FNMATCH. We have a fnmatch implementation in roken and therefore always have it. * ftp/ftp.c (copy_stream): initialize `werr' Wed Jan 13 23:52:57 1999 Assar Westerlund * ftpd/ftpcmd.y: moved all check_login and check_login_no_guest to the end of the rules to ensure we don't generate several (independent) error messages. once again, having a yacc-grammar for FTP with embedded actions doesn't strike me as the most optimal way of doing it. Tue Dec 1 14:44:29 1998 Johan Danielsson * ftpd/Makefile.am: link with extra libs for aix Sun Nov 22 10:28:20 1998 Assar Westerlund * ftpd/ftpd.c (retrying): support on-the-fly decompression * ftpd/Makefile.in (WFLAGS): set * ftp/ruserpass.c (guess_domain): new function (ruserpass): use it * common/Makefile.in (WFLAGS): set * Makefile.in (WFLAGS): set Sat Nov 21 23:13:03 1998 Assar Westerlund * ftp/security.c: some more type correctness. * ftp/gssapi.c (gss_adat): more braces to shut up warnings Wed Nov 18 21:47:55 1998 Assar Westerlund * ftp/main.c (main): new option `-p' for enable passive mode. Mon Nov 2 01:57:49 1998 Assar Westerlund * ftp/ftp.c (getreply): remove extra `break' * ftp/gssapi.c (gss_auth): fixo typo(copyo?) * ftp/security.c (sec_login): fix loop and return value Tue Sep 1 16:56:42 1998 Johan Danielsson * ftp/cmds.c (quote1): fix % quoting bug Fri Aug 14 17:10:06 1998 Johan Danielsson * ftp/krb4.c: krb_put_int -> KRB_PUT_INT Tue Jun 30 18:07:15 1998 Assar Westerlund * ftp/security.c (auth): free `app_data' (sec_end): only destroy if it was initialized Tue Jun 9 21:01:59 1998 Johan Danielsson * ftp/krb4.c: pass client address to krb_rd_req Sat May 16 00:02:07 1998 Assar Westerlund * ftpd/Makefile.am: link with DBLIB Tue May 12 14:15:32 1998 Johan Danielsson * ftp/gssapi.c: Save client name for userok(). * ftpd/gss_userok.c: Userok for gssapi. 
Fri May 1 07:15:01 1998 Assar Westerlund * ftp/ftp.c: unifdef -DHAVE_H_ERRNO Fri Mar 27 00:46:07 1998 Johan Danielsson * Make compile w/o krb4. Thu Mar 26 03:49:12 1998 Johan Danielsson * ftp/*, ftpd/*: Changes for new framework. * ftp/gssapi.c: GSS-API backend for the new security framework. * ftp/krb4.c: Updated for new framework. * ftp/security.{c,h}: New unified security framework. heimdal-1.7~git20150920+dfsg/appl/ftp/Makefile.am000066400000000000000000000001441257755311500212230ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common SUBDIRS = common ftp ftpd EXTRA_DIST = NTMakefileheimdal-1.7~git20150920+dfsg/appl/ftp/NTMakefile000066400000000000000000000027311257755311500210750ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\ftp !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/ftp/common/000077500000000000000000000000001257755311500204605ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/ftp/common/Makefile.am000066400000000000000000000002451257755311500225150ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common noinst_LIBRARIES = libcommon.a libcommon_a_SOURCES = \ sockbuf.c \ buffer.c \ common.h EXTRA_DIST = NTMakefileheimdal-1.7~git20150920+dfsg/appl/ftp/common/NTMakefile000066400000000000000000000027431257755311500223700ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\ftp\common !include ../../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/ftp/common/buffer.c000066400000000000000000000043131257755311500220760ustar00rootroot00000000000000/* * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
* * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "common.h" #include #include #include "roken.h" RCSID("$Id$"); /* * Allocate a buffer enough to handle st->st_blksize, if * there is such a field, otherwise BUFSIZ. */ void * alloc_buffer (void *oldbuf, size_t *sz, struct stat *st) { size_t new_sz; new_sz = BUFSIZ; #ifdef HAVE_STRUCT_STAT_ST_BLKSIZE if (st) new_sz = max(BUFSIZ, st->st_blksize); #endif if(new_sz > *sz) { if (oldbuf) free (oldbuf); oldbuf = malloc (new_sz); if (oldbuf == NULL) { warn ("malloc"); *sz = 0; return NULL; } *sz = new_sz; } return oldbuf; } heimdal-1.7~git20150920+dfsg/appl/ftp/common/common.h000066400000000000000000000040571257755311500221270ustar00rootroot00000000000000/* * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ #ifdef HAVE_CONFIG_H #include #endif #ifndef __COMMON_H__ #define __COMMON_H__ #include "base64.h" void set_buffer_size(int, int); #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_STAT_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif void *alloc_buffer (void *oldbuf, size_t *sz, struct stat *st); #endif /* __COMMON_H__ */ heimdal-1.7~git20150920+dfsg/appl/ftp/common/sockbuf.c000066400000000000000000000045451257755311500222700ustar00rootroot00000000000000/* * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. 
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "common.h" #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif RCSID("$Id$"); void set_buffer_size(int fd, int read) { #if defined(SO_RCVBUF) && defined(SO_SNDBUF) && defined(HAVE_SETSOCKOPT) int size = 4194304; int optname = read ? 
SO_RCVBUF : SO_SNDBUF; #ifdef HAVE_GETSOCKOPT int curr=0; socklen_t optlen; optlen = sizeof(curr); if(getsockopt(fd, SOL_SOCKET, optname, (void *)&curr, &optlen) == 0) { if(curr >= size) { /* Already large enough */ return; } } #endif /* HAVE_GETSOCKOPT */ while(size >= 131072 && setsockopt(fd, SOL_SOCKET, optname, (void *)&size, sizeof(size)) < 0) size /= 2; #endif } heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/000077500000000000000000000000001257755311500177615ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/Makefile.am000066400000000000000000000012001257755311500220060ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common WFLAGS += $(WFLAGS_LITE) AM_CPPFLAGS += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_hcrypto) bin_PROGRAMS = ftp CHECK_LOCAL = if KRB5 krb5_sources = gssapi.c endif ftp_SOURCES = \ cmds.c \ cmdtab.c \ extern.h \ ftp.c \ ftp_locl.h \ ftp_var.h \ main.c \ pathnames.h \ ruserpass.c \ domacro.c \ globals.c \ security.c \ security.h \ kauth.c \ $(krb5_sources) EXTRA_ftp_SOURCES = gssapi.c man_MANS = ftp.1 LDADD = \ ../common/libcommon.a \ $(LIB_gssapi) \ $(LIB_krb5) \ $(LIB_hcrypto) \ $(LIB_roken) \ $(LIB_readline) EXTRA_DIST = NTMakefile $(man_MANS) heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/NTMakefile000066400000000000000000000027401257755311500216660ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. 
# # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\ftp\ftp !include ../../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/cmds.c000066400000000000000000001203721257755311500210600ustar00rootroot00000000000000/* * Copyright (c) 1985, 1989, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * FTP User Program -- Command Routines. */ #include "ftp_locl.h" RCSID("$Id$"); typedef void (*sighand)(int); jmp_buf jabort; char *mname; char *home = "/"; /* * `Another' gets another argument, and stores the new argc and argv. * It reverts to the top level (via main.c's intr()) on EOF/error. * * Returns false if no new arguments have been added. 
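 */
int
another(int *pargc, char ***pargv, char *prompt)
{
	int len = strlen(line), ret;

	/* Keep room for the separating blank, the newline and the NUL. */
	if (len >= sizeof(line) - 3) {
		printf("sorry, arguments too long\n");
		intr(0);
	}
	printf("(%s) ", prompt);
	line[len++] = ' ';
	if (fgets(&line[len], sizeof(line) - len, stdin) == NULL)
		intr(0);
	len += strlen(&line[len]);
	if (len > 0 && line[len - 1] == '\n')
		line[len - 1] = '\0';
	makeargv();
	ret = margc > *pargc;
	*pargc = margc;
	*pargv = margv;
	return (ret);
}

/*
 * Connect to peer server and
 * auto-login, if possible.
 *
 * argv[1] is the host, the optional argv[2] a service name looked up in
 * services(5) or a numeric port.  A numeric port has to be a complete
 * number in 1..65535; it used to be assigned straight to a u_short, so
 * out-of-range or partially numeric input was silently truncated.
 * Every error path sets `code' to -1.
 */
void
setpeer(int argc, char **argv)
{
	char *host;
	u_short port;
	struct servent *sp;

	if (connected) {
		printf("Already connected to %s, use close first.\n",
		    hostname);
		code = -1;
		return;
	}
	if (argc < 2)
		another(&argc, &argv, "to");
	if (argc < 2 || argc > 3) {
		printf("usage: %s host-name [port]\n", argv[0]);
		code = -1;
		return;
	}
	sp = getservbyname("ftp", "tcp");
	if (sp == NULL)
		errx(1, "You bastard. You removed ftp/tcp from services");
	port = sp->s_port;
	if (argc > 2) {
		sp = getservbyname(argv[2], "tcp");
		if (sp != NULL) {
			port = sp->s_port;
		} else {
			char *ep;
			long p;

			p = strtol(argv[2], &ep, 0);
			/*
			 * Reject empty, trailing-garbage and out-of-range
			 * values instead of truncating them to 16 bits
			 * (e.g. 65557 would have become port 21).
			 */
			if (argv[2] == ep || *ep != '\0' || p < 1 || p > 65535) {
				printf("%s: bad port number-- %s\n",
				    argv[1], argv[2]);
				printf ("usage: %s host-name [port]\n", argv[0]);
				code = -1;
				return;
			}
			port = htons((u_short)p);
		}
	}
	host = hookup(argv[1], port);
	if (host) {
		int overbose;

		connected = 1;
		/*
		 * Set up defaults for FTP.
		 */
		strlcpy(typename, "ascii", sizeof(typename));
		type = TYPE_A;
		curtype = TYPE_A;
		strlcpy(formname, "non-print", sizeof(formname));
		form = FORM_N;
		strlcpy(modename, "stream", sizeof(modename));
		mode = MODE_S;
		strlcpy(structname, "file", sizeof(structname));
		stru = STRU_F;
		strlcpy(bytename, "8", sizeof(bytename));
		bytesize = 8;
		if (autologin)
			login(argv[1]);

#if (defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY) || defined(__NetBSD__) || defined(__APPLE__)) && NBBY == 8
		/*
		 * this ifdef is to keep someone from "porting" this to an
		 * incompatible system and not checking this out. This way
		 * they have to think about it.
		 */
		overbose = verbose;
		if (debug == 0)
			verbose = -1;
		if (command("SYST") == COMPLETE && overbose &&
		    strlen(reply_string) > 4) {
			char *cp, *p;

			/* Skip the "215 " reply code; the rest is the system name. */
			cp = strdup(reply_string + 4);
			if (cp == NULL)
				errx(1, "strdup: out of memory");
			p = strchr(cp, ' ');
			if (p == NULL)
				p = strchr(cp, '\r');
			if (p) {
				/*
				 * Drop a trailing '.', but never read p[-1]
				 * when the separator is the first character
				 * of the copy (e.g. a reply of just "215 \r").
				 */
				if (p > cp && p[-1] == '.')
					p--;
				*p = '\0';
			}
			printf("Remote system type is %s.\n", cp);
			free(cp);
		}
		if (!strncmp(reply_string, "215 UNIX Type: L8", 17)) {
			if (proxy)
				unix_proxy = 1;
			else
				unix_server = 1;
			/*
			 * Set type to 0 (not specified by user),
			 * meaning binary by default, but don't bother
			 * telling server.  We can use binary
			 * for text files unless changed by the user.
			 */
			type = 0;
			strlcpy(typename, "binary", sizeof(typename));
			if (overbose)
				printf("Using %s mode to transfer files.\n",
				    typename);
		} else {
			if (proxy)
				unix_proxy = 0;
			else
				unix_server = 0;
			if (overbose &&
			    !strncmp(reply_string, "215 TOPS20", 10))
				printf(
"Remember to set tenex mode when transferring binary files from this machine.\n");
		}
		verbose = overbose;
#endif /* unix */
	}
}

/*
 * Table of the TYPE settings we know how to ask the server for.
 * t_arg, when non-NULL, is sent as the second TYPE parameter (tenex
 * uses the current byte size).
 */
struct types {
	char	*t_name;
	char	*t_mode;
	int	t_type;
	char	*t_arg;
} types[] = {
	{ "ascii",	"A",	TYPE_A,	0 },
	{ "binary",	"I",	TYPE_I,	0 },
	{ "image",	"I",	TYPE_I,	0 },
	{ "ebcdic",	"E",	TYPE_E,	0 },
	{ "tenex",	"L",	TYPE_L,	bytename },
	{ NULL,		NULL,	0,	NULL }
};

/*
 * Set transfer type.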
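 */
void
settype(int argc, char **argv)
{
	struct types *p;
	int comret;

	if (argc > 2) {
		char *sep;

		printf("usage: %s [", argv[0]);
		sep = " ";
		for (p = types; p->t_name; p++) {
			printf("%s%s", sep, p->t_name);
			sep = " | ";
		}
		printf(" ]\n");
		code = -1;
		return;
	}
	if (argc < 2) {
		printf("Using %s mode to transfer files.\n", typename);
		code = 0;
		return;
	}
	for (p = types; p->t_name; p++)
		if (strcmp(argv[1], p->t_name) == 0)
			break;
	if (p->t_name == 0) {
		printf("%s: unknown mode\n", argv[1]);
		code = -1;
		return;
	}
	/* tenex carries the byte size as a second TYPE parameter. */
	if ((p->t_arg != NULL) && (*(p->t_arg) != '\0'))
		comret = command ("TYPE %s %s", p->t_mode, p->t_arg);
	else
		comret = command("TYPE %s", p->t_mode);
	if (comret == COMPLETE) {
		strlcpy(typename, p->t_name, sizeof(typename));
		curtype = type = p->t_type;
	}
}

/*
 * Internal form of settype; changes current type in use with server
 * without changing our notion of the type for data transfers.
 * Used to change to and from ascii for listings.
 *
 * newtype == 0 means "binary by default" (TYPE_I).  `verbose' is
 * muted while the TYPE command is sent unless `show' or `debug' is
 * set, and is restored on every exit path -- the unknown-type error
 * used to return with it left at 0.
 */
void
changetype(int newtype, int show)
{
	struct types *p;
	int comret, oldverbose = verbose;

	if (newtype == 0)
		newtype = TYPE_I;
	if (newtype == curtype)
		return;
	if (debug == 0 && show == 0)
		verbose = 0;
	for (p = types; p->t_name; p++)
		if (newtype == p->t_type)
			break;
	if (p->t_name == 0) {
		printf("ftp: internal error: unknown type %d\n", newtype);
		verbose = oldverbose;
		return;
	}
	if (newtype == TYPE_L && bytename[0] != '\0')
		comret = command("TYPE %s %s", p->t_mode, bytename);
	else
		comret = command("TYPE %s", p->t_mode);
	if (comret == COMPLETE)
		curtype = newtype;
	verbose = oldverbose;
}

/* Scratch argv used by the set{binary,ascii,tenex} shorthands below. */
char *stype[] = {
	"type",
	"",
	0
};

/*
 * Set binary transfer type.
 */
/*VARARGS*/
void
setbinary(int argc, char **argv)
{
	stype[1] = "binary";
	settype(2, stype);
}

/*
 * Set ascii transfer type.
 */
/*VARARGS*/
void
setascii(int argc, char **argv)
{
	stype[1] = "ascii";
	settype(2, stype);
}

/*
 * Set tenex transfer type.
 */
/*VARARGS*/
void
settenex(int argc, char **argv)
{
	stype[1] = "tenex";
	settype(2, stype);
}

/*
 * Set file transfer mode.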
 */
/*ARGSUSED*/
void
setftmode(int argc, char **argv)
{
	/* Only the current (stream) mode is implemented; just report it. */
	printf("We only support %s mode, sorry.\n", modename);
	code = -1;
}

/*
 * Set file transfer format.
 */
/*ARGSUSED*/
void
setform(int argc, char **argv)
{
	printf("We only support %s format, sorry.\n", formname);
	code = -1;
}

/*
 * Set file transfer structure.
 */
/*ARGSUSED*/
void
setstruct(int argc, char **argv)
{
	printf("We only support %s structure, sorry.\n", structname);
	code = -1;
}

/*
 * Send a single file.
 *
 * "put local [remote]" / "append local [remote]".  With a single
 * argument the remote name defaults to the local one (loc), and only
 * then are the ntflag/mapflag name translations applied to it.
 * argv[0][0] == 'a' selects APPE, otherwise STOU when sunique is set,
 * else STOR.  Sets `code' to -1 on usage or globbing errors.
 */
void
put(int argc, char **argv)
{
	char *cmd;
	int loc = 0;
	char *oldargv1, *oldargv2;

	/* NOTE(review): writes argv[2]; assumes the caller's vector has that slot (presumably margv) -- verify. */
	if (argc == 2) {
		argc++;
		argv[2] = argv[1];
		loc++;
	}
	/* Note that this goto jumps into the body of the following if. */
	if (argc < 2 && !another(&argc, &argv, "local-file"))
		goto usage;
	if (argc < 3 && !another(&argc, &argv, "remote-file")) {
usage:
		printf("usage: %s local-file remote-file\n", argv[0]);
		code = -1;
		return;
	}
	oldargv1 = argv[1];
	oldargv2 = argv[2];
	if (!globulize(&argv[1])) {
		code = -1;
		return;
	}
	/*
	 * If "globulize" modifies argv[1], and argv[2] is a copy of
	 * the old argv[1], make it a copy of the new argv[1].
	 */
	if (argv[1] != oldargv1 && argv[2] == oldargv1) {
		argv[2] = argv[1];
	}
	cmd = (argv[0][0] == 'a') ? "APPE" : ((sunique) ? "STOU" : "STOR");
	if (loc && ntflag) {
		argv[2] = dotrans(argv[2]);
	}
	if (loc && mapflag) {
		argv[2] = domap(argv[2]);
	}
	/*
	 * Open mode follows the transfer type; the last argument is set
	 * when either name was rewritten above.
	 */
	sendrequest(cmd, argv[1], argv[2],
	    curtype == TYPE_I ? "rb" : "r",
	    argv[1] != oldargv1 || argv[2] != oldargv2);
}

/* ARGSUSED */
/*
 * SIGINT handler installed by mput and mget.  When interactive and a
 * multi-file transfer is in progress it asks whether to go on; either
 * way it longjmps back to the setjmp(jabort) in the calling command,
 * clearing mflag when the remaining transfers are to be abandoned.
 *
 * NOTE(review): printf, fflush, confirm and longjmp are not
 * async-signal-safe; sigsetjmp/siglongjmp (or just setting a flag
 * here) would be the safer shape.
 */
static RETSIGTYPE
mabort(int signo)
{
	int ointer;

	printf("\n");
	fflush(stdout);
	if (mflag && fromatty) {
		ointer = interactive;
		interactive = 1;
		if (confirm("Continue with", mname)) {
			interactive = ointer;
			longjmp(jabort,0);
		}
		interactive = ointer;
	}
	mflag = 0;
	longjmp(jabort,0);
}

/*
 * Send multiple files.
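*/
/*
 * Send multiple files ("mput").
 *
 * Each local name is run through the optional case folding (mcase),
 * character translation (ntrans) and template mapping (nmap) before it is
 * used as the remote name.  On a proxy connection the names come from
 * remglob(); otherwise argv[1..argc) is globbed locally unless globbing
 * is off.  Every file is confirmed with the user while `mflag' is set;
 * mabort() clears it on SIGINT.
 *
 * Fixes relative to the previous version:
 *  - proxy branch: `tp = tmpbuf' was outside the `if (!*tp)' block, so a
 *    name that already contained a lowercase letter was replaced by the
 *    contents of an uninitialised buffer;
 *  - no-glob branch: sendrequest() was called with its remote-name and
 *    file-mode arguments swapped (compare the two other calls below).
 */
void
mput(int argc, char **argv)
{
    int i;
    RETSIGTYPE (*oldintr)(int);
    int ointer;
    char *tp;

    if (argc < 2 && !another(&argc, &argv, "local-files")) {
        printf("usage: %s local-files\n", argv[0]);
        code = -1;
        return;
    }
    mname = argv[0];
    mflag = 1;
    oldintr = signal(SIGINT, mabort);
    setjmp(jabort);
    if (proxy) {
        char *cp, *tp2, tmpbuf[MaxPathLen];

        while ((cp = remglob(argv, 0)) != NULL) {
            if (*cp == 0) {
                mflag = 0;
                continue;
            }
            if (mflag && confirm(argv[0], cp)) {
                tp = cp;
                if (mcase) {
                    /* Fold only names that have no lowercase letter at all.
                     * cp is at most MaxPathLen-1 bytes when it comes from
                     * remglob()'s buffer; NOTE(review): no bound is enforced
                     * for names taken from argv when globbing is off. */
                    while (*tp && !islower((unsigned char)*tp))
                        tp++;
                    if (!*tp) {
                        tp = cp;
                        tp2 = tmpbuf;
                        while ((*tp2 = *tp) != '\0') {
                            if (isupper((unsigned char)*tp2))
                                *tp2 = 'a' + *tp2 - 'A';
                            tp++;
                            tp2++;
                        }
                        tp = tmpbuf;
                    } else {
                        /* Mixed case: keep the name as is. */
                        tp = cp;
                    }
                }
                if (ntflag)
                    tp = dotrans(tp);
                if (mapflag)
                    tp = domap(tp);
                sendrequest((sunique) ? "STOU" : "STOR", cp, tp,
                            curtype == TYPE_I ? "rb" : "r",
                            cp != tp || !interactive);
                if (!mflag && fromatty) {
                    ointer = interactive;
                    interactive = 1;
                    if (confirm("Continue with", "mput"))
                        mflag++;
                    interactive = ointer;
                }
            }
        }
        signal(SIGINT, oldintr);
        mflag = 0;
        return;
    }
    for (i = 1; i < argc; i++) {
        char **cpp;
        glob_t gl;
        int flags;

        if (!doglob) {
            if (mflag && confirm(argv[0], argv[i])) {
                tp = (ntflag) ? dotrans(argv[i]) : argv[i];
                tp = (mapflag) ? domap(tp) : tp;
                /* Argument order: command, local, remote, mode, printnames. */
                sendrequest((sunique) ? "STOU" : "STOR", argv[i], tp,
                            curtype == TYPE_I ? "rb" : "r",
                            tp != argv[i] || !interactive);
                if (!mflag && fromatty) {
                    ointer = interactive;
                    interactive = 1;
                    if (confirm("Continue with", "mput"))
                        mflag++;
                    interactive = ointer;
                }
            }
            continue;
        }
        memset(&gl, 0, sizeof(gl));
        flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
        if (glob(argv[i], flags, NULL, &gl) || gl.gl_pathc == 0) {
            warnx("%s: not found", argv[i]);
            globfree(&gl);
            continue;
        }
        for (cpp = gl.gl_pathv; cpp && *cpp != NULL; cpp++) {
            if (mflag && confirm(argv[0], *cpp)) {
                tp = (ntflag) ? dotrans(*cpp) : *cpp;
                tp = (mapflag) ? domap(tp) : tp;
                sendrequest((sunique) ? "STOU" : "STOR", *cpp, tp,
                            curtype == TYPE_I ? "rb" : "r",
                            *cpp != tp || !interactive);
                if (!mflag && fromatty) {
                    ointer = interactive;
                    interactive = 1;
                    if (confirm("Continue with", "mput"))
                        mflag++;
                    interactive = ointer;
                }
            }
        }
        globfree(&gl);
    }
    signal(SIGINT, oldintr);
    mflag = 0;
}

/*
 * Resume an interrupted get: the local file is opened for update so the
 * transfer continues from its current size (see getit(), restartit == 1).
 */
void
reget(int argc, char **argv)
{
    getit(argc, argv, 1, curtype == TYPE_I ? "r+wb" : "r+w");
}

/*
 * Receive a file.  When a restart point is set (see restart()) the local
 * file is opened for update instead of being truncated.
 */
void
get(int argc, char **argv)
{
    char *filemode;

    if (restart_point) {
        if (curtype == TYPE_I)
            filemode = "r+wb";
        else
            filemode = "r+w";
    } else {
        if (curtype == TYPE_I)
            filemode = "wb";
        else
            filemode = "w";
    }
    getit(argc, argv, 0, filemode);
}

/*
 * Receive one file.
 *
 * argv[1] is the remote name and argv[2] the local name; when only the
 * remote name is given it is reused as the local name and the
 * case/ntrans/nmap rewriting applies to it.  restartit selects the
 * variant: 1 resumes at the current size of the local file (reget), -1
 * transfers only when the remote copy is newer than the local one
 * (newer), 0 is a plain get.
 *
 * Returns 1 when restartit == -1 and the local file is newer (nothing is
 * transferred), 0 otherwise.
 *
 * argv[2] may be rewritten in place — to tmpbuf below or to the static
 * buffers of dotrans()/domap() — so callers must not rely on it after
 * this function returns.  tmpbuf is declared at function scope because
 * it must stay alive until the recvrequest() call at the end; it used to
 * be local to the mcase block, which had already ended by then.
 */
int
getit(int argc, char **argv, int restartit, char *filemode)
{
    int loc = 0;
    int local_given = 1;
    char *oldargv1, *oldargv2;
    char tmpbuf[MaxPathLen];

    if (argc == 2) {
        argc++;
        local_given = 0;
        argv[2] = argv[1];
        loc++;
    }
    if ((argc < 2 && !another(&argc, &argv, "remote-file")) ||
        (argc < 3 && !another(&argc, &argv, "local-file"))) {
        printf("usage: %s remote-file [ local-file ]\n", argv[0]);
        code = -1;
        return (0);
    }
    oldargv1 = argv[1];
    oldargv2 = argv[2];
    if (!globulize(&argv[2])) {
        code = -1;
        return (0);
    }
    if (loc && mcase) {
        char *tp = argv[1], *tp2;

        /* Fold to lowercase only if the remote name has no lowercase letter.
         * NOTE(review): the copy into tmpbuf is not bounded; argv[2] is the
         * result of a local glob here — confirm it cannot exceed MaxPathLen. */
        while (*tp && !islower((unsigned char)*tp))
            tp++;
        if (!*tp) {
            tp = argv[2];
            tp2 = tmpbuf;
            while ((*tp2 = *tp) != '\0') {
                if (isupper((unsigned char)*tp2))
                    *tp2 = 'a' + *tp2 - 'A';
                tp++;
                tp2++;
            }
            argv[2] = tmpbuf;
        }
    }
    if (loc && ntflag)
        argv[2] = dotrans(argv[2]);
    if (loc && mapflag)
        argv[2] = domap(argv[2]);
    if (restartit) {
        struct stat stbuf;
        int ret;

        ret = stat(argv[2], &stbuf);
        if (restartit == 1) {
            if (ret < 0) {
                warn("local: %s", argv[2]);
                return (0);
            }
            restart_point = stbuf.st_size;
        } else if (ret == 0) {
            int overbose;
            int cmdret;
            int yy, mo, day, hour, min, sec;
            struct tm *tm;
            time_t mtime = stbuf.st_mtime;

            /* Ask for the remote modification time quietly unless debugging. */
            overbose = verbose;
            if (debug == 0)
                verbose = -1;
            cmdret = command("MDTM %s", argv[1]);
            verbose = overbose;
            if (cmdret != COMPLETE) {
                printf("%s\n", reply_string);
                return (0);
            }
            if (sscanf(reply_string, "%*s %04d%02d%02d%02d%02d%02d",
                       &yy, &mo, &day, &hour, &min, &sec) != 6) {
                printf("bad MDTM result\n");
                return (0);
            }
            tm = gmtime(&mtime);
            if (tm == NULL) {
                warn("gmtime");
                return (0);
            }
            tm->tm_mon++;
            tm->tm_year += 1900;
            /* NOTE(review): the later clauses do not require the earlier
             * fields to be equal (e.g. an older year with a later day still
             * counts as newer); the original comparison is kept unchanged. */
            if ((tm->tm_year > yy) ||
                (tm->tm_year == yy && tm->tm_mon > mo) ||
                (tm->tm_mon == mo && tm->tm_mday > day) ||
                (tm->tm_mday == day && tm->tm_hour > hour) ||
                (tm->tm_hour == hour && tm->tm_min > min) ||
                (tm->tm_min == min && tm->tm_sec > sec))
                return (1);
        }
    }
    recvrequest("RETR", argv[2], argv[1], filemode,
                argv[1] != oldargv1 || argv[2] != oldargv2, local_given);
    restart_point = 0;
    return (0);
}

/*
 * Decide whether a file name supplied by the remote server is unsafe to
 * use as a local file name: it must not escape the current directory
 * ("../" anywhere, or an absolute path) and must not start with '|',
 * which this client treats as a special local destination rather than an
 * ordinary file (see the "-"/'|' handling in ls() and mls()).
 */
static int
suspicious_filename(const char *fn)
{
    return strstr(fn, "../") != NULL || *fn == '/' || *fn == '|';
}

/*
 * Get multiple files.
 *
 * The names come from remglob(): the user's own arguments when globbing
 * is off, otherwise the server's NLST output.  The local name defaults to
 * the remote name (after case/ntrans/nmap rewriting), so a server-chosen
 * name is checked with suspicious_filename(): remglob() already drops
 * such names when not interactive; here the user is warned and asked to
 * confirm.
 */
void
mget(int argc, char **argv)
{
    sighand oldintr;
    int ch, ointer;
    char *cp, *tp, *tp2, tmpbuf[MaxPathLen];

    if (argc < 2 && !another(&argc, &argv, "remote-files")) {
        printf("usage: %s remote-files\n", argv[0]);
        code = -1;
        return;
    }
    mname = argv[0];
    mflag = 1;
    oldintr = signal(SIGINT, mabort);
    setjmp(jabort);
    while ((cp = remglob(argv, proxy)) != NULL) {
        if (*cp == '\0') {
            mflag = 0;
            continue;
        }
        if (mflag && suspicious_filename(cp))
            printf("*** Suspicious filename: %s\n", cp);
        if (mflag && confirm(argv[0], cp)) {
            tp = cp;
            if (mcase) {
                /* cp is at most MaxPathLen-1 bytes when it comes from
                 * remglob()'s buffer; NOTE(review): no bound is enforced
                 * for names taken from argv when globbing is off. */
                for (tp2 = tmpbuf; (ch = (unsigned char)*tp++);)
                    *tp2++ = tolower(ch);
                *tp2 = '\0';
                tp = tmpbuf;
            }
            if (ntflag)
                tp = dotrans(tp);
            if (mapflag)
                tp = domap(tp);
            recvrequest("RETR", tp, cp, curtype == TYPE_I ? "wb" : "w",
                        tp != cp || !interactive, 0);
            if (!mflag && fromatty) {
                ointer = interactive;
                interactive = 1;
                if (confirm("Continue with", "mget"))
                    mflag++;
                interactive = ointer;
            }
        }
    }
    signal(SIGINT, oldintr);
    mflag = 0;
}

/*
 * Return the next remote file name for an m* command, or NULL when done.
 *
 * With globbing off the names are argv[1..] in turn.  Otherwise the first
 * call issues an NLST for every argument (on the other connection when
 * doswitch is set), collects the output in a temporary file and then
 * hands back one line per call.  Names are returned in a static buffer
 * that the next call overwrites.  When not interactive, names rejected by
 * suspicious_filename() are skipped with a message; interactive callers
 * are expected to warn and confirm themselves (see mget()).
 *
 * NOTE(review): the descriptor from mkstemp() is closed and the path is
 * then reused by name (written by recvrequest(), reopened with fopen()),
 * which forfeits the atomicity mkstemp() provides.  `temp' is 16 bytes,
 * so _PATH_TMP_XXX must be shorter than that for the template to survive
 * strlcpy() — confirm.  A listing line longer than buf is returned as two
 * separate names.
 */
char *
remglob(char **argv, int doswitch)
{
    char temp[16];
    static char buf[MaxPathLen];
    static FILE *ftemp = NULL;
    static char **args;
    int oldverbose, oldhash;
    char *cp, *filemode;

    if (!mflag) {
        /* Aborted or finished: reset the iteration state. */
        if (!doglob) {
            args = NULL;
        } else {
            if (ftemp) {
                fclose(ftemp);
                ftemp = NULL;
            }
        }
        return (NULL);
    }
    if (!doglob) {
        if (args == NULL)
            args = argv;
        if ((cp = *++args) == NULL)
            args = NULL;
        return (cp);
    }
    if (ftemp == NULL) {
        int fd;

        strlcpy(temp, _PATH_TMP_XXX, sizeof(temp));
        fd = mkstemp(temp);
        if (fd < 0) {
            warn("unable to create temporary file %s", temp);
            return NULL;
        }
        close(fd);
        /* Fetch the listings quietly. */
        oldverbose = verbose, verbose = 0;
        oldhash = hash, hash = 0;
        if (doswitch)
            pswitch(!proxy);
        for (filemode = "w"; *++argv != NULL; filemode = "a")
            recvrequest("NLST", temp, *argv, filemode, 0, 0);
        if (doswitch)
            pswitch(!proxy);
        verbose = oldverbose;
        hash = oldhash;
        ftemp = fopen(temp, "r");
        unlink(temp);
        if (ftemp == NULL) {
            printf("can't find list of remote files, oops\n");
            return (NULL);
        }
    }
    while (fgets(buf, sizeof (buf), ftemp)) {
        if ((cp = strchr(buf, '\n')) != NULL)
            *cp = '\0';
        if (!interactive && suspicious_filename(buf)) {
            printf("Ignoring remote globbed file `%s'\n", buf);
            continue;
        }
        return buf;
    }
    fclose(ftemp);
    ftemp = NULL;
    return (NULL);
}

/* Render a flag as "on"/"off" for status output. */
char *
onoff(int bool)
{
    return (bool ? "on" : "off");
}

/*
 * Show status.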
*/ /*ARGSUSED*/ void status(int argc, char **argv) { int i; if (connected) printf("Connected to %s.\n", hostname); else printf("Not connected.\n"); if (!proxy) { pswitch(1); if (connected) { printf("Connected for proxy commands to %s.\n", hostname); } else { printf("No proxy connection.\n"); } pswitch(0); } sec_status(); printf("Mode: %s; Type: %s; Form: %s; Structure: %s\n", modename, typename, formname, structname); printf("Verbose: %s; Bell: %s; Prompting: %s; Globbing: %s\n", onoff(verbose), onoff(bell), onoff(interactive), onoff(doglob)); printf("Store unique: %s; Receive unique: %s\n", onoff(sunique), onoff(runique)); printf("Case: %s; CR stripping: %s\n",onoff(mcase),onoff(crflag)); if (ntflag) { printf("Ntrans: (in) %s (out) %s\n", ntin,ntout); } else { printf("Ntrans: off\n"); } if (mapflag) { printf("Nmap: (in) %s (out) %s\n", mapin, mapout); } else { printf("Nmap: off\n"); } printf("Hash mark printing: %s; Use of PORT cmds: %s\n", onoff(hash), onoff(sendport)); if (macnum > 0) { printf("Macros:\n"); for (i=0; i 1) { val = atoi(argv[1]); if (val < 0) { printf("%s: bad debugging value.\n", argv[1]); code = -1; return; } } else val = !debug; debug = val; if (debug) options |= SO_DEBUG; else options &= ~SO_DEBUG; printf("Debugging %s (debug=%d).\n", onoff(debug), debug); code = debug > 0; } /* * Set current working directory * on remote machine. */ void cd(int argc, char **argv) { if (argc < 2 && !another(&argc, &argv, "remote-directory")) { printf("usage: %s remote-directory\n", argv[0]); code = -1; return; } if (command("CWD %s", argv[1]) == ERROR && code == 500) { if (verbose) printf("CWD command not recognized, trying XCWD\n"); command("XCWD %s", argv[1]); } } /* * Set current working directory * on local machine. 
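*/
/*
 * Change the local working directory; with no argument go to `home'.
 */
void
lcd(int argc, char **argv)
{
    char buf[MaxPathLen];

    if (argc < 2)
        argc++, argv[1] = home;
    if (argc != 2) {
        printf("usage: %s local-directory\n", argv[0]);
        code = -1;
        return;
    }
    if (!globulize(&argv[1])) {
        code = -1;
        return;
    }
    if (chdir(argv[1]) < 0) {
        warn("local: %s", argv[1]);
        code = -1;
        return;
    }
    if (getcwd(buf, sizeof(buf)) != NULL)
        printf("Local directory now %s\n", buf);
    else
        /* buf is indeterminate when getcwd() fails; report errno instead. */
        warn("getcwd");
    code = 0;
}

/*
 * Delete a single remote file.
 */
void
delete(int argc, char **argv)
{
    if (argc < 2 && !another(&argc, &argv, "remote-file")) {
        printf("usage: %s remote-file\n", argv[0]);
        code = -1;
        return;
    }
    command("DELE %s", argv[1]);
}

/*
 * Delete multiple remote files, confirming each one while `mflag' is set
 * (names come from remglob(); mabort() clears mflag on SIGINT).
 */
void
mdelete(int argc, char **argv)
{
    sighand oldintr;
    int ointer;
    char *cp;

    if (argc < 2 && !another(&argc, &argv, "remote-files")) {
        printf("usage: %s remote-files\n", argv[0]);
        code = -1;
        return;
    }
    mname = argv[0];
    mflag = 1;
    oldintr = signal(SIGINT, mabort);
    setjmp(jabort);
    while ((cp = remglob(argv, 0)) != NULL) {
        if (*cp == '\0') {
            mflag = 0;
            continue;
        }
        if (mflag && confirm(argv[0], cp)) {
            command("DELE %s", cp);
            if (!mflag && fromatty) {
                ointer = interactive;
                interactive = 1;
                if (confirm("Continue with", "mdelete"))
                    mflag++;
                interactive = ointer;
            }
        }
    }
    signal(SIGINT, oldintr);
    mflag = 0;
}

/*
 * Rename a remote file (RNFR followed by RNTO when the server agrees).
 */
void
renamefile(int argc, char **argv)
{
    if (argc < 2 && !another(&argc, &argv, "from-name"))
        goto usage;
    if (argc < 3 && !another(&argc, &argv, "to-name")) {
usage:
        printf("%s from-name to-name\n", argv[0]);
        code = -1;
        return;
    }
    if (command("RNFR %s", argv[1]) == CONTINUE)
        command("RNTO %s", argv[2]);
}

/*
 * Get a directory listing of remote files.
 *
 * argv[1] is the remote directory (may be absent), argv[2] the local
 * destination, defaulting to "-".  A destination starting with '|' is
 * passed through untouched, as in mls(); any other file name is globbed
 * once and confirmed.  (The previous version globbed the destination
 * twice, the first time even for '|' destinations.)  "nlist" sends NLST,
 * "ls" and "dir" send LIST.
 */
void
ls(int argc, char **argv)
{
    char *cmd;

    if (argc < 2)
        argc++, argv[1] = NULL;
    if (argc < 3)
        argc++, argv[2] = "-";
    if (argc > 3) {
        printf("usage: %s remote-directory local-file\n", argv[0]);
        code = -1;
        return;
    }
    cmd = argv[0][0] == 'n' ? "NLST" : "LIST";
    if (strcmp(argv[2], "-") && *argv[2] != '|') {
        if (!globulize(&argv[2]) ||
            !confirm("output to local-file:", argv[2])) {
            code = -1;
            return;
        }
    }
    recvrequest(cmd, argv[2], argv[1], "w", 0, 1);
}

/*
 * Get a directory listing of multiple remote files.  The last argument is
 * the local destination; all listings are appended to it in turn.
 */
void
mls(int argc, char **argv)
{
    sighand oldintr;
    int ointer, i;
    char *cmd, filemode[2], *dest;

    if (argc < 2 && !another(&argc, &argv, "remote-files"))
        goto usage;
    if (argc < 3 && !another(&argc, &argv, "local-file")) {
usage:
        printf("usage: %s remote-files local-file\n", argv[0]);
        code = -1;
        return;
    }
    dest = argv[argc - 1];
    argv[argc - 1] = NULL;
    if (strcmp(dest, "-") && *dest != '|')
        if (!globulize(&dest) ||
            !confirm("output to local-file:", dest)) {
            code = -1;
            return;
        }
    /* "mls" -> NLST, "mdir" -> LIST (decided by the second letter). */
    cmd = argv[0][1] == 'l' ? "NLST" : "LIST";
    mname = argv[0];
    mflag = 1;
    oldintr = signal(SIGINT, mabort);
    setjmp(jabort);
    filemode[1] = '\0';
    for (i = 1; mflag && i < argc-1; ++i) {
        /* First listing truncates the destination, the rest append. */
        *filemode = (i == 1) ?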
'w' : 'a'; recvrequest(cmd, dest, argv[i], filemode, 0, 1); if (!mflag && fromatty) { ointer = interactive; interactive = 1; if (confirm("Continue with", argv[0])) { mflag ++; } interactive = ointer; } } signal(SIGINT, oldintr); mflag = 0; } /* * Do a shell escape */ /*ARGSUSED*/ void shell(int argc, char **argv) { pid_t pid; RETSIGTYPE (*old1)(int), (*old2)(int); char shellnam[40], *shellpath, *namep; int waitstatus; old1 = signal (SIGINT, SIG_IGN); old2 = signal (SIGQUIT, SIG_IGN); if ((pid = fork()) == 0) { for (pid = 3; pid < 20; pid++) close(pid); signal(SIGINT, SIG_DFL); signal(SIGQUIT, SIG_DFL); shellpath = getenv("SHELL"); if (shellpath == NULL) shellpath = _PATH_BSHELL; namep = strrchr(shellpath, '/'); if (namep == NULL) namep = shellpath; snprintf (shellnam, sizeof(shellnam), "-%s", ++namep); if (strcmp(namep, "sh") != 0) shellnam[0] = '+'; if (debug) { printf ("%s\n", shellpath); fflush (stdout); } if (argc > 1) { execl(shellpath,shellnam,"-c",altarg,(char *)0); } else { execl(shellpath,shellnam,(char *)0); } warn("%s", shellpath); code = -1; exit(1); } if (pid > 0) while (waitpid(-1, &waitstatus, 0) != pid) ; signal(SIGINT, old1); signal(SIGQUIT, old2); if (pid == -1) { warn("%s", "Try again later"); code = -1; } else { code = 0; } } /* * Send new user information (re-login) */ void user(int argc, char **argv) { char acctstr[80]; int n, aflag = 0; char tmp[256]; if (argc < 2) another(&argc, &argv, "username"); if (argc < 2 || argc > 4) { printf("usage: %s username [password] [account]\n", argv[0]); code = -1; return; } n = command("USER %s", argv[1]); if (n == CONTINUE) { if (argc < 3 ) { UI_UTIL_read_pw_string (tmp, sizeof(tmp), "Password: ", 0); argv[2] = tmp; argc++; } n = command("PASS %s", argv[2]); } if (n == CONTINUE) { if (argc < 4) { printf("Account: "); fflush(stdout); if (fgets(acctstr, sizeof(acctstr) - 1, stdin) == NULL) acctstr[0] = '\0'; acctstr[strcspn(acctstr, "\r\n")] = '\0'; argv[3] = acctstr; argc++; } n = command("ACCT %s", 
argv[3]); aflag++; } if (n != COMPLETE) { fprintf(stdout, "Login failed.\n"); return; } if (!aflag && argc == 4) { command("ACCT %s", argv[3]); } } /* * Print working directory. */ /*VARARGS*/ void pwd(int argc, char **argv) { int oldverbose = verbose; /* * If we aren't verbose, this doesn't do anything! */ verbose = 1; if (command("PWD") == ERROR && code == 500) { printf("PWD command not recognized, trying XPWD\n"); command("XPWD"); } verbose = oldverbose; } /* * Make a directory. */ void makedir(int argc, char **argv) { if (argc < 2 && !another(&argc, &argv, "directory-name")) { printf("usage: %s directory-name\n", argv[0]); code = -1; return; } if (command("MKD %s", argv[1]) == ERROR && code == 500) { if (verbose) printf("MKD command not recognized, trying XMKD\n"); command("XMKD %s", argv[1]); } } /* * Remove a directory. */ void removedir(int argc, char **argv) { if (argc < 2 && !another(&argc, &argv, "directory-name")) { printf("usage: %s directory-name\n", argv[0]); code = -1; return; } if (command("RMD %s", argv[1]) == ERROR && code == 500) { if (verbose) printf("RMD command not recognized, trying XRMD\n"); command("XRMD %s", argv[1]); } } /* * Send a line, verbatim, to the remote machine. */ void quote(int argc, char **argv) { if (argc < 2 && !another(&argc, &argv, "command line to send")) { printf("usage: %s line-to-send\n", argv[0]); code = -1; return; } quote1("", argc, argv); } /* * Send a SITE command to the remote machine. The line * is sent verbatim to the remote machine, except that the * word "SITE" is added at the front. */ void site(int argc, char **argv) { if (argc < 2 && !another(&argc, &argv, "arguments to SITE command")) { printf("usage: %s line-to-send\n", argv[0]); code = -1; return; } quote1("SITE ", argc, argv); } /* * Turn argv[1..argc) into a space-separated string, then prepend initial text. * Send the result as a one-line command and get response. 
*/ void quote1(char *initial, int argc, char **argv) { int i; char buf[BUFSIZ]; /* must be >= sizeof(line) */ strlcpy(buf, initial, sizeof(buf)); for(i = 1; i < argc; i++) { if(i > 1) strlcat(buf, " ", sizeof(buf)); strlcat(buf, argv[i], sizeof(buf)); } if (command("%s", buf) == PRELIM) { while (getreply(0) == PRELIM) continue; } } void do_chmod(int argc, char **argv) { if (argc < 2 && !another(&argc, &argv, "mode")) goto usage; if (argc < 3 && !another(&argc, &argv, "file-name")) { usage: printf("usage: %s mode file-name\n", argv[0]); code = -1; return; } command("SITE CHMOD %s %s", argv[1], argv[2]); } void do_umask(int argc, char **argv) { int oldverbose = verbose; verbose = 1; if (argc == 1) command("SITE UMASK"); else command("SITE UMASK %s", argv[1]); verbose = oldverbose; } void ftp_idle(int argc, char **argv) { int oldverbose = verbose; verbose = 1; if (argc == 1) command("SITE IDLE"); else command("SITE IDLE %s", argv[1]); verbose = oldverbose; } /* * Ask the other side for help. */ void rmthelp(int argc, char **argv) { int oldverbose = verbose; verbose = 1; if (argc == 1) command("HELP"); else command("HELP %s", argv[1]); verbose = oldverbose; } /* * Terminate session and exit. */ /*VARARGS*/ void quit(int argc, char **argv) { if (connected) disconnect(0, 0); pswitch(1); if (connected) { disconnect(0, 0); } exit(0); } /* * Terminate session, but don't exit. */ void disconnect(int argc, char **argv) { if (!connected) return; command("QUIT"); if (cout) { fclose(cout); } cout = NULL; connected = 0; sec_end(); data = -1; if (!proxy) { macnum = 0; } } int confirm(char *cmd, char *file) { char buf[BUFSIZ]; if (!interactive) return (1); printf("%s %s? ", cmd, file); fflush(stdout); if (fgets(buf, sizeof buf, stdin) == NULL) return (0); return (*buf == 'y' || *buf == 'Y'); } void fatal(char *msg) { errx(1, "%s", msg); } /* * Glob a local file name specification with * the expectation of a single return value. 
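* Can't control multiple values being expanded
 * from the expression, we return only the first.
 *
 * Returns 1 on success with *cpp replaced by a freshly allocated copy of
 * the first match (or untouched when globbing is off); returns 0 after a
 * warning when glob() fails or matches nothing (GLOB_NOCHECK normally
 * makes an unmatched pattern expand to itself).  A strdup() failure now
 * also returns 0 instead of leaving *cpp NULL for the caller to use.
 */
int
globulize(char **cpp)
{
    glob_t gl;
    int flags;
    char *cp;

    if (!doglob)
        return (1);
    flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
    memset(&gl, 0, sizeof(gl));
    if (glob(*cpp, flags, NULL, &gl) || gl.gl_pathc == 0) {
        warnx("%s: not found", *cpp);
        globfree(&gl);
        return (0);
    }
    /* XXX - wasted memory: callers keep the pointer and never free it. */
    cp = strdup(gl.gl_pathv[0]);
    globfree(&gl);
    if (cp == NULL) {
        warn("strdup");
        return (0);
    }
    *cpp = cp;
    return (1);
}

/*
 * Send an ACCT command.  The arguments are concatenated (without
 * separators) into a 50-byte buffer; with no argument the account string
 * is read without echo.
 */
void
account(int argc, char **argv)
{
    char acctstr[50];

    if (argc > 1) {
        ++argv;
        --argc;
        strlcpy(acctstr, *argv, sizeof(acctstr));
        while (argc > 1) {
            --argc;
            ++argv;
            strlcat(acctstr, *argv, sizeof(acctstr));
        }
    } else {
        UI_UTIL_read_pw_string(acctstr, sizeof(acctstr), "Account:", 0);
    }
    command("ACCT %s", acctstr);
}

jmp_buf abortprox;

/*
 * SIGINT handler while a proxy command runs: record whether the proxy
 * connection is still up, switch back to the primary connection and
 * unwind into doproxy().
 */
static RETSIGTYPE
proxabort(int sig)
{
    if (!proxy)
        pswitch(1);
    if (connected)
        proxflag = 1;
    else
        proxflag = 0;
    pswitch(0);
    longjmp(abortprox, 1);
}

/*
 * Run one command on the secondary (proxy) connection.  The command must
 * be marked as proxy-capable in cmdtab; commands that need a connection
 * are refused when the proxy side is not connected.
 *
 * NOTE(review): on the longjmp path (setjmp() returning non-zero) the
 * previous SIGINT handler is not restored, and `oldintr' is assigned
 * after setjmp() without being volatile — kept as in the original.
 */
void
doproxy(int argc, char **argv)
{
    struct cmd *c;
    RETSIGTYPE (*oldintr)(int);

    if (argc < 2 && !another(&argc, &argv, "command")) {
        printf("usage: %s command\n", argv[0]);
        code = -1;
        return;
    }
    c = getcmd(argv[1]);
    if (c == (struct cmd *) -1) {
        printf("?Ambiguous command\n");
        fflush(stdout);
        code = -1;
        return;
    }
    if (c == 0) {
        printf("?Invalid command\n");
        fflush(stdout);
        code = -1;
        return;
    }
    if (!c->c_proxy) {
        printf("?Invalid proxy command\n");
        fflush(stdout);
        code = -1;
        return;
    }
    if (setjmp(abortprox)) {
        code = -1;
        return;
    }
    oldintr = signal(SIGINT, proxabort);
    pswitch(1);
    if (c->c_conn && !connected) {
        printf("Not connected\n");
        fflush(stdout);
        pswitch(0);
        signal(SIGINT, oldintr);
        code = -1;
        return;
    }
    (*c->c_handler)(argc-1, argv+1);
    if (connected)
        proxflag = 1;
    else
        proxflag = 0;
    pswitch(0);
    signal(SIGINT, oldintr);
}

/* Toggle mget/mput case folding. */
void
setcase(int argc, char **argv)
{
    mcase = !mcase;
    printf("Case mapping %s.\n", onoff(mcase));
    code = mcase;
}

/* Toggle carriage-return stripping on ASCII gets. */
void
setcr(int argc, char **argv)
{
    crflag = !crflag;
    printf("Carriage Return stripping %s.\n", onoff(crflag));
    code = crflag;
}

/*
 * Set the ntrans character translation table: argv[1] is the input set,
 * argv[2] the output set (empty when omitted); no arguments turns it off.
 * NOTE(review): 17 is presumably the declared size of ntin/ntout
 * (16 characters plus NUL, matching the limit in dotrans()) — confirm.
 */
void
setntrans(int argc, char **argv)
{
    if (argc == 1) {
        ntflag = 0;
        printf("Ntrans off.\n");
        code = ntflag;
        return;
    }
    ntflag++;
    code = ntflag;
    strlcpy(ntin, argv[1], 17);
    if (argc == 2) {
        ntout[0] = '\0';
        return;
    }
    strlcpy(ntout, argv[2], 17);
}

/*
 * Apply the ntrans table to `name': every character found in ntin is
 * replaced by the character at the same position in ntout, or dropped if
 * ntout is shorter.  Returns a static buffer; the result is never longer
 * than the input, so `name' must fit in MaxPathLen.
 */
char *
dotrans(char *name)
{
    static char new[MaxPathLen];
    char *cp1, *cp2 = new;
    int i, ostop, found;

    for (ostop = 0; *(ntout + ostop) && ostop < 16; ostop++)
        continue;
    for (cp1 = name; *cp1; cp1++) {
        found = 0;
        for (i = 0; *(ntin + i) && i < 16; i++) {
            if (*cp1 == *(ntin + i)) {
                found++;
                if (i < ostop)
                    *cp2++ = *(ntout + i);
                break;
            }
        }
        if (!found)
            *cp2++ = *cp1;
    }
    *cp2 = '\0';
    return (new);
}

/*
 * Set the nmap templates from the raw command line (`altarg'): the
 * input template ends at the first space, the output template follows.
 * No arguments turns mapping off.
 *
 * Changes relative to the previous version: the second strchr() in the
 * proxy branch could return NULL and was dereferenced unconditionally;
 * and mapping is now enabled only once both templates have been stored,
 * so a rejected command line no longer leaves mapping on with stale
 * templates.
 */
void
setnmap(int argc, char **argv)
{
    char *cp;

    if (argc == 1) {
        mapflag = 0;
        printf("Nmap off.\n");
        code = mapflag;
        return;
    }
    if (argc < 3 && !another(&argc, &argv, "mapout")) {
        printf("Usage: %s [mapin mapout]\n", argv[0]);
        code = -1;
        return;
    }
    cp = strchr(altarg, ' ');
    if (cp == NULL) {
        printf("Usage: %s missing space\n", argv[0]);
        code = -1;
        return;
    }
    if (proxy) {
        /* Under "proxy nmap ..." altarg still starts with the word "nmap". */
        while (*++cp == ' ')
            continue;
        altarg = cp;
        cp = strchr(altarg, ' ');
        if (cp == NULL) {
            printf("Usage: %s missing space\n", argv[0]);
            code = -1;
            return;
        }
    }
    *cp = '\0';
    strlcpy(mapin, altarg, MaxPathLen);
    while (*++cp == ' ')
        continue;
    strlcpy(mapout, cp, MaxPathLen);
    mapflag = 1;
    code = 1;
}

/*
 * Map `name' through the nmap templates.
 *
 * First pass: match `name' against mapin, where $1..$9 capture a run of
 * characters up to the following template character and '\' escapes the
 * next character.  Second pass: build the result from mapout, where $0 is
 * the whole name, $1..$9 the captures, and [a,b,...] picks the first
 * alternative whose captures are all present.  Returns `name' itself when
 * the result would be empty or the brackets are unbalanced, otherwise a
 * static buffer overwritten by the next call.
 *
 * Fix: the digit test in the first pass read `(*cp2+1) <= '9'' instead of
 * `*(cp2+1) <= '9''; since *cp2 is '$' that clause was always true, so a
 * template like "$a" indexed toks[]/tp[]/te[] far out of bounds.
 *
 * NOTE(review): writes into `new' are not bounded; an output template that
 * repeats $0 can produce more than MaxPathLen bytes from a long name.
 */
char *
domap(char *name)
{
    static char new[MaxPathLen];
    char *cp1 = name, *cp2 = mapin;
    char *tp[9], *te[9];
    int i, toks[9], toknum = 0, match = 1;

    for (i = 0; i < 9; ++i)
        toks[i] = 0;
    while (match && *cp1 && *cp2) {
        switch (*cp2) {
        case '\\':
            if (*++cp2 != *cp1)
                match = 0;
            break;
        case '$':
            if (*(cp2+1) >= '1' && *(cp2+1) <= '9') {
                if (*cp1 != *(++cp2+1)) {
                    toks[toknum = *cp2 - '1']++;
                    tp[toknum] = cp1;
                    while (*++cp1 && *(cp2+1) != *cp1)
                        ;
                    te[toknum] = cp1;
                }
                cp2++;
                break;
            }
            /* FALLTHROUGH */
        default:
            if (*cp2 != *cp1)
                match = 0;
            break;
        }
        if (match && *cp1)
            cp1++;
        if (match && *cp2)
            cp2++;
    }
    if (!match && *cp1) /* last token mismatch */
        toks[toknum] = 0;
    cp1 = new;
    *cp1 = '\0';
    cp2 = mapout;
    while (*cp2) {
        match = 0;
        switch (*cp2) {
        case '\\':
            if (*(cp2 + 1))
                *cp1++ = *++cp2;
            break;
        case '[':
        LOOP:
            if (*++cp2 == '$' && isdigit((unsigned char)*(cp2+1))) {
                if (*++cp2 == '0') {
                    char *cp3 = name;

                    while (*cp3)
                        *cp1++ = *cp3++;
                    match = 1;
                } else if (toks[toknum = *cp2 - '1']) {
                    char *cp3 = tp[toknum];

                    while (cp3 != te[toknum])
                        *cp1++ = *cp3++;
                    match = 1;
                }
            } else {
                /* Literal alternative, possibly containing $n references.
                 * NOTE(review): after a $n the digit is not skipped and is
                 * copied on the next iteration — kept as in the original. */
                while (*cp2 && *cp2 != ',' && *cp2 != ']') {
                    if (*cp2 == '\\') {
                        cp2++;
                    } else if (*cp2 == '$' &&
                               isdigit((unsigned char)*(cp2+1))) {
                        if (*++cp2 == '0') {
                            char *cp3 = name;

                            while (*cp3)
                                *cp1++ = *cp3++;
                        } else if (toks[toknum = *cp2 - '1']) {
                            char *cp3 = tp[toknum];

                            while (cp3 != te[toknum])
                                *cp1++ = *cp3++;
                        }
                    } else if (*cp2) {
                        *cp1++ = *cp2++;
                    }
                }
                if (!*cp2) {
                    printf("nmap: unbalanced brackets\n");
                    return (name);
                }
                match = 1;
                cp2--;
            }
            if (match) {
                /* Skip the remaining alternatives up to the closing ']'. */
                while (*++cp2 && *cp2 != ']') {
                    if (*cp2 == '\\' && *(cp2 + 1))
                        cp2++;
                }
                if (!*cp2) {
                    printf("nmap: unbalanced brackets\n");
                    return (name);
                }
                break;
            }
            switch (*++cp2) {
            case ',':
                goto LOOP;
            case ']':
                break;
            default:
                cp2--;
                goto LOOP;
            }
            break;
        case '$':
            if (isdigit((unsigned char)*(cp2 + 1))) {
                if (*++cp2 == '0') {
                    char *cp3 = name;

                    while (*cp3)
                        *cp1++ = *cp3++;
                } else if (toks[toknum = *cp2 - '1']) {
                    char *cp3 = tp[toknum];

                    while (cp3 != te[toknum])
                        *cp1++ = *cp3++;
                }
                break;
            }
            /* intentional drop through */
        default:
            *cp1++ = *cp2;
            break;
        }
        cp2++;
    }
    *cp1 = '\0';
    if (!*new)
        return (name);
    return (new);
}

/* Toggle passive (PASV) data connections. */
void
setpassive(int argc, char **argv)
{
    passivemode = !passivemode;
    printf("Passive mode %s.\n", onoff(passivemode));
    code = passivemode;
}

/* Toggle STOU (store unique) for uploads. */
void
setsunique(int argc, char **argv)
{
    sunique = !sunique;
    printf("Store unique %s.\n", onoff(sunique));
    code = sunique;
}

/* Toggle unique local names for downloads. */
void
setrunique(int argc, char **argv)
{
    runique = !runique;
    printf("Receive unique %s.\n", onoff(runique));
    code = runique;
}

/* change directory to parent directory */
void
cdup(int argc, char **argv)
{
    if (command("CDUP") == ERROR && code == 500) {
        if (verbose)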
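printf("CDUP command not recognized, trying XCUP\n");
        command("XCUP");
    }
}

/* restart transfer at specific point */
void
restart(int argc, char **argv)
{
    if (argc != 2)
        printf("restart: offset not specified\n");
    else {
        restart_point = atol(argv[1]);
        printf("restarting at %ld. %s\n", (long)restart_point,
               "execute get, put or append to initiate transfer");
    }
}

/* show remote system type */
void
syst(int argc, char **argv)
{
    command("SYST");
}

/*
 * Define a macro: read lines from stdin into macbuf until an empty line,
 * storing each line NUL-terminated after the previous macro.
 * NOTE(review): the 4096 limit is hard-coded here and must match the size
 * of macbuf, which is declared elsewhere — confirm.
 */
void
macdef(int argc, char **argv)
{
    char *tmp;
    int c;

    if (macnum == 16) {
        printf("Limit of 16 macros have already been defined\n");
        code = -1;
        return;
    }
    if (argc < 2 && !another(&argc, &argv, "macro name")) {
        printf("Usage: %s macro_name\n", argv[0]);
        code = -1;
        return;
    }
    if (interactive)
        printf("Enter macro line by line, terminating it with a null line\n");
    strlcpy(macros[macnum].mac_name, argv[1],
            sizeof(macros[macnum].mac_name));
    if (macnum == 0)
        macros[macnum].mac_start = macbuf;
    else
        macros[macnum].mac_start = macros[macnum - 1].mac_end + 1;
    tmp = macros[macnum].mac_start;
    while (tmp != macbuf+4096) {
        if ((c = getchar()) == EOF) {
            printf("macdef:end of file encountered\n");
            code = -1;
            return;
        }
        if ((*tmp = c) == '\n') {
            /* An empty line (first line, or one right after a line end)
             * terminates the macro. */
            if (tmp == macros[macnum].mac_start) {
                macros[macnum++].mac_end = tmp;
                code = 0;
                return;
            }
            if (*(tmp-1) == '\0') {
                macros[macnum++].mac_end = tmp - 1;
                code = 0;
                return;
            }
            *tmp = '\0';
        }
        tmp++;
    }
    /* Buffer full: drain input up to the terminating empty line. */
    while (1) {
        while ((c = getchar()) != '\n' && c != EOF)
            /* LOOP */;
        if (c == EOF || getchar() == '\n') {
            printf("Macro not defined - 4k buffer exceeded\n");
            code = -1;
            return;
        }
    }
}

/*
 * get size of file on remote machine
 */
void
sizecmd(int argc, char **argv)
{
    if (argc < 2 && !another(&argc, &argv, "filename")) {
        printf("usage: %s filename\n", argv[0]);
        code = -1;
        return;
    }
    command("SIZE %s", argv[1]);
}

/*
 * get last modification time of file on remote machine
 *
 * Fix: the sscanf() result was ignored, so a malformed reply printed
 * uninitialised fields; like getit() we now require all six fields.
 */
void
modtime(int argc, char **argv)
{
    int overbose;

    if (argc < 2 && !another(&argc, &argv, "filename")) {
        printf("usage: %s filename\n", argv[0]);
        code = -1;
        return;
    }
    /* Suppress the reply echo unless debugging. */
    overbose = verbose;
    if (debug == 0)
        verbose = -1;
    if (command("MDTM %s", argv[1]) == COMPLETE) {
        int yy, mo, day, hour, min, sec;

        if (sscanf(reply_string, "%*s %04d%02d%02d%02d%02d%02d",
                   &yy, &mo, &day, &hour, &min, &sec) != 6)
            printf("bad MDTM result\n");
        else
            /* might want to print this in local time */
            printf("%s\t%02d/%02d/%04d %02d:%02d:%02d GMT\n", argv[1],
                   mo, day, yy, hour, min, sec);
    } else
        printf("%s\n", reply_string);
    verbose = overbose;
}

/*
 * show status on remote machine
 */
void
rmtstatus(int argc, char **argv)
{
    if (argc == 1)
        command("STAT");
    else
        command("STAT %s", argv[1]);
}

/*
 * get file if modtime is more recent than current file
 *
 * NOTE(review): argv[2] is printed after getit() returns, and getit() may
 * have rewritten argv[2] in place (possibly to a buffer of its own) —
 * confirm, or save the local name before the call.
 */
void
newer(int argc, char **argv)
{
    if (getit(argc, argv, -1, curtype == TYPE_I ? "wb" : "w"))
        printf("Local file \"%s\" is newer than remote file \"%s\"\n",
               argv[2], argv[1]);
}

/* Ask the server to list its tickets (SITE KLIST). */
void
klist(int argc, char **argv)
{
    int ret;

    if (argc != 1) {
        printf("usage: %s\n", argv[0]);
        code = -1;
        return;
    }
    ret = command("SITE KLIST");
    code = (ret == COMPLETE);
}
heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/cmdtab.c000066400000000000000000000216741257755311500213700ustar00rootroot00000000000000/*
 * Copyright (c) 1985, 1989, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4.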
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "ftp_locl.h" /* * User FTP -- Command Tables. 
*/ char accounthelp[] = "send account command to remote server"; char appendhelp[] = "append to a file"; char asciihelp[] = "set ascii transfer type"; char beephelp[] = "beep when command completed"; char binaryhelp[] = "set binary transfer type"; char casehelp[] = "toggle mget upper/lower case id mapping"; char cdhelp[] = "change remote working directory"; char cduphelp[] = "change remote working directory to parent directory"; char chmodhelp[] = "change file permissions of remote file"; char connecthelp[] = "connect to remote tftp"; char crhelp[] = "toggle carriage return stripping on ascii gets"; char deletehelp[] = "delete remote file"; char debughelp[] = "toggle/set debugging mode"; char dirhelp[] = "list contents of remote directory"; char disconhelp[] = "terminate ftp session"; char domachelp[] = "execute macro"; char formhelp[] = "set file transfer format"; char globhelp[] = "toggle metacharacter expansion of local file names"; char hashhelp[] = "toggle printing `#' for each buffer transferred"; char helphelp[] = "print local help information"; char idlehelp[] = "get (set) idle timer on remote side"; char lcdhelp[] = "change local working directory"; char lshelp[] = "list contents of remote directory"; char macdefhelp[] = "define a macro"; char mdeletehelp[] = "delete multiple files"; char mdirhelp[] = "list contents of multiple remote directories"; char mgethelp[] = "get multiple files"; char mkdirhelp[] = "make directory on the remote machine"; char mlshelp[] = "list contents of multiple remote directories"; char modtimehelp[] = "show last modification time of remote file"; char modehelp[] = "set file transfer mode"; char mputhelp[] = "send multiple files"; char newerhelp[] = "get file if remote file is newer than local file "; char nlisthelp[] = "nlist contents of remote directory"; char nmaphelp[] = "set templates for default file name mapping"; char ntranshelp[] = "set translation table for default file name mapping"; char porthelp[] = "toggle use of 
PORT cmd for each data connection";
char prompthelp[] =	"force interactive prompting on multiple commands";
char proxyhelp[] =	"issue command on alternate connection";
char pwdhelp[] =	"print working directory on remote machine";
char quithelp[] =	"terminate ftp session and exit";
char quotehelp[] =	"send arbitrary ftp command";
char receivehelp[] =	"receive file";
char regethelp[] =	"get file restarting at end of local file";
char remotehelp[] =	"get help from remote server";
char renamehelp[] =	"rename file";
char restarthelp[]=	"restart file transfer at bytecount";
char rmdirhelp[] =	"remove directory on the remote machine";
char rmtstatushelp[]=	"show status of remote machine";
char runiquehelp[] =	"toggle store unique for local files";
char resethelp[] =	"clear queued command replies";
char sendhelp[] =	"send one file";
char passivehelp[] =	"enter passive transfer mode";
char sitehelp[] =	"send site specific command to remote server\n\t\tTry \"rhelp site\" or \"site help\" for more information";
char shellhelp[] =	"escape to the shell";
char sizecmdhelp[] =	"show size of remote file";
char statushelp[] =	"show current status";
char structhelp[] =	"set file transfer structure";
char suniquehelp[] =	"toggle store unique on remote machine";
char systemhelp[] =	"show remote system type";
char tenexhelp[] =	"set tenex file transfer type";
char tracehelp[] =	"toggle packet tracing";
char typehelp[] =	"set file transfer type";
char umaskhelp[] =	"get (set) umask on remote side";
char userhelp[] =	"send new user information";
char verbosehelp[] =	"toggle verbose mode";
char prothelp[] =	"set protection level";
char prothelp_c[] =	"set command protection level";
#if defined(KRB5)
char klisthelp[] =	"show remote tickets";
#endif
#if defined(KRB5)
char afsloghelp[] =	"obtain remote AFS tokens";
#endif

/*
 * Command dispatch table for the interactive ftp client.
 *
 * Each entry is { name, help text, flag, flag, flag, handler }.  The
 * handler is called as (*c_handler)(argc, argv) with the tokenised
 * command line.  Of the three flags, the fourth column is the one
 * consulted as c_conn (the command is refused with "Not connected."
 * when no control connection is open) and the third column is read as
 * c_bell (ring the terminal bell after the command when `bell' is set).
 * The fifth column looks like a "may be issued via proxy" flag, but its
 * field name is not visible here -- confirm against the struct cmd
 * definition before relying on it.
 *
 * The table is terminated by an all-NULL sentinel; NCMDS below excludes
 * it.  Lookups go through getcmd(), which returns (struct cmd *)-1 for
 * an ambiguous abbreviation and NULL for an unknown command.
 */
struct cmd cmdtab[] = {
	{ "!",		shellhelp,	0,	0,	0,	shell },
	{ "$",		domachelp,	1,	0,	0,	domacro },
	{ "account",	accounthelp,	0,	1,	1,	account},
	{ "append",	appendhelp,	1,	1,	1,	put },
	{ "ascii",	asciihelp,	0,	1,	1,	setascii },
	{ "bell",	beephelp,	0,	0,	0,	setbell },
	{ "binary",	binaryhelp,	0,	1,	1,	setbinary },
	{ "bye",	quithelp,	0,	0,	0,	quit },
	{ "case",	casehelp,	0,	0,	1,	setcase },
	{ "cd",		cdhelp,		0,	1,	1,	cd },
	{ "cdup",	cduphelp,	0,	1,	1,	cdup },
	{ "chmod",	chmodhelp,	0,	1,	1,	do_chmod },
	{ "close",	disconhelp,	0,	1,	1,	disconnect },
	{ "cr",		crhelp,		0,	0,	0,	setcr },
	{ "delete",	deletehelp,	0,	1,	1,	delete },
	{ "debug",	debughelp,	0,	0,	0,	setdebug },
	{ "dir",	dirhelp,	1,	1,	1,	ls },
	{ "disconnect",	disconhelp,	0,	1,	1,	disconnect },
	{ "form",	formhelp,	0,	1,	1,	setform },
	{ "get",	receivehelp,	1,	1,	1,	get },
	{ "glob",	globhelp,	0,	0,	0,	setglob },
	{ "hash",	hashhelp,	0,	0,	0,	sethash },
	{ "help",	helphelp,	0,	0,	1,	help },
	{ "idle",	idlehelp,	0,	1,	1,	ftp_idle },
	{ "image",	binaryhelp,	0,	1,	1,	setbinary },
	{ "lcd",	lcdhelp,	0,	0,	0,	lcd },
	{ "ls",		lshelp,		1,	1,	1,	ls },
	{ "macdef",	macdefhelp,	0,	0,	0,	macdef },
	{ "mdelete",	mdeletehelp,	1,	1,	1,	mdelete },
	{ "mdir",	mdirhelp,	1,	1,	1,	mls },
	{ "mget",	mgethelp,	1,	1,	1,	mget },
	{ "mkdir",	mkdirhelp,	0,	1,	1,	makedir },
	{ "mls",	mlshelp,	1,	1,	1,	mls },
	{ "mode",	modehelp,	0,	1,	1,	setftmode },
	{ "modtime",	modtimehelp,	0,	1,	1,	modtime },
	{ "mput",	mputhelp,	1,	1,	1,	mput },
	{ "newer",	newerhelp,	1,	1,	1,	newer },
	{ "nmap",	nmaphelp,	0,	0,	1,	setnmap },
	{ "nlist",	nlisthelp,	1,	1,	1,	ls },
	{ "ntrans",	ntranshelp,	0,	0,	1,	setntrans },
	{ "open",	connecthelp,	0,	0,	1,	setpeer },
	{ "passive",	passivehelp,	0,	0,	0,	setpassive },
	{ "prompt",	prompthelp,	0,	0,	0,	setprompt },
	{ "proxy",	proxyhelp,	0,	0,	1,	doproxy },
	{ "sendport",	porthelp,	0,	0,	0,	setport },
	{ "put",	sendhelp,	1,	1,	1,	put },
	{ "pwd",	pwdhelp,	0,	1,	1,	pwd },
	{ "quit",	quithelp,	0,	0,	0,	quit },
	{ "quote",	quotehelp,	1,	1,	1,	quote },
	{ "recv",	receivehelp,	1,	1,	1,	get },
	{ "reget",	regethelp,	1,	1,	1,	reget },
	{ "rstatus",	rmtstatushelp,	0,	1,	1,	rmtstatus },
	{ "rhelp",	remotehelp,	0,	1,	1,	rmthelp },
	{ "rename",	renamehelp,	0,	1,	1,	renamefile },
	{ "reset",	resethelp,	0,	1,	1,	reset },
	{ "restart",	restarthelp,	1,	1,	1,	restart },
	{ "rmdir",	rmdirhelp,	0,	1,	1,	removedir },
	{ "runique",	runiquehelp,	0,	0,	1,	setrunique },
	{ "send",	sendhelp,	1,	1,	1,	put },
	{ "site",	sitehelp,	0,	1,	1,	site },
	{ "size",	sizecmdhelp,	1,	1,	1,	sizecmd },
	{ "status",	statushelp,	0,	0,	1,	status },
	{ "struct",	structhelp,	0,	1,	1,	setstruct },
	{ "system",	systemhelp,	0,	1,	1,	syst },
	{ "sunique",	suniquehelp,	0,	0,	1,	setsunique },
	{ "tenex",	tenexhelp,	0,	1,	1,	settenex },
	{ "trace",	tracehelp,	0,	0,	0,	settrace },
	{ "type",	typehelp,	0,	1,	1,	settype },
	{ "user",	userhelp,	0,	1,	1,	user },
	{ "umask",	umaskhelp,	0,	1,	1,	do_umask },
	{ "verbose",	verbosehelp,	0,	0,	0,	setverbose },
	{ "?",		helphelp,	0,	0,	1,	help },
	/* Security-extension commands (RFC 2228 style protection levels). */
	{ "protect",	prothelp,	0,	1,	0,	sec_prot },	/* what MIT uses */
	{ "cprotect",	prothelp_c,	0,	1,	1,	sec_prot_command },
#if defined(KRB5)
	{ "klist",	klisthelp,	0,	1,	0,	klist },
#endif
#if defined(KRB5)
	{ "afslog",	afsloghelp,	0,	1,	0,	afslog },
#endif
	{ NULL,		NULL,		0,	0,	0,	NULL },
};

/* Number of real commands: the sentinel entry is not counted. */
int	NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1;
heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/domacro.c000066400000000000000000000101001257755311500215410ustar00rootroot00000000000000/*
 * Copyright (c) 1985, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3.
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
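*/

#include "ftp_locl.h"
RCSID("$Id$");

/*
 * Expand and execute the macro named by argv[1].
 *
 * Each stored line of the macro is copied into the global `line' with
 * the following substitutions (see the macdef description in ftp(1)):
 *   $N   the Nth invocation argument, argv[N+1]; an out-of-range N
 *        expands to nothing,
 *   $i   the "current" argument; its presence marks the macro as
 *        looping, so the whole body is re-run once per remaining
 *        argument,
 *   \c   the literal character c.
 * The expanded line is then tokenised with makeargv() and dispatched
 * through the command table exactly like an interactive command:
 * ambiguous, unknown and connection-requiring commands are reported
 * and skipped.
 *
 * makeargv() overwrites the global argument vector, so the invocation
 * line is saved in line2 on entry and restored after every dispatched
 * line; otherwise later $N references would pick up tokens of the
 * command that was just run instead of the macro's own arguments.
 *
 * Sets the global `code' to -1 on a usage error, an unknown macro, and
 * for every line that could not be dispatched.
 */
void
domacro(int argc, char **argv)
{
    int i, j, count = 2, loopflg = 0;
    char *cp1, *cp2, line2[200];
    struct cmd *c;

    if (argc < 2 && !another(&argc, &argv, "macro name")) {
	printf("Usage: %s macro_name.\n", argv[0]);
	code = -1;
	return;
    }
    /* Macro names are compared on their first 9 characters only. */
    for (i = 0; i < macnum; ++i) {
	if (!strncmp(argv[1], macros[i].mac_name, 9)) {
	    break;
	}
    }
    if (i == macnum) {
	printf("'%s' macro not found.\n", argv[1]);
	code = -1;
	return;
    }
    /*
     * NOTE(review): line2 is 200 bytes; this silently truncates if the
     * global `line' is larger than that -- confirm its declared size.
     */
    strlcpy(line2, line, sizeof(line2));
TOP:
    cp1 = macros[i].mac_start;
    while (cp1 != macros[i].mac_end) {
	while (isspace((unsigned char)*cp1)) {
	    cp1++;
	}
	cp2 = line;
	while (*cp1 != '\0') {
	    size_t len;
	    switch(*cp1) {
	    case '\\':
		/* Leave room for the terminating NUL written at `out'. */
		if (line + sizeof(line) - 2 < cp2)
		    goto out;
		*cp2++ = *++cp1;
		break;
	    case '$':
		if (isdigit((unsigned char)*(cp1+1))) {
		    /*
		     * Accumulate the argument number.  Stop growing j once
		     * it is already out of range: the decision below only
		     * depends on whether j <= argc - 2, and without the
		     * guard a long enough digit run overflows int, wraps
		     * negative and indexes argv[] before its start.
		     */
		    j = 0;
		    while (isdigit((unsigned char)*++cp1)) {
			if (j < argc)
			    j = 10*j + *cp1 - '0';
		    }
		    cp1--;
		    if (argc - 2 >= j) {
			len = sizeof(line) - (cp2 - line) - 1;
			if (strlcpy(cp2, argv[j+1], len) >= len)
			    goto out;
			cp2 += strlen(argv[j+1]);
		    }
		    break;
		}
		if (*(cp1+1) == 'i') {
		    loopflg = 1;
		    cp1++;
		    if (count < argc) {
			len = sizeof(line) - (cp2 - line) - 1;
			if (strlcpy(cp2, argv[count], len) >= len)
			    goto out;
			cp2 += strlen(argv[count]);
		    }
		    break;
		}
		/* intentional drop through: a lone '$' is copied literally */
	    default:
		if (line + sizeof(line) - 2 < cp2)
		    goto out;
		*cp2++ = *cp1;
		break;
	    }
	    if (*cp1 != '\0') {
		cp1++;
	    }
	}
    out:
	*cp2 = '\0';
	makeargv();
	c = getcmd(margv[0]);
	if (c == (struct cmd *)-1) {
	    printf("?Ambiguous command\n");
	    code = -1;
	} else if (c == 0) {
	    printf("?Invalid command\n");
	    code = -1;
	} else if (c->c_conn && !connected) {
	    printf("Not connected.\n");
	    code = -1;
	} else {
	    if (verbose) {
		printf("%s\n",line);
	    }
	    (*c->c_handler)(margc, margv);
	    if (bell && c->c_bell) {
		putchar('\007');
	    }
	}
	/*
	 * makeargv() above replaced the global argument vector with the
	 * tokens of the expanded line.  Restore the original invocation
	 * so that $N and $i on the following lines (and on the next loop
	 * pass) refer to the macro's arguments again.  This is done on
	 * the error paths as well; previously only a successfully
	 * dispatched line restored it, leaving the clobbered vector in
	 * place after an ambiguous, unknown or "Not connected" line.
	 */
	strlcpy(line, line2, sizeof(line));
	makeargv();
	argc = margc;
	argv = margv;
	if (cp1 != macros[i].mac_end) {
	    cp1++;
	}
    }
    if (loopflg && ++count < argc) {
	goto TOP;
    }
}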
heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/extern.h000066400000000000000000000127771257755311500214550ustar00rootroot00000000000000/*- * Copyright (c) 1994 The Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * @(#)extern.h 8.3 (Berkeley) 10/9/94 */ /* $Id$ */ #include #include #ifdef TIME_WITH_SYS_TIME #include #include #elif defined(HAVE_SYS_TIME_H) #include #else #include #endif #ifdef HAVE_SYS_SELECT_H #include #endif void abort_remote (FILE *); void abortpt (int); void abortrecv (int); void account (int, char **); int another (int *, char ***, char *); void blkfree (char **); void cd (int, char **); void cdup (int, char **); void changetype (int, int); void cmdabort (int); void cmdscanner (int); int command (char *fmt, ...) __attribute__ ((format (printf, 1,2))); int confirm (char *, char *); FILE *dataconn (const char *); void delete (int, char **); void disconnect (int, char **); void do_chmod (int, char **); void do_umask (int, char **); void domacro (int, char **); char *domap (char *); void doproxy (int, char **); char *dotrans (char *); int empty (fd_set *, int); void fatal (char *); void get (int, char **); struct cmd *getcmd (char *); int getit (int, char **, int, char *); int getreply (int); int globulize (char **); char *gunique (char *); void help (int, char **); char *hookup (const char *, int); void ftp_idle (int, char **); int initconn (void); void intr (int); void lcd (int, char **); int login (char *); RETSIGTYPE lostpeer (int); void ls (int, char **); void macdef (int, char **); void makeargv (void); void makedir (int, char **); void mdelete (int, char **); void mget (int, char **); void mls (int, char **); void modtime (int, char **); void mput (int, char **); char *onoff (int); void newer (int, char **); void proxtrans (char *, char *, char *); void psabort (int); void pswitch (int); void ptransfer (char *, long, struct timeval *, struct timeval *); void put (int, char **); void pwd (int, char **); void quit (int, char **); void quote (int, char **); void quote1 (char *, int, char **); void recvrequest (char *, char *, char *, char *, int, int); void reget (int, char **); char *remglob (char **, int); void removedir (int, char **); void 
renamefile (int, char **); void reset (int, char **); void restart (int, char **); void rmthelp (int, char **); void rmtstatus (int, char **); int ruserpassword (char *, char **, char **, char **); void sendrequest (char *, char *, char *, char *, int); void setascii (int, char **); void setbell (int, char **); void setbinary (int, char **); void setcase (int, char **); void setcr (int, char **); void setdebug (int, char **); void setform (int, char **); void setftmode (int, char **); void setglob (int, char **); void sethash (int, char **); void setnmap (int, char **); void setntrans (int, char **); void setpassive (int, char **); void setpeer (int, char **); void setport (int, char **); void setprompt (int, char **); void setrunique (int, char **); void setstruct (int, char **); void setsunique (int, char **); void settenex (int, char **); void settrace (int, char **); void settype (int, char **); void setverbose (int, char **); void shell (int, char **); void site (int, char **); void sizecmd (int, char **); char *slurpstring (void); void status (int, char **); void syst (int, char **); void tvsub (struct timeval *, struct timeval *, struct timeval *); void user (int, char **); extern jmp_buf abortprox; extern int abrtflag; extern struct cmd cmdtab[]; extern FILE *cout; extern int data; extern char *home; extern jmp_buf jabort; extern int proxy; extern char reply_string[]; extern off_t restart_point; extern int NCMDS; extern char username[32]; extern char myhostname[]; extern char *mydomain; void afslog (int, char **); void kauth (int, char **); void kdestroy (int, char **); void klist (int, char **); void krbtkfile (int, char **); heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/ftp.1000066400000000000000000000746731257755311500206550ustar00rootroot00000000000000.\" $NetBSD: ftp.1,v 1.11 1995/09/08 01:06:24 tls Exp $ .\" .\" Copyright (c) 1985, 1989, 1990, 1993 .\" The Regents of the University of California. All rights reserved. 
.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. All advertising materials mentioning features or use of this software .\" must display the following acknowledgement: .\" This product includes software developed by the University of .\" California, Berkeley and its contributors. .\" 4. Neither the name of the University nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" .\" @(#)ftp.1 8.3 (Berkeley) 10/9/94 .\" .Dd March 23, 2006 .Dt FTP 1 .Os BSD 4.2 .Sh NAME .Nm ftp .Nd .Tn ARPANET file transfer program .Sh SYNOPSIS .Nm ftp .Op Fl K .Op Fl d .Op Fl g .Op Fl i .Op Fl l .Op Fl n .Op Fl p .Op Fl t .Op Fl v .Op Fl x .Op Fl Fl no-gss-bindings .Op Fl Fl no-gss-delegate .Op Ar host .Sh DESCRIPTION .Nm is the user interface to the .Tn ARPANET standard File Transfer Protocol. The program allows a user to transfer files to and from a remote network site. .Pp Modifications have been made so that it almost follows the FTP Security Extensions, RFC 2228. .Pp Options may be specified at the command line, or to the command interpreter. .Bl -tag -width flag .It Fl K Disable Kerberos authentication. .It Fl t Enables packet tracing. .It Fl v Verbose option forces .Nm ftp to show all responses from the remote server, as well as report on data transfer statistics. .It Fl n Restrains .Nm ftp from attempting \*(Lqauto-login\*(Rq upon initial connection. If auto-login is enabled, .Nm ftp will check the .Pa .netrc (see below) file in the user's home directory for an entry describing an account on the remote machine. If no entry exists, .Nm ftp will prompt for the remote machine login name (default is the user identity on the local machine), and, if necessary, prompt for a password and an account with which to login. .It Fl i Turns off interactive prompting during multiple file transfers. .It Fl p Turn on passive mode. .It Fl d Enables debugging. .It Fl g Disables file name globbing. .It Fl Fl no-gss-bindings Don't use GSS-API bindings when talking to peer. IP addresses will not be checked to ensure they match. .It Fl Fl no-gss-delegate Disable delegation of GSSAPI credentials. .It Fl l Disables command line editing. .It Fl x Encrypt command and data channel. .El .Pp The client host with which .Nm ftp is to communicate may be specified on the command line. 
If this is done, .Nm ftp will immediately attempt to establish a connection to an .Tn FTP server on that host; otherwise, .Nm ftp will enter its command interpreter and await instructions from the user. When .Nm ftp is awaiting commands from the user the prompt .Ql ftp\*[Gt] is provided to the user. The following commands are recognized by .Nm ftp : .Bl -tag -width Fl .It Ic \&! Op Ar command Op Ar args Invoke an interactive shell on the local machine. If there are arguments, the first is taken to be a command to execute directly, with the rest of the arguments as its arguments. .It Ic \&$ Ar macro-name Op Ar args Execute the macro .Ar macro-name that was defined with the .Ic macdef command. Arguments are passed to the macro unglobbed. .It Ic account Op Ar passwd Supply a supplemental password required by a remote system for access to resources once a login has been successfully completed. If no argument is included, the user will be prompted for an account password in a non-echoing input mode. .It Ic append Ar local-file Op Ar remote-file Append a local file to a file on the remote machine. If .Ar remote-file is left unspecified, the local file name is used in naming the remote file after being altered by any .Ic ntrans or .Ic nmap setting. File transfer uses the current settings for .Ic type , .Ic format , .Ic mode , and .Ic structure . .It Ic ascii Set the file transfer .Ic type to network .Tn ASCII . This is the default type. .It Ic bell Arrange that a bell be sounded after each file transfer command is completed. .It Ic binary Set the file transfer .Ic type to support binary image transfer. .It Ic bye Terminate the .Tn FTP session with the remote server and exit .Nm ftp . An end of file will also terminate the session and exit. .It Ic case Toggle remote computer file name case mapping during .Ic mget commands. 
When .Ic case is on (default is off), remote computer file names with all letters in upper case are written in the local directory with the letters mapped to lower case. .It Ic \&cd Ar remote-directory Change the working directory on the remote machine to .Ar remote-directory . .It Ic cdup Change the remote machine working directory to the parent of the current remote machine working directory. .It Ic chmod Ar mode file-name Change the permission modes of the file .Ar file-name on the remote system to .Ar mode . .It Ic close Terminate the .Tn FTP session with the remote server, and return to the command interpreter. Any defined macros are erased. .It Ic \&cr Toggle carriage return stripping during ascii type file retrieval. Records are denoted by a carriage return/linefeed sequence during ascii type file transfer. When .Ic \&cr is on (the default), carriage returns are stripped from this sequence to conform with the .Ux single linefeed record delimiter. Records on .Pf non\- Ns Ux remote systems may contain single linefeeds; when an ascii type transfer is made, these linefeeds may be distinguished from a record delimiter only when .Ic \&cr is off. .It Ic delete Ar remote-file Delete the file .Ar remote-file on the remote machine. .It Ic debug Op Ar debug-value Toggle debugging mode. If an optional .Ar debug-value is specified it is used to set the debugging level. When debugging is on, .Nm ftp prints each command sent to the remote machine, preceded by the string .Ql \-\-\*[Gt] .It Xo .Ic dir .Op Ar remote-directory .Op Ar local-file .Xc Print a listing of the directory contents in the directory, .Ar remote-directory , and, optionally, placing the output in .Ar local-file . If interactive prompting is on, .Nm ftp will prompt the user to verify that the last argument is indeed the target local file for receiving .Ic dir output. If no directory is specified, the current working directory on the remote machine is used. 
If no local file is specified, or
.Ar local-file
is
.Fl ,
output comes to the terminal.
.It Ic disconnect
A synonym for
.Ar close .
.It Ic form Ar format
Set the file transfer
.Ic form
to
.Ar format .
The default format is \*(Lqfile\*(Rq.
.It Ic get Ar remote-file Op Ar local-file
Retrieve the
.Ar remote-file
and store it on the local machine.
If the local
file name is not specified, it is given the same
name it has on the remote machine, subject to
alteration by the current
.Ic case ,
.Ic ntrans ,
and
.Ic nmap
settings.
The current settings for
.Ic type ,
.Ic form ,
.Ic mode ,
and
.Ic structure
are used while transferring the file.
.It Ic glob
Toggle filename expansion for
.Ic mdelete ,
.Ic mget
and
.Ic mput .
If globbing is turned off with
.Ic glob ,
the file name arguments
are taken literally and not expanded.
Globbing for
.Ic mput
is done as in
.Xr csh 1 .
For
.Ic mdelete
and
.Ic mget ,
each remote file name is expanded
separately on the remote machine and the lists are not merged.
Expansion of a directory name is likely to be
different from expansion of the name of an ordinary file:
the exact result depends on the foreign operating system and ftp server,
and can be previewed by doing
.Ql mls remote-files \- .
As a security measure, remotely globbed file names that start with
.Sq /
or contain
.Sq ../
will not be automatically received.
If interactive prompting is turned off, these filenames will be ignored.
Note:
.Ic mget
and
.Ic mput
are not meant to transfer
entire directory subtrees of files.
That can be done by
transferring a
.Xr tar 1
archive of the subtree (in binary mode).
.It Ic hash
Toggle hash-sign (``#'') printing for each data block
transferred.
The size of a data block is 1024 bytes.
.It Ic help Op Ar command
Print an informative message about the meaning of
.Ar command .
If no argument is given,
.Nm ftp
prints a list of the known commands.
.It Ic idle Op Ar seconds
Set the inactivity timer on the remote server to
.Ar seconds
seconds.
If
.Ar seconds
is omitted, the current inactivity timer is printed.
.It Ic lcd Op Ar directory
Change the working directory on the local machine.
If
no
.Ar directory
is specified, the user's home directory is used.
.It Xo
.Ic \&ls
.Op Ar remote-directory
.Op Ar local-file
.Xc
Print a listing of the contents of a
directory on the remote machine.
The listing includes any system-dependent information that the server
chooses to include; for example, most
.Ux
systems will produce
output from the command
.Ql ls \-l .
(See also
.Ic nlist . )
If
.Ar remote-directory
is left unspecified, the current working directory is used.
If interactive prompting is on,
.Nm ftp
will prompt the user to verify that the last argument is indeed the
target local file for receiving
.Ic \&ls
output.
If no local file is specified, or if
.Ar local-file
is
.Sq Fl ,
the output is sent to the terminal.
.It Ic macdef Ar macro-name
Define a macro.
Subsequent lines are stored as the macro
.Ar macro-name ;
a null line (consecutive newline characters
in a file or carriage returns from the terminal)
terminates macro input mode.
There is a limit of 16 macros and 4096 total characters in all
defined macros.
Macros remain defined until a
.Ic close
command is executed.
The macro processor interprets `$' and `\e' as special characters.
A `$' followed by a number (or numbers) is replaced by the
corresponding argument on the macro invocation command line.
A `$' followed by an `i' signals the macro processor that the
executing macro is to be looped.
On the first pass `$i' is
replaced by the first argument on the macro invocation command line,
on the second pass it is replaced by the second argument, and so on.
A `\e' followed by any character is replaced by that character.
Use the `\e' to prevent special treatment of the `$'.
.It Ic mdelete Op Ar remote-files
Delete the
.Ar remote-files
on the remote machine.
.It Ic mdir Ar remote-files local-file
Like
.Ic dir ,
except multiple remote files may be specified.
If interactive prompting is on,
.Nm ftp
will prompt the user to verify that the last argument is indeed the
target local file for receiving
.Ic mdir
output.
.It Ic mget Ar remote-files
Expand the
.Ar remote-files
on the remote machine
and do a
.Ic get
for each file name thus produced.
See
.Ic glob
for details on the filename expansion.
Resulting file names will then be processed according to
.Ic case ,
.Ic ntrans ,
and
.Ic nmap
settings.
Files are transferred into the local working directory,
which can be changed with
.Ql lcd directory ;
new local directories can be created with
.Ql "\&! mkdir directory" .
.It Ic mkdir Ar directory-name
Make a directory on the remote machine.
.It Ic mls Ar remote-files local-file
Like
.Ic nlist ,
except multiple remote files may be specified,
and the
.Ar local-file
must be specified.
If interactive prompting is on,
.Nm ftp
will prompt the user to verify that the last argument is indeed the
target local file for receiving
.Ic mls
output.
.It Ic mode Op Ar mode-name
Set the file transfer
.Ic mode
to
.Ar mode-name .
The default mode is \*(Lqstream\*(Rq mode.
.It Ic modtime Ar file-name
Show the last modification time of the file on the remote machine.
.It Ic mput Ar local-files
Expand wild cards in the list of local files given as arguments
and do a
.Ic put
for each file in the resulting list.
See
.Ic glob
for details of filename expansion.
Resulting file names will then be processed according to
.Ic ntrans
and
.Ic nmap
settings.
.It Ic newer Ar file-name
Get the file only if the modification time of the remote file is more
recent than that of the file on the current system.
If the file does not
exist on the current system, the remote file is considered
.Ic newer .
Otherwise, this command is identical to
.Ar get .
.It Xo
.Ic nlist
.Op Ar remote-directory
.Op Ar local-file
.Xc
Print a list of the files in a
directory on the remote machine.
If
.Ar remote-directory
is left unspecified, the current working directory is used.
If interactive prompting is on,
.Nm ftp
will prompt the user to verify that the last argument is indeed the
target local file for receiving
.Ic nlist
output.
If no local file is specified, or if
.Ar local-file
is
.Fl ,
the output is sent to the terminal.
.It Ic nmap Op Ar inpattern outpattern
Set or unset the filename mapping mechanism.
If no arguments are specified, the filename mapping mechanism is unset.
If arguments are specified, remote filenames are mapped during
.Ic mput
commands and
.Ic put
commands issued without a specified remote target filename.
If arguments are specified, local filenames are mapped during
.Ic mget
commands and
.Ic get
commands issued without a specified local target filename.
This command is useful when connecting to
a
.No non\- Ns Ux
remote computer with different file naming conventions
or practices.
The mapping follows the pattern set by
.Ar inpattern
and
.Ar outpattern .
.Op Ar Inpattern
is a template for incoming filenames (which may have already been
processed according to the
.Ic ntrans
and
.Ic case
settings).
Variable templating is accomplished by including the
sequences `$1', `$2', ..., `$9' in
.Ar inpattern .
Use `\\' to prevent this special treatment of the `$' character.
All other characters are treated literally, and are used to determine the
.Ic nmap
.Op Ar inpattern
variable values.
For example, given
.Ar inpattern
$1.$2 and the remote file name "mydata.data", $1 would have the value
"mydata", and $2 would have the value "data".
The
.Ar outpattern
determines the resulting mapped filename.
The sequences `$1', `$2', ..., `$9' are replaced by any value resulting
from the
.Ar inpattern
template.
The sequence `$0' is replaced by the original filename.
Additionally, the sequence
.Ql Op Ar seq1 , Ar seq2
is replaced by
.Op Ar seq1
if
.Ar seq1
is not a null string; otherwise it is replaced by
.Ar seq2 .
For example, the command
.Pp
.Bd -literal -offset indent -compact
nmap $1.$2.$3 [$1,$2].[$2,file]
.Ed
.Pp
would yield
the output filename "myfile.data" for input filenames "myfile.data" and
"myfile.data.old", "myfile.file" for the input filename "myfile", and
"myfile.myfile" for the input filename ".myfile".
Spaces may be included in
.Ar outpattern ,
as in the example: `nmap $1 | sed "s/  *$//" \*[Gt] $1' .
Use the `\e' character to prevent special treatment
of the `$', `[', `]', and `,' characters.
.It Ic ntrans Op Ar inchars Op Ar outchars
Set or unset the filename character translation mechanism.
If no arguments are specified, the filename character
translation mechanism is unset.
If arguments are specified, characters in
remote filenames are translated during
.Ic mput
commands and
.Ic put
commands issued without a specified remote target filename.
If arguments are specified, characters in
local filenames are translated during
.Ic mget
commands and
.Ic get
commands issued without a specified local target filename.
This command is useful when connecting to a
.No non\- Ns Ux
remote computer with different file naming conventions
or practices.
Characters in a filename matching a character in
.Ar inchars
are replaced with the corresponding character in
.Ar outchars .
If the character's position in
.Ar inchars
is greater than the length of
.Ar outchars ,
the character is deleted from the file name.
.It Ic open Ar host Op Ar port
Establish a connection to the specified
.Ar host
.Tn FTP
server.
An optional port number may be supplied,
in which case,
.Nm ftp
will attempt to contact an
.Tn FTP
server at that port.
If the
.Ic auto-login
option is on (default),
.Nm ftp
will also attempt to automatically log the user in to
the
.Tn FTP
server (see below).
.It Ic passive
Toggle passive mode.
If passive mode is turned on (default is off), the ftp client will
send a
.Dv PASV
command for all data connections instead of the usual
.Dv PORT
command.
The .Dv PASV command requests that the remote server open a port for the data connection and return the address of that port. The remote server listens on that port and the client connects to it. When using the more traditional .Dv PORT command, the client listens on a port and sends that address to the remote server, who connects back to it. Passive mode is useful when using .Nm ftp through a gateway router or host that controls the directionality of traffic. (Note that though ftp servers are required to support the .Dv PASV command by RFC 1123, some do not.) .It Ic prompt Toggle interactive prompting. Interactive prompting occurs during multiple file transfers to allow the user to selectively retrieve or store files. If prompting is turned off (default is on), any .Ic mget or .Ic mput will transfer all files, and any .Ic mdelete will delete all files. .It Ic proxy Ar ftp-command Execute an ftp command on a secondary control connection. This command allows simultaneous connection to two remote ftp servers for transferring files between the two servers. The first .Ic proxy command should be an .Ic open , to establish the secondary control connection. Enter the command "proxy ?" to see other ftp commands executable on the secondary connection. The following commands behave differently when prefaced by .Ic proxy : .Ic open will not define new macros during the auto-login process, .Ic close will not erase existing macro definitions, .Ic get and .Ic mget transfer files from the host on the primary control connection to the host on the secondary control connection, and .Ic put , .Ic mput , and .Ic append transfer files from the host on the secondary control connection to the host on the primary control connection. Third party file transfers depend upon support of the ftp protocol .Dv PASV command by the server on the secondary control connection. .It Ic put Ar local-file Op Ar remote-file Store a local file on the remote machine. 
If .Ar remote-file is left unspecified, the local file name is used after processing according to any .Ic ntrans or .Ic nmap settings in naming the remote file. File transfer uses the current settings for .Ic type , .Ic format , .Ic mode , and .Ic structure . .It Ic pwd Print the name of the current working directory on the remote machine. .It Ic quit A synonym for .Ic bye . .It Ic quote Ar arg1 arg2 ... The arguments specified are sent, verbatim, to the remote .Tn FTP server. .It Ic recv Ar remote-file Op Ar local-file A synonym for get. .It Ic reget Ar remote-file Op Ar local-file Reget acts like get, except that if .Ar local-file exists and is smaller than .Ar remote-file , .Ar local-file is presumed to be a partially transferred copy of .Ar remote-file and the transfer is continued from the apparent point of failure. This command is useful when transferring very large files over networks that are prone to dropping connections. .It Ic remotehelp Op Ar command-name Request help from the remote .Tn FTP server. If a .Ar command-name is specified it is supplied to the server as well. .It Ic remotestatus Op Ar file-name With no arguments, show status of remote machine. If .Ar file-name is specified, show status of .Ar file-name on remote machine. .It Xo .Ic rename .Op Ar from .Op Ar to .Xc Rename the file .Ar from on the remote machine, to the file .Ar to . .It Ic reset Clear reply queue. This command re-synchronizes command/reply sequencing with the remote ftp server. Resynchronization may be necessary following a violation of the ftp protocol by the remote server. .It Ic restart Ar marker Restart the immediately following .Ic get or .Ic put at the indicated .Ar marker . On .Ux systems, marker is usually a byte offset into the file. .It Ic rmdir Ar directory-name Delete a directory on the remote machine. .It Ic runique Toggle storing of files on the local system with unique filenames. 
If a file already exists with a name equal to the target local filename for a .Ic get or .Ic mget command, a ".1" is appended to the name. If the resulting name matches another existing file, a ".2" is appended to the original name. If this process continues up to ".99", an error message is printed, and the transfer does not take place. The generated unique filename will be reported. Note that .Ic runique will not affect local files generated from a shell command (see below). The default value is off. .It Ic send Ar local-file Op Ar remote-file A synonym for put. .It Ic sendport Toggle the use of .Dv PORT commands. By default, .Nm ftp will attempt to use a .Dv PORT command when establishing a connection for each data transfer. The use of .Dv PORT commands can prevent delays when performing multiple file transfers. If the .Dv PORT command fails, .Nm ftp will use the default data port. When the use of .Dv PORT commands is disabled, no attempt will be made to use .Dv PORT commands for each data transfer. This is useful for certain .Tn FTP implementations which do ignore .Dv PORT commands but, incorrectly, indicate they've been accepted. .It Ic site Ar arg1 arg2 ... The arguments specified are sent, verbatim, to the remote .Tn FTP server as a .Dv SITE command. .It Ic size Ar file-name Return size of .Ar file-name on remote machine. .It Ic status Show the current status of .Nm ftp . .It Ic struct Op Ar struct-name Set the file transfer .Ar structure to .Ar struct-name . By default \*(Lqstream\*(Rq structure is used. .It Ic sunique Toggle storing of files on remote machine under unique file names. Remote ftp server must support ftp protocol .Dv STOU command for successful completion. The remote server will report unique name. Default value is off. .It Ic system Show the type of operating system running on the remote machine. .It Ic tenex Set the file transfer type to that needed to talk to .Tn TENEX machines. .It Ic trace Toggle packet tracing. 
.It Ic type Op Ar type-name Set the file transfer .Ic type to .Ar type-name . If no type is specified, the current type is printed. The default type is network .Tn ASCII . .It Ic umask Op Ar newmask Set the default umask on the remote server to .Ar newmask . If .Ar newmask is omitted, the current umask is printed. .It Xo .Ic user Ar user-name .Op Ar password .Op Ar account .Xc Identify yourself to the remote .Tn FTP server. If the .Ar password is not specified and the server requires it, .Nm ftp will prompt the user for it (after disabling local echo). If an .Ar account field is not specified, and the .Tn FTP server requires it, the user will be prompted for it. If an .Ar account field is specified, an account command will be relayed to the remote server after the login sequence is completed if the remote server did not require it for logging in. Unless .Nm ftp is invoked with \*(Lqauto-login\*(Rq disabled, this process is done automatically on initial connection to the .Tn FTP server. .It Ic verbose Toggle verbose mode. In verbose mode, all responses from the .Tn FTP server are displayed to the user. In addition, if verbose is on, when a file transfer completes, statistics regarding the efficiency of the transfer are reported. By default, verbose is on. .It Ic \&? Op Ar command A synonym for help. .El .Pp The following command can be used with ftpsec-aware servers. .Bl -tag -width Fl .It Xo .Ic prot .Ar clear | .Ar safe | .Ar confidential | .Ar private .Xc Set the data protection level to the requested level. .El .Pp The following command can be used with ftp servers that have implemented the KAUTH site command. .Bl -tag -width Fl .It Ic kauth Op Ar principal Obtain remote tickets. .El .Pp Command arguments which have embedded spaces may be quoted with quote `"' marks. .Sh ABORTING A FILE TRANSFER To abort a file transfer, use the terminal interrupt key (usually Ctrl-C). Sending transfers will be immediately halted. 
Receiving transfers will be halted by sending a ftp protocol .Dv ABOR command to the remote server, and discarding any further data received. The speed at which this is accomplished depends upon the remote server's support for .Dv ABOR processing. If the remote server does not support the .Dv ABOR command, an .Ql ftp\*[Gt] prompt will not appear until the remote server has completed sending the requested file. .Pp The terminal interrupt key sequence will be ignored when .Nm ftp has completed any local processing and is awaiting a reply from the remote server. A long delay in this mode may result from the ABOR processing described above, or from unexpected behavior by the remote server, including violations of the ftp protocol. If the delay results from unexpected remote server behavior, the local .Nm ftp program must be killed by hand. .Sh FILE NAMING CONVENTIONS Files specified as arguments to .Nm ftp commands are processed according to the following rules. .Bl -enum .It If the file name .Sq Fl is specified, the .Ar stdin (for reading) or .Ar stdout (for writing) is used. .It If the first character of the file name is .Sq \&| , the remainder of the argument is interpreted as a shell command. .Nm Ftp then forks a shell, using .Xr popen 3 with the argument supplied, and reads (writes) from the stdout (stdin). If the shell command includes spaces, the argument must be quoted; e.g. \*(Lq" ls -lt"\*(Rq. A particularly useful example of this mechanism is: \*(Lqdir more\*(Rq. .It Failing the above checks, if ``globbing'' is enabled, local file names are expanded according to the rules used in the .Xr csh 1 ; cf. the .Ic glob command. If the .Nm ftp command expects a single local file (e.g. .Ic put ) , only the first filename generated by the "globbing" operation is used. .It For .Ic mget commands and .Ic get commands with unspecified local file names, the local filename is the remote filename, which may be altered by a .Ic case , .Ic ntrans , or .Ic nmap setting. 
The resulting filename may then be altered if .Ic runique is on. .It For .Ic mput commands and .Ic put commands with unspecified remote file names, the remote filename is the local filename, which may be altered by a .Ic ntrans or .Ic nmap setting. The resulting filename may then be altered by the remote server if .Ic sunique is on. .El .Sh FILE TRANSFER PARAMETERS The FTP specification specifies many parameters which may affect a file transfer. The .Ic type may be one of \*(Lqascii\*(Rq, \*(Lqimage\*(Rq (binary), \*(Lqebcdic\*(Rq, and \*(Lqlocal byte size\*(Rq (for .Tn PDP Ns -10's and .Tn PDP Ns -20's mostly). .Nm Ftp supports the ascii and image types of file transfer, plus local byte size 8 for .Ic tenex mode transfers. .Pp .Nm Ftp supports only the default values for the remaining file transfer parameters: .Ic mode , .Ic form , and .Ic struct . .Sh THE .netrc FILE The .Pa .netrc file contains login and initialization information used by the auto-login process. It resides in the user's home directory. The following tokens are recognized; they may be separated by spaces, tabs, or new-lines: .Bl -tag -width password .It Ic machine Ar name Identify a remote machine .Ar name . The auto-login process searches the .Pa .netrc file for a .Ic machine token that matches the remote machine specified on the .Nm ftp command line or as an .Ic open command argument. Once a match is made, the subsequent .Pa .netrc tokens are processed, stopping when the end of file is reached or another .Ic machine or a .Ic default token is encountered. .It Ic default This is the same as .Ic machine .Ar name except that .Ic default matches any name. There can be only one .Ic default token, and it must be after all .Ic machine tokens. This is normally used as: .Pp .Dl default login anonymous password user@site .Pp thereby giving the user .Ar automatic anonymous ftp login to machines not specified in .Pa .netrc . This can be overridden by using the .Fl n flag to disable auto-login. 
.It Ic login Ar name Identify a user on the remote machine. If this token is present, the auto-login process will initiate a login using the specified .Ar name . .It Ic password Ar string Supply a password. If this token is present, the auto-login process will supply the specified string if the remote server requires a password as part of the login process. Note that if this token is present in the .Pa .netrc file for any user other than .Ar anonymous , .Nm ftp will abort the auto-login process if the .Pa .netrc is readable by anyone besides the user. .It Ic account Ar string Supply an additional account password. If this token is present, the auto-login process will supply the specified string if the remote server requires an additional account password, or the auto-login process will initiate an .Dv ACCT command if it does not. .It Ic macdef Ar name Define a macro. This token functions like the .Nm ftp .Ic macdef command functions. A macro is defined with the specified name; its contents begin with the next .Pa .netrc line and continue until a null line (consecutive new-line characters) is encountered. If a macro named .Ic init is defined, it is automatically executed as the last step in the auto-login process. .El .Sh ENVIRONMENT .Nm Ftp uses the following environment variables. .Bl -tag -width Fl .It Ev HOME For default location of a .Pa .netrc file, if one exists. .It Ev SHELL For default shell. .El .Sh SEE ALSO .Xr ftpd 8 .Rs .%T RFC2228 .Re .Sh HISTORY The .Nm ftp command appeared in .Bx 4.2 . .Sh BUGS Correct execution of many commands depends upon proper behavior by the remote server. .Pp An error in the treatment of carriage returns in the .Bx 4.2 ascii-mode transfer code has been corrected. This correction may result in incorrect transfers of binary files to and from .Bx 4.2 servers using the ascii type. Avoid this problem by using the binary image type. 
heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/ftp.c000066400000000000000000001144141257755311500207230ustar00rootroot00000000000000/* * Copyright (c) 1985, 1989, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #include "ftp_locl.h" RCSID ("$Id$"); struct sockaddr_storage hisctladdr_ss; struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss; struct sockaddr_storage data_addr_ss; struct sockaddr *data_addr = (struct sockaddr *)&data_addr_ss; struct sockaddr_storage myctladdr_ss; struct sockaddr *myctladdr = (struct sockaddr *)&myctladdr_ss; int data = -1; int abrtflag = 0; jmp_buf ptabort; int ptabflg; int ptflag = 0; off_t restart_point = 0; FILE *cin, *cout; typedef void (*sighand) (int); char * hookup (const char *host, int port) { static char hostnamebuf[MaxHostNameLen]; struct addrinfo *ai, *a; struct addrinfo hints; int error; char portstr[NI_MAXSERV]; socklen_t len; int s; memset (&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; hints.ai_flags = AI_CANONNAME; snprintf (portstr, sizeof(portstr), "%u", ntohs(port)); error = getaddrinfo (host, portstr, &hints, &ai); if (error) { warnx ("%s: %s", host, gai_strerror(error)); code = -1; return NULL; } strlcpy (hostnamebuf, host, sizeof(hostnamebuf)); hostname = hostnamebuf; s = -1; for (a = ai; a != NULL; a = a->ai_next) { s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); if (s < 0) continue; if (a->ai_canonname != NULL) strlcpy (hostnamebuf, a->ai_canonname, sizeof(hostnamebuf)); memcpy (hisctladdr, a->ai_addr, a->ai_addrlen); error = connect (s, a->ai_addr, a->ai_addrlen); if (error < 0) { char addrstr[256]; if (getnameinfo (a->ai_addr, a->ai_addrlen, addrstr, sizeof(addrstr), NULL, 0, NI_NUMERICHOST) != 0) strlcpy (addrstr, "unknown address", sizeof(addrstr)); warn ("connect %s", addrstr); close (s); s = -1; continue; } break; } freeaddrinfo (ai); if (s < 0) { warnx ("failed to contact %s", host); code = -1; return NULL; } len = sizeof(myctladdr_ss); if (getsockname (s, myctladdr, &len) < 0) { warn ("getsockname"); code = -1; close (s); return NULL; } #ifdef IPTOS_LOWDELAY socket_set_tos (s, IPTOS_LOWDELAY); #endif cin = fdopen (s, "r"); cout = fdopen (s, 
"w"); if (cin == NULL || cout == NULL) { warnx ("fdopen failed."); if (cin) fclose (cin); if (cout) fclose (cout); code = -1; goto bad; } if (verbose) printf ("Connected to %s.\n", hostname); if (getreply (0) > 2) { /* read startup message from server */ if (cin) fclose (cin); if (cout) fclose (cout); code = -1; goto bad; } #if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT) { int on = 1; if (setsockopt (s, SOL_SOCKET, SO_OOBINLINE, (char *) &on, sizeof (on)) < 0 && debug) { warn ("setsockopt"); } } #endif /* SO_OOBINLINE */ return (hostname); bad: close (s); return NULL; } int login (char *host) { char tmp[80]; char defaultpass[128]; char *userstr, *pass, *acctstr; char *ruserstr, *rpass, *racctstr; int n, aflag = 0; char *myname = NULL; struct passwd *pw = k_getpwuid(getuid()); if (pw != NULL) myname = pw->pw_name; ruserstr = rpass = racctstr = NULL; if(sec_login(host)) printf("\n*** Using plaintext user and password ***\n\n"); else{ printf("Authentication successful.\n\n"); } if (ruserpassword (host, &ruserstr, &rpass, &racctstr) < 0) { code = -1; return (0); } userstr = ruserstr; pass = rpass; acctstr = racctstr; while (userstr == NULL) { if (myname) printf ("Name (%s:%s): ", host, myname); else printf ("Name (%s): ", host); *tmp = '\0'; if (fgets (tmp, sizeof (tmp) - 1, stdin) != NULL) tmp[strlen (tmp) - 1] = '\0'; if (*tmp == '\0') userstr = myname; else userstr = tmp; } strlcpy(username, userstr, sizeof(username)); if (ruserstr) free(ruserstr); n = command("USER %s", userstr); if (n == COMPLETE) n = command("PASS dummy"); /* DK: Compatibility with gssftp daemon */ else if(n == CONTINUE) { if (pass == NULL) { char prompt[128]; if(myname && (!strcmp(userstr, "ftp") || !strcmp(userstr, "anonymous"))) { snprintf(defaultpass, sizeof(defaultpass), "%s@%s", myname, mydomain); snprintf(prompt, sizeof(prompt), "Password (%s): ", defaultpass); } else if (sec_complete) { pass = myname; } else { *defaultpass = '\0'; snprintf(prompt, sizeof(prompt), "Password: "); } if 
(pass == NULL) { pass = defaultpass; UI_UTIL_read_pw_string (tmp, sizeof (tmp), prompt, 0); if (tmp[0]) pass = tmp; } } n = command ("PASS %s", pass); if (rpass) free(rpass); } if (n == CONTINUE) { aflag++; UI_UTIL_read_pw_string (tmp, sizeof(tmp), "Account:", 0); acctstr = tmp; n = command ("ACCT %s", acctstr); } if (n != COMPLETE) { if (racctstr) free(racctstr); warnx ("Login failed."); return (0); } if (!aflag && acctstr != NULL) command ("ACCT %s", acctstr); if (racctstr) free(racctstr); if (proxy) return (1); for (n = 0; n < macnum; ++n) { if (!strcmp("init", macros[n].mac_name)) { strlcpy (line, "$init", sizeof (line)); makeargv(); domacro(margc, margv); break; } } sec_set_protection_level (); return (1); } void cmdabort (int sig) { printf ("\n"); fflush (stdout); abrtflag++; if (ptflag) longjmp (ptabort, 1); } int command (char *fmt,...) { va_list ap; int r; sighand oldintr; abrtflag = 0; if (cout == NULL) { warn ("No control connection for command"); code = -1; return (0); } oldintr = signal(SIGINT, cmdabort); if(debug){ printf("---> "); if (strncmp("PASS ", fmt, 5) == 0) printf("PASS XXXX"); else { va_start(ap, fmt); vfprintf(stdout, fmt, ap); va_end(ap); } } va_start(ap, fmt); sec_vfprintf(cout, fmt, ap); va_end(ap); if(debug){ printf("\n"); fflush(stdout); } fprintf (cout, "\r\n"); fflush (cout); cpend = 1; r = getreply (!strcmp (fmt, "QUIT")); if (abrtflag && oldintr != SIG_IGN) (*oldintr) (SIGINT); signal (SIGINT, oldintr); return (r); } char reply_string[BUFSIZ]; /* last line of previous reply */ int getreply (int expecteof) { char *p; char *lead_string; int c; struct sigaction sa, osa; char buf[8192]; int reply_code; int long_warn = 0; sigemptyset (&sa.sa_mask); sa.sa_flags = 0; sa.sa_handler = cmdabort; sigaction (SIGINT, &sa, &osa); p = buf; reply_code = 0; while (1) { c = getc (cin); switch (c) { case EOF: if (expecteof) { sigaction (SIGINT, &osa, NULL); code = 221; return 0; } lostpeer (0); if (verbose) { printf ("421 Service not available, " 
"remote server has closed connection\n"); fflush (stdout); } code = 421; return (4); case IAC: c = getc (cin); if (c == WILL || c == WONT) fprintf (cout, "%c%c%c", IAC, DONT, getc (cin)); if (c == DO || c == DONT) fprintf (cout, "%c%c%c", IAC, WONT, getc (cin)); continue; case '\n': *p++ = '\0'; if(isdigit((unsigned char)buf[0])){ sscanf(buf, "%d", &code); if(code == 631){ code = 0; sec_read_msg(buf, prot_safe); sscanf(buf, "%d", &code); lead_string = "S:"; } else if(code == 632){ code = 0; sec_read_msg(buf, prot_private); sscanf(buf, "%d", &code); lead_string = "P:"; }else if(code == 633){ code = 0; sec_read_msg(buf, prot_confidential); sscanf(buf, "%d", &code); lead_string = "C:"; }else if(sec_complete) lead_string = "!!"; else lead_string = ""; if(code != 0 && reply_code == 0) reply_code = code; if (verbose > 0 || (verbose > -1 && code > 499)) fprintf (stdout, "%s%s\n", lead_string, buf); if (code == reply_code && buf[3] == ' ') { strlcpy (reply_string, buf, sizeof(reply_string)); if (code >= 200) cpend = 0; sigaction (SIGINT, &osa, NULL); if (code == 421) lostpeer (0); #if 1 if (abrtflag && osa.sa_handler != cmdabort && osa.sa_handler != SIG_IGN) osa.sa_handler (SIGINT); #endif if (code == 227 || code == 229) { char *q; q = strchr (reply_string, '('); if (q) { q++; strlcpy(pasv, q, sizeof(pasv)); q = strrchr(pasv, ')'); if (q) *q = '\0'; } } return code / 100; } }else{ if(verbose > 0 || (verbose > -1 && code > 499)){ if(sec_complete) fprintf(stdout, "!!"); fprintf(stdout, "%s\n", buf); } } p = buf; long_warn = 0; continue; default: if(p < buf + sizeof(buf) - 1) *p++ = c; else if(long_warn == 0) { fprintf(stderr, "WARNING: incredibly long line received\n"); long_warn = 1; } } } } #if 0 int getreply (int expecteof) { int c, n; int dig; int originalcode = 0, continuation = 0; sighand oldintr; int pflag = 0; char *cp, *pt = pasv; oldintr = signal (SIGINT, cmdabort); for (;;) { dig = n = code = 0; cp = reply_string; while ((c = getc (cin)) != '\n') { if (c == IAC) { 
/* handle telnet commands */ switch (c = getc (cin)) { case WILL: case WONT: c = getc (cin); fprintf (cout, "%c%c%c", IAC, DONT, c); fflush (cout); break; case DO: case DONT: c = getc (cin); fprintf (cout, "%c%c%c", IAC, WONT, c); fflush (cout); break; default: break; } continue; } dig++; if (c == EOF) { if (expecteof) { signal (SIGINT, oldintr); code = 221; return (0); } lostpeer (0); if (verbose) { printf ("421 Service not available, remote server has closed connection\n"); fflush (stdout); } code = 421; return (4); } if (c != '\r' && (verbose > 0 || (verbose > -1 && n == '5' && dig > 4))) { if (proxflag && (dig == 1 || dig == 5 && verbose == 0)) printf ("%s:", hostname); putchar (c); } if (dig < 4 && isdigit (c)) code = code * 10 + (c - '0'); if (!pflag && code == 227) pflag = 1; if (dig > 4 && pflag == 1 && isdigit (c)) pflag = 2; if (pflag == 2) { if (c != '\r' && c != ')') *pt++ = c; else { *pt = '\0'; pflag = 3; } } if (dig == 4 && c == '-') { if (continuation) code = 0; continuation++; } if (n == 0) n = c; if (cp < &reply_string[sizeof (reply_string) - 1]) *cp++ = c; } if (verbose > 0 || verbose > -1 && n == '5') { putchar (c); fflush (stdout); } if (continuation && code != originalcode) { if (originalcode == 0) originalcode = code; continue; } *cp = '\0'; if(sec_complete){ if(code == 631) sec_read_msg(reply_string, prot_safe); else if(code == 632) sec_read_msg(reply_string, prot_private); else if(code == 633) sec_read_msg(reply_string, prot_confidential); n = code / 100 + '0'; } if (n != '1') cpend = 0; signal (SIGINT, oldintr); if (code == 421 || originalcode == 421) lostpeer (0); if (abrtflag && oldintr != cmdabort && oldintr != SIG_IGN) (*oldintr) (SIGINT); return (n - '0'); } } #endif int empty (fd_set * mask, int sec) { struct timeval t; t.tv_sec = sec; t.tv_usec = 0; return (select (FD_SETSIZE, mask, NULL, NULL, &t)); } jmp_buf sendabort; static RETSIGTYPE abortsend (int sig) { mflag = 0; abrtflag = 0; printf ("\nsend aborted\nwaiting for remote to 
finish abort\n"); fflush (stdout); longjmp (sendabort, 1); } #define HASHBYTES 1024 static int copy_stream (FILE * from, FILE * to) { static size_t bufsize; static char *buf; int n; int bytes = 0; int werr = 0; int hashbytes = HASHBYTES; struct stat st; #if defined(HAVE_MMAP) && !defined(NO_MMAP) void *chunk; size_t off; #define BLOCKSIZE (1024 * 1024 * 10) #ifndef MAP_FAILED #define MAP_FAILED (-1) #endif if (fstat (fileno (from), &st) == 0 && S_ISREG (st.st_mode)) { /* * mmap zero bytes has potential of loosing, don't do it. */ if (st.st_size == 0) return 0; off = 0; while (off != st.st_size) { size_t len; ssize_t res; len = st.st_size - off; if (len > BLOCKSIZE) len = BLOCKSIZE; chunk = mmap (0, len, PROT_READ, MAP_SHARED, fileno (from), off); if (chunk == (void *) MAP_FAILED) { if (off == 0) /* try read if mmap doesn't work */ goto try_read; break; } res = sec_write (fileno (to), chunk, len); if (msync (chunk, len, MS_ASYNC)) warn ("msync"); if (munmap (chunk, len) < 0) warn ("munmap"); sec_fflush (to); if (res != len) return off; off += len; } return off; } try_read: #endif buf = alloc_buffer (buf, &bufsize, fstat (fileno (from), &st) >= 0 ? 
&st : NULL); if (buf == NULL) return -1; while ((n = read (fileno (from), buf, bufsize)) > 0) { werr = sec_write (fileno (to), buf, n); if (werr < 0) break; bytes += werr; while (hash && bytes > hashbytes) { putchar ('#'); hashbytes += HASHBYTES; } } sec_fflush (to); if (n < 0) warn ("local"); if (werr < 0) { if (errno != EPIPE) warn ("netout"); bytes = -1; } return bytes; } void sendrequest (char *cmd, char *local, char *remote, char *lmode, int printnames) { struct stat st; struct timeval start, stop; int c, d; FILE *fin, *dout = 0; int (*closefunc) (FILE *); RETSIGTYPE (*oldintr)(int), (*oldintp)(int); long bytes = 0, hashbytes = HASHBYTES; char *rmode = "w"; if (verbose && printnames) { if (strcmp (local, "-") != 0) printf ("local: %s ", local); if (remote) printf ("remote: %s\n", remote); } if (proxy) { proxtrans (cmd, local, remote); return; } if (curtype != type) changetype (type, 0); closefunc = NULL; oldintr = NULL; oldintp = NULL; if (setjmp (sendabort)) { while (cpend) { getreply (0); } if (data >= 0) { close (data); data = -1; } if (oldintr) signal (SIGINT, oldintr); if (oldintp) signal (SIGPIPE, oldintp); code = -1; return; } oldintr = signal (SIGINT, abortsend); if (strcmp (local, "-") == 0) fin = stdin; else if (*local == '|') { oldintp = signal (SIGPIPE, SIG_IGN); fin = popen (local + 1, lmode); if (fin == NULL) { warn ("%s", local + 1); signal (SIGINT, oldintr); signal (SIGPIPE, oldintp); code = -1; return; } closefunc = pclose; } else { fin = fopen (local, lmode); if (fin == NULL) { warn ("local: %s", local); signal (SIGINT, oldintr); code = -1; return; } closefunc = fclose; if (fstat (fileno (fin), &st) < 0 || !S_ISREG(st.st_mode)) { fprintf (stdout, "%s: not a plain file.\n", local); signal (SIGINT, oldintr); fclose (fin); code = -1; return; } } if (initconn ()) { signal (SIGINT, oldintr); if (oldintp) signal (SIGPIPE, oldintp); code = -1; if (closefunc != NULL) (*closefunc) (fin); return; } if (setjmp (sendabort)) goto abort; if (restart_point 
&& (strcmp (cmd, "STOR") == 0 || strcmp (cmd, "APPE") == 0)) { int rc; switch (curtype) { case TYPE_A: rc = fseek (fin, (long) restart_point, SEEK_SET); break; case TYPE_I: case TYPE_L: rc = lseek (fileno (fin), restart_point, SEEK_SET); break; default: abort(); } if (rc < 0) { warn ("local: %s", local); restart_point = 0; if (closefunc != NULL) (*closefunc) (fin); return; } if (command ("REST %ld", (long) restart_point) != CONTINUE) { restart_point = 0; if (closefunc != NULL) (*closefunc) (fin); return; } restart_point = 0; rmode = "r+w"; } if (remote) { if (command ("%s %s", cmd, remote) != PRELIM) { signal (SIGINT, oldintr); if (oldintp) signal (SIGPIPE, oldintp); if (closefunc != NULL) (*closefunc) (fin); return; } } else if (command ("%s", cmd) != PRELIM) { signal(SIGINT, oldintr); if (oldintp) signal(SIGPIPE, oldintp); if (closefunc != NULL) (*closefunc)(fin); return; } dout = dataconn(rmode); if (dout == NULL) goto abort; set_buffer_size (fileno (dout), 0); gettimeofday (&start, (struct timezone *) 0); oldintp = signal (SIGPIPE, SIG_IGN); switch (curtype) { case TYPE_I: case TYPE_L: errno = d = c = 0; bytes = copy_stream (fin, dout); break; case TYPE_A: while ((c = getc (fin)) != EOF) { if (c == '\n') { while (hash && (bytes >= hashbytes)) { putchar ('#'); fflush (stdout); hashbytes += HASHBYTES; } if (ferror (dout)) break; sec_putc ('\r', dout); bytes++; } sec_putc (c, dout); bytes++; } sec_fflush (dout); if (hash) { if (bytes < hashbytes) putchar ('#'); putchar ('\n'); fflush (stdout); } if (ferror (fin)) warn ("local: %s", local); if (ferror (dout)) { if (errno != EPIPE) warn ("netout"); bytes = -1; } break; } if (closefunc != NULL) (*closefunc) (fin); fclose (dout); gettimeofday (&stop, (struct timezone *) 0); getreply (0); signal (SIGINT, oldintr); if (oldintp) signal (SIGPIPE, oldintp); if (bytes > 0) ptransfer ("sent", bytes, &start, &stop); return; abort: signal (SIGINT, oldintr); if (oldintp) signal (SIGPIPE, oldintp); if (!cpend) { code = -1; 
return; } if (data >= 0) { close (data); data = -1; } if (dout) fclose (dout); getreply (0); code = -1; if (closefunc != NULL && fin != NULL) (*closefunc) (fin); gettimeofday (&stop, (struct timezone *) 0); if (bytes > 0) ptransfer ("sent", bytes, &start, &stop); } jmp_buf recvabort; void abortrecv (int sig) { mflag = 0; abrtflag = 0; printf ("\nreceive aborted\nwaiting for remote to finish abort\n"); fflush (stdout); longjmp (recvabort, 1); } void recvrequest (char *cmd, char *local, char *remote, char *lmode, int printnames, int local_given) { FILE *fout = NULL, *din = NULL; int (*closefunc) (FILE *); sighand oldintr, oldintp; int c, d, is_retr, tcrflag, bare_lfs = 0; static size_t bufsize; static char *buf; long bytes = 0, hashbytes = HASHBYTES; struct timeval start, stop; struct stat st; is_retr = strcmp (cmd, "RETR") == 0; if (is_retr && verbose && printnames) { if (strcmp (local, "-") != 0) printf ("local: %s ", local); if (remote) printf ("remote: %s\n", remote); } if (proxy && is_retr) { proxtrans (cmd, local, remote); return; } closefunc = NULL; oldintr = NULL; oldintp = NULL; tcrflag = !crflag && is_retr; if (setjmp (recvabort)) { while (cpend) { getreply (0); } if (data >= 0) { close (data); data = -1; } if (oldintr) signal (SIGINT, oldintr); code = -1; return; } oldintr = signal (SIGINT, abortrecv); if (!local_given || (strcmp(local, "-") && *local != '|')) { if (access (local, 2) < 0) { char *dir = strrchr (local, '/'); if (errno != ENOENT && errno != EACCES) { warn ("local: %s", local); signal (SIGINT, oldintr); code = -1; return; } if (dir != NULL) *dir = 0; d = access (dir ? 
local : ".", 2); if (dir != NULL) *dir = '/'; if (d < 0) { warn ("local: %s", local); signal (SIGINT, oldintr); code = -1; return; } if (!runique && errno == EACCES && chmod (local, 0600) < 0) { warn ("local: %s", local); signal (SIGINT, oldintr); signal (SIGINT, oldintr); code = -1; return; } if (runique && errno == EACCES && (local = gunique (local)) == NULL) { signal (SIGINT, oldintr); code = -1; return; } } else if (runique && (local = gunique (local)) == NULL) { signal(SIGINT, oldintr); code = -1; return; } } if (!is_retr) { if (curtype != TYPE_A) changetype (TYPE_A, 0); } else if (curtype != type) changetype (type, 0); if (initconn ()) { signal (SIGINT, oldintr); code = -1; return; } if (setjmp (recvabort)) goto abort; if (is_retr && restart_point && command ("REST %ld", (long) restart_point) != CONTINUE) return; if (remote) { if (command ("%s %s", cmd, remote) != PRELIM) { signal (SIGINT, oldintr); return; } } else { if (command ("%s", cmd) != PRELIM) { signal (SIGINT, oldintr); return; } } din = dataconn ("r"); if (din == NULL) goto abort; set_buffer_size (fileno (din), 1); if (local_given && strcmp (local, "-") == 0) fout = stdout; else if (local_given && *local == '|') { oldintp = signal (SIGPIPE, SIG_IGN); fout = popen (local + 1, "w"); if (fout == NULL) { warn ("%s", local + 1); goto abort; } closefunc = pclose; } else { fout = fopen (local, lmode); if (fout == NULL) { warn ("local: %s", local); goto abort; } closefunc = fclose; } buf = alloc_buffer (buf, &bufsize, fstat (fileno (fout), &st) >= 0 ? 
&st : NULL); if (buf == NULL) goto abort; gettimeofday (&start, (struct timezone *) 0); switch (curtype) { case TYPE_I: case TYPE_L: if (restart_point && lseek (fileno (fout), restart_point, SEEK_SET) < 0) { warn ("local: %s", local); if (closefunc != NULL) (*closefunc) (fout); return; } errno = d = 0; while ((c = sec_read (fileno (din), buf, bufsize)) > 0) { if ((d = write (fileno (fout), buf, c)) != c) break; bytes += c; if (hash) { while (bytes >= hashbytes) { putchar ('#'); hashbytes += HASHBYTES; } fflush (stdout); } } if (hash && bytes > 0) { if (bytes < HASHBYTES) putchar ('#'); putchar ('\n'); fflush (stdout); } if (c < 0) { if (errno != EPIPE) warn ("netin"); bytes = -1; } if (d < c) { if (d < 0) warn ("local: %s", local); else warnx ("%s: short write", local); } break; case TYPE_A: if (restart_point) { int i, n, ch; if (fseek (fout, 0L, SEEK_SET) < 0) goto done; n = restart_point; for (i = 0; i++ < n;) { if ((ch = sec_getc (fout)) == EOF) goto done; if (ch == '\n') i++; } if (fseek (fout, 0L, SEEK_CUR) < 0) { done: warn ("local: %s", local); if (closefunc != NULL) (*closefunc) (fout); return; } } while ((c = sec_getc(din)) != EOF) { if (c == '\n') bare_lfs++; while (c == '\r') { while (hash && (bytes >= hashbytes)) { putchar ('#'); fflush (stdout); hashbytes += HASHBYTES; } bytes++; if ((c = sec_getc (din)) != '\n' || tcrflag) { if (ferror (fout)) goto break2; putc ('\r', fout); if (c == '\0') { bytes++; goto contin2; } if (c == EOF) goto contin2; } } putc (c, fout); bytes++; contin2:; } break2: if (bare_lfs) { printf ("WARNING! 
%d bare linefeeds received in ASCII mode\n", bare_lfs);
	    printf ("File may not have transferred correctly.\n");
	}
	/* one trailing '#' if the hash marks never caught up with the count */
	if (hash) {
	    if (bytes < hashbytes)
		putchar ('#');
	    putchar ('\n');
	    fflush (stdout);
	}
	if (ferror (din)) {
	    if (errno != EPIPE)
		warn ("netin");
	    bytes = -1;
	}
	if (ferror (fout))
	    warn ("local: %s", local);
	break;
    }
    if (closefunc != NULL)
	(*closefunc) (fout);
    signal (SIGINT, oldintr);
    if (oldintp)
	signal (SIGPIPE, oldintp);
    fclose (din);
    gettimeofday (&stop, (struct timezone *) 0);
    getreply (0);		/* final reply for the transfer */
    if (bytes > 0 && is_retr)
	ptransfer ("received", bytes, &start, &stop);
    return;
abort:
    /* abort using RFC959 recommended IP,SYNC sequence */
    /*
     * NOTE(review): the normal exit above restores SIGPIPE with oldintp,
     * but this line passes oldintr (the saved SIGINT handler); looks like
     * a typo -- confirm before changing.
     */
    if (oldintp)
	signal (SIGPIPE, oldintr);
    signal (SIGINT, SIG_IGN);
    if (!cpend) {
	code = -1;
	signal (SIGINT, oldintr);
	return;
    }
    abort_remote(din);
    code = -1;
    if (data >= 0) {
	close (data);
	data = -1;
    }
    if (closefunc != NULL && fout != NULL)
	(*closefunc) (fout);
    if (din)
	fclose (din);
    gettimeofday (&stop, (struct timezone *) 0);
    if (bytes > 0)
	ptransfer ("received", bytes, &start, &stop);
    signal (SIGINT, oldintr);
}

/*
 * parse_epsv -- parse the text inside the parentheses of a 229 (EPSV)
 * reply, "<d><d><d><port><d>" with <d> any single delimiter character.
 *
 * str:     reply text as stored in `pasv' by getreply(); it comes from
 *          the remote server, so treat it as untrusted.
 * returns: the port in network byte order, or -1 if the text does not
 *          have the expected shape.
 *
 * NOTE(review): the value from strtol() goes straight into htons() with
 * no range check, so a port outside 0..65535 is truncated rather than
 * rejected.
 */
static int
parse_epsv (const char *str)
{
    char sep;
    char *end;
    int port;

    if (*str == '\0')
	return -1;
    sep = *str++;
    if (sep != *str++)
	return -1;
    if (sep != *str++)
	return -1;
    port = strtol (str, &end, 0);
    if (str == end)
	return -1;
    /* exactly one delimiter must follow the number, then end of string */
    if (end[0] != sep || end[1] != '\0')
	return -1;
    return htons(port);
}

/*
 * parse_pasv -- parse the text inside the parentheses of a 227 (PASV)
 * reply into an IPv4 sockaddr.
 *
 * sin4:    zeroed, then filled in with AF_INET, the address and the port.
 * str:     reply text from the remote server; treat it as untrusted.
 * returns: 0 on success; -1, after printing a message, if the string does
 *          not scan as six integers or any of them is outside 0..255.
 *
 * What we've got at this point is a string of comma separated
 * one-byte unsigned integer values.  The first four are an IP
 * address.  The fifth is the MSB of the port number, the sixth is the
 * LSB.  From that we'll prepare a sockaddr_in.
 */
static int
parse_pasv (struct sockaddr_in *sin4, const char *str)
{
    int a0, a1, a2, a3, p0, p1;

    if (sscanf (str, "%d,%d,%d,%d,%d,%d",
		&a0, &a1, &a2, &a3, &p0, &p1) != 6) {
	printf ("Passive mode address scan failure. "
		"Shouldn't happen!\n");
	return -1;
    }
    if (a0 < 0 || a0 > 255 || a1 < 0 || a1 > 255 ||
	a2 < 0 || a2 > 255 || a3 < 0 || a3 > 255 ||
	p0 < 0 || p0 > 255 || p1 < 0 || p1 > 255) {
	printf ("Can't parse passive mode string.\n");
	return -1;
    }
    memset (sin4, 0, sizeof(*sin4));
    sin4->sin_family = AF_INET;
    sin4->sin_addr.s_addr = htonl ((a0 << 24) | (a1 << 16) | (a2 << 8) | a3);
    sin4->sin_port = htons ((p0 << 8) | p1);
    return 0;
}

/*
 * passive_mode -- open the data connection by connecting out to the
 * server (EPSV, falling back to PASV).
 *
 * Side effects: the global `data' holds the connected socket on success;
 * on failure it is closed, data is set to -1 and sendport to 1.
 * returns: 0 on success, 1 on failure.
 *
 * The EPSV branch always connects to the control connection's peer
 * (hisctladdr) and only takes the port from the reply.  The PASV branch
 * connects to whatever address the server put in the reply; nothing
 * here compares that address with hisctladdr.
 */
static int
passive_mode (void)
{
    int port;

    data = socket (myctladdr->sa_family, SOCK_STREAM, 0);
    if (data < 0) {
	warn ("socket");
	return (1);
    }
    if (options & SO_DEBUG)
	socket_set_debug (data);
    if (command ("EPSV") != COMPLETE) {
	if (command ("PASV") != COMPLETE) {
	    printf ("Passive mode refused.\n");
	    goto bad;
	}
    }

    /*
     * Parse the reply to EPSV or PASV
     */
    /*
     * `pasv' holds the parenthesised part of the last 227/229 reply.
     * parse_epsv() returns -1 for a string that is not in EPSV form and
     * a network-order port otherwise, so a PASV reply -- or an EPSV reply
     * whose port is 0 -- falls through to parse_pasv().
     */
    port = parse_epsv (pasv);
    if (port > 0) {
	data_addr->sa_family = myctladdr->sa_family;
	socket_set_address_and_port (data_addr,
				     socket_get_address (hisctladdr),
				     port);
    } else {
	if (parse_pasv ((struct sockaddr_in *)data_addr, pasv) < 0)
	    goto bad;
    }
    if (connect (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
	warn ("connect");
	goto bad;
    }
#ifdef IPTOS_THROUGHPUT
    socket_set_tos (data, IPTOS_THROUGHPUT);
#endif
    return (0);
bad:
    close (data);
    data = -1;
    sendport = 1;
    return (1);
}

/*
 * active_mode -- open the data connection by listening and letting the
 * server connect back (EPRT, falling back to PORT).
 *
 * Side effects: the global `data' becomes the listening socket (an
 * earlier one is closed first); data_addr is bound and then refreshed
 * with getsockname().  When sendport is set the address/port are
 * announced with EPRT, or with PORT when EPRT returns ERROR on an
 * AF_INET socket.  If PORT also fails and sendport is -1, the function
 * retries once with sendport = 0, i.e. bound to the control connection's
 * local port (tmpno remembers to restore sendport = 1 afterwards).
 * returns: 0 on success, 1 on failure.
 *
 * verbose is forced to -1 around the EPRT command (unless debugging) so
 * the expected failure on servers without EPRT is not printed.
 */
static int
active_mode (void)
{
    int tmpno = 0;
    socklen_t len;
    int result;

noport:
    data_addr->sa_family = myctladdr->sa_family;
    socket_set_address_and_port (data_addr,
				 socket_get_address (myctladdr),
				 sendport ? 0 : socket_get_port (myctladdr));
    if (data != -1)
	close (data);
    data = socket (data_addr->sa_family, SOCK_STREAM, 0);
    if (data < 0) {
	warn ("socket");
	if (tmpno)
	    sendport = 1;
	return (1);
    }
    /* re-binding the control connection's port needs SO_REUSEADDR */
    if (!sendport)
	socket_set_reuseaddr (data, 1);
    if (bind (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
	warn ("bind");
	goto bad;
    }
    if (options & SO_DEBUG)
	socket_set_debug (data);
    len = sizeof (data_addr_ss);
    if (getsockname (data, data_addr, &len) < 0) {
	warn ("getsockname");
	goto bad;
    }
    /* a failed listen() is only reported; the function carries on */
    if (listen (data, 1) < 0)
	warn ("listen");
    if (sendport) {
	char addr_str[256];
	int inet_af;
	int overbose;

	if (inet_ntop (data_addr->sa_family,
		       socket_get_address (data_addr),
		       addr_str, sizeof(addr_str)) == NULL)
	    errx (1, "inet_ntop failed");
	switch (data_addr->sa_family) {
	case AF_INET :
	    inet_af = 1;
	    break;
#ifdef HAVE_IPV6
	case AF_INET6 :
	    inet_af = 2;
	    break;
#endif
	default :
	    errx (1, "bad address family %d", data_addr->sa_family);
	}

	overbose = verbose;
	if (debug == 0)
	    verbose = -1;

	result = command ("EPRT |%d|%s|%d|",
			  inet_af, addr_str,
			  ntohs(socket_get_port (data_addr)));
	verbose = overbose;

	if (result == ERROR) {
	    /*
	     * NOTE(review): a and p are read through the sockaddr_in view
	     * before the family check below; they are only reads, but the
	     * check could come first.
	     */
	    struct sockaddr_in *sin4 = (struct sockaddr_in *)data_addr;
	    unsigned int a = ntohl(sin4->sin_addr.s_addr);
	    unsigned int p = ntohs(sin4->sin_port);

	    if (data_addr->sa_family != AF_INET) {
		warnx ("remote server doesn't support EPRT");
		goto bad;
	    }

	    result = command("PORT %d,%d,%d,%d,%d,%d",
			     (a >> 24) & 0xff,
			     (a >> 16) & 0xff,
			     (a >> 8) & 0xff,
			     a & 0xff,
			     (p >> 8) & 0xff,
			     p & 0xff);
	    if (result == ERROR && sendport == -1) {
		sendport = 0;
		tmpno = 1;
		goto noport;
	    }
	    return (result != COMPLETE);
	}
	return result != COMPLETE;
    }
    if (tmpno)
	sendport = 1;
#ifdef IPTOS_THROUGHPUT
    socket_set_tos (data, IPTOS_THROUGHPUT);
#endif
    return (0);
bad:
    close (data);
    data = -1;
    if (tmpno)
	sendport = 1;
    return (1);
}

/*
 * Need to start a listen on the data channel before we send the command,
 * otherwise the server's connect may fail.
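 */
int
initconn (void)
{
    /* Dispatch on the global `passivemode' flag set by the user. */
    if (passivemode)
	return passive_mode ();
    else
	return active_mode ();
}

/*
 * Turn the prepared data socket into a stdio stream.
 *
 * lmode: fopen-style mode string for the resulting FILE.
 *
 * In passive mode the socket is already connected.  In active mode this
 * accepts the incoming connection and replaces `data' with the accepted
 * socket.  Returns NULL (with `data' closed) if accept() fails.
 *
 * NOTE(review): the peer address returned in `from' is never compared
 * against the address of the control connection, so whichever host
 * connects first is taken as the server's data channel.  Comparing
 * `from' with hisctladdr before fdopen() would close that gap; it is
 * left unchanged here because proxy transfers may depend on it.
 */
FILE *
dataconn (const char *lmode)
{
    struct sockaddr_storage from_ss;
    struct sockaddr *from = (struct sockaddr *)&from_ss;
    socklen_t fromlen = sizeof(from_ss);
    int s;

    if (passivemode)
	return (fdopen (data, lmode));

    s = accept (data, from, &fromlen);
    if (s < 0) {
	warn ("accept");
	close (data), data = -1;
	return (NULL);
    }
    close (data);
    data = s;
#ifdef IPTOS_THROUGHPUT
    socket_set_tos (s, IPTOS_THROUGHPUT);
#endif
    return (fdopen (data, lmode));
}

/*
 * Print a transfer summary ("N bytes received in S seconds (R kbyte/s)")
 * when `verbose' is set.
 *
 * direction: "sent" or "received" (printed verbatim).
 * bytes:     number of bytes transferred.
 * t0, t1:    start and end timestamps.
 */
void
ptransfer (char *direction, long int bytes,
	   struct timeval * t0, struct timeval * t1)
{
    struct timeval td;
    float s;
    float bs;
    int prec;
    char *unit;

    if (verbose) {
	td.tv_sec = t1->tv_sec - t0->tv_sec;
	td.tv_usec = t1->tv_usec - t0->tv_usec;
	if (td.tv_usec < 0) {
	    td.tv_sec--;
	    td.tv_usec += 1000000;
	}
	s = td.tv_sec + (td.tv_usec / 1000000.);
	/* Avoid a division by zero for sub-microsecond transfers. */
	bs = bytes / (s ? s : 1);
	if (bs >= 1048576) {
	    bs /= 1048576;
	    unit = "M";
	    prec = 2;
	} else if (bs >= 1024) {
	    bs /= 1024;
	    unit = "k";
	    prec = 1;
	} else {
	    unit = "";
	    prec = 0;
	}
	printf ("%ld bytes %s in %.3g seconds (%.*f %sbyte/s)\n",
		bytes, direction, s, prec, bs, unit);
    }
}

/* SIGINT handler installed while pswitch() runs: just record the signal. */
void
psabort (int sig)
{
    abrtflag++;
}

/*
 * Swap the connection state between the primary server and the proxy.
 *
 * flag: non-zero switches to the proxy connection, zero switches back.
 *
 * All per-connection globals (addresses, streams, type, name-mapping
 * tables, ...) are saved into one static `comvars' and restored from the
 * other.  A SIGINT arriving during the swap is deferred and re-raised to
 * the previous handler afterwards.
 */
void
pswitch (int flag)
{
    sighand oldintr;
    static struct comvars {
	int connect;
	char name[MaxHostNameLen];
	struct sockaddr_storage mctl;
	struct sockaddr_storage hctl;
	FILE *in;
	FILE *out;
	int tpe;
	int curtpe;
	int cpnd;
	int sunqe;
	int runqe;
	int mcse;
	int ntflg;
	char nti[17];
	char nto[17];
	int mapflg;
	char mi[MaxPathLen];
	char mo[MaxPathLen];
    } proxstruct, tmpstruct;
    struct comvars *ip, *op;

    abrtflag = 0;
    oldintr = signal (SIGINT, psabort);
    if (flag) {
	if (proxy)
	    return;
	ip = &tmpstruct;
	op = &proxstruct;
	proxy++;
    } else {
	if (!proxy)
	    return;
	ip = &proxstruct;
	op = &tmpstruct;
	proxy = 0;
    }
    ip->connect = connected;
    connected = op->connect;
    if (hostname) {
	strlcpy (ip->name, hostname, sizeof (ip->name));
    } else
	ip->name[0] = 0;
    hostname = op->name;
    ip->hctl = hisctladdr_ss;
    hisctladdr_ss = op->hctl;
    ip->mctl = myctladdr_ss;
    myctladdr_ss = op->mctl;
    ip->in = cin;
    cin = op->in;
    ip->out = cout;
    cout = op->out;
    ip->tpe = type;
    type = op->tpe;
    ip->curtpe = curtype;
    curtype = op->curtpe;
    ip->cpnd = cpend;
    cpend = op->cpnd;
    ip->sunqe = sunique;
    sunique = op->sunqe;
    ip->runqe = runique;
    runique = op->runqe;
    ip->mcse = mcase;
    mcase = op->mcse;
    ip->ntflg = ntflag;
    ntflag = op->ntflg;
    strlcpy (ip->nti, ntin, sizeof (ip->nti));
    strlcpy (ntin, op->nti, 17);
    strlcpy (ip->nto, ntout, sizeof (ip->nto));
    strlcpy (ntout, op->nto, 17);
    ip->mapflg = mapflag;
    mapflag = op->mapflg;
    strlcpy (ip->mi, mapin, MaxPathLen);
    strlcpy (mapin, op->mi, MaxPathLen);
    strlcpy (ip->mo, mapout, MaxPathLen);
    strlcpy (mapout, op->mo, MaxPathLen);
    signal(SIGINT, oldintr);
    if (abrtflag) {
	abrtflag = 0;
	(*oldintr) (SIGINT);
    }
}

/* SIGINT handler for proxy transfers: flag the abort and unwind to proxtrans. */
void
abortpt (int sig)
{
    printf ("\n");
    fflush (stdout);
    ptabflg++;
    mflag = 0;
    abrtflag = 0;
    longjmp (ptabort, 1);
}

/*
 * Third-party (proxy) transfer: have the proxy server and the primary
 * server exchange a file directly.
 *
 * cmd:    "RETR" or a store command issued to the proxy.
 * local:  file name on the proxy side.
 * remote: file name on the primary side.
 *
 * The `abort:' path is reached via longjmp from abortpt() and tries to
 * cancel whichever half of the transfer is pending before restoring the
 * connection state.
 */
void
proxtrans (char *cmd, char *local, char *remote)
{
    sighand oldintr = NULL;
    int secndflag = 0, prox_type, nfnd;
    char *cmd2;
    fd_set mask;

    if (strcmp (cmd, "RETR"))
	cmd2 = "RETR";
    else
	cmd2 = runique ? "STOU" : "STOR";
    if ((prox_type = type) == 0) {
	if (unix_server && unix_proxy)
	    prox_type = TYPE_I;
	else
	    prox_type = TYPE_A;
    }
    if (curtype != prox_type)
	changetype (prox_type, 1);
    if (command ("PASV") != COMPLETE) {
	printf ("proxy server does not support third party transfers.\n");
	return;
    }
    pswitch (0);
    if (!connected) {
	printf ("No primary connection\n");
	pswitch (1);
	code = -1;
	return;
    }
    if (curtype != prox_type)
	changetype (prox_type, 1);
    if (command ("PORT %s", pasv) != COMPLETE) {
	pswitch (1);
	return;
    }
    if (setjmp (ptabort))
	goto abort;
    oldintr = signal (SIGINT, abortpt);
    if (command ("%s %s", cmd, remote) != PRELIM) {
	signal (SIGINT, oldintr);
	pswitch (1);
	return;
    }
    sleep (2);
    pswitch (1);
    secndflag++;
    if (command ("%s %s", cmd2, local) != PRELIM)
	goto abort;
    ptflag++;
    getreply (0);
    pswitch (0);
    getreply (0);
    signal (SIGINT, oldintr);
    pswitch (1);
    ptflag = 0;
    printf ("local: %s remote: %s\n", local, remote);
    return;
abort:
    signal (SIGINT, SIG_IGN);
    ptflag = 0;
    if (strcmp (cmd, "RETR") && !proxy)
	pswitch (1);
    else if (!strcmp (cmd, "RETR") && proxy)
	pswitch (0);
    if (!cpend && !secndflag) {	/* only here if cmd = "STOR" (proxy=1) */
	if (command ("%s %s", cmd2, local) != PRELIM) {
	    pswitch (0);
	    if (cpend)
		abort_remote ((FILE *) NULL);
	}
	pswitch (1);
	if (ptabflg)
	    code = -1;
	if (oldintr)
	    signal (SIGINT, oldintr);
	return;
    }
    if (cpend)
	abort_remote ((FILE *) NULL);
    pswitch (!proxy);
    if (!cpend && !secndflag) {	/* only if cmd = "RETR" (proxy=1) */
	if (command ("%s %s", cmd2, local) != PRELIM) {
	    pswitch (0);
	    if (cpend)
		abort_remote ((FILE *) NULL);
	    pswitch (1);
	    if (ptabflg)
		code = -1;
	    signal (SIGINT, oldintr);
	    return;
	}
    }
    if (cpend)
	abort_remote ((FILE *) NULL);
    pswitch (!proxy);
    if (cpend) {
	FD_ZERO (&mask);
	if (fileno(cin) >= FD_SETSIZE)
	    errx (1, "fd too large");
	FD_SET (fileno (cin), &mask);
	if ((nfnd = empty (&mask, 10)) <= 0) {
	    if (nfnd < 0) {
		warn ("abort");
	    }
	    if (ptabflg)
		code = -1;
	    lostpeer (0);
	}
	getreply (0);
	getreply (0);
    }
    if (proxy)
	pswitch (0);
    pswitch (1);
    if (ptabflg)
	code = -1;
    signal (SIGINT, oldintr);
}

/*
 * "reset" command: drain any pending replies from the control connection
 * so the command/reply sequence is back in sync.  argc/argv are unused.
 */
void
reset (int argc, char **argv)
{
    fd_set mask;
    int nfnd = 1;

    FD_ZERO (&mask);
    while (nfnd > 0) {
	int fd = fileno(cin);
	if (fd >= FD_SETSIZE)
	    errx (1, "fd too large");
	FD_SET (fd, &mask);
	if ((nfnd = empty (&mask, 0)) < 0) {
	    warn ("reset");
	    code = -1;
	    lostpeer(0);
	} else if (nfnd) {
	    getreply(0);
	}
    }
}

/*
 * Derive a unique local file name from `local' by appending ".1", ".2",
 * ... ".99" until a name that does not exist is found.
 *
 * Returns a pointer to a static buffer holding the new name, or NULL if
 * the directory is not writable, the name is too long, or no free name
 * exists within 99 tries.  The returned buffer is overwritten by the
 * next call.
 */
char *
gunique (char *local)
{
    static char new[MaxPathLen];
    char *cp = strrchr (local, '/');
    int d, count = 0;
    char ext = '1';

    if (cp)
	*cp = '\0';
    d = access (cp ? local : ".", 2);
    if (cp)
	*cp = '/';
    if (d < 0) {
	warn ("local: %s", local);
	return NULL;
    }
    /*
     * The loop below appends '.' plus up to two digits plus the NUL
     * past the copied name, so the name must leave four bytes spare;
     * otherwise those writes run past the end of `new'.
     */
    if (strlen (local) + 4 > sizeof (new)) {
	printf ("runique: local file name too long.\n");
	return NULL;
    }
    strlcpy (new, local, sizeof(new));
    cp = new + strlen(new);
    *cp++ = '.';
    while (!d) {
	if (++count == 100) {
	    printf ("runique: can't find unique file name.\n");
	    return NULL;
	}
	*cp++ = ext;
	*cp = '\0';
	if (ext == '9')
	    ext = '0';
	else
	    ext++;
	if ((d = access (new, 0)) < 0)
	    break;
	/* Advance the suffix: ".9" -> ".10", ".19" -> ".20", and so on. */
	if (ext != '0')
	    cp--;
	else if (*(cp - 2) == '.')
	    *(cp - 1) = '1';
	else {
	    *(cp - 2) = *(cp - 2) + 1;
	    cp--;
	}
    }
    return (new);
}

/*
 * Abort an in-progress transfer with the RFC 959 IP/SYNC sequence and
 * ABOR, then drain the data stream `din' (may be NULL) and collect the
 * server's replies.
 */
void
abort_remote (FILE * din)
{
    char buf[BUFSIZ];
    int nfnd;
    fd_set mask;
    int din_fd = -1;

    /*
     * send IAC in urgent mode instead of DM because 4.3BSD places oob mark
     * after urgent byte rather than before as is protocol now
     */
    snprintf (buf, sizeof (buf), "%c%c%c", IAC, IP, IAC);
    if (send (fileno (cout), buf, 3, MSG_OOB) != 3)
	warn ("abort");
    fprintf (cout, "%c", DM);
    sec_fprintf(cout, "ABOR");
    sec_fflush (cout);
    fprintf (cout, "\r\n");
    fflush(cout);
    FD_ZERO (&mask);
    if (fileno (cin) >= FD_SETSIZE)
	errx (1, "fd too large");
    FD_SET (fileno (cin), &mask);
    if (din) {
	din_fd = fileno (din);
	if (din_fd >= FD_SETSIZE)
	    errx (1, "fd too large");
	FD_SET (din_fd, &mask);
    }
    if ((nfnd = empty (&mask, 10)) <= 0) {
	if (nfnd < 0) {
	    warn ("abort");
	}
	if (ptabflg)
	    code = -1;
	lostpeer (0);
    }
    if (din && FD_ISSET (din_fd, &mask)) {
	/* Discard whatever data is still queued on the data connection. */
	while (read (din_fd, buf, BUFSIZ) > 0)
	    /* LOOP */ ;
    }
    if (getreply (0) == ERROR && code == 552) {
	/* 552 needed for nic style abort */
	getreply (0);
    }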
getreply (0); } heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/ftp_locl.h000066400000000000000000000065611257755311500217440ustar00rootroot00000000000000/* * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ /* $Id$ */ #ifndef __FTP_LOCL_H__ #define __FTP_LOCL_H__ #ifdef HAVE_CONFIG_H #include #endif #ifdef HAVE_PWD_H #include #endif #include #include #include #include #include #ifdef TIME_WITH_SYS_TIME #include #include #elif defined(HAVE_SYS_TIME_H) #include #else #include #endif #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_PARAM_H #include #endif #ifdef HAVE_SYS_RESOURCE_H #include #endif #ifdef HAVE_SYS_WAIT_H #include #endif #ifdef HAVE_SYS_STAT_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_NETINET_IN_SYSTM_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif #ifdef HAVE_ARPA_FTP_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_ARPA_TELNET_H #include #endif #include #include #include #ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_SYS_MMAN_H #include #endif #include #ifdef SOCKS #include extern int LIBPREFIX(fclose) (FILE *); /* This doesn't belong here. */ struct tm *localtime(const time_t *); struct hostent *gethostbyname(const char *); #endif #include "ftp_var.h" #include "extern.h" #include "common.h" #include "pathnames.h" #include "roken.h" #include "security.h" /* des_read_pw_string */ #include "crypto-headers.h" #if defined(__sun__) && !defined(__svr4) int fclose(FILE*); int pclose(FILE*); #endif #endif /* __FTP_LOCL_H__ */ heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/ftp_var.h000066400000000000000000000133441257755311500216000ustar00rootroot00000000000000/* * Copyright (c) 1985, 1989, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)ftp_var.h 8.4 (Berkeley) 10/9/94 */ /* * FTP global variables. */ #ifdef HAVE_SYS_PARAM_H #include #endif #include /* * Options and other state info. 
*/ extern int trace; /* trace packets exchanged */ extern int hash; /* print # for each buffer transferred */ extern int sendport; /* use PORT cmd for each data connection */ extern int verbose; /* print messages coming back from server */ extern int connected; /* connected to server */ extern int fromatty; /* input is from a terminal */ extern int interactive; /* interactively prompt on m* cmds */ extern int lineedit; /* use line-editing */ extern int debug; /* debugging level */ extern int bell; /* ring bell on cmd completion */ extern int doglob; /* glob local file names */ extern int autologin; /* establish user account on connection */ extern int doencrypt; extern int proxy; /* proxy server connection active */ extern int proxflag; /* proxy connection exists */ extern int sunique; /* store files on server with unique name */ extern int runique; /* store local files with unique name */ extern int mcase; /* map upper to lower case for mget names */ extern int ntflag; /* use ntin ntout tables for name translation */ extern int mapflag; /* use mapin mapout templates on file names */ extern int code; /* return/reply code for ftp command */ extern int crflag; /* if 1, strip car. rets. 
on ascii gets */ extern char pasv[64]; /* passive port for proxy data connection */ extern int passivemode; /* passive mode enabled */ extern char *altarg; /* argv[1] with no shell-like preprocessing */ extern char ntin[17]; /* input translation table */ extern char ntout[17]; /* output translation table */ extern char mapin[MaxPathLen]; /* input map template */ extern char mapout[MaxPathLen]; /* output map template */ extern char typename[32]; /* name of file transfer type */ extern int type; /* requested file transfer type */ extern int curtype; /* current file transfer type */ extern char structname[32]; /* name of file transfer structure */ extern int stru; /* file transfer structure */ extern char formname[32]; /* name of file transfer format */ extern int form; /* file transfer format */ extern char modename[32]; /* name of file transfer mode */ extern int mode; /* file transfer mode */ extern char bytename[32]; /* local byte size in ascii */ extern int bytesize; /* local byte size in binary */ extern char *hostname; /* name of host connected to */ extern int unix_server; /* server is unix, can use binary for ascii */ extern int unix_proxy; /* proxy is unix, can use binary for ascii */ extern jmp_buf toplevel; /* non-local goto stuff for cmd scanner */ extern char line[200]; /* input line buffer */ extern char *stringbase; /* current scan point in line buffer */ extern char argbuf[200]; /* argument storage buffer */ extern char *argbase; /* current storage point in arg buffer */ extern int margc; /* count of arguments on input line */ extern char **margv; /* args parsed from input line */ extern int margvlen; /* how large margv is currently */ extern int cpend; /* flag: if != 0, then pending server reply */ extern int mflag; /* flag: if != 0, then active multi command */ extern int options; /* used during socket creation */ extern int use_kerberos; /* use Kerberos authentication */ /* * Format of command table. 
*/ struct cmd { char *c_name; /* name of command */ char *c_help; /* help string */ char c_bell; /* give bell when command completes */ char c_conn; /* must be connected to use command */ char c_proxy; /* proxy server may execute */ void (*c_handler) (int, char **); /* function to call */ }; struct macel { char mac_name[9]; /* macro name */ char *mac_start; /* start of macro in macbuf */ char *mac_end; /* end of macro in macbuf */ }; extern int macnum; /* number of defined macros */ extern struct macel macros[16]; extern char macbuf[4096]; heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/globals.c000066400000000000000000000061561257755311500215600ustar00rootroot00000000000000#include "ftp_locl.h" RCSID("$Id$"); /* * Options and other state info. */ int trace; /* trace packets exchanged */ int hash; /* print # for each buffer transferred */ int sendport; /* use PORT cmd for each data connection */ int verbose; /* print messages coming back from server */ int connected; /* connected to server */ int fromatty; /* input is from a terminal */ int interactive; /* interactively prompt on m* cmds */ int lineedit; /* use line-editing */ int debug; /* debugging level */ int bell; /* ring bell on cmd completion */ int doglob; /* glob local file names */ int doencrypt; /* try to use encryption */ int autologin; /* establish user account on connection */ int proxy; /* proxy server connection active */ int proxflag; /* proxy connection exists */ int sunique; /* store files on server with unique name */ int runique; /* store local files with unique name */ int mcase; /* map upper to lower case for mget names */ int ntflag; /* use ntin ntout tables for name translation */ int mapflag; /* use mapin mapout templates on file names */ int code; /* return/reply code for ftp command */ int crflag; /* if 1, strip car. rets. 
on ascii gets */ char pasv[64]; /* passive port for proxy data connection */ int passivemode; /* passive mode enabled */ char *altarg; /* argv[1] with no shell-like preprocessing */ char ntin[17]; /* input translation table */ char ntout[17]; /* output translation table */ char mapin[MaxPathLen]; /* input map template */ char mapout[MaxPathLen]; /* output map template */ char typename[32]; /* name of file transfer type */ int type; /* requested file transfer type */ int curtype; /* current file transfer type */ char structname[32]; /* name of file transfer structure */ int stru; /* file transfer structure */ char formname[32]; /* name of file transfer format */ int form; /* file transfer format */ char modename[32]; /* name of file transfer mode */ int mode; /* file transfer mode */ char bytename[32]; /* local byte size in ascii */ int bytesize; /* local byte size in binary */ char *hostname; /* name of host connected to */ int unix_server; /* server is unix, can use binary for ascii */ int unix_proxy; /* proxy is unix, can use binary for ascii */ jmp_buf toplevel; /* non-local goto stuff for cmd scanner */ char line[200]; /* input line buffer */ char *stringbase; /* current scan point in line buffer */ char argbuf[200]; /* argument storage buffer */ char *argbase; /* current storage point in arg buffer */ int margc; /* count of arguments on input line */ char **margv; /* args parsed from input line */ int margvlen; /* how large margv is currently */ int cpend; /* flag: if != 0, then pending server reply */ int mflag; /* flag: if != 0, then active multi command */ int options; /* used during socket creation */ int use_kerberos; /* use Kerberos authentication */ /* * Format of command table. 
*/ int macnum; /* number of defined macros */ struct macel macros[16]; char macbuf[4096]; char username[32]; /* these are set in ruserpassword */ char myhostname[MaxHostNameLen]; char *mydomain; heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/gssapi.c000066400000000000000000000302731257755311500214200ustar00rootroot00000000000000/* * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
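 */

#ifdef FTP_SERVER
#include "ftpd_locl.h"
#else
#include "ftp_locl.h"
#endif
/* NOTE(review): the names of the next three system headers were lost in
 * extraction; they are reproduced as found. */
#include
#include
#include

RCSID("$Id$");

/* Tunables shared by the client and server halves of this file. */
int ftp_do_gss_bindings = 0;	/* send channel bindings with the context */
int ftp_do_gss_delegate = 1;	/* ask for credential delegation (client) */

/* Per-session GSS-API state kept behind the security mechanism's app_data. */
struct gssapi_data {
    gss_ctx_id_t context_hdl;
    gss_name_t client_name;
    gss_cred_id_t delegated_cred_handle;
    void *mech_data;
};

/*
 * Mechanism init hook: reset the context and delegated credential.
 * Returns 0 to enable the mechanism; on the client with KRB5 it is
 * disabled (non-zero) unless `use_kerberos' is set.
 */
static int
gss_init(void *app_data)
{
    struct gssapi_data *d = app_data;
    d->context_hdl = GSS_C_NO_CONTEXT;
    d->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
#if defined(FTP_SERVER)
    return 0;
#else
    /* XXX Check the gss mechanism; with gss_indicate_mechs() ? */
#ifdef KRB5
    return !use_kerberos;
#else
    return 0;
#endif /* KRB5 */
#endif /* FTP_SERVER */
}

/* Protection levels supported: everything except "confidential" (C). */
static int
gss_check_prot(void *app_data, int level)
{
    if(level == prot_confidential)
	return -1;
    return 0;
}

/*
 * Unwrap `len' bytes at `buf' in place.
 *
 * Returns the unwrapped length, or -1 if gss_unwrap() fails or the
 * unwrapped data would not fit back into `buf'.  The size check is
 * needed because `buf' is only known to hold `len' bytes and the
 * unwrapped payload is produced by the peer.
 *
 * NOTE(review): conf_state (whether the token was actually encrypted) is
 * not compared against `level'; a peer can send an integrity-only token
 * on a channel the user set to private.  Left as-is pending a check of
 * how the caller negotiates levels.
 */
static int
gss_decode(void *app_data, void *buf, int len, int level)
{
    OM_uint32 maj_stat, min_stat;
    gss_buffer_desc input, output;
    gss_qop_t qop_state;
    int conf_state;
    struct gssapi_data *d = app_data;
    size_t ret_len;

    input.length = len;
    input.value = buf;
    maj_stat = gss_unwrap (&min_stat, d->context_hdl, &input,
			   &output, &conf_state, &qop_state);
    if(GSS_ERROR(maj_stat))
	return -1;
    if (len < 0 || output.length > (size_t)len) {
	gss_release_buffer(&min_stat, &output);
	return -1;
    }
    memmove(buf, output.value, output.length);
    ret_len = output.length;
    gss_release_buffer(&min_stat, &output);
    return ret_len;
}

/* Upper bound on the per-message wrap overhead; a fixed guess. */
static int
gss_overhead(void *app_data, int level, int len)
{
    return 100; /* dunno? */
}

/*
 * Wrap `length' bytes at `from' into a freshly allocated token at *to,
 * encrypting when `level' is prot_private.  Returns the token length.
 *
 * `output' is zeroed first so that a failed gss_wrap() hands back
 * NULL/0 instead of uninitialized stack contents.
 */
static int
gss_encode(void *app_data, void *from, int length, int level, void **to)
{
    OM_uint32 min_stat;
    gss_buffer_desc input, output;
    int conf_state;
    struct gssapi_data *d = app_data;

    input.length = length;
    input.value = from;
    output.length = 0;
    output.value = NULL;
    /* XXX We should really display the major status... */
    (void) gss_wrap(&min_stat, d->context_hdl, level == prot_private,
		    GSS_C_QOP_DEFAULT, &input, &conf_state, &output);
    *to = output.value;
    return output.length;
}

/*
 * Point a GSS address buffer at the raw address inside `sa' and set the
 * matching GSS address type.  Exits on an unknown family.
 */
static void
sockaddr_to_gss_address (struct sockaddr *sa,
			 OM_uint32 *addr_type,
			 gss_buffer_desc *gss_addr)
{
    switch (sa->sa_family) {
#ifdef HAVE_IPV6
    case AF_INET6 : {
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;

	gss_addr->length = 16;
	gss_addr->value  = &sin6->sin6_addr;
	*addr_type       = GSS_C_AF_INET6;
	break;
    }
#endif
    case AF_INET : {
	struct sockaddr_in *sin4 = (struct sockaddr_in *)sa;

	gss_addr->length = 4;
	gss_addr->value  = &sin4->sin_addr;
	*addr_type       = GSS_C_AF_INET;
	break;
    }
    default :
	errx (1, "unknown address family %d", sa->sa_family);
    }
}

/* end common stuff */

#ifdef FTP_SERVER

/*
 * Server side: process one ADAT token from the client and send the
 * 235/335/431 reply.  Returns 0, or -1 if the reply token could not be
 * base64-encoded.
 *
 * client_name starts as GSS_C_NO_NAME so the release at the end is
 * well-defined when gss_accept_sec_context() fails without setting it.
 */
static int
gss_adat(void *app_data, void *buf, size_t len)
{
    char *p = NULL;
    gss_buffer_desc input_token, output_token;
    OM_uint32 maj_stat, min_stat;
    gss_name_t client_name = GSS_C_NO_NAME;
    struct gssapi_data *d = app_data;
    gss_channel_bindings_t bindings;

    if (ftp_do_gss_bindings) {
	bindings = malloc(sizeof(*bindings));
	if (bindings == NULL)
	    errx(1, "out of memory");

	sockaddr_to_gss_address (his_addr,
				 &bindings->initiator_addrtype,
				 &bindings->initiator_address);
	sockaddr_to_gss_address (ctrl_addr,
				 &bindings->acceptor_addrtype,
				 &bindings->acceptor_address);

	bindings->application_data.length = 0;
	bindings->application_data.value = NULL;
    } else
	bindings = GSS_C_NO_CHANNEL_BINDINGS;

    input_token.value = buf;
    input_token.length = len;

    maj_stat = gss_accept_sec_context (&min_stat,
				       &d->context_hdl,
				       GSS_C_NO_CREDENTIAL,
				       &input_token,
				       bindings,
				       &client_name,
				       NULL,
				       &output_token,
				       NULL,
				       NULL,
				       &d->delegated_cred_handle);

    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
	free(bindings);

    if(output_token.length) {
	if(rk_base64_encode(output_token.value, output_token.length, &p) < 0) {
	    /* Release what we hold before bailing out. */
	    gss_release_buffer(&min_stat, &output_token);
	    if (client_name)
		gss_release_name(&min_stat, &client_name);
	    reply(535, "Out of memory base64-encoding.");
	    return -1;
	}
	gss_release_buffer(&min_stat, &output_token);
    }
    if(maj_stat == GSS_S_COMPLETE){
	d->client_name = client_name;
	client_name = GSS_C_NO_NAME;
	if(p)
	    reply(235, "ADAT=%s", p);
	else
	    reply(235, "ADAT Complete");
	sec_complete = 1;

    } else if(maj_stat == GSS_S_CONTINUE_NEEDED) {
	if(p)
	    reply(335, "ADAT=%s", p);
	else
	    reply(335, "OK, need more data");
    } else {
	OM_uint32 new_stat;
	OM_uint32 msg_ctx = 0;
	gss_buffer_desc status_string;
	gss_display_status(&new_stat,
			   min_stat,
			   GSS_C_MECH_CODE,
			   GSS_C_NO_OID,
			   &msg_ctx,
			   &status_string);
	syslog(LOG_ERR, "gss_accept_sec_context: %.*s",
	       (int)status_string.length,
	       (char*)status_string.value);
	gss_release_buffer(&new_stat, &status_string);
	reply(431, "Security resource unavailable");
    }

    if (client_name)
	gss_release_name(&min_stat, &client_name);
    free(p);
    return 0;
}

int gssapi_userok(void*, char*);
int gssapi_session(void*, char*);

struct sec_server_mech gss_server_mech = {
    "GSSAPI",
    sizeof(struct gssapi_data),
    gss_init, /* init */
    NULL, /* end */
    gss_check_prot,
    gss_overhead,
    gss_encode,
    gss_decode,
    /* */
    NULL,
    gss_adat,
    NULL, /* pbsz */
    NULL, /* ccc */
    gssapi_userok,
    gssapi_session
};

#else /* FTP_SERVER */

extern struct sockaddr *hisctladdr, *myctladdr;

/*
 * Import "kname@host" as a host-based GSS name into *target_name.
 * Returns 0 on success, AUTH_ERROR (after printing a diagnostic) otherwise.
 */
static int
import_name(const char *kname, const char *host, gss_name_t *target_name)
{
    OM_uint32 maj_stat, min_stat;
    gss_buffer_desc name;
    char *str;

    name.length = asprintf(&str, "%s@%s", kname, host);
    if (str == NULL) {
	printf("Out of memory\n");
	return AUTH_ERROR;
    }
    name.value = str;

    maj_stat = gss_import_name(&min_stat,
			       &name,
			       GSS_C_NT_HOSTBASED_SERVICE,
			       target_name);
    if (GSS_ERROR(maj_stat)) {
	OM_uint32 new_stat;
	OM_uint32 msg_ctx = 0;
	gss_buffer_desc status_string;

	gss_display_status(&new_stat,
			   min_stat,
			   GSS_C_MECH_CODE,
			   GSS_C_NO_OID,
			   &msg_ctx,
			   &status_string);
	printf("Error importing name %.*s: %.*s\n",
	       (int)name.length,
	       (char *)name.value,
	       (int)status_string.length,
	       (char *)status_string.value);
	free(name.value);
	gss_release_buffer(&new_stat, &status_string);
	return AUTH_ERROR;
    }
    free(name.value);
    return 0;
}

/*
 * Client side: run the AUTH GSSAPI / ADAT exchange against `host'.
 *
 * Tries the service names "ftp@host" then "host@host".  Returns AUTH_OK
 * once the server answered 235 and the context is established,
 * AUTH_CONTINUE if no context could be initialized (lets another
 * mechanism try), and AUTH_ERROR on protocol or resource errors.
 *
 * A 4xx/5xx reply to ADAT is an authentication failure and is reported
 * as AUTH_ERROR; previously the loop only broke out and the function fell
 * through to AUTH_OK with the context already deleted.
 */
static int
gss_auth(void *app_data, char *host)
{

    OM_uint32 maj_stat, min_stat;
    gss_name_t target_name;
    gss_buffer_desc input, output_token;
    int context_established = 0;
    char *p;
    int n = 0;
    gss_channel_bindings_t bindings;
    struct gssapi_data *d = app_data;
    OM_uint32 mech_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
    const char *knames[] = { "ftp", "host", NULL }, **kname = knames;

    if(import_name(*kname++, host, &target_name))
	return AUTH_ERROR;

    input.length = 0;
    input.value = NULL;

    if (ftp_do_gss_bindings) {
	bindings = malloc(sizeof(*bindings));
	if (bindings == NULL)
	    errx(1, "out of memory");

	sockaddr_to_gss_address (myctladdr,
				 &bindings->initiator_addrtype,
				 &bindings->initiator_address);
	sockaddr_to_gss_address (hisctladdr,
				 &bindings->acceptor_addrtype,
				 &bindings->acceptor_address);

	bindings->application_data.length = 0;
	bindings->application_data.value = NULL;
    } else
	bindings = GSS_C_NO_CHANNEL_BINDINGS;

    if (ftp_do_gss_delegate)
	mech_flags |= GSS_C_DELEG_FLAG;

    while(!context_established) {
	maj_stat = gss_init_sec_context(&min_stat,
					GSS_C_NO_CREDENTIAL,
					&d->context_hdl,
					target_name,
					GSS_C_NO_OID,
					mech_flags,
					0,
					bindings,
					&input,
					NULL,
					&output_token,
					NULL,
					NULL);
	if (GSS_ERROR(maj_stat)) {
	    OM_uint32 new_stat;
	    OM_uint32 msg_ctx = 0;
	    gss_buffer_desc status_string;

	    d->context_hdl = GSS_C_NO_CONTEXT;

	    gss_release_name(&min_stat, &target_name);

	    /* Fall back to the next service name before giving up. */
	    if(*kname != NULL) {
		if(import_name(*kname++, host, &target_name)) {
		    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
			free(bindings);
		    return AUTH_ERROR;
		}
		continue;
	    }

	    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
		free(bindings);

	    gss_display_status(&new_stat,
			       min_stat,
			       GSS_C_MECH_CODE,
			       GSS_C_NO_OID,
			       &msg_ctx,
			       &status_string);
	    printf("Error initializing security context: %.*s\n",
		   (int)status_string.length,
		   (char*)status_string.value);
	    gss_release_buffer(&new_stat, &status_string);
	    return AUTH_CONTINUE;
	}

	if (input.value) {
	    free(input.value);
	    input.value = NULL;
	    input.length = 0;
	}
	if (output_token.length != 0) {
	    if (rk_base64_encode(output_token.value, output_token.length,
				 &p) < 0) {
		gss_release_buffer(&min_stat, &output_token);
		gss_release_name(&min_stat, &target_name);
		if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
		    free(bindings);
		printf("Out of memory base64-encoding.\n");
		return AUTH_ERROR;
	    }
	    gss_release_buffer(&min_stat, &output_token);
	    n = command("ADAT %s", p);
	    free(p);
	}
	if (GSS_ERROR(maj_stat) || n >= 4) {
	    /*
	     * The server rejected the token (4xx/5xx reply).  Tear down
	     * the half-built context and report failure; the caller must
	     * not treat this as an authenticated session.
	     */
	    if (d->context_hdl != GSS_C_NO_CONTEXT)
		gss_delete_sec_context (&min_stat,
					&d->context_hdl,
					GSS_C_NO_BUFFER);
	    gss_release_name(&min_stat, &target_name);
	    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
		free(bindings);
	    printf("GSSAPI authentication rejected by server: %d\n", code);
	    return AUTH_ERROR;
	}
	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
	    p = strstr(reply_string, "ADAT=");
	    if(p == NULL){
		printf("Error: expected ADAT in reply. got: %s\n",
		       reply_string);
		gss_release_name(&min_stat, &target_name);
		if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
		    free(bindings);
		return AUTH_ERROR;
	    } else {
		int decoded;

		p+=5;
		/* +1 so an empty ADAT= does not turn into malloc(0). */
		input.value = malloc(strlen(p) + 1);
		if (input.value == NULL) {
		    printf("Out of memory\n");
		    gss_release_name(&min_stat, &target_name);
		    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
			free(bindings);
		    return AUTH_ERROR;
		}
		decoded = rk_base64_decode(p, input.value);
		if (decoded < 0) {
		    /* A negative length must not become a huge size_t. */
		    printf("Error: could not decode ADAT in reply: %s\n",
			   reply_string);
		    free(input.value);
		    input.value = NULL;
		    gss_release_name(&min_stat, &target_name);
		    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
			free(bindings);
		    return AUTH_ERROR;
		}
		input.length = decoded;
	    }
	} else {
	    if(code != 235) {
		printf("Unrecognized response code: %d\n", code);
		gss_release_name(&min_stat, &target_name);
		if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
		    free(bindings);
		return AUTH_ERROR;
	    }
	    context_established = 1;
	}
    }
    gss_release_name(&min_stat, &target_name);
    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
	free(bindings);
    if (input.value)
	free(input.value);
    {
	gss_name_t targ_name;

	maj_stat = gss_inquire_context(&min_stat,
				       d->context_hdl,
				       NULL,
				       &targ_name,
				       NULL,
				       NULL,
				       NULL,
				       NULL,
				       NULL);
	if (GSS_ERROR(maj_stat) == 0) {
	    gss_buffer_desc name;
	    maj_stat = gss_display_name (&min_stat,
					 targ_name,
					 &name,
					 NULL);
	    if (GSS_ERROR(maj_stat) == 0) {
		printf("Authenticated to <%.*s>\n",
		       (int)name.length,
		       (char *)name.value);
		gss_release_buffer(&min_stat, &name);
	    }
	    gss_release_name(&min_stat, &targ_name);
	} else
	    printf("Failed to get gss name of peer.\n");
    }
    return AUTH_OK;
}

struct sec_client_mech gss_client_mech = {
    "GSSAPI",
    sizeof(struct gssapi_data),
    gss_init,
    gss_auth,
    NULL, /* end */
    gss_check_prot,
    gss_overhead,
    gss_encode,
    gss_decode,
};

#endif /* FTP_SERVER */
heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/kauth.c000066400000000000000000000037341257755311500212500ustar00rootroot00000000000000/*
 * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1.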
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "ftp_locl.h" RCSID("$Id$"); #if defined(KRB5) void afslog(int argc, char **argv) { int ret; if(argc > 2) { printf("usage: %s [cell]\n", argv[0]); code = -1; return; } if(argc == 2) ret = command("SITE AFSLOG %s", argv[1]); else ret = command("SITE AFSLOG"); code = (ret == COMPLETE); } #else int ftp_afslog_placeholder; #endif heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/main.c000066400000000000000000000270171257755311500210600ustar00rootroot00000000000000/* * Copyright (c) 1985, 1989, 1993, 1994 * The Regents of the University of California. All rights reserved. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * FTP User Program -- Command Interface. 
*/ #include "ftp_locl.h" #include RCSID("$Id$"); static int help_flag; static int version_flag; static int debug_flag; struct getargs getargs[] = { { NULL, 'd', arg_flag, &debug_flag, "debug", NULL }, { NULL, 'g', arg_negative_flag, &doglob, "disables globbing", NULL}, { NULL, 'i', arg_negative_flag, &interactive, "Turn off interactive prompting", NULL}, { NULL, 'l', arg_negative_flag, &lineedit, "Turn off line editing", NULL}, { NULL, 'n', arg_negative_flag, &autologin, "Turn off auto-login", NULL}, { NULL, 'p', arg_flag, &passivemode, "passive mode", NULL}, { NULL, 't', arg_counter, &trace, "Packet tracing", NULL}, #ifdef KRB5 { "gss-bindings", 0, arg_negative_flag, &ftp_do_gss_bindings, "Don't use GSS-API bindings", NULL}, { "gss-delegate", 0, arg_negative_flag, &ftp_do_gss_delegate, "Disable delegation of GSS-API credentials", NULL}, #endif { NULL, 'v', arg_counter, &verbose, "verbosity", NULL}, { NULL, 'K', arg_negative_flag, &use_kerberos, "Disable kerberos authentication", NULL}, { "encrypt", 'x', arg_flag, &doencrypt, "Encrypt command and data channel if possible" }, { "version", 0, arg_flag, &version_flag }, { "help", 'h', arg_flag, &help_flag }, }; static int num_args = sizeof(getargs) / sizeof(getargs[0]); static void usage(int ecode) { arg_printusage(getargs, num_args, NULL, "[host [port]]"); exit(ecode); } int main(int argc, char **argv) { int top; struct passwd *pw = NULL; char homedir[MaxPathLen]; struct servent *sp; int optind = 0; setprogname(argv[0]); sp = getservbyname("ftp", "tcp"); if (sp == 0) errx(1, "ftp/tcp: unknown service"); doglob = 1; interactive = 1; autologin = 1; lineedit = 1; passivemode = 0; /* passive mode not active */ use_kerberos = 1; #ifdef KRB5 ftp_do_gss_bindings = 1; #endif if(getarg(getargs, num_args, argc, argv, &optind)) usage(1); if(help_flag) usage(0); if(version_flag) { print_version(NULL); exit(0); } if (debug_flag) { options |= SO_DEBUG; debug++; } argc -= optind; argv += optind; fromatty = isatty(fileno(stdin)); if 
(fromatty) verbose++; cpend = 0; /* no pending replies */ proxy = 0; /* proxy not active */ crflag = 1; /* strip c.r. on ascii gets */ sendport = -1; /* not using ports */ /* * Set up the home directory in case we're globbing. */ pw = k_getpwuid(getuid()); if (pw != NULL) { strlcpy(homedir, pw->pw_dir, sizeof(homedir)); home = homedir; } if (argc > 0) { char *xargv[5]; if (setjmp(toplevel)) exit(0); signal(SIGINT, intr); signal(SIGPIPE, lostpeer); xargv[0] = (char*)getprogname(); xargv[1] = argv[0]; xargv[2] = argv[1]; xargv[3] = argv[2]; xargv[4] = NULL; setpeer(argc+1, xargv); } if(setjmp(toplevel) == 0) top = 1; else top = 0; if (top) { signal(SIGINT, intr); signal(SIGPIPE, lostpeer); } for (;;) { cmdscanner(top); top = 1; } } void intr(int sig) { longjmp(toplevel, 1); } #ifndef SHUT_RDWR #define SHUT_RDWR 2 #endif RETSIGTYPE lostpeer(int sig) { if (connected) { if (cout != NULL) { shutdown(fileno(cout), SHUT_RDWR); fclose(cout); cout = NULL; } if (data >= 0) { shutdown(data, SHUT_RDWR); close(data); data = -1; } connected = 0; } pswitch(1); if (connected) { if (cout != NULL) { shutdown(fileno(cout), SHUT_RDWR); fclose(cout); cout = NULL; } connected = 0; } proxflag = 0; pswitch(0); sec_end(); SIGRETURN(0); } /* char * tail(filename) char *filename; { char *s; while (*filename) { s = strrchr(filename, '/'); if (s == NULL) break; if (s[1]) return (s + 1); *s = '\0'; } return (filename); } */ static char * simple_readline(char *prompt) { char buf[BUFSIZ]; printf ("%s", prompt); fflush (stdout); if(fgets(buf, sizeof(buf), stdin) == NULL) return NULL; if (buf[strlen(buf) - 1] == '\n') buf[strlen(buf) - 1] = '\0'; return strdup(buf); } #ifndef HAVE_READLINE static char * readline(char *prompt) { return simple_readline (prompt); } static void add_history(char *p) { } #else /* These should not really be here */ char *readline(char *); void add_history(char *); #endif /* * Command parser. 
*/ void cmdscanner(int top) { struct cmd *c; int l; if (!top) putchar('\n'); for (;;) { if (fromatty) { char *p; if (lineedit) p = readline("ftp> "); else p = simple_readline("ftp> "); if(p == NULL) { printf("\n"); quit(0, 0); } strlcpy(line, p, sizeof(line)); if (lineedit) add_history(p); free(p); } else{ if (fgets(line, sizeof line, stdin) == NULL) quit(0, 0); } /* XXX will break on long lines */ l = strlen(line); if (l == 0) break; if (line[--l] == '\n') { if (l == 0) break; line[l] = '\0'; } else if (l == sizeof(line) - 2) { printf("sorry, input line too long\n"); while ((l = getchar()) != '\n' && l != EOF) /* void */; break; } /* else it was a line without a newline */ makeargv(); if (margc == 0) { continue; } c = getcmd(margv[0]); if (c == (struct cmd *)-1) { printf("?Ambiguous command\n"); continue; } if (c == 0) { printf("?Invalid command\n"); continue; } if (c->c_conn && !connected) { printf("Not connected.\n"); continue; } (*c->c_handler)(margc, margv); if (bell && c->c_bell) putchar('\007'); if (c->c_handler != help) break; } signal(SIGINT, intr); signal(SIGPIPE, lostpeer); } struct cmd * getcmd(char *name) { char *p, *q; struct cmd *c, *found; int nmatches, longest; longest = 0; nmatches = 0; found = 0; for (c = cmdtab; (p = c->c_name); c++) { for (q = name; *q == *p++; q++) if (*q == 0) /* exact match? */ return (c); if (!*q) { /* the name was a prefix */ if (q - name > longest) { longest = q - name; nmatches = 1; found = c; } else if (q - name == longest) nmatches++; } } if (nmatches > 1) return ((struct cmd *)-1); return (found); } /* * Slice a string up into argc/argv. */ int slrflag; void makeargv(void) { char **argp; argp = margv; stringbase = line; /* scan from first of buffer */ argbase = argbuf; /* store from first of buffer */ slrflag = 0; for (margc = 0; ; margc++) { /* Expand array if necessary */ if (margc == margvlen) { int i; margv = (margvlen == 0) ? 
(char **)malloc(20 * sizeof(char *)) : (char **)realloc(margv, (margvlen + 20)*sizeof(char *)); if (margv == NULL) errx(1, "cannot realloc argv array"); for(i = margvlen; i < margvlen + 20; ++i) margv[i] = NULL; margvlen += 20; argp = margv + margc; } if ((*argp++ = slurpstring()) == NULL) break; } } /* * Parse string into argbuf; * implemented with FSM to * handle quoting and strings */ char * slurpstring(void) { int got_one = 0; char *sb = stringbase; char *ap = argbase; char *tmp = argbase; /* will return this if token found */ if (*sb == '!' || *sb == '$') { /* recognize ! as a token for shell */ switch (slrflag) { /* and $ as token for macro invoke */ case 0: slrflag++; stringbase++; return ((*sb == '!') ? "!" : "$"); /* NOTREACHED */ case 1: slrflag++; altarg = stringbase; break; default: break; } } S0: switch (*sb) { case '\0': goto OUT; case ' ': case '\t': sb++; goto S0; default: switch (slrflag) { case 0: slrflag++; break; case 1: slrflag++; altarg = sb; break; default: break; } goto S1; } S1: switch (*sb) { case ' ': case '\t': case '\0': goto OUT; /* end of token */ case '\\': sb++; goto S2; /* slurp next character */ case '"': sb++; goto S3; /* slurp quoted string */ default: *ap++ = *sb++; /* add character to token */ got_one = 1; goto S1; } S2: switch (*sb) { case '\0': goto OUT; default: *ap++ = *sb++; got_one = 1; goto S1; } S3: switch (*sb) { case '\0': goto OUT; case '"': sb++; goto S1; default: *ap++ = *sb++; got_one = 1; goto S3; } OUT: if (got_one) *ap++ = '\0'; argbase = ap; /* update storage pointer */ stringbase = sb; /* update scan pointer */ if (got_one) { return (tmp); } switch (slrflag) { case 0: slrflag++; break; case 1: slrflag++; altarg = (char *) 0; break; default: break; } return NULL; } #define HELPINDENT ((int) sizeof ("directory")) /* * Help command. * Call each command handler with argc == 0 and argv[0] == name. 
*/ void help(int argc, char **argv) { struct cmd *c; if (argc == 1) { int i, j, w, k; int columns, width = 0, lines; printf("Commands may be abbreviated. Commands are:\n\n"); for (c = cmdtab; c < &cmdtab[NCMDS]; c++) { int len = strlen(c->c_name); if (len > width) width = len; } width = (width + 8) &~ 7; columns = 80 / width; if (columns == 0) columns = 1; lines = (NCMDS + columns - 1) / columns; for (i = 0; i < lines; i++) { for (j = 0; j < columns; j++) { c = cmdtab + j * lines + i; if ((!proxy || c->c_proxy)) { printf("%s", c->c_name); } else { for (k=0; k < strlen(c->c_name); k++) { putchar(' '); } } if (c + lines >= &cmdtab[NCMDS]) { printf("\n"); break; } w = strlen(c->c_name); while (w < width) { w = (w + 8) &~ 7; putchar('\t'); } } } return; } while (--argc > 0) { char *arg; arg = *++argv; c = getcmd(arg); if (c == (struct cmd *)-1) printf("?Ambiguous help command %s\n", arg); else if (c == (struct cmd *)0) printf("?Invalid help command %s\n", arg); else printf("%-*s\t%s\n", HELPINDENT, c->c_name, c->c_help); } } heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/pathnames.h000066400000000000000000000037461257755311500221240ustar00rootroot00000000000000/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. 
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)pathnames.h 8.1 (Berkeley) 6/6/93 */ #ifdef HAVE_PATHS_H #include #endif #define _PATH_TMP_XXX "/tmp/ftpXXXXXX" #ifndef _PATH_BSHELL #define _PATH_BSHELL "/bin/sh" #endif heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/ruserpass.c000066400000000000000000000173051257755311500221620ustar00rootroot00000000000000/* * Copyright (c) 1985, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "ftp_locl.h" RCSID("$Id$"); static int token (void); static FILE *cfile; #define DEFAULT 1 #define LOGIN 2 #define PASSWD 3 #define ACCOUNT 4 #define MACDEF 5 #define PROT 6 #define ID 10 #define MACH 11 static char tokval[100]; static struct toktab { char *tokstr; int tval; } toktab[]= { { "default", DEFAULT }, { "login", LOGIN }, { "password", PASSWD }, { "passwd", PASSWD }, { "account", ACCOUNT }, { "machine", MACH }, { "macdef", MACDEF }, { "prot", PROT }, { NULL, 0 } }; /* * Write a copy of the hostname into `hostname, sz' and return a guess * as to the `domain' of that hostname. 
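 */
static char *
guess_domain (char *hostname_str, size_t sz)
{
    struct addrinfo *ai, *a;
    struct addrinfo hints;
    int error;
    char *dot;

    if (gethostname (hostname_str, sz) < 0) {
        strlcpy (hostname_str, "", sz);
        return "";
    }
    /* gethostname() need not NUL-terminate a truncated name. */
    if (sz > 0)
        hostname_str[sz - 1] = '\0';
    dot = strchr (hostname_str, '.');
    if (dot != NULL)
        return dot + 1;

    /* No dot in the short name: ask the resolver for the canonical name. */
    memset (&hints, 0, sizeof(hints));
    hints.ai_flags = AI_CANONNAME;

    error = getaddrinfo (hostname_str, NULL, &hints, &ai);
    if (error)
        return hostname_str;

    for (a = ai; a != NULL; a = a->ai_next)
        if (a->ai_canonname != NULL) {
            /* Copy from the entry that actually carries the canonical
             * name (`a`), not unconditionally from the list head. */
            strlcpy (hostname_str, a->ai_canonname, sz);
            break;
        }
    freeaddrinfo (ai);
    dot = strchr (hostname_str, '.');
    if (dot != NULL)
        return dot + 1;
    else
        return hostname_str;
}

/*
 * Look `host' up in ~/.netrc and fill in any of *aname, *apass, *aacct
 * that are still NULL (values are strdup'ed).  Macro definitions found
 * on the way are stored in `macros'.  Password and account entries are
 * refused (return -1) when the file is group/other accessible; anonymous
 * logins are exempt from the password check.  Returns 0 when nothing
 * was found or no .netrc exists, -1 on a parse or permission error.
 */
int
ruserpassword(char *host, char **aname, char **apass, char **aacct)
{
    char *hdir, buf[BUFSIZ], *tmp;
    int t, i, c, usedefault = 0;
    struct stat stb;

    mydomain = guess_domain (myhostname, MaxHostNameLen);

    hdir = getenv("HOME");
    if (hdir == NULL)
        hdir = ".";
    snprintf(buf, sizeof(buf), "%s/.netrc", hdir);
    cfile = fopen(buf, "r");
    if (cfile == NULL) {
        if (errno != ENOENT)
            warn("%s", buf);
        return (0);
    }

next:
    while ((t = token())) switch(t) {

    case DEFAULT:
        usedefault = 1;
        /* FALL THROUGH */

    case MACH:
        if (!usedefault) {
            if (token() != ID)
                continue;
            /*
             * Allow match either for user's input host name
             * or official hostname.  Also allow match of
             * incompletely-specified host in local domain.
             */
            if (strcasecmp(host, tokval) == 0)
                goto match;
            if (strcasecmp(hostname, tokval) == 0)
                goto match;
            if ((tmp = strchr(hostname, '.')) != NULL &&
                tmp++ &&
                strcasecmp(tmp, mydomain) == 0 &&
                strncasecmp(hostname, tokval, tmp-hostname) == 0 &&
                tokval[tmp - hostname] == '\0')
                goto match;
            if ((tmp = strchr(host, '.')) != NULL &&
                tmp++ &&
                strcasecmp(tmp, mydomain) == 0 &&
                strncasecmp(host, tokval, tmp - host) == 0 &&
                tokval[tmp - host] == '\0')
                goto match;
            continue;
        }
    match:
        /* Consume this machine's entries up to the next machine/default. */
        while ((t = token()) && t != MACH && t != DEFAULT) switch(t) {

        case LOGIN:
            if (token()) {
                if (*aname == 0) {
                    *aname = strdup(tokval);
                } else {
                    /* Caller asked for a specific user: keep scanning
                     * for an entry that names that user. */
                    if (strcmp(*aname, tokval))
                        goto next;
                }
            }
            break;
        case PASSWD:
            /* Refuse to take a password from a world/group readable file
             * (anonymous "passwords" are not secret, so they are exempt). */
            if ((*aname == NULL || strcmp(*aname, "anonymous")) &&
                fstat(fileno(cfile), &stb) >= 0 &&
                (stb.st_mode & 077) != 0) {
                warnx("Error: .netrc file is readable by others.");
                warnx("Remove password or make file unreadable by others.");
                goto bad;
            }
            if (token() && *apass == 0) {
                *apass = strdup(tokval);
            }
            break;
        case ACCOUNT:
            if (fstat(fileno(cfile), &stb) >= 0
                && (stb.st_mode & 077) != 0) {
                warnx("Error: .netrc file is readable by others.");
                warnx("Remove account or make file unreadable by others.");
                goto bad;
            }
            if (token() && *aacct == 0) {
                *aacct = strdup(tokval);
            }
            break;
        case MACDEF:
            if (proxy) {
                fclose(cfile);
                return (0);
            }
            while ((c=getc(cfile)) != EOF && (c == ' ' || c == '\t'));
            if (c == EOF || c == '\n') {
                printf("Missing macdef name argument.\n");
                goto bad;
            }
            if (macnum == 16) {
                printf("Limit of 16 macros have already been defined\n");
                goto bad;
            }
            /* Macro name: first char plus at most 8 more, then NUL.
             * NOTE(review): assumes mac_name holds >= 10 bytes — confirm
             * against the struct definition in the header. */
            tmp = macros[macnum].mac_name;
            *tmp++ = c;
            for (i=0; i < 8 && (c=getc(cfile)) != EOF &&
                 !isspace(c); ++i) {
                *tmp++ = c;
            }
            if (c == EOF) {
                printf("Macro definition missing null line terminator.\n");
                goto bad;
            }
            *tmp = '\0';
            if (c != '\n') {
                while ((c=getc(cfile)) != EOF && c != '\n');
            }
            if (c == EOF) {
                printf("Macro definition missing null line terminator.\n");
                goto bad;
            }
            if (macnum == 0) {
                macros[macnum].mac_start = macbuf;
            }
            else {
                macros[macnum].mac_start = macros[macnum-1].mac_end + 1;
            }
            /* Body: lines are stored NUL-separated in macbuf; an empty
             * line terminates the macro.  NOTE(review): `*(tmp-1)` is
             * read before macbuf when the body starts with a newline
             * and macnum == 0 — confirm. */
            tmp = macros[macnum].mac_start;
            while (tmp != macbuf + 4096) {
                if ((c=getc(cfile)) == EOF) {
                    printf("Macro definition missing null line terminator.\n");
                    goto bad;
                }
                *tmp = c;
                if (*tmp == '\n') {
                    if (*(tmp-1) == '\0') {
                        macros[macnum++].mac_end = tmp - 1;
                        break;
                    }
                    *tmp = '\0';
                }
                tmp++;
            }
            if (tmp == macbuf + 4096) {
                printf("4K macro buffer exceeded\n");
                goto bad;
            }
            break;
        case PROT:
            token();
            if(doencrypt == 0 && sec_request_prot(tokval) < 0)
                warnx("Unknown protection level \"%s\"", tokval);
            break;
        default:
            warnx("Unknown .netrc keyword %s", tokval);
            break;
        }
        goto done;
    }
done:
    fclose(cfile);
    return (0);
bad:
    fclose(cfile);
    return (-1);
}

/*
 * Read the next token from `cfile' into `tokval'.  Whitespace and commas
 * separate tokens, double quotes group them, backslash escapes one char.
 * Tokens longer than tokval are truncated rather than overrunning it.
 * Returns a keyword value from toktab, ID for anything else, 0 at EOF.
 */
static int
token(void)
{
    char *cp;
    int c;
    struct toktab *t;
    /* Leave room for the terminating NUL. */
    char *end = tokval + sizeof(tokval) - 1;

    if (feof(cfile) || ferror(cfile))
        return (0);
    while ((c = getc(cfile)) != EOF &&
           (c == '\n' || c == '\t' || c == ' ' || c == ','))
        continue;
    if (c == EOF)
        return (0);
    cp = tokval;
    if (c == '"') {
        while ((c = getc(cfile)) != EOF && c != '"') {
            if (c == '\\')
                c = getc(cfile);
            if (cp < end)
                *cp++ = c;
        }
    } else {
        *cp++ = c;
        while ((c = getc(cfile)) != EOF && c != '\n' && c != '\t' &&
               c != ' ' && c != ',') {
            if (c == '\\')
                c = getc(cfile);
            if (cp < end)
                *cp++ = c;
        }
    }
    *cp = 0;
    if (tokval[0] == 0)
        return (0);
    for (t = toktab; t->tokstr; t++)
        if (!strcmp(t->tokstr, tokval))
            return (t->tval);
    return (ID);
}
heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/security.c000066400000000000000000000433241257755311500220020ustar00rootroot00000000000000/*
 * Copyright (c) 1998-2002, 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2.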
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
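*/
#ifdef FTP_SERVER
#include "ftpd_locl.h"
#else
#include "ftp_locl.h"
#endif
RCSID("$Id$");

/* Protection level applied to the command channel. */
static enum protection_level command_prot;
/* Protection level applied to the data channel. */
static enum protection_level data_prot;
/* Negotiated PBSZ; sec_write() sizes its blocks from it. */
static size_t buffer_size;

/* Growable byte buffer; `index' is the read (in) or write (out) cursor. */
struct buffer {
    void *data;
    size_t size;
    size_t index;
    int eof_flag;	/* sec_read(): an end-of-data block is pending */
};

static struct buffer in_buffer, out_buffer;
int sec_complete;	/* non-zero once a mechanism has authenticated */

static struct {
    enum protection_level level;
    const char *name;
} level_names[] = {
    { prot_clear, "clear" },
    { prot_safe, "safe" },
    { prot_confidential, "confidential" },
    { prot_private, "private" }
};

/* Printable name for `level', "unknown" if it is not in level_names. */
static const char *
level_to_name(enum protection_level level)
{
    int i;
    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
        if(level_names[i].level == level)
            return level_names[i].name;
    return "unknown";
}

#ifndef FTP_SERVER /* not used in server */
/* Case-insensitive prefix match of `name' against level_names;
 * prot_invalid when nothing matches. */
static enum protection_level
name_to_level(const char *name)
{
    int i;
    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
        if(!strncasecmp(level_names[i].name, name, strlen(name)))
            return level_names[i].level;
    return prot_invalid;
}
#endif

#ifdef FTP_SERVER
static struct sec_server_mech *mechs[] = {
#ifdef KRB5
    &gss_server_mech,
#endif
    NULL
};
static struct sec_server_mech *mech;
#else
static struct sec_client_mech *mechs[] = {
#ifdef KRB5
    &gss_client_mech,
#endif
    NULL
};
static struct sec_client_mech *mech;
#endif

/* Per-mechanism state, sized by mech->size. */
static void *app_data;

/* getc() replacement that reads through the protected data channel
 * once a mechanism is active and data protection is on. */
int
sec_getc(FILE *F)
{
    if(sec_complete && data_prot) {
        char c;
        if(sec_read(fileno(F), &c, 1) <= 0)
            return EOF;
        return c;
    } else
        return getc(F);
}

/* read() exactly `len' bytes; 0 on EOF before that, -1 on error. */
static int
block_read(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    int b;
    while(len) {
        b = read(fd, p, len);
        if (b == 0)
            return 0;
        else if (b < 0)
            return -1;
        len -= b;
        p += b;
    }
    return p - (unsigned char*)buf;
}

/* write() exactly `len' bytes; -1 on error. */
static int
block_write(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    int b;
    while(len) {
        b = write(fd, p, len);
        if(b < 0)
            return -1;
        len -= b;
        p += b;
    }
    return p - (unsigned char*)buf;
}

/*
 * Read one length-prefixed protected block from `fd' and decode it into
 * `buf'.  Returns 0 on success or EOF (buf->size is 0 for a block that
 * decodes to nothing), -1 on error.  The 32-bit length is peer supplied
 * and is validated before it is used for allocation.
 */
static int
sec_get_data(int fd, struct buffer *buf, int level)
{
    int len;
    int b;
    int decoded;
    void *tmp;

    b = block_read(fd, &len, sizeof(len));
    if (b == 0)
        return 0;
    else if (b < 0)
        return -1;
    len = ntohl(len);
    /* A negative length would turn into a huge size_t in realloc()
     * and block_read(); a zero length has nothing to decode. */
    if (len < 0)
        return -1;
    if (len == 0) {
        buf->size = 0;
        buf->index = 0;
        return 0;
    }
    /* NOTE(review): RFC 2228 bounds an encoded block by PBSZ; whether
     * both peers agree on buffer_size closely enough to reject
     * len > buffer_size here is not verified, so it is not enforced. */
    tmp = realloc(buf->data, len);
    if (tmp == NULL)
        return -1;
    buf->data = tmp;
    b = block_read(fd, buf->data, len);
    if (b == 0)
        return 0;
    else if (b < 0)
        return -1;
    decoded = (*mech->decode)(app_data, buf->data, len, data_prot);
    /* decode reports failure as -1; storing that in size_t would make
     * buffer_read() copy an enormous range. */
    if (decoded < 0)
        return -1;
    buf->size = decoded;
    buf->index = 0;
    return 0;
}

/* Copy up to `len' unread bytes out of `buf'; returns the count copied. */
static size_t
buffer_read(struct buffer *buf, void *dataptr, size_t len)
{
    len = min(len, buf->size - buf->index);
    memcpy(dataptr, (char*)buf->data + buf->index, len);
    buf->index += len;
    return len;
}

/* Append `len' bytes to `buf', growing it as needed (at least 1024 bytes
 * on first allocation).  Returns len, or (size_t)-1 when out of memory. */
static size_t
buffer_write(struct buffer *buf, void *dataptr, size_t len)
{
    if(buf->index + len > buf->size) {
        void *tmp;
        size_t need = buf->index + len;
        /* The first allocation used a fixed 1024 bytes regardless of
         * `need', so a first write larger than that overflowed. */
        if(buf->data == NULL && need < 1024)
            need = 1024;
        tmp = realloc(buf->data, need);
        if(tmp == NULL)
            return -1;
        buf->data = tmp;
        buf->size = need;
    }
    memcpy((char*)buf->data + buf->index, dataptr, len);
    buf->index += len;
    return len;
}

/*
 * read() replacement for the data channel.  With protection off this is
 * a plain read(); otherwise it serves from in_buffer, pulling further
 * protected blocks with sec_get_data() until `length' bytes are
 * delivered or the peer's end-of-data block arrives.  Returns bytes
 * read, 0 at end of data, -1 on error.
 */
int
sec_read(int fd, void *dataptr, int length)
{
    size_t len;
    int rx = 0;

    if(sec_complete == 0 || data_prot == 0)
        return read(fd, dataptr, length);

    if(in_buffer.eof_flag){
        in_buffer.eof_flag = 0;
        return 0;
    }

    len = buffer_read(&in_buffer, dataptr, length);
    length -= len;
    rx += len;
    dataptr = (char*)dataptr + len;

    while(length){
        int ret;

        ret = sec_get_data(fd, &in_buffer, data_prot);
        if (ret < 0)
            return -1;
        if(ret == 0 && in_buffer.size == 0) {
            /* Empty block == end of data; report it on the next call
             * if we already have bytes to hand back. */
            if(rx)
                in_buffer.eof_flag = 1;
            return rx;
        }
        len = buffer_read(&in_buffer, dataptr, length);
        length -= len;
        rx += len;
        dataptr = (char*)dataptr + len;
    }
    return rx;
}

/* Encode `length' bytes at `from' and write them as one length-prefixed
 * block.  Returns length, or -1 if the mechanism failed to encode. */
static int
sec_send(int fd, char *from, int length)
{
    int bytes;
    void *buf;
    bytes = (*mech->encode)(app_data, from, length, data_prot, &buf);
    if (bytes < 0)
        return -1;
    bytes = htonl(bytes);
    block_write(fd, &bytes, sizeof(bytes));
    block_write(fd, buf, ntohl(bytes));
    free(buf);
    return length;
}

/* Flush buffered output and, when protected, send the end-of-data block. */
int
sec_fflush(FILE *F)
{
    if(data_prot != prot_clear) {
        if(out_buffer.index > 0){
            sec_write(fileno(F), out_buffer.data, out_buffer.index);
            out_buffer.index = 0;
        }
        sec_send(fileno(F), NULL, 0);
    }
    fflush(F);
    return 0;
}

/* write() replacement for the data channel: splits `dataptr' into blocks
 * that fit PBSZ once the mechanism's overhead is subtracted. */
int
sec_write(int fd, char *dataptr, int length)
{
    int len = buffer_size;
    int tx = 0;

    if(data_prot == prot_clear)
        return write(fd, dataptr, length);

    len -= (*mech->overhead)(app_data, data_prot, len);
    /* Without a usable block size the loop below would never advance. */
    if (len <= 0)
        return -1;
    while(length){
        if(length < len)
            len = length;
        sec_send(fd, dataptr, len);
        length -= len;
        dataptr += len;
        tx += len;
    }
    return tx;
}

/* vfprintf() onto the data channel; buffered until sec_fflush()/sec_putc()
 * when protection is on. */
int
sec_vfprintf2(FILE *f, const char *fmt, va_list ap)
{
    char *buf;
    int ret;
    if(data_prot == prot_clear)
        return vfprintf(f, fmt, ap);
    else {
        int len;
        len = vasprintf(&buf, fmt, ap);
        if (len == -1)
            return len;
        ret = buffer_write(&out_buffer, buf, len);
        free(buf);
        return ret;
    }
}

/* fprintf() onto the data channel, see sec_vfprintf2(). */
int
sec_fprintf2(FILE *f, const char *fmt, ...)
{
    int ret;
    va_list ap;
    va_start(ap, fmt);
    ret = sec_vfprintf2(f, fmt, ap);
    va_end(ap);
    return ret;
}

/* putc() onto the data channel; a newline or 1024 buffered bytes
 * triggers a protected write.  buffer_write() failures are not reported. */
int
sec_putc(int c, FILE *F)
{
    char ch = c;
    if(data_prot == prot_clear)
        return putc(c, F);

    buffer_write(&out_buffer, &ch, 1);
    if(c == '\n' || out_buffer.index >= 1024 /* XXX */) {
        sec_write(fileno(F), out_buffer.data, out_buffer.index);
        out_buffer.index = 0;
    }
    return c;
}

/*
 * Decode a protected command-channel message in place: `s' is
 * "<4-char prefix><base64>", and on success holds the decoded reply
 * text (trailing newline stripped).  Returns the reply's numeric code,
 * 0 for a continuation line ("nnn-"), -1 when `s' is too short or
 * base64/mechanism decoding fails (then `s' is left untouched).
 */
int
sec_read_msg(char *s, int level)
{
    int len;
    char *buf;
    int return_code;

    if (strlen(s) < 4)
        return -1;
    /* Decoded output is shorter than the base64 text, so strlen(s) bytes
     * cover the payload; +1 keeps buf[len] in range for the NUL. */
    buf = malloc(strlen(s) + 1);
    if (buf == NULL)
        return -1;
    len = rk_base64_decode(s + 4, buf); /* XXX */
    if (len < 0) {
        free(buf);
        return -1;
    }

    len = (*mech->decode)(app_data, buf, len, level);
    if(len < 0) {
        free(buf);
        return -1;
    }

    buf[len] = '\0';

    if(len >= 4 && buf[3] == '-')
        return_code = 0;
    else if (sscanf(buf, "%d", &return_code) != 1) {
        /* Previously an unparsable reply returned an uninitialized code. */
        free(buf);
        return -1;
    }
    if(len > 0 && buf[len-1] == '\n')
        buf[len-1] = '\0';
    strcpy(s, buf);
    free(buf);
    return return_code;
}

/*
 * vfprintf() onto the command channel.  Once a mechanism is active the
 * text is encoded at command_prot, base64'ed and sent as a 63x reply
 * (server) or MIC/ENC/CONF command (client).  Returns 0, or -1 on
 * allocation/encoding failure.
 */
int
sec_vfprintf(FILE *f, const char *fmt, va_list ap)
{
    char *buf;
    void *enc;
    int len;
    if(!sec_complete)
        return vfprintf(f, fmt, ap);

    if (vasprintf(&buf, fmt, ap) == -1) {
        printf("Failed to allocate command.\n");
        return -1;
    }
    len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc);
    free(buf);
    if(len < 0) {
        printf("Failed to encode command.\n");
        return -1;
    }
    if(rk_base64_encode(enc, len, &buf) < 0){
        free(enc);
        printf("Out of memory base64-encoding.\n");
        return -1;
    }
    free(enc);
#ifdef FTP_SERVER
    if(command_prot == prot_safe)
        fprintf(f, "631 %s\r\n", buf);
    else if(command_prot == prot_private)
        fprintf(f, "632 %s\r\n", buf);
    else if(command_prot == prot_confidential)
        fprintf(f, "633 %s\r\n", buf);
#else
    if(command_prot == prot_safe)
        fprintf(f, "MIC %s", buf);
    else if(command_prot == prot_private)
        fprintf(f, "ENC %s", buf);
    else if(command_prot == prot_confidential)
        fprintf(f, "CONF %s", buf);
#endif
    free(buf);
    return 0;
}

/* fprintf() onto the command channel, see sec_vfprintf(). */
int
sec_fprintf(FILE *f, const char *fmt, ...)
{
    va_list ap;
    int ret;
    va_start(ap, fmt);
    ret = sec_vfprintf(f, fmt, ap);
    va_end(ap);
    return ret;
}

/* end common stuff */

#ifdef FTP_SERVER

int ccc_passed;

/*
 * AUTH command: select the mechanism named `auth_name', allocate and
 * initialise its state, then either run its auth callback or tell the
 * client whether ADAT data is expected.  Replies 504 for an unknown
 * mechanism, 431 when it cannot be set up.
 */
void
auth(char *auth_name)
{
    int i;
    void *tmp;

    for(i = 0; (mech = mechs[i]) != NULL; i++){
        if(!strcasecmp(auth_name, mech->name)){
            tmp = realloc(app_data, mech->size);
            if (tmp == NULL) {
                reply(431, "Unable to accept %s at this time", mech->name);
                return;
            }
            app_data = tmp;

            if(mech->init && (*mech->init)(app_data) != 0) {
                reply(431, "Unable to accept %s at this time", mech->name);
                return;
            }
            if(mech->auth) {
                (*mech->auth)(app_data);
                return;
            }
            if(mech->adat)
                reply(334, "Send authorization data.");
            else
                reply(234, "Authorization complete.");
            return;
        }
    }
    free (app_data);
    app_data = NULL;
    reply(504, "%s is unknown to me", auth_name);
}

/*
 * ADAT command: base64-decode the client's token and hand it to the
 * selected mechanism.  Only valid after AUTH and before the exchange
 * completes; the mechanism's adat callback sends the reply.
 */
void
adat(char *auth_data)
{
    if(mech && !sec_complete) {
        /* +1 so an empty argument does not become malloc(0). */
        void *buf = malloc(strlen(auth_data) + 1);
        int len;
        if (buf == NULL) {
            reply(501, "Failed to allocate %lu",
                  (unsigned long)(strlen(auth_data) + 1));
            return;
        }
        len = rk_base64_decode(auth_data, buf);
        /* A decode error (-1) must not reach the mechanism as a size. */
        if (len < 0) {
            free(buf);
            reply(501, "Failed to base64-decode ADAT data");
            return;
        }
        (*mech->adat)(app_data, buf, (size_t)len);
        free(buf);
    } else
        reply(503, "You must %sissue an AUTH first.", mech ? "re-" : "");
}

/*
 * PBSZ command: record the protection buffer size, letting the
 * mechanism shrink it.  Replies "PBSZ=n" when the effective size differs
 * from the request.  Requires a completed security exchange.
 */
void
pbsz(int size)
{
    size_t new = size;
    if(!sec_complete) {
        /* Must return: `mech' may still be NULL, and a command gets
         * exactly one reply. */
        reply(503, "Incomplete security data exchange.");
        return;
    }
    if (size < 0) {
        reply(501, "Invalid protection buffer size.");
        return;
    }
    if(mech->pbsz)
        new = (*mech->pbsz)(app_data, size);
    if(buffer_size != new){
        /* Store the size we advertise in the reply, not the raw request;
         * the reply promises the peer that blocks fit in `new'. */
        buffer_size = new;
    }
    if(new != size)
        reply(200, "PBSZ=%lu", (unsigned long)new);
    else
        reply(200, "OK");
}

/*
 * PROT command: set the data-channel protection level from its one
 * letter code (C/S/E/P).  Needs PBSZ first and a completed exchange;
 * 536 when the mechanism cannot provide the requested level.
 */
void
prot(char *pl)
{
    int p = -1;
    if(buffer_size == 0){
        reply(503, "No protection buffer size negotiated.");
        return;
    }
    if(!strcasecmp(pl, "C"))
        p = prot_clear;
    else if(!strcasecmp(pl, "S"))
        p = prot_safe;
    else if(!strcasecmp(pl, "E"))
        p = prot_confidential;
    else if(!strcasecmp(pl, "P"))
        p = prot_private;
    else {
        reply(504, "Unrecognized protection level.");
        return;
    }
    if(sec_complete){
        if((*mech->check_prot)(app_data, p)){
            reply(536, "%s does not support %s protection.",
                  mech->name, level_to_name(p));
        }else{
            data_prot = (enum protection_level)p;
            reply(200, "Data protection is %s.", level_to_name(p));
        }
    }else{
        reply(503, "Incomplete security data exchange.");
    }
}

/*
 * CCC command: clear the command channel if the mechanism allows it.
 * NOTE(review): this also resets data_prot; whether that is intended
 * (RFC 2228 describes CCC as affecting the control connection only) is
 * not settled here.  On success the reply is left to mech->ccc.
 */
void
ccc(void)
{
    if(sec_complete){
        if(mech->ccc && (*mech->ccc)(app_data) == 0) {
            command_prot = data_prot = prot_clear;
            ccc_passed = 1;
        } else
            reply(534, "You must be joking.");
    }else
        reply(503, "Incomplete security data exchange.");
}

/*
 * MIC/CONF/ENC command: base64-decode and unwrap `msg' at `level' and
 * queue the plaintext as the next FTP command (new_ftp_command takes
 * ownership of the buffer).  command_prot is switched to `level' even
 * when decoding then fails.
 */
void
mec(char *msg, enum protection_level level)
{
    void *buf;
    size_t len, buf_size;
    if(!sec_complete) {
        reply(503, "Incomplete security data exchange.");
        return;
    }
    /* +2 leaves room to append "\r\n" below. */
    buf_size = strlen(msg) + 2;
    buf = malloc(buf_size);
    if (buf == NULL) {
        reply(501, "Failed to allocate %lu", (unsigned long)buf_size);
        return;
    }
    len = rk_base64_decode(msg, buf);
    command_prot = level;
    if(len == (size_t)-1) {
        free(buf);
        reply(501, "Failed to base64-decode command");
        return;
    }
    len = (*mech->decode)(app_data, buf, len, level);
    if(len == (size_t)-1) {
        free(buf);
        reply(535, "Failed to decode command");
        return;
    }
    ((char*)buf)[len] = '\0';
    if(strstr((char*)buf, "\r\n") == NULL)
        strlcat((char*)buf, "\r\n", buf_size);
    new_ftp_command(buf);
}

/* ------------------------------------------------------------ */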
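/*
 * Server side: ask the mechanism whether the authenticated peer may act as
 * the local user named by userstr.  Returns the mechanism's verdict, or 0
 * (not ok) while no security exchange has completed.
 */
int
sec_userok(char *userstr)
{
    if (sec_complete)
        return (*mech->userok)(app_data, userstr);
    return 0;
}

/*
 * Server side: give the mechanism a chance to set up per-session state for
 * user, if it implements a session hook.  Returns the hook's result, or 0
 * when there is no completed exchange or no hook.
 */
int
sec_session(char *user)
{
    if (sec_complete && mech->session)
        return (*mech->session)(app_data, user);
    return 0;
}

/*
 * A command that arrived wrapped in MIC/CONF/ENC and was unwrapped by
 * mec().  While non-NULL, ftpd_getline() hands this to the parser instead
 * of reading the control connection.
 */
char *ftp_command;

/*
 * Install a decoded (malloc'ed) command for the parser; ownership passes
 * here and is released by delete_ftp_command().
 * NOTE(review): a previously pending command is overwritten without being
 * freed — presumably the parser always consumes one before the next
 * MIC/CONF/ENC arrives, verify against the command loop.
 */
void
new_ftp_command(char *command)
{
    ftp_command = command;
}

/* Free the pending unwrapped command, if any. */
void
delete_ftp_command(void)
{
    free(ftp_command);
    ftp_command = NULL;
}

/* Non-zero while the command being processed arrived protected. */
int
secure_command(void)
{
    return ftp_command != NULL;
}

/* Protection level currently in force on the command channel. */
enum protection_level
get_command_prot(void)
{
    return command_prot;
}

#else /* FTP_SERVER */

/*
 * Client side: print the mechanism in use and the negotiated command and
 * data channel protection levels (and the buffer size, once negotiated).
 */
void
sec_status(void)
{
    if (sec_complete) {
        printf("Using %s for authentication.\n", mech->name);
        printf("Using %s command channel.\n", level_to_name(command_prot));
        printf("Using %s data channel.\n", level_to_name(data_prot));
        if (buffer_size > 0)
            printf("Protection buffer size: %lu.\n",
                   (unsigned long)buffer_size);
    } else {
        printf("Not using any security mechanism.\n");
    }
}

/*
 * Negotiate the data channel protection level with the server: PBSZ first
 * (for anything but clear), then PROT.
 *
 * level  index into "CSEP", i.e. prot_clear .. prot_private
 *
 * Returns 0 on success, -1 on failure.  The global verbose flag is muted
 * during the PBSZ exchange and restored on every exit path.
 */
static int
sec_prot_internal(int level)
{
    int ret;
    char *p;
    unsigned int s = 1048576;
    int old_verbose = verbose;

    verbose = 0;		/* PBSZ chatter is not interesting to the user */
    if (!sec_complete) {
        printf("No security data exchange has taken place.\n");
        verbose = old_verbose;
        return -1;
    }
    if (level) {
        ret = command("PBSZ %u", s);
        if (ret != COMPLETE) {
            printf("Failed to set protection buffer size.\n");
            verbose = old_verbose;
            return -1;
        }
        buffer_size = s;
        /* the server may answer with a smaller "PBSZ=n"; honour the smaller */
        p = strstr(reply_string, "PBSZ=");
        if (p)
            sscanf(p, "PBSZ=%u", &s);
        if (s < buffer_size)
            buffer_size = s;
    }
    verbose = old_verbose;	/* restored before PROT so its reply is shown */
    ret = command("PROT %c", "CSEP"[level]);
    if (ret != COMPLETE) {
        printf("Failed to set protection level.\n");
        return -1;
    }
    data_prot = (enum protection_level)level;
    return 0;
}

/*
 * Switch the command channel to level.  Going to prot_clear requires the
 * server to accept CCC; any other change is purely local state.
 *
 * Returns the previous level, or prot_invalid if CCC was refused.
 */
enum protection_level
set_command_prot(enum protection_level level)
{
    int ret;
    enum protection_level old = command_prot;

    if (level != command_prot && level == prot_clear) {
        ret = command("CCC");
        if (ret != COMPLETE) {
            printf("Failed to clear command channel.\n");
            return prot_invalid;
        }
    }
    command_prot = level;
    return old;
}

/*
 * "prot [command|data] <level>" user command.  With no arguments prints the
 * status; with one argument sets the data channel level.  Sets the global
 * code to 0 on success and -1 on failure.
 */
void
sec_prot(int argc, char **argv)
{
    int level = -1;

    if (argc > 3)
        goto usage;
    if (argc == 1) {
        sec_status();
        return;
    }
    if (!sec_complete) {
        printf("No security data exchange has taken place.\n");
        code = -1;
        return;
    }
    level = name_to_level(argv[argc - 1]);
    if (level == -1)
        goto usage;
    if ((*mech->check_prot)(app_data, level)) {
        printf("%s does not implement %s protection.\n",
               mech->name, level_to_name(level));
        code = -1;
        return;
    }
    if (argc == 2 || strncasecmp(argv[1], "data", strlen(argv[1])) == 0) {
        if (sec_prot_internal(level) < 0) {
            code = -1;
            return;
        }
    } else if (strncasecmp(argv[1], "command", strlen(argv[1])) == 0) {
        if (set_command_prot(level) < 0) {
            code = -1;
            return;
        }
    } else
        goto usage;
    code = 0;
    return;
usage:
    printf("usage: %s [command|data] [clear|safe|confidential|private]\n",
           argv[0]);
    code = -1;
}

/*
 * "cprotect [<level>]" user command: show the status or set the command
 * channel protection level.  Sets code to 0 on success, -1 on failure.
 */
void
sec_prot_command(int argc, char **argv)
{
    int level;

    if (argc > 2)
        goto usage;
    if (!sec_complete) {
        printf("No security data exchange has taken place.\n");
        code = -1;
        return;
    }
    if (argc == 1) {
        sec_status();
    } else {
        level = name_to_level(argv[1]);
        if (level == -1)
            goto usage;
        if ((*mech->check_prot)(app_data, level)) {
            printf("%s does not implement %s protection.\n",
                   mech->name, level_to_name(level));
            code = -1;
            return;
        }
        if (set_command_prot(level) < 0) {
            code = -1;
            return;
        }
    }
    code = 0;
    return;
usage:
    printf("usage: %s [clear|safe|confidential|private]\n", argv[0]);
    code = -1;
}

/* Data channel level requested by the user, applied lazily by
 * sec_set_protection_level() before a transfer. */
static enum protection_level request_data_prot;

/* Bring the negotiated data channel level in line with the requested one. */
void
sec_set_protection_level(void)
{
    if (sec_complete && data_prot != request_data_prot)
        sec_prot_internal(request_data_prot);
}

/*
 * Record the desired data channel level by name.  Returns 0, or -1 if
 * level is not a known level name.
 */
int
sec_request_prot(char *level)
{
    int l = name_to_level(level);

    if (l == -1)
        return -1;
    request_data_prot = (enum protection_level)l;
    return 0;
}

/*
 * Try each client mechanism in turn (AUTH, then the mechanism's own
 * exchange) until one succeeds.  On success mech/sec_complete are set and
 * the command channel defaults to private (with doencrypt) or safe.
 *
 * host  the server host name, passed to the mechanism's auth hook
 *
 * Returns 0 on success, non-zero when no mechanism could be negotiated or
 * the server does not speak the security extensions.  verbose is restored
 * on every exit path.
 */
int
sec_login(char *host)
{
    int ret;
    struct sec_client_mech **m;
    int old_verbose = verbose;

    verbose = -1; /* shut up all messages this will produce (they
                     are usually not very user friendly) */

    for (m = mechs; *m && (*m)->name; m++) {
        void *tmp;

        /* app_data is reused across attempts and resized per mechanism */
        tmp = realloc(app_data, (*m)->size);
        if (tmp == NULL) {
            warnx ("realloc %lu failed", (unsigned long)(*m)->size);
            verbose = old_verbose;
            return -1;
        }
        app_data = tmp;

        if ((*m)->init && (*(*m)->init)(app_data) != 0) {
            printf("Skipping %s...\n", (*m)->name);
            continue;
        }
        printf("Trying %s...\n", (*m)->name);
        ret = command("AUTH %s", (*m)->name);
        if (ret != CONTINUE) {
            if (code == 504) {
                printf("%s is not supported by the server.\n", (*m)->name);
            } else if (code == 534) {
                printf("%s rejected as security mechanism.\n", (*m)->name);
            } else if (ret == ERROR) {
                printf("The server doesn't support the FTP "
                       "security extensions.\n");
                verbose = old_verbose;
                return -1;
            }
            continue;
        }

        ret = (*(*m)->auth)(app_data, host);

        if (ret == AUTH_CONTINUE)
            continue;
        else if (ret != AUTH_OK) {
            /* mechanism is supposed to output error string */
            verbose = old_verbose;
            return -1;
        }
        mech = *m;
        sec_complete = 1;
        if (doencrypt) {
            command_prot = prot_private;
            request_data_prot = prot_private;
        } else {
            command_prot = prot_safe;
        }
        break;
    }

    verbose = old_verbose;
    return *m == NULL;
}

/*
 * Tear down the security context: run the mechanism's end hook, wipe and
 * free its state, and clear the negotiated flags.
 * NOTE(review): mech and command_prot are left as they were; callers seem
 * to rely on sec_complete alone — confirm before depending on either.
 */
void
sec_end(void)
{
    if (mech != NULL) {
        if (mech->end)
            (*mech->end)(app_data);
        if (app_data != NULL) {
            /* scrub before freeing; the state presumably holds key material */
            memset(app_data, 0, mech->size);
            free(app_data);
            app_data = NULL;
        }
    }
    sec_complete = 0;
    data_prot = (enum protection_level)0;
}

#endif /* FTP_SERVER */
heimdal-1.7~git20150920+dfsg/appl/ftp/ftp/security.h000066400000000000000000000102561257755311500220050ustar00rootroot00000000000000/*
 * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3.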
Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ #ifndef __security_h__ #define __security_h__ enum protection_level { prot_invalid = -1, prot_clear = 0, prot_safe = 1, prot_confidential = 2, prot_private = 3 }; struct sec_client_mech { char *name; size_t size; int (*init)(void *); int (*auth)(void *, char*); void (*end)(void *); int (*check_prot)(void *, int); int (*overhead)(void *, int, int); int (*encode)(void *, void*, int, int, void**); int (*decode)(void *, void*, int, int); }; struct sec_server_mech { char *name; size_t size; int (*init)(void *); void (*end)(void *); int (*check_prot)(void *, int); int (*overhead)(void *, int, int); int (*encode)(void *, void*, int, int, void**); int (*decode)(void *, void*, int, int); int (*auth)(void *); int (*adat)(void *, void*, size_t); size_t (*pbsz)(void *, size_t); int (*ccc)(void*); int (*userok)(void*, char*); int (*session)(void*, char*); }; #define AUTH_OK 0 #define AUTH_CONTINUE 1 #define AUTH_ERROR 2 extern int ftp_do_gss_bindings; extern int ftp_do_gss_delegate; #ifdef FTP_SERVER extern struct sec_server_mech 
krb4_server_mech, gss_server_mech; #else extern struct sec_client_mech krb4_client_mech, gss_client_mech; #endif extern int sec_complete; #ifdef FTP_SERVER extern char *ftp_command; void new_ftp_command(char*); void delete_ftp_command(void); #endif /* ---- */ int sec_fflush (FILE *); int sec_fprintf (FILE *, const char *, ...) __attribute__ ((format (printf, 2,3))); int sec_getc (FILE *); int sec_putc (int, FILE *); int sec_read (int, void *, int); int sec_read_msg (char *, int); int sec_vfprintf (FILE *, const char *, va_list) __attribute__ ((format (printf, 2,0))); int sec_fprintf2(FILE *f, const char *fmt, ...) __attribute__ ((format (printf, 2,3))); int sec_vfprintf2(FILE *, const char *, va_list) __attribute__ ((format (printf, 2,0))); int sec_write (int, char *, int); #ifdef FTP_SERVER void adat (char *); void auth (char *); void ccc (void); void mec (char *, enum protection_level); void pbsz (int); void prot (char *); void delete_ftp_command (void); void new_ftp_command (char *); int sec_userok (char *); int sec_session(char *); int secure_command (void); enum protection_level get_command_prot(void); #else void sec_end (void); int sec_login (char *); void sec_prot (int, char **); void sec_prot_command (int, char **); int sec_request_prot (char *); void sec_set_protection_level (void); void sec_status (void); enum protection_level set_command_prot(enum protection_level); #endif #endif /* __security_h__ */ heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/000077500000000000000000000000001257755311500201255ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/Makefile.am000066400000000000000000000016401257755311500221620ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common AM_CPPFLAGS += -I$(srcdir)/../common -DFTP_SERVER WFLAGS += $(WFLAGS_LITE) libexec_PROGRAMS = ftpd CHECK_LOCAL = if KRB5 krb5_sources = gssapi.c gss_userok.c endif ftpd_SOURCES = \ extern.h \ ftpcmd.y \ ftpd.c \ ftpd_locl.h \ logwtmp.c \ ls.c \ pathnames.h \ 
popen.c \ security.c \ kauth.c \ klist.c \ $(krb5_sources) EXTRA_ftpd_SOURCES = kauth.c gssapi.c gss_userok.c $(ftpd_OBJECTS): security.h security.c: @test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c . security.h: @test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h . gssapi.c: @test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c . CLEANFILES = security.c security.h gssapi.c man_MANS = ftpd.8 ftpusers.5 LDADD = ../common/libcommon.a \ $(LIB_otp) \ $(LIB_gssapi) \ $(LIB_krb5) \ $(LIB_kafs) \ $(LIB_hcrypto) \ $(LIB_roken) EXTRA_DIST = NTMakefile $(man_MANS) heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/NTMakefile000066400000000000000000000027411257755311500220330ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\ftp\ftpd !include ../../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/extern.h000066400000000000000000000104071257755311500216050ustar00rootroot00000000000000/*- * Copyright (c) 1992, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)extern.h 8.2 (Berkeley) 4/4/94 */ #ifndef _EXTERN_H_ #define _EXTERN_H_ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_NETDB_H #include #endif #include #include #ifdef HAVE_PWD_H #include #endif #ifdef HAVE_LIMITS_H #include #endif #ifndef NBBY #define NBBY CHAR_BIT #endif void abor(void); void blkfree(char **); char **copyblk(char **); void cwd(const char *); void do_delete(char *); void dologout(int); void eprt(char *); void epsv(char *); void fatal(char *); int filename_check(char *); int ftpd_pclose(FILE *); FILE *ftpd_popen(char *, char *, int, int); char *ftpd_getline(char *, int); void ftpd_logwtmp(char *, char *, char *); void lreply(int, const char *, ...) __attribute__ ((format (printf, 2, 3))); void makedir(char *); void nack(char *); void nreply(const char *, ...) __attribute__ ((format (printf, 1, 2))); void pass(char *); void pasv(void); void perror_reply(int, const char *); void pwd(void); void removedir(char *); void renamecmd(char *, char *); char *renamefrom(char *); void reply(int, const char *, ...) __attribute__ ((format (printf, 2, 3))); void retrieve(const char *, char *); void send_file_list(char *); void setproctitle(const char *, ...) 
__attribute__ ((format (printf, 1, 2))); void statcmd(void); void statfilecmd(char *); void do_store(char *, char *, int); void upper(char *); void user(char *); void yyerror(char *); void list_file(char*); void kauth(char *, char*); void klist(void); void cond_kdestroy(void); void kdestroy(void); void krbtkfile(const char *tkfile); void afslog(const char *, int); void afsunlog(void); extern int do_destroy_tickets; extern char *k5ccname; int find(char *); int builtin_ls(FILE*, const char*); int do_login(int code, char *passwd); int klogin(char *name, char *password); const char *ftp_rooted(const char *path); extern struct sockaddr *ctrl_addr, *his_addr; extern char hostname[]; extern struct sockaddr *data_dest; extern int logged_in; extern struct passwd *pw; extern int guest; extern int dochroot; extern int logging; extern int type; extern off_t file_size; extern off_t byte_count; extern int ccc_passed; extern int form; extern int debug; extern int ftpd_timeout; extern int maxtimeout; extern int pdata; extern char hostname[], remotehost[]; extern char proctitle[]; extern int usedefault; extern char tmpline[]; extern int paranoid; #endif /* _EXTERN_H_ */ heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/ftpcmd.y000066400000000000000000000710161257755311500216010ustar00rootroot00000000000000/* $NetBSD: ftpcmd.y,v 1.6 1995/06/03 22:46:45 mycroft Exp $ */ /* * Copyright (c) 1985, 1988, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)ftpcmd.y 8.3 (Berkeley) 4/6/94 */ /* * Grammar for FTP commands. * See RFC 959. 
*/ %{ #include "ftpd_locl.h" RCSID("$Id$"); off_t restart_point; static int hasyyerrored; static int cmd_type; static int cmd_form; static int cmd_bytesz; char cbuf[64*1024]; char *fromname; struct tab { char *name; short token; short state; short implemented; /* 1 if command is implemented */ char *help; }; extern struct tab cmdtab[]; extern struct tab sitetab[]; static char *copy (char *); static void help (struct tab *, char *); static struct tab * lookup (struct tab *, char *); static void sizecmd (char *); static RETSIGTYPE toolong (int); static int yylex (void); /* This is for bison */ #if !defined(alloca) && !defined(HAVE_ALLOCA) #define alloca(x) malloc(x) #endif %} %union { int i; char *s; } %token A B C E F I L N P R S T SP CRLF COMMA USER PASS ACCT REIN QUIT PORT PASV TYPE STRU MODE RETR STOR APPE MLFL MAIL MSND MSOM MSAM MRSQ MRCP ALLO REST RNFR RNTO ABOR DELE CWD LIST NLST SITE sTAT HELP NOOP MKD RMD PWD CDUP STOU SMNT SYST SIZE MDTM EPRT EPSV UMASK IDLE CHMOD AUTH ADAT PROT PBSZ CCC MIC CONF ENC KAUTH KLIST KDESTROY KRBTKFILE AFSLOG LOCATE URL FEAT OPTS LEXERR %token STRING %token NUMBER %type check_login check_login_no_guest check_secure octal_number byte_size %type struct_code mode_code type_code form_code %type pathstring pathname password username %start cmd_list %% cmd_list : /* empty */ | cmd_list cmd { fromname = (char *) 0; restart_point = (off_t) 0; } | cmd_list rcmd ; cmd : USER SP username CRLF check_secure { if ($5) user($3); free($3); } | PASS SP password CRLF check_secure { if ($5) pass($3); memset ($3, 0, strlen($3)); free($3); } | PORT SP host_port CRLF check_secure { if ($5) { if (paranoid && (data_dest->sa_family != his_addr->sa_family || (socket_get_port(data_dest) < IPPORT_RESERVED) || memcmp(socket_get_address(data_dest), socket_get_address(his_addr), socket_addr_size(his_addr)) != 0)) { usedefault = 1; reply(500, "Illegal PORT range rejected."); } else { usedefault = 0; if (pdata >= 0) { close(pdata); pdata = -1; } reply(200, 
"PORT command successful."); } } } | EPRT SP STRING CRLF check_secure { if ($5) eprt ($3); free ($3); } | PASV CRLF check_login { if($3) pasv (); } | EPSV CRLF check_login { if($3) epsv (NULL); } | EPSV SP STRING CRLF check_login { if($5) epsv ($3); free ($3); } | TYPE SP type_code CRLF check_secure { if ($5) { switch (cmd_type) { case TYPE_A: if (cmd_form == FORM_N) { reply(200, "Type set to A."); type = cmd_type; form = cmd_form; } else reply(504, "Form must be N."); break; case TYPE_E: reply(504, "Type E not implemented."); break; case TYPE_I: reply(200, "Type set to I."); type = cmd_type; break; case TYPE_L: #if NBBY == 8 if (cmd_bytesz == 8) { reply(200, "Type set to L (byte size 8)."); type = cmd_type; } else reply(504, "Byte size must be 8."); #else /* NBBY == 8 */ UNIMPLEMENTED for NBBY != 8 #endif /* NBBY == 8 */ } } } | STRU SP struct_code CRLF check_secure { if ($5) { switch ($3) { case STRU_F: reply(200, "STRU F ok."); break; default: reply(504, "Unimplemented STRU type."); } } } | MODE SP mode_code CRLF check_secure { if ($5) { switch ($3) { case MODE_S: reply(200, "MODE S ok."); break; default: reply(502, "Unimplemented MODE type."); } } } | ALLO SP NUMBER CRLF check_secure { if ($5) { reply(202, "ALLO command ignored."); } } | ALLO SP NUMBER SP R SP NUMBER CRLF check_secure { if ($9) { reply(202, "ALLO command ignored."); } } | RETR SP pathname CRLF check_login { char *name = $3; if ($5 && name != NULL) retrieve(0, name); if (name != NULL) free(name); } | STOR SP pathname CRLF check_login { char *name = $3; if ($5 && name != NULL) do_store(name, "w", 0); if (name != NULL) free(name); } | APPE SP pathname CRLF check_login { char *name = $3; if ($5 && name != NULL) do_store(name, "a", 0); if (name != NULL) free(name); } | NLST CRLF check_login { if ($3) send_file_list("."); } | NLST SP STRING CRLF check_login { char *name = $3; if ($5 && name != NULL) send_file_list(name); if (name != NULL) free(name); } | LIST CRLF check_login { if($3) list_file("."); 
} | LIST SP pathname CRLF check_login { if($5) list_file($3); free($3); } | sTAT SP pathname CRLF check_login { if ($5 && $3 != NULL) statfilecmd($3); if ($3 != NULL) free($3); } | sTAT CRLF check_secure { if ($3) statcmd(); } | DELE SP pathname CRLF check_login_no_guest { if ($5 && $3 != NULL) do_delete($3); if ($3 != NULL) free($3); } | RNTO SP pathname CRLF check_login_no_guest { if($5){ if (fromname) { renamecmd(fromname, $3); free(fromname); fromname = (char *) 0; } else { reply(503, "Bad sequence of commands."); } } if ($3 != NULL) free($3); } | ABOR CRLF check_secure { if ($3) reply(225, "ABOR command successful."); } | CWD CRLF check_login { if ($3) { const char *path = pw->pw_dir; if (dochroot || guest) path = "/"; cwd(path); } } | CWD SP pathname CRLF check_login { if ($5 && $3 != NULL) cwd($3); if ($3 != NULL) free($3); } | HELP CRLF check_secure { if ($3) help(cmdtab, (char *) 0); } | HELP SP STRING CRLF check_secure { if ($5) { char *cp = $3; if (strncasecmp(cp, "SITE", 4) == 0) { cp = $3 + 4; if (*cp == ' ') cp++; if (*cp) help(sitetab, cp); else help(sitetab, (char *) 0); } else help(cmdtab, $3); } } | NOOP CRLF check_secure { if ($3) reply(200, "NOOP command successful."); } | MKD SP pathname CRLF check_login { if ($5 && $3 != NULL) makedir($3); if ($3 != NULL) free($3); } | RMD SP pathname CRLF check_login_no_guest { if ($5 && $3 != NULL) removedir($3); if ($3 != NULL) free($3); } | PWD CRLF check_login { if ($3) pwd(); } | CDUP CRLF check_login { if ($3) cwd(".."); } | FEAT CRLF check_secure { if ($3) { lreply(211, "Supported features:"); lreply(0, " MDTM"); lreply(0, " REST STREAM"); lreply(0, " SIZE"); reply(211, "End"); } } | OPTS SP STRING CRLF check_secure { if ($5) reply(501, "Bad options"); free ($3); } | SITE SP HELP CRLF check_secure { if ($5) help(sitetab, (char *) 0); } | SITE SP HELP SP STRING CRLF check_secure { if ($7) help(sitetab, $5); } | SITE SP UMASK CRLF check_login { if ($5) { int oldmask = umask(0); umask(oldmask); reply(200, 
"Current UMASK is %03o", oldmask); } } | SITE SP UMASK SP octal_number CRLF check_login_no_guest { if ($7) { if (($5 == -1) || ($5 > 0777)) { reply(501, "Bad UMASK value"); } else { int oldmask = umask($5); reply(200, "UMASK set to %03o (was %03o)", $5, oldmask); } } } | SITE SP CHMOD SP octal_number SP pathname CRLF check_login_no_guest { if ($9 && $7 != NULL) { if ($5 > 0777) reply(501, "CHMOD: Mode value must be between 0 and 0777"); else if (chmod($7, $5) < 0) perror_reply(550, $7); else reply(200, "CHMOD command successful."); } if ($7 != NULL) free($7); } | SITE SP IDLE CRLF check_secure { if ($5) reply(200, "Current IDLE time limit is %d seconds; max %d", ftpd_timeout, maxtimeout); } | SITE SP IDLE SP NUMBER CRLF check_secure { if ($7) { if ($5 < 30 || $5 > maxtimeout) { reply(501, "Maximum IDLE time must be between 30 and %d seconds", maxtimeout); } else { ftpd_timeout = $5; alarm((unsigned) ftpd_timeout); reply(200, "Maximum IDLE time set to %d seconds", ftpd_timeout); } } } | SITE SP KAUTH SP STRING CRLF check_login { reply(500, "Command not implemented."); } | SITE SP KLIST CRLF check_login { if($5) klist(); } | SITE SP KDESTROY CRLF check_login { reply(500, "Command not implemented."); } | SITE SP KRBTKFILE SP STRING CRLF check_login { reply(500, "Command not implemented."); } | SITE SP AFSLOG CRLF check_login { #if defined(KRB5) if(guest) reply(500, "Can't be done as guest."); else if($5) afslog(NULL, 0); #else reply(500, "Command not implemented."); #endif } | SITE SP AFSLOG SP STRING CRLF check_login { #if defined(KRB5) if(guest) reply(500, "Can't be done as guest."); else if($7) afslog($5, 0); if($5) free($5); #else reply(500, "Command not implemented."); #endif } | SITE SP LOCATE SP STRING CRLF check_login { if($7 && $5 != NULL) find($5); if($5 != NULL) free($5); } | SITE SP URL CRLF check_secure { if ($5) reply(200, "http://www.pdc.kth.se/heimdal/"); } | STOU SP pathname CRLF check_login { if ($5 && $3 != NULL) do_store($3, "w", 1); if ($3 != 
NULL) free($3); } | SYST CRLF check_secure { if ($3) { #if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__) reply(215, "UNIX Type: L%d", NBBY); #else reply(215, "UNKNOWN Type: L%d", NBBY); #endif } } /* * SIZE is not in RFC959, but Postel has blessed it and * it will be in the updated RFC. * * Return size of file in a format suitable for * using with RESTART (we just count bytes). */ | SIZE SP pathname CRLF check_login { if ($5 && $3 != NULL) sizecmd($3); if ($3 != NULL) free($3); } /* * MDTM is not in RFC959, but Postel has blessed it and * it will be in the updated RFC. * * Return modification time of file as an ISO 3307 * style time. E.g. YYYYMMDDHHMMSS or YYYYMMDDHHMMSS.xxx * where xxx is the fractional second (of any precision, * not necessarily 3 digits) */ | MDTM SP pathname CRLF check_login { if ($5 && $3 != NULL) { struct stat stbuf; if (stat($3, &stbuf) < 0) reply(550, "%s: %s", $3, strerror(errno)); else if (!S_ISREG(stbuf.st_mode)) { reply(550, "%s: not a plain file.", $3); } else { struct tm *t; time_t mtime = stbuf.st_mtime; t = gmtime(&mtime); reply(213, "%04d%02d%02d%02d%02d%02d", t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); } } if ($3 != NULL) free($3); } | QUIT CRLF check_secure { if ($3) { reply(221, "Goodbye."); dologout(0); } } | error CRLF { yyerrok; } ; rcmd : RNFR SP pathname CRLF check_login_no_guest { restart_point = (off_t) 0; if ($5 && $3) { fromname = renamefrom($3); if (fromname == (char *) 0 && $3) { free($3); } } } | REST SP byte_size CRLF check_secure { if ($5) { fromname = (char *) 0; restart_point = $3; /* XXX $3 is only "int" */ reply(350, "Restarting at %ld. 
%s", (long)restart_point, "Send STORE or RETRIEVE to initiate transfer."); } } | AUTH SP STRING CRLF { auth($3); free($3); } | ADAT SP STRING CRLF { adat($3); free($3); } | PBSZ SP NUMBER CRLF check_secure { if ($5) pbsz($3); } | PROT SP STRING CRLF check_secure { if ($5) prot($3); } | CCC CRLF check_secure { if ($3) ccc(); } | MIC SP STRING CRLF { mec($3, prot_safe); free($3); } | CONF SP STRING CRLF { mec($3, prot_confidential); free($3); } | ENC SP STRING CRLF { mec($3, prot_private); free($3); } ; username : STRING ; password : /* empty */ { $$ = (char *)calloc(1, sizeof(char)); } | STRING ; byte_size : NUMBER ; host_port : NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER { struct sockaddr_in *sin4 = (struct sockaddr_in *)data_dest; sin4->sin_family = AF_INET; sin4->sin_port = htons($9 * 256 + $11); sin4->sin_addr.s_addr = htonl(($1 << 24) | ($3 << 16) | ($5 << 8) | $7); } ; form_code : N { $$ = FORM_N; } | T { $$ = FORM_T; } | C { $$ = FORM_C; } ; type_code : A { cmd_type = TYPE_A; cmd_form = FORM_N; } | A SP form_code { cmd_type = TYPE_A; cmd_form = $3; } | E { cmd_type = TYPE_E; cmd_form = FORM_N; } | E SP form_code { cmd_type = TYPE_E; cmd_form = $3; } | I { cmd_type = TYPE_I; } | L { cmd_type = TYPE_L; cmd_bytesz = NBBY; } | L SP byte_size { cmd_type = TYPE_L; cmd_bytesz = $3; } /* this is for a bug in the BBN ftp */ | L byte_size { cmd_type = TYPE_L; cmd_bytesz = $2; } ; struct_code : F { $$ = STRU_F; } | R { $$ = STRU_R; } | P { $$ = STRU_P; } ; mode_code : S { $$ = MODE_S; } | B { $$ = MODE_B; } | C { $$ = MODE_C; } ; pathname : pathstring { /* * Problem: this production is used for all pathname * processing, but only gives a 550 error reply. * This is a valid reply in some cases but not in others. 
*/ if (logged_in && $1 && *$1 == '~') { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; memset(&gl, 0, sizeof(gl)); if (glob($1, flags, NULL, &gl) || gl.gl_pathc == 0) { reply(550, "not found"); $$ = NULL; } else { $$ = strdup(gl.gl_pathv[0]); } globfree(&gl); free($1); } else $$ = $1; } ; pathstring : STRING ; octal_number : NUMBER { int ret, dec, multby, digit; /* * Convert a number that was read as decimal number * to what it would be if it had been read as octal. */ dec = $1; multby = 1; ret = 0; while (dec) { digit = dec%10; if (digit > 7) { ret = -1; break; } ret += digit * multby; multby *= 8; dec /= 10; } $$ = ret; } ; check_login_no_guest : check_login { $$ = $1 && !guest; if($1 && !$$) reply(550, "Permission denied"); } ; check_login : check_secure { if($1) { if(($$ = logged_in) == 0) reply(530, "Please login with USER and PASS."); } else $$ = 0; } ; check_secure : /* empty */ { $$ = 1; if(sec_complete && !ccc_passed && !secure_command()) { $$ = 0; reply(533, "Command protection level denied " "for paranoid reasons."); } } ; %% #define CMD 0 /* beginning of command */ #define ARGS 1 /* expect miscellaneous arguments */ #define STR1 2 /* expect SP followed by STRING */ #define STR2 3 /* expect STRING */ #define OSTR 4 /* optional SP then STRING */ #define ZSTR1 5 /* SP then optional STRING */ #define ZSTR2 6 /* optional STRING after SP */ #define SITECMD 7 /* SITE command */ #define NSTR 8 /* Number followed by a string */ struct tab cmdtab[] = { /* In order defined in RFC 765 */ { "USER", USER, STR1, 1, " username" }, { "PASS", PASS, ZSTR1, 1, " password" }, { "ACCT", ACCT, STR1, 0, "(specify account)" }, { "SMNT", SMNT, ARGS, 0, "(structure mount)" }, { "REIN", REIN, ARGS, 0, "(reinitialize server state)" }, { "QUIT", QUIT, ARGS, 1, "(terminate service)", }, { "PORT", PORT, ARGS, 1, " b0, b1, b2, b3, b4" }, { "EPRT", EPRT, STR1, 1, " string" }, { "PASV", PASV, ARGS, 1, "(set server in passive mode)" }, { "EPSV", EPSV, OSTR, 1, "[ 
foo]" }, { "TYPE", TYPE, ARGS, 1, " [ A | E | I | L ]" }, { "STRU", STRU, ARGS, 1, "(specify file structure)" }, { "MODE", MODE, ARGS, 1, "(specify transfer mode)" }, { "RETR", RETR, STR1, 1, " file-name" }, { "STOR", STOR, STR1, 1, " file-name" }, { "APPE", APPE, STR1, 1, " file-name" }, { "MLFL", MLFL, OSTR, 0, "(mail file)" }, { "MAIL", MAIL, OSTR, 0, "(mail to user)" }, { "MSND", MSND, OSTR, 0, "(mail send to terminal)" }, { "MSOM", MSOM, OSTR, 0, "(mail send to terminal or mailbox)" }, { "MSAM", MSAM, OSTR, 0, "(mail send to terminal and mailbox)" }, { "MRSQ", MRSQ, OSTR, 0, "(mail recipient scheme question)" }, { "MRCP", MRCP, STR1, 0, "(mail recipient)" }, { "ALLO", ALLO, ARGS, 1, "allocate storage (vacuously)" }, { "REST", REST, ARGS, 1, " offset (restart command)" }, { "RNFR", RNFR, STR1, 1, " file-name" }, { "RNTO", RNTO, STR1, 1, " file-name" }, { "ABOR", ABOR, ARGS, 1, "(abort operation)" }, { "DELE", DELE, STR1, 1, " file-name" }, { "CWD", CWD, OSTR, 1, "[ directory-name ]" }, { "XCWD", CWD, OSTR, 1, "[ directory-name ]" }, { "LIST", LIST, OSTR, 1, "[ path-name ]" }, { "NLST", NLST, OSTR, 1, "[ path-name ]" }, { "SITE", SITE, SITECMD, 1, "site-cmd [ arguments ]" }, { "SYST", SYST, ARGS, 1, "(get type of operating system)" }, { "STAT", sTAT, OSTR, 1, "[ path-name ]" }, { "HELP", HELP, OSTR, 1, "[ ]" }, { "NOOP", NOOP, ARGS, 1, "" }, { "MKD", MKD, STR1, 1, " path-name" }, { "XMKD", MKD, STR1, 1, " path-name" }, { "RMD", RMD, STR1, 1, " path-name" }, { "XRMD", RMD, STR1, 1, " path-name" }, { "PWD", PWD, ARGS, 1, "(return current directory)" }, { "XPWD", PWD, ARGS, 1, "(return current directory)" }, { "CDUP", CDUP, ARGS, 1, "(change to parent directory)" }, { "XCUP", CDUP, ARGS, 1, "(change to parent directory)" }, { "STOU", STOU, STR1, 1, " file-name" }, { "SIZE", SIZE, OSTR, 1, " path-name" }, { "MDTM", MDTM, OSTR, 1, " path-name" }, /* extensions from RFC2228 */ { "AUTH", AUTH, STR1, 1, " auth-type" }, { "ADAT", ADAT, STR1, 1, " auth-data" }, { "PBSZ", 
PBSZ, ARGS, 1, " buffer-size" }, { "PROT", PROT, STR1, 1, " prot-level" }, { "CCC", CCC, ARGS, 1, "" }, { "MIC", MIC, STR1, 1, " integrity command" }, { "CONF", CONF, STR1, 1, " confidentiality command" }, { "ENC", ENC, STR1, 1, " privacy command" }, /* RFC2389 */ { "FEAT", FEAT, ARGS, 1, "" }, { "OPTS", OPTS, ARGS, 1, " command [ options]" }, { NULL, 0, 0, 0, 0 } }; struct tab sitetab[] = { { "UMASK", UMASK, ARGS, 1, "[ umask ]" }, { "IDLE", IDLE, ARGS, 1, "[ maximum-idle-time ]" }, { "CHMOD", CHMOD, NSTR, 1, " mode file-name" }, { "HELP", HELP, OSTR, 1, "[ ]" }, { "KAUTH", KAUTH, STR1, 1, " principal [ ticket ]" }, { "KLIST", KLIST, ARGS, 1, "(show ticket file)" }, { "KDESTROY", KDESTROY, ARGS, 1, "(destroy tickets)" }, { "KRBTKFILE", KRBTKFILE, STR1, 1, " ticket-file" }, { "AFSLOG", AFSLOG, OSTR, 1, "[ cell]" }, { "LOCATE", LOCATE, STR1, 1, " globexpr" }, { "FIND", LOCATE, STR1, 1, " globexpr" }, { "URL", URL, ARGS, 1, "?" }, { NULL, 0, 0, 0, 0 } }; static struct tab * lookup(struct tab *p, char *cmd) { for (; p->name != NULL; p++) if (strcmp(cmd, p->name) == 0) return (p); return (0); } /* * ftpd_getline - a hacked up version of fgets to ignore TELNET escape codes. 
*/ char * ftpd_getline(char *s, int n) { int c; char *cs; cs = s; /* might still be data within the security MIC/CONF/ENC */ if(ftp_command){ strlcpy(s, ftp_command, n); if (debug) syslog(LOG_DEBUG, "command: %s", s); return s; } while ((c = getc(stdin)) != EOF) { c &= 0377; if (c == IAC) { if ((c = getc(stdin)) != EOF) { c &= 0377; switch (c) { case WILL: case WONT: c = getc(stdin); printf("%c%c%c", IAC, DONT, 0377&c); fflush(stdout); continue; case DO: case DONT: c = getc(stdin); printf("%c%c%c", IAC, WONT, 0377&c); fflush(stdout); continue; case IAC: break; default: continue; /* ignore command */ } } } *cs++ = c; if (--n <= 0 || c == '\n') break; } if (c == EOF && cs == s) return (NULL); *cs++ = '\0'; if (debug) { if (!guest && strncasecmp("pass ", s, 5) == 0) { /* Don't syslog passwords */ syslog(LOG_DEBUG, "command: %.5s ???", s); } else { char *cp; int len; /* Don't syslog trailing CR-LF */ len = strlen(s); cp = s + len - 1; while (cp >= s && (*cp == '\n' || *cp == '\r')) { --cp; --len; } syslog(LOG_DEBUG, "command: %.*s", len, s); } } #ifdef XXX fprintf(stderr, "%s\n", s); #endif return (s); } static RETSIGTYPE toolong(int signo) { reply(421, "Timeout (%d seconds): closing control connection.", ftpd_timeout); if (logging) syslog(LOG_INFO, "User %s timed out after %d seconds", (pw ? 
pw -> pw_name : "unknown"), ftpd_timeout); dologout(1); SIGRETURN(0); } static int yylex(void) { static int cpos, state; char *cp, *cp2; struct tab *p; int n; char c; for (;;) { switch (state) { case CMD: hasyyerrored = 0; signal(SIGALRM, toolong); alarm((unsigned) ftpd_timeout); if (ftpd_getline(cbuf, sizeof(cbuf)-1) == NULL) { reply(221, "You could at least say goodbye."); dologout(0); } alarm(0); #ifdef HAVE_SETPROCTITLE if (strncasecmp(cbuf, "PASS", 4) != 0) setproctitle("%s: %s", proctitle, cbuf); #endif /* HAVE_SETPROCTITLE */ if ((cp = strchr(cbuf, '\r'))) { *cp++ = '\n'; *cp = '\0'; } if ((cp = strpbrk(cbuf, " \n"))) cpos = cp - cbuf; if (cpos == 0) cpos = 4; c = cbuf[cpos]; cbuf[cpos] = '\0'; strupr(cbuf); p = lookup(cmdtab, cbuf); cbuf[cpos] = c; if (p != 0) { if (p->implemented == 0) { nack(p->name); hasyyerrored = 1; break; } state = p->state; yylval.s = p->name; return (p->token); } break; case SITECMD: if (cbuf[cpos] == ' ') { cpos++; return (SP); } cp = &cbuf[cpos]; if ((cp2 = strpbrk(cp, " \n"))) cpos = cp2 - cbuf; c = cbuf[cpos]; cbuf[cpos] = '\0'; strupr(cp); p = lookup(sitetab, cp); cbuf[cpos] = c; if (p != 0) { if (p->implemented == 0) { state = CMD; nack(p->name); hasyyerrored = 1; break; } state = p->state; yylval.s = p->name; return (p->token); } state = CMD; break; case OSTR: if (cbuf[cpos] == '\n') { state = CMD; return (CRLF); } /* FALLTHROUGH */ case STR1: case ZSTR1: dostr1: if (cbuf[cpos] == ' ') { cpos++; if(state == OSTR) state = STR2; else state++; return (SP); } break; case ZSTR2: if (cbuf[cpos] == '\n') { state = CMD; return (CRLF); } /* FALLTHROUGH */ case STR2: cp = &cbuf[cpos]; n = strlen(cp); cpos += n - 1; /* * Make sure the string is nonempty and \n terminated. 
*/ if (n > 1 && cbuf[cpos] == '\n') { cbuf[cpos] = '\0'; yylval.s = copy(cp); cbuf[cpos] = '\n'; state = ARGS; return (STRING); } break; case NSTR: if (cbuf[cpos] == ' ') { cpos++; return (SP); } if (isdigit((unsigned char)cbuf[cpos])) { cp = &cbuf[cpos]; while (isdigit((unsigned char)cbuf[++cpos])) ; c = cbuf[cpos]; cbuf[cpos] = '\0'; yylval.i = atoi(cp); cbuf[cpos] = c; state = STR1; return (NUMBER); } state = STR1; goto dostr1; case ARGS: if (isdigit((unsigned char)cbuf[cpos])) { cp = &cbuf[cpos]; while (isdigit((unsigned char)cbuf[++cpos])) ; c = cbuf[cpos]; cbuf[cpos] = '\0'; yylval.i = atoi(cp); cbuf[cpos] = c; return (NUMBER); } switch (cbuf[cpos++]) { case '\n': state = CMD; return (CRLF); case ' ': return (SP); case ',': return (COMMA); case 'A': case 'a': return (A); case 'B': case 'b': return (B); case 'C': case 'c': return (C); case 'E': case 'e': return (E); case 'F': case 'f': return (F); case 'I': case 'i': return (I); case 'L': case 'l': return (L); case 'N': case 'n': return (N); case 'P': case 'p': return (P); case 'R': case 'r': return (R); case 'S': case 's': return (S); case 'T': case 't': return (T); } break; default: fatal("Unknown state in scanner."); } yyerror(NULL); state = CMD; return (0); } } /* ARGSUSED */ void yyerror(char *s) { char *cp; if (hasyyerrored) return; if ((cp = strchr(cbuf,'\n'))) *cp = '\0'; reply(500, "'%s': command not understood.", cbuf); hasyyerrored = 1; } static char * copy(char *s) { char *p; p = strdup(s); if (p == NULL) fatal("Ran out of memory."); return p; } static void help(struct tab *ctab, char *s) { struct tab *c; int width, NCMDS; char *t; char buf[1024]; if (ctab == sitetab) t = "SITE "; else t = ""; width = 0, NCMDS = 0; for (c = ctab; c->name != NULL; c++) { int len = strlen(c->name); if (len > width) width = len; NCMDS++; } width = (width + 8) &~ 7; if (s == 0) { int i, j, w; int columns, lines; lreply(214, "The following %scommands are recognized %s.", t, "(* =>'s unimplemented)"); columns = 76 / 
width; if (columns == 0) columns = 1; lines = (NCMDS + columns - 1) / columns; for (i = 0; i < lines; i++) { strlcpy (buf, " ", sizeof(buf)); for (j = 0; j < columns; j++) { c = ctab + j * lines + i; snprintf (buf + strlen(buf), sizeof(buf) - strlen(buf), "%s%c", c->name, c->implemented ? ' ' : '*'); if (c + lines >= &ctab[NCMDS]) break; w = strlen(c->name) + 1; while (w < width) { strlcat (buf, " ", sizeof(buf)); w++; } } lreply(214, "%s", buf); } reply(214, "Direct comments to kth-krb-bugs@pdc.kth.se"); return; } strupr(s); c = lookup(ctab, s); if (c == (struct tab *)0) { reply(502, "Unknown command %s.", s); return; } if (c->implemented) reply(214, "Syntax: %s%s %s", t, c->name, c->help); else reply(214, "%s%-*s\t%s; unimplemented.", t, width, c->name, c->help); } static void sizecmd(char *filename) { switch (type) { case TYPE_L: case TYPE_I: { struct stat stbuf; if (stat(filename, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) reply(550, "%s: not a plain file.", filename); else reply(213, "%lu", (unsigned long)stbuf.st_size); break; } case TYPE_A: { FILE *fin; int c; size_t count; struct stat stbuf; fin = fopen(filename, "r"); if (fin == NULL) { perror_reply(550, filename); return; } if (fstat(fileno(fin), &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) { reply(550, "%s: not a plain file.", filename); fclose(fin); return; } count = 0; while((c=getc(fin)) != EOF) { if (c == '\n') /* will get expanded to \r\n */ count++; count++; } fclose(fin); reply(213, "%lu", (unsigned long)count); break; } default: reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]); } } heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/ftpd.8000066400000000000000000000337021257755311500211600ustar00rootroot00000000000000.\" $NetBSD: ftpd.8,v 1.7 1995/04/11 02:44:53 cgd Exp $ .\" .\" Copyright (c) 1985, 1988, 1991, 1993 .\" The Regents of the University of California. All rights reserved. 
.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. All advertising materials mentioning features or use of this software .\" must display the following acknowledgement: .\" This product includes software developed by the University of .\" California, Berkeley and its contributors. .\" 4. Neither the name of the University nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" .\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 .\" .Dd July 19, 2003 .Dt FTPD 8 .Os BSD 4.2 .Sh NAME .Nm ftpd .Nd Internet File Transfer Protocol server .Sh SYNOPSIS .Nm .Op Fl a Ar authmode .Op Fl dilvU .Op Fl g Ar umask .Op Fl p Ar port .Op Fl T Ar maxtimeout .Op Fl t Ar timeout .Op Fl Fl gss-bindings .Op Fl I | Fl Fl no-insecure-oob .Op Fl u Ar default umask .Op Fl B | Fl Fl builtin-ls .Op Fl Fl good-chars= Ns Ar string .Sh DESCRIPTION .Nm Ftpd is the Internet File Transfer Protocol server process. The server uses the .Tn TCP protocol and listens at the port specified in the .Dq ftp service specification; see .Xr services 5 . .Pp Available options: .Bl -tag -width Ds .It Fl a Select the level of authentication required. Kerberised login cannot be turned off. The default is to only allow kerberised login. Other possibilities can be turned on by giving a string of comma-separated flags as argument to .Fl a . Recognised flags are: .Bl -tag -width plain .It Ar plain Allow logging in with plaintext password. The password can be a(n) OTP or an ordinary password. .It Ar otp Same as .Ar plain , but only OTP is allowed. .It Ar ftp Allow anonymous login. .El .Pp The following combination modes exist for backwards compatibility: .Bl -tag -width plain .It Ar none Same as .Ar plain,ftp . .It Ar safe Same as .Ar ftp . .It Ar user Ignored. .El .It Fl d Debugging information is written to the syslog using LOG_FTP. .It Fl g Anonymous users will get a umask of .Ar umask . .It Fl Fl gss-bindings Require the peer to use GSS-API bindings (i.e. make sure IP addresses match). .It Fl i Open a socket and wait for a connection. This is mainly used for debugging when ftpd isn't started by inetd. .It Fl l Each successful and failed .Xr ftp 1 session is logged using syslog with a facility of LOG_FTP. If this option is specified twice, the retrieve (get), store (put), append, delete, make directory, remove directory and rename operations and their filename arguments are also logged.
.It Fl p Use .Ar port (a service name or number) instead of the default .Ar ftp/tcp . .It Fl T A client may also request a different timeout period; the maximum period allowed may be set to .Ar timeout seconds with the .Fl T option. The default limit is 2 hours. .It Fl t The inactivity timeout period is set to .Ar timeout seconds (the default is 15 minutes). .It Fl u Set the initial umask to something other than the default 027. .It Fl U In previous versions of .Nm ftpd , when a passive mode client requested a data connection to the server, the server would use data ports in the range 1024..4999. Now, by default, if the system supports the IP_PORTRANGE socket option, the server will use data ports in the range 49152..65535. Specifying this option will revert to the old behavior. .It Fl v Verbose mode. .It Xo .Fl B , .Fl Fl builtin-ls .Xc Use the built-in ls to list files. .It Xo .Fl Fl good-chars= Ns Ar string .Xc Characters allowed in anonymous upload filenames. .It Xo .Fl I .Fl Fl no-insecure-oob .Xc Do not allow insecure out-of-band (OOB) commands. Heimdal ftp clients before 0.6.3 do not support secure OOB, so turning on this option makes them stop working. .El .Pp The file .Pa /etc/nologin can be used to disable ftp access. If the file exists, .Nm displays it and exits. If the file .Pa /etc/ftpwelcome exists, .Nm prints it before issuing the .Dq ready message. If the file .Pa /etc/motd exists, .Nm prints it after a successful login. .Pp The ftp server currently supports the following ftp requests. The case of the requests is ignored.
.Bl -column "Request" -offset indent .It Request Ta "Description" .It ABOR Ta "abort previous command" .It ACCT Ta "specify account (ignored)" .It ALLO Ta "allocate storage (vacuously)" .It APPE Ta "append to a file" .It CDUP Ta "change to parent of current working directory" .It CWD Ta "change working directory" .It DELE Ta "delete a file" .It HELP Ta "give help information" .It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA" .It MKD Ta "make a directory" .It MDTM Ta "show last modification time of file" .It MODE Ta "specify data transfer" Em mode .It NLST Ta "give name list of files in directory" .It NOOP Ta "do nothing" .It PASS Ta "specify password" .It PASV Ta "prepare for server-to-server transfer" .It PORT Ta "specify data connection port" .It PWD Ta "print the current working directory" .It QUIT Ta "terminate session" .It REST Ta "restart incomplete transfer" .It RETR Ta "retrieve a file" .It RMD Ta "remove a directory" .It RNFR Ta "specify rename-from file name" .It RNTO Ta "specify rename-to file name" .It SITE Ta "non-standard commands (see next section)" .It SIZE Ta "return size of file" .It STAT Ta "return status of server" .It STOR Ta "store a file" .It STOU Ta "store a file with a unique name" .It STRU Ta "specify data transfer" Em structure .It SYST Ta "show operating system type of server system" .It TYPE Ta "specify data transfer" Em type .It USER Ta "specify user name" .It XCUP Ta "change to parent of current working directory (deprecated)" .It XCWD Ta "change working directory (deprecated)" .It XMKD Ta "make a directory (deprecated)" .It XPWD Ta "print the current working directory (deprecated)" .It XRMD Ta "remove a directory (deprecated)" .El .Pp The following commands are specified by RFC2228. 
.Bl -column Request -offset indent .It AUTH Ta "authentication/security mechanism" .It ADAT Ta "authentication/security data" .It PROT Ta "data channel protection level" .It PBSZ Ta "protection buffer size" .It MIC Ta "integrity protected command" .It CONF Ta "confidentiality protected command" .It ENC Ta "privacy protected command" .It CCC Ta "clear command channel" .El .Pp The following non-standard or .Tn UNIX specific commands are supported by the SITE request. .Pp .Bl -column Request -offset indent .It UMASK Ta change umask, (e.g. .Ic "SITE UMASK 002" ) .It IDLE Ta set idle-timer, (e.g. .Ic "SITE IDLE 60" ) .It CHMOD Ta change mode of a file (e.g. .Ic "SITE CHMOD 755 filename" ) .It FIND Ta quickly find a specific file with GNU .Xr locate 1 . .It HELP Ta give help information. .El .Pp The following Kerberos related site commands are understood. .Bl -column Request -offset indent .It KAUTH Ta obtain remote tickets. .It KLIST Ta show remote tickets .El .Pp The remaining ftp requests specified in Internet RFC 959 are recognized, but not implemented. MDTM and SIZE are not specified in RFC 959, but will appear in the next updated FTP RFC. .Pp The ftp server will abort an active file transfer only when the ABOR command is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet "Synch" signal in the command Telnet stream, as described in Internet RFC 959. If a STAT command is received during a data transfer, preceded by a Telnet IP and Synch, transfer status will be returned. .Pp .Nm Ftpd interprets file names according to the .Dq globbing conventions used by .Xr csh 1 . This allows users to use the metacharacters .Dq Li \&*?[]{}~ . .Pp .Nm Ftpd authenticates users according to these rules. .Pp .Bl -enum -offset indent .It If Kerberos authentication is used, the user must pass valid tickets and the principal must be allowed to login as the remote user. 
.It The login name must be in the password data base, and not have a null password (if Kerberos is used the password field is not checked). In this case a password must be provided by the client before any file operations may be performed. If the user has an OTP key, the response from a successful USER command will include an OTP challenge. The client may choose to respond with a PASS command giving either a standard password or an OTP one-time password. The server will automatically determine which type of password it has been given and attempt to authenticate accordingly. See .Xr otp 1 for more information on OTP authentication. .It The login name must not appear in the file .Pa /etc/ftpusers . .It The user must have a standard shell returned by .Xr getusershell 3 . .It If the user name appears in the file .Pa /etc/ftpchroot the session's root will be changed to the user's login directory by .Xr chroot 2 as for an .Dq anonymous or .Dq ftp account (see next item). However, the user must still supply a password. This feature is intended as a compromise between a fully anonymous account and a fully privileged account. The account should also be set up as for an anonymous account. .It If the user name is .Dq anonymous or .Dq ftp , an anonymous ftp account must be present in the password file (user .Dq ftp ) . In this case the user is allowed to log in by specifying any password (by convention an email address for the user should be used as the password). .El .Pp In the last case, .Nm ftpd takes special measures to restrict the client's access privileges. The server performs a .Xr chroot 2 to the home directory of the .Dq ftp user. In order that system security is not breached, it is recommended that the .Dq ftp subtree be constructed with care, consider following these guidelines for anonymous ftp. .Pp In general all files should be owned by .Dq root , and have non-write permissions (644 or 755 depending on the kind of file). 
No files should be owned or writable by .Dq ftp (possibly with exception for the .Pa ~ftp/incoming , as specified below). .Bl -tag -width "~ftp/pub" -offset indent .It Pa ~ftp The .Dq ftp home directory should be owned by root. .It Pa ~ftp/bin The directory for external programs (such as .Xr ls 1 ) . These programs must either be statically linked, or you must set up an environment for dynamic linking when running chrooted. These programs will be used if present: .Bl -tag -width "locate" -offset indent .It ls Used when listing files. .It compress When retrieving a filename that ends in .Pa .Z , and that file isn't present, .Nm will try to find the filename without .Pa .Z and compress it on the fly. .It gzip Same as compress, just with files ending in .Pa .gz . .It gtar Enables retrieval of whole directories as files ending in .Pa .tar . Can also be combined with compression. You must use GNU Tar (or another tar that supports the .Fl z and .Fl Z flags). .It locate Will enable ``fast find'' with the .Ic SITE FIND command. You must also create a .Pa locatedb file in .Pa ~ftp/etc . .El .It Pa ~ftp/etc If you put copies of the .Xr passwd 5 and .Xr group 5 files here, ls will be able to produce owner names rather than numbers. Remember to remove any password hashes from these copies. .Pp The file .Pa motd , if present, will be printed after a successful login. .It Pa ~ftp/dev Put a copy of .Xr /dev/null 7 here. .It Pa ~ftp/pub Traditional place to put whatever you want to make public. .El .Pp If you want guests to be able to upload files, create a .Pa ~ftp/incoming directory owned by .Dq root , and group .Dq ftp with mode 730 (make sure .Dq ftp is a member of group .Dq ftp ) . The following restrictions apply to anonymous users: .Bl -bullet .It Directories created will have mode 700. .It Uploaded files will be created with an umask of 777, if not changed with the .Fl g option. .It These commands are not accessible: .Ic DELE , RMD , RNTO , RNFR , .Ic SITE UMASK , and .Ic SITE CHMOD .
.It Filenames must start with an alpha-numeric character, and consist of alpha-numeric characters or any of the following: .Li \&+ (plus), .Li \&- (minus), .Li \&= (equal), .Li \&_ (underscore), .Li \&. (period), and .Li \&, (comma). .El .Sh FILES .Bl -tag -width /etc/ftpwelcome -compact .It Pa /etc/ftpusers Access list for users. .It Pa /etc/ftpchroot List of normal users who should be chroot'd. .It Pa /etc/ftpwelcome Welcome notice. .It Pa /etc/motd Welcome notice after login. .It Pa /etc/nologin Displayed and access refused. .It Pa ~/.klogin Login access for Kerberos. .El .Sh SEE ALSO .Xr ftp 1 , .Xr otp 1 , .Xr getusershell 3 , .Xr ftpusers 5 , .Xr syslogd 8 .Sh STANDARDS .Bl -tag -compact -width "RFC 1938" .It Cm RFC 959 FTP PROTOCOL SPECIFICATION .It Cm RFC 1938 OTP Specification .It Cm RFC 2228 FTP Security Extensions. .El .Sh BUGS The server must run as the super-user to create sockets with privileged port numbers. It maintains an effective user id of the logged in user, reverting to the super-user only when binding addresses to sockets. The possible security holes have been extensively scrutinized, but are possibly incomplete. .Sh HISTORY The .Nm command appeared in .Bx 4.2 . heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/ftpd.c000066400000000000000000001507171257755311500212410ustar00rootroot00000000000000/* * Copyright (c) 1985, 1988, 1990, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/
#define FTP_NAMES
#include "ftpd_locl.h"
#ifdef KRB5
/* NOTE(review): the header name after this #include is missing from this copy of the file. */
#include
#endif
#include "getarg.h"
RCSID("$Id$");

/* Server version string; main() sends it to the client in the 220 greeting. */
static char version[] = "Version 6.00";

extern off_t restart_point;	/* defined elsewhere; presumably the REST offset -- confirm */
extern char cbuf[];		/* command-line buffer filled by ftpd_getline() in the parser */

/*
 * Socket addresses for this session.  ctrl_addr and his_addr are filled in
 * by main() via getsockname()/getpeername() on stdin; data_source is derived
 * from ctrl_addr in main() (same family, control port minus one).
 * data_dest and pasv_addr are set by code outside this view.
 */
struct sockaddr_storage ctrl_addr_ss;
struct sockaddr *ctrl_addr = (struct sockaddr *)&ctrl_addr_ss;	/* local end of the control connection */
struct sockaddr_storage data_source_ss;
struct sockaddr *data_source = (struct sockaddr *)&data_source_ss;	/* derived from ctrl_addr in main() */
struct sockaddr_storage data_dest_ss;
struct sockaddr *data_dest = (struct sockaddr *)&data_dest_ss;	/* set outside this view */
struct sockaddr_storage his_addr_ss;
struct sockaddr *his_addr = (struct sockaddr *)&his_addr_ss;	/* peer (client) address of the control connection */
struct sockaddr_storage pasv_addr_ss;
struct sockaddr *pasv_addr = (struct sockaddr *)&pasv_addr_ss;	/* set outside this view */

int	data;		/* data-connection descriptor; main() initialises it to -1 */
int	logged_in;	/* non-zero once a user is logged in; checked by user() */
struct	passwd *pw;	/* account of the current or prospective user; set by user() */
int	debug = 0;	/* -d / -v: emit debugging information to syslog */
int	ftpd_timeout = 900;	/* timeout after 15 minutes of inactivity (-t) */
int	maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours (-T) */
int	restricted_data_ports = 1;	/* use high data ports; cleared by -U */
int	logging;	/* -l count; values > 1 also log file operations via the LOGCMD* macros */
int	guest;		/* anonymous login in progress; set by user(), makes curdir() drop the leading '/' */
int	dochroot;	/* session is chrooted; user() then refuses a change of user */
int	type;		/* transfer type; main() starts it at TYPE_A */
int	form;		/* main() starts it at FORM_N */
int	stru;		/* avoid C keyword; main() starts it at STRU_F */
int	mode;		/* main() starts it at MODE_S */
int	usedefault = 1;	/* for data transfers */
int	pdata = -1;	/* for passive mode */
int	allow_insecure_oob = 1;	/* accept insecure OOB ABOR/STAT; cleared by -I */

static int transflag;	/* NOTE(review): set and read by code outside this view */
static int urgflag;	/* NOTE(review): set and read by code outside this view */
off_t	file_size;
off_t	byte_count;
#if !defined(CMASK) || CMASK == 0
#undef CMASK
#define CMASK 027
#endif
int	defumask = CMASK;		/* default umask value; -u overrides it, and user() replaces it with guest_umask for guests */
int	guest_umask = 0777;	/* Paranoia for anonymous users; -g overrides it */

char	tmpline[10240];		/* cleared by main() at startup */
char	hostname[MaxHostNameLen];	/* filled by gethostname() in main(); used in the greeting */
char	remotehost[MaxHostNameLen];	/* client host name used in log lines; filled outside this view, presumably by dolog() */
static char ttyline[20];		/* "ftp<pid>", set in main() so it can be put in wtmp */
int	paranoid = 1;			/* NOTE(review): read by code outside this view */

/* Bits of auth_level, parsed from the -a argument by parse_auth_level(). */
#define AUTH_PLAIN	(1 << 0) /* allow sending passwords */
#define AUTH_OTP	(1 << 1) /* passwords are one-time */
#define AUTH_FTP	(1 << 2) /* allow anonymous login */

/*
 * Only allow kerberos login by default: while this is 0, user() rejects
 * every login that did not complete the security layer (sec_complete).
 */
static int auth_level = 0;

/*
 * Timeout intervals for retrying connections
 * to hosts that don't accept PORT cmds. This
 * is a kludge, but given the problems with TCP...
*/ #define SWAITMAX 90 /* wait at most 90 seconds */ #define SWAITINT 5 /* interval between retries */ int swaitmax = SWAITMAX; int swaitint = SWAITINT; #ifdef HAVE_SETPROCTITLE char proctitle[BUFSIZ]; /* initial part of title */ #endif /* HAVE_SETPROCTITLE */ #define LOGCMD(cmd, file) \ if (logging > 1) \ syslog(LOG_INFO,"%s %s%s", cmd, \ *(file) == '/' ? "" : curdir(), file); #define LOGCMD2(cmd, file1, file2) \ if (logging > 1) \ syslog(LOG_INFO,"%s %s%s %s%s", cmd, \ *(file1) == '/' ? "" : curdir(), file1, \ *(file2) == '/' ? "" : curdir(), file2); #define LOGBYTES(cmd, file, cnt) \ if (logging > 1) { \ if (cnt == (off_t)-1) \ syslog(LOG_INFO,"%s %s%s", cmd, \ *(file) == '/' ? "" : curdir(), file); \ else \ syslog(LOG_INFO, "%s %s%s = %ld bytes", \ cmd, (*(file) == '/') ? "" : curdir(), file, (long)cnt); \ } static void ack (char *); static void myoob (int); static int handleoobcmd(void); static int checkuser (char *, char *); static int checkaccess (char *); static FILE *dataconn (const char *, off_t, const char *); static void dolog (struct sockaddr *, int); static void end_login (void); static FILE *getdatasock (const char *, int); static char *gunique (char *); static RETSIGTYPE lostconn (int); static int receive_data (FILE *, FILE *); static void send_data (FILE *, FILE *); static struct passwd * sgetpwnam (char *); static char * curdir(void) { static char path[MaxPathLen+1]; /* path + '/' + '\0' */ if (getcwd(path, sizeof(path)-1) == NULL) return (""); if (path[1] != '\0') /* special case for root dir. */ strlcat(path, "/", sizeof(path)); /* For guest account, skip / since it's chrooted */ return (guest ? 
path+1 : path); } #ifndef LINE_MAX #define LINE_MAX 1024 #endif static int parse_auth_level(char *str) { char *p; int ret = 0; char *foo = NULL; for(p = strtok_r(str, ",", &foo); p; p = strtok_r(NULL, ",", &foo)) { if(strcmp(p, "user") == 0) ; #ifdef OTP else if(strcmp(p, "otp") == 0) ret |= AUTH_PLAIN|AUTH_OTP; #endif else if(strcmp(p, "ftp") == 0 || strcmp(p, "safe") == 0) ret |= AUTH_FTP; else if(strcmp(p, "plain") == 0) ret |= AUTH_PLAIN; else if(strcmp(p, "none") == 0) ret |= AUTH_PLAIN|AUTH_FTP; else warnx("bad value for -a: `%s'", p); } return ret; } /* * Print usage and die. */ static int interactive_flag; static char *guest_umask_string; static char *port_string; static char *umask_string; static char *auth_string; int use_builtin_ls = -1; static int help_flag; static int version_flag; static const char *good_chars = "+-=_,."; struct getargs args[] = { { NULL, 'a', arg_string, &auth_string, "required authentication", NULL }, { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket", NULL }, { NULL, 'p', arg_string, &port_string, "what port to listen to", NULL }, { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins", NULL }, { NULL, 'l', arg_counter, &logging, "log more stuff", "" }, { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout", NULL }, { NULL, 'T', arg_integer, &maxtimeout, "max timeout", NULL }, { NULL, 'u', arg_string, &umask_string, "umask for user logins", NULL }, { NULL, 'U', arg_negative_flag, &restricted_data_ports, "don't use high data ports", NULL }, { NULL, 'd', arg_flag, &debug, "enable debugging", NULL }, { NULL, 'v', arg_flag, &debug, "enable debugging", NULL }, { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files", NULL }, { "good-chars", 0, arg_string, &good_chars, "allowed anonymous upload filename chars", NULL }, { "insecure-oob", 'I', arg_negative_flag, &allow_insecure_oob, "don't allow insecure OOB ABOR/STAT", NULL }, #ifdef KRB5 { "gss-bindings", 0, arg_flag, 
&ftp_do_gss_bindings, "Require GSS-API bindings", NULL}, #endif { "version", 0, arg_flag, &version_flag, NULL, NULL }, { "help", 'h', arg_flag, &help_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); static void usage (int code) { arg_printusage(args, num_args, NULL, ""); exit (code); } /* output contents of a file */ static int show_file(const char *file, int code) { FILE *f; char buf[128]; f = fopen(file, "r"); if(f == NULL) return -1; while(fgets(buf, sizeof(buf), f)){ buf[strcspn(buf, "\r\n")] = '\0'; lreply(code, "%s", buf); } fclose(f); return 0; } int main(int argc, char **argv) { socklen_t his_addr_len, ctrl_addr_len; int on = 1; int port; struct servent *sp; int optind = 0; setprogname (argv[0]); if(getarg(args, num_args, argc, argv, &optind)) usage(1); if(help_flag) usage(0); if(version_flag) { print_version(NULL); exit(0); } if(auth_string) auth_level = parse_auth_level(auth_string); { char *p; long val = 0; if(guest_umask_string) { val = strtol(guest_umask_string, &p, 8); if (*p != '\0' || val < 0) warnx("bad value for -g"); else guest_umask = val; } if(umask_string) { val = strtol(umask_string, &p, 8); if (*p != '\0' || val < 0) warnx("bad value for -u"); else defumask = val; } } sp = getservbyname("ftp", "tcp"); if(sp) port = sp->s_port; else port = htons(21); if(port_string) { sp = getservbyname(port_string, "tcp"); if(sp) port = sp->s_port; else if(isdigit((unsigned char)port_string[0])) port = htons(atoi(port_string)); else warnx("bad value for -p"); } if (maxtimeout < ftpd_timeout) maxtimeout = ftpd_timeout; #if 0 if (ftpd_timeout > maxtimeout) ftpd_timeout = maxtimeout; #endif if(interactive_flag) mini_inetd(port, NULL); /* * LOG_NDELAY sets up the logging connection immediately, * necessary for anonymous ftp's that chroot and can't do it later. 
*/ openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP); his_addr_len = sizeof(his_addr_ss); if (getpeername(STDIN_FILENO, his_addr, &his_addr_len) < 0) { syslog(LOG_ERR, "getpeername (%s): %m",argv[0]); exit(1); } ctrl_addr_len = sizeof(ctrl_addr_ss); if (getsockname(STDIN_FILENO, ctrl_addr, &ctrl_addr_len) < 0) { syslog(LOG_ERR, "getsockname (%s): %m",argv[0]); exit(1); } #if defined(IP_TOS) if (ctrl_addr->sa_family == AF_INET) socket_set_tos(STDIN_FILENO, IP_TOS); #endif data_source->sa_family = ctrl_addr->sa_family; socket_set_port (data_source, htons(ntohs(socket_get_port(ctrl_addr)) - 1)); /* set this here so it can be put in wtmp */ snprintf(ttyline, sizeof(ttyline), "ftp%u", (unsigned)getpid()); /* freopen(_PATH_DEVNULL, "w", stderr); */ signal(SIGPIPE, lostconn); signal(SIGCHLD, SIG_IGN); #ifdef SIGURG if (signal(SIGURG, myoob) == SIG_ERR) syslog(LOG_ERR, "signal: %m"); #endif /* Try to handle urgent data inline */ #if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT) if (setsockopt(0, SOL_SOCKET, SO_OOBINLINE, (void *)&on, sizeof(on)) < 0) syslog(LOG_ERR, "setsockopt: %m"); #endif #ifdef F_SETOWN if (fcntl(fileno(stdin), F_SETOWN, getpid()) == -1) syslog(LOG_ERR, "fcntl F_SETOWN: %m"); #endif dolog(his_addr, his_addr_len); /* * Set up default state */ data = -1; type = TYPE_A; form = FORM_N; stru = STRU_F; mode = MODE_S; tmpline[0] = '\0'; /* If logins are disabled, print out the message. */ if(show_file(_PATH_NOLOGIN, 530) == 0) { reply(530, "System not available."); exit(0); } show_file(_PATH_FTPWELCOME, 220); /* reply(220,) must follow */ gethostname(hostname, sizeof(hostname)); reply(220, "%s FTP server (%s" #ifdef KRB5 "+%s" #endif ") ready.", hostname, version #ifdef KRB5 ,heimdal_version #endif ); for (;;) yyparse(); /* NOTREACHED */ } static RETSIGTYPE lostconn(int signo) { if (debug) syslog(LOG_DEBUG, "lost connection"); dologout(-1); } /* * Helper function for sgetpwnam(). 
*/
/*
 * Duplicate s into heap storage for the static passwd copy kept by
 * sgetpwnam().  Never returns NULL: on allocation failure it sends a
 * 421 reply and terminates the session through dologout(1).
 * NOTE(review): strdup(NULL) is undefined, so every passwd field handed
 * in is assumed to be non-NULL — confirm for pw_gecos/pw_shell on the
 * platforms this is built for.
 */
static char *
sgetsave(char *s)
{
    char *new = strdup(s);
    if (new == NULL) {
        perror_reply(421, "Local resource failure: malloc");
        dologout(1);
        /* NOTREACHED */
    }
    return new;
}

/*
 * Save the result of a getpwnam. Used for USER command, since
 * the data returned must not be clobbered by any other command
 * (e.g., globbing).
 *
 * The copy lives in a function-static `save` for the life of the
 * process; each call frees the previous copy first.  Whatever
 * k_getpwnam() put in pw_passwd is duplicated along with the rest and
 * is free()d without being wiped.  Returns NULL when k_getpwnam() does.
 */
static struct passwd *
sgetpwnam(char *name)
{
    static struct passwd save;
    struct passwd *p;

    if ((p = k_getpwnam(name)) == NULL)
        return (p);
    if (save.pw_name) {
        free(save.pw_name);
        free(save.pw_passwd);
        free(save.pw_gecos);
        free(save.pw_dir);
        free(save.pw_shell);
    }
    save = *p;
    save.pw_name = sgetsave(p->pw_name);
    save.pw_passwd = sgetsave(p->pw_passwd);
    save.pw_gecos = sgetsave(p->pw_gecos);
    save.pw_dir = sgetsave(p->pw_dir);
    save.pw_shell = sgetsave(p->pw_shell);
    return (&save);
}

static int login_attempts;	/* number of failed login attempts; incremented by pass(), cleared by do_login() */
static int askpasswd;		/* had user command, ask for passwd; only pass() clears it */
static char curname[10];	/* current USER name, truncated to 9 chars by strlcpy() below */

#ifdef OTP
OtpContext otp_ctx;
#endif

/*
 * USER command.
 * Sets global passwd pointer pw if named account exists and is acceptable;
 * sets askpasswd if a PASS command is expected. If logged in previously,
 * need to reset state. If name is "ftp" or "anonymous", the name is not in
 * _PATH_FTPUSERS, and ftp account exists, set guest and pw, then just return.
 * If account doesn't exist, ask for passwd anyway. Otherwise, check user
 * requesting login privileges. Disallow anyone who does not have a standard
 * shell as returned by getusershell(). Disallow anyone mentioned in the file
 * _PATH_FTPUSERS to allow people such as root and uucp to be avoided.
 *
 * NOTE(review): askpasswd and pw are not reset on entry.  A refused
 * anonymous USER therefore leaves whatever an earlier, unanswered USER
 * stored in them — confirm that this is the intended state machine.
 */
void
user(char *name)
{
    char *cp, *shell;

    /* Nothing at all is allowed unless some auth level is configured or a
       security mechanism has already completed on the control channel. */
    if(auth_level == 0 && !sec_complete){
        reply(530, "No login allowed without authorization.");
        return;
    }
    /* A guest or chrooted session may not change identity; any other
       logged-in user is logged out first (end_login() resets pw/guest/dochroot). */
    if (logged_in) {
        if (guest) {
            reply(530, "Can't change user from guest login.");
            return;
        } else if (dochroot) {
            reply(530, "Can't change user from chroot user.");
            return;
        }
        end_login();
    }
    guest = 0;
    if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
        /* Anonymous login needs AUTH_FTP enabled and neither "ftp" nor
           "anonymous" denied by _PATH_FTPUSERS (checkaccess()).  Note that
           a missing "ftp" account is reported differently (530 unknown)
           from a denied one. */
        if ((auth_level & AUTH_FTP) == 0 || checkaccess("ftp") || checkaccess("anonymous"))
            reply(530, "User %s access denied.", name);
        else if ((pw = sgetpwnam("ftp")) != NULL) {
            guest = 1;
            defumask = guest_umask;	/* paranoia for incoming */
            askpasswd = 1;
            reply(331, "Guest login ok, type your name as password.");
        } else
            reply(530, "User %s unknown.", name);
        if (!askpasswd && logging) {
            char data_addr[256];
            /* inet_ntop() failure degrades to a fixed marker rather than
               dropping the audit record. */
            if (inet_ntop (his_addr->sa_family, socket_get_address(his_addr), data_addr, sizeof(data_addr)) == NULL)
                strlcpy (data_addr, "unknown address", sizeof(data_addr));
            syslog(LOG_NOTICE, "ANONYMOUS FTP LOGIN REFUSED FROM %s(%s)", remotehost, data_addr);
        }
        return;
    }
    /* Plain USER/PASS for real accounts requires AUTH_PLAIN unless the
       control channel is already protected. */
    if((auth_level & AUTH_PLAIN) == 0 && !sec_complete){
        reply(530, "Only authorized and anonymous login allowed.");
        return;
    }
    if ((pw = sgetpwnam(name))) {
        /* The account must have a shell listed by getusershell() and must
           not be denied by _PATH_FTPUSERS.  On refusal pw is cleared so a
           following PASS cannot succeed.  An unknown account skips this
           block entirely and is still asked for a password below, so the
           331 reply does not reveal whether the account exists. */
        if ((shell = pw->pw_shell) == NULL || *shell == 0)
            shell = _PATH_BSHELL;
        while ((cp = getusershell()) != NULL)
            if (strcmp(cp, shell) == 0)
                break;
        endusershell();
        if (cp == NULL || checkaccess(name)) {
            reply(530, "User %s access denied.", name);
            if (logging) {
                char data_addr[256];
                if (inet_ntop (his_addr->sa_family, socket_get_address(his_addr), data_addr, sizeof(data_addr)) == NULL)
                    strlcpy (data_addr, "unknown address", sizeof(data_addr));
                syslog(LOG_NOTICE, "FTP LOGIN REFUSED FROM %s(%s), %s", remotehost, data_addr, name);
            }
            pw = (struct passwd *) NULL;
            return;
        }
    }
    /* curname is what pass() logs on failure; it holds at most 9 characters
       of the requested name, so longer names appear truncated in syslog. */
    if (logging)
        strlcpy(curname, name, sizeof(curname));
    if(sec_complete) {
        /* Control channel is protected: authorization comes from
           sec_userok() and no password is requested (232). */
        if(sec_userok(name) == 0) {
            do_login(232, name);
            sec_session(name);
        } else
            reply(530, "User %s access denied.", name);
    } else {
#ifdef OTP
        char ss[256];
        /* OTP challenge first; the challenge text is sent in the 331 reply. */
        if (otp_challenge(&otp_ctx, name, ss, sizeof(ss)) == 0) {
            reply(331, "Password %s for %s required.", ss, name);
            askpasswd = 1;
        } else
#endif
        if ((auth_level & AUTH_OTP) == 0) {
            reply(331, "Password required for %s.", name);
            askpasswd = 1;
        } else {
#ifdef OTP
            char *s;
            if ((s = otp_error (&otp_ctx)) != NULL)
                lreply(530, "OTP: %s", s);
#endif
            reply(530, "Only authorized, anonymous"
#ifdef OTP
                  " and OTP "
#endif
                  "login allowed.");
        }
    }
    /*
     * Delay before reading passwd after first failed
     * attempt to slow down passwd-guessing programs.
     * Linear back-off in seconds; login_attempts counts failures for the
     * whole session and pass() exits the session once it exceeds 5.
     */
    if (login_attempts)
        sleep(login_attempts);
}

/*
 * Check if a user is in the file "fname".
 *
 * Returns 1 when name appears alone on a line of fname, 0 otherwise or
 * when the file cannot be opened.  Only lines terminated by '\n' are
 * considered: a final line without a newline, or a line longer than
 * BUFSIZ-1, never matches.  The comparison is exact, so trailing
 * whitespace defeats it.  do_login() uses this for _PATH_FTPCHROOT, so
 * an entry that is skipped for either reason silently leaves that user
 * un-chrooted.
 */
static int
checkuser(char *fname, char *name)
{
    FILE *fd;
    int found = 0;
    char *p, line[BUFSIZ];

    if ((fd = fopen(fname, "r")) != NULL) {
        while (fgets(line, sizeof(line), fd) != NULL)
            if ((p = strchr(line, '\n')) != NULL) {
                *p = '\0';
                if (line[0] == '#')
                    continue;
                if (strcmp(line, name) == 0) {
                    found = 1;
                    break;
                }
            }
        fclose(fd);
    }
    return (found);
}

/*
 * Determine whether a user has access, based on information in
 * _PATH_FTPUSERS. The users are listed one per line, with `allow'
 * or `deny' after the username. If anything other than `allow', or
 * just nothing, is given after the username, `deny' is assumed.
 *
 * If the user is not found in the file, but the pseudo-user `*' is,
 * the permission is taken from that line.
 *
 * This preserves the old semantics where if a user was listed in the
 * file he was denied, otherwise he was allowed.
 *
 * Return 1 if the user is denied, or 0 if he is allowed.
*/
/*
 * Glob-match `string` against `pattern` (fnmatch with FNM_NOESCAPE, so a
 * backslash in an _PATH_FTPUSERS entry is literal).  Returns 0 on match,
 * which is why callers compare the result with 0.
 */
static int
match(const char *pattern, const char *string)
{
    return fnmatch(pattern, string, FNM_NOESCAPE);
}

/*
 * Look name up in _PATH_FTPUSERS and return 1 (denied) or 0 (allowed).
 *
 * Entries are glob patterns (see match()), consulted in file order; the
 * first matching line decides and anything but a literal "allow" as the
 * second word means deny.  If the file cannot be opened, everyone is
 * allowed — the check fails open, so a missing or unreadable file
 * removes the deny list entirely.
 */
static int
checkaccess(char *name)
{
#define ALLOWED		0
#define NOT_ALLOWED	1
    FILE *fd;
    int allowed = ALLOWED;
    char *user, *perm, line[BUFSIZ];
    char *foo;

    fd = fopen(_PATH_FTPUSERS, "r");

    if(fd == NULL)
        return allowed;

    while (fgets(line, sizeof(line), fd) != NULL)  {
        foo = NULL;
        user = strtok_r(line, " \t\n", &foo);
        if (user == NULL || user[0] == '#')
            continue;
        perm = strtok_r(NULL, " \t\n", &foo);
        if (match(user, name) == 0){
            if(perm && strcmp(perm, "allow") == 0)
                allowed = ALLOWED;
            else
                allowed = NOT_ALLOWED;
            break;
        }
    }
    fclose(fd);
    return allowed;
}
#undef	ALLOWED
#undef	NOT_ALLOWED

/*
 * Complete a login for the account in the global pw.
 *
 * code   - reply code used for the login message lines and final reply
 *          (230 from pass(), 232 from user() on a secured channel).
 * passwd - for guests, the "password" the client supplied (used only for
 *          setproctitle() and the syslog record, i.e. an untrusted client
 *          string ends up in the audit log and process list).
 *
 * Returns 0 on success, -1 after sending an error reply.
 *
 * Credential handling: only the *effective* gid/uid are switched
 * (setegid/seteuid); the real and saved uid stay 0, which getdatasock()
 * and pasv() depend on to seteuid(0) again for binding privileged ports.
 * The chroot() therefore confines file name resolution for this
 * identity but does not take root away from the process.
 * Note that initgroups() has no error check: a failure leaves the
 * supplementary groups of the parent in place.
 */
int
do_login(int code, char *passwd)
{
    login_attempts = 0;		/* this time successful */
    if (setegid((gid_t)pw->pw_gid) < 0) {
        reply(550, "Can't set gid.");
        return -1;
    }
    initgroups(pw->pw_name, pw->pw_gid);
#if defined(KRB5)
    if(k_hasafs())
        k_setpag();
#endif

    /* open wtmp before chroot */
    ftpd_logwtmp(ttyline, pw->pw_name, remotehost);
    logged_in = 1;

    /* Non-guest users are chrooted to their home only if listed in
       _PATH_FTPCHROOT (see checkuser() for lines it ignores). */
    dochroot = checkuser(_PATH_FTPCHROOT, pw->pw_name);
    if (guest) {
        /*
         * We MUST do a chdir() after the chroot. Otherwise
         * the old current directory will be accessible as "."
         * outside the new root!
         */
        if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
            reply(550, "Can't set guest privileges.");
            return -1;
        }
    } else if (dochroot) {
        if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
            reply(550, "Can't change root.");
            return -1;
        }
    } else if (chdir(pw->pw_dir) < 0) {
        /* Missing home is tolerated: fall back to "/" and tell the user. */
        if (chdir("/") < 0) {
            reply(530, "User %s: can't change directory to %s.",
                  pw->pw_name, pw->pw_dir);
            return -1;
        } else
            lreply(code, "No directory! Logging in with home=/");
    }
    if (seteuid((uid_t)pw->pw_uid) < 0) {
        reply(550, "Can't set uid.");
        return -1;
    }

    /* Decided once per process, and after the chroot, so "/bin/ls" is
       looked up inside the new root for chrooted users. */
    if(use_builtin_ls == -1) {
        struct stat st;
        /* if /bin/ls exist and is a regular file, use it, otherwise use built-in ls */
        if(stat("/bin/ls", &st) == 0 && S_ISREG(st.st_mode))
            use_builtin_ls = 0;
        else
            use_builtin_ls = 1;
    }

    /*
     * Display a login message, if it exists.
     * N.B. reply(code,) must follow the message.
     */
    show_file(_PATH_FTPLOGINMESG, code);
    if(show_file(_PATH_ISSUE_NET, code) != 0)
        show_file(_PATH_ISSUE, code);
    if (guest) {
        reply(code, "Guest login ok, access restrictions apply.");
#ifdef HAVE_SETPROCTITLE
        snprintf (proctitle, sizeof(proctitle), "%s: anonymous/%s", remotehost, passwd);
        setproctitle("%s", proctitle);
#endif /* HAVE_SETPROCTITLE */
        if (logging) {
            char data_addr[256];
            if (inet_ntop (his_addr->sa_family, socket_get_address(his_addr), data_addr, sizeof(data_addr)) == NULL)
                strlcpy (data_addr, "unknown address", sizeof(data_addr));
            syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s(%s), %s", remotehost, data_addr, passwd);
        }
    } else {
        reply(code, "User %s logged in.", pw->pw_name);
#ifdef HAVE_SETPROCTITLE
        snprintf(proctitle, sizeof(proctitle), "%s: %s", remotehost, pw->pw_name);
        setproctitle("%s", proctitle);
#endif /* HAVE_SETPROCTITLE */
        if (logging) {
            char data_addr[256];
            if (inet_ntop (his_addr->sa_family, socket_get_address(his_addr), data_addr, sizeof(data_addr)) == NULL)
                strlcpy (data_addr, "unknown address", sizeof(data_addr));
            syslog(LOG_INFO, "FTP LOGIN FROM %s(%s) as %s", remotehost, data_addr, pw->pw_name);
        }
    }
    /* defumask was switched to guest_umask by user() for anonymous logins. */
    umask(defumask);
    return 0;
}

/*
 * Terminate login as previous user, if any, resetting state;
 * used when USER command is given or login fails.
*/ static void end_login(void) { if (seteuid((uid_t)0) < 0) fatal("Failed to seteuid"); if (logged_in) ftpd_logwtmp(ttyline, "", ""); pw = NULL; logged_in = 0; guest = 0; dochroot = 0; } #ifdef KRB5 static int krb5_verify(struct passwd *pwd, char *passwd) { krb5_context context; krb5_ccache id; krb5_principal princ; krb5_error_code ret; ret = krb5_init_context(&context); if(ret) return ret; ret = krb5_parse_name(context, pwd->pw_name, &princ); if(ret){ krb5_free_context(context); return ret; } ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id); if(ret){ krb5_free_principal(context, princ); krb5_free_context(context); return ret; } ret = krb5_verify_user(context, princ, id, passwd, 1, NULL); krb5_free_principal(context, princ); if (k_hasafs()) { krb5_afslog_uid_home(context, id,NULL, NULL,pwd->pw_uid, pwd->pw_dir); } krb5_cc_destroy(context, id); krb5_free_context (context); if(ret) return ret; return 0; } #endif /* KRB5 */ void pass(char *passwd) { int rval; /* some clients insists on sending a password */ if (logged_in && askpasswd == 0){ reply(230, "Password not necessary"); return; } if (logged_in || askpasswd == 0) { reply(503, "Login with USER first."); return; } askpasswd = 0; rval = 1; if (!guest) { /* "ftp" is only account allowed no password */ if (pw == NULL) rval = 1; /* failure below */ #ifdef OTP else if (otp_verify_user (&otp_ctx, passwd) == 0) { rval = 0; } #endif else if((auth_level & AUTH_OTP) == 0) { #ifdef KRB5 rval = krb5_verify(pw, passwd); #endif if (rval) rval = unix_verify_user(pw->pw_name, passwd); } else { #ifdef OTP char *s; if ((s = otp_error(&otp_ctx)) != NULL) lreply(530, "OTP: %s", s); #endif } memset (passwd, 0, strlen(passwd)); /* * If rval == 1, the user failed the authentication * check above. If rval == 0, either Kerberos or * local authentication succeeded. 
*/ if (rval) { char data_addr[256]; if (inet_ntop (his_addr->sa_family, socket_get_address(his_addr), data_addr, sizeof(data_addr)) == NULL) strlcpy (data_addr, "unknown address", sizeof(data_addr)); reply(530, "Login incorrect."); if (logging) syslog(LOG_NOTICE, "FTP LOGIN FAILED FROM %s(%s), %s", remotehost, data_addr, curname); pw = NULL; if (login_attempts++ >= 5) { syslog(LOG_NOTICE, "repeated login failures from %s(%s)", remotehost, data_addr); exit(0); } return; } } if(!do_login(230, passwd)) return; /* Forget all about it... */ end_login(); } void retrieve(const char *cmd, char *name) { FILE *fin = NULL, *dout; struct stat st; int (*closefunc) (FILE *); char line[BUFSIZ]; if (cmd == 0) { fin = fopen(name, "r"); closefunc = fclose; st.st_size = 0; if(fin == NULL){ int save_errno = errno; struct cmds { const char *ext; const char *cmd; const char *rev_cmd; } cmds[] = { {".tar", "/bin/gtar cPf - %s", NULL}, {".tar.gz", "/bin/gtar zcPf - %s", NULL}, {".tar.Z", "/bin/gtar ZcPf - %s", NULL}, {".gz", "/bin/gzip -c -- %s", "/bin/gzip -c -d -- %s"}, {".Z", "/bin/compress -c -- %s", "/bin/uncompress -c -- %s"}, {NULL, NULL, NULL} }; struct cmds *p; for(p = cmds; p->ext; p++){ char *tail = name + strlen(name) - strlen(p->ext); char c = *tail; if(strcmp(tail, p->ext) == 0 && (*tail = 0) == 0 && access(name, R_OK) == 0){ snprintf (line, sizeof(line), p->cmd, name); *tail = c; break; } *tail = c; if (p->rev_cmd != NULL) { char *ext; int ret; ret = asprintf(&ext, "%s%s", name, p->ext); if (ret != -1) { if (access(ext, R_OK) == 0) { snprintf (line, sizeof(line), p->rev_cmd, ext); free(ext); break; } free(ext); } } } if(p->ext){ fin = ftpd_popen(line, "r", 0, 0); closefunc = ftpd_pclose; st.st_size = -1; cmd = line; } else errno = save_errno; } } else { snprintf(line, sizeof(line), cmd, name); name = line; fin = ftpd_popen(line, "r", 1, 0); closefunc = ftpd_pclose; st.st_size = -1; } if (fin == NULL) { if (errno != 0) { perror_reply(550, name); if (cmd == 0) { LOGCMD("get", 
name); } } return; } byte_count = -1; if (cmd == 0){ if(fstat(fileno(fin), &st) < 0 || !S_ISREG(st.st_mode)) { reply(550, "%s: not a plain file.", name); goto done; } } if (restart_point) { if (type == TYPE_A) { off_t i, n; int c; n = restart_point; i = 0; while (i++ < n) { if ((c=getc(fin)) == EOF) { perror_reply(550, name); goto done; } if (c == '\n') i++; } } else if (lseek(fileno(fin), restart_point, SEEK_SET) < 0) { perror_reply(550, name); goto done; } } dout = dataconn(name, st.st_size, "w"); if (dout == NULL) goto done; set_buffer_size(fileno(dout), 0); send_data(fin, dout); fclose(dout); data = -1; pdata = -1; done: if (cmd == 0) LOGBYTES("get", name, byte_count); (*closefunc)(fin); } /* filename sanity check */ int filename_check(char *filename) { char *p; p = strrchr(filename, '/'); if(p) filename = p + 1; p = filename; if(isalnum((unsigned char)*p)){ p++; while(*p && (isalnum((unsigned char)*p) || strchr(good_chars, (unsigned char)*p))) p++; if(*p == '\0') return 0; } lreply(553, "\"%s\" is not an acceptable filename.", filename); lreply(553, "The filename must start with an alphanumeric " "character and must only"); reply(553, "consist of alphanumeric characters or any of the following: %s", good_chars); return 1; } void do_store(char *name, char *mode, int unique) { FILE *fout, *din; struct stat st; int (*closefunc) (FILE *); if(guest && filename_check(name)) return; if (unique) { char *uname; if (stat(name, &st) == 0) { if ((uname = gunique(name)) == NULL) return; name = uname; } LOGCMD(*mode == 'w' ? "put" : "append", name); } if (restart_point) mode = "r+"; fout = fopen(name, mode); closefunc = fclose; if (fout == NULL) { perror_reply(553, name); LOGCMD(*mode == 'w' ? 
"put" : "append", name); return; } byte_count = -1; if (restart_point) { if (type == TYPE_A) { off_t i, n; int c; n = restart_point; i = 0; while (i++ < n) { if ((c=getc(fout)) == EOF) { perror_reply(550, name); goto done; } if (c == '\n') i++; } /* * We must do this seek to "current" position * because we are changing from reading to * writing. */ if (fseek(fout, 0L, SEEK_CUR) < 0) { perror_reply(550, name); goto done; } } else if (lseek(fileno(fout), restart_point, SEEK_SET) < 0) { perror_reply(550, name); goto done; } } din = dataconn(name, (off_t)-1, "r"); if (din == NULL) goto done; set_buffer_size(fileno(din), 1); if (receive_data(din, fout) == 0) { if((*closefunc)(fout) < 0) perror_reply(552, name); else { if (unique) reply(226, "Transfer complete (unique file name:%s).", name); else reply(226, "Transfer complete."); } } else (*closefunc)(fout); fclose(din); data = -1; pdata = -1; done: LOGBYTES(*mode == 'w' ? "put" : "append", name, byte_count); } static FILE * getdatasock(const char *mode, int domain) { int s, t, tries; if (data >= 0) return (fdopen(data, mode)); if (seteuid(0) < 0) fatal("Failed to seteuid"); s = socket(domain, SOCK_STREAM, 0); if (s < 0) goto bad; socket_set_reuseaddr (s, 1); /* anchor socket to avoid multi-homing problems */ socket_set_address_and_port (data_source, socket_get_address (ctrl_addr), socket_get_port (data_source)); for (tries = 1; ; tries++) { if (bind(s, data_source, socket_sockaddr_size (data_source)) >= 0) break; if (errno != EADDRINUSE || tries > 10) goto bad; sleep(tries); } if (seteuid(pw->pw_uid) < 0) fatal("Failed to seteuid"); #ifdef IPTOS_THROUGHPUT socket_set_tos (s, IPTOS_THROUGHPUT); #endif return (fdopen(s, mode)); bad: /* Return the real value of errno (close may change it) */ t = errno; if (seteuid((uid_t)pw->pw_uid) < 0) fatal("Failed to seteuid"); close(s); errno = t; return (NULL); } static int accept_with_timeout(int socket, struct sockaddr *address, socklen_t *address_len, struct timeval *timeout) { 
int ret; fd_set rfd; FD_ZERO(&rfd); FD_SET(socket, &rfd); ret = select(socket + 1, &rfd, NULL, NULL, timeout); if(ret < 0) return ret; if(ret == 0) { errno = ETIMEDOUT; return -1; } return accept(socket, address, address_len); } static FILE * dataconn(const char *name, off_t size, const char *mode) { char sizebuf[32]; FILE *file; int domain, retry = 0; file_size = size; byte_count = 0; if (size >= 0) snprintf(sizebuf, sizeof(sizebuf), " (%ld bytes)", (long)size); else *sizebuf = '\0'; if (pdata >= 0) { struct sockaddr_storage from_ss; struct sockaddr *from = (struct sockaddr *)&from_ss; struct timeval timeout; int s; socklen_t fromlen = sizeof(from_ss); timeout.tv_sec = 15; timeout.tv_usec = 0; s = accept_with_timeout(pdata, from, &fromlen, &timeout); if (s < 0) { reply(425, "Can't open data connection."); close(pdata); pdata = -1; return (NULL); } close(pdata); pdata = s; #if defined(IPTOS_THROUGHPUT) if (from_ss.ss_family == AF_INET) socket_set_tos(s, IPTOS_THROUGHPUT); #endif reply(150, "Opening %s mode data connection for '%s'%s.", type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf); return (fdopen(pdata, mode)); } if (data >= 0) { reply(125, "Using existing data connection for '%s'%s.", name, sizebuf); usedefault = 1; return (fdopen(data, mode)); } if (usedefault) data_dest = his_addr; usedefault = 1; /* * Default to using the same socket type as the ctrl address, * unless we know the type of the data address. 
*/ domain = data_dest->sa_family; if (domain == PF_UNSPEC) domain = ctrl_addr->sa_family; file = getdatasock(mode, domain); if (file == NULL) { char data_addr[256]; if (inet_ntop (data_source->sa_family, socket_get_address(data_source), data_addr, sizeof(data_addr)) == NULL) strlcpy (data_addr, "unknown address", sizeof(data_addr)); reply(425, "Can't create data socket (%s,%d): %s.", data_addr, socket_get_port (data_source), strerror(errno)); return (NULL); } data = fileno(file); while (connect(data, data_dest, socket_sockaddr_size(data_dest)) < 0) { if (errno == EADDRINUSE && retry < swaitmax) { sleep(swaitint); retry += swaitint; continue; } perror_reply(425, "Can't build data connection"); fclose(file); data = -1; return (NULL); } reply(150, "Opening %s mode data connection for '%s'%s.", type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf); return (file); } /* * Tranfer the contents of "instr" to "outstr" peer using the appropriate * encapsulation of the data subject * to Mode, Structure, and Type. * * NB: Form isn't handled. */ static void send_data(FILE *instr, FILE *outstr) { int c, cnt, filefd, netfd; static char *buf; static size_t bufsize; transflag = 1; switch (type) { case TYPE_A: while ((c = getc(instr)) != EOF) { if (urgflag && handleoobcmd()) return; byte_count++; if(c == '\n') sec_putc('\r', outstr); sec_putc(c, outstr); } sec_fflush(outstr); transflag = 0; urgflag = 0; if (ferror(instr)) goto file_err; if (ferror(outstr)) goto data_err; reply(226, "Transfer complete."); return; case TYPE_I: case TYPE_L: #if 0 /* XXX handle urg flag */ #if defined(HAVE_MMAP) && !defined(NO_MMAP) #ifndef MAP_FAILED #define MAP_FAILED (-1) #endif { struct stat st; char *chunk; int in = fileno(instr); if(fstat(in, &st) == 0 && S_ISREG(st.st_mode) && st.st_size > 0) { /* * mmap zero bytes has potential of loosing, don't do it. 
*/ chunk = mmap(0, st.st_size, PROT_READ, MAP_SHARED, in, 0); if((void *)chunk != (void *)MAP_FAILED) { cnt = st.st_size - restart_point; sec_write(fileno(outstr), chunk + restart_point, cnt); if (munmap(chunk, st.st_size) < 0) warn ("munmap"); sec_fflush(outstr); byte_count = cnt; transflag = 0; urgflag = 0; } } } #endif #endif if(transflag) { struct stat st; netfd = fileno(outstr); filefd = fileno(instr); buf = alloc_buffer (buf, &bufsize, fstat(filefd, &st) >= 0 ? &st : NULL); if (buf == NULL) { transflag = 0; urgflag = 0; perror_reply(451, "Local resource failure: malloc"); return; } while ((cnt = read(filefd, buf, bufsize)) > 0 && sec_write(netfd, buf, cnt) == cnt) { byte_count += cnt; if (urgflag && handleoobcmd()) return; } sec_fflush(outstr); /* to end an encrypted stream */ transflag = 0; urgflag = 0; if (cnt != 0) { if (cnt < 0) goto file_err; goto data_err; } } reply(226, "Transfer complete."); return; default: transflag = 0; urgflag = 0; reply(550, "Unimplemented TYPE %d in send_data", type); return; } data_err: transflag = 0; urgflag = 0; perror_reply(426, "Data connection"); return; file_err: transflag = 0; urgflag = 0; perror_reply(551, "Error on input file"); } /* * Transfer data from peer to "outstr" using the appropriate encapulation of * the data subject to Mode, Structure, and Type. * * N.B.: Form isn't handled. */ static int receive_data(FILE *instr, FILE *outstr) { int cnt, bare_lfs = 0; static char *buf; static size_t bufsize; struct stat st; transflag = 1; buf = alloc_buffer (buf, &bufsize, fstat(fileno(outstr), &st) >= 0 ? 
&st : NULL); if (buf == NULL) { transflag = 0; urgflag = 0; perror_reply(451, "Local resource failure: malloc"); return -1; } switch (type) { case TYPE_I: case TYPE_L: while ((cnt = sec_read(fileno(instr), buf, bufsize)) > 0) { if (write(fileno(outstr), buf, cnt) != cnt) goto file_err; byte_count += cnt; if (urgflag && handleoobcmd()) return (-1); } if (cnt < 0) goto data_err; transflag = 0; urgflag = 0; return (0); case TYPE_E: reply(553, "TYPE E not implemented."); transflag = 0; urgflag = 0; return (-1); case TYPE_A: { char *p, *q; int cr_flag = 0; while ((cnt = sec_read(fileno(instr), buf + cr_flag, bufsize - cr_flag)) > 0){ if (urgflag && handleoobcmd()) return (-1); byte_count += cnt; cnt += cr_flag; cr_flag = 0; for(p = buf, q = buf; p < buf + cnt;) { if(*p == '\n') bare_lfs++; if(*p == '\r') { if(p == buf + cnt - 1){ cr_flag = 1; p++; continue; }else if(p[1] == '\n'){ *q++ = '\n'; p += 2; continue; } } *q++ = *p++; } fwrite(buf, q - buf, 1, outstr); if(cr_flag) buf[0] = '\r'; } if(cr_flag) putc('\r', outstr); fflush(outstr); if (ferror(instr)) goto data_err; if (ferror(outstr)) goto file_err; transflag = 0; urgflag = 0; if (bare_lfs) { lreply(226, "WARNING! 
%d bare linefeeds received in ASCII mode\r\n" " File may not have transferred correctly.\r\n", bare_lfs); } return (0); } default: reply(550, "Unimplemented TYPE %d in receive_data", type); transflag = 0; urgflag = 0; return (-1); } data_err: transflag = 0; urgflag = 0; perror_reply(426, "Data Connection"); return (-1); file_err: transflag = 0; urgflag = 0; perror_reply(452, "Error writing file"); return (-1); } void statfilecmd(char *filename) { FILE *fin; int c; char line[LINE_MAX]; snprintf(line, sizeof(line), "/bin/ls -la -- %s", filename); fin = ftpd_popen(line, "r", 1, 0); lreply(211, "status of %s:", filename); while ((c = getc(fin)) != EOF) { if (c == '\n') { if (ferror(stdout)){ perror_reply(421, "control connection"); ftpd_pclose(fin); dologout(1); /* NOTREACHED */ } if (ferror(fin)) { perror_reply(551, filename); ftpd_pclose(fin); return; } putc('\r', stdout); } putc(c, stdout); } ftpd_pclose(fin); reply(211, "End of Status"); } void statcmd(void) { #if 0 struct sockaddr_in *sin; u_char *a, *p; lreply(211, "%s FTP server (%s) status:", hostname, version); printf(" %s\r\n", version); printf(" Connected to %s", remotehost); if (!isdigit((unsigned char)remotehost[0])) printf(" (%s)", inet_ntoa(his_addr.sin_addr)); printf("\r\n"); if (logged_in) { if (guest) printf(" Logged in anonymously\r\n"); else printf(" Logged in as %s\r\n", pw->pw_name); } else if (askpasswd) printf(" Waiting for password\r\n"); else printf(" Waiting for user name\r\n"); printf(" TYPE: %s", typenames[type]); if (type == TYPE_A || type == TYPE_E) printf(", FORM: %s", formnames[form]); if (type == TYPE_L) #if NBBY == 8 printf(" %d", NBBY); #else printf(" %d", bytesize); /* need definition! 
*/ #endif printf("; STRUcture: %s; transfer MODE: %s\r\n", strunames[stru], modenames[mode]); if (data != -1) printf(" Data connection open\r\n"); else if (pdata != -1) { printf(" in Passive mode"); sin = &pasv_addr; goto printaddr; } else if (usedefault == 0) { printf(" PORT"); sin = &data_dest; printaddr: a = (u_char *) &sin->sin_addr; p = (u_char *) &sin->sin_port; #define UC(b) (((int) b) & 0xff) printf(" (%d,%d,%d,%d,%d,%d)\r\n", UC(a[0]), UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1])); #undef UC } else printf(" No data connection\r\n"); #endif reply(211, "End of status"); } void fatal(char *s) { reply(451, "Error in server: %s\n", s); reply(221, "Closing connection due to server error."); dologout(0); /* NOTREACHED */ } static void int_reply(int, char *, const char *, va_list) #ifdef __GNUC__ __attribute__ ((format (printf, 3, 0))) #endif ; static void int_reply(int n, char *c, const char *fmt, va_list ap) { char buf[10240]; char *p; p=buf; if(n){ snprintf(p, sizeof(buf), "%d%s", n, c); p+=strlen(p); } vsnprintf(p, sizeof(buf) - strlen(p), fmt, ap); p+=strlen(p); snprintf(p, sizeof(buf) - strlen(p), "\r\n"); p+=strlen(p); sec_fprintf(stdout, "%s", buf); fflush(stdout); if (debug) syslog(LOG_DEBUG, "<--- %s- ", buf); } void reply(int n, const char *fmt, ...) { va_list ap; va_start(ap, fmt); int_reply(n, " ", fmt, ap); delete_ftp_command(); va_end(ap); } void lreply(int n, const char *fmt, ...) { va_list ap; va_start(ap, fmt); int_reply(n, "-", fmt, ap); va_end(ap); } void nreply(const char *fmt, ...) 
{ va_list ap; va_start(ap, fmt); int_reply(0, NULL, fmt, ap); va_end(ap); } static void ack(char *s) { reply(250, "%s command successful.", s); } void nack(char *s) { reply(502, "%s command not implemented.", s); } void do_delete(char *name) { struct stat st; LOGCMD("delete", name); if (stat(name, &st) < 0) { perror_reply(550, name); return; } if (S_ISDIR(st.st_mode)) { if (rmdir(name) < 0) { perror_reply(550, name); return; } goto done; } if (unlink(name) < 0) { perror_reply(550, name); return; } done: ack("DELE"); } void cwd(const char *path) { if (chdir(path) < 0) perror_reply(550, path); else ack("CWD"); } void makedir(char *name) { LOGCMD("mkdir", name); if(guest && filename_check(name)) return; if (mkdir(name, 0777) < 0) perror_reply(550, name); else{ if(guest) chmod(name, 0700); /* guest has umask 777 */ reply(257, "MKD command successful."); } } void removedir(char *name) { LOGCMD("rmdir", name); if (rmdir(name) < 0) perror_reply(550, name); else ack("RMD"); } void pwd(void) { char path[MaxPathLen]; char *ret; /* SunOS has a broken getcwd that does popen(pwd) (!!!), this * failes miserably when running chroot */ ret = getcwd(path, sizeof(path)); if (ret == NULL) reply(550, "%s.", strerror(errno)); else reply(257, "\"%s\" is current directory.", path); } char * renamefrom(char *name) { struct stat st; if (stat(name, &st) < 0) { perror_reply(550, name); return NULL; } reply(350, "File exists, ready for destination name"); return (name); } void renamecmd(char *from, char *to) { LOGCMD2("rename", from, to); if(guest && filename_check(to)) return; if (rename(from, to) < 0) perror_reply(550, "rename"); else ack("RNTO"); } static void dolog(struct sockaddr *sa, int len) { getnameinfo_verified (sa, len, remotehost, sizeof(remotehost), NULL, 0, 0); #ifdef HAVE_SETPROCTITLE snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost); setproctitle("%s", proctitle); #endif /* HAVE_SETPROCTITLE */ if (logging) { char data_addr[256]; if (inet_ntop 
(his_addr->sa_family, socket_get_address(his_addr), data_addr, sizeof(data_addr)) == NULL) strlcpy (data_addr, "unknown address", sizeof(data_addr)); syslog(LOG_INFO, "connection from %s(%s)", remotehost, data_addr); } } /* * Record logout in wtmp file * and exit with supplied status. */ void dologout(int status) { transflag = 0; urgflag = 0; if (logged_in) { #if KRB5 cond_kdestroy(); #endif seteuid((uid_t)0); /* No need to check, we call exit() below */ ftpd_logwtmp(ttyline, "", ""); } /* beware of flushing buffers after a SIGPIPE */ #ifdef XXX exit(status); #else _exit(status); #endif } void abor(void) { if (!transflag) return; reply(426, "Transfer aborted. Data connection closed."); reply(226, "Abort successful"); transflag = 0; } static void myoob(int signo) { urgflag = 1; } static char * mec_space(char *p) { while(isspace(*(unsigned char *)p)) p++; return p; } static int handleoobcmd(void) { char *cp; /* only process if transfer occurring */ if (!transflag) return 0; urgflag = 0; cp = tmpline; if (ftpd_getline(cp, sizeof(tmpline)) == NULL) { reply(221, "You could at least say goodbye."); dologout(0); } if (strncasecmp("MIC", cp, 3) == 0) { mec(mec_space(cp + 3), prot_safe); } else if (strncasecmp("CONF", cp, 4) == 0) { mec(mec_space(cp + 4), prot_confidential); } else if (strncasecmp("ENC", cp, 3) == 0) { mec(mec_space(cp + 3), prot_private); } else if (!allow_insecure_oob) { reply(533, "Command protection level denied " "for paranoid reasons."); goto out; } if (secure_command()) cp = ftp_command; if (strcasecmp(cp, "ABOR\r\n") == 0) { abor(); } else if (strcasecmp(cp, "STAT\r\n") == 0) { if (file_size != (off_t) -1) reply(213, "Status: %ld of %ld bytes transferred", (long)byte_count, (long)file_size); else reply(213, "Status: %ld bytes transferred", (long)byte_count); } out: return (transflag == 0); } /* * Note: a response of 425 is not mentioned as a possible response to * the PASV command in RFC959. 
However, it has been blessed as * a legitimate response by Jon Postel in a telephone conversation * with Rick Adams on 25 Jan 89. */ void pasv(void) { socklen_t len; char *p, *a; struct sockaddr_in *sin; if (ctrl_addr->sa_family != AF_INET) { reply(425, "You cannot do PASV with something that's not IPv4"); return; } if(pdata != -1) close(pdata); pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0); if (pdata < 0) { perror_reply(425, "Can't open passive connection"); return; } pasv_addr->sa_family = ctrl_addr->sa_family; socket_set_address_and_port (pasv_addr, socket_get_address (ctrl_addr), 0); socket_set_portrange(pdata, restricted_data_ports, pasv_addr->sa_family); if (seteuid(0) < 0) fatal("Failed to seteuid"); if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) { if (seteuid(pw->pw_uid) < 0) fatal("Failed to seteuid"); goto pasv_error; } if (seteuid(pw->pw_uid) < 0) fatal("Failed to seteuid"); len = sizeof(pasv_addr_ss); if (getsockname(pdata, pasv_addr, &len) < 0) goto pasv_error; if (listen(pdata, 1) < 0) goto pasv_error; sin = (struct sockaddr_in *)pasv_addr; a = (char *) &sin->sin_addr; p = (char *) &sin->sin_port; #define UC(b) (((int) b) & 0xff) reply(227, "Entering Passive Mode (%d,%d,%d,%d,%d,%d)", UC(a[0]), UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1])); return; pasv_error: close(pdata); pdata = -1; perror_reply(425, "Can't open passive connection"); return; } void epsv(char *proto) { socklen_t len; pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0); if (pdata < 0) { perror_reply(425, "Can't open passive connection"); return; } pasv_addr->sa_family = ctrl_addr->sa_family; socket_set_address_and_port (pasv_addr, socket_get_address (ctrl_addr), 0); socket_set_portrange(pdata, restricted_data_ports, pasv_addr->sa_family); if (seteuid(0) < 0) fatal("Failed to seteuid"); if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) { if (seteuid(pw->pw_uid)) fatal("Failed to seteuid"); goto pasv_error; } if (seteuid(pw->pw_uid) < 0) 
fatal("Failed to seteuid"); len = sizeof(pasv_addr_ss); if (getsockname(pdata, pasv_addr, &len) < 0) goto pasv_error; if (listen(pdata, 1) < 0) goto pasv_error; reply(229, "Entering Extended Passive Mode (|||%d|)", ntohs(socket_get_port (pasv_addr))); return; pasv_error: close(pdata); pdata = -1; perror_reply(425, "Can't open passive connection"); return; } void eprt(char *str) { char *end; char sep; int af; int ret; int port; usedefault = 0; if (pdata >= 0) { close(pdata); pdata = -1; } sep = *str++; if (sep == '\0') { reply(500, "Bad syntax in EPRT"); return; } af = strtol (str, &end, 0); if (af == 0 || *end != sep) { reply(500, "Bad syntax in EPRT"); return; } str = end + 1; switch (af) { #ifdef HAVE_IPV6 case 2 : data_dest->sa_family = AF_INET6; break; #endif case 1 : data_dest->sa_family = AF_INET; break; default : reply(522, "Network protocol %d not supported, use (1" #ifdef HAVE_IPV6 ",2" #endif ")", af); return; } end = strchr (str, sep); if (end == NULL) { reply(500, "Bad syntax in EPRT"); return; } *end = '\0'; ret = inet_pton (data_dest->sa_family, str, socket_get_address (data_dest)); if (ret != 1) { reply(500, "Bad address syntax in EPRT"); return; } str = end + 1; port = strtol (str, &end, 0); if (port == 0 || *end != sep) { reply(500, "Bad port syntax in EPRT"); return; } if (port < IPPORT_RESERVED) { reply(500, "Bad port in invalid range in EPRT"); return; } socket_set_port (data_dest, htons(port)); if (paranoid && (data_dest->sa_family != his_addr->sa_family || memcmp(socket_get_address(data_dest), socket_get_address(his_addr), socket_sockaddr_size(data_dest)) != 0)) { reply(500, "Bad address in EPRT"); } reply(200, "EPRT command successful."); } /* * Generate unique name for file with basename "local". * The file named "local" is already known to exist. * Generates failure reply on error. 
*/ static char * gunique(char *local) { static char new[MaxPathLen]; struct stat st; int count; char *cp; cp = strrchr(local, '/'); if (cp) *cp = '\0'; if (stat(cp ? local : ".", &st) < 0) { perror_reply(553, cp ? local : "."); return NULL; } if (cp) *cp = '/'; for (count = 1; count < 100; count++) { snprintf (new, sizeof(new), "%s.%d", local, count); if (stat(new, &st) < 0) return (new); } reply(452, "Unique file name cannot be created."); return (NULL); } /* * Format and send reply containing system error number. */ void perror_reply(int code, const char *string) { reply(code, "%s: %s.", string, strerror(errno)); } static char *onefile[] = { "", 0 }; void list_file(char *file) { if(use_builtin_ls) { FILE *dout; dout = dataconn(file, -1, "w"); if (dout == NULL) return; set_buffer_size(fileno(dout), 0); if(builtin_ls(dout, file) == 0) reply(226, "Transfer complete."); else reply(451, "Requested action aborted. Local error in processing."); fclose(dout); data = -1; pdata = -1; } else { #ifdef HAVE_LS_A const char *cmd = "/bin/ls -lA %s"; #else const char *cmd = "/bin/ls -la %s"; #endif retrieve(cmd, file); } } void send_file_list(char *whichf) { struct stat st; DIR *dirp = NULL; struct dirent *dir; FILE *dout = NULL; char **dirlist, *dirname; int simple = 0; int freeglob = 0; glob_t gl; char buf[MaxPathLen]; if (strpbrk(whichf, "~{[*?") != NULL) { int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE| #ifdef GLOB_MAXPATH GLOB_MAXPATH #else GLOB_LIMIT #endif ; memset(&gl, 0, sizeof(gl)); freeglob = 1; if (glob(whichf, flags, 0, &gl)) { reply(550, "not found"); goto out; } else if (gl.gl_pathc == 0) { errno = ENOENT; perror_reply(550, whichf); goto out; } dirlist = gl.gl_pathv; } else { onefile[0] = whichf; dirlist = onefile; simple = 1; } while ((dirname = *dirlist++)) { if (urgflag && handleoobcmd()) goto out; if (stat(dirname, &st) < 0) { /* * If user typed "ls -l", etc, and the client * used NLST, do what the user meant. 
*/ if (dirname[0] == '-' && *dirlist == NULL && transflag == 0) { list_file(dirname); goto out; } perror_reply(550, whichf); goto out; } if (S_ISREG(st.st_mode)) { if (dout == NULL) { dout = dataconn("file list", (off_t)-1, "w"); if (dout == NULL) goto out; transflag = 1; } snprintf(buf, sizeof(buf), "%s%s\n", dirname, type == TYPE_A ? "\r" : ""); sec_write(fileno(dout), buf, strlen(buf)); byte_count += strlen(dirname) + 1; continue; } else if (!S_ISDIR(st.st_mode)) continue; if ((dirp = opendir(dirname)) == NULL) continue; while ((dir = readdir(dirp)) != NULL) { char nbuf[MaxPathLen]; if (urgflag && handleoobcmd()) goto out; if (!strcmp(dir->d_name, ".")) continue; if (!strcmp(dir->d_name, "..")) continue; snprintf(nbuf, sizeof(nbuf), "%s/%s", dirname, dir->d_name); /* * We have to do a stat to insure it's * not a directory or special file. */ if (simple || (stat(nbuf, &st) == 0 && S_ISREG(st.st_mode))) { if (dout == NULL) { dout = dataconn("file list", (off_t)-1, "w"); if (dout == NULL) goto out; transflag = 1; } if(strncmp(nbuf, "./", 2) == 0) snprintf(buf, sizeof(buf), "%s%s\n", nbuf +2, type == TYPE_A ? "\r" : ""); else snprintf(buf, sizeof(buf), "%s%s\n", nbuf, type == TYPE_A ? 
"\r" : ""); sec_write(fileno(dout), buf, strlen(buf)); byte_count += strlen(nbuf) + 1; } } closedir(dirp); } if (dout == NULL) reply(550, "No files found."); else if (ferror(dout) != 0) perror_reply(550, "Data connection"); else reply(226, "Transfer complete."); out: transflag = 0; if (dout != NULL){ sec_write(fileno(dout), buf, 0); /* XXX flush */ fclose(dout); } data = -1; pdata = -1; if (freeglob) globfree(&gl); } int find(char *pattern) { char line[1024]; FILE *f; snprintf(line, sizeof(line), "/bin/locate -d %s -- %s", ftp_rooted("/etc/locatedb"), pattern); f = ftpd_popen(line, "r", 1, 1); if(f == NULL){ perror_reply(550, "/bin/locate"); return 1; } lreply(200, "Output from find."); while(fgets(line, sizeof(line), f)){ if(line[strlen(line)-1] == '\n') line[strlen(line)-1] = 0; nreply("%s", line); } reply(200, "Done"); ftpd_pclose(f); return 0; } heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/ftpd_locl.h000066400000000000000000000073451257755311500222550ustar00rootroot00000000000000/* * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
* * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ #ifndef __ftpd_locl_h__ #define __ftpd_locl_h__ #ifdef HAVE_CONFIG_H #include #endif /* * FTP server. */ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_PARAM_H #include #endif #ifdef HAVE_SYS_STAT_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #if defined(HAVE_SYS_IOCTL_H) && SunOS != 40 #include #endif #ifdef HAVE_SYS_IOCCOM_H #include #endif #ifdef TIME_WITH_SYS_TIME #include #include #elif defined(HAVE_SYS_TIME_H) #include #else #include #endif #ifdef HAVE_SYS_RESOURCE_H #include #endif #ifdef HAVE_SYS_WAIT_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_NETINET_IN_SYSTM_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif #ifdef HAVE_SYS_MMAN_H #include #endif #include #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_ARPA_TELNET_H #include #endif #include #ifdef HAVE_DIRENT_H #include #endif #include #ifdef HAVE_FCNTL_H #include #endif #include #include #ifdef HAVE_PWD_H #include #endif #include #include #include #include #include #ifdef HAVE_SYSLOG_H #include #endif #include #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_GRP_H #include #endif #include #ifdef HAVE_BSD_BSD_H #include #endif #include #include "roken.h" #include "pathnames.h" 
#include "extern.h" #include "common.h" #include "security.h" #ifdef KRB5 #include #endif /* KRB5 */ #if defined(KRB5) #include #endif #ifdef OTP #include #endif #ifdef SOCKS #include extern int LIBPREFIX(fclose) (FILE *); #endif /* SunOS doesn't have any declaration of fclose */ int fclose(FILE *stream); int yyparse(void); #ifndef LOG_FTP #define LOG_FTP LOG_DAEMON #endif #endif /* __ftpd_locl_h__ */ heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/ftpusers.5000066400000000000000000000013331257755311500220660ustar00rootroot00000000000000.\" $Id$ .\" .Dd May 7, 1997 .Dt FTPUSERS 5 .Os KTH-KRB .Sh NAME .Pa /etc/ftpusers .Nd FTP access list file .Sh DESCRIPTION .Pa /etc/ftpusers contains a list of users that should be allowed or denied FTP access. Each line contains a user, optionally followed by .Dq allow (anything but .Dq allow is ignored). The semi-user .Dq * matches any user. Users that has an explicit .Dq allow , or that does not match any line, are allowed access. Anyone else is denied access. .Pp Note that this is compatible with the old format, where this file contained a list of users that should be denied access. .Sh EXAMPLES This will deny anyone but .Dq foo and .Dq bar to use FTP: .Bd -literal foo allow bar allow * .Ed .Sh SEE ALSO .Xr ftpd 8 heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/gss_userok.c000066400000000000000000000052361257755311500224630ustar00rootroot00000000000000/* * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "ftpd_locl.h" #include /* XXX sync with gssapi.c */ struct gssapi_data { gss_ctx_id_t context_hdl; gss_name_t client_name; gss_cred_id_t delegated_cred_handle; void *mech_data; }; int gssapi_userok(void*, char*); /* to keep gcc happy */ int gssapi_session(void*, char*); /* to keep gcc happy */ int gssapi_userok(void *app_data, char *username) { struct gssapi_data *data = app_data; /* Yes, this logic really is inverted. 
*/ return !gss_userok(data->client_name, username); } int gssapi_session(void *app_data, char *username) { struct gssapi_data *data = app_data; OM_uint32 major, minor; int ret = 0; if (data->delegated_cred_handle != GSS_C_NO_CREDENTIAL) { major = gss_store_cred(&minor, data->delegated_cred_handle, GSS_C_INITIATE, GSS_C_NO_OID, 1, 1, NULL, NULL); if (GSS_ERROR(major)) ret = 1; afslog(NULL, 1); } gss_release_cred(&minor, &data->delegated_cred_handle); return ret; } heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/kauth.c000066400000000000000000000062331257755311500214110ustar00rootroot00000000000000/* * Copyright (c) 1995 - 1999, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
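IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "ftpd_locl.h"

RCSID("$Id$");

#if defined(KRB5)
/* Nonzero while the tickets are ours to remove; cond_kdestroy() checks it
 * and clears it once they have been destroyed. */
int do_destroy_tickets = 1;
/* Name of the credential cache to operate on; NULL selects the default. */
char *k5ccname;
#endif

#ifdef KRB5

/*
 * Open the credential cache used by this session: the one named by
 * k5ccname when set, otherwise the default cache.
 *
 * On success *context and *id are valid and the caller must release
 * both.  On failure nothing is left allocated and the error is returned.
 */
static krb5_error_code
open_session_cc(krb5_context *context, krb5_ccache *id)
{
    krb5_error_code ret;

    ret = krb5_init_context(context);
    if (ret)
	return ret;
    if (k5ccname)
	ret = krb5_cc_resolve(*context, k5ccname, id);
    else
	ret = krb5_cc_default(*context, id);
    if (ret)
	krb5_free_context(*context);
    return ret;
}

/*
 * Destroy (remove) the session's credential cache.  Errors are silent:
 * the callers have nothing useful to tell the client about them.
 */
static void
dest_cc(void)
{
    krb5_context context;
    krb5_ccache id;

    if (open_session_cc(&context, &id) == 0) {
	krb5_cc_destroy(context, id);
	krb5_free_context(context);
    }
}
#endif

#if defined(KRB5)

/*
 * Only destroy if we created the tickets
 */

void
cond_kdestroy(void)
{
    if (do_destroy_tickets) {
#ifdef KRB5
	dest_cc();
#endif
	do_destroy_tickets = 0;
    }
    afsunlog();
}

/*
 * KDESTROY command: unconditionally destroy the tickets and drop the
 * AFS token, then acknowledge with 200.
 */
void
kdestroy(void)
{
#ifdef KRB5
    dest_cc();
#endif
    afsunlog();
    reply(200, "Tickets destroyed");
}

/*
 * Obtain an AFS token from the session's credential cache; cell is
 * passed through to krb5_afslog().  Without AFS support in the kernel
 * nothing is done.  Unless quiet is set a 200 reply is sent in either
 * case; note that it is sent even when the cache could not be opened.
 */
void
afslog(const char *cell, int quiet)
{
    if(k_hasafs()) {
#ifdef KRB5
	krb5_context context;
	krb5_ccache id;

	if (open_session_cc(&context, &id) == 0) {
	    krb5_afslog(context, id, cell, 0);
	    krb5_cc_close (context, id);
	    krb5_free_context (context);
	}
#endif
	if (!quiet)
	    reply(200, "afslog done");
    } else {
	if (!quiet)
	    reply(200, "no AFS present");
    }
}

/* Drop the AFS token, if AFS is present. */
void
afsunlog(void)
{
    if(k_hasafs())
	k_unlog();
}

#else
int ftpd_afslog_placeholder;
#endif /* KRB5 */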
heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/klist.c000066400000000000000000000112761257755311500214260ustar00rootroot00000000000000/* * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #include "ftpd_locl.h" #ifdef KRB5 static int print_cred(krb5_context context, krb5_creds *cred) { char t1[128], t2[128], *str; krb5_error_code ret; krb5_timestamp sec; krb5_timeofday (context, &sec); if(cred->times.starttime) krb5_format_time(context, cred->times.starttime, t1, sizeof(t1), 1); else krb5_format_time(context, cred->times.authtime, t1, sizeof(t1), 1); if(cred->times.endtime > sec) krb5_format_time(context, cred->times.endtime, t2, sizeof(t2), 1); else strlcpy(t2, ">>>Expired<<<", sizeof(t2)); ret = krb5_unparse_name (context, cred->server, &str); if (ret) { lreply(500, "krb5_unparse_name: %d", ret); return 1; } lreply(200, "%-20s %-20s %s", t1, t2, str); free(str); return 0; } static int print_tickets (krb5_context context, krb5_ccache ccache, krb5_principal principal) { krb5_error_code ret; krb5_cc_cursor cursor; krb5_creds cred; char *str; ret = krb5_unparse_name (context, principal, &str); if (ret) { lreply(500, "krb5_unparse_name: %d", ret); return 500; } lreply(200, "%17s: %s:%s", "Credentials cache", krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache)); lreply(200, "%17s: %s", "Principal", str); free (str); ret = krb5_cc_start_seq_get (context, ccache, &cursor); if (ret) { lreply(500, "krb5_cc_start_seq_get: %d", ret); return 500; } lreply(200, " Issued Expires Principal"); while ((ret = krb5_cc_next_cred (context, ccache, &cursor, &cred)) == 0) { if (print_cred(context, &cred)) return 500; krb5_free_cred_contents (context, &cred); } if (ret != KRB5_CC_END) { lreply(500, "krb5_cc_get_next: %d", ret); return 500; } ret = krb5_cc_end_seq_get (context, ccache, &cursor); if (ret) { lreply(500, "krb5_cc_end_seq_get: %d", ret); return 500; } return 200; } static int klist5(void) { krb5_error_code ret; krb5_context context; krb5_ccache ccache; krb5_principal principal; int exit_status = 200; ret = krb5_init_context (&context); if (ret) { lreply(500, "krb5_init_context failed: %d", ret); return 500; } if (k5ccname) ret = 
krb5_cc_resolve(context, k5ccname, &ccache); else ret = krb5_cc_default (context, &ccache); if (ret) { lreply(500, "krb5_cc_default: %d", ret); return 500; } ret = krb5_cc_get_principal (context, ccache, &principal); if (ret) { if(ret == ENOENT) lreply(500, "No ticket file: %s", krb5_cc_get_name(context, ccache)); else lreply(500, "krb5_cc_get_principal: %d", ret); return 500; } exit_status = print_tickets (context, ccache, principal); ret = krb5_cc_close (context, ccache); if (ret) { lreply(500, "krb5_cc_close: %d", ret); exit_status = 500; } krb5_free_principal (context, principal); krb5_free_context (context); return exit_status; } #endif void klist(void) { #if KRB5 int res = klist5(); reply(res, " "); #else reply(500, "Command not implemented."); #endif } heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/logwtmp.c000066400000000000000000000117301257755311500217640ustar00rootroot00000000000000/* * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifdef HAVE_CONFIG_H #include RCSID("$Id$"); #endif #include #include #ifdef TIME_WITH_SYS_TIME #include #include #elif defined(HAVE_SYS_TIME_H) #include #else #include #endif #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_FCNTL_H #include #endif #ifdef HAVE_UTMP_H #include #endif #ifdef HAVE_UTMPX_H #include #endif #ifdef HAVE_ASL_H #include #endif #include #include "extern.h" #ifndef HAVE_UTMPX_H #ifndef WTMP_FILE #ifdef _PATH_WTMP #define WTMP_FILE _PATH_WTMP #else #define WTMP_FILE "/var/adm/wtmp" #endif #endif #endif #ifdef HAVE_ASL_H #ifndef ASL_KEY_FACILITY #define ASL_KEY_FACILITY "Facility" #endif static void ftpd_logwtmp_asl(char *line, char *name, char *host) { static aslmsg m = NULL; static int init = 0; if (!init) { init = 1; m = asl_new(ASL_TYPE_MSG); if (m == NULL) return; asl_set(m, ASL_KEY_FACILITY, "org.h5l.ftpd"); } if (m) asl_log(NULL, m, ASL_LEVEL_NOTICE, "host %s/%s user %s%sconnected pid %d", host, line, name, name[0] ? 
" " : "dis", (int)getpid()); } #endif #ifndef HAVE_ASL_H static void ftpd_logwtmp_wtmp(char *line, char *name, char *host) { static int init = 0; #ifdef WTMP_FILE static int fd; #endif #ifdef WTMPX_FILE static int fdx; #endif #ifdef HAVE_UTMP_H struct utmp ut; #endif #if defined(WTMPX_FILE) || defined(HAVE_UTMPX_H) struct utmpx utx; #endif #if defined(WTMP_FILE) || defined(WTMPX_FILE) ssize_t ret; #endif #ifdef HAVE_UTMPX_H memset(&utx, 0, sizeof(struct utmpx)); #endif #ifdef HAVE_UTMP_H memset(&ut, 0, sizeof(struct utmp)); #ifdef HAVE_STRUCT_UTMP_UT_TYPE if(name[0]) ut.ut_type = USER_PROCESS; else ut.ut_type = DEAD_PROCESS; #endif strncpy(ut.ut_line, line, sizeof(ut.ut_line)); strncpy(ut.ut_name, name, sizeof(ut.ut_name)); #ifdef HAVE_STRUCT_UTMP_UT_PID ut.ut_pid = getpid(); #endif #ifdef HAVE_STRUCT_UTMP_UT_HOST strncpy(ut.ut_host, host, sizeof(ut.ut_host)); #endif ut.ut_time = time(NULL); #endif #if defined(WTMPX_FILE) || defined(HAVE_UTMPX_H) strncpy(utx.ut_line, line, sizeof(utx.ut_line)); strncpy(utx.ut_user, name, sizeof(utx.ut_user)); strncpy(utx.ut_host, host, sizeof(utx.ut_host)); #ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN utx.ut_syslen = strlen(host) + 1; if (utx.ut_syslen > sizeof(utx.ut_host)) utx.ut_syslen = sizeof(utx.ut_host); #endif { struct timeval tv; gettimeofday (&tv, 0); utx.ut_tv.tv_sec = tv.tv_sec; utx.ut_tv.tv_usec = tv.tv_usec; } if(name[0]) utx.ut_type = USER_PROCESS; else utx.ut_type = DEAD_PROCESS; #endif #ifdef HAVE_UTMPX_H pututxline(&utx); #endif if(!init){ #ifdef WTMP_FILE fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0); #endif #ifdef WTMPX_FILE fdx = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0); #endif init = 1; } #if defined(WTMP_FILE) || defined(WTMPX_FILE) if(fd >= 0) { #ifdef WTMP_FILE ret = write(fd, &ut, sizeof(struct utmp)); /* XXX */ #endif #ifdef WTMPX_FILE ret = write(fdx, &utx, sizeof(struct utmpx)); #endif if (ret == -1) syslog(LOG_ERR, "ftpd_logwtmp_wtmp(): write(2) failed: %m"); } #endif } #endif /* !HAVE_ASL_H */ void ftpd_logwtmp(char 
*line, char *name, char *host) { #ifdef HAVE_ASL_H ftpd_logwtmp_asl(line, name, host); #else ftpd_logwtmp_wtmp(line, name, host); #endif } heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/ls.c000066400000000000000000000511751257755311500207200ustar00rootroot00000000000000/* * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of KTH nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #ifndef TEST #include "ftpd_locl.h" RCSID("$Id$"); #else #include #include #include #include #include #include #include #include #include #include #define sec_fprintf2 fprintf #define sec_fflush fflush static void list_files(FILE *out, const char **files, int n_files, int flags); static int parse_flags(const char *options); int main(int argc, char **argv) { int i = 1; int flags; if(argc > 1 && argv[1][0] == '-') { flags = parse_flags(argv[1]); i = 2; } else flags = parse_flags(NULL); list_files(stdout, (const char **)argv + i, argc - i, flags); return 0; } #endif struct fileinfo { struct stat st; int inode; int bsize; char mode[11]; int n_link; char *user; char *group; char *size; char *major; char *minor; char *date; char *filename; char *link; }; static void free_fileinfo(struct fileinfo *f) { free(f->user); free(f->group); free(f->size); free(f->major); free(f->minor); free(f->date); free(f->filename); free(f->link); } #define LS_DIRS (1 << 0) #define LS_IGNORE_DOT (1 << 1) #define LS_SORT_MODE (3 << 2) #define SORT_MODE(f) ((f) & LS_SORT_MODE) #define LS_SORT_NAME (1 << 2) #define LS_SORT_MTIME (2 << 2) #define LS_SORT_SIZE (3 << 2) #define LS_SORT_REVERSE (1 << 4) #define LS_SIZE (1 << 5) #define LS_INODE (1 << 6) #define LS_TYPE (1 << 7) #define LS_DISP_MODE (3 << 8) #define DISP_MODE(f) ((f) & LS_DISP_MODE) #define LS_DISP_LONG (1 << 8) #define LS_DISP_COLUMN (2 << 8) #define LS_DISP_CROSS (3 << 8) #define LS_SHOW_ALL (1 << 10) #define LS_RECURSIVE (1 << 11) #define LS_EXTRA_BLANK (1 << 12) #define LS_SHOW_DIRNAME (1 << 13) #define LS_DIR_FLAG (1 << 14) /* these files come via list_dir */ #ifndef S_ISTXT #define S_ISTXT S_ISVTX #endif #if !defined(_S_IFMT) && defined(S_IFMT) #define _S_IFMT S_IFMT #endif #ifndef S_ISSOCK #define S_ISSOCK(mode) (((mode) & _S_IFMT) == S_IFSOCK) #endif #ifndef S_ISLNK #define S_ISLNK(mode) (((mode) & _S_IFMT) == S_IFLNK) #endif static size_t block_convert(size_t blocks) { #ifdef S_BLKSIZE return blocks * S_BLKSIZE / 1024; 
#else return blocks * 512 / 1024; #endif } static int make_fileinfo(FILE *out, const char *filename, struct fileinfo *file, int flags) { char buf[128]; int file_type = 0; struct stat *st = &file->st; file->inode = st->st_ino; file->bsize = block_convert(st->st_blocks); if(S_ISDIR(st->st_mode)) { file->mode[0] = 'd'; file_type = '/'; } else if(S_ISCHR(st->st_mode)) file->mode[0] = 'c'; else if(S_ISBLK(st->st_mode)) file->mode[0] = 'b'; else if(S_ISREG(st->st_mode)) { file->mode[0] = '-'; if(st->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) file_type = '*'; } else if(S_ISFIFO(st->st_mode)) { file->mode[0] = 'p'; file_type = '|'; } else if(S_ISLNK(st->st_mode)) { file->mode[0] = 'l'; file_type = '@'; } else if(S_ISSOCK(st->st_mode)) { file->mode[0] = 's'; file_type = '='; } #ifdef S_ISWHT else if(S_ISWHT(st->st_mode)) { file->mode[0] = 'w'; file_type = '%'; } #endif else file->mode[0] = '?'; { char *x[] = { "---", "--x", "-w-", "-wx", "r--", "r-x", "rw-", "rwx" }; strcpy(file->mode + 1, x[(st->st_mode & S_IRWXU) >> 6]); strcpy(file->mode + 4, x[(st->st_mode & S_IRWXG) >> 3]); strcpy(file->mode + 7, x[(st->st_mode & S_IRWXO) >> 0]); if((st->st_mode & S_ISUID)) { if((st->st_mode & S_IXUSR)) file->mode[3] = 's'; else file->mode[3] = 'S'; } if((st->st_mode & S_ISGID)) { if((st->st_mode & S_IXGRP)) file->mode[6] = 's'; else file->mode[6] = 'S'; } if((st->st_mode & S_ISTXT)) { if((st->st_mode & S_IXOTH)) file->mode[9] = 't'; else file->mode[9] = 'T'; } } file->n_link = st->st_nlink; { struct passwd *pwd; pwd = getpwuid(st->st_uid); if(pwd == NULL) { if (asprintf(&file->user, "%u", (unsigned)st->st_uid) == -1) file->user = NULL; } else file->user = strdup(pwd->pw_name); if (file->user == NULL) { syslog(LOG_ERR, "out of memory"); return -1; } } { struct group *grp; grp = getgrgid(st->st_gid); if(grp == NULL) { if (asprintf(&file->group, "%u", (unsigned)st->st_gid) == -1) file->group = NULL; } else file->group = strdup(grp->gr_name); if (file->group == NULL) { syslog(LOG_ERR, "out 
of memory"); return -1; } } if(S_ISCHR(st->st_mode) || S_ISBLK(st->st_mode)) { #if defined(major) && defined(minor) if (asprintf(&file->major, "%u", (unsigned)major(st->st_rdev)) == -1) file->major = NULL; if (asprintf(&file->minor, "%u", (unsigned)minor(st->st_rdev)) == -1) file->minor = NULL; #else /* Don't want to use the DDI/DKI crap. */ if (asprintf(&file->major, "%u", (unsigned)st->st_rdev) == -1) file->major = NULL; if (asprintf(&file->minor, "%u", 0) == -1) file->minor = NULL; #endif if (file->major == NULL || file->minor == NULL) { syslog(LOG_ERR, "out of memory"); return -1; } } else { if (asprintf(&file->size, "%lu", (unsigned long)st->st_size) == -1) file->size = NULL; } { time_t t = time(NULL); time_t mtime = st->st_mtime; struct tm *tm = localtime(&mtime); if((t - mtime > 6*30*24*60*60) || (mtime - t > 6*30*24*60*60)) strftime(buf, sizeof(buf), "%b %e %Y", tm); else strftime(buf, sizeof(buf), "%b %e %H:%M", tm); file->date = strdup(buf); if (file->date == NULL) { syslog(LOG_ERR, "out of memory"); return -1; } } { const char *p = strrchr(filename, '/'); if(p) p++; else p = filename; if((flags & LS_TYPE) && file_type != 0) { if (asprintf(&file->filename, "%s%c", p, file_type) == -1) file->filename = NULL; } else file->filename = strdup(p); if (file->filename == NULL) { syslog(LOG_ERR, "out of memory"); return -1; } } if(S_ISLNK(st->st_mode)) { int n; n = readlink((char *)filename, buf, sizeof(buf) - 1); if(n >= 0) { buf[n] = '\0'; file->link = strdup(buf); if (file->link == NULL) { syslog(LOG_ERR, "out of memory"); return -1; } } else sec_fprintf2(out, "readlink(%s): %s", filename, strerror(errno)); } return 0; } static void print_file(FILE *out, int flags, struct fileinfo *f, int max_inode, int max_bsize, int max_n_link, int max_user, int max_group, int max_size, int max_major, int max_minor, int max_date) { if(f->filename == NULL) return; if(flags & LS_INODE) { sec_fprintf2(out, "%*d", max_inode, f->inode); sec_fprintf2(out, " "); } if(flags & 
LS_SIZE) { sec_fprintf2(out, "%*d", max_bsize, f->bsize); sec_fprintf2(out, " "); } sec_fprintf2(out, "%s", f->mode); sec_fprintf2(out, " "); sec_fprintf2(out, "%*d", max_n_link, f->n_link); sec_fprintf2(out, " "); sec_fprintf2(out, "%-*s", max_user, f->user); sec_fprintf2(out, " "); sec_fprintf2(out, "%-*s", max_group, f->group); sec_fprintf2(out, " "); if(f->major != NULL && f->minor != NULL) sec_fprintf2(out, "%*s, %*s", max_major, f->major, max_minor, f->minor); else sec_fprintf2(out, "%*s", max_size, f->size); sec_fprintf2(out, " "); sec_fprintf2(out, "%*s", max_date, f->date); sec_fprintf2(out, " "); sec_fprintf2(out, "%s", f->filename); if(f->link) sec_fprintf2(out, " -> %s", f->link); sec_fprintf2(out, "\r\n"); } static int compare_filename(struct fileinfo *a, struct fileinfo *b) { if(a->filename == NULL) return 1; if(b->filename == NULL) return -1; return strcmp(a->filename, b->filename); } static int compare_mtime(struct fileinfo *a, struct fileinfo *b) { if(a->filename == NULL) return 1; if(b->filename == NULL) return -1; return b->st.st_mtime - a->st.st_mtime; } static int compare_size(struct fileinfo *a, struct fileinfo *b) { if(a->filename == NULL) return 1; if(b->filename == NULL) return -1; return b->st.st_size - a->st.st_size; } static int list_dir(FILE*, const char*, int); static int find_log10(int num) { int i = 1; while(num > 10) { i++; num /= 10; } return i; } /* * Operate as lstat but fake up entries for AFS mount points so we don't * have to fetch them. 
*/ #ifdef KRB5 static int do_the_afs_dance = 1; #endif static int lstat_file (const char *file, struct stat *sb) { #ifdef KRB5 if (do_the_afs_dance && k_hasafs() && strcmp(file, ".") && strcmp(file, "..") && strcmp(file, "/")) { struct ViceIoctl a_params; char *dir, *last; char *path_bkp; static ino_t ino_counter = 0, ino_last = 0; int ret; const int maxsize = 2048; path_bkp = strdup (file); if (path_bkp == NULL) return -1; a_params.out = malloc (maxsize); if (a_params.out == NULL) { free (path_bkp); return -1; } /* If path contains more than the filename alone - split it */ last = strrchr (path_bkp, '/'); if (last != NULL) { if(last[1] == '\0') /* if path ended in /, replace with `.' */ a_params.in = "."; else a_params.in = last + 1; while(last > path_bkp && *--last == '/'); if(*last != '/' || last != path_bkp) { *++last = '\0'; dir = path_bkp; } else /* we got to the start, so this must be the root dir */ dir = "/"; } else { /* file is relative to cdir */ dir = "."; a_params.in = path_bkp; } a_params.in_size = strlen (a_params.in) + 1; a_params.out_size = maxsize; ret = k_pioctl (dir, VIOC_AFS_STAT_MT_PT, &a_params, 0); free (a_params.out); if (ret < 0) { free (path_bkp); if (errno != EINVAL) return ret; else /* if we get EINVAL this is probably not a mountpoint */ return lstat (file, sb); } /* * wow this was a mountpoint, lets cook the struct stat * use . as a prototype */ ret = lstat (dir, sb); free (path_bkp); if (ret < 0) return ret; if (ino_last == sb->st_ino) ino_counter++; else { ino_last = sb->st_ino; ino_counter = 0; } sb->st_ino += ino_counter; sb->st_nlink = 3; return 0; } #endif /* KRB5 */ return lstat (file, sb); } #define IS_DOT_DOTDOT(X) ((X)[0] == '.' && ((X)[1] == '\0' || \ ((X)[1] == '.' 
&& (X)[2] == '\0'))) static int list_files(FILE *out, const char **files, int n_files, int flags) { struct fileinfo *fi; int i; int *dirs = NULL; size_t total_blocks = 0; int n_print = 0; int ret = 0; if(n_files == 0) return 0; if(n_files > 1) flags |= LS_SHOW_DIRNAME; fi = calloc(n_files, sizeof(*fi)); if (fi == NULL) { syslog(LOG_ERR, "out of memory"); return -1; } for(i = 0; i < n_files; i++) { if(lstat_file(files[i], &fi[i].st) < 0) { sec_fprintf2(out, "%s: %s\r\n", files[i], strerror(errno)); fi[i].filename = NULL; } else { int include_in_list = 1; total_blocks += block_convert(fi[i].st.st_blocks); if(S_ISDIR(fi[i].st.st_mode)) { if(dirs == NULL) dirs = calloc(n_files, sizeof(*dirs)); if(dirs == NULL) { syslog(LOG_ERR, "%s: %m", files[i]); ret = -1; goto out; } dirs[i] = 1; if((flags & LS_DIRS) == 0) include_in_list = 0; } if(include_in_list) { ret = make_fileinfo(out, files[i], &fi[i], flags); if (ret) goto out; n_print++; } } } switch(SORT_MODE(flags)) { case LS_SORT_NAME: qsort(fi, n_files, sizeof(*fi), (int (*)(const void*, const void*))compare_filename); break; case LS_SORT_MTIME: qsort(fi, n_files, sizeof(*fi), (int (*)(const void*, const void*))compare_mtime); break; case LS_SORT_SIZE: qsort(fi, n_files, sizeof(*fi), (int (*)(const void*, const void*))compare_size); break; } if(DISP_MODE(flags) == LS_DISP_LONG) { int max_inode = 0; int max_bsize = 0; int max_n_link = 0; int max_user = 0; int max_group = 0; int max_size = 0; int max_major = 0; int max_minor = 0; int max_date = 0; for(i = 0; i < n_files; i++) { if(fi[i].filename == NULL) continue; if(fi[i].inode > max_inode) max_inode = fi[i].inode; if(fi[i].bsize > max_bsize) max_bsize = fi[i].bsize; if(fi[i].n_link > max_n_link) max_n_link = fi[i].n_link; if(strlen(fi[i].user) > max_user) max_user = strlen(fi[i].user); if(strlen(fi[i].group) > max_group) max_group = strlen(fi[i].group); if(fi[i].major != NULL && strlen(fi[i].major) > max_major) max_major = strlen(fi[i].major); if(fi[i].minor != NULL && 
strlen(fi[i].minor) > max_minor) max_minor = strlen(fi[i].minor); if(fi[i].size != NULL && strlen(fi[i].size) > max_size) max_size = strlen(fi[i].size); if(strlen(fi[i].date) > max_date) max_date = strlen(fi[i].date); } if(max_size < max_major + max_minor + 2) max_size = max_major + max_minor + 2; else if(max_size - max_minor - 2 > max_major) max_major = max_size - max_minor - 2; max_inode = find_log10(max_inode); max_bsize = find_log10(max_bsize); max_n_link = find_log10(max_n_link); if(n_print > 0) sec_fprintf2(out, "total %lu\r\n", (unsigned long)total_blocks); if(flags & LS_SORT_REVERSE) for(i = n_files - 1; i >= 0; i--) print_file(out, flags, &fi[i], max_inode, max_bsize, max_n_link, max_user, max_group, max_size, max_major, max_minor, max_date); else for(i = 0; i < n_files; i++) print_file(out, flags, &fi[i], max_inode, max_bsize, max_n_link, max_user, max_group, max_size, max_major, max_minor, max_date); } else if(DISP_MODE(flags) == LS_DISP_COLUMN || DISP_MODE(flags) == LS_DISP_CROSS) { int max_len = 0; int size_len = 0; int num_files = n_files; int columns; int j; for(i = 0; i < n_files; i++) { if(fi[i].filename == NULL) { num_files--; continue; } if(strlen(fi[i].filename) > max_len) max_len = strlen(fi[i].filename); if(find_log10(fi[i].bsize) > size_len) size_len = find_log10(fi[i].bsize); } if(num_files == 0) goto next; if(flags & LS_SIZE) { columns = 80 / (size_len + 1 + max_len + 1); max_len = 80 / columns - size_len - 1; } else { columns = 80 / (max_len + 1); /* get space between columns */ max_len = 80 / columns; } if(flags & LS_SIZE) sec_fprintf2(out, "total %lu\r\n", (unsigned long)total_blocks); if(DISP_MODE(flags) == LS_DISP_CROSS) { for(i = 0, j = 0; i < n_files; i++) { if(fi[i].filename == NULL) continue; if(flags & LS_SIZE) sec_fprintf2(out, "%*u %-*s", size_len, fi[i].bsize, max_len, fi[i].filename); else sec_fprintf2(out, "%-*s", max_len, fi[i].filename); j++; if(j == columns) { sec_fprintf2(out, "\r\n"); j = 0; } } if(j > 0) 
sec_fprintf2(out, "\r\n"); } else { int skip = (num_files + columns - 1) / columns; for(i = 0; i < skip; i++) { for(j = i; j < n_files;) { while(j < n_files && fi[j].filename == NULL) j++; if(flags & LS_SIZE) sec_fprintf2(out, "%*u %-*s", size_len, fi[j].bsize, max_len, fi[j].filename); else sec_fprintf2(out, "%-*s", max_len, fi[j].filename); j += skip; } sec_fprintf2(out, "\r\n"); } } } else { for(i = 0; i < n_files; i++) { if(fi[i].filename == NULL) continue; sec_fprintf2(out, "%s\r\n", fi[i].filename); } } next: if(((flags & LS_DIRS) == 0 || (flags & LS_RECURSIVE)) && dirs != NULL) { for(i = 0; i < n_files; i++) { if(dirs[i]) { const char *p = strrchr(files[i], '/'); if(p == NULL) p = files[i]; else p++; if(!(flags & LS_DIR_FLAG) || !IS_DOT_DOTDOT(p)) { if((flags & LS_SHOW_DIRNAME)) { if ((flags & LS_EXTRA_BLANK)) sec_fprintf2(out, "\r\n"); sec_fprintf2(out, "%s:\r\n", files[i]); } list_dir(out, files[i], flags | LS_DIRS | LS_EXTRA_BLANK); } } } } out: for(i = 0; i < n_files; i++) free_fileinfo(&fi[i]); free(fi); if(dirs != NULL) free(dirs); return ret; } static void free_files (char **files, int n) { int i; for (i = 0; i < n; ++i) free (files[i]); free (files); } static int hide_file(const char *filename, int flags) { if(filename[0] != '.') return 0; if((flags & LS_IGNORE_DOT)) return 1; if(filename[1] == '\0' || (filename[1] == '.' 
&& filename[2] == '\0')) { if((flags & LS_SHOW_ALL)) return 0; else return 1; } return 0; } static int list_dir(FILE *out, const char *directory, int flags) { DIR *d = opendir(directory); struct dirent *ent; char **files = NULL; int n_files = 0; int ret; if(d == NULL) { syslog(LOG_ERR, "%s: %m", directory); return -1; } while((ent = readdir(d)) != NULL) { void *tmp; if(hide_file(ent->d_name, flags)) continue; tmp = realloc(files, (n_files + 1) * sizeof(*files)); if (tmp == NULL) { syslog(LOG_ERR, "%s: out of memory", directory); free_files (files, n_files); closedir (d); return -1; } files = tmp; ret = asprintf(&files[n_files], "%s/%s", directory, ent->d_name); if (ret == -1) { syslog(LOG_ERR, "%s: out of memory", directory); free_files (files, n_files); closedir (d); return -1; } ++n_files; } closedir(d); return list_files(out, (const char**)files, n_files, flags | LS_DIR_FLAG); } static int parse_flags(const char *options) { #ifdef TEST int flags = LS_SORT_NAME | LS_IGNORE_DOT | LS_DISP_COLUMN; #else int flags = LS_SORT_NAME | LS_IGNORE_DOT | LS_DISP_LONG; #endif const char *p; if(options == NULL || *options != '-') return flags; for(p = options + 1; *p; p++) { switch(*p) { case '1': flags = (flags & ~LS_DISP_MODE); break; case 'a': flags |= LS_SHOW_ALL; /*FALLTHROUGH*/ case 'A': flags &= ~LS_IGNORE_DOT; break; case 'C': flags = (flags & ~LS_DISP_MODE) | LS_DISP_COLUMN; break; case 'd': flags |= LS_DIRS; break; case 'f': flags = (flags & ~LS_SORT_MODE); break; case 'F': flags |= LS_TYPE; break; case 'i': flags |= LS_INODE; break; case 'l': flags = (flags & ~LS_DISP_MODE) | LS_DISP_LONG; break; case 'r': flags |= LS_SORT_REVERSE; break; case 'R': flags |= LS_RECURSIVE; break; case 's': flags |= LS_SIZE; break; case 'S': flags = (flags & ~LS_SORT_MODE) | LS_SORT_SIZE; break; case 't': flags = (flags & ~LS_SORT_MODE) | LS_SORT_MTIME; break; case 'x': flags = (flags & ~LS_DISP_MODE) | LS_DISP_CROSS; break; /* these are a bunch of unimplemented flags from BSD ls */ 
case 'k': /* display sizes in kB */ case 'c': /* last change time */ case 'L': /* list symlink target */ case 'm': /* stream output */ case 'o': /* BSD file flags */ case 'p': /* display / after directories */ case 'q': /* print non-graphic characters */ case 'u': /* use last access time */ case 'T': /* display complete time */ case 'W': /* include whiteouts */ break; } } return flags; } int builtin_ls(FILE *out, const char *file) { int flags; int ret; if(*file == '-') { flags = parse_flags(file); file = "."; } else flags = parse_flags(""); ret = list_files(out, &file, 1, flags); sec_fflush(out); return ret; } heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/pathnames.h000066400000000000000000000046271257755311500222670ustar00rootroot00000000000000/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
* * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)pathnames.h 8.1 (Berkeley) 6/4/93 */ #ifdef HAVE_PATHS_H #include #endif #ifndef _PATH_DEVNULL #define _PATH_DEVNULL "/dev/null" #endif #ifndef _PATH_NOLOGIN #define _PATH_NOLOGIN "/etc/nologin" #endif #ifndef _PATH_BSHELL #define _PATH_BSHELL "/bin/sh" #endif #ifndef _PATH_FTPUSERS #define _PATH_FTPUSERS SYSCONFDIR "/ftpusers" #endif #define _PATH_FTPCHROOT SYSCONFDIR "/ftpchroot" #define _PATH_FTPWELCOME SYSCONFDIR "/ftpwelcome" #define _PATH_FTPLOGINMESG SYSCONFDIR "/motd" #ifndef _PATH_ISSUE #define _PATH_ISSUE SYSCONFDIR "/issue" #endif #define _PATH_ISSUE_NET SYSCONFDIR "/issue.net" heimdal-1.7~git20150920+dfsg/appl/ftp/ftpd/popen.c000066400000000000000000000137271257755311500214240ustar00rootroot00000000000000/* * Copyright (c) 1988, 1993, 1994 * The Regents of the University of California. All rights reserved. * * This code is derived from software written by Ken Arnold and * published in UNIX Review, Vol. 6, No. 8. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ #ifdef HAVE_CONFIG_H #include RCSID("$Id$"); #endif #include #ifdef TIME_WITH_SYS_TIME #include #include #elif defined(HAVE_SYS_TIME_H) #include #else #include #endif #ifdef HAVE_SYS_RESOURCE_H #include #endif #include #include #include #include #include #include #include #include #include #include "extern.h" /* * Special version of popen which avoids call to shell. This ensures * no one may create a pipe to a hidden program as a side effect of a * list or dir command. 
*/ static int *pids; static int fds; /* return path prepended with ~ftp if that file exists, otherwise * return path unchanged */ const char * ftp_rooted(const char *path) { static char home[MaxPathLen] = ""; static char newpath[MaxPathLen]; struct passwd *pwd; if(!home[0]) if((pwd = k_getpwnam("ftp"))) strlcpy(home, pwd->pw_dir, sizeof(home)); snprintf(newpath, sizeof(newpath), "%s/%s", home, path); if(access(newpath, X_OK)) strlcpy(newpath, path, sizeof(newpath)); return newpath; } #define MAXARGS 100 #define MAXGLOBS 1000 FILE * ftpd_popen(char *program, char *type, int do_stderr, int no_glob) { char *cp; FILE *iop; int argc, gargc, pdes[2], pid; char **pop, *argv[MAXARGS], *gargv[MAXGLOBS]; char *foo; if (strcmp(type, "r") && strcmp(type, "w")) return (NULL); if (!pids) { /* This function is ugly and should be rewritten, in * modern unices there is no such thing as a maximum * filedescriptor. */ fds = getdtablesize(); pids = (int*)calloc(fds, sizeof(int)); if(!pids) return NULL; } if (pipe(pdes) < 0) return (NULL); /* break up string into pieces */ foo = NULL; for (argc = 0, cp = program; argc < MAXARGS - 1; cp = NULL) { if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo))) break; } argv[MAXARGS - 1] = NULL; gargv[0] = (char*)ftp_rooted(argv[0]); /* glob each piece */ for (gargc = argc = 1; argv[argc] && gargc < MAXGLOBS - 1; argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE | #ifdef GLOB_MAXPATH GLOB_MAXPATH #else GLOB_LIMIT #endif ; memset(&gl, 0, sizeof(gl)); if (no_glob || glob(argv[argc], flags, NULL, &gl) || gl.gl_pathc == 0) gargv[gargc++] = strdup(argv[argc]); else for (pop = gl.gl_pathv; *pop && gargc < MAXGLOBS - 1; pop++) gargv[gargc++] = strdup(*pop); globfree(&gl); } gargv[gargc] = NULL; iop = NULL; switch(pid = fork()) { case -1: /* error */ close(pdes[0]); close(pdes[1]); goto pfree; /* NOTREACHED */ case 0: /* child */ if (*type == 'r') { if (pdes[1] != STDOUT_FILENO) { dup2(pdes[1], STDOUT_FILENO); close(pdes[1]); } 
if(do_stderr) dup2(STDOUT_FILENO, STDERR_FILENO); close(pdes[0]); } else { if (pdes[0] != STDIN_FILENO) { dup2(pdes[0], STDIN_FILENO); close(pdes[0]); } close(pdes[1]); } execv(gargv[0], gargv); gargv[0] = argv[0]; execv(gargv[0], gargv); _exit(1); } /* parent; assume fdopen can't fail... */ if (*type == 'r') { iop = fdopen(pdes[0], type); close(pdes[1]); } else { iop = fdopen(pdes[1], type); close(pdes[0]); } pids[fileno(iop)] = pid; pfree: for (argc = 1; gargv[argc] != NULL; argc++) free(gargv[argc]); return (iop); } int ftpd_pclose(FILE *iop) { int fdes, status; pid_t pid; sigset_t sigset, osigset; /* * pclose returns -1 if stream is not associated with a * `popened' command, or, if already `pclosed'. */ if (pids == 0 || pids[fdes = fileno(iop)] == 0) return (-1); fclose(iop); sigemptyset(&sigset); sigaddset(&sigset, SIGINT); sigaddset(&sigset, SIGQUIT); sigaddset(&sigset, SIGHUP); sigprocmask(SIG_BLOCK, &sigset, &osigset); while ((pid = waitpid(pids[fdes], &status, 0)) < 0 && errno == EINTR) continue; sigprocmask(SIG_SETMASK, &osigset, NULL); pids[fdes] = 0; if (pid < 0) return (pid); if (WIFEXITED(status)) return (WEXITSTATUS(status)); return (1); } heimdal-1.7~git20150920+dfsg/appl/gssmask/000077500000000000000000000000001257755311500200475ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/gssmask/Makefile.am000066400000000000000000000005141257755311500221030ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common noinst_PROGRAMS = gssmask gssmaestro gssmask_SOURCES = gssmask.c common.c common.h protocol.h gssmaestro_SOURCES = gssmaestro.c common.c common.h protocol.h LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LIB_roken) $(top_builddir)/lib/krb5/libkrb5.la EXTRA_DIST = NTMakefile heimdal-1.7~git20150920+dfsg/appl/gssmask/NTMakefile000066400000000000000000000027351257755311500217600ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints 
Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\gssmask !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/gssmask/common.c000066400000000000000000000056451257755311500215150ustar00rootroot00000000000000/* * Copyright (c) 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of KTH nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ #include RCSID("$Id$"); krb5_error_code store_string(krb5_storage *sp, const char *str) { size_t len = strlen(str) + 1; krb5_error_code ret; ret = krb5_store_int32(sp, len); if (ret) return ret; ret = krb5_storage_write(sp, str, len); if (ret != len) return EINVAL; return 0; } static void add_list(char ****list, size_t *listlen, char **str, size_t len) { size_t i; *list = erealloc(*list, sizeof(**list) * (*listlen + 1)); (*list)[*listlen] = ecalloc(len, sizeof(**list)); for (i = 0; i < len; i++) (*list)[*listlen][i] = str[i]; (*listlen)++; } static void permute(char ****list, size_t *listlen, char **str, const int start, const int len) { int i, j; #define SWAP(s,i,j) { char *t = str[i]; str[i] = str[j]; str[j] = t; } for (i = start; i < len - 1; i++) { for (j = i+1; j < len; j++) { SWAP(str,i,j); permute(list, listlen, str, i+1, len); SWAP(str,i,j); } } add_list(list, listlen, str, len); } char *** permutate_all(struct getarg_strings *strings, size_t *size) { char **list, ***all = NULL; int i; *size = 0; list = ecalloc(strings->num_strings, sizeof(*list)); for (i = 0; i < strings->num_strings; i++) list[i] = strings->strings[i]; permute(&all, size, list, 0, strings->num_strings); free(list); return all; } heimdal-1.7~git20150920+dfsg/appl/gssmask/common.h000066400000000000000000000067301257755311500215160ustar00rootroot00000000000000/* * Copyright (c) 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. 
Neither the name of KTH nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* $Id$ */ #ifdef HAVE_CONFIG_H #include #endif #include #ifdef HAVE_SYS_UTSNAME_H #include #endif #ifdef HAVE_SYS_WAIT_H #include #endif #include #include #include #include #include #include #include #include #include "protocol.h" /* * pthread support is disable because the pthread * test have no "application pthread libflags" variable, * when this is fixed pthread support can be enabled again. 
*/ #undef ENABLE_PTHREAD_SUPPORT krb5_error_code store_string(krb5_storage *, const char *); #define ret16(_client, num) \ do { \ if (krb5_ret_int16((_client)->sock, &(num)) != 0) \ errx(1, "krb5_ret_int16 " #num); \ } while(0) #define ret32(_client, num) \ do { \ if (krb5_ret_int32((_client)->sock, &(num)) != 0) \ errx(1, "krb5_ret_int32 " #num); \ } while(0) #define retdata(_client, data) \ do { \ if (krb5_ret_data((_client)->sock, &(data)) != 0) \ errx(1, "krb5_ret_data " #data); \ } while(0) #define retstring(_client, data) \ do { \ if (krb5_ret_string((_client)->sock, &(data)) != 0) \ errx(1, "krb5_ret_data " #data); \ } while(0) #define put32(_client, num) \ do { \ if (krb5_store_int32((_client)->sock, num) != 0) \ errx(1, "krb5_store_int32 " #num); \ } while(0) #define putdata(_client, data) \ do { \ if (krb5_store_data((_client)->sock, data) != 0) \ errx(1, "krb5_store_data " #data); \ } while(0) #define putstring(_client, str) \ do { \ if (store_string((_client)->sock, str) != 0) \ errx(1, "krb5_store_str " #str); \ } while(0) char *** permutate_all(struct getarg_strings *, size_t *); heimdal-1.7~git20150920+dfsg/appl/gssmask/gssmaestro.c000066400000000000000000000541321257755311500224070ustar00rootroot00000000000000/* * Copyright (c) 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. 
Neither the name of KTH nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include RCSID("$Id$"); static FILE *logfile; /* * */ struct client { char *name; struct sockaddr *sa; socklen_t salen; krb5_storage *sock; int32_t capabilities; char *target_name; char *moniker; krb5_storage *logsock; int have_log; #ifdef ENABLE_PTHREAD_SUPPORT pthread_t thr; #else pid_t child; #endif }; static struct client **clients; static int num_clients; static int init_sec_context(struct client *client, int32_t *hContext, int32_t *hCred, int32_t flags, const char *targetname, const krb5_data *itoken, krb5_data *otoken) { int32_t val; krb5_data_zero(otoken); put32(client, eInitContext); put32(client, *hContext); put32(client, *hCred); put32(client, flags); putstring(client, targetname); putdata(client, *itoken); ret32(client, *hContext); ret32(client, val); retdata(client, *otoken); return val; } static int accept_sec_context(struct client *client, int32_t *hContext, int32_t flags, const krb5_data *itoken, krb5_data *otoken, int32_t *hDelegCred) { int32_t val; krb5_data_zero(otoken); put32(client, eAcceptContext); put32(client, *hContext); 
put32(client, flags); putdata(client, *itoken); ret32(client, *hContext); ret32(client, val); retdata(client, *otoken); ret32(client, *hDelegCred); return val; } static int acquire_cred(struct client *client, const char *username, const char *password, int32_t flags, int32_t *hCred) { int32_t val; put32(client, eAcquireCreds); putstring(client, username); putstring(client, password); put32(client, flags); ret32(client, val); ret32(client, *hCred); return val; } static int toast_resource(struct client *client, int32_t hCred) { int32_t val; put32(client, eToastResource); put32(client, hCred); ret32(client, val); return val; } static int goodbye(struct client *client) { put32(client, eGoodBye); return GSMERR_OK; } static int get_targetname(struct client *client, char **target) { put32(client, eGetTargetName); retstring(client, *target); return GSMERR_OK; } static int32_t encrypt_token(struct client *client, int32_t hContext, int32_t flags, krb5_data *in, krb5_data *out) { int32_t val; put32(client, eEncrypt); put32(client, hContext); put32(client, flags); put32(client, 0); putdata(client, *in); ret32(client, val); retdata(client, *out); return val; } static int32_t decrypt_token(struct client *client, int32_t hContext, int flags, krb5_data *in, krb5_data *out) { int32_t val; put32(client, eDecrypt); put32(client, hContext); put32(client, flags); put32(client, 0); putdata(client, *in); ret32(client, val); retdata(client, *out); return val; } static int32_t wrap_token_ext(struct client *client, int32_t hContext, int32_t flags, int32_t bflags, krb5_data *header, krb5_data *in, krb5_data *trailer, krb5_data *out) { int32_t val; put32(client, eWrapExt); put32(client, hContext); put32(client, flags); put32(client, bflags); putdata(client, *header); putdata(client, *in); putdata(client, *trailer); ret32(client, val); retdata(client, *out); return val; } static int32_t unwrap_token_ext(struct client *client, int32_t hContext, int32_t flags, int32_t bflags, krb5_data *header, 
krb5_data *in, krb5_data *trailer, krb5_data *out) { int32_t val; put32(client, eUnwrapExt); put32(client, hContext); put32(client, flags); put32(client, bflags); putdata(client, *header); putdata(client, *in); putdata(client, *trailer); ret32(client, val); retdata(client, *out); return val; } static int32_t get_mic(struct client *client, int32_t hContext, krb5_data *in, krb5_data *mic) { int32_t val; put32(client, eSign); put32(client, hContext); put32(client, 0); put32(client, 0); putdata(client, *in); ret32(client, val); retdata(client, *mic); return val; } static int32_t verify_mic(struct client *client, int32_t hContext, krb5_data *in, krb5_data *mic) { int32_t val; put32(client, eVerify); put32(client, hContext); put32(client, 0); put32(client, 0); putdata(client, *in); putdata(client, *mic); ret32(client, val); return val; } static int32_t get_version_capa(struct client *client, int32_t *version, int32_t *capa, char **version_str) { put32(client, eGetVersionAndCapabilities); ret32(client, *version); ret32(client, *capa); retstring(client, *version_str); return GSMERR_OK; } static int32_t get_moniker(struct client *client, char **moniker) { put32(client, eGetMoniker); retstring(client, *moniker); return GSMERR_OK; } static int wait_log(struct client *c) { int32_t port; struct sockaddr_storage sast; socklen_t salen = sizeof(sast); krb5_socket_t sock, sock2; int ret; memset(&sast, 0, sizeof(sast)); assert(sizeof(sast) >= c->salen); sock = socket(c->sa->sa_family, SOCK_STREAM, 0); if (sock == rk_INVALID_SOCKET) err(1, "failed to build socket for %s's logging port", c->moniker); sast.ss_family = c->sa->sa_family; ret = bind(sock, (struct sockaddr *)&sast, c->salen); if (ret < 0) err(1, "failed to bind %s's logging port", c->moniker); if (listen(sock, SOMAXCONN) < 0) err(1, "failed to listen %s's logging port", c->moniker); salen = sizeof(sast); ret = getsockname(sock, (struct sockaddr *)&sast, &salen); if (ret < 0) err(1, "failed to get address of local socket 
for %s", c->moniker); port = socket_get_port((struct sockaddr *)&sast); put32(c, eSetLoggingSocket); put32(c, ntohs(port)); salen = sizeof(sast); sock2 = accept(sock, (struct sockaddr *)&sast, &salen); if (sock2 == rk_INVALID_SOCKET) err(1, "failed to accept local socket for %s", c->moniker); rk_closesocket(sock); return sock2; } static int build_context(struct client *ipeer, struct client *apeer, int32_t flags, int32_t hCred, int32_t *iContext, int32_t *aContext, int32_t *hDelegCred) { int32_t val = GSMERR_ERROR, ic = 0, ac = 0, deleg = 0; krb5_data itoken, otoken; int iDone = 0, aDone = 0; int step = 0; int first_call = 0x80; if (apeer->target_name == NULL) errx(1, "apeer %s have no target name", apeer->name); krb5_data_zero(&itoken); while (!iDone || !aDone) { if (iDone) { warnx("iPeer already done, aPeer want extra rtt"); val = GSMERR_ERROR; goto out; } val = init_sec_context(ipeer, &ic, &hCred, flags|first_call, apeer->target_name, &itoken, &otoken); step++; switch(val) { case GSMERR_OK: iDone = 1; if (aDone) continue; break; case GSMERR_CONTINUE_NEEDED: break; default: warnx("iPeer %s failed with %d (step %d)", ipeer->name, (int)val, step); goto out; } if (aDone) { warnx("aPeer already done, iPeer want extra rtt"); val = GSMERR_ERROR; goto out; } val = accept_sec_context(apeer, &ac, flags|first_call, &otoken, &itoken, &deleg); step++; switch(val) { case GSMERR_OK: aDone = 1; if (iDone) continue; break; case GSMERR_CONTINUE_NEEDED: break; default: warnx("aPeer %s failed with %d (step %d)", apeer->name, (int)val, step); val = GSMERR_ERROR; goto out; } first_call = 0; val = GSMERR_OK; } if (iContext == NULL || val != GSMERR_OK) { if (ic) toast_resource(ipeer, ic); if (iContext) *iContext = 0; } else *iContext = ic; if (aContext == NULL || val != GSMERR_OK) { if (ac) toast_resource(apeer, ac); if (aContext) *aContext = 0; } else *aContext = ac; if (hDelegCred == NULL || val != GSMERR_OK) { if (deleg) toast_resource(apeer, deleg); if (hDelegCred) *hDelegCred = 0; 
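} else
        *hDelegCred = deleg;
 out:
    return val;
}

/*
 * Compare a plaintext that went through wrap on one peer and unwrap on
 * the other with the original message.  Returns GSMERR_OK when length
 * and content match, otherwise warns and returns GSMERR_ERROR.
 */
static int32_t
check_roundtrip(const krb5_data *msg, const krb5_data *out)
{
    if (msg->length != out->length) {
        warnx("decrypted'ed token have wrong length (%lu != %lu)",
              (unsigned long)msg->length, (unsigned long)out->length);
        return GSMERR_ERROR;
    }
    if (memcmp(msg->data, out->data, msg->length) != 0) {
        warnx("decryptd'ed token have wrong data");
        return GSMERR_ERROR;
    }
    return GSMERR_OK;
}

/*
 * Have c1 compute a MIC over a short fixed message on context hc1 and
 * have c2 verify it on context hc2.  Unlike test_wrap(), a failure here
 * is fatal for the whole run (errx).
 */
static void
test_mic(struct client *c1, int32_t hc1,
         struct client *c2, int32_t hc2)
{
    krb5_data msg, mic;
    int32_t val;

    msg.data = "foo";
    msg.length = 3;

    krb5_data_zero(&mic);

    val = get_mic(c1, hc1, &msg, &mic);
    if (val)
        errx(1, "get_mic failed to host: %s", c1->moniker);

    val = verify_mic(c2, hc2, &msg, &mic);
    if (val)
        errx(1, "verify_mic failed to host: %s", c2->moniker);

    krb5_data_free(&mic);
}

/*
 * Wrap a short fixed message on c1/hc1, unwrap it on c2/hc2 and check
 * that the plaintext survived.  `conf` is passed through unchanged as
 * the confidentiality flag to both peers.  Returns GSMERR_OK or the
 * first error encountered.
 */
static int32_t
test_wrap(struct client *c1, int32_t hc1,
          struct client *c2, int32_t hc2,
          int conf)
{
    krb5_data msg, wrapped, out;
    int32_t val;

    msg.data = "foo";
    msg.length = 3;

    krb5_data_zero(&wrapped);
    krb5_data_zero(&out);

    val = encrypt_token(c1, hc1, conf, &msg, &wrapped);
    if (val) {
        warnx("encrypt_token failed to host: %s", c1->moniker);
        return val;
    }

    val = decrypt_token(c2, hc2, conf, &wrapped, &out);
    if (val) {
        krb5_data_free(&wrapped);
        warnx("decrypt_token failed to host: %s", c2->moniker);
        return val;
    }

    val = check_roundtrip(&msg, &out);

    krb5_data_free(&wrapped);
    krb5_data_free(&out);

    return val;
}

/*
 * Same as test_wrap() but through the IOV (wrap_ext) interface, with a
 * sign-only header and trailer around the message.  `bflags` selects
 * the wrap_ext variant and is passed through to both peers.
 */
static int32_t
test_wrap_ext(struct client *c1, int32_t hc1,
              struct client *c2, int32_t hc2,
              int conf, int bflags)
{
    /*
     * 32 bytes of payload, a whole number of cipher blocks for most
     * enctypes.  The length is derived from the literal on purpose: an
     * earlier version declared a 16 byte string but set msg.length to
     * 32, so the peers wrapped and compared bytes past the end of the
     * literal (out-of-bounds read).
     */
    char payload[] = "0123456789abcdef0123456789abcdef";
    krb5_data header, msg, trailer, wrapped, out;
    int32_t val;

    header.data = "header";
    header.length = 6;

    msg.data = payload;
    msg.length = sizeof(payload) - 1;

    trailer.data = "trailer";
    trailer.length = 7;

    krb5_data_zero(&wrapped);
    krb5_data_zero(&out);

    val = wrap_token_ext(c1, hc1, conf, bflags, &header, &msg, &trailer, &wrapped);
    if (val) {
        warnx("encrypt_token failed to host: %s", c1->moniker);
        return val;
    }

    val = unwrap_token_ext(c2, hc2, conf, bflags, &header, &wrapped, &trailer, &out);
    if (val) {
        krb5_data_free(&wrapped);
        warnx("decrypt_token failed to host: %s", c2->moniker);
        return val;
    }

    val = check_roundtrip(&msg, &out);

    krb5_data_free(&wrapped);
    krb5_data_free(&out);

    return val;
}

/*
 * Run the per-message tests between two established contexts ten times
 * over: MIC in both directions, wrap/unwrap without and with
 * confidentiality in both directions and, when `wrap_ext` is set, the
 * IOV variants for every (conf, bflags) combination.  Returns GSMERR_OK
 * or the first wrap failure; MIC failures are fatal (see test_mic()).
 */
static int32_t
test_token(struct client *c1, int32_t hc1,
           struct client *c2, int32_t hc2,
           int wrap_ext)
{
    /* same order as the original hand-unrolled sequence */
    static const struct { int conf; int bflags; } ext_cases[] = {
        { 1, 0 }, { 1, 1 }, { 0, 0 }, { 0, 1 }
    };
    int32_t val;
    int i;
    size_t j;

    for (i = 0; i < 10; i++) {
        /* mic */
        test_mic(c1, hc1, c2, hc2);
        test_mic(c2, hc2, c1, hc1);

        /* wrap, no confidentiality, both directions */
        val = test_wrap(c1, hc1, c2, hc2, 0);
        if (val) return val;
        val = test_wrap(c2, hc2, c1, hc1, 0);
        if (val) return val;

        /* wrap, with confidentiality, both directions */
        val = test_wrap(c1, hc1, c2, hc2, 1);
        if (val) return val;
        val = test_wrap(c2, hc2, c1, hc1, 1);
        if (val) return val;

        if (wrap_ext) {
            /* wrap ext */
            for (j = 0; j < sizeof(ext_cases) / sizeof(ext_cases[0]); j++) {
                val = test_wrap_ext(c1, hc1, c2, hc2,
                                    ext_cases[j].conf, ext_cases[j].bflags);
                if (val) return val;
                val = test_wrap_ext(c2, hc2, c1, hc1,
                                    ext_cases[j].conf, ext_cases[j].bflags);
                if (val) return val;
            }
        }
    }
    return GSMERR_OK;
}

/*
 * Body of the per-client log reader (a thread, or with fork a child
 * process; see connect_client()).  Reads log records from the slave's
 * log socket until a read fails, echoing each record to stdout and the
 * log file.  `file` and `string` come from the remote slave and are
 * printed without any filtering.
 */
static int
log_function(void *ptr)
{
    struct client *c = ptr;
    int32_t cmd, line;
    char *file, *string;

    while (1) {
        if (krb5_ret_int32(c->logsock, &cmd))
            goto out;

        switch (cmd) {
        case eLogSetMoniker:
            if (krb5_ret_string(c->logsock, &file))
                goto out;
            free(file);
            break;
        case eLogInfo:
        case eLogFailure:
            if (krb5_ret_string(c->logsock, &file))
                goto out;
            if (krb5_ret_int32(c->logsock, &line))
                goto out;
            if (krb5_ret_string(c->logsock, &string))
                goto out;
            printf("%s:%lu: %s\n", file, (unsigned long)line, string);
            fprintf(logfile,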
"%s:%lu: %s\n", file, (unsigned long)line, string); fflush(logfile); free(file); free(string); if (krb5_store_int32(c->logsock, 0)) goto out; break; default: errx(1, "client send bad log command: %d", (int)cmd); } } out: return 0; } static void connect_client(const char *slave) { char *name, *port; struct client *c = ecalloc(1, sizeof(*c)); struct addrinfo hints, *res0, *res; int ret; krb5_socket_t sock; name = estrdup(slave); port = strchr(name, ':'); if (port == NULL) errx(1, "port missing from %s", name); *port++ = 0; c->name = estrdup(slave); memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; ret = getaddrinfo(name, port, &hints, &res0); if (ret) errx(1, "error resolving %s", name); for (res = res0, sock = rk_INVALID_SOCKET; res; res = res->ai_next) { sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol); if (sock == rk_INVALID_SOCKET) continue; if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) { rk_closesocket(sock); sock = rk_INVALID_SOCKET; continue; } c->sa = ecalloc(1, res->ai_addrlen); memcpy(c->sa, res->ai_addr, res->ai_addrlen); c->salen = res->ai_addrlen; break; /* okay we got one */ } if (sock == rk_INVALID_SOCKET) err(1, "connect to host: %s", name); freeaddrinfo(res); c->sock = krb5_storage_from_socket(sock); rk_closesocket(sock); if (c->sock == NULL) errx(1, "krb5_storage_from_fd"); { int32_t version; char *str = NULL; get_version_capa(c, &version, &c->capabilities, &str); if (str) { free(str); } if (c->capabilities & HAS_MONIKER) get_moniker(c, &c->moniker); else c->moniker = c->name; if (c->capabilities & ISSERVER) get_targetname(c, &c->target_name); } if (logfile) { printf("starting log socket to client %s\n", c->moniker); sock = wait_log(c); c->logsock = krb5_storage_from_socket(sock); rk_closesocket(sock); if (c->logsock == NULL) errx(1, "failed to create log krb5_storage"); #ifdef ENABLE_PTHREAD_SUPPORT pthread_create(&c->thr, NULL, log_function, c); #else c->child = fork(); if 
(c->child == -1) errx(1, "failed to fork"); else if (c->child == 0) { log_function(c); fclose(logfile); exit(0); } #endif } clients = erealloc(clients, (num_clients + 1) * sizeof(*clients)); clients[num_clients] = c; num_clients++; free(name); } static struct client * get_client(const char *slave) { size_t i; for (i = 0; i < num_clients; i++) if (strcmp(slave, clients[i]->name) == 0) return clients[i]; errx(1, "failed to find client %s", slave); } /* * */ static int version_flag; static int help_flag; static int wrap_ext = 0; static char *logfile_str; static getarg_strings principals; static getarg_strings slaves; struct getargs args[] = { { "principals", 0, arg_strings, &principals, "Test principal", NULL }, { "slaves", 0, arg_strings, &slaves, "Slaves", NULL }, { "log-file", 0, arg_string, &logfile_str, "Logfile", NULL }, { "wrap-ext", 0, arg_flag, &wrap_ext, "test wrap extended", NULL }, { "version", 0, arg_flag, &version_flag, "Print version", NULL }, { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static void usage(int ret) { arg_printusage (args, sizeof(args) / sizeof(args[0]), NULL, ""); exit (ret); } int main(int argc, char **argv) { int optidx= 0; char *user; char *password; char ***list, **p; size_t num_list, i, j, k; int failed = 0; setprogname (argv[0]); if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage (1); if (help_flag) usage (0); if (version_flag) { print_version (NULL); return 0; } if (optidx != argc) usage (1); if (principals.num_strings == 0) errx(1, "no principals"); user = estrdup(principals.strings[0]); password = strchr(user, ':'); if (password == NULL) errx(1, "password missing from %s", user); *password++ = 0; if (slaves.num_strings == 0) errx(1, "no principals"); if (logfile_str) { printf("open logfile %s\n", logfile_str); logfile = fopen(logfile_str, "w+"); if (logfile == NULL) err(1, "failed to open: %s", logfile_str); } /* * */ list = permutate_all(&slaves, &num_list); /* * Set up connection to all clients 
*/ printf("Connecting to slaves\n"); for (i = 0; i < slaves.num_strings; i++) connect_client(slaves.strings[i]); /* * Test acquire credentials */ printf("Test acquire credentials\n"); for (i = 0; i < slaves.num_strings; i++) { int32_t hCred, val; val = acquire_cred(clients[i], user, password, 1, &hCred); if (val != GSMERR_OK) { warnx("Failed to acquire_cred on host %s: %d", clients[i]->moniker, (int)val); failed = 1; } else toast_resource(clients[i], hCred); } if (failed) goto out; /* * First test if all slaves can build context to them-self. */ printf("Self context tests\n"); for (i = 0; i < num_clients; i++) { int32_t hCred, val, delegCred; int32_t clientC, serverC; struct client *c = clients[i]; if (c->target_name == NULL) continue; printf("%s connects to self using %s\n", c->moniker, c->target_name); val = acquire_cred(c, user, password, 1, &hCred); if (val != GSMERR_OK) errx(1, "failed to acquire_cred: %d", (int)val); val = build_context(c, c, GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG| GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG| GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG, hCred, &clientC, &serverC, &delegCred); if (val == GSMERR_OK) { test_token(c, clientC, c, serverC, wrap_ext); toast_resource(c, clientC); toast_resource(c, serverC); if (delegCred) toast_resource(c, delegCred); } else { warnx("build_context failed: %d", (int)val); } /* * */ val = build_context(c, c, GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG, hCred, &clientC, &serverC, &delegCred); if (val == GSMERR_OK) { test_token(c, clientC, c, serverC, wrap_ext); toast_resource(c, clientC); toast_resource(c, serverC); if (delegCred) toast_resource(c, delegCred); } else { warnx("build_context failed: %d", (int)val); } toast_resource(c, hCred); } /* * Build contexts though all entries in each lists, including the * step from the last entry to the first, ie treat the list as a * circle. * * Only follow the delegated credential, but test "all" * flags. (XXX only do deleg|mutual right now. 
*/ printf("\"All\" permutation tests\n"); for (i = 0; i < num_list; i++) { int32_t hCred, val, delegCred = 0; int32_t clientC = 0, serverC = 0; struct client *client, *server; p = list[i]; client = get_client(p[0]); val = acquire_cred(client, user, password, 1, &hCred); if (val != GSMERR_OK) errx(1, "failed to acquire_cred: %d", (int)val); for (j = 1; j < num_clients + 1; j++) { server = get_client(p[j % num_clients]); if (server->target_name == NULL) break; for (k = 1; k < j; k++) printf("\t"); printf("%s -> %s\n", client->moniker, server->moniker); val = build_context(client, server, GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG| GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG| GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG, hCred, &clientC, &serverC, &delegCred); if (val != GSMERR_OK) { warnx("build_context failed: %d", (int)val); break; } val = test_token(client, clientC, server, serverC, wrap_ext); if (val) break; toast_resource(client, clientC); toast_resource(server, serverC); if (!delegCred) { warnx("no delegated cred on %s", server->moniker); break; } toast_resource(client, hCred); hCred = delegCred; client = server; } if (hCred) toast_resource(client, hCred); } /* * Close all connections to clients */ out: printf("sending goodbye and waiting for log sockets\n"); for (i = 0; i < num_clients; i++) { goodbye(clients[i]); if (clients[i]->logsock) { #ifdef ENABLE_PTHREAD_SUPPORT pthread_join(&clients[i]->thr, NULL); #else waitpid(clients[i]->child, NULL, 0); #endif } } printf("done\n"); return 0; } heimdal-1.7~git20150920+dfsg/appl/gssmask/gssmask.c000066400000000000000000000665551257755311500217040ustar00rootroot00000000000000/* * Copyright (c) 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. 
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of KTH nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "common.h" RCSID("$Id$"); /* * */ enum handle_type { handle_context, handle_cred }; struct handle { int32_t idx; enum handle_type type; void *ptr; struct handle *next; }; struct client { krb5_storage *sock; krb5_storage *logging; char *moniker; int32_t nHandle; struct handle *handles; struct sockaddr_storage sa; socklen_t salen; char servername[MAXHOSTNAMELEN]; }; FILE *logfile; static char *targetname; krb5_context context; /* * */ static void logmessage(struct client *c, const char *file, unsigned int lineno, int level, const char *fmt, ...) 
{ char *message; va_list ap; int32_t ackid; int ret; va_start(ap, fmt); ret = vasprintf(&message, fmt, ap); va_end(ap); if (ret == -1) errx(1, "out of memory"); if (logfile) fprintf(logfile, "%s:%u: %d %s\n", file, lineno, level, message); if (c->logging) { if (krb5_store_int32(c->logging, eLogInfo) != 0) errx(1, "krb5_store_int32: log level"); if (krb5_store_string(c->logging, file) != 0) errx(1, "krb5_store_string: filename"); if (krb5_store_int32(c->logging, lineno) != 0) errx(1, "krb5_store_string: filename"); if (krb5_store_string(c->logging, message) != 0) errx(1, "krb5_store_string: message"); if (krb5_ret_int32(c->logging, &ackid) != 0) errx(1, "krb5_ret_int32: ackid"); } free(message); } /* * */ static int32_t add_handle(struct client *c, enum handle_type type, void *data) { struct handle *h; h = ecalloc(1, sizeof(*h)); h->idx = ++c->nHandle; h->type = type; h->ptr = data; h->next = c->handles; c->handles = h; return h->idx; } static void del_handle(struct handle **h, int32_t idx) { OM_uint32 min_stat; if (idx == 0) return; while (*h) { if ((*h)->idx == idx) { struct handle *p = *h; *h = (*h)->next; switch(p->type) { case handle_context: { gss_ctx_id_t c = p->ptr; gss_delete_sec_context(&min_stat, &c, NULL); break; } case handle_cred: { gss_cred_id_t c = p->ptr; gss_release_cred(&min_stat, &c); break; } } free(p); return; } h = &((*h)->next); } errx(1, "tried to delete an unexisting handle"); } static void * find_handle(struct handle *h, int32_t idx, enum handle_type type) { if (idx == 0) return NULL; while (h) { if (h->idx == idx) { if (type == h->type) return h->ptr; errx(1, "monger switched type on handle!"); } h = h->next; } return NULL; } static int32_t convert_gss_to_gsm(OM_uint32 maj_stat) { switch(maj_stat) { case 0: return GSMERR_OK; case GSS_S_CONTINUE_NEEDED: return GSMERR_CONTINUE_NEEDED; case GSS_S_DEFECTIVE_TOKEN: return GSMERR_INVALID_TOKEN; case GSS_S_BAD_MIC: return GSMERR_AP_MODIFIED; default: return GSMERR_ERROR; } } static int32_t 
convert_krb5_to_gsm(krb5_error_code ret) { switch(ret) { case 0: return GSMERR_OK; default: return GSMERR_ERROR; } } /* * */ static int32_t acquire_cred(struct client *c, krb5_principal principal, krb5_get_init_creds_opt *opt, int32_t *handle) { krb5_error_code ret; krb5_creds cred; krb5_ccache id; gss_cred_id_t gcred; OM_uint32 maj_stat, min_stat; *handle = 0; krb5_get_init_creds_opt_set_forwardable (opt, 1); krb5_get_init_creds_opt_set_renew_life (opt, 3600 * 24 * 30); memset(&cred, 0, sizeof(cred)); ret = krb5_get_init_creds_password (context, &cred, principal, NULL, NULL, NULL, 0, NULL, opt); if (ret) { logmessage(c, __FILE__, __LINE__, 0, "krb5_get_init_creds failed: %d", ret); return convert_krb5_to_gsm(ret); } ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id); if (ret) krb5_err (context, 1, ret, "krb5_cc_initialize"); ret = krb5_cc_initialize (context, id, cred.client); if (ret) krb5_err (context, 1, ret, "krb5_cc_initialize"); ret = krb5_cc_store_cred (context, id, &cred); if (ret) krb5_err (context, 1, ret, "krb5_cc_store_cred"); krb5_free_cred_contents (context, &cred); maj_stat = gss_krb5_import_cred(&min_stat, id, NULL, NULL, &gcred); krb5_cc_close(context, id); if (maj_stat) { logmessage(c, __FILE__, __LINE__, 0, "krb5 import creds failed with: %d", maj_stat); return convert_gss_to_gsm(maj_stat); } *handle = add_handle(c, handle_cred, gcred); return 0; } /* * */ #define HandleOP(h) \ handle##h(enum gssMaggotOp op, struct client *c) /* * */ static int HandleOP(GetVersionInfo) { put32(c, GSSMAGGOTPROTOCOL); errx(1, "GetVersionInfo"); } static int HandleOP(GoodBye) { struct handle *h = c->handles; unsigned int i = 0; while (h) { h = h->next; i++; } if (i) logmessage(c, __FILE__, __LINE__, 0, "Did not toast all resources: %d", i); return 1; } static int HandleOP(InitContext) { OM_uint32 maj_stat, min_stat, ret_flags; int32_t hContext, hCred, flags; krb5_data target_name, in_token; int32_t new_context_id = 0, gsm_error = 0; krb5_data out_token = { 0 , 
NULL }; gss_ctx_id_t ctx; gss_cred_id_t creds; gss_name_t gss_target_name; gss_buffer_desc input_token; gss_buffer_desc output_token = {0, 0}; gss_OID oid = GSS_C_NO_OID; gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER; ret32(c, hContext); ret32(c, hCred); ret32(c, flags); retdata(c, target_name); retdata(c, in_token); logmessage(c, __FILE__, __LINE__, 0, "targetname: <%.*s>", (int)target_name.length, (char *)target_name.data); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) hContext = 0; creds = find_handle(c->handles, hCred, handle_cred); if (creds == NULL) abort(); input_token.length = target_name.length; input_token.value = target_name.data; maj_stat = gss_import_name(&min_stat, &input_token, GSS_KRB5_NT_PRINCIPAL_NAME, &gss_target_name); if (GSS_ERROR(maj_stat)) { logmessage(c, __FILE__, __LINE__, 0, "import name creds failed with: %d", maj_stat); gsm_error = convert_gss_to_gsm(maj_stat); goto out; } /* oid from flags */ if (in_token.length) { input_token.length = in_token.length; input_token.value = in_token.data; input_token_ptr = &input_token; if (ctx == NULL) krb5_errx(context, 1, "initcreds, context NULL, but not first req"); } else { input_token.length = 0; input_token.value = NULL; if (ctx) krb5_errx(context, 1, "initcreds, context not NULL, but first req"); } if ((flags & GSS_C_DELEG_FLAG) != 0) logmessage(c, __FILE__, __LINE__, 0, "init_sec_context delegating"); if ((flags & GSS_C_DCE_STYLE) != 0) logmessage(c, __FILE__, __LINE__, 0, "init_sec_context dce-style"); maj_stat = gss_init_sec_context(&min_stat, creds, &ctx, gss_target_name, oid, flags & 0x7f, 0, NULL, input_token_ptr, NULL, &output_token, &ret_flags, NULL); if (GSS_ERROR(maj_stat)) { if (hContext != 0) del_handle(&c->handles, hContext); new_context_id = 0; logmessage(c, __FILE__, __LINE__, 0, "gss_init_sec_context returns code: %d/%d", maj_stat, min_stat); } else { if (input_token.length == 0) new_context_id = add_handle(c, handle_context, ctx); else new_context_id 
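= hContext;
    }

    gsm_error = convert_gss_to_gsm(maj_stat);

    if (output_token.length) {
        out_token.data = output_token.value;
        out_token.length = output_token.length;
    }

 out:
    logmessage(c, __FILE__, __LINE__, 0,
               "InitContext return code: %d", gsm_error);

    put32(c, new_context_id);
    put32(c, gsm_error);
    putdata(c, out_token);

    gss_release_name(&min_stat, &gss_target_name);
    if (output_token.length)
        gss_release_buffer(&min_stat, &output_token);
    krb5_data_free(&in_token);
    krb5_data_free(&target_name);

    return 0;
}

/*
 * Acceptor side of one gss_accept_sec_context() round trip.
 *
 * Reads: context handle (0 on the first call), flags (read but unused,
 * the acceptor cannot choose flags) and the input token.
 * Writes: the (possibly new) context handle, a GSMERR_* code, the
 * output token and a handle for the delegated credential (0 if none).
 * Always returns 0 so the command loop keeps serving.
 */
static int
HandleOP(AcceptContext)
{
    /*
     * ret_flags and output_token are initialised here because both are
     * read below even when gss_accept_sec_context() fails, and the mech
     * is not required to have set them on that path.
     */
    OM_uint32 maj_stat, min_stat, ret_flags = 0;
    int32_t hContext, deleg_hcred = 0, flags;
    krb5_data in_token;
    int32_t new_context_id = 0, gsm_error = 0;
    krb5_data out_token = { 0 , NULL };
    gss_ctx_id_t ctx;
    gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
    gss_buffer_desc input_token, output_token = { 0, NULL };

    ret32(c, hContext);
    ret32(c, flags);
    retdata(c, in_token);

    ctx = find_handle(c->handles, hContext, handle_context);
    if (ctx == NULL)
        hContext = 0;

    if (in_token.length) {
        input_token.length = in_token.length;
        input_token.value = in_token.data;
    } else {
        input_token.length = 0;
        input_token.value = NULL;
    }

    maj_stat = gss_accept_sec_context(&min_stat,
                                      &ctx,
                                      GSS_C_NO_CREDENTIAL,
                                      &input_token,
                                      GSS_C_NO_CHANNEL_BINDINGS,
                                      NULL,
                                      NULL,
                                      &output_token,
                                      &ret_flags,
                                      NULL,
                                      &deleg_cred);
    if (GSS_ERROR(maj_stat)) {
        /*
         * NOTE(review): del_handle() runs gss_delete_sec_context() on
         * the stored pointer; whether the mech already released the
         * context on failure is not visible here -- confirm there is
         * no double delete.
         */
        if (hContext != 0)
            del_handle(&c->handles, hContext);
        logmessage(c, __FILE__, __LINE__, 0,
                   "gss_accept_sec_context returns code: %d/%d",
                   maj_stat, min_stat);
        new_context_id = 0;
    } else {
        if (hContext == 0)
            new_context_id = add_handle(c, handle_context, ctx);
        else
            new_context_id = hContext;
    }

    if (output_token.length) {
        out_token.data = output_token.value;
        out_token.length = output_token.length;
    }

    if ((ret_flags & GSS_C_DCE_STYLE) != 0)
        logmessage(c, __FILE__, __LINE__, 0, "accept_sec_context dce-style");

    if ((ret_flags & GSS_C_DELEG_FLAG) != 0) {
        deleg_hcred = add_handle(c, handle_cred, deleg_cred);
        logmessage(c, __FILE__, __LINE__, 0,
                   "accept_context delegated handle: %d", deleg_hcred);
    } else {
        gss_release_cred(&min_stat, &deleg_cred);
        deleg_hcred = 0;
    }

    gsm_error = convert_gss_to_gsm(maj_stat);

    put32(c, new_context_id);
    put32(c, gsm_error);
    putdata(c, out_token);
    put32(c, deleg_hcred);

    if (output_token.length)
        gss_release_buffer(&min_stat, &output_token);
    krb5_data_free(&in_token);

    return 0;
}

/*
 * Release a context or credential handle.  Reads the handle, writes
 * GSMERR_OK.  An unknown non-zero handle is fatal (see del_handle()).
 */
static int
HandleOP(ToastResource)
{
    int32_t handle;

    ret32(c, handle);
    logmessage(c, __FILE__, __LINE__, 0, "toasting %d", handle);
    del_handle(&c->handles, handle);
    put32(c, GSMERR_OK);

    return 0;
}

/*
 * Acquire an initial credential for a principal.
 *
 * Reads: principal name, password, flags (read but unused).
 * Writes: a GSMERR_* code and the credential handle (0 on failure).
 *
 * The password is secret material: it is deliberately not logged --
 * logmessage() writes to a file and, unencrypted, to the maestro's log
 * socket -- and the buffer is scrubbed before it is freed.
 */
static int
HandleOP(AcquireCreds)
{
    char *name, *password;
    int32_t gsm_error, flags, handle = 0;
    krb5_principal principal = NULL;
    krb5_get_init_creds_opt *opt = NULL;
    krb5_error_code ret;

    retstring(c, name);
    retstring(c, password);
    ret32(c, flags);

    logmessage(c, __FILE__, __LINE__, 0,
               "username: %s", name);

    ret = krb5_parse_name(context, name, &principal);
    if (ret) {
        gsm_error = convert_krb5_to_gsm(ret);
        goto out;
    }

    ret = krb5_get_init_creds_opt_alloc (context, &opt);
    if (ret)
        krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");

    krb5_get_init_creds_opt_set_pa_password(context, opt, password, NULL);

    gsm_error = acquire_cred(c, principal, opt, &handle);

 out:
    logmessage(c, __FILE__, __LINE__, 0,
               "AcquireCreds handle: %d return code: %d", handle, gsm_error);

    if (opt)
        krb5_get_init_creds_opt_free (context, opt);
    if (principal)
        krb5_free_principal(context, principal);
    free(name);
    /*
     * Best-effort scrub; a plain memset() right before free() may be
     * optimised away, but it still beats leaving the password in the
     * heap for the lifetime of the process.
     */
    memset(password, 0, strlen(password));
    free(password);

    put32(c, gsm_error);
    put32(c, handle);

    return 0;
}

/*
 * Compute a MIC.  Reads: context handle, flags and seqno (both unused),
 * the message.  Writes: a status (always 0, see XXX) and the MIC.
 */
static int
HandleOP(Sign)
{
    OM_uint32 maj_stat, min_stat;
    int32_t hContext, flags, seqno;
    krb5_data token;
    gss_ctx_id_t ctx;
    gss_buffer_desc input_token, output_token;

    ret32(c, hContext);
    ret32(c, flags);
    ret32(c, seqno);
    retdata(c, token);

    ctx = find_handle(c->handles, hContext, handle_context);
    if (ctx == NULL)
        errx(1, "sign: reference to unknown context");

    input_token.length = token.length;
    input_token.value = token.data;

    maj_stat = gss_get_mic(&min_stat, ctx, 0,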
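&input_token, &output_token);
    if (maj_stat != GSS_S_COMPLETE)
        errx(1, "gss_get_mic failed");

    krb5_data_free(&token);

    token.data = output_token.value;
    token.length = output_token.length;

    put32(c, 0); /* XXX fix gsm_error */
    putdata(c, token);
    gss_release_buffer(&min_stat, &output_token);

    return 0;
}

/*
 * Verify a MIC.  Reads: context handle, flags and seqno (both unused),
 * the message and the MIC.  Writes: a GSMERR_* code.
 *
 * A MIC that fails to verify is a test outcome the maestro wants to see
 * (GSS_S_BAD_MIC maps to GSMERR_AP_MODIFIED in convert_gss_to_gsm()),
 * so it is reported on the wire instead of terminating this process and
 * leaving the maestro with a dead socket.  An unknown context handle is
 * still a harness error and stays fatal.
 */
static int
HandleOP(Verify)
{
    OM_uint32 maj_stat, min_stat;
    int32_t hContext, flags, seqno;
    krb5_data msg, mic;
    gss_ctx_id_t ctx;
    gss_buffer_desc msg_token, mic_token;
    gss_qop_t qop;

    ret32(c, hContext);
    ctx = find_handle(c->handles, hContext, handle_context);
    if (ctx == NULL)
        errx(1, "verify: reference to unknown context");

    ret32(c, flags);
    ret32(c, seqno);
    retdata(c, msg);

    msg_token.length = msg.length;
    msg_token.value = msg.data;

    retdata(c, mic);

    mic_token.length = mic.length;
    mic_token.value = mic.data;

    maj_stat = gss_verify_mic(&min_stat, ctx, &msg_token, &mic_token, &qop);
    if (maj_stat != GSS_S_COMPLETE)
        logmessage(c, __FILE__, __LINE__, 0,
                   "gss_verify_mic returns code: %d/%d", maj_stat, min_stat);

    krb5_data_free(&mic);
    krb5_data_free(&msg);

    put32(c, convert_gss_to_gsm(maj_stat));

    return 0;
}

/*
 * Report protocol version, capability bits (HAS_MONIKER, plus ISSERVER
 * when a target name was configured) and a free-form version string.
 */
static int
HandleOP(GetVersionAndCapabilities)
{
    int32_t cap = HAS_MONIKER;
    char name[256] = "unknown", *str;
    int ret;

    if (targetname)
        cap |= ISSERVER; /* is server */

#ifdef HAVE_UNAME
    {
        struct utsname ut;
        if (uname(&ut) == 0) {
            snprintf(name, sizeof(name), "%s-%s-%s",
                     ut.sysname, ut.version, ut.machine);
        }
    }
#endif

    ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
    if (ret == -1)
        errx(1, "out of memory");

    put32(c, GSSMAGGOTPROTOCOL);
    put32(c, cap);
    putstring(c, str);
    free(str);

    return 0;
}

/*
 * Return the configured target name, or the empty string when this
 * instance is not a server.
 */
static int
HandleOP(GetTargetName)
{
    if (targetname)
        putstring(c, targetname);
    else
        putstring(c, "");
    return 0;
}

/*
 * Connect back to the maestro's log port and redirect logging to it.
 * Reads the port number; the address is the one the control connection
 * came from (c->sa, whose port is overwritten here).  Nothing is written
 * back on the control socket, and every failure just leaves logging
 * where it was.
 *
 * The log channel is plain TCP -- unauthenticated, unencrypted, and the
 * connect-back port is chosen by the peer -- so nothing secret may ever
 * be passed to logmessage().
 */
static int
HandleOP(SetLoggingSocket)
{
    int32_t portnum;
    krb5_socket_t sock;
    int ret;

    ret32(c, portnum);

    logmessage(c, __FILE__, __LINE__, 0,
               "logging port on peer is: %d", (int)portnum);

    socket_set_port((struct sockaddr *)(&c->sa), htons(portnum));

    sock = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0);
    if (sock == rk_INVALID_SOCKET)
        return 0;

    ret = connect(sock, (struct sockaddr *)&c->sa, c->salen);
    if (ret < 0) {
        logmessage(c, __FILE__, __LINE__, 0, "failed connect to log port: %s",
                   strerror(errno));
        rk_closesocket(sock);
        return 0;
    }

    if (c->logging)
        krb5_storage_free(c->logging);
    c->logging = krb5_storage_from_socket(sock);
    rk_closesocket(sock);
    if (c->logging == NULL) {
        /* c->logging is NULL, so this reaches the log file only */
        logmessage(c, __FILE__, __LINE__, 0,
                   "failed to create log storage");
        return 0;
    }

    /*
     * Announce our moniker.  If even that fails, drop the channel rather
     * than keep a half-initialised one that the next logmessage() would
     * errx() on when it waits for its ack.
     */
    if (krb5_store_int32(c->logging, eLogSetMoniker) != 0 ||
        store_string(c->logging, c->moniker) != 0) {
        krb5_storage_free(c->logging);
        c->logging = NULL;
        return 0;
    }

    logmessage(c, __FILE__, __LINE__, 0, "logging turned on");

    return 0;
}

static int
HandleOP(ChangePassword)
{
    errx(1, "ChangePassword");
}

static int
HandleOP(SetPasswordSelf)
{
    errx(1, "SetPasswordSelf");
}

/*
 * gss_wrap().  Reads: context handle, flags (used as conf_req_flag),
 * seqno (unused), the message.  Writes: a status (always 0, see XXX)
 * and the wrapped token.
 */
static int
HandleOP(Wrap)
{
    OM_uint32 maj_stat, min_stat;
    int32_t hContext, flags, seqno;
    krb5_data token;
    gss_ctx_id_t ctx;
    gss_buffer_desc input_token, output_token;
    int conf_state;

    ret32(c, hContext);
    ret32(c, flags);
    ret32(c, seqno);
    retdata(c, token);

    ctx = find_handle(c->handles, hContext, handle_context);
    if (ctx == NULL)
        errx(1, "wrap: reference to unknown context");

    input_token.length = token.length;
    input_token.value = token.data;

    maj_stat = gss_wrap(&min_stat, ctx, flags, 0, &input_token,
                        &conf_state, &output_token);
    if (maj_stat != GSS_S_COMPLETE)
        errx(1, "gss_wrap failed");

    krb5_data_free(&token);

    token.data = output_token.value;
    token.length = output_token.length;

    put32(c, 0); /* XXX fix gsm_error */
    putdata(c, token);
    gss_release_buffer(&min_stat, &output_token);

    return 0;
}

/*
 * gss_unwrap().  Reads: context handle, flags and seqno (both unused),
 * the wrapped token.  Writes: a status (always 0, see XXX) and the
 * unwrapped message.
 */
static int
HandleOP(Unwrap)
{
    OM_uint32 maj_stat, min_stat;
    int32_t hContext, flags, seqno;
    krb5_data token;
    gss_ctx_id_t ctx;
    gss_buffer_desc input_token, output_token;
    int conf_state;
    gss_qop_t qop_state;

    ret32(c, hContext);
    ret32(c, flags);
    ret32(c, seqno);
    retdata(c, token);

    ctx = find_handle(c->handles, hContext, handle_context);
    if (ctx == NULL)
        errx(1, "unwrap: reference to unknown context");

    input_token.length = token.length;
    input_token.value = token.data;

    maj_stat = gss_unwrap(&min_stat, ctx, &input_token, &output_token,
                          &conf_state, &qop_state);
    if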
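(maj_stat != GSS_S_COMPLETE)
	errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat);

    krb5_data_free(&token);

    if (maj_stat == GSS_S_COMPLETE) {
	token.data = output_token.value;
	token.length = output_token.length;
    } else {
	token.data = NULL;
	token.length = 0;
    }

    put32(c, 0); /* XXX fix gsm_error */
    putdata(c, token);

    if (maj_stat == GSS_S_COMPLETE)
	gss_release_buffer(&min_stat, &output_token);

    return 0;
}

/* eEncrypt uses the same wire format as eWrap; dispatch to that handler. */
static int
HandleOP(Encrypt)
{
    return handleWrap(op, c);
}

/* eDecrypt uses the same wire format as eUnwrap; dispatch to that handler. */
static int
HandleOP(Decrypt)
{
    return handleUnwrap(op, c);
}

/* Not implemented: a peer requesting this op terminates the process. */
static int
HandleOP(ConnectLoggingService2)
{
    errx(1, "ConnectLoggingService2");
}

/* eGetMoniker: send this maggot's nickname (c->moniker) to the peer. */
static int
HandleOP(GetMoniker)
{
    putstring(c, c->moniker);
    return 0;
}

/* Not implemented: a peer requesting this op terminates the process. */
static int
HandleOP(CallExtension)
{
    errx(1, "CallExtension");
}

/*
 * eAcquirePKInitCreds: stub.
 * Wire: int32 flags, data pkcs12 blob
 *    -> int32 hResource (always -1), int32 gsm status (GSMERR_NOT_SUPPORTED).
 *
 * The PKCS#12 blob is written to a private mkstemp() file, but nothing
 * retains the file name or reads it back, so the file is removed again
 * before returning rather than leaving key material behind in /tmp.
 * A failed or short write is fatal, like the other I/O errors here.
 */
static int
HandleOP(AcquirePKInitCreds)
{
    int32_t flags;
    krb5_data pfxdata;
    char fn[] = "FILE:/tmp/pkcs12-creds-XXXXXXX";
    ssize_t n;
    int fd;

    ret32(c, flags);
    retdata(c, pfxdata);

    /* skip the "FILE:" prefix: mkstemp() wants a bare path template */
    fd = mkstemp(fn + 5);
    if (fd < 0)
	errx(1, "mkstemp");

    n = net_write(fd, pfxdata.data, pfxdata.length);
    if (n < 0 || (size_t)n != pfxdata.length) {
	close(fd);
	unlink(fn + 5);
	errx(1, "write of pkcs12 data to %s failed", fn + 5);
    }
    krb5_data_free(&pfxdata);
    close(fd);
    unlink(fn + 5);

    put32(c, -1); /* hResource */
    put32(c, GSMERR_NOT_SUPPORTED);
    return 0;
}

/*
 * eWrapExt: gss_wrap_iov() with optional sign-only header and trailer.
 * Wire: int32 hContext, int32 flags, int32 bflags, data header,
 *       data plaintext, data trailer
 *    -> int32 gsm status, data ciphertext.
 * With WRAP_EXP_ONLY_HEADER in bflags the padding and trailer buffers
 * are left out of the iov passed to the mechanism (DCE style).
 */
static int
HandleOP(WrapExt)
{
    OM_uint32 maj_stat, min_stat;
    int32_t hContext, flags, bflags;
    krb5_data token, header, trailer;
    gss_ctx_id_t ctx;
    unsigned char *p;
    int conf_state, iov_len;
    gss_iov_buffer_desc iov[6];

    ret32(c, hContext);
    ret32(c, flags);
    ret32(c, bflags);
    retdata(c, header);
    retdata(c, token);
    retdata(c, trailer);

    ctx = find_handle(c->handles, hContext, handle_context);
    if (ctx == NULL)
	errx(1, "wrap: reference to unknown context");

    memset(&iov, 0, sizeof(iov));

    iov_len = sizeof(iov)/sizeof(iov[0]);

    if (bflags & WRAP_EXP_ONLY_HEADER)
	iov_len -= 2; /* skip trailer and padding, aka dce-style */

    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
    if (header.length != 0) {
	iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
	iov[1].buffer.length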
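= header.length;
	iov[1].buffer.value = header.data;
    } else {
	iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY;
    }
    iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
    iov[2].buffer.length = token.length;
    iov[2].buffer.value = token.data;
    if (trailer.length != 0) {
	iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
	iov[3].buffer.length = trailer.length;
	iov[3].buffer.value = trailer.data;
    } else {
	iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY;
    }
    /* padding and trailer are sized by gss_wrap_iov_length() and
     * allocated by the mechanism; in the dce-style case they sit past
     * iov_len and keep the zero length from the memset above */
    iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
    iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;

    maj_stat = gss_wrap_iov_length(&min_stat, ctx, flags, 0, &conf_state,
				   iov, iov_len);
    if (maj_stat != GSS_S_COMPLETE)
	errx(1, "gss_wrap_iov_length failed");

    maj_stat = gss_wrap_iov(&min_stat, ctx, flags, 0, &conf_state,
			    iov, iov_len);
    if (maj_stat != GSS_S_COMPLETE)
	errx(1, "gss_wrap_iov failed");

    krb5_data_free(&token);

    /* hand the peer one blob: gss header | data | padding | trailer */
    token.length = iov[0].buffer.length +
	iov[2].buffer.length +
	iov[4].buffer.length +
	iov[5].buffer.length;
    token.data = malloc(token.length);
    if (token.length != 0 && token.data == NULL)
	errx(1, "out of memory");

    p = token.data;
    memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
    p += iov[0].buffer.length;
    memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
    p += iov[2].buffer.length;
    memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
    p += iov[4].buffer.length;
    memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
    p += iov[5].buffer.length;

    gss_release_iov_buffer(NULL, iov, iov_len);
    /* the sign-only buffers point into header/trailer, which are ours
     * (from retdata) and are not released by gss_release_iov_buffer */
    krb5_data_free(&header);
    krb5_data_free(&trailer);

    put32(c, 0); /* XXX fix gsm_error */
    putdata(c, token);

    free(token.data);

    return 0;
}

/*
 * eUnwrapExt: gss_unwrap_iov() counterpart of eWrapExt.
 * Wire: int32 hContext, int32 flags, int32 bflags, data header,
 *       data ciphertext, data trailer
 *    -> int32 gsm status, data plaintext.
 * WRAP_EXP_ONLY_HEADER in bflags drops the trailer buffer from the iov.
 */
static int
HandleOP(UnwrapExt)
{
    OM_uint32 maj_stat, min_stat;
    int32_t hContext, flags, bflags;
    krb5_data token, header, trailer;
    gss_ctx_id_t ctx;
    gss_iov_buffer_desc iov[3];
    int conf_state, iov_len;
    gss_qop_t qop_state;

    ret32(c, hContext);
    ret32(c, flags);
    ret32(c, bflags);
    retdata(c, header);
    retdata(c, token);
    retdata(c, trailer);

    iov_len = sizeof(iov)/sizeof(iov[0]);

    if (bflags & WRAP_EXP_ONLY_HEADER)
	iov_len -= 1; /* skip trailer and padding, aka dce-style */

    ctx =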
find_handle(c->handles, hContext, handle_context); if (ctx == NULL) errx(1, "unwrap: reference to unknown context"); if (header.length != 0) { iov[0].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[0].buffer.length = header.length; iov[0].buffer.value = header.data; } else { iov[0].type = GSS_IOV_BUFFER_TYPE_EMPTY; } iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.length = token.length; iov[1].buffer.value = token.data; if (trailer.length != 0) { iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[2].buffer.length = trailer.length; iov[2].buffer.value = trailer.data; } else { iov[2].type = GSS_IOV_BUFFER_TYPE_EMPTY; } maj_stat = gss_unwrap_iov(&min_stat, ctx, &conf_state, &qop_state, iov, iov_len); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat); if (maj_stat == GSS_S_COMPLETE) { token.data = iov[1].buffer.value; token.length = iov[1].buffer.length; } else { token.data = NULL; token.length = 0; } put32(c, 0); /* XXX fix gsm_error */ putdata(c, token); return 0; } /* * */ struct handler { enum gssMaggotOp op; const char *name; int (*func)(enum gssMaggotOp, struct client *); }; #define S(a) { e##a, #a, handle##a } struct handler handlers[] = { S(GetVersionInfo), S(GoodBye), S(InitContext), S(AcceptContext), S(ToastResource), S(AcquireCreds), S(Encrypt), S(Decrypt), S(Sign), S(Verify), S(GetVersionAndCapabilities), S(GetTargetName), S(SetLoggingSocket), S(ChangePassword), S(SetPasswordSelf), S(Wrap), S(Unwrap), S(ConnectLoggingService2), S(GetMoniker), S(CallExtension), S(AcquirePKInitCreds), S(WrapExt), S(UnwrapExt), }; #undef S /* * */ static struct handler * find_op(int32_t op) { int i; for (i = 0; i < sizeof(handlers)/sizeof(handlers[0]); i++) if (handlers[i].op == op) return &handlers[i]; return NULL; } static struct client * create_client(krb5_socket_t sock, int port, const char *moniker) { struct client *c; int ret; c = ecalloc(1, sizeof(*c)); if (moniker) { c->moniker = estrdup(moniker); } else { char 
hostname[MAXHOSTNAMELEN]; gethostname(hostname, sizeof(hostname)); ret = asprintf(&c->moniker, "gssmask: %s:%d", hostname, port); if (ret == -1) c->moniker = NULL; } if (!c->moniker) errx(1, "out of memory"); { c->salen = sizeof(c->sa); getpeername(sock, (struct sockaddr *)&c->sa, &c->salen); getnameinfo((struct sockaddr *)&c->sa, c->salen, c->servername, sizeof(c->servername), NULL, 0, NI_NUMERICHOST); } c->sock = krb5_storage_from_socket(sock); if (c->sock == NULL) errx(1, "krb5_storage_from_socket"); rk_closesocket(sock); return c; } static void free_client(struct client *c) { while(c->handles) del_handle(&c->handles, c->handles->idx); free(c->moniker); krb5_storage_free(c->sock); if (c->logging) krb5_storage_free(c->logging); free(c); } static void * handleServer(void *ptr) { struct handler *handler; struct client *c; int32_t op; c = (struct client *)ptr; while(1) { ret32(c, op); handler = find_op(op); if (handler == NULL) { logmessage(c, __FILE__, __LINE__, 0, "op %d not supported", (int)op); exit(1); } logmessage(c, __FILE__, __LINE__, 0, "---> Got op %s from server %s", handler->name, c->servername); if ((handler->func)(handler->op, c)) break; } return NULL; } static char *port_str; static int version_flag; static int help_flag; static char *logfile_str; static char *moniker_str; static int port = 4711; struct getargs args[] = { { "spn", 0, arg_string, &targetname, "This host's SPN", "service/host@REALM" }, { "port", 'p', arg_string, &port_str, "Use this port", "number-of-service" }, { "logfile", 0, arg_string, &logfile_str, "logfile", "number-of-service" }, { "moniker", 0, arg_string, &moniker_str, "nickname", "name" }, { "version", 0, arg_flag, &version_flag, "Print version", NULL }, { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static void usage(int ret) { arg_printusage (args, sizeof(args) / sizeof(args[0]), NULL, ""); exit (ret); } int main(int argc, char **argv) { int optidx = 0; setprogname (argv[0]); if (getarg (args, sizeof(args) / 
sizeof(args[0]), argc, argv, &optidx)) usage (1); if (help_flag) usage (0); if (version_flag) { print_version (NULL); return 0; } if (optidx != argc) usage (1); if (port_str) { char *ptr; port = strtol (port_str, &ptr, 10); if (port == 0 && ptr == port_str) errx (1, "Bad port `%s'", port_str); } krb5_init_context(&context); { const char *lf = logfile_str; if (lf == NULL) lf = "/dev/tty"; logfile = fopen(lf, "w"); if (logfile == NULL) err(1, "error opening %s", lf); } mini_inetd(htons(port), NULL); fprintf(logfile, "connected\n"); { struct client *c; c = create_client(0, port, moniker_str); /* close(0); */ handleServer(c); free_client(c); } krb5_free_context(context); return 0; } heimdal-1.7~git20150920+dfsg/appl/gssmask/protocol.h000066400000000000000000000170171257755311500220670ustar00rootroot00000000000000/* * Copyright (c) 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of KTH nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* * $Id$ */ /* missing from tests: * - export context * - import context */ /* * wire encodings: * int16: number, 2 bytes, in network order * int32: number, 4 bytes, in network order * length-encoded: [int32 length, data of length bytes] * string: [int32 length, string of length + 1 bytes, includes trailing '\0' ] */ enum gssMaggotErrorCodes { GSMERR_OK = 0, GSMERR_ERROR, GSMERR_CONTINUE_NEEDED, GSMERR_INVALID_TOKEN, GSMERR_AP_MODIFIED, GSMERR_TEST_ISSUE, GSMERR_NOT_SUPPORTED }; /* * input: * int32: message OP (enum gssMaggotProtocol) * ... * * return: -- on error * int32: not support (GSMERR_NOT_SUPPORTED) * * return: -- on existing message OP * int32: support (GSMERR_OK) -- only sent for extensions * ... */ #define GSSMAGGOTPROTOCOL 14 enum gssMaggotOp { eGetVersionInfo = 0, /* * input: * none * return: * int32: last version handled */ eGoodBye, /* * input: * none * return: * close socket */ eInitContext, /* * input: * int32: hContext * int32: hCred * int32: Flags * the lowest 0x7f flags maps directly to GSS-API flags * DELEGATE 0x001 * MUTUAL_AUTH 0x002 * REPLAY_DETECT 0x004 * SEQUENCE_DETECT 0x008 * CONFIDENTIALITY 0x010 * INTEGRITY 0x020 * ANONYMOUS 0x040 * * FIRST_CALL 0x080 * * NTLM 0x100 * SPNEGO 0x200 * length-encoded: targetname * length-encoded: token * return: * int32: hNewContextId * int32: gssapi status val * length-encoded: output token */ eAcceptContext, /* * input: * int32: hContext * int32: Flags -- unused ? 
* flags are same as flags for eInitContext * length-encoded: token * return: * int32: hNewContextId * int32: gssapi status val * length-encoded: output token * int32: delegation cred id */ eToastResource, /* * input: * int32: hResource * return: * int32: gsm status val */ eAcquireCreds, /* * input: * string: principal name * string: password * int32: flags * FORWARDABLE 0x001 * DEFAULT_CREDS 0x002 * * NTLM 0x100 * SPNEGO 0x200 * return: * int32: gsm status val * int32: hCred */ eEncrypt, /* * input: * int32: hContext * int32: flags * int32: seqno -- unused * length-encode: plaintext * return: * int32: gsm status val * length-encode: ciphertext */ eDecrypt, /* * input: * int32: hContext * int32: flags * int32: seqno -- unused * length-encode: ciphertext * return: * int32: gsm status val * length-encode: plaintext */ eSign, /* message same as eEncrypt */ eVerify, /* * input: * int32: hContext * int32: flags * int32: seqno -- unused * length-encode: message * length-encode: signature * return: * int32: gsm status val */ eGetVersionAndCapabilities, /* * return: * int32: protocol version * int32: capability flags */ #define ISSERVER 0x01 #define ISKDC 0x02 #define MS_KERBEROS 0x04 #define LOGSERVER 0x08 #define HAS_MONIKER 0x10 /* string: version string */ eGetTargetName, /* * return: * string: target principal name */ eSetLoggingSocket, /* * input: * int32: hostPort * return to the port on the host: * int32: opcode - for example eLogSetMoniker */ eChangePassword, /* here ended version 7 of the protocol */ /* * input: * string: principal name * string: old password * string: new password * return: * int32: gsm status val */ eSetPasswordSelf, /* same as eChangePassword */ eWrap, /* message same as eEncrypt */ eUnwrap, /* message same as eDecrypt */ eConnectLoggingService2, /* * return1: * int16: log port number * int32: master log prototocol version (0) * * wait for master to connect on the master log socket * * return2: * int32: gsm connection status * int32: maggot log 
prototocol version (2) */ eGetMoniker, /* * return: * string: moniker (Nickname the master can refer to maggot) */ eCallExtension, /* * input: * string: extension name * int32: message id * return: * int32: gsm status val */ eAcquirePKInitCreds, /* * input: * int32: flags * length-encode: certificate (pkcs12 data) * return: * int32: hResource * int32: gsm status val (GSMERR_NOT_SUPPORTED) */ /* here ended version 7 of the protocol */ eWrapExt, /* * input: * int32: hContext * int32: flags * int32: bflags * length-encode: protocol header * length-encode: plaintext * length-encode: protocol trailer * return: * int32: gsm status val * length-encode: ciphertext */ eUnwrapExt, /* * input: * int32: hContext * int32: flags * int32: bflags * length-encode: protocol header * length-encode: ciphertext * length-encode: protocol trailer * return: * int32: gsm status val * length-encode: plaintext */ /* here ended version 8 of the protocol */ eLastProtocolMessage }; /* bflags */ #define WRAP_EXP_ONLY_HEADER 1 enum gssMaggotLogOp{ eLogInfo = 0, /* string: File int32: Line string: message reply: int32: ackid */ eLogFailure, /* string: File int32: Line string: message reply: int32: ackid */ eLogSetMoniker /* string: moniker */ }; heimdal-1.7~git20150920+dfsg/appl/kf/000077500000000000000000000000001257755311500167775ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/kf/Makefile.am000066400000000000000000000005121257755311500210310ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common bin_PROGRAMS = kf libexec_PROGRAMS = kfd man_MANS = kf.1 kfd.8 kf_SOURCES = kf.c kf_locl.h kfd_SOURCES = kfd.c kf_locl.h LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) EXTRA_DIST = NTMakefile $(man_MANS) heimdal-1.7~git20150920+dfsg/appl/kf/NTMakefile000066400000000000000000000027301257755311500207030ustar00rootroot00000000000000######################################################################## # 
# Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\kf !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/kf/kf.1000066400000000000000000000060241257755311500174630ustar00rootroot00000000000000.\" Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. 
Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $Id$ .\" .Dd July 2, 2000 .Dt KF 1 .Os Heimdal .Sh NAME .Nm kf .Nd securely forward tickets .Sh SYNOPSIS .Nm .Oo .Fl p Ar port | .Fl Fl port Ns = Ns Ar port .Oc .Oo .Fl l Ar login | .Fl Fl login Ns = Ns Ar login .Oc .Oo .Fl c Ar ccache | .Fl Fl ccache Ns = Ns Ar ccache .Oc .Op Fl F | -forwardable .Op Fl G | -no-forwardable .Op Fl h | -help .Op Fl Fl version .Ar host ... .Sh DESCRIPTION The .Nm program forwards tickets to a remote host through an authenticated and encrypted stream. 
Options supported are: .Bl -tag -width indent .It Xo .Fl p Ar port , .Fl Fl port Ns = Ns Ar port .Xc port to connect to .It Xo .Fl l Ar login , .Fl Fl login Ns = Ns Ar login .Xc remote login name .It Xo .Fl c Ar ccache , .Fl Fl ccache Ns = Ns Ar ccache .Xc remote cred cache .It Fl F , -forwardable forward forwardable credentials .It Fl G , -no-forwardable do not forward forwardable credentials .It Fl h , -help .It Fl Fl version .El .Pp .Nm is useful when you do not want to enter your password on a remote host but want to have your tickets on, for example, AFS. .Pp In order for .Nm to work you will need to acquire your initial ticket with the forwardable flag, i.e. .Nm kinit Fl Fl forwardable . .Pp .Nm telnet is able to forward tickets by itself. .\".Sh ENVIRONMENT .\".Sh FILES .\".Sh EXAMPLES .\".Sh DIAGNOSTICS .Sh SEE ALSO .Xr kinit 1 , .Xr telnet 1 , .Xr kfd 8 .\".Sh STANDARDS .\".Sh HISTORY .\".Sh AUTHORS .\".Sh BUGS heimdal-1.7~git20150920+dfsg/appl/kf/kf.c000066400000000000000000000217631257755311500175520ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
* * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "kf_locl.h" RCSID("$Id$"); krb5_context context; static int help_flag; static int version_flag; static char *port_str; const char *service = KF_SERVICE; const char *remote_name = NULL; int forwardable = 0; const char *ccache_name = NULL; static struct getargs args[] = { { "port", 'p', arg_string, &port_str, "port to connect to", "port" }, { "login", 'l',arg_string, &remote_name,"remote login name","login"}, { "ccache", 'c',arg_string, &ccache_name, "remote cred cache","ccache"}, { "forwardable",'F',arg_flag,&forwardable, "Forward forwardable credentials", NULL }, { "forwardable",'G',arg_negative_flag,&forwardable, "Don't forward forwardable credentials", NULL }, { "help", 'h', arg_flag, &help_flag, NULL, NULL }, { "version", 0, arg_flag, &version_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); static void usage(int code, struct getargs *inargs, int num_inargs) { arg_printusage(inargs, num_inargs, NULL, "hosts"); exit(code); } static int client_setup(krb5_context *ctx, int *argc, char **argv) { int optidx = 0; int port = 0; int status; setprogname (argv[0]); status = krb5_init_context (ctx); if (status) errx(1, "krb5_init_context failed: %d", status); forwardable = 
krb5_config_get_bool (*ctx, NULL, "libdefaults", "forwardable", NULL); if (getarg (args, num_args, *argc, argv, &optidx)) usage(1, args, num_args); if(help_flag) usage (0, args, num_args); if(version_flag) { print_version(NULL); exit(0); } if(port_str) { struct servent *s = roken_getservbyname(port_str, "tcp"); if(s) port = s->s_port; else { char *ptr; port = strtol (port_str, &ptr, 10); if (port == 0 && ptr == port_str) errx (1, "Bad port `%s'", port_str); port = htons(port); } } if (port == 0) port = krb5_getportbyname (*ctx, KF_PORT_NAME, "tcp", KF_PORT_NUM); if(*argc - optidx < 1) usage(1, args, num_args); *argc = optidx; return port; } /* * forward creds to `hostname'/`service' over `sock' * return 0 iff OK */ static int proto (int sock, const char *hostname, const char *svc, char *message, size_t len) { krb5_auth_context auth_context; krb5_error_code status; krb5_principal server; krb5_data data; krb5_data data_send; krb5_ccache ccache; krb5_creds creds; krb5_kdc_flags flags; krb5_principal principal; status = krb5_auth_con_init (context, &auth_context); if (status) { krb5_warn (context, status, "krb5_auth_con_init"); return 1; } status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_auth_con_setaddr"); return 1; } status = krb5_sname_to_principal (context, hostname, svc, KRB5_NT_SRV_HST, &server); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_sname_to_principal"); return 1; } status = krb5_sendauth (context, &auth_context, &sock, KF_VERSION_1, NULL, server, AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, NULL, NULL, NULL, NULL, NULL, NULL); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn(context, status, "krb5_sendauth"); return 1; } if (ccache_name == NULL) ccache_name = ""; data_send.data = (void *)remote_name; data_send.length = strlen(remote_name) + 1; status = 
krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_write_message"); return 1; } data_send.data = (void *)ccache_name; data_send.length = strlen(ccache_name)+1; status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_write_message"); return 1; } memset (&creds, 0, sizeof(creds)); status = krb5_cc_default (context, &ccache); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_cc_default"); return 1; } status = krb5_cc_get_principal (context, ccache, &principal); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_cc_get_principal"); return 1; } creds.client = principal; status = krb5_make_principal (context, &creds.server, principal->realm, KRB5_TGS_NAME, principal->realm, NULL); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_make_principal"); return 1; } creds.times.endtime = 0; flags.i = 0; flags.b.forwarded = 1; flags.b.forwardable = forwardable; status = krb5_get_forwarded_creds (context, auth_context, ccache, flags.i, hostname, &creds, &data); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_get_forwarded_creds"); return 1; } status = krb5_write_priv_message(context, auth_context, &sock, &data); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_mk_priv"); return 1; } krb5_data_free (&data); status = krb5_read_priv_message(context, auth_context, &sock, &data); krb5_auth_con_free(context, auth_context); if (status) { krb5_warn (context, status, "krb5_mk_priv"); return 1; } if(data.length >= len) { krb5_warnx (context, "returned string is too long, truncating"); memcpy(message, data.data, len); message[len - 1] = '\0'; } else { memcpy(message, 
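data.data, data.length);
	message[data.length] = '\0';
    }
    krb5_data_free (&data);
    return(strcmp(message, "ok"));
}

/*
 * Connect to `hostname' on `port' (network byte order) and run the
 * forwarding protocol for service `svc' over the first address that
 * accepts the connection.  The server's reply text is copied into
 * `message' (at most `len' bytes, NUL-terminated); on every failure path
 * `message' is left as the empty string so callers can always print it.
 * Returns 0 iff the server answered "ok".
 */
static int
doit (const char *hostname, int port, const char *svc,
      char *message, size_t len)
{
    struct addrinfo *ai, *a;
    struct addrinfo hints;
    int error;
    char portstr[NI_MAXSERV];

    /* proto() only fills `message' once a reply arrives; make sure an
     * earlier failure does not leave the caller with an uninitialised
     * buffer to print */
    if (len > 0)
	message[0] = '\0';

    memset (&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;

    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));

    error = getaddrinfo (hostname, portstr, &hints, &ai);
    if (error) {
	errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error));
    }

    for (a = ai; a != NULL; a = a->ai_next) {
	int s;
	int ret;

	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
	if (s < 0)
	    continue;
	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
	    warn ("connect(%s)", hostname);
	    close (s);
	    continue;
	}
	freeaddrinfo (ai);
	ret = proto (s, hostname, svc, message, len);
	close (s); /* proto() does not close the socket it was handed */
	return ret;
    }
    warnx ("failed to contact %s", hostname);
    freeaddrinfo (ai);
    return 1;
}

/*
 * Parse options, default the remote login name to the local user and
 * forward credentials to every host named on the command line.
 * The exit status is the result for the last host tried.
 */
int
main(int argc, char **argv)
{
    int argcc,port,i;
    int ret=0;

    argcc = argc;
    port = client_setup(&context, &argcc, argv);
    if (remote_name == NULL) {
	remote_name = get_default_username ();
	if (remote_name == NULL)
	    errx (1, "who are you?");
    }
    for (i = argcc;i < argc; i++) {
	char message[128];

	ret = doit (argv[i], port, service, message, sizeof(message));
	if(ret == 0)
	    warnx ("%s: ok", argv[i]);
	else
	    warnx ("%s: failed: %s", argv[i], message);
    }
    return(ret);
}
heimdal-1.7~git20150920+dfsg/appl/kf/kf_locl.h000066400000000000000000000046261257755311500205670ustar00rootroot00000000000000/*
 * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2.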
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_NETINET_IN6_H #include #endif #ifdef HAVE_NETINET6_IN6_H #include #endif #ifdef HAVE_PWD_H #include #endif #ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_SYS_PARAM_H #include #endif #include #include #include #include #include #define KF_SERVICE "host" #define KF_PORT_NAME "kf" #define KF_PORT_NUM 2110 #define KF_VERSION_1 "KFWDV0.1" heimdal-1.7~git20150920+dfsg/appl/kf/kfd.8000066400000000000000000000047051257755311500176420ustar00rootroot00000000000000.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). 
.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $Id$ .\" .Dd July 2, 2000 .Dt KFD 8 .Os Heimdal .Sh NAME .Nm kfd .Nd receive forwarded tickets .Sh SYNOPSIS .Nm .Oo .Fl p Ar port | .Fl Fl port Ns = Ns Ar port .Oc .Op Fl i | -inetd .Oo .Fl R Ar regpag | .Fl Fl regpag Ns = Ns Ar regpag .Oc .Op Fl h | -help .Op Fl Fl version .Sh DESCRIPTION This is the daemon for .Xr kf 1 . 
Supported options: .Bl -tag -width indent .It Xo .Fl p Ar port , .Fl Fl port Ns = Ns Ar port .Xc port to listen to .It Fl i , -inetd not started from inetd .It Xo .Fl R Ar regpag , .Fl Fl regpag= Ns Ar regpag .Xc path to regpag binary .El .\".Sh ENVIRONMENT .\".Sh FILES .Sh EXAMPLES Put the following in .Pa /etc/inetd.conf : .Bd -literal kf stream tcp nowait root /usr/heimdal/libexec/kfd kfd .Ed .\".Sh DIAGNOSTICS .Sh SEE ALSO .Xr kf 1 .\".Sh STANDARDS .\".Sh HISTORY .\".Sh AUTHORS .\".Sh BUGS heimdal-1.7~git20150920+dfsg/appl/kf/kfd.c000066400000000000000000000211361257755311500177120ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
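IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "kf_locl.h"
RCSID("$Id$");

krb5_context context;
/* name of the credential cache proto() wrote; handed to regpag by main() */
char krb5_tkfile[MAXPATHLEN];

static int help_flag;
static int version_flag;
static char *port_str;
char *service = KF_SERVICE;
int do_inetd = 0;
static char *regpag_str = NULL;

static struct getargs args[] = {
    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
    { "inetd", 'i', arg_flag, &do_inetd, "Not started from inetd", NULL },
    { "regpag", 'R', arg_string, &regpag_str, "path to regpag binary", "regpag" },
    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
    { "version", 0, arg_flag, &version_flag, NULL, NULL }
};

static int num_args = sizeof(args) / sizeof(args[0]);

/* print the option summary and exit with `code' */
static void
usage(int code, struct getargs *inargs, int num_inargs)
{
    arg_printusage(inargs, num_inargs, NULL, "");
    exit(code);
}

/*
 * Parse the command line and work out which TCP port to serve on.
 *
 * Returns the port in network byte order.  -p accepts either a service
 * name (looked up in the tcp services database) or a decimal number in
 * 0..65535; a partially numeric string or an out-of-range number is
 * rejected instead of being silently truncated by htons().  A port of 0
 * (or no -p at all) falls back to the KF_PORT_NAME service, default
 * KF_PORT_NUM.  kfd takes no positional arguments.
 */
static int
server_setup(krb5_context *ctx, int argc, char **argv)
{
    int port = 0;
    int local_argc;

    local_argc = krb5_program_setup(ctx, argc, argv, args, num_args, usage);
    if (help_flag)
        (*usage)(0, args, num_args);
    if (version_flag) {
        print_version(NULL);
        exit(0);
    }

    if (port_str) {
        struct servent *s = roken_getservbyname(port_str, "tcp");
        if (s)
            port = s->s_port;
        else {
            char *ptr;
            long p;

            p = strtol (port_str, &ptr, 10);
            /* the whole string must be digits and the value must fit a port */
            if (ptr == port_str || *ptr != '\0' || p < 0 || p > 65535)
                errx (1, "Bad port `%s'", port_str);
            port = htons((unsigned short)p);
        }
    }
    if (port == 0)
        port = krb5_getportbyname (*ctx, KF_PORT_NAME, "tcp", KF_PORT_NUM);

    if (argv[local_argc] != NULL)
        usage(1, args, num_args);
    return port;
}

/* set by kfd_match_version(): 1 for KF_VERSION_1 clients, 0 for old ones */
static int protocol_version;

static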
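krb5_boolean
kfd_match_version(const void *arg, const char *version)
{
    /* current clients announce KF_VERSION_1 */
    if (strcmp(version, KF_VERSION_1) == 0) {
        protocol_version = 1;
        return TRUE;
    }
    /* old clients sent "0.3x"/"0.4x" with a lower-case suffix; they are
     * accepted only far enough for proto() to tell them to go away */
    if (strlen(version) == 4
        && version[0] == '0' && version[1] == '.'
        && (version[2] == '4' || version[2] == '3')
        && islower((unsigned char)version[3])) {
        protocol_version = 0;
        return TRUE;
    }
    return FALSE;
}

/*
 * Serve one forwarding session on `sock'.
 *
 * Authenticates the peer against the host/`svc' principal, reads the target
 * user name and credential-cache name from the peer, checks that the
 * authenticated client may act as that user (krb5_kuserok), drops to that
 * user's uid/gid and only then stores the forwarded credentials in the
 * cache.  On success the cache name is left in krb5_tkfile for main().
 *
 * The reply sent back is "ok" or "no".  Returns 0 only when the session
 * succeeded and the reply was written; a refused or failed session returns
 * its own non-zero status even if the "no" reply went out fine, so that
 * main() never treats a refused session as success.  Fatal protocol errors
 * exit the process via krb5_err().
 */
static int
proto (int sock, const char *svc)
{
    krb5_auth_context auth_context;
    krb5_error_code status;
    krb5_error_code wstatus;
    krb5_principal server;
    krb5_ticket *ticket;
    char *name;
    char ret_string[10];
    char hostname[MAXHOSTNAMELEN];
    krb5_data data;
    krb5_data remotename;
    krb5_data tk_file;
    krb5_ccache ccache;
    char ccname[MAXPATHLEN];
    struct passwd *pwd;

    status = krb5_auth_con_init (context, &auth_context);
    if (status)
        krb5_err(context, 1, status, "krb5_auth_con_init");

    status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock);
    if (status)
        krb5_err(context, 1, status, "krb5_auth_con_setaddr");

    if (gethostname (hostname, sizeof(hostname)) < 0)
        krb5_err(context, 1, errno, "gethostname");

    status = krb5_sname_to_principal (context, hostname, svc,
                                      KRB5_NT_SRV_HST, &server);
    if (status)
        krb5_err(context, 1, status, "krb5_sname_to_principal");

    status = krb5_recvauth_match_version (context, &auth_context, &sock,
                                          kfd_match_version, NULL,
                                          server, 0, NULL, &ticket);
    if (status)
        krb5_err(context, 1, status, "krb5_recvauth");

    status = krb5_unparse_name (context, ticket->client, &name);
    if (status)
        krb5_err(context, 1, status, "krb5_unparse_name");

    if (protocol_version == 0) {
        data.data = "old clnt"; /* XXX old clients only had room for 10 bytes of message, and also didn't show it to the user */
        data.length = strlen(data.data) + 1;
        krb5_write_message(context, &sock, &data);
        sleep(2); /* XXX give client time to finish */
        krb5_errx(context, 1, "old client; exiting");
    }

    status = krb5_read_priv_message (context, auth_context, &sock, &remotename);
    if (status)
        krb5_err(context, 1, status, "krb5_read_message");
    status = krb5_read_priv_message (context, auth_context, &sock, &tk_file);
    if (status)
        krb5_err(context, 1, status, "krb5_read_message");

    krb5_data_zero (&data);

    /*
     * Both strings are used as C strings below, so they must be non-empty
     * and NUL-terminated; an empty message would otherwise be checked at
     * data[length - 1] with length == 0.
     */
    if (remotename.length == 0
        || ((char*)remotename.data)[remotename.length-1] != '\0')
        krb5_errx(context, 1, "unterminated received");
    if (tk_file.length == 0
        || ((char*)tk_file.data)[tk_file.length-1] != '\0')
        krb5_errx(context, 1, "unterminated received");

    status = krb5_read_priv_message(context, auth_context, &sock, &data);
    if (status)
        krb5_err(context, 1, status, "krb5_read_priv_message");

    pwd = getpwnam ((char *)(remotename.data));
    if (pwd == NULL) {
        status = 1;
        krb5_warnx(context, "getpwnam: %s failed", (char *)(remotename.data));
        goto out;
    }

    /* authorisation: may the authenticated principal act as this user? */
    if (!krb5_kuserok (context, ticket->client, (char *)(remotename.data))) {
        status = 1;
        krb5_warnx(context, "krb5_kuserok: permission denied");
        goto out;
    }

    /*
     * Drop privileges before touching any credential cache.  A failure here
     * is a failure of the session: leaving status at 0 would answer "ok"
     * and let main() exec regpag without the uid having changed.
     * NOTE(review): supplementary groups are not reset here; confirm
     * whether initgroups()/setgroups() is available in this build.
     */
    if (setgid(pwd->pw_gid) < 0) {
        krb5_warn(context, errno, "setgid");
        status = 1;
        goto out;
    }
    if (setuid(pwd->pw_uid) < 0) {
        krb5_warn(context, errno, "setuid");
        status = 1;
        goto out;
    }

    /*
     * The cache name is chosen by the (authenticated, authorised) client;
     * it is only resolved after the switch to that user's uid above, so the
     * client cannot write anywhere the user could not.  A one-byte (empty)
     * name selects the conventional per-uid file cache.
     */
    if (tk_file.length != 1)
        snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data));
    else
        snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%lu",
                  (unsigned long)pwd->pw_uid);

    status = krb5_cc_resolve (context, ccname, &ccache);
    if (status) {
        krb5_warn(context, status, "krb5_cc_resolve");
        goto out;
    }
    status = krb5_cc_initialize (context, ccache, ticket->client);
    if (status) {
        krb5_warn(context, status, "krb5_cc_initialize");
        krb5_cc_close (context, ccache);
        goto out;
    }
    status = krb5_rd_cred2 (context, auth_context, ccache, &data);
    krb5_cc_close (context, ccache);
    if (status) {
        krb5_warn(context, status, "krb5_rd_cred");
        goto out;
    }
    strlcpy(krb5_tkfile, ccname, sizeof(krb5_tkfile));
    krb5_warnx(context, "%s forwarded ticket to %s,%s",
               name, (char *)(remotename.data), ccname);
out:
    if (status) {
        strlcpy(ret_string, "no", sizeof(ret_string));
        krb5_warnx(context, "failed");
    } else {
        strlcpy(ret_string, "ok", sizeof(ret_string));
    }

    krb5_data_free (&tk_file);
    krb5_data_free (&remotename);
    krb5_data_free (&data);
    free(name);

    data.data = ret_string;
    data.length = strlen(ret_string) + 1;
    wstatus = krb5_write_priv_message(context, auth_context, &sock, &data);
    krb5_auth_con_free(context, auth_context);
    krb5_free_ticket(context, ticket);
    krb5_free_principal(context, server);
    /* a failed session stays failed even when the "no" reply was written */
    return status ? status : wstatus;
}

/*
 * Accept a connection when not started from inetd, then serve the session
 * on stdin (mini_inetd() presumably leaves the accepted socket on the
 * standard descriptors).  Returns proto()'s status.
 */
static int
doit (int port, const char *svc)
{
    if (do_inetd)
        mini_inetd(port, NULL);
    return proto (STDIN_FILENO, svc);
}

/*
 * Entry point: set up logging, serve one session and, if it succeeded and
 * -R was given, exec regpag on the new credential cache.  proto() only
 * returns 0 after it has switched to the target user, so regpag never runs
 * with the daemon's privileges.  execl() only returns on failure, in which
 * case its -1 becomes the exit status.
 */
int
main(int argc, char **argv)
{
    int port;
    int ret;
    krb5_log_facility *fac;

    setprogname (argv[0]);
    roken_openlog (argv[0], LOG_ODELAY | LOG_PID, LOG_AUTH);

    port = server_setup(&context, argc, argv);

    ret = krb5_openlog(context, "kfd", &fac);
    if (ret)
        krb5_err(context, 1, ret, "krb5_openlog");
    ret = krb5_set_warn_dest(context, fac);
    if (ret)
        krb5_err(context, 1, ret, "krb5_set_warn_dest");

    ret = doit (port, service);
    closelog();
    if (ret == 0 && regpag_str != NULL)
        ret = execl(regpag_str, "regpag", "-t", krb5_tkfile, "-r", NULL);
    return ret;
}
heimdal-1.7~git20150920+dfsg/appl/login/000077500000000000000000000000001257755311500175075ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/login/ChangeLog000066400000000000000000000227471257755311500212730ustar00rootroot000000000000002008-04-15 Love Hörnquist Åstrand * utmp_login.c: Reorder to avoid prototype. * login_locl.h: If cygwin doesnt have WTMPX_FILE, it uses wtmp for wtmpx http://www.cygwin.com/ml/cygwin/2006-12/msg00630.html 2008-04-10 Love Hörnquist Åstrand * utmp_login.c: Remove utmp warning on mac os x 2006-12-05 Love Hörnquist Åstrand * limits_conf.c: Clear errno before calling the strtol functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn Sandell. * limits_conf.c: Report to syslog strings that start with NUL; prevents negative index array access. Ray Lai of OpenBSD via Björn Sandell. 2006-10-07 Love Hörnquist Åstrand * Makefile.am: Add man_MANS to EXTRA_DIST 2006-09-22 Love Hörnquist Åstrand * read_string.c: try to not call signaction for signal 0 and use NSIG if it exists to determin how many signals there exists, also, only restore those signalhandlers that we got out.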
2006-04-27 Love Hörnquist Åstrand * login_locl.h: Include "loginpaths.h" * loginpaths.h: Shared paths between login and rshd. 2006-01-09 Johan Danielsson * login.c: log successful logins 2005-08-08 Love Hörnquist Åstrand * login.c (do_login): only do krb4_get_afs_tokens if we have done v4 authentication or done a 5to4 conversion of tickets. This is to avoid delays on a realm that only support Kerberos 5 and drop Kerberos 4 requests. 2005-05-10 Dave Love * login.c: Include . 2005-05-02 Dave Love * limits_conf.c: Check RLIMIT_MEMLOCK, not RLIMIT_LOCK. 2005-04-28 Dave Love * limits_conf.c: Maybe include sys/resource.h. Use various RLIMIT_ macros conditionally. For Solaris, Irix and Tru64. 2005-04-22 Johan Danielsson * login.1: document limits.conf * Makefile.am: limits_conf.c * login_locl.h: template for limits.conf * login.c: read limits.conf (from /etc/security by default, overridable in login.conf) * limits_conf.c: implement a parser for limits.conf 2004-09-08 Johan Danielsson * login.c: use krb5_appdefault_boolean instead of krb5_config_get_bool 2003-09-03 Love Hörnquist Åstrand * login.c (krb5_to4): set client princ of the mcred 2003-07-07 Love Hörnquist Åstrand * login.c (krb5_to4): use krb5_cc_clear_mcred 2003-03-24 Johan Danielsson * Makefile.am: install man pages * login.1: manpage for login * login.c: allow "welcome" as well as "motd" in login.conf * login.access.5: login.access manual page 2003-03-18 Love Hörnquist Åstrand * login.c: also need pag_set * login.c: if there is kerberos 5, call krb5_afslog\* 2002-08-23 Johan Danielsson * login.c: if motd is set in login.conf, output its contents before starting the shell 2002-02-27 Johan Danielsson * login.c: reset signals to default, needed on solaris 8 2002-02-19 Johan Danielsson * login_locl.h: include netgroup.h and rpcsvc/ypclnt.h * login.c: make this build without krb5 2001-09-22 Assar Westerlund * login_locl.h: kludge: use absolute path to find prot.h so we do not get confused by athena's prot.h 
2001-09-17 Assar Westerlund * login.c (do_login): add setpcred 2001-07-06 Assar Westerlund * login.c: move osf2c magic earlier. from Mark Davies 2001-06-19 Assar Westerlund * login.c (krb5_to4): dereference result from krb5_princ_realm. noted by Thomas Nystrom 2001-06-04 Assar Westerlund * update copyright messages on Wietse Venema's code. 2001-05-31 Assar Westerlund * login.c (krb5_to4): look for [realms]krb4_get_tickets to decide whether to get kerberos 4 tickets 2001-02-08 Assar Westerlund * utmp_login.c, utmpx_login.c: try to write a useful string as host in utmp, using the same algoritm as telnetd 2001-01-29 Assar Westerlund * login.c: remove some krb5_free_context that might happen at unappropriate times 2000-12-31 Assar Westerlund * login.c (main): handle krb5_init_context failure consistently 2000-12-11 Assar Westerlund * login.c (do_login): set the group on the tty. (r_flag): comment out * login.c (krb5_to4): always return a value 2000-10-15 Assar Westerlund * login.c (krb5_to4): check another return code 2000-08-22 Johan Danielsson * login.c (do_login): set PATH to something sane; (start_logout_process): avoid getting signals sent to the parent * login_locl.h: _PATH_DEFPATH 2000-07-01 Assar Westerlund * login.c (login_timeout): add back 2000-06-28 Johan Danielsson * env.c: new file for environment related functions * login.c: move environment stuff to separate file, allow specifying list of environment files via login.conf 2000-06-21 Assar Westerlund * Makefile.am (LDADD): add otp * login.c: add reading of /etc/environment. From Ake Sandgren add otp support. 
From Daniel Kouril 2000-06-09 Assar Westerlund * login.c (do_login): work-around for setuid and capabilities bug fixed in Linux 2.2.16 2000-04-09 Assar Westerlund * login.c: allow conversion of v5 -> v4 tickets when logging in with forwarded tickets 1999-11-09 Johan Danielsson * conf.c: remove case for not having cgetent, since it's in roken 1999-11-05 Assar Westerlund * login.c (do_login): conditionalize shadow stuff on getspnam 1999-10-30 Assar Westerlund * Makefile.am (login_DEPENDENCIES): remove, it's not entirely correct and was causing problems with non-GNU make 1999-10-28 Assar Westerlund * login.c (start_logout_proceess): don't examine `prog' before setting it. 1999-10-27 Assar Westerlund * login.c (do_login): chown and chmod the tty. some clean-up. 1999-10-03 Assar Westerlund * login.c (krb5_start_session): correct the ccache to krb524_convert_creds_kdc 1999-09-28 Assar Westerlund * login.c (krb5_verify): use krb5_verify_user_lrealm 1999-09-01 Johan Danielsson * login.c: SGI capability mumbo-jumbo 1999-08-09 Johan Danielsson * login.c (start_logout_process): call setproctitle * login_locl.h: declare struct spwd * login.c: add support for starting extra processes at login and logout; always preserve TERM and TZ * conf.c: add configuration file support 1999-08-07 Assar Westerlund * shadow.c (check_shadow): check for a NULL sp 1999-08-05 Assar Westerlund * login.c (main): move down login incorrect to disallow account guessing 1999-08-04 Assar Westerlund * utmpx_login.c (utmpx_login): fix for Solaris. From Miroslav Ruda * login_locl.h: add and some prototypes * login.c: fixes with v4 and shadow support. 
From Miroslav Ruda * shadow.c: new file with functions for handling shadow passwords * Makefile.am: add shadow 1999-07-22 Assar Westerlund * login.c (main): generate a better tty name 1999-05-25 Johan Danielsson * login.c (do_login): set $SHELL 1999-05-18 Assar Westerlund * add login-access 1999-05-11 Assar Westerlund * login.c: copy the v5 ccache to a file after having done setuid 1999-05-09 Assar Westerlund * login.c (krb5_verify): check seteuid for errors Mon Apr 19 22:30:55 1999 Assar Westerlund * login.c: conditionalize the kafs calls on KRB4 * Makefile.am (LDADD): add kafs * login.c: add support for getting afs tokens with v4 and v5 Sun Apr 18 14:12:28 1999 Johan Danielsson * login.c: check _PATH_NOLOGIN * login_locl.h: _PATH_NOLOGIN 1999-04-11 Assar Westerlund * login.c (main): use print_version Thu Apr 8 15:03:55 1999 Johan Danielsson * login.c: remove definition of KRB_VERIFY_USER et.al. (moved to config.h) * login_locl.h: include udb.h, sys/resource.h, and sys/category.h Sat Mar 27 17:58:37 1999 Johan Danielsson * Makefile.am: osfc2.c * login.c: magic for OSF C2, and Crays * login_locl.h: do_osfc2_magic proto * osfc2.c: bsd_locl -> login_locl * osfc2.c: OSF C2 magic Tue Mar 23 14:17:40 1999 Johan Danielsson * login_locl.h: _PATH_UTMP Sun Mar 21 15:02:31 1999 Johan Danielsson * login.c: `-h' is host, not help Sat Mar 20 00:11:13 1999 Assar Westerlund * login_locl.h: krb.h: add * login.c: static-size (krb4_verify): add Thu Mar 18 11:36:10 1999 Johan Danielsson * Makefile.am: include Makefile.am.common Thu Mar 11 17:53:36 1999 Johan Danielsson * utmpx_login.c: add some consts * utmp_login.c: add some consts * login.c: staticize * login_locl.h: add prototypes, and defaults for _PATH_* Mon Mar 1 10:49:14 1999 Johan Danielsson * utmpx_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_* * utmp_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_* heimdal-1.7~git20150920+dfsg/appl/login/Makefile.am000066400000000000000000000014771257755311500215540ustar00rootroot00000000000000# 
$Id$ include $(top_srcdir)/Makefile.am.common man_MANS = login.1 login.access.5 bin_PROGRAMS = login login_SOURCES = \ conf.c \ env.c \ login.c \ login_access.c \ login_locl.h \ loginpaths.h \ limits_conf.c \ osfc2.c \ read_string.c \ shadow.c \ stty_default.c \ tty.c \ utmp_login.c \ utmpx_login.c noinst_HEADERS = $(srcdir)/login-protos.h LDADD = $(LIB_otp) \ $(LIB_kafs) \ $(top_builddir)/lib/krb5/libkrb5.la \ $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) \ $(LIB_security) \ $(DBLIB) $(srcdir)/login-protos.h: $(login_SOURCES) cd $(srcdir); perl ../../cf/make-proto.pl -o login-protos.h -q -P comment $(login_SOURCES) || rm -f login-protos.h $(login_OBJECTS): $(srcdir)/login-protos.h EXTRA_DIST = NTMakefile $(man_MANS) heimdal-1.7~git20150920+dfsg/appl/login/NTMakefile000066400000000000000000000027331257755311500214160ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\login !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/login/conf.c000066400000000000000000000037461257755311500206120ustar00rootroot00000000000000/* * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of KTH nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. 
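IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "login_locl.h"
RCSID("$Id$");

/* the "default" record of _PATH_LOGIN_CONF, loaded on first use */
static char *confbuf;

/*
 * Load the "default" record of _PATH_LOGIN_CONF into confbuf.
 *
 * Returns 0 on success (including when it is already loaded), else the
 * non-zero cgetent() result.  Only the first successful load is kept:
 * cgetent() hands back a freshly allocated record, so re-running it on
 * every lookup leaked the previous one.
 */
static int
login_conf_init(void)
{
    char *files[] = { _PATH_LOGIN_CONF, NULL };

    if (confbuf != NULL)
        return 0;
    return cgetent(&confbuf, (void *)files, "default");
}

/*
 * Look up capability `str' in the default login.conf record.
 *
 * Returns the value, or NULL if login.conf cannot be read or the
 * capability is missing.  The value is allocated by cgetstr() and belongs
 * to the caller.
 */
char *
login_conf_get_string(const char *str)
{
    char *value;

    if (login_conf_init() != 0)
        return NULL;
    if (cgetstr(confbuf, (char *)str, &value) < 0)
        return NULL;
    return value;
}
heimdal-1.7~git20150920+dfsg/appl/login/env.c000066400000000000000000000054121257755311500204450ustar00rootroot00000000000000/*
 * Copyright (c) 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.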
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "login_locl.h"
RCSID("$Id$");

/*
 * the environment we will send to execle and the shell.
 */
char **env;
int num_env;

/*
 * Append `str' (a "NAME=value" string, taken over as-is, not copied) to
 * env.  Exits if the array cannot be grown.
 */
void
extend_env(char *str)
{
    size_t newsize = (num_env + 1) * sizeof(*env);

    env = realloc(env, newsize);
    if (env == NULL)
        errx(1, "Out of memory!");
    env[num_env] = str;
    num_env++;
}

/*
 * Set `var' to `value' in env: an existing entry for the same name is
 * replaced (matched on "NAME=" so that a prefix such as PATH does not
 * match PATHX), otherwise a new one is appended.
 */
void
add_env(const char *var, const char *value)
{
    char *entry;
    size_t varlen = strlen(var);
    int idx;

    if (asprintf(&entry, "%s=%s", var, value) == -1)
        errx(1, "Out of memory!");

    for (idx = 0; idx < num_env; idx++) {
        char *old = env[idx];
        int same_name = strncmp(old, var, varlen) == 0 && old[varlen] == '=';

        if (!same_name)
            continue;
        free(old);
        env[idx] = entry;
        return;
    }
    extend_env(entry);
}

#if !HAVE_DECL_ENVIRON
extern char **environ;
#endif

/* seed env with every entry of the process environment */
void
copy_env(void)
{
    char **cur = environ;

    while (*cur != NULL)
        extend_env(*cur++);
}

/*
 * Read an environment file and merge each NAME=value entry into env via
 * add_env().  An entry without '=' is fatal.  The array returned by
 * read_environment() and its strings are released afterwards.
 */
void
login_read_env(const char *file)
{
    char **entries = NULL;
    int count, k;

    count = read_environment(file, &entries);
    for (k = 0; k < count; k++) {
        char *entry = entries[k];
        char *eq = strchr(entry, '=');

        if (eq == NULL)
            errx(1, "%s: missing = in string %s", file, entry);
        *eq = '\0';
        add_env(entry, eq + 1);
        *eq = '=';
        free(entry);
    }
    free(entries);
}
heimdal-1.7~git20150920+dfsg/appl/login/limits_conf.c000066400000000000000000000135401257755311500221640ustar00rootroot00000000000000/*
 * Copyright (c) 2005 Kungliga
Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
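 */

#include "login_locl.h"
RCSID("$Id$");

/* NOTE(review): the header names of the three includes below were lost in
 * extraction; consult the original source before building from this copy. */
#include
#include
#ifdef HAVE_SYS_RESOURCE_H
#include
#endif

/*
 * One settable resource limit.  `scale' converts the unit used in
 * limits.conf (1024 for sizes in KiB, 60 for CPU minutes) into what
 * setrlimit() wants; `has_limit' records the most specific matching line
 * seen so far (0 none, 1 "*", 2 "@group", 3 user) and `limit' the values
 * to apply.
 */
struct limit {
    const char *name;
    int resource;
    int scale;
    int has_limit;
    struct rlimit limit;
} limits[] = {
#define LIM(X, S) { #X, RLIMIT_##X, S, 0, {0, 0} }
    LIM(CORE, 1024),
    LIM(CPU, 60),
    LIM(DATA, 1024),
    LIM(FSIZE, 1024),
#ifdef RLIMIT_MEMLOCK
    LIM(MEMLOCK, 1024),
#endif
    LIM(NOFILE, 1),
#ifdef RLIMIT_NPROC
    LIM(NPROC, 1),
#endif
#ifdef RLIMIT_RSS
    LIM(RSS, 1024),
#endif
    LIM(STACK, 1024),
#ifdef RLIMIT_AS
    LIM(AS, 1024),
#endif
#ifdef RLIMIT_LOCKS
    LIM(LOCKS, 1),
#endif
    /* maxlogins priority */
    { NULL, 0, 0, 0, {0, 0} }
};

/* case-insensitive lookup of a limit by its limits.conf item name */
static struct limit *
find_limit(const char *name)
{
    struct limit *l;

    for (l = limits; l->name != NULL; l++)
        if (strcasecmp(name, l->name) == 0)
            return l;
    return NULL;
}

/* this function reads limits.conf files similar to pam_limits
   unimplemented features include:
   % maxlogins
   "-" no limits,
   priorities etc that are not set via setrlimit

   XXX uses static storage, and clobbers getgr*
*/

/*
 * Apply the limits in `file' that match `pwd' (by user name, by primary
 * group via "@group", or "*"; a more specific line always wins).
 *
 * Returns 0 once the file has been processed (bad lines are logged and
 * skipped individually), -1 if it could not be opened; a missing file is
 * silent, any other open error is logged.
 */
int
read_limits_conf(const char *file, const struct passwd *pwd)
{
    FILE *f;
    char *args[4];
    int lineno = 0;
    char buf[1024];
    struct limit *l;
    rlim_t value;

    f = fopen(file, "r");
    if (f == NULL) {
        if (errno != ENOENT && errno != ENOTDIR)
            syslog(LOG_ERR, "%s: %m", file);
        return -1;
    }

    while (fgets(buf, sizeof(buf), f) != NULL) {
        char *last = NULL;
        char *end = NULL;
        int level;

        lineno++;

        /* a leading NUL would make strlen(buf) - 1 below index before buf */
        if (buf[0] == '\0') {
            syslog(LOG_ERR, "%s: line %d: NUL character", file, lineno);
            continue;
        }

        if (buf[strlen(buf) - 1] != '\n') {
            /* file did not end with a newline, figure out if we're at
               the EOF, or if our buffer was too small */
            int eof = 1;
            int c;

            while ((c = fgetc(f)) != EOF) {
                eof = 0;
                if (c == '\n')
                    break;
            }
            if (!eof) {
                syslog(LOG_ERR, "%s: line %d: line too long", file, lineno);
                continue;
            }
        }
        buf[strcspn(buf, "#\r\n")] = '\0';

        /* <domain> <type> <item> <value> */
        if ((args[0] = strtok_r(buf, " \t", &last)) == NULL ||
            (args[1] = strtok_r(NULL, " \t", &last)) == NULL ||
            (args[2] = strtok_r(NULL, " \t", &last)) == NULL ||
            (args[3] = strtok_r(NULL, " \t", &last)) == NULL) {
            if (args[0] != NULL) /* this would include comment lines */
                syslog(LOG_ERR, "%s: line %d: malformed line", file, lineno);
            continue;
        }

        l = find_limit(args[2]);
        if (l == NULL) {
            syslog(LOG_ERR, "%s: line %d: unknown limit %s", file, lineno, args[2]);
            continue;
        }

        if (strcmp(args[3], "-") == 0) {
            value = RLIM_INFINITY;
        } else {
            long parsed;

            errno = 0;
            parsed = strtol(args[3], &end, 10);
            if (*end != '\0') {
                syslog(LOG_ERR, "%s: line %d: bad value %s", file, lineno, args[3]);
                continue;
            }
            if ((parsed == LONG_MIN || parsed == LONG_MAX) && errno == ERANGE) {
                syslog(LOG_ERR, "%s: line %d: bad value %s", file, lineno, args[3]);
                continue;
            }
            /*
             * rlim_t is typically unsigned, so a negative number would wrap
             * to a huge value and silently lift the limit instead of
             * restricting it; reject it like any other bad value.
             */
            if (parsed < 0) {
                syslog(LOG_ERR, "%s: line %d: bad value %s", file, lineno, args[3]);
                continue;
            }
            value = (rlim_t)parsed;
            /* overflow while scaling is treated as "unlimited", as before */
            if (value * l->scale < value)
                value = RLIM_INFINITY;
            else
                value *= l->scale;
        }

        level = 0;
        /* XXX unclear: if you set group hard and user soft limit,
           should the hard limit still apply? this code doesn't. */
        if (strcmp(args[0], pwd->pw_name) == 0)
            level = 3;
        if (*args[0] == '@') {
            struct group *gr;
            gr = getgrnam(args[0] + 1);
            if (gr != NULL && gr->gr_gid == pwd->pw_gid)
                level = 2;
        }
        if (strcmp(args[0], "*") == 0)
            level = 1;

        /* a less specific line never overrides a more specific one */
        if (level == 0 || level < l->has_limit) /* not for us */
            continue;

        if (l->has_limit < level) {
            if (getrlimit(l->resource, &l->limit) < 0)
                continue;
            l->has_limit = level;
        }
        /* XXX unclear: if you soft to more than default hard, should we
           set hard to soft? this code doesn't. */
        if (strcasecmp(args[1], "soft") == 0 || strcmp(args[1], "-") == 0)
            l->limit.rlim_cur = value;
        if (strcasecmp(args[1], "hard") == 0 || strcmp(args[1], "-") == 0)
            l->limit.rlim_max = value;
    }
    fclose(f);

    for (l = limits; l->name != NULL; l++) {
        if (l->has_limit) {
            /* the soft limit may never exceed the hard one */
            if (l->limit.rlim_cur > l->limit.rlim_max)
                l->limit.rlim_cur = l->limit.rlim_max;
            if (setrlimit(l->resource, &l->limit) != 0)
                syslog(LOG_ERR, "setrlimit RLIM_%s failed: %m", l->name);
        }
        /* static storage: reset so a later call starts clean */
        l->has_limit = 0;
    }
    return 0;
}
heimdal-1.7~git20150920+dfsg/appl/login/login.1000066400000000000000000000154151257755311500207070ustar00rootroot00000000000000.\" $Id$ .\" .Dd April 22, 2005 .Dt LOGIN 1 .Os HEIMDAL .Sh NAME .Nm login .Nd authenticate a user and start new session .Sh SYNOPSIS .Nm .Op Fl fp .Op Fl a Ar level .Op Fl h Ar hostname .Ar [username] .Sh DESCRIPTION This manual page documents the .Nm login program distributed with the Heimdal Kerberos 5 implementation, it may differ in important ways from your system version. .Pp The .Nm login programs logs users into the system. It is intended to be run by system daemons like .Xr getty 8 or .Xr telnetd 8 . If you are already logged in, but want to change to another user, you should use .Xr su 1 . .Pp A username can be given on the command line, else one will be prompted for. .Pp A password is required to login, unless the .Fl f option is given (indicating that the calling program has already done proper authentication). With .Fl f the user will be logged in without further questions. .Pp For password authentication Kerberos 5, OTP (if compiled in) and local .No ( Pa /etc/passwd ) passwords are supported. OTP will be used if the the user is registered to use it, and .Nm login is given the option .Fl a Li otp . When using OTP, a challenge is shown to the user. .Pp Further options are: .Bl -tag -width Ds .It Fl a Ar string Which authentication mode to use, the only supported value is currently .Dq otp . .It Fl f Indicates that the user is already authenticated.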
This happens, for instance, when login is started by telnetd, and the user has proved authentic via Kerberos. .It Fl h Ar hostname Indicates which host the user is logging in from. This is passed from telnetd, and is entered into the login database; it is also the name matched against the host field of .Xr login.access 5 . The value is taken on trust, so only a daemon that has verified the peer should pass it. .It Fl p This tells .Nm login to preserve all environment variables. If not given, only the .Dv TERM and .Dv TZ variables are preserved. It could be a security risk to pass arbitrary variables to .Nm login or the user shell, so the calling daemon should make sure it only passes .Dq safe variables. .El .Pp The process of logging a user in proceeds as follows. .Pp First a check is made that logins are allowed at all. This usually means checking .Pa /etc/nologin . If it exists, and the user trying to log in is not root, its contents are printed, and then login exits. .Pp Then various system parameters are set up, like changing the owner of the tty to the user, setting up signals, setting the group list, and user and group id. Also various machine specific tasks are performed. .Pp Next .Nm login changes to the user's home directory, or if that fails, to .Pa / . The environment is set up, by adding some required variables (such as .Dv PATH ) , and also authentication related ones (such as .Dv KRB5CCNAME ) . If an environment file exists .No ( Pa /etc/environment ) , variables are set according to it. .Pp If one or more login message files are configured, their contents are printed to the terminal. .Pp If a login time command is configured, it is executed. A logout time command can also be configured, which makes .Nm login fork, and wait for the user shell to exit, and then run the command. This can be used to clean up user credentials. .Pp Finally, the user's shell is executed. If the user logging in is root, and root's login shell does not exist, a default shell (usually .Pa /bin/sh ) is also tried before giving up.
.Sh ENVIRONMENT These environment variables are set by login (not including ones set by .Pa /etc/environment ) : .Pp .Bl -tag -compact -width USERXXLOGNAME .It Dv PATH the default system path .It Dv HOME the user's home directory (or possibly .Pa / ) .It Dv USER , Dv LOGNAME both set to the username .It Dv SHELL the user's shell .It Dv TERM , Dv TZ set to whatever is passed to .Nm login .It Dv KRB5CCNAME if the password is verified via Kerberos 5, this will point to the credentials cache file .El .Sh FILES .Bl -tag -compact -width Ds .It Pa /etc/environment Contains a set of environment variables that should be set in addition to the ones above. It should contain sh-style assignments like .Dq VARIABLE=value . Note that they are not parsed the way a shell would. No variable expansion is performed, and all strings are literal, and quotation marks should not be used. Everything after a hash mark is considered a comment. The following are all different (the last will set the variable .Dv BAR , not .Dv FOO ) . .Bd -literal -offset indent FOO=this is a string FOO="this is a string" BAR= FOO='this is a string' .Ed .It Pa /etc/login.access See .Xr login.access 5 . .It Pa /etc/login.conf This is a termcap style configuration file, that contains various settings used by .Nm login . Currently only the .Dq default capability record is used. The possible capability strings include: .Pp .Bl -tag -compact -width Ds .It Li environment This is a comma separated list of environment files that are read in the order specified. If this is missing the default .Pa /etc/environment is used. .It Li login_program This program will be executed just before the user's shell is started. It will be called without arguments. .It Li logout_program This program will be executed just after the user's shell has terminated. It will be called without arguments. This program will be the parent process of the spawned shell. 
.It Li motd A comma separated list of text files that will be printed to the user's terminal before starting the shell. The string .Li welcome works similarly, but points to a single file. .It Li limits Points to a file containing ulimit settings for various users. Syntax is inspired by what pam_limits uses, and the default is .Pa /etc/security/limits.conf . The limits file is only consulted for non-root logins. .El .It Pa /etc/nologin If it exists, login is denied to all but root. The contents of this file are printed before login exits. .El .Pp Other .Nm login programs typically print all sorts of information by default, such as last time you logged in, if you have mail, and system message files. This version of .Nm login does not, so there is no reason for .Pa .hushlogin files or similar. We feel that these tasks are best left to the user's shell, but the .Li login_program facility allows for a shell independent solution, if that is desired. .Sh EXAMPLES A .Pa login.conf file could look like: .Bd -literal -offset indent default:\\ :motd=/etc/motd,/etc/motd.local:\\ :limits=/etc/limits.conf: .Ed .Pp The .Pa limits.conf file consists of a table with four whitespace separated fields. First field is a username or a groupname (prefixed with .Sq @ ) , or .Sq * . Second field is .Sq soft , .Sq hard , or .Sq - (the last meaning both soft and hard). Third field is a limit name (such as .Sq cpu or .Sq core ) . Last field is the limit value (a number or .Sq - for unlimited). In the case of data sizes, the value is in kilobytes, and cputime is in minutes. A soft limit that ends up above the corresponding hard limit is lowered to the hard limit before being applied. .Sh SEE ALSO .Xr su 1 , .Xr login.access 5 , .Xr getty 8 , .Xr telnetd 8 .Sh AUTHORS This login program was written for the Heimdal Kerberos 5 implementation. The login.access code was written by Wietse Venema.
.\".Sh BUGS
heimdal-1.7~git20150920+dfsg/appl/login/login.access.5000066400000000000000000000030551257755311500221500ustar00rootroot00000000000000.\" $Id$ .\" .Dd March 21, 2003 .Dt LOGIN.ACCESS 5 .Os HEIMDAL .Sh NAME .Nm login.access .Nd login access control table .Sh DESCRIPTION The .Nm login.access file specifies on which ttys or from which hosts certain users are allowed to log in. .Pp At login, the .Pa /etc/login.access file is checked for the first entry that matches a specific user/host or user/tty combination. That entry can either allow or deny login access to that user. If no entry matches, or if the file does not exist at all, access is allowed; the check is made after the password has been verified, and also for pre-authenticated logins. .Pp Each entry has three fields separated by colons: .Bl -bullet .It The first field indicates the permission given if the entry matches. It can be either .Dq + (allow access) or .Dq - (deny access) . .It The second field is a comma separated list of users or groups for which the current entry applies. NIS netgroups can be used (if configured) if preceded by @. The magic string ALL matches all users. A group will match if the user is a member of that group, or it is the user's primary group. A token of the form user@host is also accepted; the part after the @ is matched against the local hostname, as for the third field. .It The third field is a list of ttys, or network names. A network name can be either a hostname, a domain (indicated by a starting period), a network number prefix (indicated by a trailing period, matched against the beginning of the host string), or a netgroup. As with the user list, ALL matches anything. LOCAL matches a string not containing a period. .El .Pp If the string EXCEPT is found in either the user or from list, the rest of the list is a list of exceptions to the list before EXCEPT. .Sh BUGS If there's a user and a group with the same name, there is no way to make the group match if the user also matches. .Sh SEE ALSO .Xr login 1 .Sh AUTHORS The .Fn login_access function was written by Wietse Venema. This manual page was written for Heimdal.
heimdal-1.7~git20150920+dfsg/appl/login/login.c000066400000000000000000000410731257755311500207700ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved.
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
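*/

#include "login_locl.h"
#ifdef HAVE_CAPABILITY_H
#include <capability.h>
#endif
#ifdef HAVE_SYS_CAPABILITY_H
#include <sys/capability.h>
#endif
#ifdef HAVE_CRYPT_H
#include <crypt.h>
#endif

RCSID("$Id$");

/* Seconds the user gets to finish the login dialogue; see sig_handler(). */
static int login_timeout = 60;

/*
 * Run the configured `login_program' (if any), without arguments and with
 * the environment built so far.  Returns 0 when no program is configured,
 * otherwise whatever simple_execle() returns.
 */
static int
start_login_process(void)
{
    char *prog, *argv0;

    prog = login_conf_get_string("login_program");
    if (prog == NULL)
        return 0;
    argv0 = strrchr(prog, '/');
    if (argv0)
        argv0++;
    else
        argv0 = prog;
    return simple_execle(prog, argv0, NULL, env);
}

/*
 * Arrange for the configured `logout_program' to run after the user's
 * shell has terminated.  When a program is configured the process forks:
 * the child returns 0 and goes on to become the shell, while the parent
 * stays behind, waits for the child and then execs the logout program
 * (which therefore ends up as the parent of the shell).  Returns 0 when
 * nothing is configured; with a program configured only the child returns.
 */
static int
start_logout_process(void)
{
    char *prog, *argv0;
    pid_t pid;

    prog = login_conf_get_string("logout_program");
    if (prog == NULL)
        return 0;
    argv0 = strrchr(prog, '/');
    if (argv0)
        argv0++;
    else
        argv0 = prog;

    pid = fork();
    if (pid == 0) {
        /* avoid getting signals sent to the shell */
        setpgid(0, getpid());
        return 0;
    }
    if (pid == -1)
        err(1, "fork");

    /* wait for the real login process to exit */
#ifdef HAVE_SETPROCTITLE
    setproctitle("waitpid %d", pid);
#endif
    while (1) {
        int status;
        int ret;

        ret = waitpid(pid, &status, 0);
        if (ret > 0) {
            if (WIFEXITED(status) || WIFSIGNALED(status)) {
                execle(prog, argv0, NULL, env);
                err(1, "exec %s", prog);
            }
        } else if (ret < 0)
            err(1, "waitpid");
    }
}

/*
 * Replace this process with the user's login shell, with the conventional
 * leading '-' in argv[0].  If `fallback' is set and the shell cannot be
 * executed, _PATH_BSHELL is tried as well (the caller enables this for
 * root only).  Never returns.
 */
static void
exec_shell(const char *shell, int fallback)
{
    char *sh;
    const char *p;

    extend_env(NULL);
    if (start_login_process() < 0)
        warn("login process");
    start_logout_process();

    p = strrchr(shell, '/');
    if (p)
        p++;
    else
        p = shell;
    if (asprintf(&sh, "-%s", p) == -1)
        errx(1, "Out of memory");
    execle(shell, sh, NULL, env);
    if (fallback) {
        warnx("Can't exec %s, trying %s", shell, _PATH_BSHELL);
        execle(_PATH_BSHELL, "-sh", NULL, env);
        err(1, "%s", _PATH_BSHELL);
    }
    err(1, "%s", shell);
}

/* Which mechanism accepted the password; set by check_password(). */
static enum { NONE = 0, AUTH_KRB5 = 2, AUTH_OTP = 3 } auth;

#ifdef OTP
static OtpContext otp_ctx;

static int
otp_verify(struct passwd *pwd, const char *password)
{
    return (otp_verify_user(&otp_ctx, password));
}
#endif /* OTP */

static int pag_set = 0;

#ifdef KRB5
static krb5_context context;
static krb5_ccache id, id2;

/*
 * Verify `password' against the Kerberos principal named like the local
 * account, leaving the obtained credentials in the memory cache `id' for
 * krb5_start_session() to copy later.  Returns 0 on success, non-zero
 * otherwise.  On failure the memory cache is destroyed so that repeated
 * attempts (main() allows several) do not pile up caches.
 */
static int
krb5_verify(struct passwd *pwd, const char *password)
{
    krb5_error_code ret;
    krb5_principal princ;

    ret = krb5_parse_name(context, pwd->pw_name, &princ);
    if (ret)
        return 1;
    ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
    if (ret) {
        krb5_free_principal(context, princ);
        return 1;
    }
    ret = krb5_verify_user_lrealm(context, princ, id, password, 1, NULL);
    krb5_free_principal(context, princ);
    if (ret) {
        krb5_cc_destroy(context, id);
        id = NULL;
    }
    return ret;
}

/*
 * Copy the credentials obtained by krb5_verify() from the memory cache to
 * a file cache and export its name through KRB5CCNAME.  The file name is
 * derived from the uid only and so is predictable; do_login() calls this
 * only after it has switched to the user's uid, so the file is created
 * with the user's own privileges.  Returns 0 on success or a krb5 error.
 */
static int
krb5_start_session(const struct passwd *pwd)
{
    krb5_error_code ret;
    char residual[64];

    /* copy credentials to file cache */
    snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u",
             (unsigned)pwd->pw_uid);
    /* The resolve result used to be ignored, leaving `id2' unset on error. */
    ret = krb5_cc_resolve(context, residual, &id2);
    if (ret)
        return ret;
    ret = krb5_cc_copy_cache(context, id, id2);
    if (ret == 0)
        add_env("KRB5CCNAME", residual);
    else {
        krb5_cc_destroy(context, id2);
        return ret;
    }
    krb5_cc_close(context, id2);
    krb5_cc_destroy(context, id);
    return 0;
}

static void
krb5_finish(void)
{
    krb5_free_context(context);
}

/*
 * If AFS is present, obtain AFS tokens for the user's cell (and the cell
 * of the home directory, if it lives in AFS) from the default credential
 * cache, in a fresh PAG.  Silently does nothing without AFS or without a
 * usable default cache.
 */
static void
krb5_get_afs_tokens(const struct passwd *pwd)
{
    char cell[64];
    char *pw_dir;
    krb5_error_code ret;

    if (!k_hasafs())
        return;

    ret = krb5_cc_default(context, &id2);
    if (ret == 0) {
        pw_dir = pwd->pw_dir;
        if (!pag_set) {
            k_setpag();
            pag_set = 1;
        }
        if (k_afs_cell_of_file(pw_dir, cell, sizeof(cell)) == 0)
            krb5_afslog_uid_home(context, id2, cell, NULL,
                                 pwd->pw_uid, pwd->pw_dir);
        krb5_afslog_uid_home(context, id2, NULL, NULL,
                             pwd->pw_uid, pwd->pw_dir);
        krb5_cc_close(context, id2);
    }
}

#endif /* KRB5 */

static int f_flag;
static int p_flag;
#if 0
static int r_flag;
#endif
static int version_flag;
static int help_flag;
static char *remote_host;
static char *auth_level = NULL;

struct getargs args[] = {
    { NULL, 'a', arg_string,    &auth_level, "authentication mode", NULL },
#if 0
    { NULL, 'd', NULL,          NULL,        NULL,                  NULL },
#endif
    { NULL, 'f', arg_flag,      &f_flag,     "pre-authenticated",   NULL },
    { NULL, 'h', arg_string,    &remote_host, "remote host",        "hostname" },
    { NULL, 'p', arg_flag,      &p_flag,     "don't purge environment", NULL },
#if 0
    { NULL, 'r', arg_flag,      &r_flag,     "rlogin protocol",     NULL },
#endif
    { "version", 0, arg_flag,   &version_flag, NULL,                NULL },
    { "help",    0, arg_flag,   &help_flag,  NULL,                  NULL }
};

int nargs = sizeof(args) / sizeof(args[0]);

/*
 * Update the utmp files, both BSD and SYSV style.  A missing utmpx entry
 * is fatal unless the login was pre-authenticated (-f).
 */
static void
update_utmp(const char *username, const char *hostname,
            char *tty, char *ttyn)
{
    if (utmpx_login(tty, username, hostname) != 0 && !f_flag) {
        printf("No utmpx entry. You must exec \"login\" from the "
               "lowest level shell.\n");
        exit(1);
    }
    utmp_login(ttyn, username, hostname);
}

/* If _PATH_NOLOGIN exists, print it and exit; otherwise return. */
static void
checknologin(void)
{
    FILE *f;
    char buf[1024];

    f = fopen(_PATH_NOLOGIN, "r");
    if (f == NULL)
        return;
    while (fgets(buf, sizeof(buf), f))
        fputs(buf, stdout);
    fclose(f);
    exit(0);
}

/* print contents of a file */
static void
show_file(const char *file)
{
    FILE *f;
    char buf[BUFSIZ];

    if ((f = fopen(file, "r")) == NULL)
        return;
    while (fgets(buf, sizeof(buf), f))
        fputs(buf, stdout);
    fclose(f);
}

/*
 * Actually log in the user. `pwd' contains all the relevant
 * information about the user. `ttyn' is the complete name of the tty
 * and `tty' the short name.
 *
 * Order matters: utmp, tty ownership, resource limits and the group list
 * are set while still root; then the gid and uid are dropped (and the
 * drop verified to be irreversible), and everything after that -- the
 * Kerberos credential cache, AFS tokens, environment files and the shell
 * -- runs as the user.  For non-root logins every failure is fatal; for
 * root, failures only warn so a broken system can still be repaired.
 */
static void
do_login(const struct passwd *pwd, char *tty, char *ttyn)
{
#ifdef HAVE_GETSPNAM
    struct spwd *sp;
#endif
    int rootlogin = (pwd->pw_uid == 0);
    gid_t tty_gid;
    struct group *gr;
    const char *home_dir;
    int i;

    if (!rootlogin)
        checknologin();

#ifdef HAVE_GETSPNAM
    /* Read the shadow entry while still root; it is checked after the
       privilege drop below. */
    sp = getspnam(pwd->pw_name);
#endif

    update_utmp(pwd->pw_name, remote_host ? remote_host : "", tty, ttyn);

    gr = getgrnam("tty");
    if (gr != NULL)
        tty_gid = gr->gr_gid;
    else
        tty_gid = pwd->pw_gid;

    if (chown(ttyn, pwd->pw_uid, tty_gid) < 0) {
        warn("chown %s", ttyn);
        if (rootlogin == 0)
            exit(1);
    }
    if (chmod(ttyn, S_IRUSR | S_IWUSR | S_IWGRP) < 0) {
        warn("chmod %s", ttyn);
        if (rootlogin == 0)
            exit(1);
    }

#ifdef HAVE_SETLOGIN
    if (setlogin(pwd->pw_name)) {
        warn("setlogin(%s)", pwd->pw_name);
        if (rootlogin == 0)
            exit(1);
    }
#endif
    /* Resource limits from the `limits' file apply to non-root only. */
    if (rootlogin == 0) {
        const char *file = login_conf_get_string("limits");
        if (file == NULL)
            file = _PATH_LIMITS_CONF;
        read_limits_conf(file, pwd);
    }

#ifdef HAVE_SETPCRED
    if (setpcred(pwd->pw_name, NULL) == -1)
        warn("setpcred(%s)", pwd->pw_name);
#endif /* HAVE_SETPCRED */

#ifdef HAVE_INITGROUPS
    if (initgroups(pwd->pw_name, pwd->pw_gid)) {
        warn("initgroups(%s, %u)", pwd->pw_name, (unsigned)pwd->pw_gid);
        if (rootlogin == 0)
            exit(1);
    }
#endif
    if (do_osfc2_magic(pwd->pw_uid))
        exit(1);
    if (setgid(pwd->pw_gid)) {
        warn("setgid(%u)", (unsigned)pwd->pw_gid);
        if (rootlogin == 0)
            exit(1);
    }
    /*
     * Drop to the user's uid and make sure root cannot be regained: a
     * setuid(0) that succeeds afterwards means the drop was not
     * effective and is treated like a failed setuid().
     */
    if (setuid(pwd->pw_uid) || (pwd->pw_uid != 0 && setuid(0) == 0)) {
        warn("setuid(%u)", (unsigned)pwd->pw_uid);
        if (rootlogin == 0)
            exit(1);
    }

    /* make sure signals are set to default actions, apparently some
       OS:es like to ignore SIGINT, which is not very convenient */
    for (i = 1; i < NSIG; ++i)
        signal(i, SIG_DFL);

    /* all kinds of different magic */

#ifdef HAVE_GETSPNAM
    check_shadow(pwd, sp);
#endif

#if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM)
    {
        struct udb *udb;
        long t;
        const long maxcpu = 46116860184; /* some random constant */
        udb = getudbnam(pwd->pw_name);
        if (udb == UDB_NULL)
            errx(1, "Failed to get UDB entry.");
        t = udb->ue_pcpulim[UDBRC_INTER];
        if (t == 0 || t > maxcpu)
            t = CPUUNLIM;
        else
            t *= 100 * CLOCKS_PER_SEC;

        if (limit(C_PROC, 0, L_CPU, t) < 0)
            warn("limit C_PROC");

        t = udb->ue_jcpulim[UDBRC_INTER];
        if (t == 0 || t > maxcpu)
            t = CPUUNLIM;
        else
            t *= 100 * CLOCKS_PER_SEC;

        if (limit(C_JOBPROCS, 0, L_CPU, t) < 0)
            warn("limit C_JOBPROCS");

        nice(udb->ue_nice[UDBRC_INTER]);
    }
#endif
#if defined(HAVE_SGI_GETCAPABILITYBYNAME) && defined(HAVE_CAP_SET_PROC)
    /* XXX SGI capability hack IRIX 6.x (x >= 0?) has something called
       capabilities, that allow you to give away permissions (such as
       chown) to specific processes. From 6.5 this is default on, and
       the default capability set seems to not always be the empty set.
       The problem is that the runtime linker refuses to do just about
       anything if the process has *any* capabilities set, so we have
       to remove them here (unless otherwise instructed by
       /etc/capability).  In IRIX < 6.5, these functions was called
       sgi_cap_setproc, etc, but we ignore this fact (it works
       anyway). */
    {
        struct user_cap *ucap = sgi_getcapabilitybyname(pwd->pw_name);
        cap_t cap;
        if (ucap == NULL)
            cap = cap_from_text("all=");
        else
            cap = cap_from_text(ucap->ca_default);
        if (cap == NULL)
            err(1, "cap_from_text");
        if (cap_set_proc(cap) < 0)
            err(1, "cap_set_proc");
        cap_free(cap);
        free(ucap);
    }
#endif
    home_dir = pwd->pw_dir;
    if (chdir(home_dir) < 0) {
        fprintf(stderr, "No home directory \"%s\"!\n", pwd->pw_dir);
        if (chdir("/"))
            exit(0);
        home_dir = "/";
        fprintf(stderr, "Logging in with home = \"/\".\n");
    }
#ifdef KRB5
    /* Runs as the user: the file cache below is created unprivileged. */
    if (auth == AUTH_KRB5) {
        krb5_start_session(pwd);
    }
    krb5_get_afs_tokens(pwd);
    krb5_finish();
#endif /* KRB5 */

    add_env("PATH", _PATH_DEFPATH);

    {
        const char *str = login_conf_get_string("environment");
        char buf[MAXPATHLEN];

        if (str == NULL) {
            login_read_env(_PATH_ETC_ENVIRONMENT);
        } else {
            while (strsep_copy(&str, ",", buf, sizeof(buf)) != -1) {
                if (buf[0] == '\0')
                    continue;
                login_read_env(buf);
            }
        }
    }
    {
        const char *str = login_conf_get_string("motd");
        char buf[MAXPATHLEN];

        if (str != NULL) {
            while (strsep_copy(&str, ",", buf, sizeof(buf)) != -1) {
                if (buf[0] == '\0')
                    continue;
                show_file(buf);
            }
        } else {
            str = login_conf_get_string("welcome");
            if (str != NULL)
                show_file(str);
        }
    }

    add_env("HOME", home_dir);
    add_env("USER", pwd->pw_name);
    add_env("LOGNAME", pwd->pw_name);
    add_env("SHELL", pwd->pw_shell);
    exec_shell(pwd->pw_shell, rootlogin);
}

/*
 * Verify `password' for `pwd'.  Returns 0 if accepted, non-zero otherwise.
 * The local crypt(3) hash is tried first, then Kerberos 5 and OTP when
 * compiled in; `auth' records which of the latter two succeeded so that
 * do_login() can set up the session accordingly.
 */
static int
check_password(struct passwd *pwd, const char *password)
{
    const char *hash;

    if (pwd->pw_passwd == NULL)
        return 1;
    if (pwd->pw_passwd[0] == '\0') {
#ifdef ALLOW_NULL_PASSWORD
        return password[0] != '\0';
#else
        return 1;
#endif
    }
    /*
     * crypt(3) may return NULL for a salt or hash method it does not
     * support (locked "*"/"!" entries on some libcs, for instance); the
     * previous code passed that straight to strcmp().  Treat it as "local
     * password does not match" and fall through to the other mechanisms.
     */
    hash = crypt(password, pwd->pw_passwd);
    if (hash != NULL && strcmp(pwd->pw_passwd, hash) == 0)
        return 0;
#ifdef KRB5
    if (krb5_verify(pwd, password) == 0) {
        auth = AUTH_KRB5;
        return 0;
    }
#endif
#ifdef OTP
    if (otp_verify(pwd, password) == 0) {
        auth = AUTH_OTP;
        return 0;
    }
#endif
    return 1;
}

static void
usage(int status)
{
    arg_printusage(args, nargs, NULL, "[username]");
    exit(status);
}

/*
 * Installed for SIGALRM by main() (login_timeout), and also called
 * directly with sig == 0 on EOF from read_string().  Note that fprintf()
 * and exit() are not async-signal-safe; this is pre-existing behaviour
 * kept as is, and benign in practice since the process only exits.
 */
static RETSIGTYPE
sig_handler(int sig)
{
    if (sig == SIGALRM)
        fprintf(stderr, "Login timed out after %d seconds\n", login_timeout);
    else
        fprintf(stderr, "Login received signal, exiting\n");
    exit(0);
}

/*
 * Entry point.  Parses options, drops any environment the caller did not
 * explicitly preserve, then runs the login dialogue up to max_tries times
 * under an alarm(2) of login_timeout seconds.  Once a password (or the -f
 * pre-authentication) has been accepted and login.access permits the
 * login, do_login() takes over and never returns.
 */
int
main(int argc, char **argv)
{
    int max_tries = 5;
    int try;
    char username[32];
    int optidx = 0;
    int ask = 1;
    struct sigaction sa;

    setprogname(argv[0]);

#ifdef KRB5
    {
        krb5_error_code ret;

        ret = krb5_init_context(&context);
        if (ret)
            errx(1, "krb5_init_context failed: %d", ret);
    }
#endif

    openlog("login", LOG_ODELAY | LOG_PID, LOG_AUTH);

    if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
        usage(1);
    argc -= optidx;
    argv += optidx;
    if (help_flag)
        usage(0);
    if (version_flag) {
        print_version(NULL);
        return 0;
    }
    if (geteuid() != 0)
        errx(1, "only root may use login, use su");

    /* Default tty settings. */
    stty_default();

    if (p_flag)
        copy_env();
    else {
        /* this set of variables is always preserved by BSD login */
        if (getenv("TERM"))
            add_env("TERM", getenv("TERM"));
        if (getenv("TZ"))
            add_env("TZ", getenv("TZ"));
    }

    if (*argv) {
        if (strchr(*argv, '=') == NULL && strcmp(*argv, "-") != 0) {
            /*
             * A name that does not fit in `username' is not silently
             * truncated: the truncated form could be a different, valid
             * account, and with -f it would be logged in without a
             * password.  Fall back to prompting (which also clears -f).
             */
            if (strlcpy(username, *argv, sizeof(username)) < sizeof(username))
                ask = 0;
        }
    }
#if defined(DCE) && defined(AIX)
    esetenv("AUTHSTATE", "DCE", 1);
#endif

    /* XXX should we care about environment on the command line? */

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = sig_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGALRM, &sa, NULL);
    alarm(login_timeout);

    for (try = 0; try < max_tries; try++) {
        struct passwd *pwd;
        char password[128];
        int ret;
        char ttname[32];
        char *tty, *ttyn;
        char prompt[128];
#ifdef OTP
        char otp_str[256];
#endif

        if (ask) {
            /* The caller's -f only covers a name it supplied itself; once
               we prompt for the name, a password is required. */
            f_flag = 0;
#if 0
            r_flag = 0;
#endif
            ret = read_string("login: ", username, sizeof(username), 1);
            if (ret == -3)
                exit(0);
            if (ret == -2)
                sig_handler(0); /* exit */
        }
        pwd = k_getpwnam(username);
#ifdef ALLOW_NULL_PASSWORD
        if (pwd != NULL && pwd->pw_passwd != NULL && (pwd->pw_passwd[0] == '\0')) {
            strcpy(password, "");
        } else
#endif
        {
#ifdef OTP
            if (auth_level && strcmp(auth_level, "otp") == 0 &&
                otp_challenge(&otp_ctx, username, otp_str, sizeof(otp_str)) == 0)
                snprintf(prompt, sizeof(prompt), "%s's %s Password: ",
                         username, otp_str);
            else
#endif
                strncpy(prompt, "Password: ", sizeof(prompt));

            /* The password is asked for even when the account does not
               exist, so the prompt does not reveal valid names. */
            if (f_flag == 0) {
                ret = read_string(prompt, password, sizeof(password), 0);
                if (ret == -3) {
                    ask = 1;
                    continue;
                }
                if (ret == -2)
                    sig_handler(0);
            }
        }

        if (pwd == NULL) {
            fprintf(stderr, "Login incorrect.\n");
            ask = 1;
            continue;
        }

        if (f_flag ==  0 && check_password(pwd, password)) {
            fprintf(stderr, "Login incorrect.\n");
            ask = 1;
            continue;
        }

        ttyn = ttyname(STDIN_FILENO);
        if (ttyn == NULL) {
            snprintf(ttname, sizeof(ttname), "%s??", _PATH_TTY);
            ttyn = ttname;
        }
        if (strncmp(ttyn, _PATH_DEV, strlen(_PATH_DEV)) == 0)
            tty = ttyn + strlen(_PATH_DEV);
        else
            tty = ttyn;

        /* login.access is consulted after authentication, for -f too; the
           host name from -h is used as given. */
        if (login_access(pwd, remote_host ? remote_host : tty) == 0) {
            fprintf(stderr, "Permission denied\n");
            if (remote_host)
                syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s",
                       pwd->pw_name, remote_host);
            else
                syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
                       pwd->pw_name, tty);
            exit(1);
        } else {
            if (remote_host)
                syslog(LOG_NOTICE, "%s LOGIN ACCEPTED FROM %s ppid=%d",
                       pwd->pw_name, remote_host, (int) getppid());
            else
                syslog(LOG_NOTICE, "%s LOGIN ACCEPTED ON %s ppid=%d",
                       pwd->pw_name, tty, (int) getppid());
        }
        alarm(0);
        do_login(pwd, tty, ttyn);
    }
    exit(1);
}
heimdal-1.7~git20150920+dfsg/appl/login/login_access.c000066400000000000000000000212051257755311500223040ustar00rootroot00000000000000/************************************************************************
 * Copyright 1995 by Wietse Venema.  All rights reserved.  Some individual
 * files may be covered by other copyrights.
 *
 * This material was originally written and compiled by Wietse Venema at
 * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
 * 1992, 1993, 1994 and 1995.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that this entire copyright notice
 * is duplicated in all such copies.
 *
 * This software is provided "as is" and without any expressed or implied
 * warranties, including, without limitation, the implied warranties of
 * merchantibility and fitness for any particular purpose.
 ************************************************************************/
/*
 * This module implements a simple but effective form of login access
 * control based on login names and on host (or domain) names, internet
 * addresses (or network numbers), or on terminal line names in case of
 * non-networked logins. Diagnostics are reported through syslog(3).
 *
 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
 */

#include "login_locl.h"

RCSID("$Id$");

/* Delimiters for fields and for lists of users, ttys or hosts.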
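*/

static char fs[] = ":";         /* field separator */
static char sep[] = ", \t";     /* list-element separator */

/* Constants to be used in assignments only, not in comparisons... */

#define YES 1
#define NO  0

/*
 * A structure to bundle up all login-related information to keep the
 * functional interfaces as generic as possible.
 */
struct login_info {
    struct passwd *user;
    char   *from;
};

static int list_match(char *list, struct login_info *item,
                      int (*match_fn)(char *, struct login_info *));
static int user_match(char *tok, struct login_info *item);
static int from_match(char *tok, struct login_info *item);
static int string_match(char *tok, char *string);

/* login_access - match username/group and host/tty with access control file */

/*
 * Returns non-zero if `user' may log in from `from' (a host name or a tty
 * name) according to _PATH_LOGACCESS, zero if the first matching entry
 * denies access.  A missing table, or a table with no matching entry,
 * allows the login.
 */
int
login_access(struct passwd *user, char *from)
{
    struct login_info item;
    FILE   *fp;
    char    line[BUFSIZ];
    char   *perm;               /* becomes permission field */
    char   *users;              /* becomes list of login names */
    char   *froms;              /* becomes list of terminals or hosts */
    int     match = NO;
    int     end;
    size_t  len;
    int     lineno = 0;         /* for diagnostics */
    char   *foo;

    /*
     * Bundle up the arguments to avoid unnecessary clumsiness lateron.
     */
    item.user = user;
    item.from = from;

    /*
     * Process the table one line at a time and stop at the first match.
     * Blank lines and lines that begin with a '#' character are ignored.
     * Non-comment lines are broken at the ':' character. All fields are
     * mandatory. The first field should be a "+" or "-" character. A
     * non-existing table means no access control.
     */
    if ((fp = fopen(_PATH_LOGACCESS, "r")) != 0) {
        while (!match && fgets(line, sizeof(line), fp)) {
            lineno++;
            len = strlen(line);
            /*
             * A line that begins with a NUL byte has strlen 0; the old
             * code indexed line[strlen(line) - 1] unconditionally and then
             * wrote line[-1] when stripping whitespace.  Reject it here.
             */
            if (len == 0 || line[len - 1] != '\n') {
                syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
                       _PATH_LOGACCESS, lineno);
                continue;
            }
            end = (int)len - 1;
            if (line[0] == '#')
                continue;                       /* comment line */
            while (end > 0 && isspace((unsigned char)line[end - 1]))
                end--;
            line[end] = 0;                      /* strip trailing whitespace */
            if (line[0] == 0)                   /* skip blank lines */
                continue;
            foo = NULL;
            if (!(perm = strtok_r(line, fs, &foo))
                || !(users = strtok_r(NULL, fs, &foo))
                || !(froms = strtok_r(NULL, fs, &foo))
                || strtok_r(NULL, fs, &foo)) {
                syslog(LOG_ERR, "%s: line %d: bad field count",
                       _PATH_LOGACCESS, lineno);
                continue;
            }
            if (perm[0] != '+' && perm[0] != '-') {
                syslog(LOG_ERR, "%s: line %d: bad first field",
                       _PATH_LOGACCESS, lineno);
                continue;
            }
            match = (list_match(froms, &item, from_match)
                     && list_match(users, &item, user_match));
        }
        fclose(fp);
    } else if (errno != ENOENT) {
        syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
    }
    /* No match (or no table) allows; otherwise the matching line decides. */
    return (match == 0 || (line[0] == '+'));
}

/* list_match - match an item against a list of tokens with exceptions */

/*
 * Worker for list_match() that carries the strtok_r() save pointer, so
 * that the recursive call for the EXCEPT part continues tokenising the
 * same list.  The previous code recursed with a fresh NULL save pointer:
 * strtok_r(NULL, ..) then dereferenced NULL on glibc and returned no
 * tokens on BSD/musl, i.e. every EXCEPT clause was either a crash or
 * silently ignored ("+:ALL EXCEPT bad:ALL" admitted "bad").
 */
static int
list_match_r(char *list, char **save, struct login_info *item,
             int (*match_fn)(char *, struct login_info *))
{
    char   *tok;
    int     match = NO;

    /*
     * Process tokens one at a time. We have exhausted all possible matches
     * when we reach an "EXCEPT" token or the end of the list. If we do find
     * a match, look for an "EXCEPT" list and recurse to determine whether
     * the match is affected by any exceptions.
     */
    for (tok = strtok_r(list, sep, save); tok != NULL;
         tok = strtok_r(NULL, sep, save)) {
        if (strcasecmp(tok, "EXCEPT") == 0)     /* EXCEPT: give up */
            break;
        if ((match = (*match_fn) (tok, item)) != 0) /* YES */
            break;
    }

    /* Process exceptions to matches. */
    if (match != NO) {
        while ((tok = strtok_r(NULL, sep, save)) && strcasecmp(tok, "EXCEPT"))
            /* VOID */ ;
        if (tok == 0 || list_match_r(NULL, save, item, match_fn) == NO)
            return (match);
    }
    return (NO);
}

static int
list_match(char *list, struct login_info *item,
           int (*match_fn)(char *, struct login_info *))
{
    char   *save = NULL;

    return list_match_r(list, &save, item, match_fn);
}

/* myhostname - figure out local machine name */

/* Cached local hostname; an empty result (gethostname failure) is retried
   on the next call. */
static char *
myhostname(void)
{
    static char name[MAXHOSTNAMELEN + 1] = "";

    if (name[0] == 0) {
        gethostname(name, sizeof(name));
        name[MAXHOSTNAMELEN] = 0;
    }
    return (name);
}

/* netgroup_match - match group against machine or user */

/* Without NIS support every netgroup token is logged and never matches. */
static int
netgroup_match(char *group, char *machine, char *user)
{
#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
    static char *mydomain = 0;

    if (mydomain == 0)
        yp_get_default_domain(&mydomain);
    return (innetgr(group, machine, user, mydomain));
#else
    syslog(LOG_ERR, "NIS netgroup support not configured");
    return 0;
#endif
}

/* user_match - match a username against one token */

static int
user_match(char *tok, struct login_info *item)
{
    char   *string = item->user->pw_name;
    struct login_info fake_item;
    struct group *group;
    int     i;
    char   *at;

    /*
     * If a token has the magic value "ALL" the match always succeeds.
     * Otherwise, return YES if the token fully matches the username, if the
     * token is a group that contains the username, or if the token is the
     * name of the user's primary group.
     */
    if ((at = strchr(tok + 1, '@')) != 0) {     /* split user@host pattern */
        *at = 0;
        fake_item.user = item->user;
        fake_item.from = myhostname();
        return (user_match(tok, item) && from_match(at + 1, &fake_item));
    } else if (tok[0] == '@') {                 /* netgroup */
        return (netgroup_match(tok + 1, (char *) 0, string));
    } else if (string_match(tok, string)) {     /* ALL or exact match */
        return (YES);
    } else if ((group = getgrnam(tok)) != 0) {  /* try group membership */
        if (item->user->pw_gid == group->gr_gid)
            return (YES);
        for (i = 0; group->gr_mem[i]; i++)
            if (strcasecmp(string, group->gr_mem[i]) == 0)
                return (YES);
    }
    return (NO);
}

/* from_match - match a host or tty against a list of tokens */

static int
from_match(char *tok, struct login_info *item)
{
    char   *string = item->from;
    int     tok_len;
    int     str_len;

    /*
     * If a token has the magic value "ALL" the match always succeeds. Return
     * YES if the token fully matches the string. If the token is a domain
     * name, return YES if it matches the last fields of the string. If the
     * token has the magic value "LOCAL", return YES if the string does not
     * contain a "." character. If the token is a network number, return YES
     * if it matches the head of the string.
     */
    if (tok[0] == '@') {                        /* netgroup */
        return (netgroup_match(tok + 1, string, (char *) 0));
    } else if (string_match(tok, string)) {     /* ALL or exact match */
        return (YES);
    } else if (tok[0] == '.') {                 /* domain: match last fields */
        if ((str_len = strlen(string)) > (tok_len = strlen(tok))
            && strcasecmp(tok, string + str_len - tok_len) == 0)
            return (YES);
    } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
        if (strchr(string, '.') == 0)
            return (YES);
    } else if (tok[(tok_len = strlen(tok)) - 1] == '.'  /* network */
               && strncmp(tok, string, tok_len) == 0) {
        return (YES);
    }
    return (NO);
}

/* string_match - match a string against one token */

static int
string_match(char *tok, char *string)
{
    /*
     * If the token has the magic value "ALL" the match always succeeds.
     * Otherwise, return YES if the token fully matches the string.
     */
    if (strcasecmp(tok, "ALL") == 0) {          /* all: always matches */
        return (YES);
    } else if (strcasecmp(tok, string) == 0) {  /* try exact match */
        return (YES);
    }
    return (NO);
}
heimdal-1.7~git20150920+dfsg/appl/login/login_locl.h000066400000000000000000000072571257755311500220140ustar00rootroot00000000000000/*
 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.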
*/ /* $Id$ */ #ifndef __LOGIN_LOCL_H__ #define __LOGIN_LOCL_H__ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_PATHS_H #include #endif #ifdef HAVE_UTMP_H #include #endif #ifdef HAVE_UTMPX_H #include #endif #ifdef HAVE_UDB_H #include #endif #ifdef HAVE_SYS_RESOURCE_H #include #endif #ifdef HAVE_SYS_CATEGORY_H #include #endif #ifdef HAVE_SYS_WAIT_H #include #endif #ifdef HAVE_SHADOW_H #include #endif #ifdef HAVE_NETGROUP_H #include #endif #ifdef HAVE_RPCSVC_YPCLNT_H #include #endif #ifdef KRB5 #include #endif #include #ifdef OTP #include #endif #ifdef HAVE_OSFC2 #define getargs OSFgetargs #include "/usr/include/prot.h" #undef getargs #endif #ifndef _PATH_BSHELL #define _PATH_BSHELL "/bin/sh" #endif #ifndef _PATH_TTY #define _PATH_TTY "/dev/tty" #endif #ifndef _PATH_DEV #define _PATH_DEV "/dev/" #endif #ifndef _PATH_WTMP #ifdef WTMP_FILE #define _PATH_WTMP WTMP_FILE #else #define _PATH_WTMP "/var/adm/wtmp" #endif #endif #ifndef _PATH_UTMP #ifdef UTMP_FILE #define _PATH_UTMP UTMP_FILE #else #define _PATH_UTMP "/var/adm/utmp" #endif #endif /* if cygwin doesnt have WTMPX_FILE, it uses wtmp for wtmpx * http://www.cygwin.com/ml/cygwin/2006-12/msg00630.html */ #ifdef __CYGWIN__ #ifndef WTMPX_FILE #define WTMPX_FILE WTMP_FILE #endif #endif #ifndef _PATH_LOGACCESS #define _PATH_LOGACCESS SYSCONFDIR "/login.access" #endif /* _PATH_LOGACCESS */ #ifndef _PATH_LOGIN_CONF #define _PATH_LOGIN_CONF SYSCONFDIR "/login.conf" #endif /* _PATH_LOGIN_CONF */ #ifndef _PATH_DEFPATH #define _PATH_DEFPATH "/usr/bin:/bin" #endif #include "loginpaths.h" struct spwd; extern char **env; extern int num_env; #include "login-protos.h" #endif /* __LOGIN_LOCL_H__ */ heimdal-1.7~git20150920+dfsg/appl/login/loginpaths.h000066400000000000000000000036771257755311500220450ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * 
(Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ /* $Id$ */ #ifndef __LOGIN_PATH_H #define __LOGIN_PATH_H #ifndef _PATH_NOLOGIN #define _PATH_NOLOGIN "/etc/nologin" #endif #ifndef _PATH_ETC_ENVIRONMENT #define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment" #endif #ifndef _PATH_LIMITS_CONF #define _PATH_LIMITS_CONF "/etc/security/limits.conf" #endif #endif /* __LOGIN_PATH_H */ heimdal-1.7~git20150920+dfsg/appl/login/osfc2.c000066400000000000000000000054021257755311500206700ustar00rootroot00000000000000/* * Copyright (c) 1998 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */

#include "login_locl.h"

RCSID("$Id$");

#ifdef HAVE_OSFC2
/* Common refusal path: tell the user and report failure to the caller. */
static int
osfc2_refuse(void)
{
    printf("Sorry.\n");
    return 1;
}
#endif

/*
 * OSF/1 C2 ("enhanced security") hook.
 *
 * With HAVE_OSFC2, look up the extended password entry for uid, refuse the
 * login if there is none or if the entry carries no uid, and otherwise set
 * the login UID (LUID) and verify that it took.  Every refusal is logged
 * to LOG_AUTHPRIV before "Sorry." is printed.  Without HAVE_OSFC2 this is
 * a no-op that reports success.
 *
 * Returns 0 when the login may proceed and 1 when it must be refused.
 *
 * Note the original author's caveat below: retired and time-locked
 * accounts are deliberately not examined here, only the LUID is handled.
 */
int
do_osfc2_magic(uid_t uid)
{
#ifdef HAVE_OSFC2
    struct es_passwd *es;
    char *fake_argv[2];

    /* set_auth_parameters() wants an argv; hand it just our own name. */
    fake_argv[0] = (char*)getprogname();
    fake_argv[1] = NULL;
    set_auth_parameters(1, fake_argv);

    es = getespwuid(uid);
    if (es == NULL) {
	syslog(LOG_AUTHPRIV|LOG_NOTICE, "getespwuid failed for %d", uid);
	return osfc2_refuse();
    }

    /*
     * We don't check for auto-retired, foo-retired, bar-retired, or any
     * other kind of retired accounts here; neither do we check for
     * time-locked accounts, or any other kind of serious C2 mumbo-jumbo.
     * We do, however, call setluid, since failing to do so is not very good
     * (take my word for it).
     */
    if (!es->uflg->fg_uid) {
	syslog(LOG_AUTHPRIV|LOG_NOTICE, "attempted login by %s (has no uid)",
	       es->ufld->fd_name);
	return osfc2_refuse();
    }

    setluid(es->ufld->fd_uid);
    if (getluid() != es->ufld->fd_uid) {
	syslog(LOG_AUTHPRIV|LOG_NOTICE, "failed to set LUID for %s (%d)",
	       es->ufld->fd_name, es->ufld->fd_uid);
	return osfc2_refuse();
    }
#endif /* HAVE_OSFC2 */
    return 0;
}
heimdal-1.7~git20150920+dfsg/appl/login/read_string.c000066400000000000000000000064371257755311500221640ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1.
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
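*/

#include "login_locl.h"

RCSID("$Id$");

/* Set by intr() when any caught signal arrives while read_string() runs. */
static sig_atomic_t intr_flag;

/* Signal handler: only record that the read was interrupted. */
static void
intr(int sig)
{
    intr_flag++;
}

#ifndef NSIG
#define NSIG 47
#endif

/*
 * Print `prompt` on stderr and read one line from the controlling terminal
 * (falling back to stdin when /dev/tty cannot be opened) into buf[len].
 * With echo == 0 terminal echo is switched off while reading, which is how
 * pass-phrases are collected.  For the duration, every signal except
 * SIGALRM is diverted to intr() so that e.g. ^C ends the read instead of
 * killing the process with echo still disabled; the previous dispositions
 * are restored before returning.
 *
 * Returns
 *    0  a line was read and NUL-terminated in buf
 *   -1  the line did not fit: buf holds the first len-1 characters and the
 *       rest of the line was read and discarded (also returned for len == 0)
 *   -2  a signal interrupted the read
 *   -3  end of file before a newline
 *
 * A read error that is not an interrupt (ferror() set, intr_flag clear)
 * keeps the historical behaviour of returning 0 with whatever was read;
 * presumably a SIGALRM-driven timeout in the caller relies on that --
 * TODO confirm before tightening.
 */
int
read_string(const char *prompt, char *buf, size_t len, int echo)
{
    struct sigaction sigs[NSIG];
    int oksigs[NSIG];
    struct sigaction sa;
    FILE *tty;
    int ret = 0;
    int of = 0;
    int have_termios = 0;
    size_t i;
    int c;
    char *p;
    struct termios t_new, t_old;

    /*
     * Nothing can be stored in a zero-length buffer.  The old loop only
     * noticed "full" after a write, so len == 0 wrote past the buffer.
     */
    if (len == 0)
	return -1;

    memset(&oksigs, 0, sizeof(oksigs));
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = intr;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    for (i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
	if (i != SIGALRM)
	    if (sigaction(i, &sa, &sigs[i]) == 0)
		oksigs[i] = 1;

    if ((tty = fopen("/dev/tty", "r")) == NULL)
	tty = stdin;

    fprintf(stderr, "%s", prompt);
    fflush(stderr);

    if (echo == 0) {
	/*
	 * Only touch the terminal modes if they could be read; otherwise
	 * (stdin is a pipe, say) t_old would be uninitialised and we would
	 * later "restore" garbage.
	 */
	if (tcgetattr(fileno(tty), &t_old) == 0) {
	    have_termios = 1;
	    memcpy(&t_new, &t_old, sizeof(t_new));
	    t_new.c_lflag &= ~ECHO;
	    tcsetattr(fileno(tty), TCSANOW, &t_new);
	}
    }

    intr_flag = 0;
    p = buf;
    while (intr_flag == 0) {
	c = getc(tty);
	if (c == EOF) {
	    if (!ferror(tty))
		ret = 1;
	    break;
	}
	if (c == '\n')
	    break;
	if (p < buf + len) {
	    *p++ = c;
	    /* Buffer full: keep draining the line, remember the overflow. */
	    if (p == buf + len)
		of = 1;
	} else {
	    of = 1;
	}
    }
    if (of)
	p--;			/* make room for the terminator (len > 0) */
    *p = 0;

    if (echo == 0) {
	printf("\n");
	if (have_termios)
	    tcsetattr(fileno(tty), TCSANOW, &t_old);
    }
    if (tty != stdin)
	fclose(tty);

    for (i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
	if (oksigs[i])
	    sigaction(i, &sigs[i], NULL);

    if (ret)
	return -3;
    if (intr_flag)
	return -2;
    if (of)
	return -1;
    return 0;
}

#if 0
int
main()
{
    char s[128];
    int ret;
    ret = read_string("foo: ", s, sizeof(s), 0);
    printf("%d ->%s<-\n", ret, s);
}
#endif
heimdal-1.7~git20150920+dfsg/appl/login/shadow.c000066400000000000000000000060031257755311500211370ustar00rootroot00000000000000/* * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1.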
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
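*/

#include "login_locl.h"

RCSID("$Id$");

#ifdef HAVE_SHADOW_H

#ifndef _PATH_CHPASS
#define _PATH_CHPASS "/usr/bin/passwd"
#endif

/*
 * Run the password-change program for `who` and wait for it.
 *
 * Returns 0 if passwd exited normally with status 0 and non-zero if the
 * fork failed, passwd could not be started, was killed by a signal, or
 * reported failure.  (The old code returned the raw wait status, which is
 * 0 in exactly the same case, so a caller testing for 0 sees no change.)
 */
static int
change_passwd(const struct passwd *who)
{
    int status;
    pid_t pid;

    switch (pid = fork()) {
    case -1:
	/* The old message named /bin/passwd and carried no errno. */
	perror("fork");
	exit(1);
    case 0:
	/*
	 * execl rather than execlp: _PATH_CHPASS is an absolute path and a
	 * PATH search from a privileged login process is never wanted.
	 * _exit so the child does not flush the parent's stdio buffers.
	 */
	execl(_PATH_CHPASS, "passwd", who->pw_name, (char *) 0);
	_exit(1);
    default:
	while (waitpid(pid, &status, 0) == -1) {
	    if (errno != EINTR)
		return 1;
	}
	if (!WIFEXITED(status))
	    return 1;
	return WEXITSTATUS(status);
    }
}

/*
 * Enforce the shadow(5) ageing fields of `sp` for the account `pw`.
 *
 *  - sp_expire: an expired account is refused (message, short pause, exit);
 *    a warning is printed during the last 14 days.
 *  - sp_max: a password older than sp_max days must be changed now.  If
 *    the change does not succeed the login is refused rather than letting
 *    the session continue on the expired password.  Inside the sp_warn
 *    window a warning is printed.
 *
 * sp == NULL (no shadow entry) means there is nothing to enforce.
 *
 * NOTE(review): shadow(5) gives sp_lstchg == 0 the special meaning "must
 * change at next login"; that case is only caught here when sp_max > 0 --
 * confirm whether the callers rely on that.
 */
void
check_shadow(const struct passwd *pw, const struct spwd *sp)
{
    long today;

    today = time(0)/(24L * 60 * 60);

    if (sp == NULL)
	return;

    if (sp->sp_expire > 0) {
	if (today >= sp->sp_expire) {
	    printf("Your account has expired.\n");
	    sleep(1);
	    exit(0);
	} else if (sp->sp_expire - today < 14) {
	    printf("Your account will expire in %d days.\n",
		   (int)(sp->sp_expire - today));
	}
    }

    if (sp->sp_max > 0) {
	if (today >= (sp->sp_lstchg + sp->sp_max)) {
	    printf("Your password has expired. Choose a new one.\n");
	    /*
	     * Fail closed.  The old code ignored the result, so aborting
	     * passwd (^C, EOF) let the session proceed with the expired
	     * password.
	     */
	    if (change_passwd(pw) != 0) {
		printf("Password not changed.\n");
		sleep(1);
		exit(1);
	    }
	} else if (sp->sp_warn > 0 &&
		   (today > (sp->sp_lstchg + sp->sp_max - sp->sp_warn))) {
	    printf("Your password will expire in %d days.\n",
		   (int)(sp->sp_lstchg + sp->sp_max - today));
	}
    }
}

#endif /* HAVE_SHADOW_H */
heimdal-1.7~git20150920+dfsg/appl/login/stty_default.c000066400000000000000000000054071257755311500223700ustar00rootroot00000000000000/* * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3.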
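Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */

#include "login_locl.h"

RCSID("$Id$");

#include

/* HP-UX 9.0 termios doesn't define these */
#ifndef FLUSHO
#define FLUSHO 0
#endif
#ifndef XTABS
#define XTABS 0
#endif
#ifndef OXTABS
#define OXTABS XTABS
#endif

/* Ultrix... */
#ifndef ECHOPRT
#define ECHOPRT 0
#endif
#ifndef ECHOCTL
#define ECHOCTL 0
#endif
#ifndef ECHOKE
#define ECHOKE 0
#endif
#ifndef IMAXBEL
#define IMAXBEL 0
#endif

/* Control-character value of a letter: Ctl('C') == 0x03. */
#define Ctl(x) ((x) ^ 0100)

/*
 * Finalize the terminal settings on fd 0 before the user's shell starts:
 * canonical input with echo and signal generation, CR->NL translation,
 * output post-processing and the conventional control characters.  Some
 * systems default to 8 bits, others to 7, so character size and parity are
 * left alone.
 *
 * If fd 0 is not a terminal nothing is done.  The old code ignored a
 * failing tcgetattr() and went on to modify and apply an uninitialised
 * struct termios.
 */
void
stty_default(void)
{
    struct termios termios;

    if (tcgetattr(0, &termios) != 0)
	return;
    termios.c_iflag |= (BRKINT|IGNPAR|ICRNL|IXON|IMAXBEL);
    termios.c_iflag &= ~IXANY;
    termios.c_lflag |= (ISIG|IEXTEN|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE);
    termios.c_lflag &= ~(ECHOPRT|TOSTOP|FLUSHO);
    termios.c_oflag |= (OPOST|ONLCR);
    termios.c_oflag &= ~OXTABS;
    termios.c_cc[VINTR] = Ctl('C');
    termios.c_cc[VERASE] = Ctl('H');
    termios.c_cc[VKILL] = Ctl('U');
    termios.c_cc[VEOF] = Ctl('D');
    termios.c_cc[VSUSP] = Ctl('Z');
    tcsetattr(0, TCSANOW, &termios);
}
heimdal-1.7~git20150920+dfsg/appl/login/tty.c000066400000000000000000000043321257755311500204750ustar00rootroot00000000000000/* * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED.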
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */

#include "login_locl.h"

RCSID("$Id$");

/*
 * If `s` starts with `prefix`, return a pointer just past it; otherwise
 * return `s` itself.  Nothing is copied or modified.
 */
static char *
skip_prefix (char *s, const char *prefix)
{
    size_t n = strlen(prefix);

    return strncmp (s, prefix, n) == 0 ? s + n : s;
}

/*
 * Clean the tty name: drop a leading _PATH_DEV ("/dev/") and then, in that
 * order, a leading "pty/" and "ptym/".  Returns a pointer into `tty`.
 */
char *
clean_ttyname (char *tty)
{
    char *name;

    name = skip_prefix (tty, _PATH_DEV);
    name = skip_prefix (name, "pty/");
    name = skip_prefix (name, "ptym/");
    return name;
}

/*
 * Generate a name usable as an `ut_id', typically without `tty': a leading
 * "pts/" or "tty" is dropped.  Returns a pointer into `tty`.
 */
char *
make_id (char *tty)
{
    char *id;

    id = skip_prefix (tty, "pts/");
    id = skip_prefix (id, "tty");
    return id;
}
heimdal-1.7~git20150920+dfsg/appl/login/utmp_login.c000066400000000000000000000110521257755311500220270ustar00rootroot00000000000000/* * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3.
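Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */

#include "login_locl.h"

RCSID("$Id$");

/*
 * Put something useful derived from `hostname` into the fixed-width field
 * dst[dst_sz], trying in order: the full name if it fits; the first label
 * if the rest of the name equals our own domain; the numeric address; and
 * finally the truncated name itself.
 *
 * The last resort uses strncpy() on purpose: utmp host fields are fixed
 * width and need not be NUL-terminated, so in that case dst may not be a
 * C string.  Callers that need one must terminate it themselves.
 *
 * NOTE(review): the numeric-address fallback does a forward DNS lookup of
 * whatever the caller passed as the host name; presumably the only source
 * is login's own -h handling on behalf of rlogind/telnetd -- verify the
 * string can never come from an unprivileged caller.
 */
void
shrink_hostname (const char *hostname,
		 char *dst, size_t dst_sz)
{
    char local_hostname[MaxHostNameLen];
    char *ld, *hd;
    int ret;
    struct addrinfo *ai;

    if (strlen(hostname) < dst_sz) {
	strlcpy (dst, hostname, dst_sz);
	return;
    }

    /*
     * gethostname() guarantees neither NUL termination on truncation nor a
     * defined buffer on failure; the old code compared against it anyway.
     */
    if (gethostname (local_hostname, sizeof(local_hostname)) != 0)
	local_hostname[0] = '\0';
    local_hostname[sizeof(local_hostname) - 1] = '\0';

    hd = strchr (hostname, '.');
    ld = strchr (local_hostname, '.');
    if (hd != NULL && ld != NULL && strcmp(hd, ld) == 0
	&& (size_t)(hd - hostname) < dst_sz) {
	strlcpy (dst, hostname, dst_sz);
	dst[hd - hostname] = '\0';
	return;
    }
    ret = getaddrinfo (hostname, NULL, NULL, &ai);
    if (ret) {
	strncpy (dst, hostname, dst_sz);
	return;
    }
    ret = getnameinfo (ai->ai_addr, ai->ai_addrlen,
		       dst, dst_sz,
		       NULL, 0, NI_NUMERICHOST);
    freeaddrinfo (ai);
    if (ret) {
	strncpy (dst, hostname, dst_sz);
	return;
    }
}

/* update utmp and wtmp - the BSD way */

#if !defined(HAVE_UTMPX_H) || (defined(WTMP_FILE) && !defined(WTMPX_FILE))
/*
 * Fill a zeroed struct utmp for a login on `tty` by `username` from
 * `hostname`.  Fixed-width fields are filled with strncpy() and are not
 * guaranteed to be NUL-terminated, which is what utmp readers expect.
 */
void
prepare_utmp (struct utmp *utmp, char *tty,
	      const char *username, const char *hostname)
{
    char *ttyx = clean_ttyname (tty);

    memset(utmp, 0, sizeof(*utmp));
    utmp->ut_time = time(NULL);
    strncpy(utmp->ut_line, ttyx, sizeof(utmp->ut_line));
    strncpy(utmp->ut_name, username, sizeof(utmp->ut_name));

# ifdef HAVE_STRUCT_UTMP_UT_USER
    strncpy(utmp->ut_user, username, sizeof(utmp->ut_user));
# endif
# ifdef HAVE_STRUCT_UTMP_UT_ADDR
    /* Best effort: an unresolvable host leaves ut_addr zero. */
    if (hostname[0]) {
	struct hostent *he;
	if ((he = gethostbyname(hostname)))
	    memcpy(&utmp->ut_addr, he->h_addr_list[0],
		   sizeof(utmp->ut_addr));
    }
# endif
# ifdef HAVE_STRUCT_UTMP_UT_HOST
    shrink_hostname (hostname, utmp->ut_host, sizeof(utmp->ut_host));
# endif
# ifdef HAVE_STRUCT_UTMP_UT_TYPE
    utmp->ut_type = USER_PROCESS;
# endif
# ifdef HAVE_STRUCT_UTMP_UT_PID
    utmp->ut_pid = getpid();
# endif
# ifdef HAVE_STRUCT_UTMP_UT_ID
    strncpy(utmp->ut_id, make_id(ttyx), sizeof(utmp->ut_id));
# endif
}
#endif

#ifdef HAVE_UTMPX_H
/* utmpx is available: utmpx_login() does the recording instead. */
void
utmp_login(char *tty, const char *username, const char *hostname)
{
    return;
}
#else
/*
 * Record the login in utmp (via pututline(), or by writing the ttyslot()
 * record directly) and append it to wtmp.  Both updates are best effort;
 * a failed write is not reported to the caller.
 */
void
utmp_login(char *tty, const char *username, const char *hostname)
{
    struct utmp utmp;
    int fd;

    prepare_utmp (&utmp, tty, username, hostname);
#ifdef HAVE_SETUTENT
    utmpname(_PATH_UTMP);
    setutent();
    pututline(&utmp);
    endutent();
#else
#ifdef HAVE_TTYSLOT
    {
	int ttyno;
	ttyno = ttyslot();
	if (ttyno > 0 && (fd = open(_PATH_UTMP, O_WRONLY, 0)) >= 0) {
	    lseek(fd, (long)(ttyno * sizeof(struct utmp)), SEEK_SET);
	    write(fd, &utmp, sizeof(struct utmp));
	    close(fd);
	}
    }
#endif /* HAVE_TTYSLOT */
#endif /* HAVE_SETUTENT */
    if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
	write(fd, &utmp, sizeof(struct utmp));
	close(fd);
    }
}
#endif /* !HAVE_UTMPX_H */
heimdal-1.7~git20150920+dfsg/appl/login/utmpx_login.c000066400000000000000000000063161257755311500222260ustar00rootroot00000000000000/************************************************************************ * Copyright 1995 by Wietse Venema. All rights reserved. Some individual * files may be covered by other copyrights.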
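* * This material was originally written and compiled by Wietse Venema at * Eindhoven University of Technology, The Netherlands, in 1990, 1991, * 1992, 1993, 1994 and 1995. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that this entire copyright notice * is duplicated in all such copies. * * This software is provided "as is" and without any expressed or implied * warranties, including, without limitation, the implied warranties of * merchantibility and fitness for any particular purpose. ************************************************************************/

/* Author: Wietse Venema */

#include "login_locl.h"

RCSID("$Id$");

/* utmpx_login - update utmp and wtmp after login */

#ifndef HAVE_UTMPX_H
/* No utmpx on this system: nothing to record, report success. */
int
utmpx_login(char *line, const char *user, const char *host)
{
    return 0;
}
#else

/*
 * Fill in the session fields of `ut` (line, id, user, host, type, time),
 * write it to the utmpx database and append the matching wtmp(x) record.
 *
 * Returns 0 on success and -1 if pututxline() failed.  The wtmp(x) update
 * is best effort either way, as before.
 */
static int
utmpx_update(struct utmpx *ut, char *line, const char *user, const char *host)
{
    struct timeval tmp;
    char *clean_tty = clean_ttyname(line);
    int ret = 0;

    /* utmpx fields are fixed width and need not be NUL-terminated. */
    strncpy(ut->ut_line, clean_tty, sizeof(ut->ut_line));
#ifdef HAVE_STRUCT_UTMPX_UT_ID
    strncpy(ut->ut_id, make_id(clean_tty), sizeof(ut->ut_id));
#endif
    strncpy(ut->ut_user, user, sizeof(ut->ut_user));
    shrink_hostname (host, ut->ut_host, sizeof(ut->ut_host));
#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
    /* Significant length of ut_host including the NUL, clamped to the field. */
    ut->ut_syslen = strlen(host) + 1;
    if (ut->ut_syslen > sizeof(ut->ut_host))
	ut->ut_syslen = sizeof(ut->ut_host);
#endif
    ut->ut_type = USER_PROCESS;
    gettimeofday (&tmp, 0);
    ut->ut_tv.tv_sec = tmp.tv_sec;
    ut->ut_tv.tv_usec = tmp.tv_usec;
    /*
     * The old code dropped this result, so a utmpx database that could not
     * be written (wrong mode, missing file) went unnoticed.
     */
    if (pututxline(ut) == NULL)
	ret = -1;
#ifdef WTMPX_FILE
    updwtmpx(WTMPX_FILE, ut);
#elif defined(WTMP_FILE)
    {
	/* XXX should be removed, just drop wtmp support */
	struct utmp utmp;
	int fd;

	prepare_utmp (&utmp, line, user, host);
	if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
	    write(fd, &utmp, sizeof(struct utmp));
	    close(fd);
	}
    }
#endif
    return ret;
}

/*
 * Record a login on `line` for `user` from `host` in utmpx and wtmp(x).
 *
 * SYSV4 ttymon and login use tty port names with the "/dev/" prefix
 * stripped off. Rlogind and telnetd, on the other hand, make utmpx
 * entries with device names like /dev/pts/nnn. We therefore cannot use
 * getutxline().  Instead an existing INIT/LOGIN/USER_PROCESS entry that
 * carries our own pid is reused; when there is none, a fresh record is
 * appended.
 *
 * Returns 0 on success and -1 if the utmpx record could not be written.
 * (The previous comment promised non-zero when no entry with our pid was
 * found, but the code has always appended a new one in that case and
 * returned 0.)
 */
int
utmpx_login(char *line, const char *user, const char *host)
{
    struct utmpx *ut, save_ut;
    pid_t mypid = getpid();
    int found = 0;
    int ret = 0;

    while ((ut = getutxent())) {		/* Try to find a reusable entry */
	if (ut->ut_pid == mypid
	    && (ut->ut_type == INIT_PROCESS
		|| ut->ut_type == LOGIN_PROCESS
		|| ut->ut_type == USER_PROCESS)) {
	    save_ut = *ut;
	    ret = utmpx_update(&save_ut, line, user, host);
	    found = 1;
	    break;
	}
    }
    if (!found) {				/* Grow utmpx file by one record. */
	struct utmpx newut;

	memset(&newut, 0, sizeof(newut));
	newut.ut_pid = mypid;
	ret = utmpx_update(&newut, line, user, host);
    }
    endutxent();
    return (ret);
}
#endif /* HAVE_UTMPX_H */
heimdal-1.7~git20150920+dfsg/appl/otp/000077500000000000000000000000001257755311500172015ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/otp/ChangeLog000066400000000000000000000026001257755311500207510ustar00rootroot000000000000002006-10-07 Love Hörnquist Åstrand * Makefile.am: Add man_MANS to EXTRA_DIST 2005-05-29 Love Hörquist Åstrand * Makefile.am: add LIB_roken as a explit dependency 2003-09-03 Love Hörquist Åstrand * otpprint.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ * otp.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ 2003-02-25 Love Hörquist Åstrand * otp.c: remove \n from errx, from NetBSD 2000-11-29 Johan Danielsson * otpprint.1: sort parameters and close a list * otp.1: sort parameters and close a list 1999-09-14 Assar Westerlund * otp.c (verify_user_otp): check return value from des_read_pw_string Thu Apr 1 16:51:07 1999 Johan Danielsson * otpprint.c: use getarg * otp.c: use getarg Thu Mar 18 12:08:58 1999 Johan Danielsson * Makefile.am: include Makefile.am.common Thu Mar 4 19:45:40 1999 Johan Danielsson * Makefile.am: DESTDIR Sat Feb 27 19:44:25 1999 Johan Danielsson * Makefile.am: add Sun Nov 22 10:32:50 1998 Assar Westerlund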
* otpprint.c: more braces * Makefile.in (WFLAGS): set Sun Dec 21 09:31:30 1997 Assar Westerlund * otp.c (renew): don't set the OTP if the reading of the string fails. heimdal-1.7~git20150920+dfsg/appl/otp/Makefile.am000066400000000000000000000006501257755311500212360ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common AM_CPPFLAGS += $(INCLUDE_hcrypto) bin_PROGRAMS = otp otpprint bin_SUIDS = otp otp_SOURCES = otp.c otp_locl.h otp_LDADD = $(LIB_hcrypto) $(LIB_roken) $(top_builddir)/lib/otp/libotp.la otpprint_SOURCES = otpprint.c otp_locl.h otpprint_LDADD = $(LIB_hcrypto) $(LIB_roken) $(top_builddir)/lib/otp/libotp.la man_MANS = otp.1 otpprint.1 EXTRA_DIST = NTMakefile $(man_MANS) heimdal-1.7~git20150920+dfsg/appl/otp/NTMakefile000066400000000000000000000027311257755311500211060ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\otp !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/otp/otp.1000066400000000000000000000056371257755311500201000ustar00rootroot00000000000000.\" Copyright (c) 1996, 2000 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $Id$ .\" .Dd November 17, 1996 .Dt OTP 1 .Os KTH-KRB .Sh NAME .Nm otp .Nd manages one-time passwords .Sh SYNOPSIS .Nm otp .Op Fl dhlor .Op Fl f Ar algorithm .Op Fl u Ar user .Ar sequence-number .Ar seed .Sh DESCRIPTION The .Nm program initializes and updates your current series of one-time passwords (OTPs). .Pp Use this to set a new series of one-time passwords. Only perform this on the console or over an encrypted link as you will have to supply your pass-phrase. The other two parameters are .Ar sequence-number and .Ar seed . .Pp Options are: .Bl -tag -width Ds .It Fl d To delete a one-time password. .It Fl f Choose a different .Ar algorithm from the default md5. Pick any of: md4, md5, and sha. .It Fl h For getting a help message. .It Fl l List the current table of one-time passwords. .It Fl o To open (unlock) the otp-entry for a user. .It Fl r To renew a one-time password series. This operation can be performed over a potentially eavesdropped link because you do not supply the pass-phrase. First you need to supply the current one-time password and then the new one corresponding to the supplied .Ar sequence-number and .Ar seed . .It Fl u To choose a different .Ar user to set one-time passwords for. This only works when running .Nm as root.
.El .Sh SEE ALSO .Xr otpprint 1 heimdal-1.7~git20150920+dfsg/appl/otp/otp.c000066400000000000000000000213151257755311500201510ustar00rootroot00000000000000/* * Copyright (c) 1995-1997, 1999 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
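*/
#include "otp_locl.h"
#include RCSID("$Id$");

static int listp;
static int deletep;
static int openp;
static int renewp;
static char *alg_string;
static char *user;
static int version_flag;
static int help_flag;

/* Command-line options; main() restricts -d and -u to root. */
struct getargs args[] = {
    { "list",    'l', arg_flag,   &listp,        "list OTP status", NULL },
    { "delete",  'd', arg_flag,   &deletep,      "delete OTP", NULL },
    { "open",    'o', arg_flag,   &openp,        "open a locked OTP", NULL },
    { "renew",   'r', arg_flag,   &renewp,       "securely renew OTP", NULL },
    { "hash",    'f', arg_string, &alg_string,
      "hash algorithm (md4, md5, or sha)", "algorithm"},
    { "user",    'u', arg_string, &user,
      "user other than current user (root only)", "user" },
    { "version",  0,  arg_flag,   &version_flag, NULL, NULL },
    { "help",    'h', arg_flag,   &help_flag,    NULL, NULL }
};

int num_args = sizeof(args) / sizeof(args[0]);

/* Print the option summary and exit with `code'. */
static void
usage(int code)
{
    arg_printusage(args, num_args, NULL, "[num seed]");
    exit(code);
}

/*
 * Overwrite a buffer that held secret material (a typed one-time
 * password).  The stores go through a volatile pointer so the compiler
 * cannot discard them as dead writes to a buffer that is never read
 * again.
 */
static void
scrub (void *p, size_t len)
{
    volatile unsigned char *vp = p;

    while (len-- > 0)
        *vp++ = 0;
}

/*
 * Parse a sequence number given on the command line.
 *
 * Accepts only a non-empty string of decimal digits of at most nine
 * digits, so the value always fits in an int.  atoi() would silently
 * map "abc" to 0 and "-5" to a negative count, neither of which is a
 * usable sequence number.  Returns 0 and stores the value in *out on
 * success, -1 otherwise.
 */
static int
parse_seqno (const char *s, unsigned *out)
{
    unsigned v = 0;
    size_t i;

    if (s == NULL || *s == '\0' || strlen (s) > 9)
        return -1;
    for (i = 0; s[i] != '\0'; ++i) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (unsigned)(s[i] - '0');
    }
    *out = v;
    return 0;
}

/*
 * Renew the OTP series for `inuser' (RFC 1938/8.0).
 *
 * argv[0] is the new sequence number and argv[1] the new seed.  The
 * caller is prompted for the one-time password that belongs to that new
 * sequence number and seed; the pass-phrase itself is never entered
 * here, which is what makes this usable over a non-encrypted link.
 *
 * Returns 0 on success, non-zero if the OTP could not be read or parsed
 * or the database could not be opened or updated.  Exits via errx() on a
 * malformed sequence number.
 */
static int
renew (int argc, char **argv, OtpAlgorithm *alg, char *inuser)
{
    OtpContext newctx;
    char prompt[128];
    char pw[64];
    void *dbm;
    unsigned seq;
    int ret;

    /*
     * Start from all-zero so fields this function never assigns (the
     * lock time, for one) do not carry stack garbage into the record
     * that otp_put() stores.
     */
    memset (&newctx, 0, sizeof(newctx));
    newctx.alg  = alg;
    newctx.user = inuser;

    if (parse_seqno (argv[0], &seq) != 0)
        errx (1, "bad sequence number `%s'", argv[0]);
    newctx.n = seq;
    strlcpy (newctx.seed, argv[1], sizeof(newctx.seed));
    strlwr (newctx.seed);

    snprintf (prompt, sizeof(prompt), "[ otp-%s %u %s ]",
              newctx.alg->name, newctx.n, newctx.seed);

    if (UI_UTIL_read_pw_string (pw, sizeof(pw), prompt, 0) != 0)
        return 1;
    ret = otp_parse (newctx.key, pw, alg);
    scrub (pw, sizeof(pw));        /* the typed OTP is not needed any more */
    if (ret != 0)
        return 1;

    dbm = otp_db_open ();
    if (dbm == NULL) {
        warnx ("otp_db_open failed");
        return 1;
    }
    /* Report a failed store to the caller instead of pretending success. */
    ret = otp_put (dbm, &newctx);
    otp_db_close (dbm);
    return ret;
}

/*
 * Return 0 if the user could enter the next OTP, non-zero otherwise
 * (shell-style status: 0 means success).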
*/ static int verify_user_otp(char *username) { OtpContext ctx; char passwd[OTP_MAX_PASSPHRASE + 1]; char prompt[128], ss[256]; if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) { warnx("no otp challenge found for %s", username); return 1; } snprintf (prompt, sizeof(prompt), "%s's %s Password: ", username, ss); if(UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)) return 1; return otp_verify_user (&ctx, passwd); } /* * Set the OTP for a user */ static int set (int argc, char **argv, OtpAlgorithm *alg, char *inuser) { void *db; OtpContext ctx; char pw[OTP_MAX_PASSPHRASE + 1]; int ret; int i; ctx.alg = alg; ctx.user = strdup (inuser); if (ctx.user == NULL) err (1, "out of memory"); ctx.n = atoi (argv[0]); strlcpy (ctx.seed, argv[1], sizeof(ctx.seed)); strlwr(ctx.seed); do { if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 1)) return 1; if (strlen (pw) < OTP_MIN_PASSPHRASE) printf ("Too short pass-phrase. Use at least %d characters\n", OTP_MIN_PASSPHRASE); } while(strlen(pw) < OTP_MIN_PASSPHRASE); ctx.alg->init (ctx.key, pw, ctx.seed); for (i = 0; i < ctx.n; ++i) ctx.alg->next (ctx.key); db = otp_db_open (); if(db == NULL) { free (ctx.user); err (1, "otp_db_open failed"); } ret = otp_put (db, &ctx); otp_db_close (db); free (ctx.user); return ret; } /* * Delete otp of user from the database */ static int delete_otp (int argc, char **argv, char *inuser) { void *db; OtpContext ctx; int ret; db = otp_db_open (); if(db == NULL) errx (1, "otp_db_open failed"); ctx.user = inuser; ret = otp_delete(db, &ctx); otp_db_close (db); return ret; } /* * Tell whether the user has an otp */ static int has_an_otp(char *inuser) { void *db; OtpContext ctx; int ret; db = otp_db_open (); if(db == NULL) { warnx ("otp_db_open failed"); return 0; /* if no db no otp! 
*/ } ctx.user = inuser; ret = otp_simple_get(db, &ctx); otp_db_close (db); return !ret; } /* * Get and print out the otp entry for some user */ static void print_otp_entry_for_name (void *db, char *inuser) { OtpContext ctx; ctx.user = inuser; if (!otp_simple_get(db, &ctx)) { fprintf(stdout, "%s\totp-%s %d %s", ctx.user, ctx.alg->name, ctx.n, ctx.seed); if (ctx.lock_time) fprintf(stdout, "\tlocked since %s", ctime(&ctx.lock_time)); else fprintf(stdout, "\n"); } } static int open_otp (int argc, char **argv, char *inuser) { void *db; OtpContext ctx; int ret; db = otp_db_open (); if (db == NULL) errx (1, "otp_db_open failed"); ctx.user = inuser; ret = otp_simple_get (db, &ctx); if (ret == 0) ret = otp_put (db, &ctx); otp_db_close (db); return ret; } /* * Print otp entries for one or all users */ static int list_otps (int argc, char **argv, char *inuser) { void *db; struct passwd *pw; db = otp_db_open (); if(db == NULL) errx (1, "otp_db_open failed"); if (inuser) print_otp_entry_for_name(db, inuser); else /* scans all users... 
so as to get a deterministic order */ while ((pw = getpwent())) print_otp_entry_for_name(db, pw->pw_name); otp_db_close (db); return 0; } int main (int argc, char **argv) { int defaultp = 0; int uid = getuid(); OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT); int optidx = 0; setprogname (argv[0]); if(getarg(args, num_args, argc, argv, &optidx)) usage(1); if(help_flag) usage(0); if(version_flag) { print_version(NULL); exit(0); } if(deletep && uid != 0) errx (1, "Only root can delete OTPs"); if(alg_string) { alg = otp_find_alg (alg_string); if (alg == NULL) errx (1, "Unknown algorithm: %s", alg_string); } if (user && uid != 0) errx (1, "Only root can use `-u'"); argc -= optidx; argv += optidx; if (!(listp || deletep || renewp || openp)) defaultp = 1; if ( listp + deletep + renewp + defaultp + openp != 1) usage(1); /* one of -d or -l or -r or none */ if(deletep || openp || listp) { if(argc != 0) errx(1, "delete, open, and list requires no arguments"); } else { if(argc != 2) errx(1, "setup, and renew requires `num', and `seed'"); } if (listp) return list_otps (argc, argv, user); if (user == NULL) { struct passwd *pwd; pwd = k_getpwuid(uid); if (pwd == NULL) err (1, "You don't exist"); user = pwd->pw_name; } /* * users other that root must provide the next OTP to update the sequence. * it avoids someone to use a pending session to change an OTP sequence. * see RFC 1938/8.0. 
*/ if (uid != 0 && (defaultp || renewp)) { if (!has_an_otp(user)) { errx (1, "Only root can set an initial OTP"); } else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */ if (verify_user_otp(user) != 0) { errx (1, "User authentication failed"); } } } if (deletep) return delete_otp (argc, argv, user); else if (renewp) return renew (argc, argv, alg, user); else if (openp) return open_otp (argc, argv, user); else return set (argc, argv, alg, user); } heimdal-1.7~git20150920+dfsg/appl/otp/otp_locl.h000066400000000000000000000037671257755311500212020ustar00rootroot00000000000000/* * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_PWD_H #include #endif #include #include #include "crypto-headers.h" /* for des_read_pw_string */ #include heimdal-1.7~git20150920+dfsg/appl/otp/otpprint.1000066400000000000000000000052251257755311500211460ustar00rootroot00000000000000.\" Copyright (c) 1996, 2000 - 2001 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. 
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd November 17, 1996
.Dt OTPPRINT 1
.Os KTH-KRB
.Sh NAME
.Nm otpprint
.Nd print lists of one-time passwords
.Sh SYNOPSIS
.Nm otpprint
.Op Fl n Ar count
.Op Fl e
.Op Fl h
.Op Fl f Ar algorithm
.Ar sequence-number
.Ar seed
.Sh DESCRIPTION
The
.Nm
program prints lists of OTPs.
.Pp
Use this to print out a series of one-time passwords.
You will have to supply the
.Ar sequence-number
and the
.Ar seed
as arguments and then the program will prompt you for your pass-phrase.
Treat the printed list as a secret: anyone who obtains it can log in as you with those passwords.
.Pp
There are several different print formats.
The default is to print each password as six short English words.
.Pp
Options are:
.Bl -tag -width Ds
.It Fl e
Print the passwords in ``extended'' format.
In this format a prefix that says ``hex:'' or ``word:'' is included.
.It Fl f
Choose a different
.Ar algorithm
from the default md5.
Pick any of: md4, md5, and sha.
.It Fl h
Print the passwords in hex.
.It Fl n
Print the
.Ar count
one-time passwords up to and including
.Ar sequence-number ,
in increasing order.
The default is 10.
.El .Sh SEE ALSO .Xr otp 1 heimdal-1.7~git20150920+dfsg/appl/otp/otpprint.c000066400000000000000000000073521257755311500212330ustar00rootroot00000000000000/* * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
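*/
#include "otp_locl.h"
#include RCSID("$Id$");

static int extendedp;
static int count = 10;
static int hexp;
static char *alg_string;
static int version_flag;
static int help_flag;

/* Command-line options.  -h means hexadecimal here, so --help has no short form. */
struct getargs args[] = {
    { "extended",    'e', arg_flag,    &extendedp,
      "print keys in extended format", NULL },
    { "count",       'n', arg_integer, &count,
      "number of keys to print", NULL },
    { "hexadecimal", 'h', arg_flag,    &hexp,
      "output in hexadecimal", NULL },
    { "hash",        'f', arg_string,  &alg_string,
      "hash algorithm (md4, md5, or sha)", "algorithm"},
    { "version",      0,  arg_flag,    &version_flag, NULL, NULL },
    { "help",         0,  arg_flag,    &help_flag,    NULL, NULL }
};

int num_args = sizeof(args) / sizeof(args[0]);

/* Print the option summary and exit with `code'. */
static void
usage(int code)
{
    arg_printusage(args, num_args, NULL, "num seed");
    exit(code);
}

/*
 * Overwrite a buffer that held secret material (the pass-phrase, or the
 * running OTP key).  The stores go through a volatile pointer so the
 * compiler cannot discard them as dead writes to a buffer that is never
 * read again.
 */
static void
scrub (void *p, size_t len)
{
    volatile unsigned char *vp = p;

    while (len-- > 0)
        *vp++ = 0;
}

/*
 * Parse a sequence number given on the command line.
 *
 * Accepts only a non-empty string of decimal digits of at most nine
 * digits, so the value always fits in an int.  atoi() would silently
 * map "abc" to 0 and "-5" to a negative count, neither of which is a
 * usable sequence number.  Returns 0 and stores the value in *out on
 * success, -1 otherwise.
 */
static int
parse_seqno (const char *s, unsigned *out)
{
    unsigned v = 0;
    size_t i;

    if (s == NULL || *s == '\0' || strlen (s) > 9)
        return -1;
    for (i = 0; s[i] != '\0'; ++i) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (unsigned)(s[i] - '0');
    }
    *out = v;
    return 0;
}

/*
 * Print the last `incount' one-time passwords of the series that ends at
 * sequence number argv[0] with seed argv[1]: numbers n-incount+1 .. n in
 * increasing order, each formatted by `print_fn'.  A non-positive
 * incount prints nothing; an incount larger than n prints the whole
 * series.  The pass-phrase is prompted for.
 *
 * Returns 0 on success and 1 if the pass-phrase could not be read.
 * Exits via usage() on a wrong argument count and via errx() on a
 * malformed sequence number.
 */
static int
print (int argc, char **argv, int incount, OtpAlgorithm *alg,
       void (*print_fn)(OtpKey, char *, size_t))
{
    char pw[64];
    OtpKey key;
    unsigned seq;
    int n;
    int i;
    char *seed;

    if (argc != 2)
        usage (1);
    if (parse_seqno (argv[0], &seq) != 0)
        errx (1, "bad sequence number `%s'", argv[0]);
    n = (int)seq;
    seed = argv[1];

    if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 0))
        return 1;
    alg->init (key, pw, seed);
    scrub (pw, sizeof(pw));     /* only the derived key is needed from here on */

    for (i = 0; i < n; ++i) {
        char s[64];

        alg->next (key);
        if (i >= n - incount) {
            (*print_fn)(key, s, sizeof(s));
            printf ("%d: %s\n", i + 1, s);
        }
    }
    /* `key' still holds the last OTP that was printed; wipe it. */
    scrub (key, sizeof(key));
    return 0;
}

/*
 * Parse options, pick the output format and hand the remaining
 * arguments (sequence number and seed) to print().
 */
int
main (int argc, char **argv)
{
    int optidx = 0;
    void (*fn)(OtpKey, char *, size_t);
    OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);

    setprogname (argv[0]);

    if (getarg(args, num_args, argc, argv, &optidx))
        usage(1);
    if (help_flag)
        usage(0);
    if (version_flag) {
        print_version(NULL);
        exit(0);
    }

    if (alg_string) {
        alg = otp_find_alg (alg_string);
        if (alg == NULL)
            errx(1, "Unknown algorithm: %s", alg_string);
    }

    argc -= optidx;
    argv += optidx;

    /* Four printers: {words, hex} x {plain, "hex:"/"word:" prefixed}. */
    if (hexp) {
        if (extendedp)
            fn = otp_print_hex_extended;
        else
            fn = otp_print_hex;
    } else {
        if (extendedp)
            fn = otp_print_stddict_extended;
        else
            fn = otp_print_stddict;
    }

    return print (argc, argv, count, alg, fn);
}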
heimdal-1.7~git20150920+dfsg/appl/push/000077500000000000000000000000001257755311500173565ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/push/ChangeLog000066400000000000000000000116341257755311500211350ustar00rootroot000000000000002005-04-19 Love Hörnquist Åstrand * push.c: catch when snprint needs a larger buffer 2004-06-17 Johan Danielsson * push.c: alloc memory to handle very long lines 2003-04-03 Assar Westerlund * push.c: fixed one incorrect fprintf to stderr 2003-03-18 Love Hörnquist Åstrand * push.c: add names of pop states, add some more debugging and use fprintf(stderr) for all dbg stmts. 2001-09-04 Assar Westerlund * push.c (doit): check return values from snprintf being negative 2000-12-31 Assar Westerlund * push.c (main): handle krb5_init_context failure consistently 2000-12-26 Assar Westerlund * push.c: support several headers, from use estrdup, emalloc, erealloc 2000-11-29 Johan Danielsson * pfrom.1: work around bug in grog that makes it think it needs mdoc.old * push.8: work around bug in grog that makes it think it needs mdoc.old 2000-11-27 Johan Danielsson * push.c: add space to usage 2000-10-08 Assar Westerlund * push.c (doit): check that fds are not too large to select on 2000-03-04 Assar Westerlund * add man-page for pfrom 1999-12-28 Assar Westerlund * push.c (main): call k_getportbyname with port number in network-byte-order 1999-12-14 Assar Westerlund * push.c (do_connect): remove bogus local block variable 1999-12-05 Assar Westerlund * push.c (do_connect): use `getaddrinfo' * push.c: add --count (print number of messages and bytes at beginning) 1999-11-13 Assar Westerlund * push.c: make `-v' a arg_counter 1999-11-02 Assar Westerlund * push.c (main): redo the v4/v5 selection for consistency. 
-4 -> try only v4 -5 -> try only v5 none, -45 -> try v5, v4 1999-08-19 Assar Westerlund * push.c (doit): remember to step over the error message when we discover that XDELE is not supported 1999-08-12 Johan Danielsson * push.c: use XDELE 1999-08-05 Assar Westerlund * push.c (do_connect): v6-ify 1999-06-15 Assar Westerlund * push.c: get_default_username and the resulting const propagation 1999-05-21 Assar Westerlund * push.c (parse_pobox): try $USERNAME 1999-05-11 Assar Westerlund * push.c (do_v5): remove unused and non-working code 1999-05-10 Assar Westerlund * push.c (do_v5): call krb5_sendauth with ccache == NULL Wed Apr 7 23:40:00 1999 Assar Westerlund * Makefile.in: fix names of hesiod variables Wed Mar 24 04:37:04 1999 Assar Westerlund * Makefile.am (pfrom): fix typo * push.c (get_pobox): try to handle old and new hesiod APIs Mon Mar 22 22:19:40 1999 Assar Westerlund * Makefile.am: hesoid -> hesiod Sun Mar 21 18:02:10 1999 Johan Danielsson * Makefile.am: bindir -> libexecdir Sat Mar 20 00:12:26 1999 Assar Westerlund * Makefile.am: LDADD: add missing backslash Thu Mar 18 15:28:35 1999 Johan Danielsson * Makefile.am: clean pfrom * Makefile.am: include Makefile.am.common Mon Mar 15 18:26:16 1999 Johan Danielsson * push.c: strncasecmp headers Mon Feb 15 22:22:09 1999 Assar Westerlund * Makefile.in (pfrom): use libexecdir * Makefile.am: build and install pfrom * push.c (do_connect): init `s' (pop_state): spell-check enums Tue Nov 24 23:20:54 1998 Assar Westerlund * Makefile.in: build and install pfrom * pfrom.in: bindir -> libexecdir Sun Nov 22 15:33:52 1998 Johan Danielsson * push.c: eliminate some warnings Sun Nov 22 10:34:54 1998 Assar Westerlund * Makefile.in (WFLAGS): set Thu Nov 19 01:17:33 1998 Assar Westerlund * push_locl.h: add * Makefile.am, Makefile.in: link and include hesiod * push.c (get_pobox): new function. add hesiod support. 
1998-11-07 Assar Westerlund * push.8: updated * push.c: --from implementation from Fri Jul 10 01:14:45 1998 Assar Westerlund * push.c (net_{read,write}): remove Wed Jun 24 14:41:41 1998 Johan Danielsson * push.c: allow `po:user@host' mailbox syntax Tue Jun 2 17:35:06 1998 Johan Danielsson * push.c: quote '^From ' properly Mon May 25 05:22:47 1998 Assar Westerlund * Makefile.in (clean): PROGS -> PROGRAMS Sun Apr 26 11:42:13 1998 Assar Westerlund * push.c (main): better default for v4 and v5 * push.c (main): init context correctly * push.c: should work with krb4 * push_locl.h: krb4 compat * Makefile.in: new file heimdal-1.7~git20150920+dfsg/appl/push/Makefile.am000066400000000000000000000007021257755311500214110ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common AM_CPPFLAGS += $(INCLUDE_hesiod) WFLAGS += $(WFLAGS_LITE) bin_SCRIPTS = pfrom libexec_PROGRAMS = push push_SOURCES = push.c push_locl.h pfrom: pfrom.in sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@ chmod +x $@ man_MANS = push.8 pfrom.1 CLEANFILES = pfrom EXTRA_DIST = NTMakefile pfrom.in $(man_MANS) LDADD = $(LIB_krb5) \ $(LIB_hcrypto) \ $(LIB_roken) \ $(LIB_hesiod) heimdal-1.7~git20150920+dfsg/appl/push/NTMakefile000066400000000000000000000027321257755311500212640ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\push !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/push/pfrom.1000066400000000000000000000040161257755311500205640ustar00rootroot00000000000000.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. 
.\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $Id$ .\" .Dd March 4, 2000 .Dt PFROM 1 .Os HEIMDAL .Sh NAME .Nm pfrom .Nd "fetch a list of the current mail via POP" .Sh SYNOPSIS .Nm .Op Fl 4 | Fl Fl krb4 .Op Fl 5 | Fl Fl krb5 .Op Fl v | Fl Fl verbose .Op Fl c | -count .Op Fl Fl header .Oo Fl p Ar port-spec \*(Ba Xo .Fl Fl port= Ns Ar port-spec .Xc .Oc .Sh DESCRIPTION .Nm is a script that does push --from. 
.Sh SEE ALSO .Xr push 8 heimdal-1.7~git20150920+dfsg/appl/push/pfrom.in000066400000000000000000000001331257755311500210260ustar00rootroot00000000000000#!/bin/sh # $Id$ libexecdir=%libexecdir% PATH=$libexecdir:$PATH export PATH push --from $* heimdal-1.7~git20150920+dfsg/appl/push/push.8000066400000000000000000000045071257755311500204340ustar00rootroot00000000000000.\" $Id$ .\" .Dd May 31, 1998 .Dt PUSH 8 .Os HEIMDAL .Sh NAME .Nm push .Nd fetch mail via POP .Sh SYNOPSIS .Nm .Op Fl 5 | Fl Fl krb5 .Op Fl v | Fl Fl verbose .Op Fl f | Fl Fl fork .Op Fl l | -leave .Op Fl Fl from .Op Fl c | -count .Op Fl Fl headers Ns = Ns Ar headers .Oo Fl p Ar port-spec \*(Ba Xo .Fl Fl port Ns = Ns Ar port-spec .Xc .Oc .Ar po-box .Pa filename .Sh DESCRIPTION .Nm retrieves mail from the post office box .Ar po-box , and stores the mail in mbox format in .Pa filename . The .Ar po-box can have any of the following formats: .Bl -hang -compact -offset indent .It Ql hostname:username .It Ql po:hostname:username .It Ql username@hostname .It Ql po:username@hostname .It Ql hostname .It Ql po:username .El .Pp If no username is specified, .Nm assumes that it's the same as on the local machine; .Ar hostname defaults to the value of the .Ev MAILHOST environment variable. .Pp Supported options: .Bl -tag -width Ds .It Xo .Fl 5 , .Fl Fl krb5 .Xc use Kerberos 5 (if compiled with support for Kerberos 5) .It Xo .Fl f , .Fl Fl fork .Xc fork before starting to delete messages .It Xo .Fl l , .Fl Fl leave .Xc don't delete fetched mail .It Xo .Fl Fl from .Xc behave like from. .It Xo .Fl c , .Fl Fl count .Xc first print how many messages and bytes there are. .It Xo .Fl Fl headers Ns = Ns Ar headers .Xc a list of comma-separated headers that should get printed. .It Xo .Fl p Ar port-spec , .Fl Fl port Ns = Ns Ar port-spec .Xc use this port instead of the default .Ql kpop or .Ql 1109 . .El .Pp The default is to first try Kerberos 5 authentication and then, if that fails, Kerberos 4. 
.Sh ENVIRONMENT .Bl -tag -width Ds .It Ev MAILHOST points to the post office, if no other hostname is specified. .El .\".Sh FILES .Sh EXAMPLES .Bd -literal -offset indent $ push cornfield:roosta ~/.emacs-mail-crash-box .Ed .Pp tries to fetch mail for the user .Ar roosta from the post office at .Dq cornfield , and stores the mail in .Pa ~/.emacs-mail-crash-box (you are using Gnus, aren't you?) .Bd -literal -offset indent $ push --from -5 havregryn .Ed .Pp tries to fetch .Sy From: lines for current user at post office .Dq havregryn using Kerberos 5. .\".Sh DIAGNOSTICS .Sh SEE ALSO .Xr from 1 , .Xr pfrom 1 , .Xr movemail 8 , .Xr popper 8 .\".Sh STANDARDS .Sh HISTORY .Nm was written while waiting for .Nm movemail to finish getting the mail. .\".Sh AUTHORS .\".Sh BUGS heimdal-1.7~git20150920+dfsg/appl/push/push.c000066400000000000000000000441111257755311500205020ustar00rootroot00000000000000/* * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "push_locl.h" RCSID("$Id$"); #if defined(_AIX) && defined(STAT) /* * AIX defines STAT to 1 in sys/dir.h */ # undef STAT #endif #ifdef KRB5 static int use_v5 = -1; static krb5_context context; #endif static char *port_str; static int verbose_level; static int do_fork; static int do_leave; static int do_version; static int do_help; static int do_from; static int do_count; static char *header_str; struct getargs args[] = { #ifdef KRB5 { "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5", NULL }, #endif { "verbose",'v', arg_counter, &verbose_level, "Verbose", NULL }, { "fork", 'f', arg_flag, &do_fork, "Fork deleting proc", NULL }, { "leave", 'l', arg_flag, &do_leave, "Leave mail on server", NULL }, { "port", 'p', arg_string, &port_str, "Use this port", "number-or-service" }, { "from", 0, arg_flag, &do_from, "Behave like from", NULL }, { "headers", 0, arg_string, &header_str, "Headers to print", NULL }, { "count", 'c', arg_flag, &do_count, "Print number of messages", NULL}, { "version", 0, arg_flag, &do_version, "Print version", NULL }, { "help", 0, arg_flag, &do_help, NULL, NULL } }; static void usage (int ret) { arg_printusage (args, sizeof(args) / sizeof(args[0]), NULL, "[[{po:username[@hostname] | hostname[:username]}] ...] 
" "filename"); exit (ret); } static int do_connect (const char *hostname, int port, int nodelay) { struct addrinfo *ai, *a; struct addrinfo hints; int error; int s = -1; char portstr[NI_MAXSERV]; memset (&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; snprintf (portstr, sizeof(portstr), "%u", ntohs(port)); error = getaddrinfo (hostname, portstr, &hints, &ai); if (error) errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error)); for (a = ai; a != NULL; a = a->ai_next) { s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); if (s < 0) continue; if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { warn ("connect(%s)", hostname); close (s); continue; } break; } freeaddrinfo (ai); if (a == NULL) { warnx ("failed to contact %s", hostname); return -1; } if(setsockopt(s, IPPROTO_TCP, TCP_NODELAY, (void *)&nodelay, sizeof(nodelay)) < 0) err (1, "setsockopt TCP_NODELAY"); return s; } typedef enum { INIT = 0, GREET, USER, PASS, STAT, RETR, TOP, DELE, XDELE, QUIT} pop_state; static char *pop_state_string[] = { "INIT", "GREET", "USER", "PASS", "STAT", "RETR", "TOP", "DELE", "XDELE", "QUIT" }; #define PUSH_BUFSIZ 65536 #define STEP 16 struct write_state { struct iovec *iovecs; size_t niovecs, maxiovecs, allociovecs; int fd; }; static void write_state_init (struct write_state *w, int fd) { #ifdef UIO_MAXIOV w->maxiovecs = UIO_MAXIOV; #else w->maxiovecs = 16; #endif w->allociovecs = min(STEP, w->maxiovecs); w->niovecs = 0; w->iovecs = emalloc(w->allociovecs * sizeof(*w->iovecs)); w->fd = fd; } static void write_state_add (struct write_state *w, void *v, size_t len) { if(w->niovecs == w->allociovecs) { if(w->niovecs == w->maxiovecs) { if(writev (w->fd, w->iovecs, w->niovecs) < 0) err(1, "writev"); w->niovecs = 0; } else { w->allociovecs = min(w->allociovecs + STEP, w->maxiovecs); w->iovecs = erealloc (w->iovecs, w->allociovecs * sizeof(*w->iovecs)); } } w->iovecs[w->niovecs].iov_base = v; w->iovecs[w->niovecs].iov_len = len; 
++w->niovecs; } static void write_state_flush (struct write_state *w) { if (w->niovecs) { if (writev (w->fd, w->iovecs, w->niovecs) < 0) err (1, "writev"); w->niovecs = 0; } } static void write_state_destroy (struct write_state *w) { free (w->iovecs); } static int doit(int s, const char *host, const char *user, const char *outfilename, const char *header_str, int leavep, int verbose, int forkp) { int ret; char out_buf[PUSH_BUFSIZ]; int out_len = 0; char *in_buf; size_t in_buf_size; size_t in_len = 0; char *in_ptr; pop_state state = INIT; unsigned count = 0, bytes; unsigned asked_for = 0, retrieved = 0, asked_deleted = 0, deleted = 0; unsigned sent_xdele = 0; int out_fd; char from_line[128]; ssize_t from_line_length; time_t now; struct write_state write_state; unsigned int numheaders = 1; char **headers = NULL; int i; char *tmp = NULL; in_buf = emalloc(PUSH_BUFSIZ + 1); in_ptr = in_buf; in_buf_size = PUSH_BUFSIZ; if (do_from) { char *tmp2; tmp2 = tmp = estrdup(header_str); out_fd = -1; if (verbose) fprintf (stderr, "%s@%s\n", user, host); while (*tmp != '\0') { tmp = strchr(tmp, ','); if (tmp == NULL) break; tmp++; numheaders++; } headers = emalloc(sizeof(char *) * (numheaders + 1)); for (i = 0; i < numheaders; i++) { headers[i] = strtok_r(tmp2, ",", &tmp2); } headers[numheaders] = NULL; } else { out_fd = open(outfilename, O_WRONLY | O_APPEND | O_CREAT, 0666); if (out_fd < 0) err (1, "open %s", outfilename); if (verbose) fprintf (stderr, "%s@%s -> %s\n", user, host, outfilename); } now = time(NULL); from_line_length = snprintf (from_line, sizeof(from_line), "From %s %s", "push", ctime(&now)); if (from_line_length < 0 || from_line_length > sizeof(from_line)) errx (1, "snprintf failed"); out_len = snprintf (out_buf, sizeof(out_buf), "USER %s\r\nPASS hej\r\nSTAT\r\n", user); if (out_len < 0 || out_len > sizeof(out_buf)) errx (1, "snprintf failed"); if (net_write (s, out_buf, out_len) != out_len) err (1, "write"); if (verbose > 1) fprintf (stderr, "%s", out_buf); if 
(!do_from) write_state_init (&write_state, out_fd); while(state != QUIT) { fd_set readset, writeset; FD_ZERO(&readset); FD_ZERO(&writeset); if (s >= FD_SETSIZE) errx (1, "fd too large"); FD_SET(s,&readset); if (verbose > 1) fprintf (stderr, "state: %s count: %d asked_for: %d " "retrieved: %d asked_deleted: %d\n", pop_state_string[state], count, asked_for, retrieved, asked_deleted); if (((state == STAT || state == RETR || state == TOP) && asked_for < count) || (state == XDELE && !sent_xdele) || (state == DELE && asked_deleted < count)) FD_SET(s,&writeset); ret = select (s + 1, &readset, &writeset, NULL, NULL); if (ret < 0) { if (errno == EAGAIN) continue; else err (1, "select"); } if (FD_ISSET(s, &readset)) { char *beg, *p; size_t rem; int blank_line = 0; if(in_len >= in_buf_size) { char *tmp = erealloc(in_buf, in_buf_size + PUSH_BUFSIZ + 1); in_ptr = tmp + (in_ptr - in_buf); in_buf = tmp; in_buf_size += PUSH_BUFSIZ; } ret = read (s, in_ptr, in_buf_size - in_len); if (ret < 0) err (1, "read"); else if (ret == 0) errx (1, "EOF during read"); in_len += ret; in_ptr += ret; *in_ptr = '\0'; beg = in_buf; rem = in_len; while(rem > 1 && (p = strstr(beg, "\r\n")) != NULL) { if (state == TOP) { char *copy = beg; for (i = 0; i < numheaders; i++) { size_t len; len = min(p - copy + 1, strlen(headers[i])); if (strncasecmp(copy, headers[i], len) == 0) { fprintf (stdout, "%.*s\n", (int)(p - copy), copy); } } if (beg[0] == '.' 
&& beg[1] == '\r' && beg[2] == '\n') { if (numheaders > 1) fprintf (stdout, "\n"); state = STAT; if (++retrieved == count) { state = QUIT; net_write (s, "QUIT\r\n", 6); if (verbose > 1) fprintf (stderr, "QUIT\r\n"); } } rem -= p - beg + 2; beg = p + 2; } else if (state == RETR) { char *copy = beg; if (beg[0] == '.') { if (beg[1] == '\r' && beg[2] == '\n') { if(!blank_line) write_state_add(&write_state, "\n", 1); state = STAT; rem -= p - beg + 2; beg = p + 2; if (++retrieved == count) { write_state_flush (&write_state); if (fsync (out_fd) < 0) err (1, "fsync"); close(out_fd); if (leavep) { state = QUIT; net_write (s, "QUIT\r\n", 6); if (verbose > 1) fprintf (stderr, "QUIT\r\n"); } else { if (forkp) { pid_t pid; pid = fork(); if (pid < 0) warn ("fork"); else if(pid != 0) { if(verbose) fprintf (stderr, "(exiting)"); return 0; } } state = XDELE; if (verbose) fprintf (stderr, "deleting... "); } } continue; } else ++copy; } *p = '\n'; if(blank_line && strncmp(copy, "From ", min(p - copy + 1, 5)) == 0) write_state_add(&write_state, ">", 1); write_state_add(&write_state, copy, p - copy + 1); blank_line = (*copy == '\n'); rem -= p - beg + 2; beg = p + 2; } else if (rem >= 3 && strncmp (beg, "+OK", 3) == 0) { if (state == STAT) { if (!do_from) write_state_add(&write_state, from_line, from_line_length); blank_line = 0; if (do_from) state = TOP; else state = RETR; } else if (state == XDELE) { state = QUIT; net_write (s, "QUIT\r\n", 6); if (verbose > 1) fprintf (stderr, "QUIT\r\n"); break; } else if (state == DELE) { if (++deleted == count) { state = QUIT; net_write (s, "QUIT\r\n", 6); if (verbose > 1) fprintf (stderr, "QUIT\r\n"); break; } } else if (++state == STAT) { if(sscanf (beg + 4, "%u %u", &count, &bytes) != 2) errx(1, "Bad STAT-line: %.*s", (int)(p - beg), beg); if (verbose) { fprintf (stderr, "%u message(s) (%u bytes). " "fetching... 
", count, bytes); if (do_from) fprintf (stderr, "\n"); } else if (do_count) { fprintf (stderr, "%u message(s) (%u bytes).\n", count, bytes); } if (count == 0) { state = QUIT; net_write (s, "QUIT\r\n", 6); if (verbose > 1) fprintf (stderr, "QUIT\r\n"); break; } } rem -= p - beg + 2; beg = p + 2; } else { if(state == XDELE) { state = DELE; rem -= p - beg + 2; beg = p + 2; } else errx (1, "Bad response: %.*s", (int)(p - beg), beg); } } if (!do_from) write_state_flush (&write_state); memmove (in_buf, beg, rem); in_len = rem; in_ptr = in_buf + rem; } if (FD_ISSET(s, &writeset)) { if ((state == STAT && !do_from) || state == RETR) out_len = snprintf (out_buf, sizeof(out_buf), "RETR %u\r\n", ++asked_for); else if ((state == STAT && do_from) || state == TOP) out_len = snprintf (out_buf, sizeof(out_buf), "TOP %u 0\r\n", ++asked_for); else if(state == XDELE) { out_len = snprintf(out_buf, sizeof(out_buf), "XDELE %u %u\r\n", 1, count); sent_xdele++; } else if(state == DELE) out_len = snprintf (out_buf, sizeof(out_buf), "DELE %u\r\n", ++asked_deleted); if (out_len < 0 || out_len > sizeof(out_buf)) errx (1, "snprintf failed"); if (net_write (s, out_buf, out_len) != out_len) err (1, "write"); if (verbose > 1) fprintf (stderr, "%s", out_buf); } } if (verbose) fprintf (stderr, "Done\n"); if (do_from) { free (tmp); free (headers); } else { write_state_destroy (&write_state); } return 0; } #ifdef KRB5 static int do_v5 (const char *host, int port, const char *user, const char *filename, const char *header_str, int leavep, int verbose, int forkp) { krb5_error_code ret; krb5_auth_context auth_context = NULL; krb5_principal server; const char *estr; int s; s = do_connect (host, port, 1); if (s < 0) return 1; ret = krb5_sname_to_principal (context, host, "pop", KRB5_NT_SRV_HST, &server); if (ret) { estr = krb5_get_error_message(context, ret); warnx ("krb5_sname_to_principal: %s", estr); krb5_free_error_message(context, estr); return 1; } ret = krb5_sendauth (context, &auth_context, &s, 
"KPOPV1.0", NULL, server, 0, NULL, NULL, NULL, NULL, NULL, NULL); krb5_free_principal (context, server); if (ret) { estr = krb5_get_error_message(context, ret); warnx ("krb5_sendauth: %s", estr); krb5_free_error_message(context, estr); return 1; } return doit (s, host, user, filename, header_str, leavep, verbose, forkp); } #endif #ifdef HESIOD #ifdef HESIOD_INTERFACES static char * hesiod_get_pobox (const char **user) { void *context; struct hesiod_postoffice *hpo; char *ret = NULL; if(hesiod_init (&context) != 0) err (1, "hesiod_init"); hpo = hesiod_getmailhost (context, *user); if (hpo == NULL) { warn ("hesiod_getmailhost %s", *user); } else { if (strcasecmp(hpo->hesiod_po_type, "pop") != 0) errx (1, "Unsupported po type %s", hpo->hesiod_po_type); ret = estrdup(hpo->hesiod_po_host); *user = estrdup(hpo->hesiod_po_name); hesiod_free_postoffice (context, hpo); } hesiod_end (context); return ret; } #else /* !HESIOD_INTERFACES */ static char * hesiod_get_pobox (const char **user) { char *ret = NULL; struct hes_postoffice *hpo; hpo = hes_getmailhost (*user); if (hpo == NULL) { warn ("hes_getmailhost %s", *user); } else { if (strcasecmp(hpo->po_type, "pop") != 0) errx (1, "Unsupported po type %s", hpo->po_type); ret = estrdup(hpo->po_host); *user = estrdup(hpo->po_name); } return ret; } #endif /* HESIOD_INTERFACES */ #endif /* HESIOD */ static char * get_pobox (const char **user) { char *ret = NULL; #ifdef HESIOD ret = hesiod_get_pobox (user); #endif if (ret == NULL) ret = getenv("MAILHOST"); if (ret == NULL) errx (1, "MAILHOST not set"); return ret; } static void parse_pobox (char *a0, const char **host, const char **user) { const char *h, *u; char *p; int po = 0; if (a0 == NULL) { *user = getenv ("USERNAME"); if (*user == NULL) { struct passwd *pwd = getpwuid (getuid ()); if (pwd == NULL) errx (1, "Who are you?"); *user = estrdup (pwd->pw_name); } *host = get_pobox (user); return; } /* if the specification starts with po:, remember this information */ if(strncmp(a0, 
"po:", 3) == 0) { a0 += 3; po++; } /* if there is an `@', the hostname is after it, otherwise at the beginning of the string */ p = strchr(a0, '@'); if(p != NULL) { *p++ = '\0'; h = p; } else { h = a0; } /* if there is a `:', the username comes before it, otherwise at the beginning of the string */ p = strchr(a0, ':'); if(p != NULL) { *p++ = '\0'; u = p; } else { u = a0; } if(h == u) { /* some inconsistent compatibility with various mailers */ if(po) { h = get_pobox (&u); } else { u = get_default_username (); if (u == NULL) errx (1, "Who are you?"); } } *host = h; *user = u; } int main(int argc, char **argv) { int port = 0; int optind = 0; int ret = 1; const char *host, *user, *filename = NULL; char *pobox = NULL; setprogname (argv[0]); #ifdef KRB5 { krb5_error_code ret; ret = krb5_init_context (&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); } #endif if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) usage (1); argc -= optind; argv += optind; if (do_help) usage (0); if (do_version) { print_version(NULL); return 0; } if (do_from && header_str == NULL) header_str = "From:"; else if (header_str != NULL) do_from = 1; if (do_from) { if (argc == 0) pobox = NULL; else if (argc == 1) pobox = argv[0]; else usage (1); } else { if (argc == 1) { filename = argv[0]; pobox = NULL; } else if (argc == 2) { filename = argv[1]; pobox = argv[0]; } else usage (1); } if (port_str) { struct servent *s = roken_getservbyname (port_str, "tcp"); if (s) port = s->s_port; else { char *ptr; port = strtol (port_str, &ptr, 10); if (port == 0 && ptr == port_str) errx (1, "Bad port `%s'", port_str); port = htons(port); } } if (port == 0) { #ifdef KRB5 port = krb5_getportbyname (context, "kpop", "tcp", 1109); #else #error must define KRB5 #endif } parse_pobox (pobox, &host, &user); #ifdef KRB5 if (ret && use_v5) { ret = do_v5 (host, port, user, filename, header_str, do_leave, verbose_level, do_fork); } #endif return ret; } 
heimdal-1.7~git20150920+dfsg/appl/push/push_locl.h000066400000000000000000000051111257755311500215150ustar00rootroot00000000000000/* * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ /* $Id$ */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #ifdef HAVE_FCNTL_H #include #endif #ifdef HAVE_ERRNO_H #include #endif #include #include #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SELECT_H #include #endif #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_SYS_UIO_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_NETINET_IN6_H #include #endif #ifdef HAVE_NETINET6_IN6_H #include #endif #ifdef HAVE_NETINET_TCP_H #include #endif #ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_PWD_H #include #endif #ifdef HESIOD #include #endif #include #include #include #ifdef KRB5 #include #endif heimdal-1.7~git20150920+dfsg/appl/su/000077500000000000000000000000001257755311500170265ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/su/ChangeLog000066400000000000000000000062711257755311500206060ustar00rootroot000000000000002008-07-15 Love Hörnquist Åstrand * Makefile.am: no krb4 * su.c: Drop kerberos 4 support. 2007-10-19 Love Hörnquist Åstrand * su.c: read environment from _PATH_ETC_ENVIRONMENT * supaths.c: paths 2007-08-02 Love Hörnquist Åstrand * su.c: Check all local realms when su-ing, from Magnus Holmberg. 2007-06-19 Love Hörnquist Åstrand * su.c: If not root and not setuid, print warning. 2006-01-17 Love Hörnquist Åstrand * su.c (group_member_p): rename from group_member to avoid name pollution from glibc headers. Fixed based on report from David Love. 2006-01-12 Johan Danielsson * su.c: fix reversed logic when deciding to print tty or not 2005-10-22 Love Hörnquist Åstrand * su.c: Check return value from asprintf instead of string != NULL since it undefined behavior on Linux. From Björn Sandell 2005-05-10 Dave Love * su.c: Include . 
2003-09-03 Love Hörnquist Åstrand * su.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ 2003-05-06 Johan Danielsson * su.c: remove accidentally committed code that prints the command being executed 2003-03-18 Love Hörnquist Åstrand * su.c (krb5_start_session): krb5_afslog doesn't depend on KRB4 any more 2002-02-19 Johan Danielsson * su.c: make this build without krb5 2002-01-09 Jacques Vidrine * su.c: Don't use getlogin() to determine whether we are root. Patch by joda. 2001-06-12 Assar Westerlund * su.c: check memory allocations. add some const 2000-12-31 Assar Westerlund * su.c (krb5_verify): handle krb5_init_context failure consistently 2000-08-28 Johan Danielsson * su.c: set KRBTKFILE 2000-07-10 Assar Westerlund * Makefile.am: actually install su * su.c (krb5_verify): try harder freeing. do not get upset on interrupted password read 2000-06-09 Assar Westerlund * su.c (main): work-around for setuid and capabilities bug fixed in Linux 2.2.16 2000-06-03 Assar Westerlund * su.c (main): just ignore shadow information if getspnam returns NULL 1999-10-20 Assar Westerlund * Makefile.am: use LIB_roken 1999-09-28 Assar Westerlund * su.c (krb5_verify): use krb5_verify_user_lrealm 1999-08-04 Assar Westerlund * su.c: add support for shadow passwords and rewrite some logic. 
From Miroslav Ruda * Makefile.am: add libkafs 1999-06-15 Assar Westerlund * su.c (main): conditionalize `getlogin' 1999-05-11 Assar Westerlund * su.c (verfiy_krb5): get the name out of the ccache before closing it 1999-05-05 Assar Westerlund * su.c: some more error checking Wed Apr 21 21:04:36 1999 Assar Westerlund * su.c (-f): implement * su.c: implement -i (verify_krb5): correct the ownership on the credential cache Tue Apr 20 13:26:13 1999 Johan Danielsson * su.c: don't depend on paths.h heimdal-1.7~git20150920+dfsg/appl/su/Makefile.am000066400000000000000000000005141257755311500210620ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common AM_CPPFLAGS += $(INCLUDE_hcrypto) bin_PROGRAMS = su bin_SUIDS = su su_SOURCES = su.c supaths.h man_MANS = su.1 LDADD = $(LIB_kafs) \ $(top_builddir)/lib/krb5/libkrb5.la \ $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) EXTRA_DIST = NTMakefile $(man_MANS) heimdal-1.7~git20150920+dfsg/appl/su/NTMakefile000066400000000000000000000027301257755311500207320ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # RELDIR=appl\su !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/su/su.1000066400000000000000000000063621257755311500175460ustar00rootroot00000000000000.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $Id$ .\" .Dd January 12, 2006 .Dt SU 1 .Os HEIMDAL .Sh NAME .Nm su .Nd substitute user identity .Sh SYNOPSIS .Nm su .Op Fl K | Fl Fl no-kerberos .Op Fl f .Op Fl l | Fl Fl full .Op Fl m .Oo Fl i Ar instance \*(Ba Xo .Fl Fl instance= Ns Ar instance .Xc .Oc .Oo Fl c Ar command \*(Ba Xo .Fl Fl command= Ns Ar command .Xc .Oc .Op Ar login Op Ar "shell arguments" .Sh DESCRIPTION .Nm su will use Kerberos authentication provided that an instance for the user wanting to change effective UID is present in a file named .Pa .k5login in the target user id's home directory .Pp A special case exists where .Ql root Ap s .Pa ~/.k5login needs to contain an entry for: .Ql user Ns / Ns Ao instance Ac Ns @ Ns REALM for .Nm su to succeed (where .Aq instance is .Ql root unless changed with .Fl i ) . .Pp In the absence of either an entry for the current user in said file or other problems like missing .Ql host/hostname@REALM keys in the system's keytab, or the user typing the wrong password, .Nm su will fall back to traditional .Pa /etc/passwd authentication. .Pp When using .Pa /etc/passwd authentication, .Nm su allows .Ql root access only to members of the group .Ql wheel , or to any user (with knowledge of the .Ql root password) if that group does not exist, or has no members. .Pp The options are as follows: .Bl -item -width Ds .It .Fl K , .Fl Fl no-kerberos don't use Kerberos. .It .Fl f don't read .cshrc. .It .Fl l , .Fl Fl full simulate full login. 
.It .Fl m leave environment unmodified. .It .Fl i Ar instance , .Fl Fl instance= Ns Ar instance root instance to use. .It .Fl c Ar command , .Fl Fl command= Ns Ar command command to execute. .El heimdal-1.7~git20150920+dfsg/appl/su/su.c000066400000000000000000000312621257755311500176250ustar00rootroot00000000000000/* * Copyright (c) 1999 - 2008 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of KTH nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/

/* NOTE(review): the header names of the bare #include lines below were
   lost when this listing was extracted; restore them from the upstream
   su.c before building. */
#include
RCSID("$Id$");

#include
#include
#include
#include
#ifdef HAVE_PATHS_H
#include
#endif
#ifdef HAVE_SHADOW_H
#include
#endif
#include
#ifdef HAVE_CRYPT_H
#include
#endif
#include "crypto-headers.h"
#ifdef KRB5
#include
#endif
#include
#include
#include
#include
#include "supaths.h"

#if !HAVE_DECL_ENVIRON
extern char **environ;
#endif

/* Command line state, filled in by getarg() from `args' below. */
int kerberos_flag = 1;		/* -K clears: skip Kerberos verification */
int csh_f_flag;			/* -f: pass -f to a csh target shell */
int full_login;			/* -l or "-": rebuild the environment */
int env_flag;			/* -m: keep the caller's shell and env */
char *kerberos_instance = "root";	/* -i: instance used when su-ing to root */
int help_flag;
int version_flag;
char *cmd;			/* -c: command to run via shell -c */
char tkfile[256];		/* unused in the visible code */

struct getargs args[] = {
    { "kerberos", 'K', arg_negative_flag, &kerberos_flag,
      "don't use kerberos", NULL },
    { NULL,	  'f', arg_flag,	  &csh_f_flag,
      "don't read .cshrc", NULL },
    { "full",	  'l', arg_flag,	  &full_login,
      "simulate full login", NULL },
    { NULL,	  'm', arg_flag,	  &env_flag,
      "leave environment unmodified", NULL },
    { "instance", 'i', arg_string,	  &kerberos_instance,
      "root instance to use", NULL },
    { "command",  'c', arg_string,	  &cmd,
      "command to execute", NULL },
    { "help",	  'h', arg_flag,	  &help_flag, NULL, NULL },
    { "version",  0,   arg_flag,	  &version_flag, NULL, NULL },
};

/* Print usage and exit with `ret'. */
static void
usage (int ret)
{
    arg_printusage (args,
		    sizeof(args)/sizeof(*args),
		    NULL,
		    "[login [shell arguments]]");
    exit (ret);
}

/* Free a struct passwd produced by dup_info(). */
static void
free_info(struct passwd *p)
{
    free (p->pw_name);
    free (p->pw_passwd);
    free (p->pw_dir);
    free (p->pw_shell);
    free (p);
}

/*
 * Deep-copy the fields of `pwd' that this program uses, so the copy
 * survives later getpw*() calls.  Returns NULL on allocation failure.
 */
static struct passwd*
dup_info(const struct passwd *pwd)
{
    struct passwd *info;

    info = malloc(sizeof(*info));
    if(info == NULL)
	return NULL;
    info->pw_name = strdup(pwd->pw_name);
    info->pw_passwd = strdup(pwd->pw_passwd);
    info->pw_uid = pwd->pw_uid;
    info->pw_gid = pwd->pw_gid;
    info->pw_dir = strdup(pwd->pw_dir);
    info->pw_shell = strdup(pwd->pw_shell);
    if(info->pw_name == NULL || info->pw_passwd == NULL ||
       info->pw_dir == NULL || info->pw_shell == NULL) {
	free_info (info);
	return NULL;
    }
    return info;
}

#ifdef KRB5
static krb5_context context;
/* Memory ccache holding the credentials obtained by krb5_verify();
   consumed (copied to a file cache and destroyed) by krb5_start_session(). */
static krb5_ccache ccache;

/*
 * Try to authenticate the change of identity with Kerberos.
 *
 * For each default realm a principal is built: when the target is
 * "root" it is <login user>/<instance>@REALM (the login user being
 * getlogin() where available, falling back to the invoking account's
 * name), otherwise <target user>@REALM.  For a uid 0 target the
 * principal must additionally pass krb5_kuserok() for the target
 * account.  The password is then verified with krb5_verify_user()
 * (which, with TRUE as the secure argument, also checks the obtained
 * ticket against the local keytab); on success the credentials are
 * left in the static memory `ccache'.
 *
 * Returns 0 on success, 1 otherwise (initialisation failure, no realm
 * accepted, or the password prompt interrupted).
 */
static int
krb5_verify(const struct passwd *login_info,
	    const struct passwd *su_info,
	    const char *instance)
{
    krb5_error_code ret;
    krb5_principal p;
    krb5_realm *realms, *r;
    char *login_name = NULL;
    int user_ok = 0;

#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
    login_name = getlogin();
#endif
    ret = krb5_init_context (&context);
    if (ret) {
#if 0
	warnx("krb5_init_context failed: %d", ret);
#endif
	return 1;
    }

    ret = krb5_get_default_realms(context, &realms);
    if (ret)
	return 1;

    /* Check all local realms */
    for (r = realms; *r != NULL && !user_ok; r++) {

	/* getlogin() is utmp based; ignore it when it is missing or
	   claims "root" and use the real uid's account name instead. */
	if (login_name == NULL || strcmp (login_name, "root") == 0)
	    login_name = login_info->pw_name;
	if (strcmp (su_info->pw_name, "root") == 0)
	    ret = krb5_make_principal(context, &p, *r,
				      login_name,
				      instance,
				      NULL);
	else
	    ret = krb5_make_principal(context, &p, *r,
				      su_info->pw_name,
				      NULL);
	if (ret) {
	    krb5_free_host_realm(context, realms);
	    return 1;
	}

	/* if we are su-ing to root, check with krb5_kuserok */
	/* NOTE(review): `p' is not freed on this continue path. */
	if (su_info->pw_uid == 0 && !krb5_kuserok(context, p, su_info->pw_name))
	    continue;

	ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache);
	if(ret) {
	    krb5_free_host_realm(context, realms);
	    krb5_free_principal (context, p);
	    return 1;
	}

	ret = krb5_verify_user(context, p, ccache, NULL, TRUE, NULL);
	krb5_free_principal (context, p);
	switch (ret) {
	case 0:
	    user_ok = 1;
	    break;
	case KRB5_LIBOS_PWDINTR :
	    /* interrupted password read: give up silently */
	    krb5_cc_destroy(context, ccache);
	    break;
	case KRB5KRB_AP_ERR_BAD_INTEGRITY:
	case KRB5KRB_AP_ERR_MODIFIED:
	    krb5_cc_destroy(context, ccache);
	    krb5_warnx(context, "Password incorrect");
	    break;
	default :
	    krb5_cc_destroy(context, ccache);
	    krb5_warn(context, ret, "krb5_verify_user");
	    break;
	}
    }
    krb5_free_host_realm(context, realms);
    if (!user_ok)
	return 1;
    return 0;
}

/*
 * Move the verified credentials from the memory `ccache' into a new
 * unique file ccache, export its name via KRB5CCNAME and, when AFS is
 * present, obtain a PAG and AFS token.  main() calls this after the
 * uid/gid switch, so the file cache is created as the target user.
 *
 * Returns 0 on success, 1 if the file cache could not be created or
 * filled; an asprintf() failure terminates the program.  The memory
 * cache is destroyed on every path.
 */
static int
krb5_start_session(void)
{
    krb5_ccache ccache2;
    char *cc_name;
    int ret;

    ret = krb5_cc_new_unique(context, krb5_cc_type_file, NULL, &ccache2);
    if (ret) {
	krb5_cc_destroy(context, ccache);
	return 1;
    }

    ret = krb5_cc_copy_cache(context, ccache, ccache2);
    if (ret) {
	krb5_cc_destroy(context, ccache);
	krb5_cc_destroy(context, ccache2);
	return 1;
    }

    ret = asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
		   krb5_cc_get_name(context, ccache2));
    if (ret == -1) {
	krb5_cc_destroy(context, ccache);
	krb5_cc_destroy(context, ccache2);
	errx(1, "malloc - out of memory");
    }
    esetenv("KRB5CCNAME", cc_name, 1);

    /* convert creds? */
    if(k_hasafs()) {
	if (k_setpag() == 0)
	    krb5_afslog(context, ccache2, NULL, NULL);
    }

    krb5_cc_close(context, ccache2);
    krb5_cc_destroy(context, ccache);
    return 0;
}
#endif

/* Results of group_member_p(). */
#define GROUP_MEMBER	    0
#define GROUP_MISSING	    1
#define GROUP_EMPTY	    2
#define GROUP_NOT_MEMBER    3

/*
 * Classify `user' against the explicit member list of `group'.
 * Only gr_mem is consulted: a user whose primary gid is that group
 * but who is not listed in it is reported as GROUP_NOT_MEMBER.
 */
static int
group_member_p(const char *group, const char *user)
{
    struct group *g;
    int i;
    g = getgrnam(group);
    if(g == NULL)
	return GROUP_MISSING;
    if(g->gr_mem[0] == NULL)
	return GROUP_EMPTY;
    for(i = 0; g->gr_mem[i] != NULL; i++)
	if(strcmp(user, g->gr_mem[i]) == 0)
	    return GROUP_MEMBER;
    return GROUP_NOT_MEMBER;
}

/*
 * Traditional password authentication for su-ing from `login' to `su'.
 *
 * If the target has a non-empty password field the user is prompted
 * and the crypt()ed reply compared with it; an empty field means no
 * prompt at all.  For a uid 0 target the caller must also be listed in
 * ROOT_GROUP, unless that group is missing or empty, in which case the
 * password alone suffices (see the man page).  Failures are logged to
 * syslog with LOG_AUTH.
 *
 * Returns 0 when access is granted, 1 otherwise; an aborted password
 * prompt exits the program with status 0.
 *
 * NOTE(review): `su->pw_passwd' here is whatever k_getpwnam() returned
 * in main(); on shadow systems this presumably is the shadow hash, but
 * that happens outside this file -- confirm.  crypt() may return NULL
 * (e.g. for an unsupported hash), which strcmp() below would
 * dereference; and the memset() clearing pw_buf is a dead store the
 * compiler is free to drop.
 */
static int
verify_unix(struct passwd *login, struct passwd *su)
{
    char prompt[128];
    char pw_buf[1024];
    char *pw;
    int r;
    if(su->pw_passwd != NULL && *su->pw_passwd != '\0') {
	snprintf(prompt, sizeof(prompt), "%s's password: ", su->pw_name);
	r = UI_UTIL_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0);
	if(r != 0)
	    exit(0);
	pw = crypt(pw_buf, su->pw_passwd);
	memset(pw_buf, 0, sizeof(pw_buf));
	if(strcmp(pw, su->pw_passwd) != 0) {
	    syslog (LOG_ERR | LOG_AUTH, "%s to %s: incorrect password",
		    login->pw_name, su->pw_name);
	    return 1;
	}
    }
    /* if su:ing to root, check membership of group wheel or root; if
       that group doesn't exist, or is empty, allow anyone to su
       root */
    if(su->pw_uid == 0) {
#ifndef ROOT_GROUP
#define ROOT_GROUP "wheel"
#endif
	int gs = group_member_p(ROOT_GROUP, login->pw_name);
	if(gs == GROUP_NOT_MEMBER) {
	    syslog (LOG_ERR | LOG_AUTH, "%s to %s: not in group %s",
		    login->pw_name, su->pw_name, ROOT_GROUP);
	    return 1;
	}
	return 0;
    }
    return 0;
}

/*
 * Entry point of su.
 *
 * Order of operations:
 *   1. parse options; a lone "-" before the login name means -l;
 *   2. look up the target (default "root") and the invoking user,
 *      copying both records so later getpw*() calls cannot clobber
 *      them; any uid 0 account not literally named "root" is refused
 *      and logged as a NIS attack;
 *   3. authenticate: Kerberos first (unless -K), else the Unix
 *      password check -- which is skipped entirely when the invoker
 *      is already uid 0;
 *   4. with shadow support, warn about or refuse an expired account or
 *      password (for a root invoker it is only printed);
 *   5. log the switch, build the environment (only -l discards the
 *      caller's environment; otherwise `environ' is passed through to
 *      the target shell unchanged, apart from USER/HOME/SHELL), build
 *      argv, drop to the target's gid/groups/uid and exec the shell.
 *
 * The privilege drop verifies that setuid() really worked: after
 * switching to a non-root uid a second setuid(0) must fail (the
 * work-around for the Linux 2.2.16 setuid/capabilities bug noted in
 * the ChangeLog).  The Kerberos file ccache is created only after the
 * drop, so it is owned by the target user.
 *
 * Returns only on exec failure, with status 1.
 */
int
main(int argc, char **argv)
{
    int i, optidx = 0;
    char *su_user;
    struct passwd *su_info;
    struct passwd *login_info;

    struct passwd *pwd;

    char *shell;

    int ok = 0;	/* 5 once krb5_verify() succeeded; selects krb5_start_session() */

    setprogname (argv[0]);

    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
	usage(1);

    /* "su - user": a bare dash among the options means full login */
    for (i=0; i < optidx; i++)
	if (strcmp(argv[i], "-") == 0) {
	    full_login = 1;
	    break;
	}

    if(help_flag)
	usage(0);
    if(version_flag) {
	print_version(NULL);
	exit(0);
    }

    if(optidx >= argc)
	su_user = "root";
    else
	su_user = argv[optidx++];

    if (!issuid() && getuid() != 0)
	warnx("Not setuid and you are not root, expect this to fail");

    pwd = k_getpwnam(su_user);
    if(pwd == NULL)
	errx (1, "unknown login %s", su_user);
    /* Refuse uid 0 aliases that a subverted directory could inject. */
    if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) {
	syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user);
	errx (1, "unknown login %s", su_user);
    }
    su_info = dup_info(pwd);
    if (su_info == NULL)
	errx (1, "malloc: out of memory");

    pwd = getpwuid(getuid());
    if(pwd == NULL)
	errx(1, "who are you?");
    login_info = dup_info(pwd);
    if (login_info == NULL)
	errx (1, "malloc: out of memory");

    /* -m keeps the caller's shell, otherwise the target's. */
    if(env_flag)
	shell = login_info->pw_shell;
    else
	shell = su_info->pw_shell;
    if(shell == NULL || *shell == '\0')
	shell = _PATH_BSHELL;

#ifdef KRB5
    if(kerberos_flag && ok == 0 &&
       krb5_verify(login_info, su_info, kerberos_instance) == 0)
	ok = 5;
#endif

    /* Root (pw_uid == 0) needs no password; everyone else falls back to
       the Unix check when Kerberos did not succeed. */
    if(ok == 0 && login_info->pw_uid && verify_unix(login_info, su_info) != 0) {
	printf("Sorry!\n");
	exit(1);
    }

#ifdef HAVE_GETSPNAM
    {
	struct spwd *sp;
	long today;

	sp = getspnam(su_info->pw_name);
	if (sp != NULL) {
	    /* shadow dates are in days since the epoch */
	    today = time(0)/(24L * 60 * 60);
	    if (sp->sp_expire > 0) {
		if (today >= sp->sp_expire) {
		    if (login_info->pw_uid)
			errx(1,"Your account has expired.");
		    else
			printf("Your account has expired.");
		}
		else if (sp->sp_expire - today < 14)
		    printf("Your account will expire in %d days.\n",
			   (int)(sp->sp_expire - today));
	    }
	    if (sp->sp_max > 0) {
		if (today >= sp->sp_lstchg + sp->sp_max) {
		    if (login_info->pw_uid)
			errx(1,"Your password has expired. Choose a new one.");
		    else
			printf("Your password has expired. Choose a new one.");
		}
		else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
		    printf("Your account will expire in %d days.\n",
			   (int)(sp->sp_lstchg + sp->sp_max -today));
	    }
	}
    }
#endif
    {
	char *tty = ttyname (STDERR_FILENO);
	if (tty)
	    syslog (LOG_NOTICE | LOG_AUTH, "%s to %s on %s",
		    login_info->pw_name, su_info->pw_name, tty);
	else
	    syslog (LOG_NOTICE | LOG_AUTH, "%s to %s",
		    login_info->pw_name, su_info->pw_name);
    }

    if(!env_flag) {
	if(full_login) {
	    /* Start from an empty environment seeded from
	       _PATH_ETC_ENVIRONMENT; only TERM survives from the caller. */
	    char *t = getenv ("TERM");
	    char **newenv = NULL;
	    int j;

	    i = read_environment(_PATH_ETC_ENVIRONMENT, &newenv);

	    environ = malloc ((10 + i) * sizeof (char *));
	    if (environ == NULL)
		err (1, "malloc");
	    environ[0] = NULL;

	    for (j = 0; j < i; j++) {
		char *p = strchr(newenv[j], '=');
		if (p == NULL)
		    errx(1, "enviroment '%s' missing '='", newenv[j]);
		*p++ = 0;
		esetenv (newenv[j], p, 1);
	    }
	    free(newenv);

	    esetenv ("PATH", _PATH_DEFPATH, 1);
	    if (t)
		esetenv ("TERM", t, 1);
	    if (chdir (su_info->pw_dir) < 0)
		errx (1, "no directory");
	}
	/* NOTE(review): without -l the caller's environment (including
	   any loader or shell start-up variables) reaches the target
	   shell, which then runs with the target's privileges. */
	if (full_login || su_info->pw_uid)
	    esetenv ("USER", su_info->pw_name, 1);
	esetenv("HOME", su_info->pw_dir, 1);
	esetenv("SHELL", shell, 1);
    }

    {
	char **new_argv;
	char *p;

	p = strrchr(shell, '/');
	if(p)
	    p++;
	else
	    p = shell;

	/* -f only makes sense for csh */
	if (strcmp(p, "csh") != 0)
	    csh_f_flag = 0;

	/* argv0 [-c cmd] [-f] <remaining args> NULL */
	new_argv = malloc(((cmd ? 2 : 0) + 1 + argc - optidx + 1 + csh_f_flag)
			  * sizeof(*new_argv));
	if (new_argv == NULL)
	    err (1, "malloc");
	i = 0;
	if(full_login) {
	    /* "-sh" convention tells the shell it is a login shell */
	    if (asprintf(&new_argv[i++], "-%s", p) == -1)
		errx (1, "malloc");
	} else
	    new_argv[i++] = p;

	if (cmd) {
	    new_argv[i++] = "-c";
	    new_argv[i++] = cmd;
	}

	if (csh_f_flag)
	    new_argv[i++] = "-f";

	for (argv += optidx; *argv; ++argv)
	    new_argv[i++] = *argv;
	new_argv[i] = NULL;

	/* gid, supplementary groups, then uid -- this order is required
	   because initgroups() and setgid() need root. */
	if(setgid(su_info->pw_gid) < 0)
	    err(1, "setgid");
	if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
	    err (1, "initgroups");
	/* For a non-root target, regaining uid 0 afterwards must fail;
	   otherwise the drop did not take and we refuse to continue. */
	if(setuid(su_info->pw_uid) < 0 ||
	   (su_info->pw_uid != 0 && setuid(0) == 0))
	    err(1, "setuid");

#ifdef KRB5
	if (ok == 5)
	    krb5_start_session();
#endif
	execve(shell, new_argv, environ);
    }
    exit(1);
}
heimdal-1.7~git20150920+dfsg/appl/su/supaths.h000066400000000000000000000036231257755311500206720ustar00rootroot00000000000000/* * Copyright (c) 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ #ifndef __SU_PATH_H #define __SU_PATH_H #ifndef _PATH_DEFPATH #define _PATH_DEFPATH "/usr/bin:/bin" #endif #ifndef _PATH_BSHELL #define _PATH_BSHELL "/bin/sh" #endif #ifndef _PATH_ETC_ENVIRONMENT #define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment" #endif #endif /* __SU_PATH_H */ heimdal-1.7~git20150920+dfsg/appl/test/000077500000000000000000000000001257755311500173565ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/appl/test/Makefile.am000066400000000000000000000024161257755311500214150ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common WFLAGS += $(WFLAGS_LITE) noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \ uu_server uu_client nt_gss_server nt_gss_client http_client tcp_client_SOURCES = tcp_client.c common.c test_locl.h tcp_server_SOURCES = tcp_server.c common.c test_locl.h gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \ gss_common.h test_locl.h gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \ gss_common.h test_locl.h http_client_SOURCES = http_client.c gss_common.c common.c \ gss_common.h test_locl.h uu_server_SOURCES = uu_server.c common.c test_locl.h uu_client_SOURCES = uu_client.c common.c test_locl.h gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD) gssapi_client_LDADD = $(gssapi_server_LDADD) http_client_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD) nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c 
nt_gss_common.h common.c nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c nt_gss_common.h nt_gss_client_LDADD = $(gssapi_server_LDADD) nt_gss_server_LDADD = $(nt_gss_client_LDADD) LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) EXTRA_DIST = NTMakefile jgssapi_server.java heimdal-1.7~git20150920+dfsg/appl/test/NTMakefile000066400000000000000000000027321257755311500212640ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. 
# RELDIR=appl\test !include ../../windows/NTMakefile.w32 heimdal-1.7~git20150920+dfsg/appl/test/common.c000066400000000000000000000123001257755311500210060ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
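 */
#include "test_locl.h"

/*
 * Option state shared by the test clients and servers in this directory.
 * The non-static variables are referenced from the individual programs
 * (gssapi_client.c declares `extern char *password`, for example).
 */
static int help_flag;
static int version_flag;
static char *port_str;
char *keytab_str;
krb5_keytab keytab;
char *service = SERVICE;        /* SERVICE is expected from test_locl.h */
char *mech = "krb5";
int fork_flag;
/*
 * Password given with -P.  Anything passed on the command line is visible
 * to other local users in the process listing, so this only suits test
 * setups.
 */
char *password = NULL;

static struct getargs args[] = {
    { "port",     'p', arg_string, &port_str,     "port to listen to",  "port" },
    { "service",  's', arg_string, &service,      "service to use",     "service" },
    { "keytab",   'k', arg_string, &keytab_str,   "keytab to use",      "keytab" },
    { "mech",     'm', arg_string, &mech,         "gssapi mech to use", "mech" },
    { "password", 'P', arg_string, &password,     "password to use",    "password" },
    { "fork",     'f', arg_flag,   &fork_flag,    "do fork",            NULL },
    { "help",     'h', arg_flag,   &help_flag,    NULL,                 NULL },
    { "version",  0,   arg_flag,   &version_flag, NULL,                 NULL }
};

static int num_args = sizeof(args) / sizeof(args[0]);

/* Print the server usage text (no positional arguments) and exit with code. */
static void
server_usage(int code, struct getargs *args, int num_args)
{
    arg_printusage(args, num_args, NULL, "");
    exit(code);
}

/* Print the client usage text (one positional argument, the host) and exit. */
static void
client_usage(int code, struct getargs *args, int num_args)
{
    arg_printusage(args, num_args, NULL, "host");
    exit(code);
}

/*
 * Parse the options common to clients and servers and work out which TCP
 * port to use.
 *
 * On return *argc is the index of the first non-option argument.  The
 * returned port is in network byte order: a service name given with -p is
 * looked up with getservbyname(), a number is converted with htons(), and
 * with no -p (or -p 0) krb5_getportbyname() supplies PORT (expected from
 * test_locl.h) with 4711 as the fallback.
 *
 * Exits via usage() on -h, after print_version() on --version, and via
 * errx() on a malformed port.
 */
static int
common_setup(krb5_context *context, int *argc, char **argv,
             void (*usage)(int, struct getargs*, int))
{
    int port = 0;

    *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage);

    if (help_flag)
        (*usage)(0, args, num_args);
    if (version_flag) {
        print_version(NULL);
        exit(0);
    }
    if (port_str) {
        struct servent *s = roken_getservbyname(port_str, "tcp");

        if (s) {
            port = s->s_port;
        } else {
            char *ptr;
            long n = strtol(port_str, &ptr, 10);

            /*
             * Previously only an entirely non-numeric string was rejected:
             * "4711x" was accepted and "70000" was silently truncated by
             * htons().  Require the whole string to be a number within the
             * TCP port range; 0 still means "use the default".
             */
            if (ptr == port_str || *ptr != '\0' || n < 0 || n > 65535)
                errx(1, "Bad port `%s'", port_str);
            port = htons((unsigned short)n);
        }
    }
    if (port == 0)
        port = krb5_getportbyname(*context, PORT, "tcp", 4711);
    return port;
}

/*
 * Server-side option handling: parse the command line, reject stray
 * positional arguments and open the keytab (-k, else the default keytab)
 * into the global `keytab`.  Returns the port in network byte order.
 * Exits on error.
 */
int
server_setup(krb5_context *context, int argc, char **argv)
{
    int port = common_setup(context, &argc, argv, server_usage);
    krb5_error_code ret;

    if (argv[argc] != NULL)
        server_usage(1, args, num_args);

    if (keytab_str != NULL) {
        ret = krb5_kt_resolve(*context, keytab_str, &keytab);
        if (ret)
            krb5_err(*context, 1, ret, "krb5_kt_resolve");
    } else {
        ret = krb5_kt_default(*context, &keytab);
        if (ret)
            krb5_err(*context, 1, ret, "krb5_kt_default");
    }
    return port;
}

/*
 * Client-side option handling: parse the command line and require exactly
 * one positional argument (the host).  On return *argc indexes that
 * argument.  Returns the port in network byte order.  Exits on error.
 */
int
client_setup(krb5_context *context, int *argc, char **argv)
{
    int optind = *argc;
    int port = common_setup(context, &optind, argv, client_usage);

    if (*argc - optind != 1)
        client_usage(1, args, num_args);
    *argc = optind;
    return port;
}

/*
 * Resolve hostname, connect a TCP socket to it on port (network byte
 * order) and hand the connected socket to func().  Every address returned
 * by getaddrinfo() is tried in turn; a failed connect() is reported with
 * warn() and the next address is tried.
 *
 * Returns func()'s result on success and 1 if no address could be reached.
 * Exits via errx() if the name cannot be resolved.
 */
int
client_doit(const char *hostname, int port, const char *service,
            int (*func)(int, const char *hostname, const char *service))
{
    struct addrinfo *ai, *a;
    struct addrinfo hints;
    int error;
    char portstr[NI_MAXSERV];

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    snprintf(portstr, sizeof(portstr), "%u", (unsigned)ntohs(port));

    error = getaddrinfo(hostname, portstr, &hints, &ai);
    if (error) {
        errx(1, "%s: %s", hostname, gai_strerror(error));
        return -1;                      /* not reached */
    }

    for (a = ai; a != NULL; a = a->ai_next) {
        int s = socket(a->ai_family, a->ai_socktype, a->ai_protocol);

        if (s < 0)
            continue;
        socket_set_ipv6only(s, 1);
        if (connect(s, a->ai_addr, a->ai_addrlen) < 0) {
            warn("connect(%s)", hostname);
            close(s);
            continue;
        }
        freeaddrinfo(ai);
        return (*func)(s, hostname, service);
    }
    warnx("failed to contact %s", hostname);
    freeaddrinfo(ai);
    return 1;
}

/* ==== heimdal-1.7~git20150920+dfsg/appl/test/gss_common.c ==== */
/*
 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2.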
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
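 */
#include "test_locl.h"
/*
 * The angle-bracket include names were lost in extraction; these are the
 * Heimdal headers providing the GSS-API calls and the GSS_KRB5_MECHANISM /
 * GSS_SPNEGO_MECHANISM OIDs used below.
 */
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#include <gssapi/gssapi_spnego.h>
#include "gss_common.h"
RCSID("$Id$");

/*
 * Upper bound on the token length accepted by read_token().  The length
 * field is read off the wire, so without a limit the peer could make us
 * allocate up to 4 GiB per token.  This is a local sanity bound chosen for
 * the test programs, not a protocol constant; raise it if a mechanism
 * legitimately needs larger tokens.
 */
#define TEST_MAX_TOKEN_LEN (1024 * 1024)

/*
 * Send buf on sock as a 4-byte big-endian length followed by the bytes,
 * then release buf with gss_release_buffer().  The caller must not touch
 * buf->value afterwards.  Exits via err() if either write fails.
 */
void
write_token(int sock, gss_buffer_t buf)
{
    uint32_t len, net_len;
    OM_uint32 min_stat;

    len = buf->length;
    net_len = htonl(len);
    if (net_write(sock, &net_len, 4) != 4)
        err(1, "write");
    if (net_write(sock, buf->value, len) != (ssize_t)len)
        err(1, "write");
    gss_release_buffer(&min_stat, buf);
}

/*
 * Read exactly len bytes from fd into buf.  A negative result is reported
 * with err() so errno is shown (it used to be errx(), which lost it);
 * anything short of len is treated as EOF.
 */
static void
enet_read(int fd, void *buf, size_t len)
{
    ssize_t ret;

    ret = net_read(fd, buf, len);
    if (ret < 0)
        err(1, "read");
    if ((size_t)ret != len)
        errx(1, "EOF in read");
}

/*
 * Receive one token in write_token()'s framing: a 4-byte big-endian length
 * and then that many bytes, stored in a fresh emalloc()ed buffer which the
 * caller releases with gss_release_buffer().  A zero-length token yields
 * buf->value == NULL rather than a zero-byte read that would be mistaken
 * for EOF.  Exits if the announced length exceeds TEST_MAX_TOKEN_LEN or a
 * read fails.
 */
void
read_token(int sock, gss_buffer_t buf)
{
    uint32_t len, net_len;

    enet_read(sock, &net_len, 4);
    len = ntohl(net_len);
    if (len > TEST_MAX_TOKEN_LEN)
        errx(1, "token length %u exceeds limit %u",
             (unsigned)len, (unsigned)TEST_MAX_TOKEN_LEN);
    buf->length = len;
    if (len == 0) {
        buf->value = NULL;
        return;
    }
    buf->value = emalloc(len);
    enet_read(sock, buf->value, len);
}

/*
 * Print every message gss_display_status() has for a mechanism-specific
 * status code to stderr, one per line.
 */
void
gss_print_errors(int min_stat)
{
    OM_uint32 new_stat;
    OM_uint32 msg_ctx = 0;
    gss_buffer_desc status_string = GSS_C_EMPTY_BUFFER;
    OM_uint32 ret;

    do {
        ret = gss_display_status(&new_stat, min_stat, GSS_C_MECH_CODE,
                                 GSS_C_NO_OID, &msg_ctx, &status_string);
        /* status_string is only meaningful when the call succeeded. */
        if (!GSS_ERROR(ret))
            fprintf(stderr, "%.*s\n", (int)status_string.length,
                    (char *)status_string.value);
        gss_release_buffer(&new_stat, &status_string);
    } while (!GSS_ERROR(ret) && msg_ctx != 0);
}

/* vwarnx()-style message, then the GSS-API texts for status, then exit. */
void
gss_verr(int exitval, int status, const char *fmt, va_list ap)
{
    vwarnx(fmt, ap);
    gss_print_errors(status);
    exit(exitval);
}

/* printf-style front end to gss_verr(). */
void
gss_err(int exitval, int status, const char *fmt, ...)
{
    va_list args;

    va_start(args, fmt);
    gss_verr(exitval, status, fmt, args);
    va_end(args);
}

/*
 * Map the -m option value to a mechanism OID: "krb5", "spnego" or "no-oid"
 * (compared case-insensitively).  Any other value is fatal.
 */
gss_OID
select_mech(const char *mech)
{
    if (strcasecmp(mech, "krb5") == 0)
        return GSS_KRB5_MECHANISM;
    if (strcasecmp(mech, "spnego") == 0)
        return GSS_SPNEGO_MECHANISM;
    if (strcasecmp(mech, "no-oid") == 0)
        return GSS_C_NO_OID;
    errx(1, "Unknown mechanism '%s' (spnego, krb5, no-oid)", mech);
    return GSS_C_NO_OID;        /* not reached; silences -Wreturn-type */
}

/* Print "<prefix> `<display name>'" for a GSS-API name on stderr. */
void
print_gss_name(const char *prefix, gss_name_t name)
{
    OM_uint32 maj_stat, min_stat;
    gss_buffer_desc name_token;

    maj_stat = gss_display_name(&min_stat, name, &name_token, NULL);
    if (GSS_ERROR(maj_stat))
        gss_err(1, min_stat, "gss_display_name");
    fprintf(stderr, "%s `%.*s'\n", prefix,
            (int)name_token.length, (char *)name_token.value);
    gss_release_buffer(&min_stat, &name_token);
}

/* ==== heimdal-1.7~git20150920+dfsg/appl/test/gss_common.h ==== */
/*
 * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.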
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ void write_token (int sock, gss_buffer_t buf); void read_token (int sock, gss_buffer_t buf); void gss_print_errors (int min_stat); void gss_verr(int exitval, int status, const char *fmt, va_list ap) __attribute__ ((format (printf, 3, 0))); void gss_err(int exitval, int status, const char *fmt, ...) __attribute__ ((format (printf, 3, 4))); gss_OID select_mech(const char *); void print_gss_name(const char *, gss_name_t); heimdal-1.7~git20150920+dfsg/appl/test/gssapi_client.c000066400000000000000000000207621257755311500223550ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
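 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "test_locl.h"
/* Angle-bracket include names were lost in extraction; these are the Heimdal
 * GSS-API headers the calls below come from. */
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#include <gssapi/gssapi_spnego.h>
#include "gss_common.h"
RCSID("$Id$");

/*
 * Exercise the per-message calls over an established context, in the order
 * gssapi_server.c's process_it() expects: send a MIC, verify the server's
 * MIC, send an integrity-only wrap and a confidential wrap of the same
 * text, then unwrap the server's message and echo the plaintext back.
 *
 * write_token() releases every buffer handed to it, which is where the
 * strdup()ed MIC payload is freed.  Returns 0; any failure is fatal.
 */
static int
do_trans(int sock, gss_ctx_id_t context_hdl)
{
    OM_uint32 maj_stat, min_stat;
    gss_buffer_desc real_input_token, real_output_token;
    gss_buffer_t input_token = &real_input_token,
        output_token = &real_output_token;
    int conf_flag;

    /* get_mic */
    input_token->length = 3;
    input_token->value = strdup("hej");
    if (input_token->value == NULL)
        errx(1, "malloc - out of memory");

    maj_stat = gss_get_mic(&min_stat, context_hdl, GSS_C_QOP_DEFAULT,
                           input_token, output_token);
    if (GSS_ERROR(maj_stat))
        gss_err(1, min_stat, "gss_get_mic");

    write_token(sock, input_token);
    write_token(sock, output_token);

    /* verify mic */
    read_token(sock, input_token);
    read_token(sock, output_token);

    maj_stat = gss_verify_mic(&min_stat, context_hdl, input_token,
                              output_token, NULL);
    if (GSS_ERROR(maj_stat))
        gss_err(1, min_stat, "gss_verify_mic");

    gss_release_buffer(&min_stat, input_token);
    gss_release_buffer(&min_stat, output_token);

    /* wrap: once with conf_req_flag 0 (integrity only), once with 1 */
    input_token->length = 7;
    input_token->value = "hemligt";

    maj_stat = gss_wrap(&min_stat, context_hdl, 0, GSS_C_QOP_DEFAULT,
                        input_token, NULL, output_token);
    if (GSS_ERROR(maj_stat))
        gss_err(1, min_stat, "gss_wrap");
    write_token(sock, output_token);

    maj_stat = gss_wrap(&min_stat, context_hdl, 1, GSS_C_QOP_DEFAULT,
                        input_token, NULL, output_token);
    if (GSS_ERROR(maj_stat))
        gss_err(1, min_stat, "gss_wrap");
    write_token(sock, output_token);

    /* unwrap the server's message and echo the plaintext back */
    read_token(sock, input_token);
    maj_stat = gss_unwrap(&min_stat, context_hdl, input_token,
                          output_token, &conf_flag, NULL);
    if (GSS_ERROR(maj_stat))
        gss_err(1, min_stat, "gss_unwrap");
    gss_release_buffer(&min_stat, input_token);  /* was leaked before */
    write_token(sock, output_token);

    return 0;
}

extern char *password;

/*
 * Establish a GSS-API context with service@hostname over sock, then run
 * do_trans().  Mutual authentication and sequencing are requested; no
 * channel bindings are passed (the disabled block below is an old IPv4
 * sketch, which is also the only reason the socket addresses are fetched).
 * With -P an initiator credential is acquired from the password, otherwise
 * the default credential is used.  With -f the context is exported through
 * a pipe to a forked child, which runs do_trans() while the parent exits.
 *
 * Returns do_trans()'s result; every error is fatal.
 */
static int
proto(int sock, const char *hostname, const char *service)
{
    struct sockaddr_storage remote, local;
    socklen_t addrlen;
    int context_established = 0;
    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
    gss_buffer_desc real_input_token, real_output_token;
    gss_buffer_t input_token = &real_input_token,
        output_token = &real_output_token;
    OM_uint32 maj_stat, min_stat, junk;
    gss_name_t server;
    gss_buffer_desc name_token;
    gss_OID mech_oid;
    char *str;

    mech_oid = select_mech(mech);

    /*
     * asprintf() returns -1 on failure and need not set str to NULL, so
     * check the return value instead of relying on str alone.
     */
    if (asprintf(&str, "%s@%s", service, hostname) < 0 || str == NULL)
        errx(1, "malloc - out of memory");
    name_token.length = strlen(str);
    name_token.value = str;

    maj_stat = gss_import_name(&min_stat, &name_token,
                               GSS_C_NT_HOSTBASED_SERVICE, &server);
    if (GSS_ERROR(maj_stat))
        gss_err(1, min_stat, "Error importing name `%s@%s':\n",
                service, hostname);
    free(str);

    if (password) {
        gss_buffer_desc pw;

        pw.value = password;
        pw.length = strlen(password);

        maj_stat = gss_acquire_cred_with_password(&min_stat, GSS_C_NO_NAME,
                                                  &pw, GSS_C_INDEFINITE,
                                                  GSS_C_NO_OID_SET,
                                                  GSS_C_INITIATE, &cred,
                                                  NULL, NULL);
        if (GSS_ERROR(maj_stat))
            gss_err(1, min_stat,
                    "Error acquiring default initiator credentials");
    }

    addrlen = sizeof(local);
    if (getsockname(sock, (struct sockaddr *)&local, &addrlen) < 0
        || addrlen > sizeof(local))
        err(1, "getsockname(%s)", hostname);

    addrlen = sizeof(remote);
    if (getpeername(sock, (struct sockaddr *)&remote, &addrlen) < 0
        || addrlen > sizeof(remote))
        err(1, "getpeername(%s)", hostname);

    /* Start with empty, releasable buffers so the loop can release freely. */
    input_token->length = 0;
    input_token->value = NULL;
    output_token->length = 0;
    output_token->value = NULL;

#if 0
    struct gss_channel_bindings_struct input_chan_bindings;
    u_char init_buf[4];
    u_char acct_buf[4];

    input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
    input_chan_bindings.initiator_address.length = 4;
    init_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
    init_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
    init_buf[2] = (local.sin_addr.s_addr >> 8) & 0xFF;
    init_buf[3] = (local.sin_addr.s_addr >> 0) & 0xFF;
    input_chan_bindings.initiator_address.value = init_buf;

    input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
    input_chan_bindings.acceptor_address.length = 4;
    acct_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
    acct_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
    acct_buf[2] = (remote.sin_addr.s_addr >> 8) & 0xFF;
    acct_buf[3] = (remote.sin_addr.s_addr >> 0) & 0xFF;
    input_chan_bindings.acceptor_address.value = acct_buf;

    input_chan_bindings.application_data.value = emalloc(4);
    * (unsigned short*)input_chan_bindings.application_data.value = local.sin_port;
    * ((unsigned short *)input_chan_bindings.application_data.value + 1) = remote.sin_port;
    input_chan_bindings.application_data.length = 4;

    input_chan_bindings.application_data.length = 0;
    input_chan_bindings.application_data.value = NULL;
#endif

    while (!context_established) {
        maj_stat = gss_init_sec_context(&min_stat, cred, &context_hdl,
                                        server, mech_oid,
                                        GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
                                        0, NULL, input_token, NULL,
                                        output_token, NULL, NULL);
        if (GSS_ERROR(maj_stat)) {
            /*
             * This cleanup used to sit after the fatal gss_err() call and
             * was never reached.  junk keeps min_stat intact for the
             * error message.
             */
            if (context_hdl != GSS_C_NO_CONTEXT)
                gss_delete_sec_context(&junk, &context_hdl, GSS_C_NO_BUFFER);
            gss_err(1, min_stat, "gss_init_sec_context");
        }
        if (output_token->length != 0)
            write_token(sock, output_token);

        if (maj_stat & GSS_S_CONTINUE_NEEDED) {
            /* The previous token has been consumed; drop it before reading. */
            gss_release_buffer(&junk, input_token);
            read_token(sock, input_token);
        } else {
            context_established = 1;
        }
    }
    gss_release_buffer(&junk, input_token);
    gss_release_name(&junk, &server);

    if (fork_flag) {
        pid_t pid;
        int pipefd[2];

        if (pipe(pipefd) < 0)
            err(1, "pipe");

        pid = fork();
        if (pid < 0)
            err(1, "fork");

        if (pid != 0) {
            /* Parent: hand the context to the child over the pipe and leave. */
            gss_buffer_desc buf;

            maj_stat = gss_export_sec_context(&min_stat, &context_hdl, &buf);
            if (GSS_ERROR(maj_stat))
                gss_err(1, min_stat, "gss_export_sec_context");
            write_token(pipefd[1], &buf);
            exit(0);
        } else {
            /* Child: import the context and run the transaction. */
            gss_ctx_id_t child_hdl;
            gss_buffer_desc buf;

            close(pipefd[1]);
            read_token(pipefd[0], &buf);
            close(pipefd[0]);

            maj_stat = gss_import_sec_context(&min_stat, &buf, &child_hdl);
            if (GSS_ERROR(maj_stat))
                gss_err(1, min_stat, "gss_import_sec_context");
            gss_release_buffer(&min_stat, &buf);
            return do_trans(sock, child_hdl);
        }
    }
    return do_trans(sock, context_hdl);
}

/* Parse options (see common.c), connect to argv[argc] and run proto(). */
int
main(int argc, char **argv)
{
    krb5_context context; /* XXX */
    int port = client_setup(&context, &argc, argv);

    return client_doit(argv[argc], port, service, proto);
}

/* ==== heimdal-1.7~git20150920+dfsg/appl/test/gssapi_server.c ==== */
/*
 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.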
* * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * A sample server that uses the GSSAPI. */ #include "test_locl.h" #include #include #include #include "gss_common.h" static int process_it(int sock, gss_ctx_id_t context_hdl, gss_name_t client_name ) { OM_uint32 maj_stat, min_stat; gss_buffer_desc real_input_token, real_output_token; gss_buffer_t input_token = &real_input_token, output_token = &real_output_token; gss_name_t server_name; int conf_flag; print_gss_name("User is", client_name); maj_stat = gss_inquire_context(&min_stat, context_hdl, NULL, &server_name, NULL, NULL, NULL, NULL, NULL); if (GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_inquire_context"); print_gss_name("Server is", server_name); maj_stat = gss_release_name(&min_stat, &server_name); if (GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_release_name"); /* gss_verify_mic */ read_token (sock, input_token); read_token (sock, output_token); maj_stat = gss_verify_mic (&min_stat, context_hdl, input_token, output_token, NULL); if (GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_verify_mic"); fprintf (stderr, "gss_verify_mic: %.*s\n", (int)input_token->length, (char *)input_token->value); gss_release_buffer (&min_stat, input_token); gss_release_buffer (&min_stat, output_token); /* create mic 
*/ input_token->length = 6; input_token->value = strdup("hejsan"); maj_stat = gss_get_mic(&min_stat, context_hdl, GSS_C_QOP_DEFAULT, input_token, output_token); if (GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_get_mic"); write_token (sock, input_token); write_token (sock, output_token); gss_release_buffer (&min_stat, output_token); /* gss_unwrap */ read_token (sock, input_token); maj_stat = gss_unwrap (&min_stat, context_hdl, input_token, output_token, &conf_flag, NULL); if(GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_unwrap"); fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length, (char *)output_token->value, conf_flag ? "CONF" : "INT"); gss_release_buffer (&min_stat, input_token); gss_release_buffer (&min_stat, output_token); read_token (sock, input_token); maj_stat = gss_unwrap (&min_stat, context_hdl, input_token, output_token, &conf_flag, NULL); if(GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_unwrap"); fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length, (char *)output_token->value, conf_flag ? 
"CONF" : "INT"); gss_release_buffer (&min_stat, input_token); gss_release_buffer (&min_stat, output_token); input_token->value = "hejhej"; input_token->length = 6; maj_stat = gss_wrap (&min_stat, context_hdl, 1, GSS_C_QOP_DEFAULT, input_token, NULL, output_token); write_token (sock, output_token); gss_release_buffer (&min_stat, output_token); read_token (sock, input_token); if (input_token->length != 6 && memcmp(input_token->value, "hejhej", 6) != 0) errx(1, "invalid reply"); return 0; } static int proto (int sock, const char *service) { struct sockaddr_in remote, local; socklen_t addrlen; gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; gss_buffer_desc real_input_token, real_output_token; gss_buffer_t input_token = &real_input_token, output_token = &real_output_token; OM_uint32 maj_stat, min_stat; gss_name_t client_name; struct gss_channel_bindings_struct input_chan_bindings; gss_cred_id_t delegated_cred_handle = NULL; krb5_ccache ccache; u_char init_buf[4]; u_char acct_buf[4]; gss_OID mech_oid; char *mech, *p; addrlen = sizeof(local); if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0 || addrlen != sizeof(local)) err (1, "getsockname)"); addrlen = sizeof(remote); if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0 || addrlen != sizeof(remote)) err (1, "getpeername"); input_chan_bindings.initiator_addrtype = GSS_C_AF_INET; input_chan_bindings.initiator_address.length = 4; init_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF; init_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF; init_buf[2] = (remote.sin_addr.s_addr >> 8) & 0xFF; init_buf[3] = (remote.sin_addr.s_addr >> 0) & 0xFF; input_chan_bindings.initiator_address.value = init_buf; input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET; input_chan_bindings.acceptor_address.length = 4; acct_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF; acct_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF; acct_buf[2] = (local.sin_addr.s_addr >> 8) & 0xFF; acct_buf[3] = (local.sin_addr.s_addr >> 0) & 0xFF; 
input_chan_bindings.acceptor_address.value = acct_buf; input_chan_bindings.application_data.value = emalloc(4); #if 0 * (unsigned short *)input_chan_bindings.application_data.value = remote.sin_port; * ((unsigned short *)input_chan_bindings.application_data.value + 1) = local.sin_port; input_chan_bindings.application_data.length = 4; #else input_chan_bindings.application_data.length = 0; input_chan_bindings.application_data.value = NULL; #endif delegated_cred_handle = GSS_C_NO_CREDENTIAL; do { read_token (sock, input_token); maj_stat = gss_accept_sec_context (&min_stat, &context_hdl, GSS_C_NO_CREDENTIAL, input_token, &input_chan_bindings, &client_name, &mech_oid, output_token, NULL, NULL, &delegated_cred_handle); if(GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_accept_sec_context"); if (output_token->length != 0) write_token (sock, output_token); if (GSS_ERROR(maj_stat)) { if (context_hdl != GSS_C_NO_CONTEXT) gss_delete_sec_context (&min_stat, &context_hdl, GSS_C_NO_BUFFER); break; } } while(maj_stat & GSS_S_CONTINUE_NEEDED); p = (char *)mech_oid->elements; if (mech_oid->length == GSS_KRB5_MECHANISM->length && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_oid->length) == 0) mech = "Kerberos 5"; else if (mech_oid->length == GSS_SPNEGO_MECHANISM->length && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_oid->length) == 0) mech = "SPNEGO"; /* XXX Silly, wont show up */ else mech = "Unknown"; printf("Using mech: %s\n", mech); if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) { krb5_context context; printf("Delegated cred found\n"); maj_stat = krb5_init_context(&context); maj_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache); maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred_handle, ccache); if (maj_stat == 0) { krb5_principal p; maj_stat = krb5_cc_get_principal(context, ccache, &p); if (maj_stat == 0) { char *name; maj_stat = krb5_unparse_name(context, p, &name); if (maj_stat == 0) { printf("Delegated user is: `%s'\n", name); free(name); } 
krb5_free_principal(context, p); } } krb5_cc_close(context, ccache); gss_release_cred(&min_stat, &delegated_cred_handle); } if (fork_flag) { pid_t pid; int pipefd[2]; if (pipe (pipefd) < 0) err (1, "pipe"); pid = fork (); if (pid < 0) err (1, "fork"); if (pid != 0) { gss_buffer_desc buf; maj_stat = gss_export_sec_context (&min_stat, &context_hdl, &buf); if (GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_export_sec_context"); write_token (pipefd[1], &buf); exit (0); } else { gss_ctx_id_t context_hdl; gss_buffer_desc buf; close (pipefd[1]); read_token (pipefd[0], &buf); close (pipefd[0]); maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl); if (GSS_ERROR(maj_stat)) gss_err (1, min_stat, "gss_import_sec_context"); gss_release_buffer (&min_stat, &buf); return process_it (sock, context_hdl, client_name); } } else { return process_it (sock, context_hdl, client_name); } } static void loop (int port, const char *service) { int sock, sock2; struct sockaddr_in my_addr; int one = 1; if (keytab_str) gsskrb5_register_acceptor_identity(keytab_str); sock = socket (AF_INET, SOCK_STREAM, 0); if (sock < 0) err (1, "socket"); memset (&my_addr, 0, sizeof(my_addr)); my_addr.sin_family = AF_INET; my_addr.sin_port = port; my_addr.sin_addr.s_addr = INADDR_ANY; if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one)) < 0) warn ("setsockopt SO_REUSEADDR"); if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0) err (1, "bind"); while (1) { if (listen (sock, 1) < 0) err (1, "listen"); sock2 = accept (sock, NULL, NULL); if (sock2 < 0) err (1, "accept"); proto (sock2, service); } } /* * Iterative server; process one connection at a time. 
 */
int
main(int argc, char **argv)
{
    krb5_context context = NULL; /* XXX */
    krb5_error_code ret;
    int port;

    /* Option parsing and library context setup live in server_setup(). */
    port = server_setup(&context, argc, argv);

    /* Refuse to start with an empty keytab: the acceptor would fail later anyway. */
    if ((ret = krb5_kt_have_content(context, keytab)) != 0)
	krb5_err(context, 1, ret, "krb5_kt_have_content");

    /* Serve connections one at a time; loop() never returns. */
    loop(port, service);
    return 0;
}
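IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "test_locl.h"
/*
 * NOTE(review): the names of the system headers between the two quoted
 * includes were lost when this listing was extracted.  The GSS-API and
 * roken base64 headers below are reconstructed from what the code uses
 * (gss_*, GSS_C_*, rk_base64_*) -- confirm against the upstream file.
 */
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#include <gssapi/gssapi_spnego.h>
#include "gss_common.h"
#include <base64.h>
RCSID("$Id$");

/*
 * A simplistic client implementing draft-brezak-spnego-http-04.txt
 */

/*
 * Connect to `hostname':`port' (numeric or service name), trying every
 * address getaddrinfo() returns in turn.  Exits on failure; returns the
 * connected socket.
 */
static int
do_connect (const char *hostname, const char *port)
{
    struct addrinfo *ai, *a;
    struct addrinfo hints;
    int error;
    int s = -1;

    memset (&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = 0;

    error = getaddrinfo (hostname, port, &hints, &ai);
    if (error)
	errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error));

    for (a = ai; a != NULL; a = a->ai_next) {
	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
	if (s < 0)
	    continue;
	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
	    warn ("connect(%s)", hostname);
	    close (s);
	    s = -1;
	    continue;
	}
	break;
    }
    freeaddrinfo (ai);
    if (a == NULL)
	errx (1, "failed to contact %s", hostname);
    return s;
}

/*
 * printf()-style write to socket `s', looping until every byte has been
 * written.  Exits on EOF, write error or allocation failure.
 */
static void
fdprintf(int s, const char *fmt, ...)
{
    size_t len;
    ssize_t ret;
    va_list ap;
    char *str, *buf;

    va_start(ap, fmt);
    ret = vasprintf(&str, fmt, ap);
    va_end(ap);
    /* glibc leaves `str' undefined on failure, so the return value is checked too. */
    if (ret < 0 || str == NULL)
	errx(1, "vasprintf");

    buf = str;
    len = strlen(buf);
    while (len) {
	ret = write(s, buf, len);
	if (ret == 0)
	    err(1, "connection closed");
	else if (ret < 0)
	    err(1, "error");
	len -= ret;
	buf += ret;
    }
    free(str);
}

static int help_flag;
static int version_flag;
static int verbose_flag;
static int mutual_flag = 1;
static int delegate_flag;
static char *port_str = "http";
static char *gss_service = "HTTP";

static struct getargs http_args[] = {
    { "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", NULL },
    { "port", 'p', arg_string, &port_str, "port to connect to", "port" },
    { "delegate", 0, arg_flag, &delegate_flag, "gssapi delegate credential", NULL },
    { "gss-service", 's', arg_string, &gss_service, "gssapi service to use", "service" },
    { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" },
    { "mutual", 0, arg_negative_flag, &mutual_flag, "no gssapi mutual auth", NULL },
    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
    { "version", 0, arg_flag, &version_flag, NULL, NULL }
};

static int num_http_args = sizeof(http_args) / sizeof(http_args[0]);

static void
usage(int code)
{
    arg_printusage(http_args, num_http_args, NULL, "host [page]");
    exit(code);
}

/*
 * One parsed HTTP response: status line, header lines and raw body.
 */
struct http_req {
    char *response;	/* status line, e.g. "HTTP/1.0 200 OK" */
    char **headers;	/* header lines without the trailing CRLF */
    int num_headers;
    void *body;		/* NUL-terminated copy of the body (may contain NULs) */
    size_t body_size;
};

static void
http_req_zero(struct http_req *req)
{
    req->response = NULL;
    req->headers = NULL;
    req->num_headers = 0;
    req->body = NULL;
    req->body_size = 0;
}

static void
http_req_free(struct http_req *req)
{
    int i;

    free(req->response);
    for (i = 0; i < req->num_headers; i++)
	free(req->headers[i]);
    free(req->headers);
    free(req->body);
    http_req_zero(req);
}

/*
 * Return a NUL-terminated copy of the first `n' bytes of `s'.  Exits on
 * allocation failure (emalloc).
 */
static char *
copy_line(const char *s, size_t n)
{
    char *line = emalloc(n + 1);
    memcpy(line, s, n);
    line[n] = '\0';
    return line;
}

/*
 * Find header `header' (given with its trailing colon, e.g.
 * "WWW-Authenticate:") and return a pointer to its value with leading
 * blanks skipped, or NULL if not present.
 */
static const char *
http_find_header(struct http_req *req, const char *header)
{
    int i;
    size_t len = strlen(header);

    for (i = 0; i < req->num_headers; i++) {
	if (strncasecmp(header, req->headers[i], len) == 0) {
	    /* Skip blanks rather than a fixed single character so a header
	       with no value cannot make us point past its terminator. */
	    const char *v = req->headers[i] + len;
	    while (*v == ' ' || *v == '\t')
		v++;
	    return v;
	}
    }
    return NULL;
}

/*
 * Issue "GET page HTTP/1.0" with the NULL-terminated list `headers' to
 * `host' and parse the reply into `req'.  Exits on connection, read or
 * framing errors; returns 0.
 */
static int
http_query(const char *host, const char *page,
	   char **headers, struct http_req *req)
{
    enum { RESPONSE, HEADER, BODY } state;
    ssize_t ret;
    char in_buf[1024];
    size_t in_len = 0;
    int s, i;

    http_req_zero(req);

    s = do_connect(host, port_str);
    if (s < 0)
	errx(1, "connection failed");

    fdprintf(s, "GET %s HTTP/1.0\r\n", page);
    for (i = 0; headers[i]; i++)
	fdprintf(s, "%s\r\n", headers[i]);
    fdprintf(s, "Host: %s\r\n\r\n", host);

    state = RESPONSE;

    while (1) {
	/* A header line that does not fit in the buffer would otherwise
	   leave us reading 0 bytes forever / reporting a bogus EOF. */
	if (in_len >= sizeof(in_buf) - 1)
	    errx(1, "HTTP header line too long");

	ret = read (s, in_buf + in_len, sizeof(in_buf) - in_len - 1);
	if (ret == 0)
	    break;
	else if (ret < 0)
	    err (1, "read");
	in_len += ret;
	in_buf[in_len] = '\0';

	if (state != BODY) {
	    char *p;

	    /* Consume complete CRLF-terminated lines until the blank line
	       that ends the header section. */
	    while (state != BODY && (p = strstr(in_buf, "\r\n")) != NULL) {
		size_t line_len = p - in_buf;

		if (line_len == 0) {
		    state = BODY;
		} else if (state == RESPONSE) {
		    req->response = copy_line(in_buf, line_len);
		    state = HEADER;
		} else {
		    req->headers = erealloc(req->headers,
					    (req->num_headers + 1) * sizeof(req->headers[0]));
		    req->headers[req->num_headers] = copy_line(in_buf, line_len);
		    req->num_headers++;
		}
		in_len -= line_len + 2;
		memmove(in_buf, p + 2, in_len);
		in_buf[in_len] = '\0';
	    }
	}

	/* Whatever is left in the buffer after the headers is body; only
	   the bytes actually buffered (in_len) are appended, not `ret'. */
	if (state == BODY && in_len > 0) {
	    req->body = erealloc(req->body, req->body_size + in_len + 1);
	    memcpy((char *)req->body + req->body_size, in_buf, in_len);
	    req->body_size += in_len;
	    ((char *)req->body)[req->body_size] = '\0';
	    in_len = 0;
	}
    }

    /* Callers dereference req->response; do not hand back a truncated reply. */
    if (state != BODY || req->response == NULL)
	errx(1, "malformed HTTP response from %s", host);

    if (verbose_flag) {
	printf("response: %s\n", req->response);
	for (i = 0; i < req->num_headers; i++)
	    printf("header[%d] %s\n", i, req->headers[i]);
	printf("body: %.*s\n", (int)req->body_size, (char *)req->body);
    }

    close(s);

    return 0;
}

int
main(int argc, char **argv)
{
    struct http_req req;
    const char *host, *page;
    int i, done, print_body, gssapi_done, gssapi_started;
    char *headers[10] = { 0 };
    const size_t max_headers = sizeof(headers) / sizeof(headers[0]) - 1;
    size_t num_headers = 0;
    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
    gss_name_t server = GSS_C_NO_NAME;
    int optidx = 0;
    gss_OID mech_oid;
    OM_uint32 flags;
    OM_uint32 min_stat;

    setprogname(argv[0]);

    if(getarg(http_args, num_http_args, argc, argv, &optidx))
	usage(1);

    if (help_flag)
	usage (0);

    if(version_flag) {
	print_version(NULL);
	exit(0);
    }

    argc -= optidx;
    argv += optidx;

    mech_oid = select_mech(mech);

    if (argc != 1 && argc != 2)
	errx(1, "usage: %s host [page]", getprogname());
    host = argv[0];
    if (argc == 2)
	page = argv[1];
    else
	page = "/";

    flags = 0;
    if (delegate_flag)
	flags |= GSS_C_DELEG_FLAG;
    if (mutual_flag)
	flags |= GSS_C_MUTUAL_FLAG;

    done = 0;
    num_headers = 0;
    gssapi_done = 1;
    gssapi_started = 0;

    do {
	print_body = 0;

	http_query(host, page, headers, &req);
	for (i = 0 ; headers[i]; i++) {
	    free(headers[i]);
	    headers[i] = NULL;
	}
	num_headers = 0;

	if (strstr(req.response, " 200 ") != NULL) {
	    print_body = 1;
	    done = 1;
	} else if (strstr(req.response, " 401 ") != NULL) {
	    if (http_find_header(&req, "WWW-Authenticate:") == NULL)
		errx(1, "Got %s but missed `WWW-Authenticate'", req.response);
	    gssapi_done = 0;
	}

	if (!gssapi_done) {
	    const char *h = http_find_header(&req, "WWW-Authenticate:");
	    if (h == NULL)
		errx(1, "Got %s but missed `WWW-Authenticate'", req.response);

	    if (strncasecmp(h, "Negotiate", 9) == 0) {
		OM_uint32 maj_stat;
		gss_buffer_desc input_token, output_token;

		if (verbose_flag)
		    printf("Negotiate found\n");

		if (server == GSS_C_NO_NAME) {
		    char *name;
		    if (asprintf(&name, "%s@%s", gss_service, host) < 0 || name == NULL)
			errx(1, "out of memory");
		    input_token.length = strlen(name);
		    input_token.value = name;

		    maj_stat = gss_import_name(&min_stat,
					       &input_token,
					       GSS_C_NT_HOSTBASED_SERVICE,
					       &server);
		    if (GSS_ERROR(maj_stat))
			gss_err (1, min_stat, "gss_import_name");
		    free(name);
		    input_token.length = 0;
		    input_token.value = NULL;
		}

		/* Anything after "Negotiate" is the server's base64 token. */
		i = 9;
		while(h[i] && isspace((unsigned char)h[i]))
		    i++;
		if (h[i] != '\0') {
		    int len = strlen(&h[i]);
		    /* Decoded output is never longer than the encoded input. */
		    input_token.value = emalloc(len);
		    len = rk_base64_decode(&h[i], input_token.value);
		    if (len < 0)
			errx(1, "invalid base64 Negotiate token %s", &h[i]);
		    input_token.length = len;
		} else {
		    if (gssapi_started)
			errx(1, "Negotiate already started");
		    gssapi_started = 1;

		    input_token.length = 0;
		    input_token.value = NULL;
		}

		maj_stat =
		    gss_init_sec_context(&min_stat,
					 GSS_C_NO_CREDENTIAL,
					 &context_hdl,
					 server,
					 mech_oid,
					 flags,
					 0,
					 GSS_C_NO_CHANNEL_BINDINGS,
					 &input_token,
					 NULL,
					 &output_token,
					 NULL,
					 NULL);
		if (GSS_ERROR(maj_stat))
		    gss_err (1, min_stat, "gss_init_sec_context");
		else if (maj_stat & GSS_S_CONTINUE_NEEDED)
		    gssapi_done = 0;
		else {
		    gss_name_t targ_name, src_name;
		    gss_buffer_desc name_buffer;
		    gss_OID mech_type;

		    gssapi_done = 1;

		    printf("Negotiate done: %s\n", mech);

		    maj_stat = gss_inquire_context(&min_stat,
						   context_hdl,
						   &src_name,
						   &targ_name,
						   NULL,
						   &mech_type,
						   NULL,
						   NULL,
						   NULL);
		    if (GSS_ERROR(maj_stat))
			gss_err (1, min_stat, "gss_inquire_context");

		    maj_stat = gss_display_name(&min_stat,
						src_name,
						&name_buffer,
						NULL);
		    if (GSS_ERROR(maj_stat))
			gss_err (1, min_stat, "gss_display_name");

		    printf("Source: %.*s\n",
			   (int)name_buffer.length,
			   (char *)name_buffer.value);

		    gss_release_buffer(&min_stat, &name_buffer);
		    gss_release_name(&min_stat, &src_name);

		    maj_stat = gss_display_name(&min_stat,
						targ_name,
						&name_buffer,
						NULL);
		    if (GSS_ERROR(maj_stat))
			gss_err (1, min_stat, "gss_display_name");

		    printf("Target: %.*s\n",
			   (int)name_buffer.length,
			   (char *)name_buffer.value);

		    gss_release_name(&min_stat, &targ_name);
		    gss_release_buffer(&min_stat, &name_buffer);
		}

		if (output_token.length) {
		    char *neg_token;

		    if (num_headers >= max_headers)
			errx(1, "too many request headers");
		    rk_base64_encode(output_token.value,
				     output_token.length,
				     &neg_token);

		    if (asprintf(&headers[num_headers], "Authorization: Negotiate %s",
				 neg_token) < 0 || headers[num_headers] == NULL)
			errx(1, "out of memory");
		    num_headers++;

		    free(neg_token);
		    gss_release_buffer(&min_stat, &output_token);
		}
		if (input_token.length)
		    free(input_token.value);

	    } else
		done = 1;
	} else
	    done = 1;

	if (verbose_flag) {
	    printf("%s\n\n", req.response);

	    for (i = 0; i < req.num_headers; i++)
		printf("%s\n", req.headers[i]);
	    printf("\n");
	}

	if (print_body || verbose_flag)
	    printf("%.*s\n", (int)req.body_size, (char *)req.body);

	http_req_free(&req);
    } while (!done);

    if (gssapi_done == 0)
	errx(1, "gssapi not done but http dance done");

    if (context_hdl != GSS_C_NO_CONTEXT)
	gss_delete_sec_context(&min_stat, &context_hdl, GSS_C_NO_BUFFER);
    if (server != GSS_C_NO_NAME)
	gss_release_name(&min_stat, &server);

    return 0;
}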
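IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

import org.ietf.jgss.*;
import java.io.*;
import java.net.Socket;
import java.net.ServerSocket;

/**
 * Minimal JGSS acceptor used to exercise the C test clients in this
 * directory: accepts one connection on port 4717, establishes a context
 * from length-prefixed tokens, then runs one MIC, two unwrap and one wrap
 * exchange before exiting.
 */
public class jgssapi_server {

    /*
     * Upper bound on one framed message.  The length field comes from the
     * peer before anything is authenticated, so it is checked before it is
     * used to size an allocation.
     */
    static final int MAX_MESSAGE = 1 << 20;

    /**
     * Read one message: a big-endian int length followed by that many bytes.
     *
     * @throws IOException on short read, or on a negative or oversized length
     */
    static byte [] getMessage(DataInputStream inStream) throws IOException {
	int len = inStream.readInt();
	if (len < 0 || len > MAX_MESSAGE)
	    throw new IOException("invalid message length " + len);
	byte[] token = new byte[len];
	inStream.readFully(token);
	return token;
    }

    /** Write one message in the framing that getMessage() reads. */
    static void putMessage(DataOutputStream outStream, byte [] token) throws IOException {
	outStream.writeInt(token.length);
	outStream.write(token);
	outStream.flush();
    }

    public static void main(String[] args) throws IOException, GSSException {
	GSSManager manager = GSSManager.getInstance();
	GSSContext context = manager.createContext((GSSCredential)null);
	byte[] token = null;
	int port = 4717;

	System.out.println("listen on port " + port);
	ServerSocket listener = new ServerSocket(port);
	Socket s = listener.accept();
	try {
	    DataInputStream inStream = new DataInputStream(s.getInputStream());
	    DataOutputStream outStream = new DataOutputStream(s.getOutputStream());

	    System.out.println("negotiate context");
	    while (!context.isEstablished()) {
		token = getMessage(inStream);
		token = context.acceptSecContext(token, 0, token.length);
		if (token != null)
		    putMessage(outStream, token);
	    }
	    System.out.println("done");

	    /*
	     * mic: the client sends the message first, then the MIC over it.
	     */
	    System.out.println("mic test");
	    System.out.println(" verify mic");
	    byte[] intoken = getMessage(inStream);
	    byte[] outtoken = getMessage(inStream);
	    byte[] bytes = null;
	    context.verifyMIC(outtoken, 0, outtoken.length,
			      intoken, 0, intoken.length,
			      new MessageProp(0, false));

	    System.out.println(" create mic");
	    bytes = new byte[] { 0x66, 0x6f, 0x6f };
	    outtoken = context.getMIC(bytes, 0, bytes.length, new MessageProp(0, false));
	    putMessage(outStream, bytes);
	    putMessage(outStream, outtoken);

	    /*
	     * wrap int
	     */
	    System.out.println("warp int");
	    outtoken = getMessage(inStream);
	    bytes = context.unwrap(outtoken, 0, outtoken.length, new MessageProp(0, false));
	    if (bytes == null)
		System.err.println("wrap int failed");

	    /*
	     * wrap conf: also confirm the peer actually applied confidentiality,
	     * since unwrap() accepts integrity-only tokens just as happily.
	     */
	    System.out.println("warp conf");
	    outtoken = getMessage(inStream);
	    MessageProp confProp = new MessageProp(0, true);
	    bytes = context.unwrap(outtoken, 0, outtoken.length, confProp);
	    if (bytes == null || !confProp.getPrivacy())
		System.err.println("wrap conf failed");

	    /*
	     * wrap conf
	     */
	    System.out.println("warp conf");
	    intoken = new byte[] { 0x66, 0x6f, 0x6f };
	    outtoken = context.wrap(intoken, 0, intoken.length, new MessageProp(0, true));
	    putMessage(outStream, outtoken);

	    outtoken = getMessage(inStream);

	    context.dispose();
	} finally {
	    s.close();
	    listener.close();
	}

	System.exit(0);
    }
}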
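 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "test_locl.h"
/* NOTE(review): one system header name was lost in extraction here; the
   GSS-API header is reconstructed from the gss_* calls below -- confirm. */
#include <gssapi/gssapi.h>
#include "nt_gss_common.h"
RCSID("$Id$");

/*
 * This program tries to act as a client for the sample in `Sample
 * SSPI Code' in Windows 2000 RC1 SDK.
 */

/*
 * Run the client side of the exchange on the connected socket `sock':
 * establish a mutually authenticated context with SERVICE@HOSTNAME,
 * then send one MIC'ed and one wrapped message.  Exits on any GSS error;
 * returns 0.
 */
static int
proto (int sock, const char *hostname, const char *service)
{
    struct sockaddr_in remote, local;
    socklen_t addrlen;
    int context_established = 0;
    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
    gss_buffer_t input_token, output_token;
    gss_buffer_desc real_input_token, real_output_token;
    OM_uint32 maj_stat, min_stat;
    gss_name_t server;
    gss_buffer_desc name_token;
    char *str;
    int len;

    /* asprintf() returns -1 on failure and then leaves `str' unspecified. */
    len = asprintf (&str, "%s@%s", service, hostname);
    if (len < 0 || str == NULL)
	errx(1, "out of memory");
    name_token.length = len;
    name_token.value = str;

    maj_stat = gss_import_name (&min_stat,
				&name_token,
				GSS_C_NT_HOSTBASED_SERVICE,
				&server);
    if (GSS_ERROR(maj_stat))
	gss_err (1, min_stat,
		 "Error importing name `%s@%s':\n", service, hostname);
    /* gss_import_name() copies the name; the string is ours to free. */
    free (str);

    addrlen = sizeof(local);
    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
	|| addrlen != sizeof(local))
	err (1, "getsockname(%s)", hostname);

    addrlen = sizeof(remote);
    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
	|| addrlen != sizeof(remote))
	err (1, "getpeername(%s)", hostname);

    input_token = &real_input_token;
    output_token = &real_output_token;

    input_token->length = 0;
    input_token->value = NULL;
    output_token->length = 0;
    output_token->value = NULL;

    while(!context_established) {
	maj_stat =
	    gss_init_sec_context(&min_stat,
				 GSS_C_NO_CREDENTIAL,
				 &context_hdl,
				 server,
				 GSS_C_NO_OID,
				 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
				 0,
				 GSS_C_NO_CHANNEL_BINDINGS,
				 input_token,
				 NULL,
				 output_token,
				 NULL,
				 NULL);
	/* The token nt_read_token() handed us is consumed now; release it. */
	if (input_token->length != 0) {
	    free (input_token->value);
	    input_token->value = NULL;
	    input_token->length = 0;
	}
	if (GSS_ERROR(maj_stat))
	    gss_err (1, min_stat, "gss_init_sec_context");
	if (output_token->length != 0)
	    nt_write_token (sock, output_token);	/* releases output_token */
	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
	    nt_read_token (sock, input_token);
	} else {
	    context_established = 1;
	}
    }

    gss_release_name (&min_stat, &server);

    /* get_mic: send the message followed by its MIC. */
    input_token->length = 3;
    input_token->value  = strdup("hej");
    if (input_token->value == NULL)
	errx(1, "out of memory");

    maj_stat = gss_get_mic(&min_stat,
			   context_hdl,
			   GSS_C_QOP_DEFAULT,
			   input_token,
			   output_token);
    if (GSS_ERROR(maj_stat))
	gss_err (1, min_stat, "gss_get_mic");

    nt_write_token (sock, input_token);
    nt_write_token (sock, output_token);

    /* wrap: only the wrapped token goes on the wire. */
    input_token->length = 7;
    input_token->value  = "hemligt";

    maj_stat = gss_wrap (&min_stat,
			 context_hdl,
			 1,
			 GSS_C_QOP_DEFAULT,
			 input_token,
			 NULL,
			 output_token);
    if (GSS_ERROR(maj_stat))
	gss_err (1, min_stat, "gss_wrap");

    nt_write_token (sock, output_token);

    gss_delete_sec_context (&min_stat, &context_hdl, GSS_C_NO_BUFFER);
    return 0;
}

int
main(int argc, char **argv)
{
    krb5_context context; /* XXX */
    int port = client_setup(&context, &argc, argv);
    return client_doit (argv[argc], port, service, proto);
}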
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "test_locl.h" #include #include "nt_gss_common.h" RCSID("$Id$"); /* * These are functions that are needed to interoperate with the * `Sample SSPI Code' in Windows 2000 RC1 SDK. */ /* * Write the `gss_buffer_t' in `buf' onto the fd `sock', but remember that * the length is written in little-endian-order. 
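 */

/*
 * Read exactly `len' bytes from `fd' into `buf', retrying on short reads
 * and EINTR.  Returns 0 on success and -1 on failure; on premature EOF
 * errno is set to 0 so the caller can tell it from a real error.
 */
static int
net_read_all (int fd, void *buf, size_t len)
{
    unsigned char *p = buf;

    while (len > 0) {
	ssize_t n = read (fd, p, len);
	if (n < 0) {
	    if (errno == EINTR)
		continue;
	    return -1;
	}
	if (n == 0) {
	    errno = 0;
	    return -1;
	}
	p += n;
	len -= n;
    }
    return 0;
}

/*
 * Write all `len' bytes of `buf' to `fd', retrying on short writes and
 * EINTR.  Returns 0 on success and -1 on failure.
 */
static int
net_write_all (int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;

    while (len > 0) {
	ssize_t n = write (fd, p, len);
	if (n < 0) {
	    if (errno == EINTR)
		continue;
	    return -1;
	}
	if (n == 0) {
	    errno = 0;
	    return -1;
	}
	p += n;
	len -= n;
    }
    return 0;
}

/*
 * Write the `gss_buffer_t' in `buf' onto the fd `sock', but remember that
 * the length is written in little-endian-order.  The buffer is released
 * with gss_release_buffer() afterwards, so `buf->value' must be heap
 * memory.  Exits on write failure.
 */
void
nt_write_token (int sock, gss_buffer_t buf)
{
    unsigned char net_len[4];
    uint32_t len;
    OM_uint32 min_stat;

    /* The wire format carries a 32-bit length; refuse to truncate. */
    if (buf->length > 0xffffffffUL)
	errx (1, "token too large");
    len = (uint32_t)buf->length;
    net_len[0] = (len >>  0) & 0xFF;
    net_len[1] = (len >>  8) & 0xFF;
    net_len[2] = (len >> 16) & 0xFF;
    net_len[3] = (len >> 24) & 0xFF;

    if (net_write_all (sock, net_len, 4) < 0)
	err (1, "write");
    if (net_write_all (sock, buf->value, len) < 0)
	err (1, "write");
    gss_release_buffer (&min_stat, buf);
}

/*
 * Read one little-endian length-prefixed token from `sock' into `buf'.
 * The value is malloc()ed and owned by the caller.  The length comes from
 * the (not yet authenticated) peer, so it is capped before allocation.
 * Exits on EOF, read failure or an oversized length.
 */
void
nt_read_token (int sock, gss_buffer_t buf)
{
    unsigned char net_len[4];
    uint32_t len;

    if (net_read_all (sock, net_len, 4) < 0) {
	if (errno == 0)
	    errx (1, "read: unexpected EOF");
	err (1, "read");
    }
    /* Widen before shifting: `net_len[3] << 24' would shift into the sign
       bit of a plain int. */
    len = ((uint32_t)net_len[0] <<  0)
	| ((uint32_t)net_len[1] <<  8)
	| ((uint32_t)net_len[2] << 16)
	| ((uint32_t)net_len[3] << 24);

    if (len > INT_MAX/16)
	errx(1, "len too large");

    buf->length = len;
    buf->value  = malloc(len);
    if (buf->value == NULL && len != 0)
	errx (1, "out of memory");
    if (net_read_all (sock, buf->value, len) < 0) {
	if (errno == 0)
	    errx (1, "read: unexpected EOF");
	err (1, "read");
    }
}

/*
 * Print every mechanism-specific status message for `min_stat' to stderr,
 * one per line.
 */
void
gss_print_errors (int min_stat)
{
    OM_uint32 new_stat;
    OM_uint32 msg_ctx = 0;
    gss_buffer_desc status_string;
    OM_uint32 ret;

    do {
	ret = gss_display_status (&new_stat,
				  min_stat,
				  GSS_C_MECH_CODE,
				  GSS_C_NO_OID,
				  &msg_ctx,
				  &status_string);
	/* status_string is not valid when gss_display_status() fails. */
	if (GSS_ERROR(ret))
	    break;
	fprintf (stderr, "%.*s\n",
		 (int)status_string.length,
		 (char *)status_string.value);
	gss_release_buffer (&new_stat, &status_string);
    } while (msg_ctx != 0);
}

/*
 * vwarnx()-style message followed by the GSS status text for `status',
 * then exit(exitval).
 */
void
gss_verr(int exitval, int status, const char *fmt, va_list ap)
{
    vwarnx (fmt, ap);
    gss_print_errors (status);
    exit (exitval);
}

/* Variadic front end for gss_verr(). */
void
gss_err(int exitval, int status, const char *fmt, ...)
{
    va_list args;

    va_start(args, fmt);
    gss_verr (exitval, status, fmt, args);
    va_end(args);
}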
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* $Id$ */ void nt_write_token (int sock, gss_buffer_t buf); void nt_read_token (int sock, gss_buffer_t buf); void gss_print_errors (int min_stat); void gss_verr(int exitval, int status, const char *fmt, va_list ap) __attribute__ ((format (printf, 3, 0))); void gss_err(int exitval, int status, const char *fmt, ...) __attribute__ ((format (printf, 3, 4))); heimdal-1.7~git20150920+dfsg/appl/test/nt_gss_server.c000066400000000000000000000153701257755311500224130ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "test_locl.h" #include #include #include #include #include "nt_gss_common.h" RCSID("$Id$"); /* * This program tries to act as a server for the sample in `Sample * SSPI Code' in Windows 2000 RC1 SDK. 
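 *
 * use --dump-auth to get a binary dump of the authorization data in the ticket
 */

static int help_flag;
static int version_flag;
static char *port_str;
char *service = SERVICE;
static char *auth_file;

static struct getargs args[] = {
    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
    { "service", 's', arg_string, &service, "service to use", "service" },
    { "dump-auth", 0, arg_string, &auth_file, "dump authorization data", "file" },
    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
    { "version", 0, arg_flag, &version_flag, NULL, NULL }
};

static int num_args = sizeof(args) / sizeof(args[0]);

/*
 * Send `msg' including its NUL terminator (the Windows sample expects the
 * terminator on the wire) as one length-prefixed token via `token'.
 * nt_write_token() releases the copy.  Exits on allocation failure.
 */
static void
send_string (int sock, gss_buffer_t token, const char *msg)
{
    token->value = strdup (msg);
    if (token->value == NULL)
	errx (1, "out of memory");
    token->length = strlen (msg) + 1;
    nt_write_token (sock, token);
}

/*
 * Server side of the exchange on the connected socket `sock': accept a
 * context, optionally dump the PAC to --dump-auth, print the client name
 * and send two strings back.  Exits on GSS errors; returns 0.
 */
static int
proto (int sock, const char *service)
{
    struct sockaddr_in remote, local;
    socklen_t addrlen;
    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
    gss_buffer_t input_token, output_token;
    gss_buffer_desc real_input_token, real_output_token;
    OM_uint32 maj_stat, min_stat;
    gss_name_t client_name;
    gss_buffer_desc name_token;

    addrlen = sizeof(local);
    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
	|| addrlen != sizeof(local))
	err (1, "getsockname");

    addrlen = sizeof(remote);
    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
	|| addrlen != sizeof(remote))
	err (1, "getpeername");

    input_token = &real_input_token;
    output_token = &real_output_token;
    input_token->length = 0;
    input_token->value = NULL;
    output_token->length = 0;
    output_token->value = NULL;

    do {
	nt_read_token (sock, input_token);
	maj_stat =
	    gss_accept_sec_context (&min_stat,
				    &context_hdl,
				    GSS_C_NO_CREDENTIAL,
				    input_token,
				    GSS_C_NO_CHANNEL_BINDINGS,
				    &client_name,
				    NULL,
				    output_token,
				    NULL,
				    NULL,
				    NULL);
	/* The token from nt_read_token() is ours; accept() does not keep it. */
	free (input_token->value);
	input_token->value = NULL;
	input_token->length = 0;
	if(GSS_ERROR(maj_stat))
	    gss_err (1, min_stat, "gss_accept_sec_context");
	if (output_token->length != 0)
	    nt_write_token (sock, output_token);	/* releases output_token */
    } while(maj_stat & GSS_S_CONTINUE_NEEDED);

    if (auth_file != NULL) {
	gss_buffer_desc data;

	maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
							       context_hdl,
							       KRB5_AUTHDATA_WIN2K_PAC,
							       &data);
	if (maj_stat == GSS_S_COMPLETE) {
	    rk_dumpdata(auth_file, data.value, data.length);
	    gss_release_buffer(&min_stat, &data);
	}
    }

    maj_stat = gss_display_name (&min_stat,
				 client_name,
				 &name_token,
				 NULL);
    if (GSS_ERROR(maj_stat))
	gss_err (1, min_stat, "gss_display_name");

    fprintf (stderr, "User is `%.*s'\n",
	     (int)name_token.length,
	     (char *)name_token.value);
    gss_release_buffer (&min_stat, &name_token);
    gss_release_name (&min_stat, &client_name);

    /* write something back */
    send_string (sock, output_token, "hejsan");
    send_string (sock, output_token, "hoppsan");

    gss_delete_sec_context (&min_stat, &context_hdl, GSS_C_NO_BUFFER);
    return 0;
}

/*
 * Listen on `port' (already in network byte order) on all IPv4 addresses,
 * serve a single connection with proto() and return its result.
 */
static int
doit (int port, const char *service)
{
    int sock, sock2, ret;
    struct sockaddr_in my_addr;
    int one = 1;

    sock = socket (AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
	err (1, "socket");

    memset (&my_addr, 0, sizeof(my_addr));
    my_addr.sin_family      = AF_INET;
    my_addr.sin_port        = port;
    my_addr.sin_addr.s_addr = INADDR_ANY;

    if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
		    (void *)&one, sizeof(one)) < 0)
	warn ("setsockopt SO_REUSEADDR");

    if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
	err (1, "bind");

    if (listen (sock, 1) < 0)
	err (1, "listen");

    sock2 = accept (sock, NULL, NULL);
    if (sock2 < 0)
	err (1, "accept");

    ret = proto (sock2, service);
    close (sock2);
    close (sock);
    return ret;
}

static void
usage(int code, struct getargs *args, int num_args)
{
    arg_printusage(args, num_args, NULL, "");
    exit(code);
}

/*
 * Parse options; return the port to listen on in network byte order.
 * --port may be a service name or a number; a number must be a complete
 * decimal in 0..65535 (0 means "use the default").
 */
static int
common_setup(krb5_context *context, int *argc, char **argv,
	     void (*usage)(int, struct getargs*, int))
{
    int port = 0;

    *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage);

    if(help_flag)
	(*usage)(0, args, num_args);
    if(version_flag) {
	print_version(NULL);
	exit(0);
    }

    if(port_str){
	struct servent *s = roken_getservbyname(port_str, "tcp");

	if(s)
	    port = s->s_port;
	else {
	    char *ptr;
	    long p;

	    p = strtol (port_str, &ptr, 10);
	    /* Reject trailing garbage and out-of-range values instead of
	       silently truncating them in htons(). */
	    if (ptr == port_str || *ptr != '\0' || p < 0 || p > 65535)
		errx (1, "Bad port `%s'", port_str);
	    port = htons((unsigned short)p);
	}
    }

    if (port == 0)
	port = krb5_getportbyname (*context, PORT, "tcp", 4711);

    return port;
}

static int
setup(krb5_context *context, int argc, char **argv)
{
    int port = common_setup(context, &argc, argv, usage);
    if(argv[argc] != NULL)
	usage(1, args, num_args);
    return port;
}

int
main(int argc, char **argv)
{
    krb5_context context = NULL; /* XXX */
    int port = setup(&context, argc, argv);
    return doit (port, service);
}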
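IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "test_locl.h"
RCSID("$Id$");

krb5_context context;

/*
 * Write one length-prefixed frame on `sock': a 4-byte big-endian length
 * followed by `packet->length' bytes of `packet->data'.  This is the
 * framing tcp_server.c expects.  Exits on a short or failed write.
 */
static void
send_frame (int *sock, const krb5_data *packet)
{
    uint32_t len = packet->length;
    uint32_t net_len = htonl(len);

    if (krb5_net_write (context, sock, &net_len, 4) != 4)
	err (1, "krb5_net_write");
    if (krb5_net_write (context, sock, packet->data, len) != len)
	err (1, "krb5_net_write");
}

/*
 * Client side of the test protocol: authenticate to `service'/`hostname'
 * with mutual authentication, then send one KRB_SAFE and one KRB_PRIV
 * message.  Returns 0; every failure terminates the process.
 */
static int
proto (int sock, const char *hostname, const char *service)
{
    krb5_auth_context auth_context;
    krb5_error_code status;
    krb5_principal server;
    krb5_data data;
    krb5_data packet;

    status = krb5_auth_con_init (context, &auth_context);
    if (status)
	krb5_err (context, 1, status, "krb5_auth_con_init");

    /* Bind the local/remote addresses so SAFE/PRIV messages carry them. */
    status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock);
    if (status)
	krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");

    status = krb5_sname_to_principal (context, hostname, service,
				      KRB5_NT_SRV_HST, &server);
    if (status)
	krb5_err (context, 1, status, "krb5_sname_to_principal");

    /* Mutual authentication required: the server must prove itself too. */
    status = krb5_sendauth (context, &auth_context, &sock, VERSION, NULL,
			    server, AP_OPTS_MUTUAL_REQUIRED, NULL, NULL,
			    NULL, NULL, NULL, NULL);
    if (status)
	krb5_err (context, 1, status, "krb5_sendauth");

    /* First message: KRB_SAFE (integrity protected, not encrypted). */
    data.data = "hej";
    data.length = 3;
    krb5_data_zero (&packet);
    status = krb5_mk_safe (context, auth_context, &data, &packet, NULL);
    if (status)
	krb5_err (context, 1, status, "krb5_mk_safe");
    send_frame (&sock, &packet);
    krb5_data_free (&packet);

    /* Second message: KRB_PRIV (integrity protected and encrypted). */
    data.data = "hemligt";
    data.length = 7;
    status = krb5_mk_priv (context, auth_context, &data, &packet, NULL);
    if (status)
	krb5_err (context, 1, status, "krb5_mk_priv");
    send_frame (&sock, &packet);
    krb5_data_free (&packet);

    krb5_free_principal (context, server);
    krb5_auth_con_free (context, auth_context);
    return 0;
}

int
main(int argc, char **argv)
{
    int port = client_setup(&context, &argc, argv);
    return client_doit (argv[argc], port, service, proto);
}
heimdal-1.7~git20150920+dfsg/appl/test/tcp_server.c000066400000000000000000000135111257755311500216770ustar00rootroot00000000000000/*
 * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.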
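IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * A sample server that uses the Kerberos V5 API.
 *
 * See "Introduction to the Kerberos 5 API" in the Doxygen documentation
 * for a walkthrough of this code.
 */

#include "test_locl.h"
RCSID("$Id$");

/* The API needs one Kerberos context per thread. */
krb5_context context;

/*
 * Upper bound on one length-prefixed message accepted from the peer.  The
 * length word is read straight off the socket and used to size a heap
 * allocation, so it must not be trusted; the test payloads are a handful
 * of bytes, so this limit is generous.
 */
#define MAX_FRAME_LEN (64 * 1024)

/*
 * Read one frame from `sock': a 4-byte big-endian length followed by that
 * many bytes, which are placed in a fresh allocation in `packet'.
 *
 * Exits the process on EOF, read error, short read, an implausible length
 * (zero or above MAX_FRAME_LEN), or allocation failure.  The original code
 * neither checked the krb5_data_alloc() result nor that the payload read
 * was complete, so a hostile length word reached the parser as a NULL or
 * partially filled buffer.
 */
static void
read_frame (int *sock, krb5_data *packet)
{
    uint32_t len, net_len;
    ssize_t n;

    n = krb5_net_read (context, sock, &net_len, 4);
    if (n == 0)
	krb5_errx (context, 1, "EOF in krb5_net_read");
    if (n < 0)
	krb5_err (context, 1, errno, "krb5_net_read");
    if (n != 4)
	krb5_errx (context, 1, "short read of length in krb5_net_read");

    len = ntohl(net_len);
    if (len == 0 || len > MAX_FRAME_LEN)
	krb5_errx (context, 1, "bad message length %lu", (unsigned long)len);

    if (krb5_data_alloc (packet, len) != 0)
	krb5_errx (context, 1, "krb5_data_alloc(%lu)", (unsigned long)len);

    n = krb5_net_read (context, sock, packet->data, len);
    if (n == 0)
	krb5_errx (context, 1, "EOF in krb5_net_read");
    if (n < 0)
	krb5_err (context, 1, errno, "krb5_net_read");
    if ((size_t)n != len)
	krb5_errx (context, 1, "short read of message in krb5_net_read");
}

/*
 * Server side of the test protocol: authenticate the peer with the
 * recvauth exchange, then expect one KRB_SAFE and one KRB_PRIV message,
 * printing both payloads to stderr.  Returns 0; every failure exits.
 */
static int
proto (int sock, const char *service)
{
    krb5_auth_context auth_context;
    krb5_error_code status;
    krb5_principal server;
    krb5_ticket *ticket;
    char *name;
    char hostname[MAXHOSTNAMELEN];
    krb5_data packet;
    krb5_data data;

    /* Initialize the authentication context, to be used to authenticate the peer. */
    status = krb5_auth_con_init (context, &auth_context);
    if (status)
	krb5_err (context, 1, status, "krb5_auth_con_init");

    /* Extract the local and remote address from the socket into auth_context. */
    status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock);
    if (status)
	krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");

    if (gethostname (hostname, sizeof(hostname)) < 0)
	krb5_err (context, 1, errno, "gethostname");

    /* Create principal "server" for "service" on "hostname" (this host). */
    status = krb5_sname_to_principal (context, hostname, service,
				      KRB5_NT_SRV_HST, &server);
    if (status)
	krb5_err (context, 1, status, "krb5_sname_to_principal");

    /*
     * Perform the server side of the sendauth protocol.  On success, "ticket"
     * contains the authenticated credentials of the client.
     */
    status = krb5_recvauth (context, &auth_context, &sock, VERSION, server,
			    0, /* flags */
			    keytab, &ticket);
    if (status)
	krb5_err (context, 1, status, "krb5_recvauth");

    /* Extract the client name as a string. */
    status = krb5_unparse_name (context, ticket->client, &name);
    if (status)
	krb5_err (context, 1, status, "krb5_unparse_name");
    fprintf (stderr, "User is `%s'\n", name);
    free (name);

    krb5_data_zero (&data);
    krb5_data_zero (&packet);

    /* Expect a KRB_SAFE message (authenticated, not encrypted). */
    read_frame (&sock, &packet);
    status = krb5_rd_safe (context, auth_context, &packet, &data, NULL);
    if (status)
	krb5_err (context, 1, status, "krb5_rd_safe");
    fprintf (stderr, "safe packet: %.*s\n", (int)data.length, (char *)data.data);
    krb5_data_free (&packet);
    krb5_data_free (&data);

    /* Expect a KRB_PRIV message (authenticated and encrypted). */
    read_frame (&sock, &packet);
    status = krb5_rd_priv (context, auth_context, &packet, &data, NULL);
    if (status)
	krb5_err (context, 1, status, "krb5_rd_priv");
    fprintf (stderr, "priv packet: %.*s\n", (int)data.length, (char *)data.data);
    krb5_data_free (&packet);
    krb5_data_free (&data);

    krb5_free_ticket (context, ticket);
    krb5_free_principal (context, server);
    krb5_auth_con_free (context, auth_context);
    return 0;
}

/*
 * Block waiting for a connection; mini_inetd() leaves the accepted socket
 * on stdin, which is then handed to proto().
 */
static int
doit (int port, const char *service)
{
    mini_inetd (port, NULL);
    return proto (STDIN_FILENO, service);
}

/*
 * Process only one connection and then exit.  Refuse to start without a
 * usable keytab, since recvauth could not verify anyone otherwise.
 */
int
main(int argc, char **argv)
{
    int port = server_setup(&context, argc, argv);
    krb5_error_code ret;

    ret = krb5_kt_have_content(context, keytab);
    if (ret)
	krb5_err (context, 1, ret, "krb5_kt_have_content");

    return doit (port, service);
}
heimdal-1.7~git20150920+dfsg/appl/test/test_locl.h000066400000000000000000000052421257755311500215220ustar00rootroot00000000000000/*
 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.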
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* $Id$ */

/*
 * Shared declarations for the appl/test client and server programs.
 *
 * NOTE(review): the header names after each #include below have been
 * stripped in this rendering; consult the original file for them.
 */

#ifdef HAVE_CONFIG_H
#include
#endif
#include
#include
#include
#ifdef HAVE_SYS_TYPES_H
#include
#endif
#ifdef HAVE_UNISTD_H
#include
#endif
#ifdef HAVE_SYS_SOCKET_H
#include
#endif
#ifdef HAVE_NETINET_IN_H
#include
#endif
#ifdef HAVE_NETINET_IN6_H
#include
#endif
#ifdef HAVE_NETINET6_IN6_H
#include
#endif
#ifdef HAVE_PWD_H
#include
#endif
#ifdef HAVE_NETDB_H
#include
#endif
#ifdef HAVE_SYS_PARAM_H
#include
#endif
#include
#include
#include
#include
#include

/* Default service name and default service (port) name. */
#define SERVICE "test"
#define PORT "test"

/* Option values shared between the programs; defined in the common code. */
extern char *service;
extern char *mech;
extern char *keytab_str;
extern krb5_keytab keytab;
extern int fork_flag;

/* Parse options and initialise *context; both return the port to use. */
int server_setup(krb5_context*, int, char**);
int client_setup(krb5_context*, int*, char**);

/* Connect to hostname:port and run func() on the connected socket. */
int client_doit (const char *hostname, int port, const char *service,
		 int (*func)(int, const char *hostname, const char *service));
heimdal-1.7~git20150920+dfsg/appl/test/uu_client.c000066400000000000000000000135431257755311500215170ustar00rootroot00000000000000/*
 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2.
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
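*/

#include "test_locl.h"
RCSID("$Id$");

krb5_context context;

/*
 * User-to-user client side of the test protocol.
 *
 * Sends our principal name and our TGT to the peer, accepts the peer's
 * AP-REQ with the TGT session key (krb5_auth_con_setuserkey), then sends
 * one KRB_SAFE and one KRB_PRIV message.  Uses the file-scope `context'
 * that client_setup() initialised in main(); the previous version shadowed
 * it with a second, never-freed context of the same name.  `service' is
 * not used.  Returns 0; every failure exits.
 */
static int
proto (int sock, const char *hostname, const char *service)
{
    struct sockaddr_storage remote, local;
    socklen_t addrlen;
    krb5_address remote_addr, local_addr;
    krb5_ccache ccache;
    krb5_auth_context auth_context;
    krb5_error_code status;
    krb5_principal client;
    krb5_data data;
    krb5_data packet;
    krb5_creds mcred, cred;
    krb5_ticket *ticket;

    addrlen = sizeof(local);
    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
	|| addrlen > sizeof(local))
	err (1, "getsockname(%s)", hostname);

    addrlen = sizeof(remote);
    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
	|| addrlen > sizeof(remote))
	err (1, "getpeername(%s)", hostname);

    status = krb5_cc_default (context, &ccache);
    if (status)
	krb5_err(context, 1, status, "krb5_cc_default");

    status = krb5_auth_con_init (context, &auth_context);
    if (status)
	krb5_err(context, 1, status, "krb5_auth_con_init");

    status = krb5_sockaddr2address (context, (struct sockaddr *)&local,
				    &local_addr);
    if (status)
	krb5_err(context, 1, status, "krb5_sockaddr2address(local)");
    status = krb5_sockaddr2address (context, (struct sockaddr *)&remote,
				    &remote_addr);
    if (status)
	krb5_err(context, 1, status, "krb5_sockaddr2address(remote)");

    status = krb5_auth_con_setaddrs (context, auth_context,
				     &local_addr, &remote_addr);
    if (status)
	krb5_err(context, 1, status, "krb5_auth_con_setaddr");

    /* Look up our TGT (krbtgt/REALM@REALM for our own principal). */
    krb5_cc_clear_mcred(&mcred);
    status = krb5_cc_get_principal(context, ccache, &client);
    if(status)
	krb5_err(context, 1, status, "krb5_cc_get_principal");
    status = krb5_make_principal(context, &mcred.server,
				 krb5_principal_get_realm(context, client),
				 "krbtgt",
				 krb5_principal_get_realm(context, client),
				 NULL);
    if(status)
	krb5_err(context, 1, status, "krb5_make_principal");
    mcred.client = client;

    status = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
    if(status)
	krb5_err(context, 1, status, "krb5_cc_retrieve_cred");

    {
	char *client_name;
	krb5_data name_data;

	status = krb5_unparse_name(context, cred.client, &client_name);
	if(status)
	    krb5_err(context, 1, status, "krb5_unparse_name");
	/* Send the terminating NUL too; the peer parses this as a C string. */
	name_data.data = client_name;
	name_data.length = strlen(client_name) + 1;
	status = krb5_write_message(context, &sock, &name_data);
	if(status)
	    krb5_err(context, 1, status, "krb5_write_message");
	free(client_name);
    }

    /* Our TGT, which the peer uses as second_ticket for a user-to-user ticket. */
    status = krb5_write_message(context, &sock, &cred.ticket);
    if(status)
	krb5_err(context, 1, status, "krb5_write_message");

    /* The peer's AP-REQ will be protected with the TGT session key. */
    status = krb5_auth_con_setuserkey(context, auth_context, &cred.session);
    if(status)
	krb5_err(context, 1, status, "krb5_auth_con_setuserkey");

    status = krb5_recvauth(context, &auth_context, &sock,
			   VERSION, client, 0, NULL, &ticket);
    if (status)
	krb5_err(context, 1, status, "krb5_recvauth");

    if (ticket->ticket.authorization_data) {
	AuthorizationData *authz;
	int i;

	printf("Authorization data:\n");

	authz = ticket->ticket.authorization_data;
	for (i = 0; i < authz->len; i++) {
	    printf("\ttype %d, length %lu\n",
		   authz->val[i].ad_type,
		   (unsigned long)authz->val[i].ad_data.length);
	}
    }

    /* First message: KRB_SAFE (integrity protected, not encrypted). */
    data.data = "hej";
    data.length = 3;
    krb5_data_zero (&packet);
    status = krb5_mk_safe (context, auth_context, &data, &packet, NULL);
    if (status)
	krb5_err(context, 1, status, "krb5_mk_safe");
    status = krb5_write_message(context, &sock, &packet);
    if(status)
	krb5_err(context, 1, status, "krb5_write_message");

    /* Second message: KRB_PRIV (integrity protected and encrypted). */
    data.data = "hemligt";
    data.length = 7;
    krb5_data_free (&packet);
    status = krb5_mk_priv (context, auth_context, &data, &packet, NULL);
    if (status)
	krb5_err(context, 1, status, "krb5_mk_priv");
    status = krb5_write_message(context, &sock, &packet);
    if(status)
	krb5_err(context, 1, status, "krb5_write_message");

    krb5_data_free (&packet);
    krb5_free_ticket (context, ticket);
    return 0;
}

int
main(int argc, char **argv)
{
    int port = client_setup(&context, &argc, argv);
    return client_doit (argv[argc], port, service, proto);
}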
heimdal-1.7~git20150920+dfsg/appl/test/uu_server.c000066400000000000000000000127611257755311500215500ustar00rootroot00000000000000/* * Copyright (c) 1997 - 2000, 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
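*/

#include "test_locl.h"
RCSID("$Id$");

krb5_context context;

/*
 * User-to-user server side of the test protocol.
 *
 * Reads the peer's principal name and its TGT off the socket (the peer is
 * not authenticated at that point), obtains a user-to-user ticket for it
 * with krb5_get_credentials(KRB5_GC_USER_USER), authenticates with
 * sendauth using the session key, then expects one KRB_SAFE and one
 * KRB_PRIV message.  `service' is not used.  Returns 0; every failure
 * exits.
 */
static int
proto (int sock, const char *service)
{
    struct sockaddr_storage remote, local;
    socklen_t addrlen;
    krb5_address remote_addr, local_addr;
    krb5_ccache ccache;
    krb5_auth_context auth_context;
    krb5_error_code status;
    krb5_data packet;
    krb5_data data;
    krb5_data client_name;
    krb5_creds in_creds, *out_creds;

    addrlen = sizeof(local);
    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
	|| addrlen > sizeof(local))
	err (1, "getsockname");

    addrlen = sizeof(remote);
    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
	|| addrlen > sizeof(remote))
	err (1, "getpeername");

    status = krb5_auth_con_init (context, &auth_context);
    if (status)
	krb5_err(context, 1, status, "krb5_auth_con_init");

    status = krb5_sockaddr2address (context, (struct sockaddr *)&local,
				    &local_addr);
    if (status)
	krb5_err(context, 1, status, "krb5_sockaddr2address(local)");
    status = krb5_sockaddr2address (context, (struct sockaddr *)&remote,
				    &remote_addr);
    if (status)
	krb5_err(context, 1, status, "krb5_sockaddr2address(remote)");

    status = krb5_auth_con_setaddrs (context, auth_context,
				     &local_addr, &remote_addr);
    if (status)
	krb5_err(context, 1, status, "krb5_auth_con_setaddr");

    status = krb5_read_message(context, &sock, &client_name);
    if(status)
	krb5_err(context, 1, status, "krb5_read_message");
    /*
     * The bytes came from an unauthenticated peer and are about to be
     * handed to krb5_parse_name() as a C string: insist that they really
     * are one, otherwise the parser would read past the buffer.
     */
    if (client_name.length == 0
	|| ((const char *)client_name.data)[client_name.length - 1] != '\0')
	krb5_errx(context, 1, "client name is not NUL-terminated");

    memset(&in_creds, 0, sizeof(in_creds));

    status = krb5_cc_default(context, &ccache);
    if(status)
	krb5_err(context, 1, status, "krb5_cc_default");

    status = krb5_cc_get_principal(context, ccache, &in_creds.client);
    if(status)
	krb5_err(context, 1, status, "krb5_cc_get_principal");

    /* The peer's TGT, used as the second ticket of the U2U TGS request. */
    status = krb5_read_message(context, &sock, &in_creds.second_ticket);
    if(status)
	krb5_err(context, 1, status, "krb5_read_message");

    status = krb5_parse_name(context, client_name.data, &in_creds.server);
    if(status)
	krb5_err(context, 1, status, "krb5_parse_name");
    krb5_data_free(&client_name);

    status = krb5_get_credentials(context, KRB5_GC_USER_USER, ccache,
				  &in_creds, &out_creds);
    if(status)
	krb5_err(context, 1, status, "krb5_get_credentials");

    status = krb5_sendauth(context, &auth_context, &sock,
			   VERSION, in_creds.client, in_creds.server,
			   AP_OPTS_USE_SESSION_KEY, NULL, out_creds,
			   ccache, NULL, NULL, NULL);
    if (status)
	krb5_err(context, 1, status, "krb5_sendauth");

    {
	char *str;

	/* Unchecked failures here left `str' uninitialised for printf/free. */
	status = krb5_unparse_name(context, in_creds.server, &str);
	if(status)
	    krb5_err(context, 1, status, "krb5_unparse_name");
	printf ("User is `%s'\n", str);
	free(str);

	status = krb5_unparse_name(context, in_creds.client, &str);
	if(status)
	    krb5_err(context, 1, status, "krb5_unparse_name");
	printf ("Server is `%s'\n", str);
	free(str);
    }

    krb5_data_zero (&data);
    krb5_data_zero (&packet);

    /* First message: KRB_SAFE (integrity protected, not encrypted). */
    status = krb5_read_message(context, &sock, &packet);
    if(status)
	krb5_err(context, 1, status, "krb5_read_message");
    status = krb5_rd_safe (context, auth_context, &packet, &data, NULL);
    if (status)
	krb5_err(context, 1, status, "krb5_rd_safe");
    printf ("safe packet: %.*s\n", (int)data.length, (char *)data.data);
    krb5_data_free (&packet);
    krb5_data_free (&data);

    /* Second message: KRB_PRIV (integrity protected and encrypted). */
    status = krb5_read_message(context, &sock, &packet);
    if(status)
	krb5_err(context, 1, status, "krb5_read_message");
    status = krb5_rd_priv (context, auth_context, &packet, &data, NULL);
    if (status)
	krb5_err(context, 1, status, "krb5_rd_priv");
    printf ("priv packet: %.*s\n", (int)data.length, (char *)data.data);
    krb5_data_free (&packet);
    krb5_data_free (&data);

    return 0;
}

/*
 * Accept one connection on `port' and serve it.
 */
static int
doit (int port, const char *service)
{
    rk_socket_t sock;

    mini_inetd(port, &sock);
    return proto(sock, service);
}

int
main(int argc, char **argv)
{
    int port = server_setup(&context, argc, argv);
    return doit (port, service);
}
heimdal-1.7~git20150920+dfsg/autogen.sh000077500000000000000000000006451257755311500174510ustar00rootroot00000000000000#!/bin/sh # to really generate all files you need to run "make distcheck" in a # object tree, but this will do if you have all parts of the required # tool-chain installed set -e autoreconf -f -i || { echo "autoreconf failed: $?"; exit 1; } find .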
\( -name '*-private.h' -o -name '*-protos.h' \) | xargs rm -f perl -MJSON -e 'print foo;' || \ { echo "you must install JSON perl module (cpan install JSON)"; exit 1; } heimdal-1.7~git20150920+dfsg/cf/000077500000000000000000000000001257755311500160335ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/cf/ChangeLog000066400000000000000000001070421257755311500176110ustar00rootroot000000000000002008-07-26 Love Hörnquist Åstrand * krb-ipv6.m4: Patch from Björn Schlögl to enable disable-ness of ipv6. 2008-05-20 Love Hörnquist Åstrand * sunos.m4: Detect solaris2.11 and later and assume its sunos=58. Bug report from Klas Heggemann. 2008-05-05 Love Hörnquist Åstrand * version-script.m4: Add -rpath to avoid building a convince library, also sprinkle some other options to make the link line more like automake's. 2008-04-29 Love Hörnquist Åstrand * version-script.m4: use libtool to probe for version script to make it work on amd64/ia64 where -fpic in needed to build shared objects. 2008-04-24 Björn Sandell * pthreads.m4: macros for OpenBSD 2008-04-17 Love Hörnquist Åstrand * make-proto.pl: Define both export variables. * win32.m4: Export _FUNCTION and _VARIABLE for _win32 magic * krb-ipv6.m4: Rename cache variable to AC_CACHE_CHECK to make the cached. * win32.m4: replace _export with __declspec(dllexport) * make-proto.pl: Add __declspec(dllimport) to the exported functions. 2008-04-07 Love Hörnquist Åstrand * wflags.m4: Add -Wstrict-overflow=5 as an example. 2008-03-25 Love Hörnquist Åstrand * install-catman.sh: Match man_MANS = files with directories in them. 2008-02-23 Love Hörnquist Åstrand * make-proto.pl: Handle c-comments. * Makefile.am.common: Make DEFAULT_INCLUDES work better, avoid picking up the wrong headerfiles. $(top_builddir)/include vs ${builddir}. 
2008-01-21 Love Hörnquist Åstrand * Makefile.am.common: remove the check-symbols check * check-symbols.sh: removed, use version script instead 2007-10-01 Love Hörnquist Åstrand * crypto.m4: openssl might require -ldl too, so lets check that. 2007-07-31 Love Hörnquist Åstrand * Makefile.am.common (check-local::): exit on failure to perform test. 2007-07-28 Love Hörnquist Åstrand * Makefile.am.common (check-local): also check that --help works. 2007-07-17 Love Hörnquist Åstrand * crypto.m4: depend on EVP_CIPHER_iv_length 2007-06-27 Love Hörnquist Åstrand * Makefile.am.common: Need absolute reference to the top source directory and top build directory. 2007-06-20 Love Hörnquist Åstrand * wflags.m4: Add --enable-developer and make it cause -Werror to be included. 2007-06-18 Love Hörnquist Åstrand * Makefile.am.common: Merge from samba config. * Makefile.am.common (makedir-in-tree): depend on INFO_DEPS. * valgrind-suppressions: Unknown suppression in runtime link editor 2007-06-08 Love Hörnquist Åstrand * Makefile.am.common: Add heimdal-lorikeet target distdir-in-tree 2007-06-04 Love Hörnquist Åstrand * framework-security.m4: test for -framework Security 2007-05-10 Love Hörnquist Åstrand * roken-frag.m4: we have a fnmatch.h only if there is a working implementation and a header file. If we do use roken, lets use our own headerfile that does symbol renaming. 2007-04-19 Love Hörnquist Åstrand * version-script.m4: check if ld supports --version-script 2007-04-11 Love Hörnquist Åstrand * roken-frag.m4: drop broken-getnameinfo.m4 * roken-frag.m4: drop test for broken getnameinfo, that old aix is no longer relevant. 2007-02-16 Love Hörnquist Åstrand * install-catman.sh: Stop overwriting cmd. 2007-01-15 Love Hörnquist Åstrand * install-catman.sh: Use test instead of [. * install-catman.sh: Use = instead of ==, make solaris more happy. 2007-01-08 Love Hörnquist Åstrand * roken-frag.m4: More headerfiles for iruserok prototype check. 
* check-symbols.sh: Add fc_softc for AIX as ignore syms. 2007-01-04 Love Hörnquist Åstrand * roken-frag.m4: Check if iruserok needs a prototype. 2006-12-06 Love Hörnquist Åstrand * check-compile-et.m4: set automake symbol COM_ERR when we build local com_err 2006-11-16 Love Hörnquist Åstrand * valgrind-suppressions: We shouldn't be running /bin/ls under valgrind, but for now, at least make it easier to see any other warnings. From Andrew Bartlett. 2006-10-22 Love Hörnquist Åstrand * Makefile.am.common: Add target for valgrind debugging * valgrind-suppressions: valgrind suppressions 2006-10-21 Love Hörnquist Åstrand * check-lex.m4: Borrow test for autoconf cvs to help hpux hosts 2006-10-20 Love Hörnquist Åstrand * Makefile.am.common: provide uninstall hook for cat/manpages. * install-catman.sh: provide uninstall command 2006-10-19 Love Hörnquist Åstrand * roken-frag.m4: Add check for timegm. * roken-frag.m4: Include sys/types.h for sys/socket.h and netdb.h. 2006-10-07 Love Hörnquist Åstrand * Makefile.am.common (install-build-headers): make this function convoluted and deal with dist_, nodist, nobase and all its friends. * have-struct-field.m4: memset the structure to make sure that we don't get compiler warnings. * crypto.m4: OpenSSL_add_all_algorithms is not a openssl specific requirement, hcrypto need to have to too. * crypto.m4: Require openssl have OpenSSL_add_all_algorithms 2006-10-04 Love Hörnquist Åstrand * autobuild.m4: Add autobuild, GPLed, but free to use in projects not avaible under GPL or LGPL (just like autoconf). 2006-09-16 Love Hörnquist Åstrand * roken-frag.m4: Add samba_SOCKET_WRAPPER fragment 2006-09-12 Love Hörnquist Åstrand * socket-wrapper.m4: Add socket-wrapper test 2006-05-06 Love Hörnquist Åstrand * crypto.m4: Move up evp.h to please OpenSSL, from Douglas E. Engert. 2006-04-22 Love Hörnquist Åstrand * roken-frag.m4: Add check for fnmatch.h, its needed to be done for the automake conditional below. 
2006-04-15 Love Hörnquist Åstrand * crypto.m4: Require SHA256 2006-01-18 Love Hörnquist Åstrand * crypto.m4 Check for if we are to consider using OpenSSL, also check for headers since make_crypto.c assumes that the name of the files. 2006-01-13 Love Hörnquist Åstrand * crypto.m4: libdes is renamed to hcrypto * crypto.m4: Remove support for old hash names. 2005-10-26 Love Hörnquist Åstrand * install-catman.sh: Add variable INSTALL_CATPAGES that controls if cat pages are installed, defaults to true. From Johnny Lam . 2005-09-28 Love Hörnquist Åstrand * roken-frag.m4: Check for and uintptr_t 2005-09-02 Love Hörnquist Åstrand * roken-frag.m4: Resolver check moved to rk_RESOLV, from Andrew Bartlet * resolv.m4: Resolver checks, broken out so samba can use it From Andrew Bartlet 2005-08-22 Love Hörnquist Åstrand * roken-frag.m4: Check for res_ndestroy. 2005-08-03 Love Hörnquist Åstrand * crypto.m4: Add , OpenSSL 0.9.8 needs it for size_t. From: Quanah Gibson-Mount 2005-07-12 Love Hörnquist Åstrand * check-compile-et.m4: check that initialize_conf_error_table_r have the right argument 2005-07-07 Love Hörnquist Åstrand * check-symbols.sh: allow symbols to start with ., aix uses this 2005-06-16 Love Hörnquist Åstrand * krb-bigendian.m4: use ansi c prototypes * krb-func-getcwd-broken.m4: use ansi c prototypes * broken-snprintf.m4: use ansi c prototypes * have-pragma-weak.m4: use ansi c declarations * check-getpwnam_r-posix.m4: use ansi c declarations * broken-realloc.m4: use ansi c declarations * check-compile-et.m4: use ansi c declarations * dlopen.m4: add headers and argument to dlopen * c-function.m4: use ansi c declarations * check-var.m4: use ansi c declarations * pthreads.m4: disable threads on aix because of utmp/utmpx problems * broken-getaddrinfo.m4: check for brokenness in getaddrinfo on AIX that can't handle "0" as port number. 
2005-06-11 Love Hörnquist Åstrand * db.m4: Add an option to disable ndbm, from Stefan Metzmacher 2005-06-03 Love Hörnquist Åstrand * pthreads.m4: rework how pthreads support to turned on/off, always run though the switch to figure out what the linker/compiler flag are 2005-06-01 Love Hörnquist Åstrand * pthreads.m4: s/else if/elif/ * check-symbols.sh: AIX have a diffrent nm, use -B to get bsd like output * pthreads.m4: aix case: assume gcc handles -pthread, in the non-gcc case, use the compiler as hint (xlc vs xlc_r) if this environment handles threads or not 2005-05-22 Love Hörnquist Åstrand * check-symbols.sh: ignore weak symbols too 2005-05-19 David Love * check-getpwnam_r-posix.m4: define _POSIX_PTHREAD_SEMANTICS to make solaris provide the right getpwname_r 2005-05-17 Johan Danielsson * roken-frag.m4: am_conditional have_cgetent 2005-05-10 David Love * roken-frag.m4: Get daemon declared on Solaris (it's in unistd.h but masked by a feature test), just to avoid a warning, since it has int args. 2005-05-11 Love Hörnquist Åstrand * check-var.m4: AC_CHECK_DECL and AC_CHECK_DECLS have a subtile diffrence, the later defines HAVE_ cpp symbols, the first doesn't. 2005-05-05 Love Hörnquist Åstrand * check-symbols.sh: ignore N symbols too 2005-04-30 Love Hörnquist Åstrand * broken-snprintf.m4: include checking if snprintf(NULL, 0, "") works * check-compile-et.m4: require compile_et to generate a initialize_FOO_error_table_r (they are used in libkrb5), and always check for initialize_error_table_r 2005-04-29 Love Hörnquist Åstrand * Makefile.am.common: add LIB_com_err 2005-04-29 David Love * roken-frag.m4: Check for correct vis.h. 2005-04-28 David Love * pthreads.m4: Set PTHREADS_LIBS on Irix. 2005-04-27 Love Hörnquist Åstrand * broken-realloc.m4: use rk_realloc if realloc is broken, this makes "host-tools" not beeing able to use realloc * pthreads.m4: Add support for Solaris, Irix, and modern Linux. 
From David Love 2005-04-25 Love Hörnquist Åstrand * check-symbols.sh: limit the units functions to asn1_[A-Za-z0-9]*_units$ 2005-04-20 Love Hörnquist Åstrand * check-symbols.sh: this lib include com_err, add -com_err to CHECK_SYMBOLS * check-symbols.sh: print the type so I don't need to ask for it 2005-04-18 Love Hörnquist Åstrand * check-symbols.sh: ignore filename symbols 2005-04-04 Love Hörnquist Åstrand * check-symbols.sh: assume symbols prefixed with _ is a sideeffekt of the local linker and also just fine 2005-03-16 Love Hörnquist Åstrand * roken-frag.m4: include for 2005-03-01 Love Hörnquist Åstrand * sunos.m4: Match solaris 10. From: Joakim Fallsjo 2004-12-29 Love * check-symbols.sh: add -asn1compile symbols 2004-12-29 Love Hörnquist Åstrand * check-symbols.sh: add exported symbols test * Makefile.am.common: add CHECK_SYMBOLS tests, so that we don't export to much stuff 2004-09-03 Love Hörnquist Åstrand * make-proto.pl: add cpluscplus extern "C" support 2004-07-09 Love Hörnquist Åstrand * pthreads.m4: add -pthread to LIBS since libtool doesn't preserve it for us when adding is as a dependency on libs 2004-04-24 Johan Danielsson * largefile.m4: like AC_SYS_LARGEFILE, but also add to CPPFLAGS 2004-04-14 Love Hörnquist Åstrand * check-compile-et.m4: even more evil stuff for cross-compiling * check-x.m4: use AC_RUN_IFELSE so we can handle cross compiling * check-compile-et.m4: use AC_RUN_IFELSE so we can handle cross compiling 2004-04-13 Love Hörnquist Åstrand * make-proto.pl: if -E, add windows standard calling conv to headerfile if needed * win32.m4: add rk_WIN32_EXPORT 2004-02-12 Love Hörnquist Åstrand * configure.in: rename AC_WFLAGS to rk_WFLAGS * *.m4: overquote to pacify automake1.8 2004-02-11 Love Hörnquist Åstrand * roken-frag.m4: resolv.h is even more special * roken-frag.m4: AC_CHECK_HEADERS(net/if.h netinet6/in6_var.h sys/sysctl.h sys/proc.h, resolv.h) are all special and need extra help * test-package.m4: If there is a --with-PACKAGE=path but no 
--with-PACKAGE-config, go seach for path/PACKEGE-config and use it if it exists. Inspired by Harald Barth 2003-09-03 Love Hörnquist Åstrand * crypto.m4: check for DES_, AES_, and if openssl UI_ 2003-08-27 Johan Danielsson * vararray.m4: test for variable-length arrays * roken-frag.m4: test for poll and poll.h 2003-08-16 Love Hörnquist Åstrand * Makefile.am.common: don't try doing local checks if CHECK_LOCAL is set to no-check-local 2003-08-01 Love Hörnquist Åstrand * check-compile-et.m4: check if compile_et support ``error_table N M'' also, don't be overly aggressivly reset CFLAGS 2003-07-22 Love Hörnquist Åstrand * pthreads.m4: pthread test 2003-05-08 Johan Danielsson * Makefile.am.common: change install-data-local to install-data-hook 2003-05-05 Assar Westerlund * crypto.m4: define OPENSSL_DES_LIBDES_COMPATIBILITY 2003-04-03 Love Hörnquist Åstrand * crypto.m4: check if libcrypto needs -lnsl or -lsocket 2003-04-02 Love Hörnquist Åstrand * crypto.m4: in the case where se don't link with kerberos 4, use ${with_openssl_include} if its are set (not ${with_openssl}/include) same for with_openssl_lib 2003-03-18 Love Hörnquist Åstrand * Makefile.am.common: always define LIB_kafs 2003-03-12 Love Hörnquist Åstrand * check-compile-et.m4: check if the output of compile_et needs initialize_error_table_r 2003-02-17 Love Hörnquist Åstrand * check-var.m4: add a check if the variable is avaible when we include the headerfiles 2002-12-18 Johan Danielsson * roken-frag.m4: res_nsearch takes 6 parameters; spotted by Howard Chu 2002-10-25 Johan Danielsson * crypto.m4: do a better job at matching headers to libraries 2002-10-16 Johan Danielsson * sunos.m4: more quoting 2002-09-19 Johan Danielsson * make-proto.pl: check the processed string for closing ), not the source 2002-09-10 Johan Danielsson * crypto.m4: use m4 macros for test cases, also test for older hash names * test-package.m4: include dep libraries in LIB_* * crypto.m4: move krb4 test before test for openssl, and bail out if 
krb4 is requested, but the crypto library is not the same as krb4 * db.m4: filter contents of LDFLAGS 2002-09-09 Johan Danielsson * auth-modules.m4: rename to rk_AUTH_MODULES * auth-modules.m4: only include modules explicitly asked for 2002-09-04 Johan Danielsson * roken-frag.m4: test for res_nsearch 2002-09-03 Assar Westerlund * roken-frag.m4: check for sys/mman.h and mmap (used by parse_reply-test) 2002-08-28 Assar Westerlund * krb-readline.m4: also add LIB_tgetent in the case of editline * crypto.m4: define HAVE_OPENSSL even if we got to hear about it by krb4 2002-08-28 Johan Danielsson * krb-readline.m4: add LIB_tgetent to LIB_readline if we have to * sunos.m4: various sunos tests * crypto.m4: try to extract the crypto compiler flags from {INCLUDE,LIB}_krb4 (XXX this is really horrible) * krb-readline.m4: don't add -rpath to LIB_readline (libtool should to this for us), also don't append LIB_tgetent to LIB_readline (TEST_PACKAGE should do this) * test-package.m4: add the possibility to use a *-config program to get flags; rename to rk_TEST_PACKAGE while here * krb-bigendian.m4: move ENDIANESS_IN_SYS_PARAM_H tests here * aix.m4: rename to rk_AIX * telnet.m4: move telnet tests here * aix.m4: restructure this somewhat * dlopen.m4: test for dlopen suitable for AC_REQUIRE * irix.m4: move some stuff here and rename to irix.m4 * krb-sys-nextstep.m4: move SGTTY stuff to read_pwd.c 2002-08-28 Jacques Vidrine * auth-modules.m4: do not build pam_krb4 on freebsd 2002-08-26 Assar Westerlund * roken-frag.m4: test for the vis, strvis functions requiring prototypes 2002-08-23 Johan Danielsson * need-proto.m4: missing comma 2002-08-22 Johan Danielsson * roken-frag.m4: some rototilling * need-proto.m4: use AS_TR_CPP 2002-08-20 Johan Danielsson * roken-frag.m4: HAVE_TYPE instead of CHECK_TYPE ssize_t * krb-version.m4: use PACKAGE_TARNAME and PACKAGE_STRING * broken-getaddrinfo.m4: can't test for EAI_SERVICE here since AIX is even more fsck:ed * roken-frag.m4: test for altzone 
2002-08-19 Johan Danielsson * Makefile.am.common: only define ROKEN_RENAME if do_roken_rename 2002-08-13 Johan Danielsson * Makefile.am.common: add ROKEN_RENAME variable 2002-08-12 Johan Danielsson * make-proto.pl: include to get va_list * destdirs.m4: also define localstatedir and sysconfdir 2002-08-01 Johan Danielsson * crypto.m4: newer openssl seems to take the address of the schedule parameter to des_cbc_encrypt, so we need to feed it a variable, not just NULL (from Magnus Holmberg) 2002-05-24 Johan Danielsson * misc.m4: change \100 back to @; some m4's (probably some regex) doesn't like this as a replacement regexp; the reason it was once changed to \100 was probably because of some autoconf bug at the time 2002-05-20 Johan Danielsson * broken2.m4 []-less is apparently the way to go 2002-05-19 Johan Danielsson * otp.m4: check db_type instead of precence of dbm_firstkey * roken-frag.m4: don't AC_LIBOBJ more than one function at a time * find-if-not-broken.m4: s/AC_LIBOBJ/rk_LIBOBJ/ * broken2.m4: s/AC_LIBOBJ/rk_LIBOBJ/ * broken.m4: s/AC_LIBOBJ/rk_LIBOBJ/ * misc.m4: automake can't handle macros passed to AC_LIBOBJ, so add an alias to it called rk_LIBOBJ; this requires that the relevant source are manually included in roken/Makefile.am * aix.m4: ac_enable --diable-dynamic-afs * roken-frag.m4: use AC_LIBOBJ * krb-func-getcwd-broken.m4: use AC_LIBOBJ * find-if-not-broken.m4: use AC_LIBOBJ * broken2.m4: use AC_LIBOBJ * broken.m4: use AC_LIBOBJ * aix.m4: recognise aix5 2002-05-17 Johan Danielsson * crypto.m4: am-conditionalise HAVE_OPENSSL * db.m4: make it possible to run this twice * Makefile.am.common: also install nodist_include_HEADERS 2002-05-16 Johan Danielsson * make-proto.pl: make it possible to redefine the "private" regexp 2002-05-02 Johan Danielsson * db.m4: am_cond HAVE_* 2002-04-30 Johan Danielsson * krb-ipv6.m4: use AC_HELP_STRING; fix logic bug in AC_MSG_RESULT call * test-package.m4: use AC_HELP_STRING * roken.m4: use AC_HELP_STRING * osfc2.m4: use 
AC_HELP_STRING * mips-abi.m4: use AC_HELP_STRING * krb-bigendian.m4: use AC_HELP_STRING * db.m4: rework this somewhat; check for db3/4 in subdirs, change --with to --enable; it should really be possible to point it to some directory --with-berkeley-db=/foo * otp.m4: OTP test 2002-04-25 Johan Danielsson * destdirs.m4: define BINDIR et al 2002-04-18 Johan Danielsson * misc.m4: remove some stuff that is defined elsewhere * make-proto.pl: optionally remove __P and parameter names 2001-11-30 Assar Westerlund * roken-frag.m4: move ipv6 tests after -lsocket (to handle Solaris 8) 2001-09-29 Assar Westerlund * install-catman.sh: handle man pages without SYNOPSIS but looking for both SYNOPSIS and DESCRIPTION 2001-09-18 Johan Danielsson * roken-frag.m4: include freeaddrinfo if using getaddrinfo 2001-09-13 Assar Westerlund * db.m4: test for the ndbm database really being a .db one and use it when moving/removing database files 2001-09-03 Assar Westerlund * db.m4: prefer ndbm.h to dbm.h * roken-frag.m4: check for atexit and on_exit 2001-09-02 Assar Westerlund * check-compile-et.m4: only add /usr/include/et to CPPFLAGS if it's actually used 2001-09-01 Assar Westerlund * Makefile.am.common (AUTOMAKE_OPTIONS): set 1.4b here so that users are warned if using earlier automake versions * find-func-no-libs2.m4: ignore "no" as a library - another special case to make it easy to send the result from this macro into another invocation 2001-08-30 Assar Westerlund * db.m4: check for ndbm functions in db3 library too 2001-08-29 Jacques Vidrine * check-compile-et.m4: Check for already-installed com_err. * Makefile.am.common: Use the compile_et discovered at configuration time. 
2001-08-29 Assar Westerlund * crypto.m4: use AC_WITH_ALL to allow separate specification of include and lib * with-all.m4: new macro for doing --with-foo, --with-foo-include, and --with-foo-lib in a sensible way * find-func-no-libs2.m4: handle both -llib and lib in the second argument also yes -> "" as a library, to ease callers that send in results from this macro (this might be a little bit unclean) 2001-08-28 Assar Westerlund * roken-frag.m4: test for issetugid 2001-08-24 Assar Westerlund * Makefile.am.common: change one += to = to AM_CFLAGS to avoid an error with recent automake 2001-08-22 Assar Westerlund * crypto.m4: SHA1_CTX should be SHA_CTX 2001-08-21 Assar Westerlund * roken-frag.m4: remove all winsock.h for now, it does more harm than good under cygwin and if it should be used, the correct conditional needs to be found from 2001-08-21 Johan Danielsson * check-var.m4: AC_TR_CPP -> AS_TR_CPP to make autoconf 2.52 happy 2001-08-17 Johan Danielsson * krb-ipv6.m4: add test for non-existant in6addr_loopback in AIX 2001-08-15 Johan Danielsson * roken-frag.m4: test for getaddrinfo's that doesn't like numeric services * broken-getaddrinfo.m4: test for getaddrinfo's that doesn't like numeric services 2001-08-08 Assar Westerlund * db.m4: do a separate test for gdbm/ndbm.h and -lgdbm 2001-08-05 Assar Westerlund * db.m4: ac_cv_funclib_\func can be yes * db.m4: use AC_FIND_FUNC_NO_LIBS to test in libc anset cache variables after first attempt at finding dbm_firstkey (how should this be done?) 
* db.m4: do not test for ndbm library when ndbm-db was found in libc * db.m4: test for ndbm-compatability with db * db.m4: add forgotten AC_SUBST * db.m4: first steps towards a new db test * roken-frag.m4: remove header files checked by rk_db 2001-08-05 Assar Westerlund * roken-frag.m4: remove header files checked by rk_db 2001-06-24 Assar Westerlund * roken-frag.m4: make sure of building getaddrinfo et al if missing 2001-06-20 Johan Danielsson * install-catman.sh: try to install links to manpages 2001-06-19 Assar Westerlund * broken-glob.m4: try to handle FreeBSD's GLOB_MAXPATH 2001-06-18 Johan Danielsson * roken-frag.m4: test for getaddrinfo needs netdb.h on Tru64 2001-06-17 Assar Westerlund * roken-frag.m4 (AC_CHECK_HEADERS): test for random * roken-frag.m4 (AC_CHECK_HEADERS): test for initstate and setstate * roken-frag.m4 (AC_BROKEN): test for emalloc,ecalloc,erealloc,estrdup 2001-05-11 Johan Danielsson * roken-frag.m4: bswap{16,32} 2001-03-26 Assar Westerlund * broken-glob.m4: also test for GLOB_LIMIT * krb-ipv6.m4: restore CFLAGS if v6 is not detected 2001-02-20 Assar Westerlund * roken-frag.m4: check for getprogname, setprogname 2001-02-07 Assar Westerlund * Makefile.am.common (LIB_kdfs): set. use it. from Ake Sandgren 2000-12-26 Assar Westerlund * krb-ipv6.m4: remove some dnl that weren't the correct with modern autoconf 2000-12-15 Assar Westerlund * roken-frag.m4 (inet_ntoa, inet_ntop, inet_pton): add necessary includes when testing * broken2.m4: new variant of broken, with includes and arguments * test-package.m4: s/ifval/m4_ifval/ to keep in sync with autoconf. from Ake Sandgren * check-var.m4: s/ifval/m4_ifval/ to keep in sync with autoconf. from Ake Sandgren 2000-12-13 Assar Westerlund * krb-irix.m4: need to set irix to no first. 
From Ake Sandgren 2000-12-12 Johan Danielsson * roken-frag.m4: move sa_len test to before test for broken getnameinfo 2000-12-12 Assar Westerlund * roken-frag.m4: only test for broken getnameinfo if it exists 2000-12-10 Johan Danielsson * roken-frag.m4: ifaddrs.h 2000-12-06 Johan Danielsson * roken-frag.m4: test for unvis, and vis.h * roken-frag.m4: test for strvis* 2000-12-05 Johan Danielsson * Makefile.am.common: just warn if we fail to setuid a program * broken-getnameinfo.m4: add more quotes * roken-frag.m4: test for getifaddrs * roken-frag.m4: test for broken AIX getnameinfo * broken-getnameinfo.m4: test for broken getnameinfo 2000-12-01 Assar Westerlund * Makefile.am.common: add kludge for LIBS 2000-11-30 Johan Danielsson * check-man.m4: update this after recent changes * Makefile.am.common: use install-catman.sh * install-catman.sh: script to install preformatted manual pages * Makefile.am.common: change cat handling 2000-11-29 Johan Danielsson * roken-frag.m4: don't use AC_CONFIG_FILES here, since it doesn't work with automake 2000-11-15 Assar Westerlund * krb-readline.m4: link against the libtool-versions of libeditline and libel_compat * Makefile.am.common (INCLUDES): add $(INCLUDES_roken) * roken-frag.m4 (CPPFLAGS_roken): rename to INCLUDES_roken 2000-11-05 Johan Danielsson * aix.m4: set aix 2000-08-19 Assar Westerlund * krb-bigendian.m4: merge from arla: make it work better 2000-08-07 Johan Danielsson * roken-frag.m4: check getsockname for proto compat 2000-08-04 Johan Danielsson * Makefile.am.common: add library for pidfile * roken-frag.m4: tests for util.h and pidfile 2000-07-19 Johan Danielsson * check-var.m4: rename to rk_CHECK_VAR, transposing the arguments, and making the second optional, AU_DEFINE AC_CHECK_VAR to rk_CHECK_VAR * roken-frag.m4: other roken tests * db.m4: db tests 2000-07-18 Johan Danielsson * mips-abi.m4: AC_ERROR -> AC_MSG_ERROR * check-netinet-ip-and-tcp.m4: use cache_check, and make this work with new autoconf * aix.m4: don't 
subst AFS_EXTRA_LD 2000-07-15 Johan Danielsson * check-var.m4: workaround feature of newer autoconf * find-func-no-libs2.m4: use cleaner autoheader trick * have-type.m4: use cleaner autoheader trick * have-types.m4: use cleaner autoheader trick * test-package.m4: add 6th parameter for now * broken.m4: use cleaner autoheader trick * retsigtype.m4: test for signal handler return type * broken-realloc.m4: test for broken realloc 2000-07-08 Assar Westerlund * roken.m4: set CPPFLAGS_roken and call AC_CONFIG_SUBDIRS 2000-07-02 Assar Westerlund * Makefile.am.common (CP): set and use 2000-04-05 Assar Westerlund * Makefile.am.common (INCLUDE_openldap, LIB_openldap): add 2000-03-28 Assar Westerlund * krb-prog-yacc.m4: AC_MSG_WARNING should be AC_MSG_WARN * shared-libs.m4: try to update to freebsd5 (and elf) 2000-03-16 Assar Westerlund * krb-prog-yacc.m4: warn we do not find any yacc 2000-01-08 Assar Westerlund * krb-bigendian.m4: new file, replacement for ac_c_bigendian 2000-01-01 Assar Westerlund * krb-ipv6.m4: re-organize: test for type of stack first so that we can find the libraries that we might have to link the test program against. not linking the test program means we don't know if the right stuff is in the libraries. also cosmetic changes to make sure we print the checking for... nicely 1999-12-21 Assar Westerlund * krb-ipv6.m4: try linking, not only compiling * krb-ipv6.m4: add --without-ipv6 make sure we have `in6addr_any' which we use in the code. This test avoids false positives on OpenBSD 1999-11-29 Johan Danielsson * grok-type.m4: inttypes.h 1999-11-05 Assar Westerlund * check-x.m4: include X_PRE_LIBS and X_EXTRA_LIBS when testing 1999-11-01 Assar Westerlund * Makefile.am.common (install-build-headers): use `cp' instead of INSTALL_DATA for copying header files inside the build tree. The user might have redefined INSTALL_DATA to specify owners and other information. 
1999-10-30 Assar Westerlund * find-func-no-libs2.m4: add yet another argument to allow specify linker flags that will be added _before_ the library when trying to link * find-func-no-libs.m4: add yet another argument to allow specify linker flags that will be added _before_ the library when trying to link 1999-10-12 Assar Westerlund * find-func-no-libs2.m4 (AC_FIND_FUNC_NO_LIBS2): new argument `extra libs' * find-func-no-libs.m4 (AC_FIND_FUNC_NO_LIBS): new argument `extra libs' 1999-09-01 Johan Danielsson * capabilities.m4: sgi capabilities 1999-07-29 Assar Westerlund * have-struct-field.m4: quote macros when undefining 1999-07-28 Assar Westerlund * Makefile.am.common (install-build-headers): add dependencies 1999-07-24 Assar Westerlund * have-type.m4: try to get autoheader to co-operate * have-type.m4: stolen from Arla * krb-struct-sockaddr-sa-len.m4: not used any longer. removed. 1999-06-13 Assar Westerlund * krb-struct-spwd.m4: consequent name of cache variables * krb-func-getlogin.m4: new file for testing for posix (broken) getlogin * shared-libs.m4 (freebsd[34]): don't use ld -Bshareable 1999-06-02 Johan Danielsson * check-x.m4: extended test for X 1999-05-14 Assar Westerlund * check-netinet-ip-and-tcp.m4: proper autoheader tricks * check-netinet-ip-and-tcp.m4: new file for checking for netinet/{ip,tcp}.h. These are special as they on Irix 6.5.3 require to be included in advance. * check-xau.m4: we also need to check for XauFilename since it's used by appl/kx. And on Irix 6.5 that function requires linking with -lX11. 1999-05-08 Assar Westerlund * krb-find-db.m4: try with more header files than ndbm.h 1999-04-19 Assar Westerlund * test-package.m4: try to handle the case of --without-package correctly 1999-04-17 Assar Westerlund * make-aclocal: removed. Not used anymore, being replaced by aclocal from automake. 
Thu Apr 15 14:17:26 1999 Johan Danielsson * make-proto.pl: handle __attribute__ Fri Apr 9 20:37:18 1999 Assar Westerlund * shared-libs.m4: quote $@ (freebsd3): add install_symlink_command2 Wed Apr 7 20:40:22 1999 Assar Westerlund * shared-libs.m4 (hpux): no library dependencies Mon Apr 5 16:13:08 1999 Johan Danielsson * test-package.m4: compile and link, rather than looking for files; also export more information, so it's possible to add rpath information Tue Mar 30 13:49:54 1999 Johan Danielsson * Makefile.am.common: CFLAGS -> AM_CFLAGS Mon Mar 29 16:51:12 1999 Johan Danielsson * check-xau.m4: check for XauWriteAuth before checking for XauReadAuth to catch -lX11:s not containing XauWriteAuth, and IRIX 6.5 that doesn't work with -lXau Sat Mar 27 18:03:58 1999 Johan Danielsson * osfc2.m4: --enable-osfc2 Fri Mar 19 15:34:52 1999 Johan Danielsson * shared-libs.m4: move shared lib stuff here Wed Mar 24 23:24:51 1999 Assar Westerlund * Makefile.am.common (install-build-headers): simplify loop Tue Mar 23 17:31:23 1999 Johan Danielsson * check-getpwnam_r-posix.m4: check for getpwnam_r, and if it's posix or not Tue Mar 23 00:00:13 1999 Assar Westerlund * Makefile.am.common (install_build_headers): try to make it work better when list of headers is empty. handle make rewriting the filenames. 
* Makefile.am.common: hesoid -> hesiod Sun Mar 21 14:48:03 1999 Johan Danielsson * grok-type.m4: * Makefile.am.common: fix for automake bug/feature; add more LIB_* * test-package.m4: fix typo * check-man.m4: fix some typos * auth-modules.m4: tests for authentication modules Thu Mar 18 11:02:55 1999 Johan Danielsson * Makefile.am.common: make install-build-headers a multi dependency target * Makefile.am.common: remove include_dir hack * Makefile.am.common: define LIB_kafs and LIB_gssapi * krb-find-db.m4: subst DBLIB also * check-xau.m4: test for Xau{Read,Write}Auth Wed Mar 10 19:29:20 1999 Johan Danielsson * wflags.m4: AC_WFLAGS Mon Mar 1 11:23:41 1999 Johan Danielsson * have-struct-field.m4: remove extra AC_MSG_RESULT * proto-compat.m4: typo * krb-func-getcwd-broken.m4: update to autoconf 2.13 * krb-find-db.m4: update to autoconf 2.13 * check-declaration.m4: typo * have-pragma-weak.m4: update to autoconf 2.13 * have-struct-field.m4: better handling of types with spaces Mon Feb 22 20:05:06 1999 Johan Danielsson * broken-glob.m4: check for broken glob Sun Jan 31 06:50:33 1999 Assar Westerlund * krb-ipv6.m4: more magic for different v6 implementations. From Jun-ichiro itojun Hagino Sun Nov 22 12:16:06 1998 Assar Westerlund * krb-struct-spwd.m4: new file Thu Jun 4 04:07:41 1998 Assar Westerlund * find-func-no-libs2.m4: new file Fri May 1 23:31:28 1998 Assar Westerlund * c-attribute.m4, c-function.m4: new files (from arla) Wed Mar 18 23:11:29 1998 Assar Westerlund * krb-ipv6.m4: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6 Thu Feb 26 02:37:49 1998 Assar Westerlund * make-proto.pl: should work with perl4 heimdal-1.7~git20150920+dfsg/cf/Makefile.am.common000066400000000000000000000167071257755311500213710ustar00rootroot00000000000000# $Id$ SUFFIXES = .et .h .pc.in .pc DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include AM_CPPFLAGS = $(INCLUDES_roken) if do_roken_rename ROKEN_RENAME = -DROKEN_RENAME endif AM_CFLAGS = $(WFLAGS) CP = cp ## set build_HEADERZ to headers that should just be installed in build tree buildinclude = $(top_builddir)/include ## these aren't detected by automake LIB_XauReadAuth = @LIB_XauReadAuth@ LIB_crypt = @LIB_crypt@ LIB_dbm_firstkey = @LIB_dbm_firstkey@ LIB_dbopen = @LIB_dbopen@ LIB_dlopen = @LIB_dlopen@ LIB_dn_expand = @LIB_dn_expand@ LIB_el_init = @LIB_el_init@ LIB_getattr = @LIB_getattr@ LIB_gethostbyname = @LIB_gethostbyname@ LIB_getpwent_r = @LIB_getpwent_r@ LIB_getpwnam_r = @LIB_getpwnam_r@ LIB_getsockopt = @LIB_getsockopt@ LIB_logout = @LIB_logout@ LIB_logwtmp = @LIB_logwtmp@ LIB_odm_initialize = @LIB_odm_initialize@ LIB_openpty = @LIB_openpty@ LIB_pidfile = @LIB_pidfile@ LIB_res_search = @LIB_res_search@ LIB_setpcred = @LIB_setpcred@ LIB_setsockopt = @LIB_setsockopt@ LIB_socket = @LIB_socket@ LIB_syslog = @LIB_syslog@ LIB_tgetent = @LIB_tgetent@ LIB_com_err = @LIB_com_err@ LIB_door_create = @LIB_door_create@ HESIODLIB = @HESIODLIB@ HESIODINCLUDE = @HESIODINCLUDE@ INCLUDE_hesiod = @INCLUDE_hesiod@ LIB_hesiod = @LIB_hesiod@ INCLUDE_krb4 = @INCLUDE_krb4@ LIB_krb4 = @LIB_krb4@ INCLUDE_openldap = @INCLUDE_openldap@ LIB_openldap = @LIB_openldap@ INCLUDE_readline = @INCLUDE_readline@ LIB_readline = @LIB_readline@ LEXLIB = @LEXLIB@ libexec_heimdaldir = $(libexecdir)/heimdal install-suid-programs: @foo='$(bin_SUIDS)'; \ for file in $$foo; do \ x=$(DESTDIR)$(bindir)/$$file; \ if chown 0:0 $$x && chmod u+s $$x; then :; else \ echo "*"; \ echo "* Failed to install $$x setuid root"; \ echo "*"; \ fi; \ done install-exec-local: install-suid-programs codesign-all: @if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \ foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \ for file in $$foo ; do \ echo "CODESIGN $$file" ; \ codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \ done ; \ fi 
all-local: codesign-all install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS) @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \ for f in $$foo; do \ f=`basename $$f`; \ if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ else file="$$f"; fi; \ if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ : ; else \ echo " $(CP) $$file $(buildinclude)/$$f"; \ $(CP) $$file $(buildinclude)/$$f; \ fi ; \ done ; \ foo='$(nobase_include_HEADERS)'; \ for f in $$foo; do \ if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ else file="$$f"; fi; \ $(mkdir_p) $(buildinclude)/`dirname $$f` ; \ if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ : ; else \ echo " $(CP) $$file $(buildinclude)/$$f"; \ $(CP) $$file $(buildinclude)/$$f; \ fi ; \ done all-local: install-build-headers check-local:: @if test '$(CHECK_LOCAL)' = "no-check-local"; then \ foo=''; elif test '$(CHECK_LOCAL)'; then \ foo='$(CHECK_LOCAL)'; else \ foo='$(PROGRAMS)'; fi; \ if test "$$foo"; then \ failed=0; all=0; \ for i in $$foo; do \ all=`expr $$all + 1`; \ if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \ echo "PASS: $$i"; \ else \ echo "FAIL: $$i"; \ failed=`expr $$failed + 1`; \ fi; \ done; \ if test "$$failed" -eq 0; then \ banner="All $$all tests passed"; \ else \ banner="$$failed of $$all tests failed"; \ fi; \ dashes=`echo "$$banner" | sed s/./=/g`; \ echo "$$dashes"; \ echo "$$banner"; \ echo "$$dashes"; \ test "$$failed" -eq 0 || exit 1; \ fi SUFFIXES += .x .z .hx .x.c: @cmp -s $< $@ 2> /dev/null || cp $< $@ .hx.h: @cmp -s $< $@ 2> /dev/null || cp $< $@ SUFFIXES += .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 NROFF_MAN = groff -mandoc -Tascii #NROFF_MAN = nroff -man .1.cat1: $(NROFF_MAN) $< > $@ .3.cat3: $(NROFF_MAN) $< > $@ .5.cat5: $(NROFF_MAN) $< > $@ .7.cat7: $(NROFF_MAN) $< > $@ .8.cat8: $(NROFF_MAN) $< > $@ 
## MAINTAINERCLEANFILES += dist-cat1-mans: @foo='$(man1_MANS)'; \ bar='$(man_MANS)'; \ for i in $$bar; do \ case $$i in \ *.1) foo="$$foo $$i";; \ esac; done ;\ for i in $$foo; do \ x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ done dist-cat3-mans: @foo='$(man3_MANS)'; \ bar='$(man_MANS)'; \ for i in $$bar; do \ case $$i in \ *.3) foo="$$foo $$i";; \ esac; done ;\ for i in $$foo; do \ x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ done dist-cat5-mans: @foo='$(man5_MANS)'; \ bar='$(man_MANS)'; \ for i in $$bar; do \ case $$i in \ *.5) foo="$$foo $$i";; \ esac; done ;\ for i in $$foo; do \ x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ done dist-cat7-mans: @foo='$(man7_MANS)'; \ bar='$(man_MANS)'; \ for i in $$bar; do \ case $$i in \ *.7) foo="$$foo $$i";; \ esac; done ;\ for i in $$foo; do \ x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \ echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ done dist-cat8-mans: @foo='$(man8_MANS)'; \ bar='$(man_MANS)'; \ for i in $$bar; do \ case $$i in \ *.8) foo="$$foo $$i";; \ esac; done ;\ for i in $$foo; do \ x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ done dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans install-cat-mans: $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS) uninstall-cat-mans: $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" 
"$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS) install-data-hook: install-cat-mans uninstall-hook: uninstall-cat-mans .et.h: $(COMPILE_ET) $< .et.c: $(COMPILE_ET) $< LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) if KRB5 LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ $(top_builddir)/lib/asn1/libasn1.la LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la endif LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la if DCE LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la endif # # Useful target for debugging # check-valgrind: tobjdir=`cd $(top_builddir) && pwd` ; \ tsrcdir=`cd $(top_srcdir) && pwd` ; \ env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check # # Target to please samba build farm, builds distfiles in-tree. # Will break when automake changes... # distdir-in-tree: $(DISTFILES) $(INFO_DEPS) list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" != .; then \ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \ fi ; \ done #silent-rules heim_verbose = $(heim_verbose_$(V)) heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY)) heim_verbose_0 = @echo " GEN "$@; heimdal-1.7~git20150920+dfsg/cf/aix.m4000066400000000000000000000023311257755311500170550ustar00rootroot00000000000000dnl dnl $Id$ dnl AC_DEFUN([rk_AIX],[ aix=no case "$host" in *-*-aix3*) aix=3 ;; *-*-aix[[4-9]]*) aix=4 ;; esac AM_CONDITIONAL(AIX, test "$aix" != no)dnl AM_CONDITIONAL(AIX4, test "$aix" = 4)dnl AC_ARG_ENABLE(dynamic-afs, AS_HELP_STRING([--disable-dynamic-afs], [do not use loaded AFS library with AIX])) if test "$aix" != no; then AC_DEFINE(NEED_QSORT, 1, [if your qsort is not a stable sort]) if test "$enable_dynamic_afs" != no; then AC_REQUIRE([rk_DLOPEN]) if test "$ac_cv_func_dlopen" = no; then AC_FIND_FUNC_NO_LIBS(loadquery, ld) fi if test "$ac_cv_func_dlopen" != no; then AIX_EXTRA_KAFS='$(LIB_dlopen)' elif test "$ac_cv_func_loadquery" 
!= no; then AIX_EXTRA_KAFS='$(LIB_loadquery)' else AC_MSG_NOTICE([not using dynloaded AFS library]) AIX_EXTRA_KAFS= enable_dynamic_afs=no fi else AIX_EXTRA_KAFS= fi fi AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$enable_dynamic_afs" != no)dnl AC_SUBST(AIX_EXTRA_KAFS)dnl if test "$aix" != no; then AC_DEFINE([_ALL_SOURCE],1,[Required for functional/sane headers on AIX]) fi AH_BOTTOM([#if _AIX /* XXX this is gross, but kills about a gazillion warnings */ struct ether_addr; struct sockaddr; struct sockaddr_dl; struct sockaddr_in; #endif]) ]) heimdal-1.7~git20150920+dfsg/cf/auth-modules.m4000066400000000000000000000016211257755311500207040ustar00rootroot00000000000000dnl $Id$ dnl dnl Figure what authentication modules should be built dnl dnl rk_AUTH_MODULES(module-list) AC_DEFUN([rk_AUTH_MODULES],[ AC_MSG_CHECKING([which authentication modules should be built]) z='m4_ifval([$1], $1, [sia pam afskauthlib])' LIB_AUTH_SUBDIRS= for i in $z; do case $i in sia) if test "$ac_cv_header_siad_h" = yes; then LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia" fi ;; pam) case "${host}" in *-*-freebsd*) ac_cv_want_pam_krb4=no ;; *) ac_cv_want_pam_krb4=yes ;; esac if test "$ac_cv_want_pam_krb4" = yes -a \ "$ac_cv_header_security_pam_modules_h" = yes -a \ "$enable_shared" = yes; then LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam" fi ;; afskauthlib) case "${host}" in *-*-irix[[56]]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;; esac ;; esac done if test "$LIB_AUTH_SUBDIRS"; then AC_MSG_RESULT($LIB_AUTH_SUBDIRS) else AC_MSG_RESULT(none) fi AC_SUBST(LIB_AUTH_SUBDIRS)dnl ]) heimdal-1.7~git20150920+dfsg/cf/broken-getaddrinfo.m4000066400000000000000000000013561257755311500220460ustar00rootroot00000000000000dnl $Id$ dnl dnl test if getaddrinfo can handle numeric services AC_DEFUN([rk_BROKEN_GETADDRINFO],[ AC_CACHE_CHECK([if getaddrinfo handles numeric services], ac_cv_func_getaddrinfo_numserv, AC_RUN_IFELSE([AC_LANG_SOURCE([[#include #include #include #include int main(int argc, char **argv) { struct 
addrinfo hints, *ai; memset(&hints, 0, sizeof(hints)); hints.ai_flags = AI_PASSIVE; hints.ai_socktype = SOCK_STREAM; hints.ai_family = PF_UNSPEC; if(getaddrinfo(NULL, "17", &hints, &ai) != 0) return 1; if(getaddrinfo(NULL, "0", &hints, &ai) != 0) return 1; return 0; } ]])],[ac_cv_func_getaddrinfo_numserv=yes],[ac_cv_func_getaddrinfo_numserv=no],[ac_cv_func_getaddrinfo_numserv=yes]))]) heimdal-1.7~git20150920+dfsg/cf/broken-glob.m4000066400000000000000000000012711257755311500204770ustar00rootroot00000000000000dnl $Id$ dnl dnl check for glob(3) dnl AC_DEFUN([AC_BROKEN_GLOB],[ AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working, ac_cv_func_glob_working=yes AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include #include ]],[[ glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE| #ifdef GLOB_MAXPATH GLOB_MAXPATH #else GLOB_LIMIT #endif , NULL, NULL); ]])],[:],[ac_cv_func_glob_working=no])) if test "$ac_cv_func_glob_working" = yes; then AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, GLOB_TILDE, and GLOB_LIMIT]) fi if test "$ac_cv_func_glob_working" = yes; then AC_NEED_PROTO([#include #include ],glob) fi ]) heimdal-1.7~git20150920+dfsg/cf/broken-realloc.m4000066400000000000000000000011541257755311500211750ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl Test for realloc that doesn't handle NULL as first parameter dnl AC_DEFUN([rk_BROKEN_REALLOC], [ AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [ ac_cv_func_realloc_broken=no AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include #include int main(int argc, char **argv) { return realloc(NULL, 17) == NULL; } ]])],[:], [ac_cv_func_realloc_broken=yes],[:]) ]) if test "$ac_cv_func_realloc_broken" = yes ; then AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.]) fi AH_BOTTOM([#ifdef BROKEN_REALLOC #define realloc(X, Y) rk_realloc((X), (Y)) #endif]) ]) 
heimdal-1.7~git20150920+dfsg/cf/broken-snprintf.m4000066400000000000000000000027661257755311500214310ustar00rootroot00000000000000dnl $Id$ dnl AC_DEFUN([AC_BROKEN_SNPRINTF], [ AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working, ac_cv_func_snprintf_working=yes AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include #include int main(int argc, char **argv) { char foo[[3]]; snprintf(foo, 2, "12"); return strcmp(foo, "1") || snprintf(NULL, 0, "%d", 12) != 2; }]])],[:],[ac_cv_func_snprintf_working=no],[:])) if test "$ac_cv_func_snprintf_working" = yes; then AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf]) fi if test "$ac_cv_func_snprintf_working" = yes; then AC_NEED_PROTO([#include ],snprintf) fi ]) AC_DEFUN([AC_BROKEN_VSNPRINTF],[ AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working, ac_cv_func_vsnprintf_working=yes AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include #include #include int foo(int num, ...) { char bar[[3]]; va_list arg; va_start(arg, num); vsnprintf(bar, 2, "%s", arg); va_end(arg); return strcmp(bar, "1"); } int bar(int num, int len, ...) 
{ int r; va_list arg; va_start(arg, len); r = vsnprintf(NULL, 0, "%s", arg); va_end(arg); return r != len; } int main(int argc, char **argv) { return foo(0, "12") || bar(0, 2, "12"); }]])],[:],[ac_cv_func_vsnprintf_working=no],[:])) if test "$ac_cv_func_vsnprintf_working" = yes; then AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf]) fi if test "$ac_cv_func_vsnprintf_working" = yes; then AC_NEED_PROTO([#include ],vsnprintf) fi ]) heimdal-1.7~git20150920+dfsg/cf/broken.m4000066400000000000000000000004731257755311500175610ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal dnl libraries AC_DEFUN([AC_BROKEN], [AC_FOREACH([rk_func], [$1], [AC_CHECK_FUNC(rk_func, [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]rk_func), 1, [Define if you have the function `]rk_func['.])], [rk_LIBOBJ(rk_func)])])]) heimdal-1.7~git20150920+dfsg/cf/broken2.m4000066400000000000000000000013421257755311500176370ustar00rootroot00000000000000dnl $Id$ dnl dnl AC_BROKEN but with more arguments dnl AC_BROKEN2(func, includes, arguments) AC_DEFUN([AC_BROKEN2], [AC_MSG_CHECKING([for $1]) AC_CACHE_VAL(ac_cv_func_[]$1, [AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[ /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_$1) || defined (__stub___$1) choke me #else $1($3); #endif ]])], [eval "ac_cv_func_[]$1=yes"], [eval "ac_cv_func_[]$1=no"])]) if eval "test \"\${ac_cv_func_[]$1}\" = yes"; then AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, define) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) rk_LIBOBJ($1) fi]) heimdal-1.7~git20150920+dfsg/cf/c-attribute.m4000066400000000000000000000010231257755311500205140ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl dnl Test for __attribute__ dnl AC_DEFUN([AC_C___ATTRIBUTE__], [ AC_MSG_CHECKING(for __attribute__) AC_CACHE_VAL(ac_cv___attribute__, [ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include static void foo(void) __attribute__ ((noreturn)); static void foo(void) { exit(1); } ]])], [ac_cv___attribute__=yes], [ac_cv___attribute__=no])]) if test "$ac_cv___attribute__" = "yes"; then AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__]) fi AC_MSG_RESULT($ac_cv___attribute__) ]) heimdal-1.7~git20150920+dfsg/cf/c-function.m4000066400000000000000000000011031257755311500203350ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl dnl Test for __FUNCTION__ dnl AC_DEFUN([AC_C___FUNCTION__], [ AC_MSG_CHECKING(for __FUNCTION__) AC_CACHE_VAL(ac_cv___function__, [ AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include static char *foo(void) { return __FUNCTION__; } int main(int argc, char **argc) { return strcmp(foo(), "foo") != 0; } ]])], [ac_cv___function__=yes], [ac_cv___function__=no], [ac_cv___function__=no])]) if test "$ac_cv___function__" = "yes"; then AC_DEFINE(HAVE___FUNCTION__, 1, [define if your compiler has __FUNCTION__]) fi AC_MSG_RESULT($ac_cv___function__) ]) heimdal-1.7~git20150920+dfsg/cf/capabilities.m4000066400000000000000000000002751257755311500207320ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl dnl Test SGI capabilities dnl AC_DEFUN([KRB_CAPABILITIES],[ AC_CHECK_HEADERS(capability.h sys/capability.h) AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc) ]) 
heimdal-1.7~git20150920+dfsg/cf/check-compile-et.m4000066400000000000000000000070631257755311500214140ustar00rootroot00000000000000dnl $Id$ dnl dnl CHECK_COMPILE_ET AC_DEFUN([CHECK_COMPILE_ET], [ AC_CHECK_PROG(COMPILE_ET, compile_et, [compile_et], [no]) krb_cv_compile_et="no" krb_cv_com_err_need_r="" krb_cv_compile_et_cross=no if test "${COMPILE_ET}" != "no"; then dnl We have compile_et. Now let's see if it supports `prefix' and `index'. AC_MSG_CHECKING(whether compile_et has the features we need) cat > conftest_et.et <<'EOF' error_table test conf prefix CONFTEST index 1 error_code CODE1, "CODE1" index 128 error_code CODE2, "CODE2" end EOF if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then dnl XXX Some systems have . save_CPPFLAGS="${CPPFLAGS}" if test -d "/usr/include/et"; then CPPFLAGS="-I/usr/include/et ${CPPFLAGS}" fi dnl Check that the `prefix' and `index' directives were honored. AC_LANG(C) AC_RUN_IFELSE([AC_LANG_SOURCE([ #include #include #include "conftest_et.h" int main(int argc, char **argv){ #ifndef ERROR_TABLE_BASE_conf #error compile_et does not handle error_table N M #endif return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;} ])], [krb_cv_compile_et="yes"],[CPPFLAGS="${save_CPPFLAGS}"], [krb_cv_compile_et="yes" krb_cv_compile_et_cross=yes] ) fi AC_MSG_RESULT(${krb_cv_compile_et}) if test "${krb_cv_compile_et}" = "yes" -a "${krb_cv_compile_et_cross}" = no; then AC_MSG_CHECKING([for if com_err generates a initialize_conf_error_table_r]) AC_EGREP_CPP([initialize_conf_error_table_r.*struct et_list], [#include "conftest_et.h"], [krb_cv_com_err_need_r="ok"]) if test X"$krb_cv_com_err_need_r" = X ; then AC_MSG_RESULT(no) krb_cv_compile_et=no else AC_MSG_RESULT(yes) fi fi rm -fr conftest* fi if test "${krb_cv_compile_et_cross}" = yes ; then krb_cv_com_err="cross" elif test "${krb_cv_compile_et}" = "yes"; then dnl Since compile_et seems to work, let's check libcom_err krb_cv_save_LIBS="${LIBS}" LIBS="${LIBS} -lcom_err" AC_MSG_CHECKING(for com_err) 
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],[[ const char *p; p = error_message(0); initialize_error_table_r(0,0,0,0); com_right_r(0, 0, 0, 0); ]])],[krb_cv_com_err="yes"],[krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"]) AC_MSG_RESULT(${krb_cv_com_err}) LIBS="${krb_cv_save_LIBS}" else dnl Since compile_et doesn't work, forget about libcom_err krb_cv_com_err="no" fi dnl Only use the system's com_err if we found compile_et, libcom_err, and dnl com_err.h. if test "${krb_cv_com_err}" = "yes"; then DIR_com_err="" LIB_com_err="-lcom_err" LIB_com_err_a="" LIB_com_err_so="" AC_MSG_NOTICE(Using the already-installed com_err) COMPILE_ET="${ac_cv_prog_COMPILE_ET}" localcomerr=no elif test "${krb_cv_com_err}" = "cross"; then DIR_com_err="com_err" LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la" LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a" LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so" AC_MSG_NOTICE(Using our own com_err with toolchain compile_et) COMPILE_ET="${ac_cv_prog_COMPILE_ET}" localcomerr=yes else COMPILE_ET="\$(top_builddir)/lib/com_err/compile_et" DIR_com_err="com_err" LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la" LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a" LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so" AC_MSG_NOTICE(Using our own com_err) localcomerr=yes fi AM_CONDITIONAL(COM_ERR, test "$localcomerr" = yes)dnl AC_SUBST(COMPILE_ET) AC_SUBST(DIR_com_err) AC_SUBST(LIB_com_err) AC_SUBST(LIB_com_err_a) AC_SUBST(LIB_com_err_so) ]) heimdal-1.7~git20150920+dfsg/cf/check-getpwnam_r-posix.m4000066400000000000000000000024261257755311500226570ustar00rootroot00000000000000dnl $Id$ dnl dnl check for getpwnam_r, and if it's posix or not AC_DEFUN([AC_CHECK_GETPWNAM_R_POSIX],[ AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r) if test "$ac_cv_func_getpwnam_r" = yes; then AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix, ac_libs="$LIBS" LIBS="$LIBS $LIB_getpwnam_r" 
AC_RUN_IFELSE([AC_LANG_SOURCE([[ #define _POSIX_PTHREAD_SEMANTICS #include int main(int argc, char **argv) { struct passwd pw, *pwd; return getpwnam_r("", &pw, 0, 0, &pwd) < 0; } ]])],[ac_cv_func_getpwnam_r_posix=yes],[ac_cv_func_getpwnam_r_posix=no],[:]) LIBS="$ac_libs") AC_CACHE_CHECK(if _POSIX_PTHREAD_SEMANTICS is needed,ac_cv_func_getpwnam_r_posix_def, ac_libs="$LIBS" LIBS="$LIBS $LIB_getpwnam_r" AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include int main(int argc, char **argv) { struct passwd pw, *pwd; return getpwnam_r("", &pw, 0, 0, &pwd) < 0; } ]])],[ac_cv_func_getpwnam_r_posix_def=no],[ac_cv_func_getpwnam_r_posix_def=yes],[:]) LIBS="$ac_libs") if test "$ac_cv_func_getpwnam_r_posix" = yes; then AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.]) fi if test "$ac_cv_func_getpwnam_r_posix" = yes -a "$ac_cv_func_getpwnam_r_posix_def" = yes; then AC_DEFINE(_POSIX_PTHREAD_SEMANTICS, 1, [Define to get POSIX getpwnam_r in some systems.]) fi fi ]) heimdal-1.7~git20150920+dfsg/cf/check-man.m4000066400000000000000000000023711257755311500201260ustar00rootroot00000000000000dnl $Id$ dnl check how to format manual pages dnl AC_DEFUN([rk_CHECK_MAN], [AC_PATH_PROG(NROFF, nroff) AC_PATH_PROG(GROFF, groff) AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format, [cat > conftest.1 << END .Dd January 1, 1970 .Dt CONFTEST 1 .Sh NAME .Nm conftest .Nd foobar END if test "$NROFF" ; then for i in "-mdoc" "-mandoc"; do if "$NROFF" $i conftest.1 2> /dev/null | \ grep Jan > /dev/null 2>&1 ; then ac_cv_sys_man_format="$NROFF $i" break fi done fi if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then for i in "-mdoc" "-mandoc"; do if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \ grep Jan > /dev/null 2>&1 ; then ac_cv_sys_man_format="$GROFF -Tascii $i" break fi done fi if test "$ac_cv_sys_man_format"; then ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@" fi ]) if test "$ac_cv_sys_man_format"; then CATMAN="$ac_cv_sys_man_format" AC_SUBST(CATMAN) fi 
AM_CONDITIONAL(CATMAN, test "$CATMAN") AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext, [if grep _suffix /etc/man.conf > /dev/null 2>&1; then ac_cv_sys_catman_ext=0 else ac_cv_sys_catman_ext=number fi ]) if test "$ac_cv_sys_catman_ext" = number; then CATMANEXT='$$section' else CATMANEXT=0 fi AC_SUBST(CATMANEXT) ]) heimdal-1.7~git20150920+dfsg/cf/check-netinet-ip-and-tcp.m4000066400000000000000000000014301257755311500227460ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3 dnl you have to include standards.h before including these files AC_DEFUN([CHECK_NETINET_IP_AND_TCP], [ AC_CHECK_HEADERS(standards.h) for i in netinet/ip.h netinet/tcp.h; do cv=`echo "$i" | sed 'y%./+-%__p_%'` AC_CACHE_CHECK([for $i],ac_cv_header_$cv, [AC_PREPROC_IFELSE([AC_LANG_SOURCE([[ #ifdef HAVE_STANDARDS_H #include #endif #include <$i> ]])], [eval "ac_cv_header_$cv=yes"], [eval "ac_cv_header_$cv=no"])]) ac_res=`eval echo \\$ac_cv_header_$cv` if test "$ac_res" = yes; then ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` AC_DEFINE_UNQUOTED($ac_tr_hdr, 1) fi done if false;then AC_CHECK_HEADERS(netinet/ip.h netinet/tcp.h) fi ]) heimdal-1.7~git20150920+dfsg/cf/check-type-extra.m4000066400000000000000000000010651257755311500214540ustar00rootroot00000000000000dnl $Id$ dnl dnl ac_check_type + extra headers dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS) AC_DEFUN([AC_CHECK_TYPE_EXTRA], [AC_REQUIRE([AC_HEADER_STDC])dnl AC_MSG_CHECKING(for $1) AC_CACHE_VAL(ac_cv_type_$1, [AC_EGREP_CPP(dnl changequote(<<,>>)dnl <<$1[^a-zA-Z_0-9]>>dnl changequote([,]), [#include #if STDC_HEADERS #include #include #endif $3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl AC_MSG_RESULT($ac_cv_type_$1) if test $ac_cv_type_$1 = no; then AC_DEFINE($1, $2, [Define this to what the type $1 should be.]) fi ]) 
heimdal-1.7~git20150920+dfsg/cf/check-var.m4000066400000000000000000000014221257755311500201370ustar00rootroot00000000000000dnl $Id$ dnl dnl rk_CHECK_VAR(variable, includes) AC_DEFUN([rk_CHECK_VAR], [ AC_MSG_CHECKING(for $1) AC_CACHE_VAL(ac_cv_var_$1, [ m4_ifval([$2],[ AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2 void * foo(void) { return &$1; }]],[[foo()]])], [ac_cv_var_$1=yes],[ac_cv_var_$1=no])]) if test "$ac_cv_var_$1" != yes ; then AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2 extern int $1; int foo(void) { return $1; }]],[[foo()]])], [ac_cv_var_$1=yes],[ac_cv_var_$1=no]) fi ]) ac_foo=`eval echo \\$ac_cv_var_$1` AC_MSG_RESULT($ac_foo) if test "$ac_foo" = yes; then AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, [Define if you have the `]$1[' variable.]) m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2])) fi ]) AC_WARNING_ENABLE([obsolete]) AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo]) heimdal-1.7~git20150920+dfsg/cf/check-x.m4000066400000000000000000000022101257755311500176120ustar00rootroot00000000000000dnl dnl See if there is any X11 present dnl dnl $Id$ AC_DEFUN([KRB_CHECK_X],[ AC_PATH_XTRA # try to figure out if we need any additional ld flags, like -R # and yes, the autoconf X test is utterly broken if test "$no_x" != yes; then AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[ ac_save_libs="$LIBS" ac_save_cflags="$CFLAGS" CFLAGS="$CFLAGS $X_CFLAGS" krb_cv_sys_x_libs_rpath="" krb_cv_sys_x_libs="" for rflag in "" "-R" "-R " "-rpath "; do if test "$rflag" = ""; then foo="$X_LIBS" else foo="" for flag in $X_LIBS; do case $flag in -L*) foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`" ;; *) foo="$foo $flag" ;; esac done fi LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS" AC_LANG(C) AC_RUN_IFELSE([AC_LANG_SOURCE([ #include foo(void) { XOpenDisplay(NULL); } main(int argc, char **argv) { return 0; } ])],krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:, krb_cv_sys_x_libs_rpath="" ; krb_cv_sys_x_libs="" ; break) done 
LIBS="$ac_save_libs" CFLAGS="$ac_save_cflags" ]) X_LIBS="$krb_cv_sys_x_libs" fi ]) heimdal-1.7~git20150920+dfsg/cf/check-xau.m4000066400000000000000000000034071257755311500201510ustar00rootroot00000000000000dnl $Id$ dnl dnl check for Xau{Read,Write}Auth and XauFileName dnl AC_DEFUN([AC_CHECK_XAU],[ save_CFLAGS="$CFLAGS" CFLAGS="$X_CFLAGS $CFLAGS" save_LIBS="$LIBS" dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS" LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS" save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS $X_LIBS" ## check for XauWriteAuth first, so we detect the case where ## XauReadAuth is in -lX11, but XauWriteAuth is only in -lXau this ## could be done by checking for XauReadAuth in -lXau first, but this ## breaks in IRIX 6.5 AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau,[#include ],[0,0]) ac_xxx="$LIBS" LIBS="$LIB_XauWriteAuth $LIBS" AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau,[#include ],[0]) LIBS="$LIB_XauReadAauth $LIBS" AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau,[#include ]) LIBS="$ac_xxx" ## set LIB_XauReadAuth to union of these tests, since this is what the ## Makefiles are using case "$ac_cv_funclib_XauWriteAuth" in yes) ;; no) ;; *) if test "$ac_cv_funclib_XauReadAuth" = yes; then if test "$ac_cv_funclib_XauFileName" = yes; then LIB_XauReadAuth="$LIB_XauWriteAuth" else LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName" fi else if test "$ac_cv_funclib_XauFileName" = yes; then LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth" else LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName" fi fi ;; esac if test "$AUTOMAKE" != ""; then AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes") else AC_SUBST(NEED_WRITEAUTH_TRUE) AC_SUBST(NEED_WRITEAUTH_FALSE) if test "$ac_cv_func_XauWriteAuth" != "yes"; then NEED_WRITEAUTH_TRUE= NEED_WRITEAUTH_FALSE='#' else NEED_WRITEAUTH_TRUE='#' NEED_WRITEAUTH_FALSE= fi fi CFLAGS=$save_CFLAGS LIBS=$save_LIBS LDFLAGS=$save_LDFLAGS ]) 
heimdal-1.7~git20150920+dfsg/cf/crypto.m4000066400000000000000000000072071257755311500176230ustar00rootroot00000000000000dnl $Id$ dnl dnl test for crypto libraries: dnl - libcrypto (from openssl) dnl - own-built libhcrypto m4_define([test_headers], [ #undef KRB5 /* makes md4.h et al unhappy */ #ifdef HAVE_OPENSSL #ifdef HAVE_SYS_TYPES_H #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #else #include #include #include #include #include #include #include #include #include #include #endif ]) m4_define([test_body], [ void *schedule = 0; EVP_MD_CTX mdctx; EVP_md4(); EVP_md5(); EVP_sha1(); EVP_sha256(); EVP_MD_CTX_init(&mdctx); EVP_DigestInit_ex(&mdctx, EVP_sha1(), (ENGINE *)0); EVP_CIPHER_iv_length(((EVP_CIPHER*)0)); UI_UTIL_read_pw_string(0,0,0,0); RAND_status(); #ifdef HAVE_OPENSSL EC_KEY_new(); #endif OpenSSL_add_all_algorithms(); AES_encrypt(0,0,0); DES_cbc_encrypt(0, 0, 0, schedule, 0, 0); RC4(0, 0, 0, 0);]) m4_define([bn_headers], [ #include #include ]) m4_define([bn_body], [ BIGNUM *bn = BN_new(); BN_set_word(bn, 1); if (BN_is_negative(bn)) exit(EXIT_FAILURE); BN_set_negative(bn, 1); if (!BN_is_negative(bn)) exit(EXIT_FAILURE); exit(EXIT_SUCCESS); ]) AC_DEFUN([KRB_CRYPTO],[ crypto_lib=unknown AC_WITH_ALL([openssl]) DIR_hcrypto= AC_MSG_CHECKING([for crypto library]) openssl=no if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then save_CFLAGS="$CFLAGS" save_LIBS="$LIBS" INCLUDE_hcrypto= LIB_hcrypto= if test "$with_openssl_include" != ""; then INCLUDE_hcrypto="-I${with_openssl_include}" fi if test "$with_openssl_lib" != ""; then LIB_hcrypto="-L${with_openssl_lib}" fi CFLAGS="-DHAVE_OPENSSL ${INCLUDE_hcrypto} ${CFLAGS}" saved_LIB_hcrypto="$LIB_hcrypto" for lres in "" "-ldl" "-lnsl -lsocket" "-lnsl -lsocket -ldl"; do LIB_hcrypto="${saved_LIB_hcrypto} -lcrypto $lres" LIB_hcrypto_a="$LIB_hcrypto" LIB_hcrypto_so="$LIB_hcrypto" 
LIB_hcrypto_appl="$LIB_hcrypto" LIBS="${LIBS} ${LIB_hcrypto}" AC_LINK_IFELSE([AC_LANG_PROGRAM([test_headers],[test_body])], [ crypto_lib=libcrypto openssl=yes AC_MSG_RESULT([libcrypto]) AC_RUN_IFELSE([AC_LANG_PROGRAM([bn_headers],[bn_body])], [ AC_DEFINE([HAVE_BN_IS_NEGATIVE], 1, [define if OpenSSL provides BN_is_negative]) ]) ]) if test "$crypto_lib" = libcrypto ; then break; fi done AC_CHECK_LIB(crypto, RAND_egd, AC_DEFINE(HAVE_RAND_EGD, 1, [Define if the libcrypto has RAND_egd])) CFLAGS="$save_CFLAGS" LIBS="$save_LIBS" fi if test "$crypto_lib" = "unknown"; then DIR_hcrypto='hcrypto' LIB_hcrypto='$(top_builddir)/lib/hcrypto/libhcrypto.la' LIB_hcrypto_a='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.a' LIB_hcrypto_so='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.so' LIB_hcrypto_appl="-lhcrypto" AC_MSG_RESULT([included libhcrypto]) fi if test "$openssl" = "yes"; then AC_DEFINE([HAVE_OPENSSL], 1, [define to use openssl's libcrypto]) fi AM_CONDITIONAL(HAVE_OPENSSL, test "$openssl" = yes)dnl AC_SUBST(DIR_hcrypto) AC_SUBST(INCLUDE_hcrypto) AC_SUBST(LIB_hcrypto) AC_SUBST(LIB_hcrypto_a) AC_SUBST(LIB_hcrypto_so) AC_SUBST(LIB_hcrypto_appl) ]) heimdal-1.7~git20150920+dfsg/cf/db.m4000066400000000000000000000146311257755311500166670ustar00rootroot00000000000000dnl $Id$ dnl dnl tests for various db libraries dnl AC_DEFUN([rk_DB],[ AC_ARG_WITH(berkeley-db, AS_HELP_STRING([--with-berkeley-db], [enable support for berkeley db @<:@default=check@:>@]), [], [with_berkeley_db=check]) dbheader="" AC_ARG_WITH(berkeley-db-include, AS_HELP_STRING([--with-berkeley-db-include=dir], [use berkeley-db headers in dir]), [dbheader=$withval], [with_berkeley_db_include=check]) AC_ARG_ENABLE(ndbm-db, AS_HELP_STRING([--disable-ndbm-db], [if you don't want ndbm db]),[ ]) AC_ARG_ENABLE(mdb-db, AS_HELP_STRING([--disable-mdb-db], [if you don't want OpenLDAP libmdb db]),[ ]) have_ndbm=no db_type=unknown AS_IF([test "x$with_berkeley_db" != xno], [AS_IF([test "x$with_berkeley_db_include" != xcheck], 
[AC_CHECK_HEADERS(["$dbheader/db.h"], [AC_SUBST([DBHEADER], [$dbheader]) AC_DEFINE([HAVE_DBHEADER], [1], [Define if you have user supplied header location]) ], [if test "x$with_berkeley_db_include" != xcheck; then AC_MSG_FAILURE( [--with-berkeley-db-include was given but include test failed]) fi ])], [AC_CHECK_HEADERS([ \ db6/db.h \ db5/db.h \ db4/db.h \ db3/db.h \ db.h \ ])]) dnl db_create is used by db3 and db4 and db5 AC_FIND_FUNC_NO_LIBS(db_create, [$dbheader] db5 db4 db3 db, [ #include #ifdef HAVE_DBHEADER #include <$dbheader/db.h> #elif HAVE_DB6_DB_H #include #elif HAVE_DB5_DB_H #include #elif HAVE_DB4_DB_H #include #elif defined(HAVE_DB3_DB_H) #include #else #include #endif ],[NULL, NULL, 0]) if test "$ac_cv_func_db_create" = "yes"; then db_type=db3 if test "$ac_cv_funclib_db_create" != "yes"; then DBLIB="$ac_cv_funclib_db_create" else DBLIB="" fi AC_DEFINE(HAVE_DB3, 1, [define if you have a berkeley db3/4/5 library]) fi dnl dbopen is used by db1/db2 AC_FIND_FUNC_NO_LIBS(dbopen, db2 db, [ #include #if defined(HAVE_DB2_DB_H) #include #elif defined(HAVE_DB_H) #include #else #error no db.h #endif ],[NULL, 0, 0, 0, NULL]) if test "$ac_cv_func_dbopen" = "yes"; then db_type=db1 if test "$ac_cv_funclib_dbopen" != "yes"; then DBLIB="$ac_cv_funclib_dbopen" else DBLIB="" fi AC_DEFINE(HAVE_DB1, 1, [define if you have a berkeley db1/2 library]) fi dnl test for ndbm compatability if test "$ac_cv_func_dbm_firstkey" != yes; then AC_FIND_FUNC_NO_LIBS2(dbm_firstkey, $ac_cv_funclib_dbopen $ac_cv_funclib_db_create, [ #include #define DB_DBM_HSEARCH 1 #include DBM *dbm; ],[NULL]) if test "$ac_cv_func_dbm_firstkey" = "yes"; then if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then LIB_NDBM="$ac_cv_funclib_dbm_firstkey" else LIB_NDBM="" fi AC_DEFINE(HAVE_DB_NDBM, 1, [define if you have ndbm compat in db]) AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files *.db)]) else $as_unset ac_cv_func_dbm_firstkey $as_unset ac_cv_funclib_dbm_firstkey fi fi ]) # fi berkeley 
db if test "$enable_mdb_db" != "no"; then if test "$db_type" = "unknown"; then AC_CHECK_HEADER(mdb.h, [ AC_CHECK_LIB(mdb, mdb_env_create, db_type=mdb; DBLIB="-lmdb" AC_DEFINE(HAVE_MDB, 1, [define if you have the OpenLDAP mdb library]))]) fi fi if test "$enable_ndbm_db" != "no"; then if test "$db_type" = "unknown" -o "$ac_cv_func_dbm_firstkey" = ""; then AC_CHECK_HEADERS([ \ dbm.h \ ndbm.h \ ]) AC_FIND_FUNC_NO_LIBS(dbm_firstkey, ndbm, [ #include #if defined(HAVE_NDBM_H) #include #elif defined(HAVE_DBM_H) #include #endif DBM *dbm; ],[NULL]) if test "$ac_cv_func_dbm_firstkey" = "yes"; then if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then LIB_NDBM="$ac_cv_funclib_dbm_firstkey" else LIB_NDBM="" fi AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl have_ndbm=yes if test "$db_type" = "unknown"; then db_type=ndbm DBLIB="$LIB_NDBM" fi else $as_unset ac_cv_func_dbm_firstkey $as_unset ac_cv_funclib_dbm_firstkey AC_CHECK_HEADERS([ \ gdbm/ndbm.h \ ]) AC_FIND_FUNC_NO_LIBS(dbm_firstkey, gdbm, [ #include #include DBM *dbm; ],[NULL]) if test "$ac_cv_func_dbm_firstkey" = "yes"; then if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then LIB_NDBM="$ac_cv_funclib_dbm_firstkey" else LIB_NDBM="" fi AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl have_ndbm=yes if test "$db_type" = "unknown"; then db_type=ndbm DBLIB="$LIB_NDBM" fi fi fi fi #enable_ndbm_db fi # unknown if test "$have_ndbm" = "yes"; then AC_MSG_CHECKING([if ndbm is implemented with db]) AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include #include #if defined(HAVE_GDBM_NDBM_H) #include #elif defined(HAVE_NDBM_H) #include #elif defined(HAVE_DBM_H) #include #endif int main(int argc, char **argv) { DBM *d; d = dbm_open("conftest", O_RDWR | O_CREAT, 0666); if (d == NULL) return 1; dbm_close(d); return 0; }]])],[ if test -f conftest.db; then AC_MSG_RESULT([yes]) AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files *.db)]) else AC_MSG_RESULT([no]) 
fi],[AC_MSG_RESULT([no])],[AC_MSG_RESULT([no-cross])]) fi AM_CONDITIONAL(HAVE_DB1, test "$db_type" = db1)dnl AM_CONDITIONAL(HAVE_DB3, test "$db_type" = db3)dnl AM_CONDITIONAL(HAVE_MDB, test "$db_type" = mdb)dnl AM_CONDITIONAL(HAVE_NDBM, test "$db_type" = ndbm)dnl AM_CONDITIONAL(HAVE_DBHEADER, test "$dbheader" != "")dnl ## it's probably not correct to include LDFLAGS here, but we might ## need it, for now just add any possible -L z="" for i in $LDFLAGS; do case "$i" in -L*) z="$z $i";; esac done DBLIB="$z $DBLIB" AC_SUBST(DBLIB)dnl AC_SUBST(LIB_NDBM)dnl ]) heimdal-1.7~git20150920+dfsg/cf/destdirs.m4000066400000000000000000000006751257755311500201260ustar00rootroot00000000000000dnl dnl $Id$ dnl AC_DEFUN([rk_DESTDIRS], [ # This is done by AC_OUTPUT but we need the result here. test "x$prefix" = xNONE && prefix=$ac_default_prefix test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' AC_FOREACH([rk_dir], [bin lib libexec localstate sbin sysconf], [ x="${rk_dir[]dir}" eval y="$x" while test "x$y" != "x$x"; do x="$y" eval y="$x" done AC_DEFINE_UNQUOTED(AS_TR_CPP(rk_dir[]dir), "$x", [path to ]rk_dir[])]) ]) heimdal-1.7~git20150920+dfsg/cf/dispatch.m4000066400000000000000000000006371257755311500201020ustar00rootroot00000000000000 AC_DEFUN([rk_LIBDISPATCH],[ AC_CHECK_HEADERS([dispatch/dispatch.h]) AC_FIND_FUNC_NO_LIBS(dispatch_async_f, dispatch, [#ifdef HAVE_DISPATCH_DISPATCH_H #include #endif],[0,0,0]) if test "$ac_cv_func_dispatch_async_f" = yes ; then AC_DEFINE([HAVE_GCD], 1, [Define if os support gcd.]) libdispatch=yes else libdispatch=no fi AM_CONDITIONAL(have_gcd, test "$libdispatch" = yes) ])heimdal-1.7~git20150920+dfsg/cf/dlopen.m4000066400000000000000000000005751257755311500175650ustar00rootroot00000000000000dnl dnl $Id$ dnl AC_DEFUN([rk_DLOPEN], [ AC_FIND_FUNC_NO_LIBS(dlopen, dl,[ #ifdef HAVE_DLFCN_H #include #endif],[0,0]) AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no) ]) AC_DEFUN([rk_DLADDR], [ AC_FIND_FUNC_NO_LIBS(dladdr, dl,[ #ifdef 
HAVE_DLFCN_H #include #endif],[0,0]) AM_CONDITIONAL(HAVE_DLADDR, test "$ac_cv_funclib_dladdr" != no) ]) heimdal-1.7~git20150920+dfsg/cf/find-func-no-libs.m4000066400000000000000000000004071257755311500215100ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Look for function in any of the specified libraries dnl dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args) AC_DEFUN([AC_FIND_FUNC_NO_LIBS], [ AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])]) heimdal-1.7~git20150920+dfsg/cf/find-func-no-libs2.m4000066400000000000000000000025351257755311500215760ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Look for function in any of the specified libraries dnl dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args) AC_DEFUN([AC_FIND_FUNC_NO_LIBS2], [ AC_MSG_CHECKING([for $1]) AC_CACHE_VAL(ac_cv_funclib_$1, [ if eval "test \"\$ac_cv_func_$1\" != yes" ; then ac_save_LIBS="$LIBS" for ac_lib in $2; do case "$ac_lib" in "") ;; yes) ac_lib="" ;; no) continue ;; -l*) ;; *) ac_lib="-l$ac_lib" ;; esac LIBS="$6 $ac_lib $5 $ac_save_LIBS" AC_LINK_IFELSE([AC_LANG_PROGRAM([[$3]],[[$1($4)]])],[eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break]) done eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}" LIBS="$ac_save_LIBS" fi ]) eval "ac_res=\$ac_cv_funclib_$1" if false; then AC_CHECK_FUNCS($1) dnl AC_CHECK_LIBS($2, foo) fi # $1 eval "ac_tr_func=HAVE_[]upcase($1)" eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')" eval "LIB_$1=$ac_res" case "$ac_res" in yes) eval "ac_cv_func_$1=yes" eval "LIB_$1=" AC_DEFINE_UNQUOTED($ac_tr_func) AC_MSG_RESULT([yes]) ;; no) eval "ac_cv_func_$1=no" eval "LIB_$1=" AC_MSG_RESULT([no]) ;; *) eval "ac_cv_func_$1=yes" eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" AC_DEFINE_UNQUOTED($ac_tr_func) AC_DEFINE_UNQUOTED($ac_tr_lib) AC_MSG_RESULT([yes, in $ac_res]) ;; esac AC_SUBST(LIB_$1) ]) 
heimdal-1.7~git20150920+dfsg/cf/find-func.m4000066400000000000000000000003031257755311500201420ustar00rootroot00000000000000dnl $Id$ dnl dnl AC_FIND_FUNC(func, libraries, includes, arguments) AC_DEFUN([AC_FIND_FUNC], [ AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4]) if test -n "$LIB_$1"; then LIBS="$LIB_$1 $LIBS" fi ]) heimdal-1.7~git20150920+dfsg/cf/find-if-not-broken.m4000066400000000000000000000003201257755311500216600ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Mix between AC_FIND_FUNC and AC_BROKEN dnl AC_DEFUN([AC_FIND_IF_NOT_BROKEN], [AC_FIND_FUNC([$1], [$2], [$3], [$4]) if eval "test \"$ac_cv_func_$1\" != yes"; then rk_LIBOBJ([$1]) fi ]) heimdal-1.7~git20150920+dfsg/cf/framework-security.m4000066400000000000000000000016141257755311500221410ustar00rootroot00000000000000AC_DEFUN([rk_FRAMEWORK_SECURITY], [ AC_MSG_CHECKING([for framework security]) AC_CACHE_VAL(rk_cv_framework_security, [ if test "$rk_cv_framework_security" != yes; then ac_save_LIBS="$LIBS" LIBS="$ac_save_LIBS -framework Security -framework CoreFoundation" AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[SecKeychainSearchRef searchRef; SecKeychainSearchCreateFromAttributes(NULL,kSecCertificateItemClass,NULL, &searchRef); CFRelease(&searchRef); ]])],[rk_cv_framework_security=yes]) LIBS="$ac_save_LIBS" fi ]) if test "$rk_cv_framework_security" = yes; then AC_DEFINE(HAVE_FRAMEWORK_SECURITY, 1, [Have -framework Security]) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) fi AM_CONDITIONAL(FRAMEWORK_SECURITY, test "$rk_cv_framework_security" = yes) if test "$rk_cv_framework_security" = yes; then AC_NEED_PROTO([#include ],SecKeyGetCSPHandle) fi ]) heimdal-1.7~git20150920+dfsg/cf/have-pragma-weak.m4000066400000000000000000000015211257755311500214110ustar00rootroot00000000000000dnl $Id$ dnl AC_DEFUN([AC_HAVE_PRAGMA_WEAK], [ if test "${enable_shared}" = "yes"; then AC_MSG_CHECKING(for pragma weak) AC_CACHE_VAL(ac_have_pragma_weak, [ ac_have_pragma_weak=no cat > conftest_foo.$ac_ext <<'EOF' [#]line __oline__ 
"configure" #include "confdefs.h" #pragma weak foo = _foo int _foo = 17; EOF cat > conftest_bar.$ac_ext <<'EOF' [#]line __oline__ "configure" #include "confdefs.h" extern int foo; int t(void) { return foo; } int main(int argc, char **argv) { return t(); } EOF if AC_TRY_EVAL('CC -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest_foo.$ac_ext conftest_bar.$ac_ext 1>&AC_FD_CC'); then ac_have_pragma_weak=yes fi rm -rf conftest* ]) if test "$ac_have_pragma_weak" = "yes"; then AC_DEFINE(HAVE_PRAGMA_WEAK, 1, [Define this if your compiler supports \`#pragma weak.'])dnl fi AC_MSG_RESULT($ac_have_pragma_weak) fi ]) heimdal-1.7~git20150920+dfsg/cf/have-struct-field.m4000066400000000000000000000010431257755311500216210ustar00rootroot00000000000000dnl $Id$ dnl dnl check for fields in a structure dnl dnl AC_HAVE_STRUCT_FIELD(struct, field, headers) AC_DEFUN([AC_HAVE_STRUCT_FIELD], [ define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_])) AC_CACHE_CHECK([for $2 in $1], cache_val,[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$3]], [[$1 x; memset(&x, 0, sizeof(x)); x.$2]])], [cache_val=yes], [cache_val=no]) ]) if test "$cache_val" = yes; then define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_])) AC_DEFINE(foo, 1, [Define if $1 has field $2.]) undefine([foo]) fi undefine([cache_val]) ]) heimdal-1.7~git20150920+dfsg/cf/have-type.m4000066400000000000000000000013421257755311500201770ustar00rootroot00000000000000dnl $Id$ dnl dnl check for existance of a type dnl AC_HAVE_TYPE(TYPE,INCLUDES) AC_DEFUN([AC_HAVE_TYPE], [ AC_REQUIRE([AC_HEADER_STDC]) cv=`echo "$1" | sed 'y%./+- %__p__%'` AC_MSG_CHECKING(for $1) AC_CACHE_VAL([ac_cv_type_$cv], AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include #if STDC_HEADERS #include #include #endif $2]], [[$1 foo;]])], [eval "ac_cv_type_$cv=yes"], [eval "ac_cv_type_$cv=no"]))dnl ac_foo=`eval echo \\$ac_cv_type_$cv` AC_MSG_RESULT($ac_foo) if test "$ac_foo" = yes; then ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` if 
false; then AC_CHECK_TYPES($1) fi AC_DEFINE_UNQUOTED($ac_tr_hdr, 1, [Define if you have type `$1']) fi ]) heimdal-1.7~git20150920+dfsg/cf/have-types.m4000066400000000000000000000002041257755311500203560ustar00rootroot00000000000000dnl dnl $Id$ dnl AC_DEFUN([AC_HAVE_TYPES], [ for i in $1; do AC_HAVE_TYPE($i) done if false;then AC_CHECK_FUNCS($1) fi ]) heimdal-1.7~git20150920+dfsg/cf/install-catman.sh000066400000000000000000000035601257755311500213020ustar00rootroot00000000000000#!/bin/sh # # $Id$ # # install preformatted manual pages cmd="$1"; shift INSTALL_DATA="$1"; shift mkinstalldirs="$1"; shift srcdir="$1"; shift manbase="$1"; shift suffix="$1"; shift catinstall="${INSTALL_CATPAGES-yes}" for f in "$@"; do echo $f base=`echo "$f" | sed 's~\.[^.]*$~~; s~.*/~~'` section=`echo "$f" | sed 's/^[^.]*\.//'` mandir="$manbase/man$section" catdir="$manbase/cat$section" c="$base.cat$section" if test "$catinstall" = yes -a -f "$srcdir/$c"; then if test "$cmd" = install ; then if test \! -d "$catdir"; then eval "$mkinstalldirs $catdir" fi eval "echo $INSTALL_DATA $srcdir/$c $catdir/$base.$suffix" eval "$INSTALL_DATA $srcdir/$c $catdir/$base.$suffix" elif test "$cmd" = uninstall ; then eval "echo rm -f $catdir/$base.$suffix" eval "rm -f $catdir/$base.$suffix" fi fi for link in `sed -n -e '/SYNOPSIS/q;/DESCRIPTION/q;s/^\.Nm \([^ ]*\).*/\1/p' $srcdir/$f`; do if test "$link" = "$base" ; then continue fi if test "$cmd" = install ; then target="$mandir/$link.$section" for lncmd in "ln -f $mandir/$base.$section $target" \ "ln -s $base.$section $target" \ "cp -f $mandir/$base.$section $target" do if eval "$lncmd"; then eval echo "$lncmd" break fi done if test "$catinstall" = yes -a -f "$srcdir/$c"; then eval target="$catdir/$link.$suffix" eval source="$catdir/$base.$suffix" for lncmd in "ln -f $source $target" \ "ln -fs $source $target" \ "cp -f $catdir/$source $target" do if eval "$lncmd"; then eval echo "$lncmd" break fi done fi elif test "$cmd" = uninstall ; then 
target="$mandir/$link.$section" eval "echo rm -f $target" eval "rm -f $target" if test "$catinstall" = yes; then target="$catdir/$link.$suffix" eval "echo rm -f $target" eval "rm -f $target" fi fi done done heimdal-1.7~git20150920+dfsg/cf/irix.m4000066400000000000000000000002171257755311500172500ustar00rootroot00000000000000dnl dnl $Id$ dnl AC_DEFUN([rk_IRIX], [ irix=no case "$host" in *-*-irix*) irix=yes ;; esac AM_CONDITIONAL(IRIX, test "$irix" != no)dnl ]) heimdal-1.7~git20150920+dfsg/cf/krb-bigendian.m4000066400000000000000000000037161257755311500210000ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl check if this computer is little or big-endian dnl if we can figure it out at compile-time then don't define the cpp symbol dnl otherwise test for it and define it. also allow options for overriding dnl it when cross-compiling AC_DEFUN([KRB_C_BIGENDIAN], [ AC_ARG_ENABLE(bigendian, AS_HELP_STRING([--enable-bigendian],[the target is big endian]), krb_cv_c_bigendian=yes) AC_ARG_ENABLE(littleendian, AS_HELP_STRING([--enable-littleendian],[the target is little endian]), krb_cv_c_bigendian=no) AC_CACHE_CHECK([whether byte order is known at compile time], krb_cv_c_bigendian_compile, [AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ #include #include #if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN bogus endian macros #endif]])],[krb_cv_c_bigendian_compile=yes],[krb_cv_c_bigendian_compile=no])]) AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[ if test "$krb_cv_c_bigendian_compile" = "yes"; then AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ #include #include #if BYTE_ORDER != BIG_ENDIAN not big endian #endif]])],[krb_cv_c_bigendian=yes],[krb_cv_c_bigendian=no]) else AC_RUN_IFELSE([AC_LANG_SOURCE([[main (int argc, char **argv) { /* Are we little or big endian? From Harbison&Steele. 
*/ union { long l; char c[sizeof (long)]; } u; u.l = 1; exit (u.c[sizeof (long) - 1] == 1); }]])],[krb_cv_c_bigendian=no],[krb_cv_c_bigendian=yes], [AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian])]) fi ]) if test "$krb_cv_c_bigendian" = "yes"; then AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl fi if test "$krb_cv_c_bigendian_compile" = "yes"; then AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl fi AH_BOTTOM([ #ifdef ENDIANESS_IN_SYS_PARAM_H # include # include # if BYTE_ORDER == BIG_ENDIAN # define WORDS_BIGENDIAN 1 # endif #endif ]) ]) heimdal-1.7~git20150920+dfsg/cf/krb-func-getcwd-broken.m4000066400000000000000000000014571257755311500225440ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl test for broken getcwd in (SunOS braindamage) dnl AC_DEFUN([AC_KRB_FUNC_GETCWD_BROKEN], [ if test "$ac_cv_func_getcwd" = yes; then AC_MSG_CHECKING(if getcwd is broken) AC_CACHE_VAL(ac_cv_func_getcwd_broken, [ ac_cv_func_getcwd_broken=no AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include char *getcwd(char*, int); void *popen(char *cmd, char *mode) { errno = ENOTTY; return 0; } int main(int argc, char **argv) { char *ret; ret = getcwd(0, 1024); if(ret == 0 && errno == ENOTTY) return 0; return 1; } ]])], [ac_cv_func_getcwd_broken=yes],[:],[:]) ]) if test "$ac_cv_func_getcwd_broken" = yes; then AC_DEFINE(BROKEN_GETCWD, 1, [Define if getcwd is broken (like in SunOS 4).])dnl AC_LIBOBJ(getcwd) AC_MSG_RESULT($ac_cv_func_getcwd_broken) else AC_MSG_RESULT([seems ok]) fi fi ]) heimdal-1.7~git20150920+dfsg/cf/krb-func-getlogin.m4000066400000000000000000000010141257755311500216060ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl test for POSIX (broken) getlogin dnl AC_DEFUN([AC_FUNC_GETLOGIN], [ AC_CHECK_FUNCS(getlogin setlogin) if test "$ac_cv_func_getlogin" = yes; then AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [ if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then 
ac_cv_func_getlogin_posix=no else ac_cv_func_getlogin_posix=yes fi ]) if test "$ac_cv_func_getlogin_posix" = yes; then AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).]) fi fi ]) heimdal-1.7~git20150920+dfsg/cf/krb-ipv6.m4000066400000000000000000000062171257755311500177430ustar00rootroot00000000000000dnl $Id$ dnl dnl test for IPv6 dnl ac_cv_lib_ipv6=check AC_DEFUN([AC_KRB_IPV6], [ AC_ARG_WITH(ipv6, AS_HELP_STRING([--without-ipv6],[do not enable IPv6 support]),[ ac_cv_lib_ipv6="$withval" ]) save_CFLAGS="${CFLAGS}" if test "X$ac_cv_lib_ipv6" != "Xno"; then AC_CACHE_CHECK([for IPv6 stack type], rk_cv_v6type, [dnl check for different v6 implementations (by itojun) v6type=unknown v6lib=none for i in v6d toshiba kame inria zeta linux; do case $i in v6d) AC_EGREP_CPP(yes, [ #include #ifdef __V6D__ yes #endif], [v6type=$i; v6lib=v6; v6libdir=/usr/local/v6/lib; CFLAGS="-I/usr/local/v6/include $CFLAGS"]) ;; toshiba) AC_EGREP_CPP(yes, [ #include #ifdef _TOSHIBA_INET6 yes #endif], [v6type=$i; v6lib=inet6; v6libdir=/usr/local/v6/lib; CFLAGS="-DINET6 $CFLAGS"]) ;; kame) AC_EGREP_CPP(yes, [ #include #ifdef __KAME__ yes #endif], [v6type=$i; v6lib=inet6; v6libdir=/usr/local/v6/lib; CFLAGS="-DINET6 $CFLAGS"]) ;; inria) AC_EGREP_CPP(yes, [ #include #ifdef IPV6_INRIA_VERSION yes #endif], [v6type=$i; CFLAGS="-DINET6 $CFLAGS"]) ;; zeta) AC_EGREP_CPP(yes, [ #include #ifdef _ZETA_MINAMI_INET6 yes #endif], [v6type=$i; v6lib=inet6; v6libdir=/usr/local/v6/lib; CFLAGS="-DINET6 $CFLAGS"]) ;; linux) if test -d /usr/inet6; then v6type=$i v6lib=inet6 v6libdir=/usr/inet6 CFLAGS="-DINET6 $CFLAGS" fi ;; esac if test "$v6type" != "unknown"; then break fi done if test "$v6lib" != "none"; then for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do if test -d $dir -a -f $dir/lib$v6lib.a; then LIBS="-L$dir -l$v6lib $LIBS" break fi done fi]) AC_CACHE_CHECK([for IPv6], rk_cv_lib_ipv6, [ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef 
HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_NETINET_IN6_H #include #endif ]], [[ struct sockaddr_in6 sin6; int s; s = socket(AF_INET6, SOCK_DGRAM, 0); sin6.sin6_family = AF_INET6; sin6.sin6_port = htons(17); sin6.sin6_addr = in6addr_any; bind(s, (struct sockaddr *)&sin6, sizeof(sin6)); ]])], [ac_cv_lib_ipv6=yes], [ac_cv_lib_ipv6=no])]) fi if test "$ac_cv_lib_ipv6" = yes; then AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.]) else CFLAGS="${save_CFLAGS}" fi ## test for AIX missing in6addr_loopback if test "$ac_cv_lib_ipv6" = yes; then AC_CACHE_CHECK([for in6addr_loopback],[rk_cv_var_in6addr_loopback],[ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_NETINET_IN6_H #include #endif]],[[ struct sockaddr_in6 sin6; sin6.sin6_addr = in6addr_loopback; ]])],[ac_cv_var_in6addr_loopback=yes],[ac_cv_var_in6addr_loopback=no])]) if test "$ac_cv_var_in6addr_loopback" = yes; then AC_DEFINE(HAVE_IN6ADDR_LOOPBACK, 1, [Define if you have the in6addr_loopback variable]) fi fi ])heimdal-1.7~git20150920+dfsg/cf/krb-prog-ln-s.m4000066400000000000000000000007741257755311500206770ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Better test for ln -s, ln or cp dnl AC_DEFUN([AC_KRB_PROG_LN_S], [AC_MSG_CHECKING(for ln -s or something else) AC_CACHE_VAL(ac_cv_prog_LN_S, [rm -f conftestdata if ln -s X conftestdata 2>/dev/null then rm -f conftestdata ac_cv_prog_LN_S="ln -s" else touch conftestdata1 if ln conftestdata1 conftestdata2; then rm -f conftestdata* ac_cv_prog_LN_S=ln else ac_cv_prog_LN_S=cp fi fi])dnl LN_S="$ac_cv_prog_LN_S" AC_MSG_RESULT($ac_cv_prog_LN_S) AC_SUBST(LN_S)dnl ]) heimdal-1.7~git20150920+dfsg/cf/krb-prog-ranlib.m4000066400000000000000000000002031257755311500212600ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Also look for EMXOMF for OS/2 dnl AC_DEFUN([AC_KRB_PROG_RANLIB], [AC_CHECK_PROGS(RANLIB, ranlib 
EMXOMF, :)]) heimdal-1.7~git20150920+dfsg/cf/krb-prog-yacc.m4000066400000000000000000000003721257755311500207370ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl We prefer byacc or yacc because they do not use `alloca' dnl AC_DEFUN([AC_KRB_PROG_YACC], [AC_CHECK_PROGS(YACC, byacc yacc 'bison -y') if test "$YACC" = ""; then AC_MSG_WARN([yacc not found - some stuff will not build]) fi ]) heimdal-1.7~git20150920+dfsg/cf/krb-readline.m4000066400000000000000000000010371257755311500206350ustar00rootroot00000000000000dnl $Id$ dnl dnl Tests for readline functions dnl dnl el_init AC_DEFUN([KRB_READLINE],[ dnl readline ac_foo=no build_editline=no if test "$with_readline" = yes; then : elif test "$with_libedit" = yes; then LIB_readline="${LIB_libedit}" elif test "$ac_cv_func_readline" = yes; then : else build_libedit=yes LIB_readline="\$(top_builddir)/lib/libedit/src/libheimedit.la \$(LIB_tgetent)" fi AM_CONDITIONAL(LIBEDIT, test "$build_libedit" = yes) AC_DEFINE(HAVE_READLINE, 1, [Define if you have a readline compatible library.])dnl ]) heimdal-1.7~git20150920+dfsg/cf/krb-struct-spwd.m4000066400000000000000000000007311257755311500213510ustar00rootroot00000000000000dnl $Id$ dnl dnl Test for `struct spwd' AC_DEFUN([AC_KRB_STRUCT_SPWD], [ AC_MSG_CHECKING(for struct spwd) AC_CACHE_VAL(ac_cv_struct_spwd, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include #ifdef HAVE_SHADOW_H #include #endif]],[[struct spwd foo;]])], [ac_cv_struct_spwd=yes], [ac_cv_struct_spwd=no]) ]) AC_MSG_RESULT($ac_cv_struct_spwd) if test "$ac_cv_struct_spwd" = "yes"; then AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd]) fi ]) heimdal-1.7~git20150920+dfsg/cf/krb-struct-winsize.m4000066400000000000000000000013201257755311500220570ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Search for struct winsize dnl AC_DEFUN([AC_KRB_STRUCT_WINSIZE], [ AC_MSG_CHECKING(for struct winsize) AC_CACHE_VAL(ac_cv_struct_winsize, [ ac_cv_struct_winsize=no for i in sys/termios.h sys/ioctl.h; do AC_EGREP_HEADER( 
struct[[ ]]*winsize,dnl $i, ac_cv_struct_winsize=yes; break)dnl done ]) if test "$ac_cv_struct_winsize" = "yes"; then AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h]) fi AC_MSG_RESULT($ac_cv_struct_winsize) AC_EGREP_HEADER(ws_xpixel, termios.h, AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel])) AC_EGREP_HEADER(ws_ypixel, termios.h, AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel])) ]) heimdal-1.7~git20150920+dfsg/cf/krb-sys-aix.m4000066400000000000000000000004241257755311500204460ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl AIX have a very different syscall convention dnl AC_DEFUN([AC_KRB_SYS_AIX], [ AC_MSG_CHECKING(for AIX) AC_CACHE_VAL(krb_cv_sys_aix, AC_EGREP_CPP(yes, [#ifdef _AIX yes #endif ], krb_cv_sys_aix=yes, krb_cv_sys_aix=no) ) AC_MSG_RESULT($krb_cv_sys_aix) ]) heimdal-1.7~git20150920+dfsg/cf/krb-sys-nextstep.m4000066400000000000000000000006401257755311500215370ustar00rootroot00000000000000dnl $Id$ dnl dnl NEXTSTEP is not posix compliant by default, dnl you need a switch -posix to the compiler dnl AC_DEFUN([rk_SYS_NEXTSTEP], [ AC_CACHE_CHECK(for NeXTSTEP, rk_cv_sys_nextstep, [ AC_EGREP_CPP(yes, [#if defined(NeXT) && !defined(__APPLE__) yes #endif ], rk_cv_sys_nextstep=yes, rk_cv_sys_nextstep=no)]) if test "$rk_cv_sys_nextstep" = "yes"; then CFLAGS="$CFLAGS -posix" LIBS="$LIBS -posix" fi ]) heimdal-1.7~git20150920+dfsg/cf/krb-version.m4000066400000000000000000000014251257755311500205400ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl output a C header-file with some version strings dnl AC_DEFUN([AC_KRB_VERSION],[ cat > include/newversion.h.in </dev/null | sed 1q` Date=`date` mv -f include/newversion.h.in include/version.h.in sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h fi ]) heimdal-1.7~git20150920+dfsg/cf/largefile.m4000066400000000000000000000011101257755311500202200ustar00rootroot00000000000000dnl $Id$ 
dnl dnl Figure out what flags we need for 64-bit file access, and also set dnl them on the command line. dnl AC_DEFUN([rk_SYS_LARGEFILE],[ AC_REQUIRE([AC_SYS_LARGEFILE])dnl dnl need to set this on the command line, since it might otherwise break dnl with generated code, such as lex if test "$enable_largefile" != no -a "$ac_cv_sys_large_files" != no; then CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files" fi if test "$enable_largefile" != no -a "$ac_cv_sys_file_offset_bits" != no; then CPPFLAGS="$CPPFLAGS -D_FILE_OFFSET_BITS=$ac_cv_sys_file_offset_bits" fi ]) heimdal-1.7~git20150920+dfsg/cf/make-proto.pl000066400000000000000000000226151257755311500204540ustar00rootroot00000000000000# Make prototypes from .c files # $Id$ use Getopt::Std; use File::Compare; use JSON; my $comment = 0; my $doxygen = 0; my $funcdoc = 0; my $if_0 = 0; my $brace = 0; my $line = ""; my $debug = 0; my $oproto = 1; my $private_func_re = "^_"; my %depfunction; my %exported; my %deprecated; my $apple = 0; my %documentation; getopts('x:m:o:p:dqE:R:P:') || die "foo"; if($opt_a) { $apple = 1; } if($opt_a) { $apple = 1; } if($opt_d) { $debug = 1; } if($opt_q) { $oproto = 0; } if($opt_R) { $private_func_re = $opt_R; } my %flags = ( 'multiline-proto' => 1, 'header' => 1, 'function-blocking' => 0, 'gnuc-attribute' => 1, 'cxx' => 1 ); if($opt_m) { foreach $i (split(/,/, $opt_m)) { if($i eq "roken") { $flags{"multiline-proto"} = 0; $flags{"header"} = 0; $flags{"function-blocking"} = 0; $flags{"gnuc-attribute"} = 0; $flags{"cxx"} = 0; } else { if(substr($i, 0, 3) eq "no-") { $flags{substr($i, 3)} = 0; } else { $flags{$i} = 1; } } } } if($opt_x) { my $EXP; local $/; open(EXP, '<', $opt_x) || die "open ${opt_x}"; my $obj = JSON->new->utf8->decode(); close $EXP; foreach my $x (keys %$obj) { if (defined $obj->{$x}->{"export"}) { $exported{$x} = $obj->{$x}; } if (defined $obj->{$x}->{"deprecated"}) { $deprecated{$x} = $obj->{$x}->{"deprecated"}; } } } while(<>) { print $brace, " ", $_ if($debug); # 
Handle C comments s@/\*.*\*/@@; s@//.*/@@; if ( s@/\*\*(.*)@@) { $comment = 1; $doxygen = 1; $funcdoc = $1; } elsif ( s@/\*.*@@) { $comment = 1; } elsif ($comment && s@.*\*/@@) { $comment = 0; $doxygen = 0; } elsif ($doxygen) { $funcdoc .= $_; next; } elsif ($comment) { next; } if(/^\#if 0/) { $if_0 = 1; } if($if_0 && /^\#endif/) { $if_0 = 0; } if($if_0) { next } if(/^\s*\#/) { next; } if(/^\s*$/) { $line = ""; next; } if(/\{/){ if (!/\}/) { $brace++; } $_ = $line; while(s/\*\//\ca/){ s/\/\*(.|\n)*\ca//; } s/^\s*//; s/\s*$//; s/\s+/ /g; if($_ =~ /\)$/){ if(!/^static/ && !/^PRIVATE/){ $attr = ""; if(m/(.*)(__attribute__\s?\(.*\))/) { $attr .= " $2"; $_ = $1; } if(m/(.*)\s(\w+DEPRECATED_FUNCTION)\s?(\(.*\))(.*)/) { $depfunction{$2} = 1; $attr .= " $2$3"; $_ = "$1 $4"; } if(m/(.*)\s(\w+DEPRECATED)(.*)/) { $attr .= " $2"; $_ = "$1 $3"; } if(m/(.*)\s(HEIMDAL_\w+_ATTRIBUTE)\s?(\(.*\))?(.*)/) { $attr .= " $2$3"; $_ = "$1 $4"; } # remove outer () s/\s*\(//; # remove , within () while(s/\(([^()]*),(.*)\)/($1\$$2)/g){} s/\<\s*void\s*\>/<>/; # remove parameter names if($opt_P eq "remove") { s/(\s*)([a-zA-Z0-9_]+)([,>])/$3/g; s/\s+\*/*/g; s/\(\*(\s*)([a-zA-Z0-9_]+)\)/(*)/g; } elsif($opt_P eq "comment") { s/([a-zA-Z0-9_]+)([,>])/\/\*$1\*\/$2/g; s/\(\*([a-zA-Z0-9_]+)\)/(*\/\*$1\*\/)/g; } s/\<\>//; # add newlines before parameters if($flags{"multiline-proto"}) { s/,\s*/,\n\t/g; } else { s/,\s*/, /g; } # fix removed , s/\$/,/g; # match function name /([a-zA-Z0-9_]+)\s*\/$RP/; # insert newline before function name if($flags{"multiline-proto"}) { s/(.*)\s([a-zA-Z0-9_]+ \Q$LP\E)/$1\n$2/; } if($attr ne "") { $_ .= "\n $attr"; } if ($funcdoc) { $documentation{$f} = $funcdoc; } $funcdoc = undef; if ($apple && exists $exported{$f}) { $ios = $exported{$f}{ios}; $ios = "NA" if (!defined $ios); $mac = $exported{$f}{macos}; $mac = "NA" if (!defined $mac); die "$f neither" if ($mac eq "NA" and $ios eq "NA"); $_ = $_ . 
" __OSX_AVAILABLE_STARTING(__MAC_${mac}, __IPHONE_${ios})"; } if (exists $deprecated{$f}) { $_ = $_ . " GSSAPI_DEPRECATED_FUNCTION(\"$deprecated{$f}\")"; $depfunction{GSSAPI_DEPRECATED_FUNCTION} = 1; } $_ = $_ . ";"; $funcs{$f} = $_; } } $line = ""; } if(/\}/){ $brace--; } if(/^\}/){ $brace = 0; } if($brace == 0) { $line = $line . " " . $_; } } die "reached end of code and still in doxygen comment" if ($doxygen); die "reached end of code and still in comment" if ($comment); sub foo { local ($arg) = @_; $_ = $arg; s/.*\/([^\/]*)/$1/; s/.*\\([^\\]*)/$1/; s/[^a-zA-Z0-9]/_/g; "__" . $_ . "__"; } if($opt_o) { open(OUT, ">${opt_o}.new"); $block = &foo($opt_o); } else { $block = "__public_h__"; } if($opt_p) { open(PRIV, ">${opt_p}.new"); $private = &foo($opt_p); } else { $private = "__private_h__"; } $public_h = ""; $private_h = ""; $public_h_header .= "/* This is a generated file */ #ifndef $block #define $block "; if ($oproto) { $public_h_header .= "#ifdef __STDC__ #include #ifndef __P #define __P(x) x #endif #else #ifndef __P #define __P(x) () #endif #endif "; } else { $public_h_header .= "#include "; } $public_h_trailer = ""; $private_h_header = "/* This is a generated file */ #ifndef $private #define $private "; if($oproto) { $private_h_header .= "#ifdef __STDC__ #include #ifndef __P #define __P(x) x #endif #else #ifndef __P #define __P(x) () #endif #endif "; } else { $private_h_header .= "#include "; } $private_h_trailer = ""; foreach(sort keys %funcs){ if(/^(DllMain|main)$/) { next } if ($funcs{$_} =~ /\^/) { $beginblock = "#ifdef __BLOCKS__\n"; $endblock = "#endif /* __BLOCKS__ */\n"; } else { $beginblock = $endblock = ""; } # if we have an export table and doesn't have content, or matches private RE if((scalar(keys(%exported)) ne 0 && !exists $exported{$_} ) || /$private_func_re/) { $private_h .= $beginblock; # if ($apple and not /$private_func_re/) { # $private_h .= "#define $_ __ApplePrivate_${_}\n"; # } $private_h .= $funcs{$_} . 
"\n" ; $private_h .= $endblock . "\n"; if($funcs{$_} =~ /__attribute__/) { $private_attribute_seen = 1; } } else { if($documentation{$_}) { $public_h .= "/**\n"; $public_h .= "$documentation{$_}"; $public_h .= " */\n\n"; } if($flags{"function-blocking"}) { $fupper = uc $_; if($exported{$_} =~ /proto/) { $public_h .= "#if !defined(HAVE_$fupper) || defined(NEED_${fupper}_PROTO)\n"; } else { $public_h .= "#ifndef HAVE_$fupper\n"; } } $public_h .= $beginblock . $funcs{$_} . "\n" . $endblock; if($funcs{$_} =~ /__attribute__/) { $public_attribute_seen = 1; } if($flags{"function-blocking"}) { $public_h .= "#endif\n"; } $public_h .= "\n"; } } if($flags{"gnuc-attribute"}) { if ($public_attribute_seen) { $public_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__) #define __attribute__(x) #endif "; } if ($private_attribute_seen) { $private_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__) #define __attribute__(x) #endif "; } } my $depstr = ""; my $undepstr = ""; foreach (keys %depfunction) { $depstr .= "#ifndef $_ #ifndef __has_extension #define __has_extension(x) 0 #define ${_}has_extension 1 #endif #if __has_extension(attribute_deprecated_with_message) #define $_(x) __attribute__((__deprecated__(x))) #elif defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) #define $_(X) __attribute__((__deprecated__)) #else #define $_(X) #endif #ifdef ${_}has_extension #undef __has_extension #undef ${_}has_extension #endif #endif /* $_ */ "; $public_h_trailer .= "#undef $_ "; $private_h_trailer .= "#undef $_ #define $_(X) "; } $public_h_header .= $depstr; $private_h_header .= $depstr; if($flags{"cxx"}) { $public_h_header .= "#ifdef __cplusplus extern \"C\" { #endif "; $public_h_trailer = "#ifdef __cplusplus } #endif " . 
$public_h_trailer; } if ($opt_E) { $public_h_header .= "#ifndef $opt_E #ifndef ${opt_E}_FUNCTION #if defined(_WIN32) #define ${opt_E}_FUNCTION __declspec(dllimport) #define ${opt_E}_CALL __stdcall #define ${opt_E}_VARIABLE __declspec(dllimport) #else #define ${opt_E}_FUNCTION #define ${opt_E}_CALL #define ${opt_E}_VARIABLE #endif #endif #endif "; $private_h_header .= "#ifndef $opt_E #ifndef ${opt_E}_FUNCTION #if defined(_WIN32) #define ${opt_E}_FUNCTION __declspec(dllimport) #define ${opt_E}_CALL __stdcall #define ${opt_E}_VARIABLE __declspec(dllimport) #else #define ${opt_E}_FUNCTION #define ${opt_E}_CALL #define ${opt_E}_VARIABLE #endif #endif #endif "; } $public_h_trailer .= $undepstr; $private_h_trailer .= $undepstr; if ($public_h ne "" && $flags{"header"}) { $public_h = $public_h_header . $public_h . $public_h_trailer . "#endif /* $block */\n"; } if ($private_h ne "" && $flags{"header"}) { $private_h = $private_h_header . $private_h . $private_h_trailer . "#endif /* $private */\n"; } if($opt_o) { print OUT $public_h; } if($opt_p) { print PRIV $private_h; } close OUT; close PRIV; if ($opt_o) { if (compare("${opt_o}.new", ${opt_o}) != 0) { printf("updating ${opt_o}\n"); rename("${opt_o}.new", ${opt_o}); } else { unlink("${opt_o}.new"); } } if ($opt_p) { if (compare("${opt_p}.new", ${opt_p}) != 0) { printf("updating ${opt_p}\n"); rename("${opt_p}.new", ${opt_p}); } else { unlink("${opt_p}.new"); } } heimdal-1.7~git20150920+dfsg/cf/maybe-valgrind.sh000077500000000000000000000045601257755311500213000ustar00rootroot00000000000000#!/bin/sh # # Copyright (c) 2006 - 2007 Kungliga Tekniska Hgskolan # (Royal Institute of Technology, Stockholm, Sweden). # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. 
Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # 3. Neither the name of the Institute nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. while true do case $1 in -s) tsrcdir="$2"; shift 2;; -o) tobjdir="$2"; shift 2;; -*) echo "$0: Bad option $1"; echo $usage; exit 1;; *) break;; esac done if [ X"${tobjdir}" = "X" -o X"${tsrcdir}" = X ] ; then echo "tobjdir or tsrcdir not defined" exit 1 fi if [ ! 
-f "${tobjdir}/libtool" ]; then echo "libtool missing from \"${tobjdir}\"" exit 1 fi doit=1 libtool="${tobjdir}/libtool --mode=execute" valgrind="valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=${tsrcdir}/cf/valgrind-suppressions" if head -10 "$1" | grep 'Generated by ltmain.sh' > /dev/null ; then uselibtool=1 elif head -10 "$1" | grep 'bin/sh' > /dev/null ; then libtool= valgrind= fi exec $libtool $valgrind "$@" heimdal-1.7~git20150920+dfsg/cf/mips-abi.m4000066400000000000000000000046131257755311500200020ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some dnl value. AC_DEFUN([AC_MIPS_ABI], [ AC_ARG_WITH(mips_abi, AS_HELP_STRING([--with-mips-abi=abi],[ABI to use for IRIX (32, n32, or 64)])) case "$host_os" in irix*) with_mips_abi="${with_mips_abi:-yes}" if test -n "$GCC"; then # GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select # which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs. # # Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old # GCC and revert back to O32. The same goes if O32 is asked for - old # GCCs doesn't like the -mabi option, and new GCCs can't output O32. # # Don't you just love *all* the different SGI ABIs? 
case "${with_mips_abi}" in 32|o32) abi='-mabi=32'; abilibdirext='' ;; n32|yes) abi='-mabi=n32'; abilibdirext='32' ;; 64) abi='-mabi=64'; abilibdirext='64' ;; no) abi=''; abilibdirext='';; *) AC_MSG_ERROR("Invalid ABI specified") ;; esac if test -n "$abi" ; then ac_foo=krb_cv_gcc_`echo $abi | tr =- __` dnl dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to dnl AC_MSG_RESULT dnl AC_MSG_CHECKING([if $CC supports the $abi option]) AC_CACHE_VAL($ac_foo, [ save_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $abi" AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x;]])],[eval $ac_foo=yes], [eval $ac_foo=no])dnl CFLAGS="$save_CFLAGS" ]) ac_res=`eval echo \\\$$ac_foo` AC_MSG_RESULT($ac_res) if test $ac_res = no; then # Try to figure out why that failed... case $abi in -mabi=32) save_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -mabi=n32" AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x;]])],[ac_res=yes],[ac_res=no])dnl CLAGS="$save_CFLAGS" if test $ac_res = yes; then # New GCC AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI]) fi # Old GCC abi='' abilibdirext='' ;; -mabi=n32|-mabi=64) if test $with_mips_abi = yes; then # Old GCC, default to O32 abi='' abilibdirext='' else # Some broken GCC AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI]) fi ;; esac fi #if test $ac_res = no; then fi #if test -n "$abi" ; then else case "${with_mips_abi}" in 32|o32) abi='-32'; abilibdirext='' ;; n32|yes) abi='-n32'; abilibdirext='32' ;; 64) abi='-64'; abilibdirext='64' ;; no) abi=''; abilibdirext='';; *) AC_MSG_ERROR("Invalid ABI specified") ;; esac fi #if test -n "$GCC"; then ;; esac ]) heimdal-1.7~git20150920+dfsg/cf/misc.m4000066400000000000000000000006321257755311500172310ustar00rootroot00000000000000 dnl $Id$ dnl AC_DEFUN([upcase],[`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`])dnl AC_DEFUN([rk_LIBOBJ],[AC_LIBOBJ([$1])])dnl AC_DEFUN([rk_CONFIG_HEADER],[AH_TOP([#ifndef RCSID #define RCSID(msg) \ static /**/const char *const rcsid[] = { (const char *)rcsid, 
"@(#)" msg } #endif /* Maximum values on all known systems */ #define MaxHostNameLen (64+4) #define MaxPathLen (1024+4) ])])heimdal-1.7~git20150920+dfsg/cf/need-proto.m4000066400000000000000000000011461257755311500203530ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Check if we need the prototype for a function dnl dnl AC_NEED_PROTO(includes, function) AC_DEFUN([AC_NEED_PROTO], [ if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto, AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$1 struct foo { int foo; } xx; extern int $2 (struct foo*);]],[[$2(&xx)]])], [eval "ac_cv_func_$2_noproto=yes"], [eval "ac_cv_func_$2_noproto=no"])) if test "$ac_cv_func_$2_noproto" = yes; then AC_DEFINE(AS_TR_CPP(NEED_[]$2[]_PROTO), 1, [define if the system is missing a prototype for $2()]) fi fi ]) heimdal-1.7~git20150920+dfsg/cf/osfc2.m4000066400000000000000000000005031257755311500173070ustar00rootroot00000000000000dnl $Id$ dnl dnl enable OSF C2 stuff AC_DEFUN([AC_CHECK_OSFC2],[ AC_ARG_ENABLE(osfc2, AS_HELP_STRING([--enable-osfc2],[enable some OSF C2 support])) LIB_security= if test "$enable_osfc2" = yes; then AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.]) LIB_security=-lsecurity fi AC_SUBST(LIB_security) ]) heimdal-1.7~git20150920+dfsg/cf/otp.m4000066400000000000000000000013201257755311500170730ustar00rootroot00000000000000dnl $Id$ dnl dnl check requirements for OTP library dnl AC_DEFUN([rk_OTP],[ AC_REQUIRE([rk_DB])dnl AC_ARG_ENABLE(otp, AS_HELP_STRING([--disable-otp],[if you don't want OTP support])) if test "$enable_otp" = yes -a "$db_type" = unknown; then AC_MSG_ERROR([OTP requires a NDBM/DB compatible library]) fi if test "$enable_otp" != no; then if test "$db_type" != unknown; then enable_otp=yes else enable_otp=no fi fi if test "$enable_otp" = yes; then AC_DEFINE(OTP, 1, [Define if you want OTP support in applications.]) LIB_otp='$(top_builddir)/lib/otp/libotp.la' AC_SUBST(LIB_otp) fi 
AC_MSG_CHECKING([whether to enable OTP library]) AC_MSG_RESULT($enable_otp) AM_CONDITIONAL(OTP, test "$enable_otp" = yes)dnl ]) heimdal-1.7~git20150920+dfsg/cf/pkg.m4000066400000000000000000000121441257755311500170600ustar00rootroot00000000000000# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- # # Copyright 2004 Scott James Remnant . # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. 
# PKG_PROG_PKG_CONFIG([MIN-VERSION]) # ---------------------------------- AC_DEFUN([PKG_PROG_PKG_CONFIG], [m4_pattern_forbid([^_?PKG_[A-Z_]+$]) m4_pattern_allow([^PKG_CONFIG(_PATH)?$]) AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) fi if test -n "$PKG_CONFIG"; then _pkg_min_version=m4_default([$1], [0.9.0]) AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) PKG_CONFIG="" fi fi[]dnl ])# PKG_PROG_PKG_CONFIG # PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) # # Check to see whether a particular set of modules exists. Similar # to PKG_CHECK_MODULES(), but does not set variables or print errors. # # # Similar to PKG_CHECK_MODULES, make sure that the first instance of # this or PKG_CHECK_MODULES is called, or make sure to call # PKG_CHECK_EXISTS manually # -------------------------------------------------------------- AC_DEFUN([PKG_CHECK_EXISTS], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl if test -n "$PKG_CONFIG" && \ AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then m4_ifval([$2], [$2], [:]) m4_ifvaln([$3], [else $3])dnl fi]) # _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) # --------------------------------------------- m4_define([_PKG_CONFIG], [if test -n "$PKG_CONFIG"; then if test -n "$$1"; then pkg_cv_[]$1="$$1" else PKG_CHECK_EXISTS([$3], [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], [pkg_failed=yes]) fi else pkg_failed=untried fi[]dnl ])# _PKG_CONFIG # _PKG_SHORT_ERRORS_SUPPORTED # ----------------------------- AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], [AC_REQUIRE([PKG_PROG_PKG_CONFIG]) if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi[]dnl ])# _PKG_SHORT_ERRORS_SUPPORTED # PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, 
[ACTION-IF-FOUND], # [ACTION-IF-NOT-FOUND]) # # # Note that if there is a possibility the first call to # PKG_CHECK_MODULES might not happen, you should be sure to include an # explicit call to PKG_PROG_PKG_CONFIG in your configure.ac # # # -------------------------------------------------------------- AC_DEFUN([PKG_CHECK_MODULES], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl pkg_failed=no AC_MSG_CHECKING([for $1]) _PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) _PKG_CONFIG([$1][_LIBS], [libs], [$2]) m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS and $1[]_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details.]) if test $pkg_failed = yes; then _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"` else $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"` fi # Put the nasty error message in config.log where it belongs echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD ifelse([$4], , [AC_MSG_ERROR(dnl [Package requirements ($2) were not met: $$1_PKG_ERRORS Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. _PKG_TEXT ])], [AC_MSG_RESULT([no]) $4]) elif test $pkg_failed = untried; then ifelse([$4], , [AC_MSG_FAILURE(dnl [The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full path to pkg-config. 
_PKG_TEXT To get pkg-config, see .])], [$4]) else $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS $1[]_LIBS=$pkg_cv_[]$1[]_LIBS AC_MSG_RESULT([yes]) ifelse([$3], , :, [$3]) fi[]dnl ])# PKG_CHECK_MODULES heimdal-1.7~git20150920+dfsg/cf/proto-compat.m4000066400000000000000000000011311257755311500207150ustar00rootroot00000000000000dnl $Id$ dnl dnl dnl Check if the prototype of a function is compatible with another one dnl dnl AC_PROTO_COMPAT(includes, function, prototype) AC_DEFUN([AC_PROTO_COMPAT], [ AC_CACHE_CHECK([if $2 is compatible with system prototype], ac_cv_func_$2_proto_compat, AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$1]],[[$3]])], [eval "ac_cv_func_$2_proto_compat=yes"], [eval "ac_cv_func_$2_proto_compat=no"])) define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE]) if test "$ac_cv_func_$2_proto_compat" = yes; then AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with $3]) fi undefine([foo]) ])heimdal-1.7~git20150920+dfsg/cf/pthreads.m4000066400000000000000000000044571257755311500201210ustar00rootroot00000000000000Dnl $Id$ AC_DEFUN([KRB_PTHREADS], [ AC_MSG_CHECKING(if compiling threadsafe libraries) AC_ARG_ENABLE(pthread-support, AS_HELP_STRING([--enable-pthread-support], [if you want thread safe libraries]), [],[enable_pthread_support=maybe]) case "$host" in *-*-solaris2*) native_pthread_support=yes if test "$GCC" = yes; then PTHREAD_CFLAGS="-D_REENTRANT -D_TS_ERRNO" PTHREAD_LIBADD=-lpthread else PTHREAD_CFLAGS="-mt -D_REENTRANT -D_TS_ERRNO" PTHREAD_LDADD=-mt PTHREAD_LIBADD="-mt -lpthread" fi ;; *-*-netbsd[[12]]*) native_pthread_support="if running netbsd 1.6T or newer" dnl heim_threads.h knows this PTHREAD_LIBADD="-lpthread" ;; *-*-netbsd[[3456789]]*) native_pthread_support="netbsd 3 uses explict pthread" dnl heim_threads.h knows this PTHREAD_LIBADD="-lpthread" ;; *-*-freebsd[[56789]]*) native_pthread_support=yes PTHREAD_LIBADD="-pthread" ;; *-*-openbsd*) native_pthread_support=yes PTHREAD_CFLAGS=-pthread PTHREAD_LIBADD=-pthread ;; *-*-gnu*) 
native_pthread_support=yes PTHREADS_CFLAGS=-pthread PTHREAD_LIBADD="-pthread -lpthread" ;; *-*-linux* | *-*-linux-gnu) case `uname -r` in 2.*|3.*) native_pthread_support=yes PTHREAD_CFLAGS=-pthread PTHREAD_LIBADD=-pthread ;; esac ;; *-*-kfreebsd*-gnu*) native_pthread_support=yes PTHREAD_CFLAGS=-pthread PTHREAD_LIBADD=-pthread ;; *-*-aix*) dnl AIX is disabled since we don't handle the utmp/utmpx dnl problems that aix causes when compiling with pthread support native_pthread_support=no ;; mips-sgi-irix6.[[5-9]]) # maybe works for earlier versions too native_pthread_support=yes PTHREAD_LIBADD="-lpthread" ;; *-*-darwin*) native_pthread_support=yes ;; *) native_pthread_support=no ;; esac if test "$enable_pthread_support" = maybe ; then enable_pthread_support="$native_pthread_support" fi if test "$enable_pthread_support" != no; then AC_DEFINE(ENABLE_PTHREAD_SUPPORT, 1, [Define if you want have a thread safe libraries]) dnl This sucks, but libtool doesn't save the depenecy on -pthread dnl for libraries. 
LIBS="$PTHREAD_LIBADD $LIBS" else PTHREAD_CFLAGS="" PTHREAD_LIBADD="" fi CFLAGS="$CFLAGS $PTHREAD_CFLAGS" LDADD="$LDADD $PTHREAD_LDADD" LIBADD="$LIBADD $PTHREAD_LIBADD" AC_SUBST(PTHREAD_CFLAGS) AC_SUBST(PTHREAD_LDADD) AC_SUBST(PTHREAD_LIBADD) AC_MSG_RESULT($enable_pthread_support) ]) heimdal-1.7~git20150920+dfsg/cf/resolv.m4000066400000000000000000000035171257755311500176150ustar00rootroot00000000000000dnl stuff used by DNS resolv code in roken dnl dnl $Id$ dnl AC_DEFUN([rk_RESOLV],[ AC_CHECK_HEADERS([arpa/nameser.h dns.h]) AC_CHECK_HEADERS(resolv.h, , , [AC_INCLUDES_DEFAULT #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_NAMESER_H #include #endif ]) AC_FIND_FUNC(res_search, resolv, [ #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_NAMESER_H #include #endif #ifdef HAVE_RESOLV_H #include #endif ], [0,0,0,0,0]) AC_FIND_FUNC(res_nsearch, resolv, [ #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_NAMESER_H #include #endif #ifdef HAVE_RESOLV_H #include #endif ], [0,0,0,0,0,0]) AC_FIND_FUNC(res_ndestroy, resolv, [ #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_NAMESER_H #include #endif #ifdef HAVE_RESOLV_H #include #endif ], [0]) AC_FIND_FUNC_NO_LIBS(dns_search,, [ #ifdef HAVE_DNS_H #include #endif ], [0,0,0,0,0,0,0,0]) AC_FIND_FUNC(dn_expand, resolv, [ #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_NAMESER_H #include #endif #ifdef HAVE_RESOLV_H #include #endif ], [0,0,0,0,0]) rk_CHECK_VAR(_res, [#include #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_NAMESER_H #include #endif #ifdef HAVE_RESOLV_H #include #endif]) ]) 
heimdal-1.7~git20150920+dfsg/cf/retsigtype.m4000066400000000000000000000006461257755311500205020ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl Figure out return type of signal handlers, and define SIGRETURN macro dnl that can be used to return from one dnl AC_DEFUN([rk_RETSIGTYPE],[ AC_TYPE_SIGNAL if test "$ac_cv_type_signal" = "void" ; then AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.]) fi AH_BOTTOM([#ifdef VOID_RETSIGTYPE #define SIGRETURN(x) return #else #define SIGRETURN(x) return (RETSIGTYPE)(x) #endif]) ])heimdal-1.7~git20150920+dfsg/cf/roken-frag.m4000066400000000000000000000346401257755311500203370ustar00rootroot00000000000000dnl $Id$ dnl dnl some code to get roken working dnl dnl rk_ROKEN(subdir) dnl AC_DEFUN([rk_ROKEN], [ AC_REQUIRE([rk_CONFIG_HEADER]) DIR_roken=roken LIB_roken='$(top_builddir)/$1/libroken.la' INCLUDES_roken='-I$(top_builddir)/$1 -I$(top_srcdir)/$1' dnl Checks for programs AC_REQUIRE([AC_PROG_CC]) AC_REQUIRE([AC_PROG_AWK]) AC_REQUIRE([AC_OBJEXT]) AC_REQUIRE([AC_EXEEXT]) AC_REQUIRE([LT_INIT]) AC_REQUIRE([AC_MIPS_ABI]) AC_DEFINE(rk_PATH_DELIM, '/', [Path name delimiter]) dnl C characteristics AC_REQUIRE([AC_C___ATTRIBUTE__]) AC_REQUIRE([AC_C_INLINE]) AC_REQUIRE([AC_C_CONST]) rk_WFLAGS(-Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow) dnl -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes dnl -Wcast-qual -Wswitch -Wformat=2 -Wwrite-strings AC_REQUIRE([rk_DB]) dnl C types AC_REQUIRE([AC_TYPE_SIZE_T]) AC_HAVE_TYPE([ssize_t],[#include ]) AC_REQUIRE([AC_TYPE_PID_T]) AC_REQUIRE([AC_TYPE_UID_T]) AC_HAVE_TYPE([long long]) AC_REQUIRE([rk_RETSIGTYPE]) dnl Checks for header files. 
AC_REQUIRE([AC_HEADER_STDC]) AC_REQUIRE([AC_HEADER_TIME]) AC_CHECK_HEADERS([\ arpa/inet.h \ config.h \ crypt.h \ dirent.h \ errno.h \ err.h \ fcntl.h \ fnmatch.h \ grp.h \ ifaddrs.h \ netinet/in.h \ netinet/in6.h \ netinet/in_systm.h \ netinet6/in6.h \ paths.h \ poll.h \ pwd.h \ rpcsvc/ypclnt.h \ search.h \ shadow.h \ stdint.h \ sys/auxv.h \ sys/bswap.h \ sys/errno.h \ sys/ioctl.h \ sys/mman.h \ sys/param.h \ sys/resource.h \ sys/sockio.h \ sys/stat.h \ sys/time.h \ sys/tty.h \ sys/types.h \ sys/uio.h \ sys/utsname.h \ sys/wait.h \ syslog.h \ termios.h \ winsock2.h \ ws2tcpip.h \ unistd.h \ userconf.h \ usersec.h \ util.h \ ]) AC_HAVE_TYPE([uintptr_t],[#ifdef HAVE_STDINT_H #include #endif]) dnl Sunpro 5.2 has a vis.h which is something different. AC_CHECK_HEADERS(vis.h, , , [ #include #ifndef VIS_SP #error invis #endif]) AC_CHECK_HEADERS(netdb.h, , , [AC_INCLUDES_DEFAULT #ifdef HAVE_SYS_TYPES_H #include #endif ]) AC_CHECK_HEADERS(sys/socket.h, , , [AC_INCLUDES_DEFAULT #ifdef HAVE_SYS_TYPES_H #include #endif ]) AC_CHECK_HEADERS(net/if.h, , , [AC_INCLUDES_DEFAULT #ifdef HAVE_SYS_TYPES_H #include #endif #if HAVE_SYS_SOCKET_H #include #endif]) AC_CHECK_HEADERS(netinet6/in6_var.h, , , [AC_INCLUDES_DEFAULT #ifdef HAVE_SYS_TYPES_H #include #endif #if HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET6_IN6_H #include #endif ]) AC_CHECK_HEADERS(sys/sysctl.h, , , [AC_INCLUDES_DEFAULT #ifdef HAVE_SYS_PARAM_H #include #endif ]) AC_CHECK_HEADERS(sys/proc.h, , , [AC_INCLUDES_DEFAULT #ifdef HAVE_SYS_PARAM_H #include #endif ]) AC_REQUIRE([CHECK_NETINET_IP_AND_TCP]) AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes) AM_CONDITIONAL(have_ifaddrs_h, test "$ac_cv_header_ifaddrs_h" = yes) AM_CONDITIONAL(have_search_h, test "$ac_cv_header_search_h" = yes) AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes) dnl Check for functions and libraries AC_FIND_FUNC(socket, socket) AC_FIND_FUNC(gethostbyname, nsl) AC_FIND_FUNC(syslog, syslog) AC_KRB_IPV6 
AC_FIND_FUNC(gethostbyname2, inet6 ip6) rk_RESOLV AC_BROKEN_SNPRINTF AC_BROKEN_VSNPRINTF AC_BROKEN_GLOB if test "$ac_cv_func_glob_working" != yes; then AC_LIBOBJ(glob) fi AM_CONDITIONAL(have_glob_h, test "$ac_cv_func_glob_working" = yes) AC_CHECK_FUNCS([ \ asnprintf \ asprintf \ atexit \ cgetent \ getauxval \ getconfattr \ getprogname \ getrlimit \ getspnam \ issetugid \ on_exit \ poll \ random \ setprogname \ strsvis \ strsvisx \ strunvis \ strvis \ strvisx \ svis \ sysconf \ sysctl \ tdelete \ tfind \ twalk \ uname \ unvis \ vasnprintf \ vasprintf \ vis \ ]) if test "$ac_cv_func_cgetent" = no; then AC_LIBOBJ(getcap) fi AM_CONDITIONAL(have_cgetent, test "$ac_cv_func_cgetent" = yes) AC_REQUIRE([AC_FUNC_GETLOGIN]) AC_REQUIRE([AC_FUNC_MMAP]) AC_FIND_FUNC_NO_LIBS(getsockopt,, [#ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif], [0,0,0,0,0]) AC_FIND_FUNC_NO_LIBS(setsockopt,, [#ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif], [0,0,0,0,0]) AC_FIND_IF_NOT_BROKEN(hstrerror, resolv, [#ifdef HAVE_NETDB_H #include #endif], 17) AC_NEED_PROTO([ #ifdef HAVE_NETDB_H #include #endif], hstrerror) AC_FOREACH([rk_func], [asprintf vasprintf asnprintf vasnprintf], [AC_NEED_PROTO([ #include #include ], rk_func)]) AC_FIND_FUNC_NO_LIBS(bswap16,, [#ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_BSWAP_H #include #endif],0) AC_FIND_FUNC_NO_LIBS(bswap32,, [#ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_BSWAP_H #include #endif],0) AC_FIND_FUNC_NO_LIBS(pidfile,util, [#ifdef HAVE_UTIL_H #include #endif],0) AC_FIND_IF_NOT_BROKEN(getaddrinfo,, [#ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif],[0,0,0,0]) AC_FIND_IF_NOT_BROKEN(getnameinfo,, [#ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif],[0,0,0,0,0,0,0]) AC_FIND_IF_NOT_BROKEN(freeaddrinfo,, [#ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif],[0]) AC_FIND_IF_NOT_BROKEN(gai_strerror,, [#ifdef 
HAVE_NETDB_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif],[0]) case "$host_os" in darwin*) ;; *) AC_BROKEN([daemon]) ;; esac AC_BROKEN([ \ chown \ copyhostent \ closefrom \ ecalloc \ emalloc \ erealloc \ estrdup \ err \ errx \ fchown \ flock \ fnmatch \ freehostent \ getcwd \ getdtablesize \ getegid \ geteuid \ getgid \ gethostname \ getifaddrs \ getipnodebyaddr \ getipnodebyname \ getopt \ gettimeofday \ getuid \ getusershell \ initgroups \ innetgr \ iruserok \ localtime_r \ lstat \ memmove \ memset_s \ mkstemp \ putenv \ rcmd \ readv \ recvmsg \ sendmsg \ setegid \ setenv \ seteuid \ strcasecmp \ strdup \ strerror \ strftime \ strlcat \ strlcpy \ strlwr \ strncasecmp \ strndup \ strnlen \ strptime \ strsep \ strsep_copy \ strtok_r \ strtoll \ strtoull \ strupr \ swab \ tsearch \ timegm \ unsetenv \ verr \ verrx \ vsyslog \ vwarn \ vwarnx \ warn \ warnx \ writev \ ]) AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes -a "$ac_cv_func_fnmatch" = yes) AC_FOREACH([rk_func], [strndup strsep strtok_r], [AC_NEED_PROTO([#include ], rk_func)]) AC_CHECK_FUNC([strtoll], [AC_DEFINE_UNQUOTED(HAVE_STRTOLL, 1, [Define if you have the function strtoll.])]) AC_CHECK_FUNC([strtoull], [AC_DEFINE_UNQUOTED(HAVE_STRTOULL, 1, [Define if you have the function strtoull.])]) AC_FOREACH([rk_func], [strsvis strsvisx strunvis strvis strvisx svis unvis vis], [AC_NEED_PROTO([#ifdef HAVE_VIS_H #include #endif], rk_func)]) AC_MSG_CHECKING([checking for dirfd]) AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include #ifdef HAVE_DIRENT_H #include #endif ]], [[DIR *d = 0; dirfd(d);]])], [ac_rk_have_dirfd=yes], [ac_rk_have_dirfd=no]) if test "$ac_rk_have_dirfd" = "yes" ; then AC_DEFINE_UNQUOTED(HAVE_DIRFD, 1, [have a dirfd function/macro]) fi AC_MSG_RESULT($ac_rk_have_dirfd) AC_HAVE_STRUCT_FIELD(DIR, dd_fd, [#include #ifdef HAVE_DIRENT_H #include #endif]) AC_BROKEN2(inet_aton, [#ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H 
#include #endif #ifdef HAVE_ARPA_INET_H #include #endif], [0,0]) AC_BROKEN2(inet_ntop, [#ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif], [0, 0, 0, 0]) AC_BROKEN2(inet_pton, [#ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif], [0,0,0]) dnl dnl Check for sa_len in struct sockaddr, dnl needs to come before the getnameinfo test dnl AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include #include ]) if test "$ac_cv_func_getaddrinfo" = "yes"; then rk_BROKEN_GETADDRINFO if test "$ac_cv_func_getaddrinfo_numserv" = no; then AC_LIBOBJ(getaddrinfo) AC_LIBOBJ(freeaddrinfo) fi fi AC_NEED_PROTO([#include ], setenv) AC_NEED_PROTO([#include ], unsetenv) AC_NEED_PROTO([#include ], gethostname) AC_NEED_PROTO([#include ], mkstemp) AC_NEED_PROTO([#include ], getusershell) AC_NEED_PROTO([#include ], daemon) AC_NEED_PROTO([ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_UNISTD_H #include #endif], iruserok) AC_NEED_PROTO([ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif], inet_aton) AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl AC_REQUIRE([rk_BROKEN_REALLOC])dnl dnl AC_KRB_FUNC_GETCWD_BROKEN dnl strerror_r is great fun, on linux it exists before sus catched up, dnl so the return type is diffrent, lets check for both AC_PROTO_COMPAT([ #include #include ], strerror_r, int strerror_r(int, char *, size_t)) AC_CHECK_FUNC([strerror_r], [AC_DEFINE_UNQUOTED(HAVE_STRERROR_R, 1, [Define if you have the function strerror_r.])]) dnl dnl Checks for prototypes and declarations dnl AC_PROTO_COMPAT([ #ifdef 
HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_NETDB_H #include #endif ], gethostbyname, struct hostent *gethostbyname(const char *)) AC_PROTO_COMPAT([ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_NETDB_H #include #endif ], gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int)) AC_PROTO_COMPAT([ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_NETDB_H #include #endif ], getservbyname, struct servent *getservbyname(const char *, const char *)) AC_PROTO_COMPAT([ #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif ], getsockname, int getsockname(int, struct sockaddr*, socklen_t*)) AC_PROTO_COMPAT([ #ifdef HAVE_SYSLOG_H #include #endif ], openlog, void openlog(const char *, int, int)) AC_NEED_PROTO([ #ifdef HAVE_CRYPT_H #include #endif #ifdef HAVE_UNISTD_H #include #endif ], crypt) dnl variables rk_CHECK_VAR(h_errno, [#ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif ]) rk_CHECK_VAR(h_errlist, [#ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif]) rk_CHECK_VAR(h_nerr, [#ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif]) rk_CHECK_VAR([__progname], [#ifdef HAVE_ERR_H #include #endif]) AC_CHECK_DECLS([optarg, optind, opterr, optopt, environ],[],[],[ #include #ifdef HAVE_UNISTD_H #include #endif]) dnl dnl Check for fields in struct tm dnl AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include ]) AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include ]) dnl dnl or do we have a variable `timezone' ? 
dnl rk_CHECK_VAR(timezone,[#include ]) rk_CHECK_VAR(altzone,[#include ]) AC_HAVE_TYPE([sa_family_t],[ #include #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif]) AC_HAVE_TYPE([socklen_t],[ #include #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif]) AC_HAVE_TYPE([struct sockaddr], [ #include #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif]) AC_HAVE_TYPE([struct sockaddr_storage], [ #include #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif]) AC_HAVE_TYPE([struct addrinfo], [ #include #ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif]) AC_HAVE_TYPE([struct ifaddrs], [#include ]) AC_HAVE_TYPE([struct iovec],[ #include #include ]) AC_HAVE_TYPE([struct msghdr],[ #include #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif]) dnl dnl Check for struct winsize dnl AC_KRB_STRUCT_WINSIZE dnl dnl Check for struct spwd dnl AC_KRB_STRUCT_SPWD # # Check if we want samba's socket wrapper # samba_SOCKET_WRAPPER dnl won't work with automake dnl moved to AC_OUTPUT in configure.in dnl AC_CONFIG_FILES($1/Makefile) LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)" AC_SUBST(DIR_roken)dnl AC_SUBST(LIB_roken)dnl AC_SUBST(INCLUDES_roken)dnl ]) heimdal-1.7~git20150920+dfsg/cf/roken-h-process.pl000066400000000000000000000070161257755311500214130ustar00rootroot00000000000000#!/usr/bin/perl use Getopt::Std; my $debug = 0; getopts('dc:p:o:') || die "foo"; if ($opt_d) { $debug = 1; } die "missing arg" if (!defined $opt_c || !defined $opt_p || !defined $opt_o); my %defines; my $IN; my $OUT; print "parse config.h\n" if ($debug); open IN, $opt_c || die "failed open ${opt_c}"; my @nesting; push @nesting, 1; while () { if (m/\s*#ifdef\s+(.*)/) { my $var = $1; if (defined $defines{$var}) { push @nesting, 1; } else { push @nesting, 0; } next; } elsif (m/\s*#ifndef\s+(.*)/) { my $var = $1; if (defined $defines{$var}) { push 
@nesting, 0; } else { push @nesting, 1; } next; } elsif (m/\s*#else/) { my $var = pop @nesting; $var = !$var; push @nesting, $var; next; } elsif ($nesting[$#nesting] and m/\s*#define\s+(\w+)\s+(\S+)/) { my $res = $2; $res = 1 if (!defined $res); $defines{$1} = $res; } } close IN; if ($debug) { foreach my $i (keys %defines) { print "k: $i v: $defines{$i}\n"; } } open IN, "$opt_p" || die "failed open ${opt_p}"; open OUT, ">$opt_o" || die "failed open ${opt_o}"; print "parse roken.h.in\n" if ($debug); print OUT "/* This is an OS dependent, generated file */\n"; print OUT "\n"; print OUT "\n"; print OUT "#ifndef __ROKEN_H__\n"; print OUT "#define __ROKEN_H__\n"; print OUT "\n"; @nesting = (1); while () { if (m/\s*#ifdef\s+(.*)/) { my $var = $1; if (defined $defines{$var}) { push @nesting, 1; } else { push @nesting, 0; } next; } elsif (m/\s*#ifndef\s+(.*)/) { my $var = $1; if (defined $defines{$var}) { push @nesting, 0; } else { push @nesting, 1; } next; } elsif (m/\s*#if\s+(.*)/) { my $res = parse_if($1); print "line = $res: $1\n" if ($debug); push @nesting, $res; next; } elsif (m/\s*#elif\s+(.*)/) { my $res = pop @nesting; if ($res gt 0) { $res = -1; } else { my $res = parse_if($1); } push @nesting, $res; next; } elsif (m/\s*#else/) { my $var = pop @nesting; $var = !$var; push @nesting, $var; next; } elsif (m/\s*#endif/) { pop @nesting; next; } print "line: $_\n" if ($debug); print "nesting dep $#{nesting}\n" if ($debug); my $i = 0, $t = 1; while ($i le $#nesting) { $t = 0 if ($nesting[$i] le 0); print "nesting $i val $nesting[$i] -> $t\n" if ($debug); $i++; } if ($t) { print OUT; } } print OUT "\n"; print OUT "#endif /* __ROKEN_H__ */\n"; close IN; exit 0; sub parse_if { my ($neg, $var); $_ = shift; if (m/^\s*$/) { print "end $_\n" if ($debug); return 1; } elsif (m/^\(([^&]+)\&\&(.*)\)\s*\|\|\s*\(([^&]+)\&\&(.*)\)$/) { print "($1 and $2) or ($3 and $4)\n" if ($debug); return ((parse_if($1) and parse_if($2)) or (parse_if($3) and parse_if($4))); } elsif 
(m/^([^&]+)\&\&(.*)$/) { print "$1 and $2\n" if ($debug); return parse_if($1) and parse_if($2); } elsif (m/^([^\|]+)\|\|(.*)$/) { print "$1 or $2\n" if ($debug); return (parse_if($1) or parse_if($2)); } elsif (m/^\s*(\!)?\s*defined\((\w+)\)/) { ($neg, $var) = ($1, $2); print "def: ${neg}-defined(${var})\n" if ($debug); my $res = defined $defines{$var}; if ($neg eq "!") { if ($res) { $res = 0; } else { $res = 1; } } print "res: $res\n" if ($debug); return $res; } elsif (m/^\s*(\!)?(\w+)/) { ($neg, $var) = ($1, $2); print "var: $neg $var\n" if ($debug); my $res; if (defined $defines{$var}) { $res = $defines{$var}; } else { $res = 0; } $res = ! $res if ($neg =~ m/!/); print "res: $res\n" if ($debug); return $res; } die "failed parse: $_\n"; } heimdal-1.7~git20150920+dfsg/cf/roken.m4000066400000000000000000000024201257755311500174110ustar00rootroot00000000000000dnl $Id$ dnl dnl try to look for an installed roken library with sufficient stuff dnl dnl set LIB_roken to the what we should link with dnl set DIR_roken to if the directory should be built dnl set CPPFLAGS_roken to stuff to add to CPPFLAGS dnl AC_ROKEN(version,directory-to-try,roken-dir,fallback-library,fallback-cppflags) AC_DEFUN([AC_ROKEN], [ AC_ARG_WITH(roken, AS_HELP_STRING([--with-roken=dir],[use the roken library in dir]), [if test "$withval" = "no"; then AC_MSG_ERROR(roken is required) fi]) save_CPPFLAGS="${CPPFLAGS}" case $with_roken in yes|"") dirs="$2" ;; *) dirs="$with_roken" ;; esac roken_installed=no for i in $dirs; do AC_MSG_CHECKING(for roken in $i) CPPFLAGS="-I$i/include ${CPPFLAGS}" AC_PREPROC_IFELSE([AC_LANG_SOURCE([[ #include #if ROKEN_VERSION < $1 #error old roken version, should be $1 fail #endif ]])],[roken_installed=yes; break]) AC_MSG_RESULT($roken_installed) done CPPFLAGS="$save_CPPFLAGS" if test "$roken_installed" != "yes"; then DIR_roken="roken" LIB_roken='$4' CPPFLAGS_roken='$5' AC_CONFIG_SUBDIRS(lib/roken) else LIB_roken="$i/lib/libroken.la" CPPFLAGS_roken="-I$i/include" fi 
LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)" AC_SUBST(LIB_roken)dnl AC_SUBST(DIR_roken)dnl AC_SUBST(CPPFLAGS_roken)dnl ]) heimdal-1.7~git20150920+dfsg/cf/socket-wrapper.m4000066400000000000000000000006341257755311500212460ustar00rootroot00000000000000dnl $Id$ dnl AC_DEFUN([samba_SOCKET_WRAPPER], [ AC_ARG_ENABLE(socket-wrapper, AS_HELP_STRING([--enable-socket-wrapper], [use sambas socket-wrapper for testing])) AM_CONDITIONAL(have_socket_wrapper, test "x$enable_socket_wrapper" = xyes)dnl if test "x$enable_socket_wrapper" = xyes ; then AC_DEFINE(SOCKET_WRAPPER_REPLACE, 1, [Define if you want to use samba socket wrappers.]) fi ]) heimdal-1.7~git20150920+dfsg/cf/sunos.m4000066400000000000000000000004711257755311500174460ustar00rootroot00000000000000dnl dnl $Id$ dnl AC_DEFUN([rk_SUNOS],[ sunos=no case "$host" in *-*-solaris2.7) sunos=57 ;; *-*-solaris2.[[89]] | *-*-solaris2.1[[0-9]]) sunos=58 ;; *-*-solaris2*) sunos=50 ;; esac if test "$sunos" != no; then AC_DEFINE_UNQUOTED(SunOS, $sunos, [Define to what version of SunOS you are running.]) fi ])heimdal-1.7~git20150920+dfsg/cf/symbol-version.py000066400000000000000000000050301257755311500213730ustar00rootroot00000000000000# # Copyright (c) 2008 Kungliga Tekniska Högskolan # (Royal Institute of Technology, Stockholm, Sweden). # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # 3. 
Neither the name of the Institute nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. import sys tokens = [ 'SYMBOL' ] literals = ['{','}',';', ':'] t_SYMBOL = r'[a-zA-Z_][a-zA-Z0-9_\.]*' t_ignore = " \t\n" def t_error(t): print "Illegal character '%s'" % t.value[0] t.lexer.skip(1) import ply.lex as lex lex.lex() namespace = "global" symbols = [] def p_syms(p): 'syms : SYMBOL "{" elements "}"' print "# %s" % p[1] def p_elements(p): '''elements : element | element elements''' def p_element(p): '''element : SYMBOL ":" | SYMBOL ";"''' global namespace if p[2] == ':': namespace = p[1] else: symbols.append([namespace, p[1]]) def p_error(p): if p: print "Syntax error at '%s'" % p.value else: print "Syntax error at EOF" import ply.yacc as yacc yacc.yacc() lines = sys.stdin.readlines() for line in lines: yacc.parse(line) for symbol in symbols: if symbol[0] == "global": print "%s" % symbol[1] heimdal-1.7~git20150920+dfsg/cf/telnet.m4000066400000000000000000000036461257755311500176010ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl stuff used by telnet AC_DEFUN([rk_TELNET],[ AC_DEFINE(AUTHENTICATION, 1, [Define if you want 
authentication support in telnet.])dnl AC_DEFINE(ENCRYPTION, 1, [Define if you want encryption support in telnet.])dnl AC_DEFINE(DES_ENCRYPTION, 1, [Define if you want to use DES encryption in telnet.])dnl AC_DEFINE(DIAGNOSTICS, 1, [Define this to enable diagnostics in telnet.])dnl AC_DEFINE(OLD_ENVIRON, 1, [Define this to enable old environment option in telnet.])dnl if false; then AC_DEFINE(ENV_HACK, 1, [Define this if you want support for broken ENV_{VAR,VAL} telnets.]) fi # Simple test for streamspty, based on the existance of getmsg(), alas # this breaks on SunOS4 which have streams but BSD-like ptys # # And also something wierd has happend with dec-osf1, fallback to bsd-ptys case "$host" in *-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[[01]]*) ;; *) AC_CHECK_FUNC(getmsg) if test "$ac_cv_func_getmsg" = "yes"; then AC_CACHE_CHECK([if getmsg works], ac_cv_func_getmsg_works, AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include #include int main(int argc, char **argv) { int ret; ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL); if(ret < 0 && errno == ENOSYS) return 1; return 0; } ]])], [ac_cv_func_getmsg_works=yes], [ac_cv_func_getmsg_works=no], [ac_cv_func_getmsg_works=no])) if test "$ac_cv_func_getmsg_works" = "yes"; then AC_DEFINE(HAVE_GETMSG, 1, [Define if you have a working getmsg.]) AC_DEFINE(STREAMSPTY, 1, [Define if you have streams ptys.]) fi fi ;; esac AH_BOTTOM([ /* Set this to the default system lead string for telnetd * can contain %-escapes: %s=sysname, %m=machine, %r=os-release * %v=os-version, %t=tty, %h=hostname, %d=date and time */ #undef USE_IM /* Used with login -p */ #undef LOGIN_ARGS /* set this to a sensible login */ #ifndef LOGIN_PATH #define LOGIN_PATH BINDIR "/login" #endif ]) ]) heimdal-1.7~git20150920+dfsg/cf/test-package.m4000066400000000000000000000057731257755311500206610ustar00rootroot00000000000000dnl $Id$ dnl dnl rk_TEST_PACKAGE(package,headers,libraries,extra libs, dnl default locations, conditional, config-program, headers) 
AC_DEFUN([rk_TEST_PACKAGE],[ AC_ARG_WITH($1, AS_HELP_STRING([--with-$1=dir],[use $1 in dir])) AC_ARG_WITH($1-lib, AS_HELP_STRING([--with-$1-lib=dir],[use $1 libraries in dir]), [if test "$withval" = "yes" -o "$withval" = "no"; then AC_MSG_ERROR([No argument for --with-$1-lib]) elif test "X$with_$1" = "X"; then with_$1=yes fi]) AC_ARG_WITH($1-include, AS_HELP_STRING([--with-$1-include=dir],[use $1 headers in dir]), [if test "$withval" = "yes" -o "$withval" = "no"; then AC_MSG_ERROR([No argument for --with-$1-include]) elif test "X$with_$1" = "X"; then with_$1=yes fi]) AC_ARG_WITH($1-config, AS_HELP_STRING([--with-$1-config=path],[config program for $1])) m4_ifval([$6], m4_define([rk_pkgname], $6), m4_define([rk_pkgname], AS_TR_CPP($1))) AC_MSG_CHECKING(for $1) case "$with_$1" in yes|"") d='$5' ;; no) d= ;; *) d="$with_$1" ;; esac header_dirs= lib_dirs= for i in $d; do if test "$with_$1_include" = ""; then if test -d "$i/include/$1"; then header_dirs="$header_dirs $i/include/$1" fi if test -d "$i/include"; then header_dirs="$header_dirs $i/include" fi fi if test "$with_$1_lib" = ""; then if test -d "$i/lib$abilibdirext"; then lib_dirs="$lib_dirs $i/lib$abilibdirext" fi fi done if test "$with_$1_include"; then header_dirs="$with_$1_include $header_dirs" fi if test "$with_$1_lib"; then lib_dirs="$with_$1_lib $lib_dirs" fi if test "$with_$1_config" = ""; then with_$1_config='$7' fi $1_cflags= $1_libs= case "$with_$1_config" in yes|no|""|"$7") if test -f $with_$1/bin/$7 ; then with_$1_config=$with_$1/bin/$7 fi ;; esac case "$with_$1_config" in yes|no|"") ;; *) $1_cflags="`$with_$1_config --cflags 2>&1`" $1_libs="`$with_$1_config --libs 2>&1`" ;; esac found=no if test "$with_$1" != no; then save_CFLAGS="$CFLAGS" save_LIBS="$LIBS" if test "$[]$1_cflags" -a "$[]$1_libs"; then CFLAGS="$[]$1_cflags $save_CFLAGS" LIBS="$[]$1_libs $save_LIBS" m4_ifval([$8],[AC_CHECK_HEADERS([[$8]])]) AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[ INCLUDE_$1="$[]$1_cflags" LIB_$1="$[]$1_libs" 
AC_MSG_RESULT([from $with_$1_config]) found=yes]) fi if test "$found" = no; then ires= lres= for i in $header_dirs; do CFLAGS="-I$i $save_CFLAGS" m4_ifval([$8],[AC_CHECK_HEADERS([[$8]])]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[ires=$i;break]) done for i in $lib_dirs; do LIBS="-L$i $3 $4 $save_LIBS" AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[lres=$i;break]) done if test "$ires" -a "$lres" -a "$with_$1" != "no"; then INCLUDE_$1="-I$ires" LIB_$1="-L$lres $3 $4" found=yes AC_MSG_RESULT([headers $ires, libraries $lres]) fi fi CFLAGS="$save_CFLAGS" LIBS="$save_LIBS" fi if test "$found" = yes; then AC_DEFINE_UNQUOTED(rk_pkgname, 1, [Define if you have the $1 package.]) with_$1=yes else with_$1=no INCLUDE_$1= LIB_$1= AC_MSG_RESULT(no) fi AC_SUBST(INCLUDE_$1) AC_SUBST(LIB_$1) ]) heimdal-1.7~git20150920+dfsg/cf/valgrind-suppressions000066400000000000000000000027601257755311500223440ustar00rootroot00000000000000# $Id$ { linux db init brokenness Memcheck:Param pwrite64(buf) fun:do_pwrite64 fun:__os_io fun:__memp_pgwrite fun:__memp_fsync fun:__bam_read_root fun:__bam_open fun:__db_dbopen fun:__db_open fun:DB_open } { linux strerror Memcheck:Leak fun:_vgrZU_libcZdsoZa_malloc fun:rwlock_add_to_list fun:rwlock_have_already fun:pthread_rwlock_rdlock fun:__dcigettext fun:dcgettext fun:strerror_r fun:strerror } { linux db close brokenness Memcheck:Param pwrite64(buf) fun:do_pwrite64 fun:__os_io fun:__memp_pgwrite fun:__memp_fsync fun:__db_sync fun:__db_close fun:DB_close } { GLIBC 2.1.2 getservbyname defect Memcheck:Leak fun:_vgrZU_libcZdsoZa_malloc fun:strdup obj:* obj:* fun:getservbyname_r@@GLIBC_2.1.2 fun:getservbyname } { glibc getaddrinfo defect Memcheck:Leak fun:_vgrZU_libcZdsoZa_malloc fun:__libc_res_nsend fun:__libc_res_nquery fun:__libc_res_nquerydomain fun:__libc_res_nsearch obj:* fun:gaih_inet fun:getaddrinfo } { glibc dlopen failure called from /bin/ls Memcheck:Addr4 obj:/lib/ld-2.3.6.so obj:/lib/ld-2.3.6.so obj:/lib/ld-2.3.6.so } { Unknown suppression in 
runtime link editor Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so } { Unknown suppression in runtime link editor Memcheck:Addr4 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so } heimdal-1.7~git20150920+dfsg/cf/vararray.m4000066400000000000000000000007101257755311500201220ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl Test for variable size arrays. dnl AC_DEFUN([rk_C_VARARRAY], [ AC_CACHE_CHECK([if the compiler supports variable-length arrays],[rk_cv_c_vararray],[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x = 0; { int y[x]; }]])], [rk_cv_c_vararray=yes], [rk_cv_c_vararray=no])]) if test "$rk_cv_c_vararray" = yes; then AC_DEFINE([HAVE_VARIABLE_LENGTH_ARRAY], [1], [Define if your compiler supports variable-length arrays.]) fi ]) heimdal-1.7~git20150920+dfsg/cf/version-script.m4000066400000000000000000000016231257755311500212660ustar00rootroot00000000000000dnl check if ld supports --version-script dnl AC_DEFUN([rk_VERSIONSCRIPT],[ AC_CACHE_CHECK(for ld --version-script, rk_cv_version_script,[ rk_cv_version_script=no cat > conftest.map < conftest.c < \$def_name, "vs=s" => \$vs_name, "help|?" 
=> \$show_help) or pod2usage( -exitval => 2, -verbose => 3 ); pod2usage( -exitval => 1, -verbose => 3 ) if $show_help or !$def_name or !$vs_name; open (my $def, '<', $def_name) or die $!; open (my $vs, '<', $vs_name) or die $!; # First go through the version-script my $global = 0; while(<$vs>) { next unless m/^([^#]+)/; @a = split(/\s+|({|})/,$1); for $f (@a) { given ($f) { when (/global\:/) { $global = 1; } when (/{|}|.*\:/) { $global = 0; } when (/(.*)\;/ and $global == 1) { $syms{$1} = 1; } } } } while(<$def>) { next if m/^#/; next unless m/^;!([^;]+)/ or m/^([^;]+);?(!?)/; @a = split(/\s+/, $1); for $f (@a) { next if $f =~ /EXPORTS/ or $f =~ /DATA/ or not $f; if (not exists $syms{$f} and not $2) { print "$f: Only in DEF\n"; ++$def_only; } delete $syms{$f}; } } #while (($k,$v) = each %syms) { for $k (sort keys %syms) { print "$k: Only in VS\n"; ++$vs_only; } close($def); close($vs); if ($def_only or $vs_only) { print "\nMismatches found.\n"; exit(1); } __END__ =head1 NAME w32-sync-exported-symbols.pl - Synchronize Windows .def with version-script =head1 SYNOPSIS w32-sync-exported-symbols.pl {options} Options: --def Name of .def file --vs Name of version-script file =head1 DESCRIPTION Verifies that all the symbols exported by the version-script is also accounted for in the .def file. Also checks that no extra symbols are exported by the .def file unless they are marked as safe. =cut heimdal-1.7~git20150920+dfsg/cf/w32-def-from-dll.pl000066400000000000000000000126361257755311500212610ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2010, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. 
# # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # my $show_module_name = 1; my $use_indent = 1; my $strip_leading_underscore = 0; my $always_export = 0; my $module_name = ""; my $local_prefix = "SHIM_"; my %forward_exports = (); my %local_exports = (); sub build_forwarder_target_list($) { $fn = shift; print STDERR "Processing defs from file [$fn]\n"; open(SP, '-|', "dumpbin /exports \"".$fn."\"") or die "Can't open pipe for $fn"; LINE: while () { # 112 6F 00071CDC krb5_encrypt_size /^ +([[:digit:]]+)\s+[[:xdigit:]]+\s[[:xdigit:]]{8,}\s+(\S+)(?:| = (\S*))$/ && do { my ($ordinal, $symbol, $in) = ($1, $2, $3); if ($in eq "") { $in = $symbol }; $forward_exports{$symbol} = $in; }; } close SP; } # Dump all symbols for the given dll file that are defined and have # external scope. 
sub build_def_file($) { $fn = shift; print STDERR "Opening dump of DLL [$fn]\n"; open(SP, '-|', "dumpbin /exports \"".$fn."\"") or die "Can't open pipe for $fn"; LINE: while () { # 112 6F 00071CDC krb5_encrypt_size /^ +([[:digit:]]+)\s+[[:xdigit:]]+\s[[:xdigit:]]{8,}\s+(\S+)(?:| = (\S*))$/ && do { my ($ordinal, $symbol, $in) = ($1, $2, $3); if ($strip_leading_underscore && $symbol =~ /_(.*)/) { $symbol = $1; } if (exists $local_exports{$symbol}) { print "\t".$symbol; print " = ".$local_exports{$symbol}; if ($in ne $local_exports{$symbol} and $in ne "") { print STDERR "Incorrect calling convention for local $symbol\n"; print STDERR " ".$in." != ".$local_exports{$symbol}."\n"; } print "\t@".$ordinal."\n"; } elsif (exists $local_exports{$local_prefix.$symbol}) { print "\t".$symbol; print " = ".$local_exports{$local_prefix.$symbol}; print "\t@".$ordinal."\n"; } elsif (exists $forward_exports{$symbol}) { print "\t".$symbol; print " = ".$module_name; if ($in ne $forward_exports{$symbol} and $in ne "") { print STDERR "Incorrect calling convention for $symbol\n"; print STDERR " ".$in." != ".$forward_exports{$symbol}."\n"; } my $texp = $forward_exports{$symbol}; if ($texp =~ /^_([^@]+)$/) { $texp = $1; } print $texp."\t@".$ordinal."\n"; } elsif ($always_export) { print "\t".$symbol." 
= ".$local_prefix.$symbol; print "\t@".$ordinal."\n"; } else { print STDERR "Symbol not found: $symbol\n"; } }; } close SP; } sub build_local_exports_list($) { $fn = shift; print STDERR "Opening dump of object [$fn]\n"; open(SP, '-|', "dumpbin /symbols \"".$fn."\"") or die "Can't open pipe for $fn"; LINE: while () { # 009 00000010 SECT3 notype () External | _remove_error_table@4 m/^[[:xdigit:]]{3,}\s[[:xdigit:]]{8,}\s(\w+)\s+\w*\s+(?:\(\)| )\s+(\w+)\s+\|\s+(\S+)$/ && do { my ($section, $visibility, $symbol) = ($1, $2, $3); if ($section ne "UNDEF" && $visibility eq "External") { my $exp_name = $symbol; if ($symbol =~ m/^_(\w+)(?:@.*|)$/) { $exp_name = $1; } if ($symbol =~ m/^_([^@]+)$/) { $symbol = $1; } $local_exports{$exp_name} = $symbol; } }; } close SP; } sub process_file($) { $fn = shift; if ($fn =~ m/\.dll$/i) { build_def_file($fn); } elsif ($fn =~ m/\.obj$/i) { build_local_exports_list($fn); } else { die "File type not recognized for $fn."; } } sub use_response_file($) { $fn = shift; open (RF, '<', $fn) or die "Can't open response file $fn"; while () { /^(\S+)$/ && do { process_file($1); } } close RF; } print "; This is a generated file. Do not modify directly.\n"; print "EXPORTS\n"; for (@ARGV) { ARG: { /^-m(.*)$/ && do { $module_name = $1."."; last ARG; }; /^-l(.*)$/ && do { $local_prefix = $1."_"; last ARG; }; /^-a$/ && do { $always_export = 1; last ARG; }; /^-e(.*)$/ && do { build_forwarder_target_list($1); last ARG; }; /^@(.*)$/ && do { use_response_file($1); last ARG; }; process_file($_); } } heimdal-1.7~git20150920+dfsg/cf/w32-detect-vc-version.pl000066400000000000000000000034741257755311500223520ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2010, Secure Endpoints Inc. # All rights reserved. 
# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # # Try to detect the version of Visual C++ in use by parsing the output # of cl.exe. $cl_cmd = shift; die "C compiler command should be specified" if ($cl_cmd eq ''); open(CL, '-|', $cl_cmd." 2>&1") or die "Can't run C compiler command [$cl_cmd]"; $verline = ; if ($verline =~ /(\d+).(\d+).(\d+).(\d+)/) { print "Found Version: $1.$2.$3.$4\n"; exit $1 + 0; } else { print "Mismatch"; exit 1; } heimdal-1.7~git20150920+dfsg/cf/w32-hh-toc-from-info.pl000066400000000000000000000057611257755311500220660ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2010, Secure Endpoints Inc. # All rights reserved. 
# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # use HTML::TreeBuilder; my $input_file = "index.html"; my $toc_file = "toc.hhc"; for (@ARGV) { ARG: { /-o(.*)/ && do { $toc_file = $1; last ARG; }; $input_file = $_; } } print "Processing TOC in $input_file\n"; print "Writing to $toc_file\n"; open(TOC, '>', $toc_file) or die "Can't open $toc_file\n"; my $tree = HTML::TreeBuilder->new(); $tree->parse_file($input_file); my $contents = $tree->look_down('class', 'contents'); my $clist = $contents->find_by_tag_name('ul'); print TOC ' '; process_ul_element($clist, 0); print TOC ' '; sub process_ul_element { my $e = shift; my $level = shift; if ($e->tag() eq "ul") { print TOC ' 'x$level; print TOC "
    \n"; my @items = $e->content_list(); for (@items) { process_li_element($_, $level + 1); } print TOC ' 'x$level; print TOC "
\n"; } } sub process_li_element { my $e = shift; my $level = shift; if ($e->tag() eq "li") { my $a = $e->find_by_tag_name('a'); my $href = $a->attr('href'); my @ac = $a->content_list(); my $title = $ac[0]; print TOC " "x$level; print TOC "
  • \n"; my @items = $e->content_list(); for (@items) { process_ul_element($_, $level + 1); } } } heimdal-1.7~git20150920+dfsg/cf/w32-list-externs-from-objs.pl000066400000000000000000000057731257755311500233520ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2010, Secure Endpoints Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # my $show_module_name = 1; my $use_indent = 1; my $strip_leading_underscore = 0; # Dump all symbols for the given object file that are defined and have # external scope. 
sub dump_symbols_for_file($) { $fn = shift; print STDERR "Opening dump of object [$fn]\n"; open(SP, '-|', "dumpbin /symbols \"".$fn."\"") or die "Can't open pipe for $fn"; LINE: while () { # 008 00000000 SECT3 notype () External | _encode_AccessDescription /^[[:xdigit:]]{3,}\s[[:xdigit:]]{8,}\s(\w+)\s+\w*\s+(\(\)| )\s+(\w+)\s+\|\s+([0-9a-zA-Z\@\_]+)$/ && do { my ($section, $type, $visibility, $symbol) = ($1, $2, $3, $4); if ($section ne "UNDEF" && $visibility eq "External") { print $fn if $show_module_name; print "\t" if $use_indent || $show_module_name; if ($strip_leading_underscore && $symbol =~ /_(.*)/) { $symbol = $1; } if ($strip_leading_underscore && $symbol =~ /(.*)\@.*$/) { $symbol = $1; } print $symbol; if ($type ne "()") { print "\tDATA"; } print "\n"; } }; } close SP; } sub use_response_file($) { $fn = shift; open (RF, '<', $fn) or die "Can't open response file $fn"; while () { /(\S+)/ && do { dump_symbols_for_file($1); } } close RF; } for (@ARGV) { ARG: { /^-q$/ && do { $show_module_name = 0; last ARG; }; /^-1$/ && do { $use_indent = 0; last ARG; }; /^-u$/ && do { $strip_leading_underscore = 1; last ARG; }; /^@(.*)$/ && do { use_response_file($1); last ARG; }; dump_symbols_for_file($_); } } heimdal-1.7~git20150920+dfsg/cf/wflags.m4000066400000000000000000000021531257755311500175610ustar00rootroot00000000000000dnl $Id$ dnl dnl set WFLAGS AC_DEFUN([rk_WFLAGS],[ AC_ARG_ENABLE(developer, AS_HELP_STRING([--enable-developer], [enable developer warnings])) if test "X$enable_developer" = Xyes; then dwflags="-Werror" fi AM_CONDITIONAL(DEVELOPER_MODE, test "X$enable_developer" = Xyes) WFLAGS_NOUNUSED="" WFLAGS_NOIMPLICITINT="" if test -z "$WFLAGS" -a "$GCC" = "yes"; then # -Wno-implicit-int for broken X11 headers # leave these out for now: # -Wcast-align doesn't work well on alpha osf/1 # -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast # -Wmissing-declarations -Wnested-externs # -Wstrict-overflow=5 WFLAGS="ifelse($#, 0,-Wall, $1) $dwflags" 
WFLAGS_NOIMPLICITINT="-Wno-implicit-int" # # WFLAGS_LITE can be appended to WFLAGS to turn off a host of warnings # that fail for various bits of older code in appl/. Let's not use it # for the main libraries, though. WFLAGS_LITE="-Wno-extra -Wno-missing-field-initializers -Wno-strict-aliasing -Wno-shadow" # -Wno-unused-result (not supported on gcc-4.2) fi AC_SUBST(WFLAGS)dnl AC_SUBST(WFLAGS_LITE)dnl AC_SUBST(WFLAGS_NOIMPLICITINT)dnl ]) heimdal-1.7~git20150920+dfsg/cf/win32.m4000066400000000000000000000005121257755311500172350ustar00rootroot00000000000000dnl $Id$ dnl rk_WIN32_EXPORT buildsymbol symbol-that-export AC_DEFUN([rk_WIN32_EXPORT],[AH_TOP([#ifdef $1 #ifndef $2 #ifdef _WIN32_ #define $2_FUNCTION __declspec(dllexport) #define $2_CALL __stdcall #define $2_VARIABLE __declspec(dllexport) #else #define $2_FUNCTION #define $2_CALL #define $2_VARIABLE #endif #endif #endif ])]) heimdal-1.7~git20150920+dfsg/cf/with-all.m4000066400000000000000000000015221257755311500200160ustar00rootroot00000000000000dnl dnl $Id$ dnl dnl AC_WITH_ALL(name) AC_DEFUN([AC_WITH_ALL], [ AC_ARG_WITH($1, AS_HELP_STRING([--with-$1=dir], [use $1 in dir])) AC_ARG_WITH($1-lib, AS_HELP_STRING([--with-$1-lib=dir], [use $1 libraries in dir]), [if test "$withval" = "yes" -o "$withval" = "no"; then AC_MSG_ERROR([No argument for --with-$1-lib]) elif test "X$with_$1" = "X"; then with_$1=yes fi]) AC_ARG_WITH($1-include, AS_HELP_STRING([--with-$1-include=dir], [use $1 headers in dir]), [if test "$withval" = "yes" -o "$withval" = "no"; then AC_MSG_ERROR([No argument for --with-$1-include]) elif test "X$with_$1" = "X"; then with_$1=yes fi]) case "$with_$1" in yes) ;; no) ;; "") ;; *) if test "$with_$1_include" = ""; then with_$1_include="$with_$1/include" fi if test "$with_$1_lib" = ""; then with_$1_lib="$with_$1/lib$abilibdirext" fi ;; esac ])heimdal-1.7~git20150920+dfsg/configure.ac000066400000000000000000000410321257755311500177310ustar00rootroot00000000000000dnl Process this file with autoconf to 
produce a configure script. AC_REVISION($Revision$) AC_PREREQ(2.62) test -z "$CFLAGS" && CFLAGS="-g" AC_INIT([Heimdal],[1.6.99],[heimdal-bugs@h5l.org]) AC_CONFIG_SRCDIR([kuser/kinit.c]) AC_CONFIG_HEADERS(include/config.h) AC_CONFIG_MACRO_DIR([cf]) AM_INIT_AUTOMAKE([foreign 1.11]) AM_MAINTAINER_MODE LT_PREREQ([2.2]) LT_INIT([shared static win32-dll]) dnl Checks for programs. AC_PROG_CC AM_PROG_CC_C_O AC_PROG_CPP m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) AC_PREFIX_DEFAULT(/usr/heimdal) test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' test "$localstatedir" = '${prefix}/var' && localstatedir='/var/heimdal' AC_CANONICAL_HOST CANONICAL_HOST=$host AC_SUBST(CANONICAL_HOST) rk_SYS_LARGEFILE rk_AIX rk_IRIX rk_SUNOS dnl dnl this is needed to run the configure tests against glibc dnl AC_DEFINE([_GNU_SOURCE], 1, [Define to enable extensions on glibc-based systems such as Linux.]) AC_OBJEXT AC_EXEEXT dnl AC_KRB_PROG_YACC AC_PROG_YACC AM_PROG_LEX dnl AC_PROG_RANLIB AC_PROG_AWK AC_KRB_PROG_LN_S AC_MIPS_ABI CC="$CC $abi" libdir="$libdir$abilibdirext" AC_C___ATTRIBUTE__ AM_CONDITIONAL(ENABLE_SHARED, test "$enable_shared" = "yes") rk_VERSIONSCRIPT dnl dnl Helper bits for cross compiling dnl AM_CONDITIONAL(CROSS_COMPILE, test "${cross_compiling}" = yes) AC_ARG_WITH(cross-tools, AS_HELP_STRING([--with-cross-tools=dir], [use cross tools in dir]), [if test "$withval" = "yes"; then AC_MSG_ERROR([Need path to cross tools]) fi with_cross_tools="${with_cross_tools}/" ]) if test "${cross_compiling}" != yes ; then ASN1_COMPILE="\$(top_builddir)/lib/asn1/asn1_compile\$(EXEEXT)" SLC="\$(top_builddir)/lib/sl/slc" ASN1_COMPILE_DEP="\$(ASN1_COMPILE)" SLC_DEP="\$(SLC)" else ASN1_COMPILE="${with_cross_tools}asn1_compile" SLC="${with_cross_tools}slc" ASN1_COMPILE_DEP= SLC_DEP= ac_cv_prog_COMPILE_ET=${with_cross_tools}compile_et fi AC_SUBST([ASN1_COMPILE]) AC_SUBST([ASN1_COMPILE_DEP]) AC_SUBST([SLC]) AC_SUBST([SLC_DEP]) dnl --- AC_DEFINE(HEIM_WEAK_CRYPTO, 1, [Define if you want 
support for weak crypto]) rk_TEST_PACKAGE(openldap, [#include #include ], [-lldap -llber],,,OPENLDAP) AC_ARG_ENABLE(hdb-openldap-module, AS_HELP_STRING([--enable-hdb-openldap-module], [if you want support to build openldap hdb as shared object])) if test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes; then AC_DEFINE(OPENLDAP_MODULE, 1, [Define if you want support for hdb ldap module]) fi AM_CONDITIONAL(OPENLDAP_MODULE, test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes) dnl dnl Optional modules, pk-init, digest, kx509 dnl AC_ARG_ENABLE(pk-init, AS_HELP_STRING([--disable-pk-init], [if you want disable to PK-INIT support])) if test "$enable_pk_init" != no ;then AC_DEFINE([PKINIT], 1, [Define to enable PKINIT.]) fi AM_CONDITIONAL(PKINIT, test "$enable_pk_init" != no) AC_ARG_ENABLE(digest, AS_HELP_STRING([--disable-digest], [if you want disable to DIGEST support])) if test "$enable_digest" != no ;then AC_DEFINE([DIGEST], 1, [Define to enable DIGEST.]) fi AC_ARG_ENABLE(kx509, AS_HELP_STRING([--disable-kx509], [if you want disable to kx509 support])) if test "$enable_kx509" != no ;then AC_DEFINE([KX509], 1, [Define to enable kx509.]) fi dnl Need to test if pkg-config exists PKG_PROG_PKG_CONFIG dnl libcap-ng AC_ARG_WITH([capng], AC_HELP_STRING([--with-capng], [use libcap-ng to drop KDC privileges @<:@default=check@:>@]), [], [with_capng=check]) if test "$with_capng" != "no"; then PKG_CHECK_MODULES([CAPNG], [libcap-ng >= 0.4.0], [with_capng=yes],[with_capng=no]) fi if test "$with_capng" = "yes"; then AC_DEFINE_UNQUOTED([HAVE_CAPNG], 1, [whether capng is available for privilege reduction]) fi AM_CONDITIONAL([HAVE_CAPNG], [test "$with_capng" != "no"]) AC_SUBST([CAPNG_CFLAGS]) AC_SUBST([CAPNG_LIBS]) dnl Check for sqlite rk_TEST_PACKAGE(sqlite3, [#include #ifndef SQLITE_OPEN_CREATE #error "old version" #endif], [-lsqlite3],,,SQLITE3) if test "X$with_sqlite3" != Xyes ; then INCLUDE_sqlite3="-I\$(top_srcdir)/lib/sqlite" 
LIB_sqlite3="\$(top_builddir)/lib/sqlite/libheimsqlite.la" fi AM_CONDITIONAL(SQLITE3, test "X$with_sqlite3" = Xyes) AC_DEFINE(HAVE_SQLITE3, 1, [Define if you want support for sqlite in Heimdal.]) AC_ARG_ENABLE(sqlite-cache, AS_HELP_STRING([--disable-sqlite-cache],[if you want support for cache in sqlite])) if test "$enable_sqlite_cache" != no; then AC_DEFINE(HAVE_SCC, 1, [Define if you want support for cache in sqlite.]) fi AM_CONDITIONAL(have_scc, test "$enable_sqlite_cache" != no) dnl check for libintl rk_TEST_PACKAGE(libintl, [#include ], [-lintl],,,LIBINTL) dnl path where the hdb directory is stored AC_ARG_WITH([hdbdir], [AS_HELP_STRING([--with-hdbdir],[Default location for KDC database @<:@default=/var/heimdal@:>@])], [], [with_hdbdir=/var/heimdal]) DIR_hdbdir="$with_hdbdir" AC_SUBST([DIR_hdbdir]) AM_CONDITIONAL(KRB5, true) AM_CONDITIONAL(do_roken_rename, true) AC_DEFINE(SUPPORT_INETD, 1, [Enable use of inetd style startup.])dnl AC_DEFINE(KRB5, 1, [Enable Kerberos 5 support in applications.])dnl AC_SUBST(LIB_kdb)dnl KRB_CRYPTO KRB_PTHREADS AC_ARG_ENABLE(dce, AS_HELP_STRING([--enable-dce],[if you want support for DCE/DFS PAG's])) if test "$enable_dce" = yes; then AC_DEFINE(DCE, 1, [Define if you want support for DCE/DFS PAG's.]) fi AM_CONDITIONAL(DCE, test "$enable_dce" = yes) ## XXX quite horrible: if test -f /etc/ibmcxx.cfg; then dpagaix_ldadd=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/libraries/{;s/^[[^=]]*=\(.*\)/\1/;s/,/ /gp;}'` dpagaix_cflags=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/options/{;s/^[[^=]]*=\(.*\)/\1/;s/-q[^,]*//;s/,/ /gp;}'` dpagaix_ldflags= else dpagaix_cflags="-D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce" dpagaix_ldadd="-L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r" dpagaix_ldflags="-Wl,-bI:dfspag.exp" fi AC_SUBST(dpagaix_cflags) AC_SUBST(dpagaix_ldadd) AC_SUBST(dpagaix_ldflags) AC_ARG_ENABLE([afs-support], 
AS_HELP_STRING([--disable-afs-support],[if you don't want support for AFS])) if test "$enable_afs_support" = no; then AC_DEFINE(NO_AFS, 1, [Define if you don't wan't support for AFS.]) NO_AFS="1" fi AC_SUBST(NO_AFS)dnl rk_DB dnl AC_ROKEN(10,[/usr/heimdal /usr/athena],[lib/roken],[$(top_builddir)/lib/roken/libroken.la],[-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken]) rk_ROKEN(lib/roken) LIBADD_roken="$LIB_roken" AC_SUBST(LIBADD_roken)dnl LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken" rk_OTP rk_LIBDISPATCH AC_CHECK_OSFC2 AC_ARG_ENABLE(mmap, AS_HELP_STRING([--disable-mmap],[disable use of mmap])) if test "$enable_mmap" = "no"; then AC_DEFINE(NO_MMAP, 1, [Define if you don't want to use mmap.]) fi AC_ARG_ENABLE(afs-string-to-key, AS_HELP_STRING([--disable-afs-string-to-key], [disable use of weak AFS string-to-key functions]), [], [enable_afs_string_to_key=yes]) if test "$enable_afs_string_to_key" = "yes"; then AC_DEFINE(ENABLE_AFS_STRING_TO_KEY, 1, [Define if want to use the weak AFS string to key functions.]) fi rk_CHECK_MAN rk_TEST_PACKAGE(readline, [#include #if defined(HAVE_READLINE_READLINE_H) #include #elif defined(HAVE_READLINE_H) #include #endif ],-lreadline,,, READLINE,, [readline.h readline/readline.h]) rk_TEST_PACKAGE(libedit, [#include #if defined(HAVE_READLINE_READLINE_H) #include #elif defined(HAVE_READLINE_H) #include #endif ],-ledit,,, READLINE,, [readline.h readline/readline.h]) AC_CONFIG_SUBDIRS([lib/libedit]) rk_TEST_PACKAGE(hesiod,[#include ],-lhesiod,,, HESIOD) KRB_C_BIGENDIAN AC_C_INLINE KRB_CHECK_X AM_CONDITIONAL(HAVE_X, test "$no_x" != yes) AC_CHECK_XAU dnl AM_C_PROTOTYPES dnl Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_TYPE_OFF_T AC_CHECK_TYPE_EXTRA(mode_t, unsigned short, []) AC_CHECK_TYPE_EXTRA(sig_atomic_t, int, [#include ]) AC_HAVE_TYPE([long long]) AC_HEADER_TIME AC_STRUCT_TM dnl Checks for header files. 
AC_HEADER_STDC AC_CHECK_HEADERS([\ CommonCrypto/CommonDigest.h \ CommonCrypto/CommonCryptor.h \ arpa/ftp.h \ arpa/telnet.h \ bind/bitypes.h \ bsdsetjmp.h \ curses.h \ dlfcn.h \ execinfo.h \ fnmatch.h \ inttypes.h \ io.h \ libutil.h \ limits.h \ maillock.h \ netgroup.h \ netinet/in6_machtypes.h \ pthread.h \ pty.h \ sac.h \ sgtty.h \ siad.h \ signal.h \ strings.h \ stropts.h \ sys/bitypes.h \ sys/category.h \ sys/file.h \ sys/filio.h \ sys/ioccom.h \ sys/mman.h \ sys/param.h \ sys/pty.h \ sys/ptyio.h \ sys/select.h \ sys/socket.h \ sys/str_tty.h \ sys/stream.h \ sys/stropts.h \ sys/syscall.h \ sys/termio.h \ sys/timeb.h \ sys/times.h \ sys/types.h \ sys/un.h \ locale.h \ termcap.h \ termio.h \ termios.h \ time.h \ tmpdir.h \ udb.h \ util.h \ utmp.h \ utmpx.h \ ]) dnl On Solaris 8 there's a compilation warning for term.h because dnl it doesn't define `bool'. AC_CHECK_HEADERS(term.h, , , -) dnl aix have asl.h (A/IX screen library) that we don't want AC_CHECK_HEADERS(asl.h, , , [ #include #ifndef ASL_STRING_EMERG #error ASL_STRING_EMERG missing #endif]) AC_CHECK_HEADERS(net/if.h, , , [AC_INCLUDES_DEFAULT #if HAVE_SYS_SOCKET_H #include #endif]) AC_CHECK_HEADERS(sys/ptyvar.h, , , [AC_INCLUDES_DEFAULT #if HAVE_SYS_TTY_H #include #endif]) AC_CHECK_HEADERS(sys/strtty.h, , , [AC_INCLUDES_DEFAULT #if HAVE_TERMIOS_H #include #endif #if HAVE_SYS_STREAM_H #include #endif]) AC_CHECK_HEADERS(sys/ucred.h, , , [AC_INCLUDES_DEFAULT #if HAVE_SYS_TYPES_H #include #endif #if HAVE_SYS_PARAM_H #include #endif]) AC_CHECK_HEADERS(security/pam_modules.h, , , [AC_INCLUDES_DEFAULT #include ]) dnl export symbols rk_WIN32_EXPORT(BUILD_KRB5_LIB, KRB5_LIB) rk_WIN32_EXPORT(BUILD_ROKEN_LIB, ROKEN_LIB) rk_WIN32_EXPORT(BUILD_GSSAPI_LIB, GSSAPI_LIB) dnl Checks for libraries. 
AC_FIND_FUNC_NO_LIBS(logwtmp, util,[ #ifdef HAVE_UTIL_H #include #endif ],[0,0,0]) AC_FIND_FUNC_NO_LIBS(logout, util,[ #ifdef HAVE_UTIL_H #include #endif ],[0]) AC_FIND_FUNC_NO_LIBS(openpty, util,[ #ifdef HAVE_UTIL_H #include #endif ],[0,0,0,0,0]) AC_FIND_FUNC_NO_LIBS(tgetent, termcap ncurses curses,[ #ifdef HAVE_TERMCAP_H #include #endif #ifdef HAVE_CURSES_H #include #endif ],[0,0]) dnl Checks for library functions. AC_CHECK_FUNCS([ \ _getpty \ _scrsize \ arc4random \ backtrace \ fcntl \ getpeereid \ getpeerucred \ grantpt \ mktime \ ptsname \ rand \ revoke \ select \ setitimer \ setpcred \ setpgid \ setproctitle \ setregid \ setresgid \ setresuid \ setreuid \ setsid \ setutent \ sigaction \ strstr \ ttyname \ ttyslot \ umask \ unlockpt \ vhangup \ yp_get_default_domain \ ]) AC_MSG_CHECKING([checking for __sync_add_and_fetch]) AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[unsigned int foo, bar; bar = __sync_add_and_fetch(&foo, 1);]])], [ac_rk_have___sync_add_and_fetch=yes], [ac_rk_have___sync_add_and_fetch=no]) if test "$ac_rk_have___sync_add_and_fetch" = "yes" ; then AC_DEFINE_UNQUOTED(HAVE___SYNC_ADD_AND_FETCH, 1, [have __sync_add_and_fetch]) fi AC_MSG_RESULT($ac_rk_have___sync_add_and_fetch) AC_FUNC_MMAP KRB_CAPABILITIES rk_DLADDR AC_CHECK_GETPWNAM_R_POSIX dnl detect doors on solaris if test "$enable_pthread_support" != no; then saved_LIBS="$LIBS" LIBS="$LIBS $PTHREADS_LIBS" AC_FIND_FUNC_NO_LIBS(door_create, door) LIBS="$saved_LIBS" fi AC_ARG_ENABLE(kcm, AS_HELP_STRING([--enable-kcm],[enable Kerberos Credentials Manager]), ,[enable_kcm=yes]) if test "$enable_kcm" = yes ; then if test "$ac_cv_header_sys_un_h" != yes -a "$ac_cv_funclib_door_create" != yes ; then enable_kcm=no fi fi if test "$enable_kcm" = yes; then AC_DEFINE(HAVE_KCM, 1, [Define if you want to use the Kerberos Credentials Manager.]) fi AM_CONDITIONAL(KCM, test "$enable_kcm" = yes) dnl Cray stuff AC_CHECK_FUNCS(getudbnam setlim) dnl AC_KRB_FUNC_GETCWD_BROKEN dnl dnl Check for fields in struct 
utmp dnl AC_HAVE_STRUCT_FIELD(struct utmp, ut_addr, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmp, ut_host, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmp, ut_id, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmp, ut_pid, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmp, ut_type, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmp, ut_user, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_host, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_id, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_line, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_pid, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_tv, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_type, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_user, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_exit, [#include ]) AC_HAVE_STRUCT_FIELD(struct utmpx, ut_syslen, [#include ]) AC_CHECK_TYPES([int8_t, int16_t, int32_t, int64_t, u_int8_t, u_int16_t, u_int32_t, u_int64_t, uint8_t, uint16_t, uint32_t, uint64_t],,,[ #ifdef HAVE_INTTYPES_H #include #endif #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_BITYPES_H #include #endif #ifdef HAVE_BIND_BITYPES_H #include #endif #ifdef HAVE_NETINET_IN6_MACHTYPES_H #include #endif ]) rk_FRAMEWORK_SECURITY KRB_READLINE rk_TELNET dnl Some operating systems already have com_err and compile_et CHECK_COMPILE_ET rk_AUTH_MODULES([sia afskauthlib]) rk_DESTDIRS rk_WFLAGS([-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs]) AH_BOTTOM([#ifdef __APPLE__ #include #endif]) AH_BOTTOM([#ifdef ROKEN_RENAME #include "roken_rename.h" #endif]) AC_ARG_ENABLE(heimdal-documentation, AS_HELP_STRING([--disable-heimdal-documentation], [if you want disable to heimdal documentation])) AM_CONDITIONAL(HEIMDAL_DOCUMENTATION, test "$enable_heimdal_documentation" != no) AC_CONFIG_FILES(Makefile \ etc/Makefile \ include/Makefile \ include/gssapi/Makefile \ include/hcrypto/Makefile \ include/kadm5/Makefile \ lib/Makefile \ lib/base/Makefile \ 
lib/asn1/Makefile \ lib/com_err/Makefile \ lib/hcrypto/Makefile \ lib/hx509/Makefile \ lib/gssapi/Makefile \ lib/ntlm/Makefile \ lib/hdb/Makefile \ lib/ipc/Makefile \ lib/kadm5/Makefile \ lib/kafs/Makefile \ lib/kdfs/Makefile \ lib/krb5/Makefile \ lib/otp/Makefile \ lib/roken/Makefile \ lib/sl/Makefile \ lib/sqlite/Makefile \ lib/vers/Makefile \ lib/wind/Makefile \ po/Makefile \ kuser/Makefile \ kpasswd/Makefile \ kadmin/Makefile \ admin/Makefile \ kcm/Makefile \ kdc/Makefile \ appl/Makefile \ appl/afsutil/Makefile \ appl/dbutils/Makefile \ appl/ftp/Makefile \ appl/ftp/common/Makefile \ appl/ftp/ftp/Makefile \ appl/ftp/ftpd/Makefile \ appl/gssmask/Makefile \ appl/login/Makefile \ appl/otp/Makefile \ appl/push/Makefile \ appl/su/Makefile \ appl/test/Makefile \ appl/kf/Makefile \ appl/dceutils/Makefile \ tests/Makefile \ tests/bin/Makefile \ tests/can/Makefile \ tests/db/Makefile \ tests/kdc/Makefile \ tests/ldap/Makefile \ tests/gss/Makefile \ tests/java/Makefile \ tests/plugin/Makefile \ packages/Makefile \ packages/mac/Makefile \ doc/Makefile \ tools/Makefile \ ) AC_OUTPUT dnl dnl This is the release version name-number[beta] dnl cat > include/newversion.h.in </dev/null | sed 1q` Date=`date` mv -f include/newversion.h.in include/version.h.in sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h fi heimdal-1.7~git20150920+dfsg/doc/000077500000000000000000000000001257755311500162105ustar00rootroot00000000000000heimdal-1.7~git20150920+dfsg/doc/Makefile.am000066400000000000000000000071131257755311500202460ustar00rootroot00000000000000# $Id$ include $(top_srcdir)/Makefile.am.common AUTOMAKE_OPTIONS = no-texinfo.tex MAKEINFOFLAGS = --css-include=$(srcdir)/heimdal.css TEXI2DVI = true # ARGH, make distcheck can't be disabled to not build dvifiles info_TEXINFOS = heimdal.texi hx509.texi dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \ -e 's,[@]objdir[@],.,g' \ -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' 
hcrypto.dxy: hcrypto.din Makefile $(dxy_subst) < $(srcdir)/hcrypto.din > hcrypto.dxy.tmp chmod +x hcrypto.dxy.tmp mv hcrypto.dxy.tmp hcrypto.dxy hdb.dxy: hdb.din Makefile $(dxy_subst) < $(srcdir)/hdb.din > hdb.dxy.tmp chmod +x hdb.dxy.tmp mv hdb.dxy.tmp hdb.dxy base.dxy: base.din Makefile $(dxy_subst) < $(srcdir)/base.din > base.dxy.tmp chmod +x base.dxy.tmp mv base.dxy.tmp base.dxy hx509.dxy: hx509.din Makefile $(dxy_subst) < $(srcdir)/hx509.din > hx509.dxy.tmp chmod +x hx509.dxy.tmp mv hx509.dxy.tmp hx509.dxy gssapi.dxy: gssapi.din Makefile $(dxy_subst) < $(srcdir)/gssapi.din > gssapi.dxy.tmp chmod +x gssapi.dxy.tmp mv gssapi.dxy.tmp gssapi.dxy krb5.dxy: krb5.din Makefile $(dxy_subst) < $(srcdir)/krb5.din > krb5.dxy.tmp chmod +x krb5.dxy.tmp mv krb5.dxy.tmp krb5.dxy ntlm.dxy: ntlm.din Makefile $(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp chmod +x ntlm.dxy.tmp mv ntlm.dxy.tmp ntlm.dxy wind.dxy: wind.din Makefile $(dxy_subst) < $(srcdir)/wind.din > wind.dxy.tmp chmod +x wind.dxy.tmp mv wind.dxy.tmp wind.dxy texi_subst = sed -e 's,[@]dbdir[@],$(localstatedir),g' \ -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' vars.texi: vars.tin Makefile $(texi_subst) < $(srcdir)/vars.tin > vars.texi.tmp chmod +x vars.texi.tmp mv vars.texi.tmp vars.texi PROJECTS = base hdb hx509 gssapi krb5 ntlm wind if !HAVE_OPENSSL PROJECTS += hcrypto endif doxyout doxygen: base.dxy hdb.dxy hx509.dxy hcrypto.dxy gssapi.dxy krb5.dxy ntlm.dxy wind.dxy @find $(srcdir)/doxyout -type d ! 
-perm -200 -exec chmod u+w {} ';' ; \ rm -rf $(srcdir)/doxyout ; \ mkdir $(srcdir)/doxyout ; \ for a in $(PROJECTS) ; do \ echo $$a ; \ doxygen $$a.dxy; \ (cd $(srcdir)/doxyout && find $$a/man -type f > $$a/manpages ) ; \ done install-data-hook: install-doxygen-manpage uninstall-hook: uninstall-doxygen-manpage dist-hook: doxygen install-doxygen-manpage: for a in $(PROJECTS) ; do \ f="$(srcdir)/doxyout/$$a/manpages" ; \ test -f $$f || continue ; \ echo "install $$a manual pages $$(wc -l < $$f)" ; \ while read x ; do \ section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \ $(mkinstalldirs) "$(DESTDIR)$(mandir)/man$$section" ; \ $(INSTALL_DATA) $(srcdir)/doxyout/$$x "$(DESTDIR)$(mandir)/man$$section" ; \ done < $$f ; \ done ; exit 0 uninstall-doxygen-manpage: @for a in $(PROJECTS) ; do \ f="$(srcdir)/doxyout/$$a/manpages" ; \ test -f $$f || continue ; \ echo "removing $$a manual pages" ; \ while read x ; do \ section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \ base=`basename $$x` ; \ rm "$(DESTDIR)$(mandir)/man$$section/$$base" ; \ done < $$f ; \ done heimdal_TEXINFOS = \ ack.texi \ apps.texi \ copyright.texi \ heimdal.texi \ install.texi \ intro.texi \ kerberos4.texi \ migration.texi \ misc.texi \ programming.texi \ setup.texi \ vars.texi \ whatis.texi \ win2k.texi EXTRA_DIST = \ NTMakefile \ doxyout \ footer.html \ gssapi.din \ hdb.din \ hcrypto.din \ header.html \ heimdal.css \ base.din \ hx509.din \ krb5.din \ ntlm.din \ init-creds \ latin1.tex \ layman.asc \ doxytmpl.dxy \ wind.din \ vars.tin CLEANFILES = \ hcrypto.dxy* \ base.dxy* \ hx509.dxy* \ hdb.dxy* \ gssapi.dxy* \ krb5.dxy* \ ntlm.dxy* \ wind.dxy* \ vars.texi* heimdal-1.7~git20150920+dfsg/doc/NTMakefile000066400000000000000000000071111257755311500201120ustar00rootroot00000000000000######################################################################## # # Copyright (c) 2009, Secure Endpoints Inc. # All rights reserved. 
# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # - Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. 
# RELDIR=doc !include ../windows/NTMakefile.w32 heimdal_TEXINFOS = \ $(OBJ)\ack.texi \ $(OBJ)\apps.texi \ $(OBJ)\copyright.texi \ $(OBJ)\heimdal.texi \ $(OBJ)\install.texi \ $(OBJ)\intro.texi \ $(OBJ)\kerberos4.texi \ $(OBJ)\migration.texi \ $(OBJ)\misc.texi \ $(OBJ)\programming.texi \ $(OBJ)\setup.texi \ $(OBJ)\vars.texi \ $(OBJ)\whatis.texi \ $(OBJ)\win2k.texi hx509_TEXINFOS = \ $(OBJ)\hx509.texi {}.texi{$(OBJ)}.texi: $(CP) $** $@ {}.tin{$(OBJ)}.texi: $(SED) -e "s,[@]dbdir[@],x,g" \ -e "s,[@]PACKAGE_VERSION[@],$(VER_PACKAGE_VERSION),g" < $** > $@ MAKEINFOFLAGS = --css-include=$(SRCDIR)/heimdal.css ###################################################################### # Build heimdal.chm # Copyrights-and-Licenses.html is where the table of contents ends up # when generating HTML output using makeinfo. Same goes for # How-to-use-the-PKCS11-module.html below. $(OBJ)\heimdal\index.html $(OBJ)\heimdal\Copyrights-and-Licenses.html: $(heimdal_TEXINFOS) cd $(OBJ) $(MAKEINFO) $(MAKEINFOFLAGS) --html heimdal.texi cd $(SRCDIR) $(OBJ)\heimdal\toc.hhc: $(OBJ)\heimdal\Copyrights-and-Licenses.html $(PERL) $(SRC)\cf\w32-hh-toc-from-info.pl -o$@ $** $(OBJ)\heimdal\heimdal.hhp: heimdal.hhp $(CP) $** $@ $(DOCDIR)\heimdal.chm: $(OBJ)\heimdal\heimdal.hhp $(OBJ)\heimdal\toc.hhc cd $(OBJ)\heimdal -$(HHC) heimdal.hhp $(CP) heimdal.chm $@ cd $(SRCDIR) ###################################################################### # Build hx509.chm $(OBJ)\hx509\index.html $(OBJ)\hx509\How-to-use-the-PKCS11-module.html: $(hx509_TEXINFOS) cd $(OBJ) $(MAKEINFO) $(MAKEINFOFLAGS) --html hx509.texi cd $(SRCDIR) $(OBJ)\hx509\toc.hhc: $(OBJ)\hx509\How-to-use-the-PKCS11-module.html $(PERL) $(SRC)\cf\w32-hh-toc-from-info.pl -o$@ $** $(OBJ)\hx509\hx509.hhp: hx509.hhp $(CP) $** $@ $(DOCDIR)\hx509.chm: $(OBJ)\hx509\hx509.hhp $(OBJ)\hx509\toc.hhc cd $(OBJ)\hx509 -$(HHC) hx509.hhp $(CP) hx509.chm $@ cd $(SRCDIR) !ifndef NO_DOC all:: $(OBJ)\heimdal\index.html $(OBJ)\hx509\index.html \ $(DOCDIR)\heimdal.chm 
$(DOCDIR)\hx509.chm !endif clean:: -$(RM) $(OBJ)\heimdal\*.* -$(RM) $(OBJ)\hx509\*.* -$(RM) $(DOCDIR)\heimdal.chm -$(RM) $(DOCDIR)\hx509.chm .SUFFIXES: .texi .tin heimdal-1.7~git20150920+dfsg/doc/ack.texi000066400000000000000000000065101257755311500176430ustar00rootroot00000000000000@c $Id$ @node Acknowledgments, Copyrights and Licenses, Migration, Top @comment node-name, next, previous, up @appendix Acknowledgments Eric Young wrote ``libdes''. Heimdal used to use libdes; without it kth-krb would never have existed. Since there is no longer any Eric Young code left in the library, we renamed it to libhcrypto. All functions in libhcrypto have been re-implemented or use available public domain code. The core AES functions were written by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto. The core DES SBOX transformation was written by Richard Outerbridge. @code{imath}, which is used for public key crypto support, was written by Michael J. Fromberger. The University of California at Berkeley initially wrote @code{telnet} and @code{telnetd}. The authentication and encryption code of @code{telnet} and @code{telnetd} was added by David Borman (then of Cray Research, Inc). The encryption code was removed when this was exported and then added back by Juha Eskelinen. The @code{popper} was also a Berkeley program initially. Some of the functions in @file{libroken} also come from Berkeley by way of NetBSD/FreeBSD. @code{editline} was written by Simmule Turner and Rich Salz. Heimdal contains a modified copy. The @code{getifaddrs} implementation for Linux was written by Hideaki YOSHIFUJI for the Usagi project. The @code{pkcs11.h} header file was written by the Scute project. Bugfixes, documentation, encouragement, and code have been contributed by: @table @asis @item Alexander Boström @item Allan McRae @item Andrew Bartlett @item Andrew Cobaugh @item Andrew Tridge @item Anton Lundin @item Asanka Herath @item Björn Grönvall @item Björn Sandell @item Björn Schlögl @item Brandon S. 
Allbery KF8NH @item Brian A May @item Buck Huppmann @item Cacdric Schieli @item Chaskiel M Grundman @item Christos Zoulas @item Cizzi Storm @item Daniel Kouril @item David Love @item David Markey @item David R Boldt @item Derrick J Brashear @item Donald Norwood @item Douglas E Engert @item Frank van der Linden @item Gabor Gombas @item Guido Günther @item Guillaume Rousse @item Harald Barth @item Ingo Schwarze @item Jacques A. Vidrine @item Jaideep Padhye @item Jan Rekorajski @item Jason McIntyre @item Jeffrey Altman @item Jelmer Vernooij @item Joerg Pulz @item Johan Danielsson @item Johan Gadsjö @item Johan Ihrén @item John Center @item Jun-ichiro itojun Hagino @item KAMADA Ken'ichi @item Kamen Mazdrashki @item Karolin Seeger @item Ken Hornstein @item Love Hörnquist Åstrand @item Luke Howard @item Magnus Ahltorp @item Magnus Holmberg @item Marc Horowitz @item Mario Strasser @item Mark Eichin @item Martin von Gagern @item Matthias Dieter Wallnöfer @item Matthieu Patou @item Mattias Amnefelt @item Michael B Allen @item Michael Fromberger @item Michal Vocu @item Milosz Kmieciak @item Miroslav Ruda @item Mustafa A. Hashmi @item Nicolas Williams @item Patrik Lundin @item Petr Holub @item Phil Fisher @item Rafal Malinowski @item Ragnar Sundblad @item Rainer Toebbicke @item Richard Nyberg @item Roland C. Dowdeswell @item Roman Divacky @item Russ Allbery @item Sho Hosoda, 細田 将 @item Simon Wilkinson @item Stefan Metzmacher @item Ted Percival @item Tom Payerle @item Victor Guerra @item Zeqing Xia @item Åke Sandgren @item and we hope that those not mentioned here will forgive us. @end table All bugs were introduced by ourselves. 
heimdal-1.7~git20150920+dfsg/doc/apps.texi000066400000000000000000000241521257755311500200520ustar00rootroot00000000000000@c $Id$ @node Applications, Things in search for a better place, Setting up a realm, Top @chapter Applications @menu * Authentication modules:: * AFS:: @end menu @node Authentication modules, AFS, Applications, Applications @section Authentication modules The problem of having different authentication mechanisms has been recognised by several vendors, and several solutions have appeared. In most cases these solutions involve some kind of shared modules that are loaded at run-time. Modules for some of these systems can be found in @file{lib/auth}. Presently there are modules for Digital's SIA, and IRIX' @code{login} and @code{xdm} (in @file{lib/auth/afskauthlib}). @menu * Digital SIA:: * IRIX:: @end menu @node Digital SIA, IRIX, Authentication modules, Authentication modules @subsection Digital SIA How to install the SIA module depends on which OS version you're running. Tru64 5.0 has a new command, @file{siacfg}, which makes this process quite simple. If you have this program, you should just be able to run: @example siacfg -a KRB5 /usr/athena/lib/libsia_krb5.so @end example On older versions, or if you want to do it by hand, you have to do the following (not tested by us on Tru64 5.0): @itemize @bullet @item Make sure @file{libsia_krb5.so} is available in @file{/usr/athena/lib}. If @file{/usr/athena} is not on local disk, you might want to put it in @file{/usr/shlib} or someplace else. If you do, you'll have to edit @file{krb5_matrix.conf} to reflect the new location (you will also have to do this if you installed in some other directory than @file{/usr/athena}). If you built with shared libraries, you will have to copy the shared @file{libkrb.so}, @file{libdes.so}, @file{libkadm.so}, and @file{libkafs.so} to a place where the loader can find them (such as @file{/usr/shlib}). 
@item Copy (your possibly edited) @file{krb5_matrix.conf} to @file{/etc/sia}. @item Apply @file{security.patch} to @file{/sbin/init.d/security}. @item Turn on KRB5 security by issuing @kbd{rcmgr set SECURITY KRB5} and @kbd{rcmgr set KRB5_MATRIX_CONF krb5_matrix.conf}. @item Digital thinks you should reboot your machine, but that really shouldn't be necessary. It's usually sufficient just to run @kbd{/sbin/init.d/security start} (and restart any applications that use SIA, like @code{xdm}.) @end itemize Users with local passwords (like @samp{root}) should be able to login safely. When using Digital's xdm the @samp{KRB5CCNAME} environment variable isn't passed along as it should (since xdm zaps the environment). Instead you have to set @samp{KRB5CCNAME} to the correct value in @file{/usr/lib/X11/xdm/Xsession}. Add a line similar to @example KRB5CCNAME=FILE:/tmp/krb5cc`id -u`_`ps -o ppid= -p $$`; export KRB5CCNAME @end example If you use CDE, @code{dtlogin} allows you to specify which additional environment variables it should export. To add @samp{KRB5CCNAME} to this list, edit @file{/usr/dt/config/Xconfig}, and look for the definition of @samp{exportList}. You want to add something like: @example Dtlogin.exportList: KRB5CCNAME @end example @subsubheading Notes to users with Enhanced security Digital's @samp{ENHANCED} (C2) security, and Kerberos solve two different problems. C2 deals with local security, adds better control of who can do what, auditing, and similar things. Kerberos deals with network security. To make C2 security work with Kerberos you will have to do the following. @itemize @bullet @item Replace all occurrences of @file{krb5_matrix.conf} with @file{krb5+c2_matrix.conf} in the directions above. @item You must enable ``vouching'' in the @samp{default} database. This will make the OSFC2 module trust other SIA modules, so you can login without giving your C2 password. 
To do this use @samp{edauth} to edit the default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a @samp{d_accept_alternate_vouching} capability, if not already present. @item For each user who does @emph{not} have a local C2 password, you should set the password expiration field to zero. You can do this for each user, or in the @samp{default} table. To do this use @samp{edauth} to set (or change) the @samp{u_exp} capability to @samp{u_exp#0}. @item You also need to be aware that the shipped @file{login}, @file{rcp}, and @file{rshd} don't do any particular C2 magic (such as checking for various forms of disabled accounts), so if you rely on those features, you shouldn't use those programs. If you configure with @samp{--enable-osfc2}, these programs will, however, set the login UID. Still: use at your own risk. @end itemize At present @samp{su} does not accept the vouching flag, so it will not work as expected. Also, kerberised ftp will not work with C2 passwords. You can solve this by running both Digital's ftpd and ours on different ports. @strong{Remember}, if you make these changes you will get a system that most certainly does @emph{not} fulfil the requirements of a C2 system. If C2 is what you want, for instance if someone else is forcing you to use it, you're out of luck. If you use enhanced security because you want a system that is more secure than it would otherwise be, you probably got an even more secure system. Passwords will not be sent in the clear, for instance. @node IRIX, , Digital SIA, Authentication modules @subsection IRIX The IRIX support is a module that is compatible with Transarc's @file{afskauthlib.so}. It should work with all programs that use this library. This should include @command{login} and @command{xdm}. The interface is not well documented, but it seems that you have to copy @file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to @file{/usr/lib}, or build your @file{afskauthlib.so} statically. 
The @file{afskauthlib.so} itself is able to reside in @file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory (wherever that is). IRIX 6.4 and newer seem to have all programs (including @command{xdm} and @command{login}) in the N32 object format, whereas in older versions they were O32. For it to work, the @file{afskauthlib.so} library has to be in the same object format as the program that tries to load it. This might require that you configure and build for O32 in addition to the default N32. Apart from this it should ``just work''; there are no configuration files. Note that recent Irix 6.5 versions (at least 6.5.22) have PAM, including a @file{pam_krb5.so} module. Not all relevant programs use PAM, though, e.g.@: @command{ssh}. In particular, for console graphical login you need to turn off @samp{visuallogin} and turn on @samp{xdm} with @command{chkconfig}. @node AFS, , Authentication modules, Applications @section AFS @cindex AFS AFS is a distributed filesystem that uses Kerberos for authentication. @cindex OpenAFS @cindex Arla For more information about AFS see OpenAFS @url{http://www.openafs.org/} and Arla @url{http://www.stacken.kth.se/projekt/arla/}. @subsection kafs and afslog @cindex afslog @manpage{afslog,1} obtains AFS tokens for a number of cells. Which cells to get tokens for can either be specified as an explicit list, as file paths to get tokens for, or be left unspecified, in which case it will use whatever magic @manpage{kafs,3} decides upon. If not told which cell to get credentials for, @manpage{kafs,3} will search for the files ThisCell and TheseCells in the locations specified in @manpage{kafs,3} and try to get tokens for these cells and the cells specified in $HOME/.TheseCells. More usefully, it will look at ~/.TheseCells in your home directory and, for each line naming a cell, get an AFS token for that cell. 
The TheseCells file defines the cells for which applications on the local client machine should try to acquire tokens. It must reside in the directories searched by @manpage{kafs,3} on every AFS client machine. The file is in ASCII format and contains one character string, the cell name, per line. Cell names are case sensitive, but most cell names are lower case. See the manual page for @manpage{kafs,3} for the search locations of ThisCell and TheseCells. @subsection How to get a KeyFile @file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM} or you can extract it with kadmin @example kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@@My.CELL.NAME @end example You have to make sure you have a @code{des-cbc-md5} encryption type since that is the enctype that will be converted. @subsection How to convert a srvtab to a KeyFile You need a @file{/usr/vice/etc/ThisCell} containing the cell name of your AFS cell. @file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}. If the KeyFile already exists, this will add the new key from afs-srvtab to KeyFile. @section Using 2b tokens with AFS @subsection What is 2b ? 2b is the name of the proposal that was implemented to give basic Kerberos 5 support to AFS in rxkad. It's not real Kerberos 5 support since it still uses fcrypt for data encryption and not Kerberos encryption types. It's only possible (in all cases) to do this for DES encryption types because only then will the token (the AFS equivalent of a ticket) be smaller than the maximum size that can fit in the token cache in the OpenAFS/Transarc client. It is such a tight fit that some extra wrapping on the ASN1/DER encoding is removed from the Kerberos ticket. 2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for the part of the ticket that is encrypted with the service's key. The client doesn't know what's inside the encrypted data, so to the client it doesn't matter. 
To differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b uses a special kvno: 213 for 2b tokens and 255 for Kerberos 5 tokens. It's a requirement that all AFS servers that support 2b also support native Kerberos 5 in rxkad. @subsection Configuring a Heimdal kdc to use 2b tokens Support for 2b tokens in the kdc is turned on for specific principals by adding them to the string list option @code{[kdc]use_2b} in the kdc's @file{krb5.conf} file. @example [kdc] use_2b = @{ afs@@SU.SE = yes afs/it.su.se@@SU.SE = yes @} @end example @subsection Configuring AFS clients for 2b support There is no need to configure AFS clients for 2b support. The only software that needs to be installed/upgraded is a Kerberos 5 enabled @file{afslog}. heimdal-1.7~git20150920+dfsg/doc/base.din000066400000000000000000000005751257755311500176250ustar00rootroot00000000000000# Doxyfile 1.5.3 PROJECT_NAME = Heimdal x509 library PROJECT_NUMBER = @PACKAGE_VERSION@ OUTPUT_DIRECTORY = @srcdir@/doxyout/heimbase INPUT = @srcdir@/../base WARN_IF_UNDOCUMENTED = YES PERL_PATH = /usr/bin/perl HTML_HEADER = "@srcdir@/header.html" HTML_FOOTER = "@srcdir@/footer.html" @INCLUDE = "@srcdir@/doxytmpl.dxy" heimdal-1.7~git20150920+dfsg/doc/base.hhp000066400000000000000000000003051257755311500176210ustar00rootroot00000000000000[OPTIONS] Compatibility=1.1 or later Compiled file=heimbase.chm Contents file=toc.hhc Default topic=index.html Display compile progress=No Language=0x409 English (United States) Title=Heimdal Base heimdal-1.7~git20150920+dfsg/doc/copyright.texi000066400000000000000000000466511257755311500211270ustar00rootroot00000000000000 @macro copynext{} @vskip 20pt plus 1fil @end macro @macro copyrightstart{} @end macro @macro copyrightend{} @end macro @node Copyrights and Licenses, , Acknowledgments, Top @comment node-name, next, previous, up @appendix Copyrights and Licenses @heading Kungliga Tekniska Högskolan @copyrightstart @verbatim Copyright (c) 1997-2011 Kungliga Tekniska Högskolan 
(Royal Institute of Technology, Stockholm, Sweden). All rights reserved. Portions Copyright (c) 2009 Apple Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading Massachusetts Institute of Technology The parts of the libtelnet that handle Kerberos. @verbatim Copyright (C) 1990 by the Massachusetts Institute of Technology Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. 
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. @end verbatim @copynext @heading The Regents of the University of California The parts of the libroken, most of libtelnet, telnet, ftp, and popper. @verbatim Copyright (c) 1988, 1990, 1993 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading The Regents of the University of California. libedit @verbatim Copyright (c) 1992, 1993 The Regents of the University of California. All rights reserved. This code is derived from software contributed to Berkeley by Christos Zoulas of Cornell University. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading TomsFastMath / LibTomMath Tom's fast math (bignum support) and LibTomMath @verbatim LibTomMath is hereby released into the Public Domain. @end verbatim @copynext @heading Doug Rabson GSS-API mechglue layer. @verbatim Copyright (c) 2005 Doug Rabson All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading PADL Software Pty Ltd @table @asis @item GSS-API CFX, SPNEGO, naming extensions, API extensions. @item KCM credential cache. @item HDB LDAP backend. @end table @verbatim Copyright (c) 2003-2011, PADL Software Pty Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of PADL Software nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading Marko Kreen Fortuna in libhcrypto @verbatim Copyright (c) 2005 Marko Kreen All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
@end verbatim @copynext @heading NTT (Nippon Telegraph and Telephone Corporation) Camellia in libhcrypto @verbatim Copyright (c) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY NTT ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading The NetBSD Foundation, Inc. vis.c in libroken @verbatim Copyright (c) 1999, 2005 The NetBSD Foundation, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading Vincent Rijmen, Antoon Bosselaers, Paulo Barreto AES in libhcrypto @verbatim rijndael-alg-fst.c @version 3.0 (December 2000) Optimised ANSI C code for the Rijndael cipher (now AES) @author Vincent Rijmen @author Antoon Bosselaers @author Paulo Barreto This code is hereby placed in the public domain. THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading Apple, Inc kdc/announce.c @verbatim Copyright (c) 2008 Apple Inc. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Apple Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Apple Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @end verbatim @copynext @heading Richard Outerbridge DES core in libhcrypto @verbatim D3DES (V5.09) - A portable, public domain, version of the Data Encryption Standard. Written with Symantec's THINK (Lightspeed) C by Richard Outerbridge. 
Thanks to: Dan Hoey for his excellent Initial and Inverse permutation code; Jim Gillogly & Phil Karn for the DES key schedule code; Dennis Ferguson, Eric Young and Dana How for comparing notes; and Ray Lau, for humouring me on. Copyright (c) 1988,1989,1990,1991,1992 by Richard Outerbridge. (GEnie : OUTER; CIS : [71755,204]) Graven Imagery, 1992. @end verbatim @copynext @heading Secure Endpoints Inc Windows support @verbatim Copyright (c) 2009-2015, Secure Endpoints Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @end verbatim @copynext @heading Novell, Inc lib/hcrypto/test_dh.c @verbatim Copyright (c) 2007, Novell, Inc. Author: Matthias Koenig All rights reserved. 
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the Novell nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
@end verbatim @copyrightend heimdal-1.7~git20150920+dfsg/doc/doxytmpl.dxy000066400000000000000000000226361257755311500206270ustar00rootroot00000000000000#--------------------------------------------------------------------------- # Project related configuration options #--------------------------------------------------------------------------- DOXYFILE_ENCODING = UTF-8 CREATE_SUBDIRS = NO OUTPUT_LANGUAGE = English BRIEF_MEMBER_DESC = YES REPEAT_BRIEF = YES ABBREVIATE_BRIEF = "The $name class " \ "The $name widget " \ "The $name file " \ is \ provides \ specifies \ contains \ represents \ a \ an \ the ALWAYS_DETAILED_SEC = NO INLINE_INHERITED_MEMB = NO FULL_PATH_NAMES = YES STRIP_FROM_PATH = /Applications/ STRIP_FROM_INC_PATH = SHORT_NAMES = NO JAVADOC_AUTOBRIEF = NO QT_AUTOBRIEF = NO MULTILINE_CPP_IS_BRIEF = NO DETAILS_AT_TOP = NO INHERIT_DOCS = YES SEPARATE_MEMBER_PAGES = NO TAB_SIZE = 8 ALIASES = OPTIMIZE_OUTPUT_FOR_C = YES OPTIMIZE_OUTPUT_JAVA = NO BUILTIN_STL_SUPPORT = NO CPP_CLI_SUPPORT = NO DISTRIBUTE_GROUP_DOC = NO SUBGROUPING = YES #--------------------------------------------------------------------------- # Build related configuration options #--------------------------------------------------------------------------- EXTRACT_ALL = NO EXTRACT_PRIVATE = NO EXTRACT_STATIC = NO EXTRACT_LOCAL_CLASSES = YES EXTRACT_LOCAL_METHODS = NO EXTRACT_ANON_NSPACES = NO HIDE_UNDOC_MEMBERS = YES HIDE_UNDOC_CLASSES = YES HIDE_FRIEND_COMPOUNDS = NO HIDE_IN_BODY_DOCS = NO INTERNAL_DOCS = NO CASE_SENSE_NAMES = NO HIDE_SCOPE_NAMES = NO SHOW_INCLUDE_FILES = YES INLINE_INFO = YES SORT_MEMBER_DOCS = YES SORT_BRIEF_DOCS = NO SORT_BY_SCOPE_NAME = NO GENERATE_TODOLIST = YES GENERATE_TESTLIST = YES GENERATE_BUGLIST = YES GENERATE_DEPRECATEDLIST= YES ENABLED_SECTIONS = MAX_INITIALIZER_LINES = 30 SHOW_USED_FILES = YES SHOW_DIRECTORIES = NO FILE_VERSION_FILTER = #--------------------------------------------------------------------------- # configuration options related to warning and 
progress messages #--------------------------------------------------------------------------- QUIET = YES WARNINGS = YES WARN_IF_DOC_ERROR = YES WARN_NO_PARAMDOC = YES WARN_FORMAT = "$file:$line: $text " WARN_LOGFILE = #--------------------------------------------------------------------------- # configuration options related to the input files #--------------------------------------------------------------------------- INPUT_ENCODING = UTF-8 FILE_PATTERNS = *.c \ *.cc \ *.cxx \ *.cpp \ *.c++ \ *.d \ *.java \ *.ii \ *.ixx \ *.ipp \ *.i++ \ *.inl \ *.h \ *.hh \ *.hxx \ *.hpp \ *.h++ \ *.idl \ *.odl \ *.cs \ *.php \ *.php3 \ *.inc \ *.m \ *.mm \ *.dox \ *.py RECURSIVE = YES EXCLUDE = EXCLUDE_SYMLINKS = NO EXCLUDE_PATTERNS = */.svn EXCLUDE_SYMBOLS = EXAMPLE_PATTERNS = * EXAMPLE_RECURSIVE = NO IMAGE_PATH = INPUT_FILTER = FILTER_PATTERNS = FILTER_SOURCE_FILES = NO #--------------------------------------------------------------------------- # configuration options related to source browsing #--------------------------------------------------------------------------- SOURCE_BROWSER = NO INLINE_SOURCES = NO STRIP_CODE_COMMENTS = YES REFERENCED_BY_RELATION = NO REFERENCES_RELATION = NO REFERENCES_LINK_SOURCE = YES USE_HTAGS = NO VERBATIM_HEADERS = NO #--------------------------------------------------------------------------- # configuration options related to the alphabetical class index #--------------------------------------------------------------------------- ALPHABETICAL_INDEX = NO COLS_IN_ALPHA_INDEX = 5 IGNORE_PREFIX = #--------------------------------------------------------------------------- # configuration options related to the HTML output #--------------------------------------------------------------------------- GENERATE_HTML = YES HTML_OUTPUT = html HTML_FILE_EXTENSION = .html HTML_STYLESHEET = HTML_ALIGN_MEMBERS = YES GENERATE_HTMLHELP = NO HTML_DYNAMIC_SECTIONS = NO CHM_FILE = HHC_LOCATION = GENERATE_CHI = NO BINARY_TOC = NO TOC_EXPAND = NO DISABLE_INDEX 
= NO ENUM_VALUES_PER_LINE = 4 GENERATE_TREEVIEW = NO TREEVIEW_WIDTH = 250 #--------------------------------------------------------------------------- # configuration options related to the LaTeX output #--------------------------------------------------------------------------- GENERATE_LATEX = NO LATEX_OUTPUT = latex LATEX_CMD_NAME = latex MAKEINDEX_CMD_NAME = makeindex COMPACT_LATEX = NO PAPER_TYPE = a4wide EXTRA_PACKAGES = LATEX_HEADER = PDF_HYPERLINKS = NO USE_PDFLATEX = NO LATEX_BATCHMODE = NO LATEX_HIDE_INDICES = NO #--------------------------------------------------------------------------- # configuration options related to the RTF output #--------------------------------------------------------------------------- GENERATE_RTF = NO RTF_OUTPUT = rtf COMPACT_RTF = NO RTF_HYPERLINKS = NO RTF_STYLESHEET_FILE = RTF_EXTENSIONS_FILE = #--------------------------------------------------------------------------- # configuration options related to the man page output #--------------------------------------------------------------------------- GENERATE_MAN = YES MAN_OUTPUT = man MAN_EXTENSION = .3 MAN_LINKS = YES #--------------------------------------------------------------------------- # configuration options related to the XML output #--------------------------------------------------------------------------- GENERATE_XML = NO XML_OUTPUT = xml XML_SCHEMA = XML_DTD = XML_PROGRAMLISTING = YES #--------------------------------------------------------------------------- # configuration options for the AutoGen Definitions output #--------------------------------------------------------------------------- GENERATE_AUTOGEN_DEF = NO #--------------------------------------------------------------------------- # configuration options related to the Perl module output #--------------------------------------------------------------------------- GENERATE_PERLMOD = NO PERLMOD_LATEX = NO PERLMOD_PRETTY = YES PERLMOD_MAKEVAR_PREFIX = 
#--------------------------------------------------------------------------- # Configuration options related to the preprocessor #--------------------------------------------------------------------------- ENABLE_PREPROCESSING = YES MACRO_EXPANSION = NO EXPAND_ONLY_PREDEF = NO SEARCH_INCLUDES = YES INCLUDE_PATH = INCLUDE_FILE_PATTERNS = PREDEFINED = EXPAND_AS_DEFINED = SKIP_FUNCTION_MACROS = YES #--------------------------------------------------------------------------- # Configuration::additions related to external references #--------------------------------------------------------------------------- TAGFILES = GENERATE_TAGFILE = ALLEXTERNALS = NO EXTERNAL_GROUPS = YES #--------------------------------------------------------------------------- # Configuration options related to the dot tool #--------------------------------------------------------------------------- CLASS_DIAGRAMS = NO MSCGEN_PATH = /Applications/Doxygen.app/Contents/Resources/ HIDE_UNDOC_RELATIONS = YES HAVE_DOT = YES CLASS_GRAPH = YES COLLABORATION_GRAPH = YES GROUP_GRAPHS = YES UML_LOOK = NO TEMPLATE_RELATIONS = NO INCLUDE_GRAPH = YES INCLUDED_BY_GRAPH = YES CALL_GRAPH = NO CALLER_GRAPH = NO GRAPHICAL_HIERARCHY = YES DIRECTORY_GRAPH = YES DOT_IMAGE_FORMAT = png DOT_PATH = /Applications/Doxygen.app/Contents/Resources/ DOTFILE_DIRS = DOT_GRAPH_MAX_NODES = 50 MAX_DOT_GRAPH_DEPTH = 1000 DOT_TRANSPARENT = NO DOT_MULTI_TARGETS = NO GENERATE_LEGEND = YES DOT_CLEANUP = YES #--------------------------------------------------------------------------- # Configuration::additions related to the search engine #--------------------------------------------------------------------------- SEARCHENGINE = NO heimdal-1.7~git20150920+dfsg/doc/footer.html000066400000000000000000000004131257755311500203720ustar00rootroot00000000000000
    Generated on $datetime for $projectname by doxygen $doxygenversion
    heimdal-1.7~git20150920+dfsg/doc/gssapi.din000066400000000000000000000006041257755311500201720ustar00rootroot00000000000000# Doxyfile 1.5.3 PROJECT_NAME = Heimdal GSS-API library PROJECT_NUMBER = @PACKAGE_VERSION@ OUTPUT_DIRECTORY = @srcdir@/doxyout/gssapi INPUT = @srcdir@/../lib/gssapi WARN_IF_UNDOCUMENTED = NO PERL_PATH = /usr/bin/perl HTML_HEADER = "@srcdir@/header.html" HTML_FOOTER = "@srcdir@/footer.html" @INCLUDE = "@srcdir@/doxytmpl.dxy" heimdal-1.7~git20150920+dfsg/doc/hcrypto.din000066400000000000000000000006651257755311500204030ustar00rootroot00000000000000# Doxyfile 1.5.3 PROJECT_NAME = "Heimdal crypto library" PROJECT_NUMBER = @PACKAGE_VERSION@ OUTPUT_DIRECTORY = @srcdir@/doxyout/hcrypto INPUT = @srcdir@/../lib/hcrypto EXAMPLE_PATH = @srcdir@/../lib/hcrypto WARN_IF_UNDOCUMENTED = YES PERL_PATH = /usr/bin/perl HTML_HEADER = "@srcdir@/header.html" HTML_FOOTER = "@srcdir@/footer.html" @INCLUDE = "@srcdir@/doxytmpl.dxy" heimdal-1.7~git20150920+dfsg/doc/hdb.din000066400000000000000000000005721257755311500174450ustar00rootroot00000000000000# Doxyfile 1.5.3 PROJECT_NAME = Heimdal hdb library PROJECT_NUMBER = @PACKAGE_VERSION@ OUTPUT_DIRECTORY = @srcdir@/doxyout/hdb INPUT = @srcdir@/../lib/hdb WARN_IF_UNDOCUMENTED = YES PERL_PATH = /usr/bin/perl HTML_HEADER = "@srcdir@/header.html" HTML_FOOTER = "@srcdir@/footer.html" @INCLUDE = "@srcdir@/doxytmpl.dxy" heimdal-1.7~git20150920+dfsg/doc/header.html000066400000000000000000000007101257755311500203240ustar00rootroot00000000000000 $title

    keyhole logo

    heimdal-1.7~git20150920+dfsg/doc/heimdal.css000066400000000000000000000013321257755311500203240ustar00rootroot00000000000000body { color: black; background-color: #fdfdfd; font-family: serif; max-width: 40em; } h1, h2, h3 { font-family: sans-serif; font-weight: bold; } h1 { padding: 0.5em 0 0.5em 5%; color: white; background: #3366cc; border-bottom: solid 1px black; } h1 { font-size: 200%; } h2 { font-size: 150%; } h3 { font-size: 120%; } h4 { font-weight: bold; } pre.example { margin-left: 2em; padding: 1em 0em; border: 2px dashed #c0c0c0; background: #f0f0f0; } a:link { color: blue; text-decoration: none; } a:visited { color: red; text-decoration: none } a:hover { text-decoration: underline } span.literal { font-family: monospace; } hr { border-style: none; background-color: black; height: 1px; } heimdal-1.7~git20150920+dfsg/doc/heimdal.hhp000066400000000000000000000002761257755311500203210ustar00rootroot00000000000000[OPTIONS] Compatibility=1.1 or later Compiled file=heimdal.chm Contents file=toc.hhc Default topic=index.html Display compile progress=No Language=0x409 English (United States) Title=Heimdalheimdal-1.7~git20150920+dfsg/doc/heimdal.texi000066400000000000000000000062561257755311500205170ustar00rootroot00000000000000\input texinfo @c -*- texinfo -*- @c %**start of header @c $Id$ @setfilename heimdal.info @settitle HEIMDAL @iftex @afourpaper @end iftex @c some sensible characters, please? @tex \input latin1.tex @end tex @setchapternewpage on @syncodeindex pg cp @c %**end of header @include vars.texi @set VERSION @value{PACKAGE_VERSION} @set EDITION 1.0 @ifinfo @dircategory Security @direntry * Heimdal: (heimdal). 
The Kerberos 5 distribution from KTH @end direntry @end ifinfo @c title page @titlepage @title Heimdal @subtitle Kerberos 5 from KTH @subtitle Edition @value{EDITION}, for version @value{VERSION} @subtitle 2008 @author Johan Danielsson @author Love Hörnquist Åstrand @author Assar Westerlund @end titlepage @macro manpage{man, section} @cite{\man\(\section\)} @end macro @c Less filling! Tastes great! @iftex @parindent=0pt @global@parskip 6pt plus 1pt @global@chapheadingskip = 15pt plus 4pt minus 2pt @global@secheadingskip = 12pt plus 3pt minus 2pt @global@subsecheadingskip = 9pt plus 2pt minus 2pt @end iftex @ifinfo @paragraphindent 0 @end ifinfo @ifnottex @node Top, Introduction, (dir), (dir) @top Heimdal @end ifnottex This manual is for version @value{VERSION} of Heimdal. @menu * Introduction:: * What is Kerberos?:: * Building and Installing:: * Setting up a realm:: * Applications:: * Things in search for a better place:: * Kerberos 4 issues:: * Windows compatibility:: * Programming with Kerberos:: * Migration:: * Acknowledgments:: * Copyrights and Licenses:: @detailmenu --- The Detailed Node Listing --- Setting up a realm * Configuration file:: * Creating the database:: * Modifying the database:: * keytabs:: * Remote administration:: * Password changing:: * Testing clients and servers:: * Slave Servers:: * Incremental propagation:: * Encryption types and salting:: * Credential cache server - KCM:: * Cross realm:: * Transit policy:: * Setting up DNS:: * Using LDAP to store the database:: * Providing Kerberos credentials to servers and programs:: * Setting up PK-INIT:: * Debugging Kerberos problems:: Applications * Authentication modules:: * AFS:: Authentication modules * Digital SIA:: * IRIX:: Kerberos 4 issues * Principal conversion issues:: * Converting a version 4 database:: Windows compatibility * Configuring Windows to use a Heimdal KDC:: * Inter-Realm keys (trust) between Windows and a Heimdal KDC:: * Create account mappings:: * Encryption types:: * 
Authorisation data:: * Quirks of Windows 2000 KDC:: * Useful links when reading about the Windows:: Programming with Kerberos @end detailmenu @end menu @include intro.texi @include whatis.texi @include install.texi @include setup.texi @include apps.texi @include misc.texi @include kerberos4.texi @include win2k.texi @include programming.texi @include migration.texi @include ack.texi @include copyright.texi @c @shortcontents @contents @bye heimdal-1.7~git20150920+dfsg/doc/hx509.din000066400000000000000000000005771257755311500175720ustar00rootroot00000000000000# Doxyfile 1.5.3 PROJECT_NAME = Heimdal x509 library PROJECT_NUMBER = @PACKAGE_VERSION@ OUTPUT_DIRECTORY = @srcdir@/doxyout/hx509 INPUT = @srcdir@/../lib/hx509 WARN_IF_UNDOCUMENTED = YES PERL_PATH = /usr/bin/perl HTML_HEADER = "@srcdir@/header.html" HTML_FOOTER = "@srcdir@/footer.html" @INCLUDE = "@srcdir@/doxytmpl.dxy" heimdal-1.7~git20150920+dfsg/doc/hx509.hhp000066400000000000000000000002721257755311500175670ustar00rootroot00000000000000[OPTIONS] Compatibility=1.1 or later Compiled file=hx509.chm Contents file=toc.hhc Default topic=index.html Display compile progress=No Language=0x409 English (United States) Title=HX509heimdal-1.7~git20150920+dfsg/doc/hx509.texi000066400000000000000000000633061257755311500177700ustar00rootroot00000000000000\input texinfo @c -*- texinfo -*- @c %**start of header @c $Id$ @setfilename hx509.info @settitle HX509 @iftex @afourpaper @end iftex @c some sensible characters, please? @tex \input latin1.tex @end tex @setchapternewpage on @syncodeindex pg cp @c %**end of header @include vars.texi @set VERSION @value{PACKAGE_VERSION} @set EDITION 1.0 @ifinfo @dircategory Security @direntry * hx509: (hx509). 
The X.509 distribution from KTH @end direntry @end ifinfo @c title page @titlepage @title HX509 @subtitle X.509 distribution from KTH @subtitle Edition @value{EDITION}, for version @value{VERSION} @subtitle 2008 @author Love Hörnquist Åstrand @iftex @def@copynext{@vskip 20pt plus 1fil} @def@copyrightstart{} @def@copyrightend{} @end iftex @macro copynext @end macro @macro copyrightstart @end macro @macro copyrightend @end macro @page @copyrightstart Copyright (c) 1994-2008 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
@copynext Copyright (c) 1988, 1990, 1993 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @copynext Copyright 1992 Simmule Turner and Rich Salz. All rights reserved. This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California. Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it freely, subject to the following restrictions: 1. 
The authors are not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it. 2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation. 3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation. 4. This notice may not be removed or altered. @copynext IMath is Copyright 2002-2005 Michael J. Fromberger You may use it subject to the following Licensing Terms: Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. @copyrightend @end titlepage @macro manpage{man, section} @cite{\man\(\section\)} @end macro @c Less filling! Tastes great! 
@iftex @parindent=0pt @global@parskip 6pt plus 1pt @global@chapheadingskip = 15pt plus 4pt minus 2pt @global@secheadingskip = 12pt plus 3pt minus 2pt @global@subsecheadingskip = 9pt plus 2pt minus 2pt @end iftex @ifinfo @paragraphindent 0 @end ifinfo @ifnottex @node Top, Introduction, (dir), (dir) @top Heimdal @end ifnottex This manual is for version @value{VERSION} of hx509. @menu * Introduction:: * What is X.509 ?:: * Setting up a CA:: * CMS signing and encryption:: * Certificate matching:: * Software PKCS 11 module:: * Creating a CA certificate:: * Issuing certificates:: * Issuing CRLs:: * Application requirements:: * CMS background:: * Matching syntax:: * How to use the PKCS11 module:: @detailmenu --- The Detailed Node Listing --- Setting up a CA @c * Issuing certificates:: * Creating a CA certificate:: * Issuing certificates:: * Issuing CRLs:: @c * Issuing a proxy certificate:: @c * Creating a user certificate:: @c * Validating a certificate:: @c * Validating a certificate path:: * Application requirements:: CMS signing and encryption * CMS background:: Certificate matching * Matching syntax:: Software PKCS 11 module * How to use the PKCS11 module:: @end detailmenu @end menu @node Introduction, What is X.509 ?, Top, Top @chapter Introduction The goal of a PKI infrastructure (as defined in RFC 3280) is to meet @emph{the needs of deterministic, automated identification, authentication, access control, and authorization}. The administrator should be aware of certain terminology as explained by the aforementioned RFC before attempting to put in place a PKI infrastructure. Briefly, these are: @itemize @bullet @item CA Certificate Authority @item RA Registration Authority, i.e., an optional system to which a CA delegates certain management functions. @item CRL Issuer An optional system to which a CA delegates the publication of certificate revocation lists. 
@item Repository A system or collection of distributed systems that stores certificates and CRLs and serves as a means of distributing these certificates and CRLs to end entities. @end itemize hx509 (Heimdal x509 support) is a near-complete X.509 stack that can handle CMS messages (crypto system used in S/MIME and Kerberos PK-INIT) and basic certificate processing tasks, path construction, path validation, OCSP and CRL validation, PKCS10 message construction, CMS Encrypted (shared secret encrypted), CMS SignedData (certificate signed), and CMS EnvelopedData (certificate encrypted). hx509 can use PKCS11 tokens, PKCS12 files, PEM files, and/or DER encoded files. @node What is X.509 ?, Setting up a CA, Introduction, Top @chapter What is X.509, PKIX, PKCS7 and CMS ? X.509 was created by CCITT (later ITU) for the X.500 directory service. Today, X.509 discussions and implementations commonly reference the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 3280. ITU continues to develop the X.509 standard together with the IETF in a rather complicated dance. X.509 is a public key based security system that has associated data stored within a so-called certificate. Initially, X.509 was a strict hierarchical system with one root. However, ever-evolving requirements and technology advancements saw the inclusion of multiple policy roots, bridges and mesh solutions. X.509 can also be used as a peer-to-peer system, though often seen as a common scenario. @section Type of certificates There are several flavors of certificate in X.509. @itemize @bullet @item Trust anchors Trust anchors are, strictly speaking, not certificates, but are commonly stored in a certificate format as they become easier to manage. Trust anchors are the keys that an end entity would trust to validate other certificates. This is done by building a path from the certificate you want to validate to any of the trust anchors you have. 
@item End Entity (EE) certificates End entity certificates are the most common type of certificate. End entity certificates cannot issue (sign) certificates themselves and are generally used to authenticate and authorize users and services. @item Certification Authority (CA) certificates Certificate authority certificates have the right to issue additional certificates (be they subordinate CA certificates or end entity certificates). There is no limit to how many certificates a CA may issue, but there might be other restrictions, like the maximum path depth. @item Proxy certificates Remember the statement "End Entity certificates cannot issue certificates"? Well, that statement is not entirely true. There is an extension called proxy certificates, defined in RFC3820, that allows certificates to be issued by end entity certificates. The service that receives the proxy certificates must have explicitly turned on support for proxy certificates, so their use is somewhat limited. Proxy certificates can be limited by policies stored in the certificate to what they can be used for. This allows users to delegate the proxy certificate to services (by sending over the certificate and private key) so the service can access services on behalf of the user. One example of this would be a print service. The user wants to print a large job in the middle of the night when the printer isn't used that much, so the user creates a proxy certificate with the policy that it can only be used to access files related to this print job, creates the print job description and sends both the description and the proxy certificate with its key over to the print service. Later at night when the print service initializes (without any user intervention), access to the files for the print job is granted via the proxy certificate. As a result of the (in-place) policy limitations, the certificate cannot be used for any other purposes. 
@end itemize @section Building a path Before validating a certificate path (or chain), the path needs to be constructed. Given a certificate (EE, CA, Proxy, or any other type), the path construction algorithm will try to find a path to one of the trust anchors. The process starts by looking at the issuing CA of the certificate, by Name or Key Identifier, and tries to find that certificate while at the same time evaluating any policies in place. @node Setting up a CA, Creating a CA certificate, What is X.509 ?, Top @chapter Setting up a CA Do not let information overload scare you off! If you are simply testing or getting started with a PKI infrastructure, skip all this and go to the next chapter (see: @pxref{Creating a CA certificate}). Creating a CA certificate should be more than just creating a certificate: a CA should define a policy. Again, if you are simply testing a PKI, policies do not matter so much. However, when it comes to trust in an organisation, it will probably matter more whom your users and sysadmins will find it acceptable to trust. At the same time, try to keep things simple; it's not very hard to run a certificate authority and the process to get new certificates should be simple. You may find it helpful to answer the following policy questions for your organization at a later stage: @itemize @bullet @item How do you trust your CA? @item What is the CA's responsibility? @item How is CA activity reviewed? @item How much process should there be to issue a certificate? @item Who is allowed to issue certificates? @item Who is allowed to request certificates? @item How are certificate revocation, issuing CRLs and maintaining OCSP services handled? @end itemize @node Creating a CA certificate, Issuing certificates, Setting up a CA, Top @section Creating a CA certificate This section describes how to create a CA certificate and what to think about. 
@subsection Lifetime CA certificate You probably want to create a CA certificate with a long lifetime, 10 years at the very minimum. This is because you don't want to push out the certificate (as a trust anchor) to all your users again when the old CA certificate expires. Although a trust anchor can't really expire, not all software works in accordance with published standards. Keep in mind that the security requirements might be different 10-20 years into the future. For example, SHA1 is going to be withdrawn in 2010, so make sure you have enough buffer in your choice of digest/hash algorithms, signature algorithms and key lengths. @subsection Create a CA certificate The command below can be used to generate a self-signed CA certificate. @example hxtool issue-certificate \ --self-signed \ --issue-ca \ --generate-key=rsa \ --subject="CN=CertificateAuthority,DC=test,DC=h5l,DC=se" \ --lifetime=10years \ --certificate="FILE:ca.pem" @end example @subsection Extending the lifetime of a CA certificate You just realised that your CA certificate is going to expire soon and that you need to replace it with a new CA. The easiest way to do that is to extend the lifetime of your existing CA certificate. The example below will extend the CA certificate's lifetime by 10 years. Because the template keeps the subject public key (SPKI) and serial number, this extends the existing CA rather than rotating its key. You should check that this new certificate contains all the special tweaks the old certificate had. @example hxtool issue-certificate \ --self-signed \ --issue-ca \ --lifetime="10years" \ --template-certificate="FILE:ca.pem" \ --template-fields="serialNumber,notBefore,subject,SPKI" \ --ca-private-key=FILE:ca.pem \ --certificate="FILE:new-ca.pem" @end example @subsection Subordinate CA The example below creates a new subordinate certificate authority. 
@example hxtool issue-certificate \ --ca-certificate=FILE:ca.pem \ --issue-ca \ --generate-key=rsa \ --subject="CN=CertificateAuthority,DC=dev,DC=test,DC=h5l,DC=se" \ --certificate="FILE:dev-ca.pem" @end example @node Issuing certificates, Issuing CRLs, Creating a CA certificate, Top @section Issuing certificates First you'll create a CA certificate; after that you have to deal with your users and servers and issue certificates to them. @c I think this section needs a bit of clarity. Can I add a separate @c section which explains CSRs as well? @itemize @bullet @item Do all the work yourself Generate the key for the user. This has the problem that the CA knows the private key of the user. For a paranoid user this might leave a feeling of discomfort. @item Have the user do part of the work Receive PKCS10 certificate requests from users. PKCS10 is a request for a certificate. The user may specify what DN they want as well as provide a certificate signing request (CSR). To prove the user has the key, the whole request is signed by the private key of the user. @end itemize @subsection Name space management @c The explanation given below is slightly unclear. I will re-read the @c RFC and document accordingly What people might want to see. Re-issue certificates just because people moved within the organization. Expose privacy information. Using Sub-component name (+ notation). @subsection Certificate Revocation, CRL and OCSP Certificates that a CA issues may need to be revoked at some stage. As an example, an employee leaves the organization and does not bother handing in his smart card (or even if the smart card is handed back -- the certificate on it must no longer be acceptable to services; the employee has left). You may also want to revoke a certificate for a service which is no longer being offered on your network. Overlooking these scenarios can lead to security holes which will quickly become a nightmare to deal with. 
There are two primary protocols for dealing with certificate revocation. Namely: @itemize @bullet @item Certificate Revocation List (CRL) @item Online Certificate Status Protocol (OCSP) @end itemize If however the certificate in question (together with its private key) has been destroyed, there is no need to revoke the certificate because it can not be used by someone else. This matters since for each certificate you add to the CRL, the download time and processing time for clients get longer. CRLs and OCSP responders however greatly help manage compatible services which may authenticate and authorize users (or services) on an on-going basis. As an example, VPN connectivity established via certificates for connecting clients would require your VPN software to make use of a CRL or an OCSP service to ensure revoked certificates belonging to former clients are not allowed access to (formerly subscribed) network services. @node Issuing CRLs, Application requirements, Issuing certificates, Top @section Issuing CRLs Create an empty CRL with no certificates revoked. The default expiration value is one year from now. @example hxtool crl-sign \ --crl-file=crl.der \ --signer=FILE:ca.pem @end example Create a CRL with all certificates in the directory @file{/path/to/revoked/dir} included in the CRL as revoked. Also make it expire one month from now. @example hxtool crl-sign \ --crl-file=crl.der \ --signer=FILE:ca.pem \ --lifetime='1 month' \ DIR:/path/to/revoked/dir @end example @node Application requirements, CMS signing and encryption, Issuing CRLs, Top @section Application requirements Applications place different requirements on certificates. This section tries to explain what they are and how to use hxtool to generate certificates for those services. @subsection HTTPS - server @example hxtool issue-certificate \ --subject="CN=www.test.h5l.se,DC=test,DC=h5l,DC=se" \ --type="https-server" \ --hostname="www.test.h5l.se" \ --hostname="www2.test.h5l.se" \ ... 
@end example @subsection HTTPS - client @example hxtool issue-certificate \ --subject="UID=testus,DC=test,DC=h5l,DC=se" \ --type="https-client" \ ... @end example @subsection S/MIME - email There are two things that should be set in S/MIME certificates: one or more email addresses and an extended key usage (EKU), emailProtection. The email address format used in S/MIME certificates is defined in RFC2822, section 3.4.1, and it should be an ``addr-spec''. There are two ways to specify an email address in certificates. The old way is in the subject distinguished name, @emph{this should not be used}. The new way is using a Subject Alternative Name (SAN). Even though the email address is stored in certificates, it doesn't need to be; email reader programs are required to accept certificates that don't have either of the two methods of storing email in certificates -- in which case, the email client will try to protect the user by printing the name of the certificate instead. S/MIME certificates can be used in another special way. They can be issued with a NULL subject distinguished name plus the email in a SAN; this is a valid certificate. This is used when you don't want to share more information than you need to. hx509 issue-certificate supports adding the email SAN to a certificate by using the --email option; --email also gives an implicit emailProtection EKU. If you want to create a certificate without an email address, the option --type=email will add the emailProtection EKU. @example hxtool issue-certificate \ --subject="UID=testus-email,DC=test,DC=h5l,DC=se" \ --type=email \ --email="testus@@test.h5l.se" \ ... @end example An example of a certificate without a subject distinguished name but with an email address in a SAN. @example hxtool issue-certificate \ --subject="" \ --type=email \ --email="testus@@test.h5l.se" \ ... 
@end example @subsection PK-INIT A PK-INIT infrastructure allows users and services to pick up kerberos credentials (tickets) based on their certificate. This, for example, allows users to authenticate to their desktops using smartcards while acquiring kerberos tickets in the process. As an example, an office network which offers centrally controlled desktop logins, mail, messaging (xmpp) and openafs would give users single sign-on facilities via smartcard based logins. Once the kerberos ticket has been acquired, all kerberized services would immediately become accessible based on deployed security policies. Let's go over the process of initializing a demo PK-INIT framework: @example hxtool issue-certificate \ --type="pkinit-kdc" \ --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \ --hostname=kerberos.test.h5l.se \ --ca-certificate="FILE:ca.pem,ca.key" \ --generate-key=rsa \ --certificate="FILE:kdc.pem" \ --subject="cn=kdc" @end example How to create a certificate for a user: @example hxtool issue-certificate \ --type="pkinit-client" \ --pk-init-principal="user@@TEST.H5L.SE" \ --ca-certificate="FILE:ca.pem,ca.key" \ --generate-key=rsa \ --subject="cn=Test User" \ --certificate="FILE:user.pem" @end example The --type field can be specified multiple times. The same certificate can hence house extensions for both pkinit-client as well as S/MIME. To use the PKCS11 module, please see the section: @pxref{How to use the PKCS11 module}. For more on how to configure the KDC, see the Heimdal manual. @subsection XMPP/Jabber The jabber server certificate should have a dNSname that is the same as the name the user entered into the application, not the same as the host name of the machine. @example hxtool issue-certificate \ --subject="CN=xmpp1.test.h5l.se,DC=test,DC=h5l,DC=se" \ --hostname="xmpp1.test.h5l.se" \ --hostname="test.h5l.se" \ ... 
@end example The certificate may also contain a jabber identifier (JID) that, if the receiver allows it, authorises the server or client to use that JID. When storing a JID inside the certificate, both for server and client, it's stored inside a UTF8String within an otherName entity inside the subjectAltName, using the OID id-on-xmppAddr (1.3.6.1.5.5.7.8.5). To read more about the requirements, see RFC3920, Extensible Messaging and Presence Protocol (XMPP): Core. hxtool issue-certificate has support for adding a JID to the certificate using the option @kbd{--jid}. @example hxtool issue-certificate \ --subject="CN=Love,DC=test,DC=h5l,DC=se" \ --jid="lha@@test.h5l.se" \ ... @end example @node CMS signing and encryption, CMS background, Application requirements, Top @chapter CMS signing and encryption CMS is the Cryptographic Message Syntax that, among other things, is used by S/MIME (secure email) and Kerberos PK-INIT. It's an extended version of the RSA, Inc standard PKCS7. @node CMS background, Certificate matching, CMS signing and encryption, Top @section CMS background @node Certificate matching, Matching syntax, CMS background, Top @chapter Certificate matching To match certificates, hx509 has a special query language to match certificates in queries and ACLs. @node Matching syntax, Software PKCS 11 module, Certificate matching, Top @section Matching syntax This is the language definition, somewhat sloppily described: @example expr = TRUE, FALSE, ! expr, expr AND expr, expr OR expr, ( expr ) compare compare = word == word, word != word, word IN ( word [, word ...]) word IN %@{variable.subvariable@} word = STRING, %@{variable@} @end example @node Software PKCS 11 module, How to use the PKCS11 module, Matching syntax, Top @chapter Software PKCS 11 module PKCS11 is a standard created by RSA, Inc to support hardware and software encryption modules. It can be used by smartcards to expose the crypto primitives inside without exposing the crypto keys. 
Hx509 includes a software implementation of PKCS11 that runs within the memory space of the process and thus exposes the keys to the application. @node How to use the PKCS11 module, , Software PKCS 11 module, Top @section How to use the PKCS11 module @example $ cat > ~/.soft-pkcs11.rc <