Diffstat (limited to 'lib/krb5')
-rw-r--r--lib/krb5/Makefile.am65
-rw-r--r--lib/krb5/Makefile.in4710
-rw-r--r--lib/krb5/NTMakefile54
-rw-r--r--lib/krb5/acache.c212
-rw-r--r--lib/krb5/acl.c2
-rw-r--r--lib/krb5/add_et_list.c6
-rw-r--r--lib/krb5/addr_families.c119
-rw-r--r--lib/krb5/aes-test.c22
-rw-r--r--lib/krb5/an2ln_plugin.h6
-rw-r--r--lib/krb5/aname_to_localname.c21
-rw-r--r--lib/krb5/asn1_glue.c94
-rw-r--r--lib/krb5/auth_context.c75
-rw-r--r--lib/krb5/authdata.c124
-rw-r--r--lib/krb5/build_ap_req.c44
-rw-r--r--lib/krb5/build_auth.c136
-rw-r--r--lib/krb5/cache.c838
-rw-r--r--lib/krb5/ccache_plugin.h7
-rw-r--r--lib/krb5/changepw.c18
-rw-r--r--lib/krb5/config_file.c1019
-rw-r--r--lib/krb5/config_reg.c649
-rw-r--r--lib/krb5/constants.c17
-rw-r--r--lib/krb5/context.c456
-rw-r--r--lib/krb5/convert_creds.c3
-rw-r--r--lib/krb5/creds.c2
-rw-r--r--lib/krb5/crypto-aes-sha1.c11
-rw-r--r--lib/krb5/crypto-aes-sha2.c15
-rw-r--r--lib/krb5/crypto-algs.c5
-rw-r--r--lib/krb5/crypto-arcfour.c68
-rw-r--r--lib/krb5/crypto-des-common.c29
-rw-r--r--lib/krb5/crypto-des.c70
-rw-r--r--lib/krb5/crypto-des3.c31
-rw-r--r--lib/krb5/crypto-evp.c494
-rw-r--r--lib/krb5/crypto-null.c8
-rw-r--r--lib/krb5/crypto-stubs.c3
-rw-r--r--lib/krb5/crypto.c757
-rw-r--r--lib/krb5/crypto.h58
-rw-r--r--lib/krb5/data.c11
-rw-r--r--lib/krb5/db_plugin.c14
-rw-r--r--lib/krb5/db_plugin.h6
-rw-r--r--lib/krb5/dcache.c603
-rw-r--r--lib/krb5/deprecated.c57
-rw-r--r--lib/krb5/doxygen.c2
-rw-r--r--lib/krb5/enomem.c2
-rw-r--r--lib/krb5/error_string.c118
-rw-r--r--lib/krb5/expand_path.c530
-rw-r--r--lib/krb5/fast.c873
-rw-r--r--lib/krb5/fcache.c739
-rw-r--r--lib/krb5/generate_subkey.c2
-rw-r--r--lib/krb5/get_cred.c581
-rw-r--r--lib/krb5/get_default_principal.c122
-rw-r--r--lib/krb5/get_for_creds.c425
-rw-r--r--lib/krb5/get_host_realm.c34
-rw-r--r--lib/krb5/get_in_tkt.c9
-rw-r--r--lib/krb5/heim_err.et53
-rw-r--r--lib/krb5/init_creds.c2
-rw-r--r--lib/krb5/init_creds_pw.c2889
-rw-r--r--lib/krb5/k5e1_err.et13
-rw-r--r--lib/krb5/kcm.c319
-rw-r--r--lib/krb5/kcm.h3
-rw-r--r--lib/krb5/kerberos.89
-rw-r--r--lib/krb5/kerberos.cat857
-rw-r--r--lib/krb5/keyblock.c3
-rw-r--r--lib/krb5/keytab.c56
-rw-r--r--lib/krb5/keytab_any.c4
-rw-r--r--lib/krb5/keytab_file.c165
-rw-r--r--lib/krb5/keytab_keyfile.c2
-rw-r--r--lib/krb5/krb5-plugin.7156
-rw-r--r--lib/krb5/krb5-plugin.cat7167
-rw-r--r--lib/krb5/krb5-private.h733
-rw-r--r--lib/krb5/krb5-protos.h9301
-rw-r--r--lib/krb5/krb5-v4compat.h143
-rw-r--r--lib/krb5/krb5.conf.5673
-rw-r--r--lib/krb5/krb5.conf.cat5840
-rw-r--r--lib/krb5/krb5.h222
-rw-r--r--lib/krb5/krb524_convert_creds_kdc.cat342
-rw-r--r--lib/krb5/krb5_425_conv_principal.cat3139
-rw-r--r--lib/krb5/krb5_acl_match_file.cat360
-rw-r--r--lib/krb5/krb5_aname_to_localname.cat338
-rw-r--r--lib/krb5/krb5_appdefault.cat356
-rw-r--r--lib/krb5/krb5_auth_context.cat3220
-rw-r--r--lib/krb5/krb5_c_make_checksum.cat3141
-rw-r--r--lib/krb5/krb5_ccapi.h4
-rw-r--r--lib/krb5/krb5_check_transited.cat348
-rw-r--r--lib/krb5/krb5_create_checksum.cat3112
-rw-r--r--lib/krb5/krb5_creds.cat357
-rw-r--r--lib/krb5/krb5_digest.cat3145
-rw-r--r--lib/krb5/krb5_eai_to_heim_errno.cat328
-rw-r--r--lib/krb5/krb5_encrypt.cat3137
-rw-r--r--lib/krb5/krb5_err.et45
-rw-r--r--lib/krb5/krb5_find_padata.cat332
-rw-r--r--lib/krb5/krb5_generate_random_block.cat322
-rw-r--r--lib/krb5/krb5_get_all_client_addrs.cat338
-rw-r--r--lib/krb5/krb5_get_credentials.cat396
-rw-r--r--lib/krb5/krb5_get_creds.cat392
-rw-r--r--lib/krb5/krb5_get_forwarded_creds.cat332
-rw-r--r--lib/krb5/krb5_get_in_cred.cat3131
-rw-r--r--lib/krb5/krb5_get_init_creds.cat3248
-rw-r--r--lib/krb5/krb5_get_krbhst.cat355
-rw-r--r--lib/krb5/krb5_getportbyname.cat328
-rw-r--r--lib/krb5/krb5_init_context.cat3184
-rw-r--r--lib/krb5/krb5_is_thread_safe.cat325
-rw-r--r--lib/krb5/krb5_krbhst_init.cat3117
-rw-r--r--lib/krb5/krb5_locl.h137
-rw-r--r--lib/krb5/krb5_mk_req.cat388
-rw-r--r--lib/krb5/krb5_mk_safe.cat335
-rw-r--r--lib/krb5/krb5_openlog.381
-rw-r--r--lib/krb5/krb5_openlog.cat3158
-rw-r--r--lib/krb5/krb5_parse_name.cat330
-rw-r--r--lib/krb5/krb5_principal.cat3259
-rw-r--r--lib/krb5/krb5_rcache.cat383
-rw-r--r--lib/krb5/krb5_rd_error.cat351
-rw-r--r--lib/krb5/krb5_rd_safe.cat334
-rw-r--r--lib/krb5/krb5_set_default_realm.cat369
-rw-r--r--lib/krb5/krb5_set_password.cat365
-rw-r--r--lib/krb5/krb5_string_to_key.cat373
-rw-r--r--lib/krb5/krb5_timeofday.cat354
-rw-r--r--lib/krb5/krb5_verify_init_creds.cat351
-rw-r--r--lib/krb5/krb5_verify_user.cat3140
-rw-r--r--lib/krb5/krbhst-test.c17
-rw-r--r--lib/krb5/krbhst.c190
-rw-r--r--lib/krb5/krcache.c2075
-rw-r--r--lib/krb5/kuserok.c36
-rw-r--r--lib/krb5/kuserok_plugin.h6
-rw-r--r--lib/krb5/kx509.c1323
-rw-r--r--lib/krb5/kx509_err.et39
-rw-r--r--lib/krb5/libkrb5-exports.def.in93
-rw-r--r--lib/krb5/locate_plugin.h6
-rw-r--r--lib/krb5/log.c450
-rw-r--r--lib/krb5/mcache.c157
-rw-r--r--lib/krb5/mit_glue.c17
-rw-r--r--lib/krb5/mk_cred.c324
-rw-r--r--lib/krb5/mk_error.c4
-rw-r--r--lib/krb5/mk_req_ext.c67
-rw-r--r--lib/krb5/pac.c1630
-rw-r--r--lib/krb5/pcache.c17
-rw-r--r--lib/krb5/pkinit-ec.c73
-rw-r--r--lib/krb5/pkinit.c304
-rw-r--r--lib/krb5/plugin.c574
-rw-r--r--lib/krb5/principal.c109
-rw-r--r--lib/krb5/rd_cred.c4
-rw-r--r--lib/krb5/rd_priv.c2
-rw-r--r--lib/krb5/rd_req.c91
-rw-r--r--lib/krb5/rd_safe.c2
-rw-r--r--lib/krb5/recvauth.c7
-rw-r--r--lib/krb5/replay.c8
-rw-r--r--lib/krb5/salt-aes-sha1.c2
-rw-r--r--lib/krb5/salt-aes-sha2.c2
-rw-r--r--lib/krb5/salt-arcfour.c6
-rw-r--r--lib/krb5/salt.c67
-rw-r--r--lib/krb5/scache.c479
-rw-r--r--lib/krb5/send_to_kdc.c101
-rw-r--r--lib/krb5/send_to_kdc_plugin.h5
-rw-r--r--lib/krb5/sendauth.c20
-rwxr-xr-xlib/krb5/sp800-108-kdf.c5
-rw-r--r--lib/krb5/store-int.c2
-rw-r--r--lib/krb5/store.c406
-rw-r--r--lib/krb5/store_emem.c40
-rw-r--r--lib/krb5/store_fd.c23
-rw-r--r--lib/krb5/store_mem.c4
-rw-r--r--lib/krb5/store_sock.c10
-rw-r--r--lib/krb5/store_stdio.c271
-rw-r--r--lib/krb5/test_acl.c2
-rw-r--r--lib/krb5/test_alname.c2
-rw-r--r--lib/krb5/test_ap-req.c3
-rw-r--r--lib/krb5/test_cc.c499
-rw-r--r--lib/krb5/test_expand_toks.c2
-rw-r--r--lib/krb5/test_gic.c2
-rw-r--r--lib/krb5/test_hostname.c4
-rw-r--r--lib/krb5/test_mkforwardable.c191
-rw-r--r--lib/krb5/test_pac.c882
-rw-r--r--lib/krb5/test_plugin.c6
-rw-r--r--lib/krb5/test_princ.c20
-rw-r--r--lib/krb5/test_rfc3961.c310
-rw-r--r--lib/krb5/test_set_kvno0.c5
-rw-r--r--lib/krb5/test_store.c43
-rw-r--r--lib/krb5/test_time.c4
-rw-r--r--lib/krb5/ticket.c124
-rw-r--r--lib/krb5/time.c9
-rw-r--r--lib/krb5/transited.c14
-rw-r--r--lib/krb5/verify_krb5_conf.c27
-rw-r--r--lib/krb5/verify_krb5_conf.cat856
-rw-r--r--lib/krb5/verify_user.c13
-rw-r--r--lib/krb5/version-script.map92
-rw-r--r--lib/krb5/warn.c96
184 files changed, 18504 insertions, 26936 deletions
diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am
index 74d8ae171c5a..ecce461dd89c 100644
--- a/lib/krb5/Makefile.am
+++ b/lib/krb5/Makefile.am
@@ -2,7 +2,9 @@
include $(top_srcdir)/Makefile.am.common
-AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto)
+WFLAGS += $(WFLAGS_ENUM_CONV)
+
+AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err -I../base -I$(srcdir)/../base $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto)
bin_PROGRAMS = verify_krb5_conf
@@ -50,7 +52,8 @@ TESTS = \
check_DATA = test_config_strings.out
-check_PROGRAMS = $(TESTS) test_hostname test_ap-req test_canon test_set_kvno0
+check_PROGRAMS = $(TESTS) test_hostname test_ap-req test_canon test_set_kvno0 \
+ test_mkforwardable
LDADD = libkrb5.la \
$(LIB_hcrypto) \
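Review bot: `test_mkforwardable` is added only to `check_PROGRAMS`, and no hunk in this file touches the `TESTS` list, so `make check` will build the program but never run it. If it is meant as a regression test for forwardable-ticket handling, add it to `TESTS`. If it needs a live KDC or other setup, a one-line comment such as `# test_mkforwardable needs external setup; built but not run by make check` would explain that.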
@@ -58,6 +61,12 @@ LDADD = libkrb5.la \
$(top_builddir)/lib/wind/libwind.la \
$(LIB_heimbase) $(LIB_roken)
+if HAVE_KEYUTILS
+test_cc_LDADD = $(LDADD) -lkeyutils
+else
+test_cc_LDADD = $(LDADD)
+endif
+
if PKINIT
LIB_pkinit = ../hx509/libhx509.la
endif
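Review bot: `test_cc_LDADD` hard-codes `-lkeyutils` under `HAVE_KEYUTILS`, while the library link lines changed later in this file pick up the keyring dependency through `$(LIB_add_key)`. Two spellings of the same dependency can drift apart, for example when keyutils is installed in a non-default prefix. If `$(LIB_add_key)` expands to the keyutils library whenever it is found (it presumably does, but the configure check is not visible here), `test_cc_LDADD = $(LDADD) $(LIB_add_key)` would remove the conditional and keep a single source for the library name.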
@@ -71,7 +80,7 @@ libkrb5_la_LIBADD = \
$(top_builddir)/lib/ipc/libheim-ipcc.la \
$(top_builddir)/lib/wind/libwind.la \
$(top_builddir)/lib/base/libheimbase.la \
- $(LIB_pkinit) \
+ $(top_builddir)/lib/hx509/libhx509.la \
$(LIB_openssl_crypto) \
$(use_sqlite) \
$(LIB_com_err) \
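Review bot: Replacing `$(LIB_pkinit)` with `$(top_builddir)/lib/hx509/libhx509.la` makes hx509 a hard link dependency of libkrb5 even when PKINIT is disabled, yet the `if PKINIT` / `LIB_pkinit = ../hx509/libhx509.la` block in the preceding hunk's context is left in place. This is presumably needed because `kx509.c` joins the sources in a later hunk. It also means the X.509 parsing code is linked into every build, which should be stated next to the line, e.g. `# hx509 is required unconditionally (kx509.c), not only for PKINIT`. Check whether `LIB_pkinit` is still referenced anywhere in the new Makefile.am; if it is not, the conditional is dead and can go.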
@@ -79,8 +88,8 @@ libkrb5_la_LIBADD = \
$(LIB_libintl) \
$(LIBADD_roken) \
$(PTHREAD_LIBADD) \
- $(LIB_door_create) \
- $(LIB_dlopen)
+ $(LIB_add_key) \
+ $(LIB_door_create)
librfc3961_la_LIBADD = \
$(top_builddir)/lib/asn1/libasn1.la \
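Review bot: Dropping `$(LIB_dlopen)` from `libkrb5_la_LIBADD` here, and from `librfc3961_la_LIBADD` in the next hunk, leaves nothing on these link lines that supplies the dynamic loader, while `plugin.c` remains in `dist_libkrb5_la_SOURCES`. If `plugin.c` still calls `dlopen`/`dlsym` directly, the link then depends on libdl arriving transitively through another library, which fails on platforms with a separate libdl when linking with `--no-undefined` or `--as-needed`. If plugin loading has moved into libheimbase (the changes to `plugin.c` are not visible in this part of the page), a short comment on the list such as `# dlopen is provided via libheimbase` would record why the entry was safe to remove.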
@@ -93,12 +102,12 @@ librfc3961_la_LIBADD = \
$(LIB_libintl) \
$(LIBADD_roken) \
$(PTHREAD_LIBADD) \
- $(LIB_door_create) \
- $(LIB_dlopen)
+ $(LIB_add_key) \
+ $(LIB_door_create)
lib_LTLIBRARIES = libkrb5.la
-ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
+ERR_FILES = krb5_err.c krb_err.c k524_err.c k5e1_err.c kx509_err.c
libkrb5_la_CPPFLAGS = \
-DBUILD_KRB5_LIB \
@@ -120,9 +129,11 @@ dist_libkrb5_la_SOURCES = \
appdefault.c \
asn1_glue.c \
auth_context.c \
+ authdata.c \
build_ap_req.c \
build_auth.c \
cache.c \
+ ccache_plugin.h \
changepw.c \
codec.c \
config_file.c \
@@ -182,13 +193,15 @@ dist_libkrb5_la_SOURCES = \
keytab_keyfile.c \
keytab_memory.c \
krb5_locl.h \
- krb5-v4compat.h \
+ krcache.c \
krbhst.c \
kuserok.c \
kuserok_plugin.h \
+ kx509.c \
log.c \
mcache.c \
misc.c \
+ mk_cred.c \
mk_error.c \
mk_priv.c \
mk_rep.c \
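Review bot: `krcache.c` is added to `dist_libkrb5_la_SOURCES` unconditionally, whereas the keyutils linkage elsewhere in this file is conditional (`if HAVE_KEYUTILS` for `test_cc`, `$(LIB_add_key)` for the library). Confirm that the file compiles to an empty unit when keyutils is absent. The source is not shown in this part of the page, so this cannot be verified from here. If it is guarded internally, a comment on the entry such as `# krcache.c is a no-op without keyutils` would save the next reader the lookup.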
@@ -235,6 +248,7 @@ dist_libkrb5_la_SOURCES = \
store_fd.c \
store_mem.c \
store_sock.c \
+ store_stdio.c \
plugin.c \
ticket.c \
time.c \
@@ -252,6 +266,9 @@ libkrb5_la_DEPENDENCIES = \
version-script.map
libkrb5_la_LDFLAGS = -version-info 26:0:0
+if FRAMEWORK_COREFOUNDATION
+libkrb5_la_LDFLAGS += -framework CoreFoundation
+endif
if versionscript
libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
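Review bot: `libkrb5_la_LDFLAGS = -version-info 26:0:0` is left unchanged although this commit removes `heim_err.c` from `ERR_FILES` and changes `version-script.map` and `libkrb5-exports.def.in` (both listed in the diffstat). If any previously exported symbol is no longer provided by libkrb5, consumers built against the old library will fail at load time under the same soname. The libtool `current` number should be bumped in that case. If the heim_err symbols are still re-exported or supplied by a library libkrb5 links against, a comment next to the version line saying so would settle the question.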
@@ -272,7 +289,8 @@ ALL_OBJECTS += $(test_renew_OBJECTS)
ALL_OBJECTS += $(test_rfc3961_OBJECTS)
$(ALL_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
-$(ALL_OBJECTS): krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
+$(ALL_OBJECTS): krb5_err.h k524_err.h k5e1_err.h \
+ krb_err.h k524_err.h kx509_err.h
librfc3961_la_SOURCES = \
crc.c \
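Review bot: The rewritten `$(ALL_OBJECTS)` prerequisite list still names `k524_err.h` twice, once on each of the two continuation lines. This duplicate is carried over from the old line, which also repeated `krb5_err.h`. It is harmless to make but untidy, and the list now differs in order from the `$(libkrb5_la_OBJECTS)` rule further down. Suggest `$(ALL_OBJECTS): krb5_err.h krb_err.h k524_err.h k5e1_err.h kx509_err.h` so both rules read the same.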
@@ -376,11 +394,17 @@ dist_include_HEADERS = \
noinst_HEADERS = $(srcdir)/krb5-private.h
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
+nodist_include_HEADERS = krb5_err.h k524_err.h k5e1_err.h kx509_err.h
# XXX use nobase_include_HEADERS = krb5/locate_plugin.h
krb5dir = $(includedir)/krb5
-krb5_HEADERS = locate_plugin.h send_to_kdc_plugin.h ccache_plugin.h an2ln_plugin.h db_plugin.h
+krb5_HEADERS = \
+ an2ln_plugin.h \
+ ccache_plugin.h \
+ db_plugin.h \
+ kuserok_plugin.h \
+ locate_plugin.h \
+ send_to_kdc_plugin.h
build_HEADERZ = \
$(krb5_HEADERS) \
@@ -391,24 +415,25 @@ CLEANFILES = \
test-store-data \
krb5_err.c krb5_err.h \
krb_err.c krb_err.h \
- heim_err.c heim_err.h \
- k524_err.c k524_err.h
+ k524_err.c k524_err.h \
+ k5e1_err.c k5e1_err.h \
+ kx509_err.c kx509_err.h
-$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
+$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h k524_err.h k5e1_err.h kx509_err.h
test_config_strings.out: test_config_strings.cfg
$(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out
EXTRA_DIST = \
NTMakefile \
- config_reg.c \
dll.c \
libkrb5-exports.def.in \
verify_krb5_conf-version.rc \
krb5_err.et \
krb_err.et \
- heim_err.et \
k524_err.et \
+ k5e1_err.et \
+ kx509_err.et \
$(man_MANS) \
version-script.map \
test_config_strings.cfg \
@@ -422,6 +447,8 @@ krb5_err.h: krb5_err.et
krb_err.h: krb_err.et
-heim_err.h: heim_err.et
-
k524_err.h: k524_err.et
+
+k5e1_err.h: k5e1_err.et
+
+kx509_err.h: kx509_err.et
diff --git a/lib/krb5/Makefile.in b/lib/krb5/Makefile.in
deleted file mode 100644
index cc7f98b0d8ab..000000000000
--- a/lib/krb5/Makefile.in
+++ /dev/null
@@ -1,4710 +0,0 @@
-# Makefile.in generated by automake 1.16.5 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2021 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-# $Id$
-
-# $Id$
-
-# $Id$
-
-
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
- if test -z '$(MAKELEVEL)'; then \
- false; \
- elif test -n '$(MAKE_HOST)'; then \
- true; \
- elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
- true; \
- else \
- false; \
- fi; \
-}
-am__make_running_with_option = \
- case $${target_option-} in \
- ?) ;; \
- *) echo "am__make_running_with_option: internal error: invalid" \
- "target option '$${target_option-}' specified" >&2; \
- exit 1;; \
- esac; \
- has_opt=no; \
- sane_makeflags=$$MAKEFLAGS; \
- if $(am__is_gnu_make); then \
- sane_makeflags=$$MFLAGS; \
- else \
- case $$MAKEFLAGS in \
- *\\[\ \ ]*) \
- bs=\\; \
- sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
- | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
- esac; \
- fi; \
- skip_next=no; \
- strip_trailopt () \
- { \
- flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
- }; \
- for flg in $$sane_makeflags; do \
- test $$skip_next = yes && { skip_next=no; continue; }; \
- case $$flg in \
- *=*|--*) continue;; \
- -*I) strip_trailopt 'I'; skip_next=yes;; \
- -*I?*) strip_trailopt 'I';; \
- -*O) strip_trailopt 'O'; skip_next=yes;; \
- -*O?*) strip_trailopt 'O';; \
- -*l) strip_trailopt 'l'; skip_next=yes;; \
- -*l?*) strip_trailopt 'l';; \
- -[dEDm]) skip_next=yes;; \
- -[JT]) skip_next=yes;; \
- esac; \
- case $$flg in \
- *$$target_option*) has_opt=yes; break;; \
- esac; \
- done; \
- test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-bin_PROGRAMS = verify_krb5_conf$(EXEEXT)
-noinst_PROGRAMS = krbhst-test$(EXEEXT) test_alname$(EXEEXT) \
- test_crypto$(EXEEXT) test_forward$(EXEEXT) \
- test_get_addrs$(EXEEXT) test_gic$(EXEEXT) \
- test_kuserok$(EXEEXT) test_renew$(EXEEXT) \
- test_rfc3961$(EXEEXT)
-TESTS = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
- n-fold-test$(EXEEXT) parse-name-test$(EXEEXT) \
- pseudo-random-test$(EXEEXT) store-test$(EXEEXT) \
- string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
- test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
- test_fx$(EXEEXT) test_prf$(EXEEXT) test_store$(EXEEXT) \
- test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
- test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
- test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
- test_pknistkdf$(EXEEXT) test_time$(EXEEXT) \
- test_expand_toks$(EXEEXT) test_x500$(EXEEXT)
-check_PROGRAMS = $(am__EXEEXT_1) test_hostname$(EXEEXT) \
- test_ap-req$(EXEEXT) test_canon$(EXEEXT) \
- test_set_kvno0$(EXEEXT)
-@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
-subdir = lib/krb5
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
- $(top_srcdir)/cf/auth-modules.m4 \
- $(top_srcdir)/cf/broken-glob.m4 \
- $(top_srcdir)/cf/broken-realloc.m4 \
- $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
- $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
- $(top_srcdir)/cf/capabilities.m4 \
- $(top_srcdir)/cf/check-compile-et.m4 \
- $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
- $(top_srcdir)/cf/check-man.m4 \
- $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
- $(top_srcdir)/cf/check-type-extra.m4 \
- $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/crypto.m4 \
- $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
- $(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
- $(top_srcdir)/cf/find-func-no-libs.m4 \
- $(top_srcdir)/cf/find-func-no-libs2.m4 \
- $(top_srcdir)/cf/find-func.m4 \
- $(top_srcdir)/cf/find-if-not-broken.m4 \
- $(top_srcdir)/cf/framework-security.m4 \
- $(top_srcdir)/cf/have-struct-field.m4 \
- $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
- $(top_srcdir)/cf/krb-bigendian.m4 \
- $(top_srcdir)/cf/krb-func-getlogin.m4 \
- $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
- $(top_srcdir)/cf/krb-prog-perl.m4 \
- $(top_srcdir)/cf/krb-readline.m4 \
- $(top_srcdir)/cf/krb-struct-spwd.m4 \
- $(top_srcdir)/cf/krb-struct-winsize.m4 \
- $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/libtool.m4 \
- $(top_srcdir)/cf/ltoptions.m4 $(top_srcdir)/cf/ltsugar.m4 \
- $(top_srcdir)/cf/ltversion.m4 $(top_srcdir)/cf/lt~obsolete.m4 \
- $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
- $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
- $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/pkg.m4 \
- $(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
- $(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
- $(top_srcdir)/cf/roken-frag.m4 \
- $(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
- $(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
- $(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
- $(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
- $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
- $(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(dist_include_HEADERS) \
- $(krb5_HEADERS) $(noinst_HEADERS) $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/include/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" \
- "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
- "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" \
- "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" \
- "$(DESTDIR)$(includedir)"
-am__EXEEXT_1 = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
- n-fold-test$(EXEEXT) parse-name-test$(EXEEXT) \
- pseudo-random-test$(EXEEXT) store-test$(EXEEXT) \
- string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
- test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
- test_fx$(EXEEXT) test_prf$(EXEEXT) test_store$(EXEEXT) \
- test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
- test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
- test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
- test_pknistkdf$(EXEEXT) test_time$(EXEEXT) \
- test_expand_toks$(EXEEXT) test_x500$(EXEEXT)
-PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
- $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
- *) f=$$p;; \
- esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
- srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
- for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
- for p in $$list; do echo "$$p $$p"; done | \
- sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
- $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
- if (++n[$$2] == $(am__install_max)) \
- { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
- END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
- sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
- sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
- test -z "$$files" \
- || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
- || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
- $(am__cd) "$$dir" && rm -f $$files; }; \
- }
-LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-@have_scc_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
-dist_libkrb5_la_OBJECTS = libkrb5_la-acache.lo libkrb5_la-acl.lo \
- libkrb5_la-add_et_list.lo libkrb5_la-addr_families.lo \
- libkrb5_la-aname_to_localname.lo libkrb5_la-appdefault.lo \
- libkrb5_la-asn1_glue.lo libkrb5_la-auth_context.lo \
- libkrb5_la-build_ap_req.lo libkrb5_la-build_auth.lo \
- libkrb5_la-cache.lo libkrb5_la-changepw.lo libkrb5_la-codec.lo \
- libkrb5_la-config_file.lo libkrb5_la-convert_creds.lo \
- libkrb5_la-constants.lo libkrb5_la-context.lo \
- libkrb5_la-copy_host_realm.lo libkrb5_la-crc.lo \
- libkrb5_la-creds.lo libkrb5_la-crypto.lo \
- libkrb5_la-crypto-aes-sha1.lo libkrb5_la-crypto-aes-sha2.lo \
- libkrb5_la-crypto-algs.lo libkrb5_la-crypto-arcfour.lo \
- libkrb5_la-crypto-des.lo libkrb5_la-crypto-des-common.lo \
- libkrb5_la-crypto-des3.lo libkrb5_la-crypto-evp.lo \
- libkrb5_la-crypto-null.lo libkrb5_la-crypto-pk.lo \
- libkrb5_la-crypto-rand.lo libkrb5_la-doxygen.lo \
- libkrb5_la-data.lo libkrb5_la-db_plugin.lo \
- libkrb5_la-dcache.lo libkrb5_la-deprecated.lo \
- libkrb5_la-digest.lo libkrb5_la-eai_to_heim_errno.lo \
- libkrb5_la-enomem.lo libkrb5_la-error_string.lo \
- libkrb5_la-expand_hostname.lo libkrb5_la-expand_path.lo \
- libkrb5_la-fast.lo libkrb5_la-fcache.lo libkrb5_la-free.lo \
- libkrb5_la-free_host_realm.lo \
- libkrb5_la-generate_seq_number.lo \
- libkrb5_la-generate_subkey.lo libkrb5_la-get_addrs.lo \
- libkrb5_la-get_cred.lo libkrb5_la-get_default_principal.lo \
- libkrb5_la-get_default_realm.lo libkrb5_la-get_for_creds.lo \
- libkrb5_la-get_host_realm.lo libkrb5_la-get_in_tkt.lo \
- libkrb5_la-get_port.lo libkrb5_la-init_creds.lo \
- libkrb5_la-init_creds_pw.lo libkrb5_la-kcm.lo \
- libkrb5_la-keyblock.lo libkrb5_la-keytab.lo \
- libkrb5_la-keytab_any.lo libkrb5_la-keytab_file.lo \
- libkrb5_la-keytab_keyfile.lo libkrb5_la-keytab_memory.lo \
- libkrb5_la-krbhst.lo libkrb5_la-kuserok.lo libkrb5_la-log.lo \
- libkrb5_la-mcache.lo libkrb5_la-misc.lo libkrb5_la-mk_error.lo \
- libkrb5_la-mk_priv.lo libkrb5_la-mk_rep.lo \
- libkrb5_la-mk_req.lo libkrb5_la-mk_req_ext.lo \
- libkrb5_la-mk_safe.lo libkrb5_la-mit_glue.lo \
- libkrb5_la-net_read.lo libkrb5_la-net_write.lo \
- libkrb5_la-n-fold.lo libkrb5_la-pac.lo libkrb5_la-padata.lo \
- libkrb5_la-pcache.lo libkrb5_la-pkinit.lo \
- libkrb5_la-pkinit-ec.lo libkrb5_la-principal.lo \
- libkrb5_la-prog_setup.lo libkrb5_la-prompter_posix.lo \
- libkrb5_la-rd_cred.lo libkrb5_la-rd_error.lo \
- libkrb5_la-rd_priv.lo libkrb5_la-rd_rep.lo \
- libkrb5_la-rd_req.lo libkrb5_la-rd_safe.lo \
- libkrb5_la-read_message.lo libkrb5_la-recvauth.lo \
- libkrb5_la-replay.lo libkrb5_la-salt.lo \
- libkrb5_la-salt-aes-sha1.lo libkrb5_la-salt-aes-sha2.lo \
- libkrb5_la-salt-arcfour.lo libkrb5_la-salt-des.lo \
- libkrb5_la-salt-des3.lo libkrb5_la-sp800-108-kdf.lo \
- libkrb5_la-scache.lo libkrb5_la-send_to_kdc.lo \
- libkrb5_la-sendauth.lo libkrb5_la-set_default_realm.lo \
- libkrb5_la-sock_principal.lo libkrb5_la-store.lo \
- libkrb5_la-store-int.lo libkrb5_la-store_emem.lo \
- libkrb5_la-store_fd.lo libkrb5_la-store_mem.lo \
- libkrb5_la-store_sock.lo libkrb5_la-plugin.lo \
- libkrb5_la-ticket.lo libkrb5_la-time.lo \
- libkrb5_la-transited.lo libkrb5_la-verify_init.lo \
- libkrb5_la-verify_user.lo libkrb5_la-version.lo \
- libkrb5_la-warn.lo libkrb5_la-write_message.lo
-am__objects_1 = libkrb5_la-krb5_err.lo libkrb5_la-krb_err.lo \
- libkrb5_la-heim_err.lo libkrb5_la-k524_err.lo
-nodist_libkrb5_la_OBJECTS = $(am__objects_1)
-libkrb5_la_OBJECTS = $(dist_libkrb5_la_OBJECTS) \
- $(nodist_libkrb5_la_OBJECTS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 =
-libkrb5_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(libkrb5_la_LDFLAGS) $(LDFLAGS) -o $@
-librfc3961_la_DEPENDENCIES = $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/ipc/libheim-ipcc.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_pkinit) \
- $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_librfc3961_la_OBJECTS = librfc3961_la-crc.lo \
- librfc3961_la-crypto.lo librfc3961_la-crypto-aes-sha1.lo \
- librfc3961_la-crypto-aes-sha2.lo librfc3961_la-crypto-algs.lo \
- librfc3961_la-crypto-arcfour.lo librfc3961_la-crypto-des.lo \
- librfc3961_la-crypto-des-common.lo \
- librfc3961_la-crypto-des3.lo librfc3961_la-crypto-evp.lo \
- librfc3961_la-crypto-null.lo librfc3961_la-crypto-pk.lo \
- librfc3961_la-crypto-rand.lo librfc3961_la-crypto-stubs.lo \
- librfc3961_la-data.lo librfc3961_la-enomem.lo \
- librfc3961_la-error_string.lo librfc3961_la-keyblock.lo \
- librfc3961_la-n-fold.lo librfc3961_la-salt.lo \
- librfc3961_la-salt-aes-sha1.lo librfc3961_la-salt-aes-sha2.lo \
- librfc3961_la-salt-arcfour.lo librfc3961_la-salt-des.lo \
- librfc3961_la-salt-des3.lo librfc3961_la-sp800-108-kdf.lo \
- librfc3961_la-store-int.lo librfc3961_la-warn.lo
-librfc3961_la_OBJECTS = $(am_librfc3961_la_OBJECTS)
-aes_test_SOURCES = aes-test.c
-aes_test_OBJECTS = aes-test.$(OBJEXT)
-aes_test_LDADD = $(LDADD)
-aes_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-derived_key_test_SOURCES = derived-key-test.c
-derived_key_test_OBJECTS = derived-key-test.$(OBJEXT)
-derived_key_test_LDADD = $(LDADD)
-derived_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-krbhst_test_SOURCES = krbhst-test.c
-krbhst_test_OBJECTS = krbhst-test.$(OBJEXT)
-krbhst_test_LDADD = $(LDADD)
-krbhst_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-n_fold_test_SOURCES = n-fold-test.c
-n_fold_test_OBJECTS = n-fold-test.$(OBJEXT)
-n_fold_test_LDADD = $(LDADD)
-n_fold_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-parse_name_test_SOURCES = parse-name-test.c
-parse_name_test_OBJECTS = parse-name-test.$(OBJEXT)
-parse_name_test_LDADD = $(LDADD)
-parse_name_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-pseudo_random_test_SOURCES = pseudo-random-test.c
-pseudo_random_test_OBJECTS = pseudo-random-test.$(OBJEXT)
-pseudo_random_test_LDADD = $(LDADD)
-pseudo_random_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-store_test_SOURCES = store-test.c
-store_test_OBJECTS = store-test.$(OBJEXT)
-store_test_LDADD = $(LDADD)
-store_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-string_to_key_test_SOURCES = string-to-key-test.c
-string_to_key_test_OBJECTS = string-to-key-test.$(OBJEXT)
-string_to_key_test_LDADD = $(LDADD)
-string_to_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_acl_SOURCES = test_acl.c
-test_acl_OBJECTS = test_acl.$(OBJEXT)
-test_acl_LDADD = $(LDADD)
-test_acl_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_addr_SOURCES = test_addr.c
-test_addr_OBJECTS = test_addr.$(OBJEXT)
-test_addr_LDADD = $(LDADD)
-test_addr_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_alname_SOURCES = test_alname.c
-test_alname_OBJECTS = test_alname.$(OBJEXT)
-test_alname_LDADD = $(LDADD)
-test_alname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_ap_req_SOURCES = test_ap-req.c
-test_ap_req_OBJECTS = test_ap-req.$(OBJEXT)
-test_ap_req_LDADD = $(LDADD)
-test_ap_req_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_canon_SOURCES = test_canon.c
-test_canon_OBJECTS = test_canon.$(OBJEXT)
-test_canon_LDADD = $(LDADD)
-test_canon_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_cc_SOURCES = test_cc.c
-test_cc_OBJECTS = test_cc.$(OBJEXT)
-test_cc_LDADD = $(LDADD)
-test_cc_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_config_SOURCES = test_config.c
-test_config_OBJECTS = test_config.$(OBJEXT)
-test_config_LDADD = $(LDADD)
-test_config_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_crypto_SOURCES = test_crypto.c
-test_crypto_OBJECTS = test_crypto.$(OBJEXT)
-test_crypto_LDADD = $(LDADD)
-test_crypto_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_crypto_wrapping_SOURCES = test_crypto_wrapping.c
-test_crypto_wrapping_OBJECTS = test_crypto_wrapping.$(OBJEXT)
-test_crypto_wrapping_LDADD = $(LDADD)
-test_crypto_wrapping_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_expand_toks_SOURCES = test_expand_toks.c
-test_expand_toks_OBJECTS = test_expand_toks.$(OBJEXT)
-test_expand_toks_LDADD = $(LDADD)
-test_expand_toks_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_forward_SOURCES = test_forward.c
-test_forward_OBJECTS = test_forward.$(OBJEXT)
-test_forward_LDADD = $(LDADD)
-test_forward_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_fx_SOURCES = test_fx.c
-test_fx_OBJECTS = test_fx.$(OBJEXT)
-test_fx_LDADD = $(LDADD)
-test_fx_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_get_addrs_SOURCES = test_get_addrs.c
-test_get_addrs_OBJECTS = test_get_addrs.$(OBJEXT)
-test_get_addrs_LDADD = $(LDADD)
-test_get_addrs_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_gic_SOURCES = test_gic.c
-test_gic_OBJECTS = test_gic.$(OBJEXT)
-test_gic_LDADD = $(LDADD)
-test_gic_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_hostname_SOURCES = test_hostname.c
-test_hostname_OBJECTS = test_hostname.$(OBJEXT)
-test_hostname_LDADD = $(LDADD)
-test_hostname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_keytab_SOURCES = test_keytab.c
-test_keytab_OBJECTS = test_keytab.$(OBJEXT)
-test_keytab_LDADD = $(LDADD)
-test_keytab_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_kuserok_SOURCES = test_kuserok.c
-test_kuserok_OBJECTS = test_kuserok.$(OBJEXT)
-test_kuserok_LDADD = $(LDADD)
-test_kuserok_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_mem_SOURCES = test_mem.c
-test_mem_OBJECTS = test_mem.$(OBJEXT)
-test_mem_LDADD = $(LDADD)
-test_mem_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_pac_SOURCES = test_pac.c
-test_pac_OBJECTS = test_pac.$(OBJEXT)
-test_pac_LDADD = $(LDADD)
-test_pac_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_pkinit_dh2key_SOURCES = test_pkinit_dh2key.c
-test_pkinit_dh2key_OBJECTS = test_pkinit_dh2key.$(OBJEXT)
-test_pkinit_dh2key_LDADD = $(LDADD)
-test_pkinit_dh2key_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_pknistkdf_SOURCES = test_pknistkdf.c
-test_pknistkdf_OBJECTS = test_pknistkdf.$(OBJEXT)
-test_pknistkdf_LDADD = $(LDADD)
-test_pknistkdf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_plugin_SOURCES = test_plugin.c
-test_plugin_OBJECTS = test_plugin.$(OBJEXT)
-test_plugin_LDADD = $(LDADD)
-test_plugin_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_prf_SOURCES = test_prf.c
-test_prf_OBJECTS = test_prf.$(OBJEXT)
-test_prf_LDADD = $(LDADD)
-test_prf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_princ_SOURCES = test_princ.c
-test_princ_OBJECTS = test_princ.$(OBJEXT)
-test_princ_LDADD = $(LDADD)
-test_princ_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_renew_SOURCES = test_renew.c
-test_renew_OBJECTS = test_renew.$(OBJEXT)
-test_renew_LDADD = $(LDADD)
-test_renew_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_rfc3961_SOURCES = test_rfc3961.c
-test_rfc3961_OBJECTS = test_rfc3961.$(OBJEXT)
-test_rfc3961_DEPENDENCIES = librfc3961.la \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1)
-test_set_kvno0_SOURCES = test_set_kvno0.c
-test_set_kvno0_OBJECTS = test_set_kvno0.$(OBJEXT)
-test_set_kvno0_LDADD = $(LDADD)
-test_set_kvno0_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_store_SOURCES = test_store.c
-test_store_OBJECTS = test_store.$(OBJEXT)
-test_store_LDADD = $(LDADD)
-test_store_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_time_SOURCES = test_time.c
-test_time_OBJECTS = test_time.$(OBJEXT)
-test_time_LDADD = $(LDADD)
-test_time_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_x500_SOURCES = test_x500.c
-test_x500_OBJECTS = test_x500.$(OBJEXT)
-test_x500_LDADD = $(LDADD)
-test_x500_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-verify_krb5_conf_SOURCES = verify_krb5_conf.c
-verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT)
-verify_krb5_conf_LDADD = $(LDADD)
-verify_krb5_conf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo " GEN " $@;
-am__v_GEN_1 =
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 =
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__maybe_remake_depfiles = depfiles
-am__depfiles_remade = ./$(DEPDIR)/aes-test.Po \
- ./$(DEPDIR)/derived-key-test.Po ./$(DEPDIR)/krbhst-test.Po \
- ./$(DEPDIR)/libkrb5_la-acache.Plo \
- ./$(DEPDIR)/libkrb5_la-acl.Plo \
- ./$(DEPDIR)/libkrb5_la-add_et_list.Plo \
- ./$(DEPDIR)/libkrb5_la-addr_families.Plo \
- ./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo \
- ./$(DEPDIR)/libkrb5_la-appdefault.Plo \
- ./$(DEPDIR)/libkrb5_la-asn1_glue.Plo \
- ./$(DEPDIR)/libkrb5_la-auth_context.Plo \
- ./$(DEPDIR)/libkrb5_la-build_ap_req.Plo \
- ./$(DEPDIR)/libkrb5_la-build_auth.Plo \
- ./$(DEPDIR)/libkrb5_la-cache.Plo \
- ./$(DEPDIR)/libkrb5_la-changepw.Plo \
- ./$(DEPDIR)/libkrb5_la-codec.Plo \
- ./$(DEPDIR)/libkrb5_la-config_file.Plo \
- ./$(DEPDIR)/libkrb5_la-constants.Plo \
- ./$(DEPDIR)/libkrb5_la-context.Plo \
- ./$(DEPDIR)/libkrb5_la-convert_creds.Plo \
- ./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-crc.Plo \
- ./$(DEPDIR)/libkrb5_la-creds.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-algs.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-des.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-des3.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-evp.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-null.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-pk.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-rand.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto.Plo \
- ./$(DEPDIR)/libkrb5_la-data.Plo \
- ./$(DEPDIR)/libkrb5_la-db_plugin.Plo \
- ./$(DEPDIR)/libkrb5_la-dcache.Plo \
- ./$(DEPDIR)/libkrb5_la-deprecated.Plo \
- ./$(DEPDIR)/libkrb5_la-digest.Plo \
- ./$(DEPDIR)/libkrb5_la-doxygen.Plo \
- ./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo \
- ./$(DEPDIR)/libkrb5_la-enomem.Plo \
- ./$(DEPDIR)/libkrb5_la-error_string.Plo \
- ./$(DEPDIR)/libkrb5_la-expand_hostname.Plo \
- ./$(DEPDIR)/libkrb5_la-expand_path.Plo \
- ./$(DEPDIR)/libkrb5_la-fast.Plo \
- ./$(DEPDIR)/libkrb5_la-fcache.Plo \
- ./$(DEPDIR)/libkrb5_la-free.Plo \
- ./$(DEPDIR)/libkrb5_la-free_host_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo \
- ./$(DEPDIR)/libkrb5_la-generate_subkey.Plo \
- ./$(DEPDIR)/libkrb5_la-get_addrs.Plo \
- ./$(DEPDIR)/libkrb5_la-get_cred.Plo \
- ./$(DEPDIR)/libkrb5_la-get_default_principal.Plo \
- ./$(DEPDIR)/libkrb5_la-get_default_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-get_for_creds.Plo \
- ./$(DEPDIR)/libkrb5_la-get_host_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo \
- ./$(DEPDIR)/libkrb5_la-get_port.Plo \
- ./$(DEPDIR)/libkrb5_la-heim_err.Plo \
- ./$(DEPDIR)/libkrb5_la-init_creds.Plo \
- ./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo \
- ./$(DEPDIR)/libkrb5_la-k524_err.Plo \
- ./$(DEPDIR)/libkrb5_la-kcm.Plo \
- ./$(DEPDIR)/libkrb5_la-keyblock.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab_any.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab_file.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab_memory.Plo \
- ./$(DEPDIR)/libkrb5_la-krb5_err.Plo \
- ./$(DEPDIR)/libkrb5_la-krb_err.Plo \
- ./$(DEPDIR)/libkrb5_la-krbhst.Plo \
- ./$(DEPDIR)/libkrb5_la-kuserok.Plo \
- ./$(DEPDIR)/libkrb5_la-log.Plo \
- ./$(DEPDIR)/libkrb5_la-mcache.Plo \
- ./$(DEPDIR)/libkrb5_la-misc.Plo \
- ./$(DEPDIR)/libkrb5_la-mit_glue.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_error.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_priv.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_rep.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_req.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_safe.Plo \
- ./$(DEPDIR)/libkrb5_la-n-fold.Plo \
- ./$(DEPDIR)/libkrb5_la-net_read.Plo \
- ./$(DEPDIR)/libkrb5_la-net_write.Plo \
- ./$(DEPDIR)/libkrb5_la-pac.Plo \
- ./$(DEPDIR)/libkrb5_la-padata.Plo \
- ./$(DEPDIR)/libkrb5_la-pcache.Plo \
- ./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo \
- ./$(DEPDIR)/libkrb5_la-pkinit.Plo \
- ./$(DEPDIR)/libkrb5_la-plugin.Plo \
- ./$(DEPDIR)/libkrb5_la-principal.Plo \
- ./$(DEPDIR)/libkrb5_la-prog_setup.Plo \
- ./$(DEPDIR)/libkrb5_la-prompter_posix.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_cred.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_error.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_priv.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_rep.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_req.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_safe.Plo \
- ./$(DEPDIR)/libkrb5_la-read_message.Plo \
- ./$(DEPDIR)/libkrb5_la-recvauth.Plo \
- ./$(DEPDIR)/libkrb5_la-replay.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-des.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-des3.Plo \
- ./$(DEPDIR)/libkrb5_la-salt.Plo \
- ./$(DEPDIR)/libkrb5_la-scache.Plo \
- ./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo \
- ./$(DEPDIR)/libkrb5_la-sendauth.Plo \
- ./$(DEPDIR)/libkrb5_la-set_default_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-sock_principal.Plo \
- ./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo \
- ./$(DEPDIR)/libkrb5_la-store-int.Plo \
- ./$(DEPDIR)/libkrb5_la-store.Plo \
- ./$(DEPDIR)/libkrb5_la-store_emem.Plo \
- ./$(DEPDIR)/libkrb5_la-store_fd.Plo \
- ./$(DEPDIR)/libkrb5_la-store_mem.Plo \
- ./$(DEPDIR)/libkrb5_la-store_sock.Plo \
- ./$(DEPDIR)/libkrb5_la-ticket.Plo \
- ./$(DEPDIR)/libkrb5_la-time.Plo \
- ./$(DEPDIR)/libkrb5_la-transited.Plo \
- ./$(DEPDIR)/libkrb5_la-verify_init.Plo \
- ./$(DEPDIR)/libkrb5_la-verify_user.Plo \
- ./$(DEPDIR)/libkrb5_la-version.Plo \
- ./$(DEPDIR)/libkrb5_la-warn.Plo \
- ./$(DEPDIR)/libkrb5_la-write_message.Plo \
- ./$(DEPDIR)/librfc3961_la-crc.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-algs.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-des.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-des3.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-evp.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-null.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-pk.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-rand.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto.Plo \
- ./$(DEPDIR)/librfc3961_la-data.Plo \
- ./$(DEPDIR)/librfc3961_la-enomem.Plo \
- ./$(DEPDIR)/librfc3961_la-error_string.Plo \
- ./$(DEPDIR)/librfc3961_la-keyblock.Plo \
- ./$(DEPDIR)/librfc3961_la-n-fold.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-des.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-des3.Plo \
- ./$(DEPDIR)/librfc3961_la-salt.Plo \
- ./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo \
- ./$(DEPDIR)/librfc3961_la-store-int.Plo \
- ./$(DEPDIR)/librfc3961_la-warn.Plo ./$(DEPDIR)/n-fold-test.Po \
- ./$(DEPDIR)/parse-name-test.Po \
- ./$(DEPDIR)/pseudo-random-test.Po ./$(DEPDIR)/store-test.Po \
- ./$(DEPDIR)/string-to-key-test.Po ./$(DEPDIR)/test_acl.Po \
- ./$(DEPDIR)/test_addr.Po ./$(DEPDIR)/test_alname.Po \
- ./$(DEPDIR)/test_ap-req.Po ./$(DEPDIR)/test_canon.Po \
- ./$(DEPDIR)/test_cc.Po ./$(DEPDIR)/test_config.Po \
- ./$(DEPDIR)/test_crypto.Po ./$(DEPDIR)/test_crypto_wrapping.Po \
- ./$(DEPDIR)/test_expand_toks.Po ./$(DEPDIR)/test_forward.Po \
- ./$(DEPDIR)/test_fx.Po ./$(DEPDIR)/test_get_addrs.Po \
- ./$(DEPDIR)/test_gic.Po ./$(DEPDIR)/test_hostname.Po \
- ./$(DEPDIR)/test_keytab.Po ./$(DEPDIR)/test_kuserok.Po \
- ./$(DEPDIR)/test_mem.Po ./$(DEPDIR)/test_pac.Po \
- ./$(DEPDIR)/test_pkinit_dh2key.Po \
- ./$(DEPDIR)/test_pknistkdf.Po ./$(DEPDIR)/test_plugin.Po \
- ./$(DEPDIR)/test_prf.Po ./$(DEPDIR)/test_princ.Po \
- ./$(DEPDIR)/test_renew.Po ./$(DEPDIR)/test_rfc3961.Po \
- ./$(DEPDIR)/test_set_kvno0.Po ./$(DEPDIR)/test_store.Po \
- ./$(DEPDIR)/test_time.Po ./$(DEPDIR)/test_x500.Po \
- ./$(DEPDIR)/verify_krb5_conf.Po
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
- $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
- $(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo " CC " $@;
-am__v_CC_1 =
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo " CCLD " $@;
-am__v_CCLD_1 =
-SOURCES = $(dist_libkrb5_la_SOURCES) $(nodist_libkrb5_la_SOURCES) \
- $(librfc3961_la_SOURCES) aes-test.c derived-key-test.c \
- krbhst-test.c n-fold-test.c parse-name-test.c \
- pseudo-random-test.c store-test.c string-to-key-test.c \
- test_acl.c test_addr.c test_alname.c test_ap-req.c \
- test_canon.c test_cc.c test_config.c test_crypto.c \
- test_crypto_wrapping.c test_expand_toks.c test_forward.c \
- test_fx.c test_get_addrs.c test_gic.c test_hostname.c \
- test_keytab.c test_kuserok.c test_mem.c test_pac.c \
- test_pkinit_dh2key.c test_pknistkdf.c test_plugin.c test_prf.c \
- test_princ.c test_renew.c test_rfc3961.c test_set_kvno0.c \
- test_store.c test_time.c test_x500.c verify_krb5_conf.c
-DIST_SOURCES = $(dist_libkrb5_la_SOURCES) $(librfc3961_la_SOURCES) \
- aes-test.c derived-key-test.c krbhst-test.c n-fold-test.c \
- parse-name-test.c pseudo-random-test.c store-test.c \
- string-to-key-test.c test_acl.c test_addr.c test_alname.c \
- test_ap-req.c test_canon.c test_cc.c test_config.c \
- test_crypto.c test_crypto_wrapping.c test_expand_toks.c \
- test_forward.c test_fx.c test_get_addrs.c test_gic.c \
- test_hostname.c test_keytab.c test_kuserok.c test_mem.c \
- test_pac.c test_pkinit_dh2key.c test_pknistkdf.c test_plugin.c \
- test_prf.c test_princ.c test_renew.c test_rfc3961.c \
- test_set_kvno0.c test_store.c test_time.c test_x500.c \
- verify_krb5_conf.c
-am__can_run_installinfo = \
- case $$AM_UPDATE_INFO_DIR in \
- n|no|NO) false;; \
- *) (install-info --version) >/dev/null 2>&1;; \
- esac
-man3dir = $(mandir)/man3
-man5dir = $(mandir)/man5
-man7dir = $(mandir)/man7
-man8dir = $(mandir)/man8
-MANS = $(man_MANS)
-HEADERS = $(dist_include_HEADERS) $(krb5_HEADERS) \
- $(nodist_include_HEADERS) $(noinst_HEADERS)
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates. Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
- BEGIN { nonempty = 0; } \
- { items[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique. This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
- list='$(am__tagged_files)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | $(am__uniquify_input)`
-am__tty_colors_dummy = \
- mgn= red= grn= lgn= blu= brg= std=; \
- am__color_tests=no
-am__tty_colors = { \
- $(am__tty_colors_dummy); \
- if test "X$(AM_COLOR_TESTS)" = Xno; then \
- am__color_tests=no; \
- elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
- am__color_tests=yes; \
- elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
- am__color_tests=yes; \
- fi; \
- if test $$am__color_tests = yes; then \
- red=''; \
- grn=''; \
- lgn=''; \
- blu=''; \
- mgn=''; \
- brg=''; \
- std=''; \
- fi; \
-}
-am__recheck_rx = ^[ ]*:recheck:[ ]*
-am__global_test_result_rx = ^[ ]*:global-test-result:[ ]*
-am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]*
-# A command that, given a newline-separated list of test names on the
-# standard input, print the name of the tests that are to be re-run
-# upon "make recheck".
-am__list_recheck_tests = $(AWK) '{ \
- recheck = 1; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- { \
- if ((getline line2 < ($$0 ".log")) < 0) \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
- { \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
- { \
- break; \
- } \
- }; \
- if (recheck) \
- print $$0; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# A command that, given a newline-separated list of test names on the
-# standard input, create the global log from their .trs and .log files.
-am__create_global_log = $(AWK) ' \
-function fatal(msg) \
-{ \
- print "fatal: making $@: " msg | "cat >&2"; \
- exit 1; \
-} \
-function rst_section(header) \
-{ \
- print header; \
- len = length(header); \
- for (i = 1; i <= len; i = i + 1) \
- printf "="; \
- printf "\n\n"; \
-} \
-{ \
- copy_in_global_log = 1; \
- global_test_result = "RUN"; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".trs"); \
- if (line ~ /$(am__global_test_result_rx)/) \
- { \
- sub("$(am__global_test_result_rx)", "", line); \
- sub("[ ]*$$", "", line); \
- global_test_result = line; \
- } \
- else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
- copy_in_global_log = 0; \
- }; \
- if (copy_in_global_log) \
- { \
- rst_section(global_test_result ": " $$0); \
- while ((rc = (getline line < ($$0 ".log"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".log"); \
- print line; \
- }; \
- printf "\n"; \
- }; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# Restructured Text title.
-am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
-# Solaris 10 'make', and several other traditional 'make' implementations,
-# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it
-# by disabling -e (using the XSI extension "set +e") if it's set.
-am__sh_e_setup = case $$- in *e*) set +e;; esac
-# Default flags passed to test drivers.
-am__common_driver_flags = \
- --color-tests "$$am__color_tests" \
- --enable-hard-errors "$$am__enable_hard_errors" \
- --expect-failure "$$am__expect_failure"
-# To be inserted before the command running the test. Creates the
-# directory for the log if needed. Stores in $dir the directory
-# containing $f, in $tst the test, in $log the log. Executes the
-# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
-# passes TESTS_ENVIRONMENT. Set up options for the wrapper that
-# will run the test scripts (or their associated LOG_COMPILER, if
-# thy have one).
-am__check_pre = \
-$(am__sh_e_setup); \
-$(am__vpath_adj_setup) $(am__vpath_adj) \
-$(am__tty_colors); \
-srcdir=$(srcdir); export srcdir; \
-case "$@" in \
- */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \
- *) am__odir=.;; \
-esac; \
-test "x$$am__odir" = x"." || test -d "$$am__odir" \
- || $(MKDIR_P) "$$am__odir" || exit $$?; \
-if test -f "./$$f"; then dir=./; \
-elif test -f "$$f"; then dir=; \
-else dir="$(srcdir)/"; fi; \
-tst=$$dir$$f; log='$@'; \
-if test -n '$(DISABLE_HARD_ERRORS)'; then \
- am__enable_hard_errors=no; \
-else \
- am__enable_hard_errors=yes; \
-fi; \
-case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \
- am__expect_failure=yes;; \
- *) \
- am__expect_failure=no;; \
-esac; \
-$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
-# A shell command to get the names of the tests scripts with any registered
-# extension removed (i.e., equivalently, the names of the test logs, with
-# the '.log' extension removed). The result is saved in the shell variable
-# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly,
-# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
-# since that might cause problem with VPATH rewrites for suffix-less tests.
-# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
-am__set_TESTS_bases = \
- bases='$(TEST_LOGS)'; \
- bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
- bases=`echo $$bases`
-AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
-RECHECK_LOGS = $(TEST_LOGS)
-AM_RECURSIVE_TARGETS = check recheck
-TEST_SUITE_LOG = test-suite.log
-TEST_EXTENSIONS = @EXEEXT@ .test
-LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
-am__set_b = \
- case '$@' in \
- */*) \
- case '$*' in \
- */*) b='$*';; \
- *) b=`echo '$@' | sed 's/\.log$$//'`; \
- esac;; \
- *) \
- b='$*';; \
- esac
-am__test_logs1 = $(TESTS:=.log)
-am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
-TEST_LOGS = $(am__test_logs2:.test.log=.log)
-TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
- $(TEST_LOG_FLAGS)
-am__DIST_COMMON = $(srcdir)/Makefile.in \
- $(top_srcdir)/Makefile.am.common \
- $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/depcomp \
- $(top_srcdir)/test-driver
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-AS = @AS@
-ASN1_COMPILE = @ASN1_COMPILE@
-ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CANONICAL_HOST = @CANONICAL_HOST@
-CAPNG_CFLAGS = @CAPNG_CFLAGS@
-CAPNG_LIBS = @CAPNG_LIBS@
-CATMAN = @CATMAN@
-CATMANEXT = @CATMANEXT@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLANG_FORMAT = @CLANG_FORMAT@
-COMPILE_ET = @COMPILE_ET@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CSCOPE = @CSCOPE@
-CTAGS = @CTAGS@
-CYGPATH_W = @CYGPATH_W@
-DB1LIB = @DB1LIB@
-DB3LIB = @DB3LIB@
-DBHEADER = @DBHEADER@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DIR_com_err = @DIR_com_err@
-DIR_hdbdir = @DIR_hdbdir@
-DIR_roken = @DIR_roken@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-ENABLE_AFS_STRING_TO_KEY = @ENABLE_AFS_STRING_TO_KEY@
-ETAGS = @ETAGS@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-FILECMD = @FILECMD@
-GCD_MIG = @GCD_MIG@
-GREP = @GREP@
-GROFF = @GROFF@
-INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_libedit = @INCLUDE_libedit@
-INCLUDE_libintl = @INCLUDE_libintl@
-INCLUDE_openldap = @INCLUDE_openldap@
-INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@
-INCLUDE_readline = @INCLUDE_readline@
-INCLUDE_sqlite3 = @INCLUDE_sqlite3@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBADD_roken = @LIBADD_roken@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
-LIB_bswap16 = @LIB_bswap16@
-LIB_bswap32 = @LIB_bswap32@
-LIB_bswap64 = @LIB_bswap64@
-LIB_com_err = @LIB_com_err@
-LIB_com_err_a = @LIB_com_err_a@
-LIB_com_err_so = @LIB_com_err_so@
-LIB_crypt = @LIB_crypt@
-LIB_db_create = @LIB_db_create@
-LIB_dbm_firstkey = @LIB_dbm_firstkey@
-LIB_dbopen = @LIB_dbopen@
-LIB_dispatch_async_f = @LIB_dispatch_async_f@
-LIB_dladdr = @LIB_dladdr@
-LIB_dlopen = @LIB_dlopen@
-LIB_dn_expand = @LIB_dn_expand@
-LIB_dns_search = @LIB_dns_search@
-LIB_door_create = @LIB_door_create@
-LIB_freeaddrinfo = @LIB_freeaddrinfo@
-LIB_gai_strerror = @LIB_gai_strerror@
-LIB_getaddrinfo = @LIB_getaddrinfo@
-LIB_gethostbyname = @LIB_gethostbyname@
-LIB_gethostbyname2 = @LIB_gethostbyname2@
-LIB_getnameinfo = @LIB_getnameinfo@
-LIB_getpwnam_r = @LIB_getpwnam_r@
-LIB_getsockopt = @LIB_getsockopt@
-LIB_hcrypto = @LIB_hcrypto@
-LIB_hcrypto_a = @LIB_hcrypto_a@
-LIB_hcrypto_appl = @LIB_hcrypto_appl@
-LIB_hcrypto_so = @LIB_hcrypto_so@
-LIB_hstrerror = @LIB_hstrerror@
-LIB_kdb = @LIB_kdb@
-LIB_libedit = @LIB_libedit@
-LIB_libintl = @LIB_libintl@
-LIB_loadquery = @LIB_loadquery@
-LIB_logout = @LIB_logout@
-LIB_logwtmp = @LIB_logwtmp@
-LIB_openldap = @LIB_openldap@
-LIB_openpty = @LIB_openpty@
-LIB_openssl_crypto = @LIB_openssl_crypto@
-LIB_otp = @LIB_otp@
-LIB_pidfile = @LIB_pidfile@
-LIB_readline = @LIB_readline@
-LIB_res_ndestroy = @LIB_res_ndestroy@
-LIB_res_nsearch = @LIB_res_nsearch@
-LIB_res_search = @LIB_res_search@
-LIB_roken = @LIB_roken@
-LIB_security = @LIB_security@
-LIB_setsockopt = @LIB_setsockopt@
-LIB_socket = @LIB_socket@
-LIB_sqlite3 = @LIB_sqlite3@
-LIB_syslog = @LIB_syslog@
-LIB_tgetent = @LIB_tgetent@
-LIPO = @LIPO@
-LMDBLIB = @LMDBLIB@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-MAINT = @MAINT@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-NDBMLIB = @NDBMLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-NO_AFS = @NO_AFS@
-NROFF = @NROFF@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
-PTHREAD_LDADD = @PTHREAD_LDADD@
-PTHREAD_LIBADD = @PTHREAD_LIBADD@
-PYTHON = @PYTHON@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-RANLIB = @RANLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SLC = @SLC@
-SLC_DEP = @SLC_DEP@
-STRIP = @STRIP@
-VERSION = @VERSION@
-VERSIONING = @VERSIONING@
-WFLAGS = @WFLAGS@
-WFLAGS_LITE = @WFLAGS_LITE@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-db_type = @db_type@
-db_type_preference = @db_type_preference@
-docdir = @docdir@
-dpagaix_cflags = @dpagaix_cflags@
-dpagaix_ldadd = @dpagaix_ldadd@
-dpagaix_ldflags = @dpagaix_ldflags@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-runstatedir = @runstatedir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-subdirs = @subdirs@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 \
- .cat5 .cat7 .cat8
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
-AM_CPPFLAGS = $(INCLUDES_roken) -I../com_err -I$(srcdir)/../com_err \
- $(INCLUDE_sqlite3) $(INCLUDE_libintl) \
- $(INCLUDE_openssl_crypto)
-@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
-AM_CFLAGS = $(WFLAGS)
-CP = cp
-buildinclude = $(top_builddir)/include
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_el_init = @LIB_el_init@
-LIB_getattr = @LIB_getattr@
-LIB_getpwent_r = @LIB_getpwent_r@
-LIB_odm_initialize = @LIB_odm_initialize@
-LIB_setpcred = @LIB_setpcred@
-INCLUDE_krb4 = @INCLUDE_krb4@
-LIB_krb4 = @LIB_krb4@
-libexec_heimdaldir = $(libexecdir)/heimdal
-NROFF_MAN = groff -mandoc -Tascii
-@NO_AFS_FALSE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
-@NO_AFS_TRUE@LIB_kafs =
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la
-@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-
-#silent-rules
-heim_verbose = $(heim_verbose_$(V))
-heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY))
-heim_verbose_0 = @echo " GEN "$@;
-noinst_LTLIBRARIES = \
- librfc3961.la
-
-check_DATA = test_config_strings.out
-LDADD = libkrb5.la \
- $(LIB_hcrypto) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(LIB_heimbase) $(LIB_roken)
-
-@PKINIT_TRUE@LIB_pkinit = ../hx509/libhx509.la
-@have_scc_TRUE@use_sqlite = $(LIB_sqlite3)
-libkrb5_la_LIBADD = \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/ipc/libheim-ipcc.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(top_builddir)/lib/base/libheimbase.la \
- $(LIB_pkinit) \
- $(LIB_openssl_crypto) \
- $(use_sqlite) \
- $(LIB_com_err) \
- $(LIB_hcrypto) \
- $(LIB_libintl) \
- $(LIBADD_roken) \
- $(PTHREAD_LIBADD) \
- $(LIB_door_create) \
- $(LIB_dlopen)
-
-librfc3961_la_LIBADD = \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/ipc/libheim-ipcc.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(LIB_pkinit) \
- $(use_sqlite) \
- $(LIB_com_err) \
- $(LIB_hcrypto) \
- $(LIB_libintl) \
- $(LIBADD_roken) \
- $(PTHREAD_LIBADD) \
- $(LIB_door_create) \
- $(LIB_dlopen)
-
-lib_LTLIBRARIES = libkrb5.la
-ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
-libkrb5_la_CPPFLAGS = \
- -DBUILD_KRB5_LIB \
- $(AM_CPPFLAGS) \
- -DHEIMDAL_LOCALEDIR='"$(localedir)"'
-
-librfc3961_la_CPPFLAGS = \
- -DBUILD_KRB5_LIB \
- $(AM_CPPFLAGS) \
- -DHEIMDAL_LOCALEDIR='"$(localedir)"'
-
-dist_libkrb5_la_SOURCES = \
- acache.c \
- acl.c \
- add_et_list.c \
- addr_families.c \
- an2ln_plugin.h \
- aname_to_localname.c \
- appdefault.c \
- asn1_glue.c \
- auth_context.c \
- build_ap_req.c \
- build_auth.c \
- cache.c \
- changepw.c \
- codec.c \
- config_file.c \
- convert_creds.c \
- constants.c \
- context.c \
- copy_host_realm.c \
- crc.c \
- creds.c \
- crypto.c \
- crypto.h \
- crypto-aes-sha1.c \
- crypto-aes-sha2.c \
- crypto-algs.c \
- crypto-arcfour.c \
- crypto-des.c \
- crypto-des-common.c \
- crypto-des3.c \
- crypto-evp.c \
- crypto-null.c \
- crypto-pk.c \
- crypto-rand.c \
- doxygen.c \
- data.c \
- db_plugin.c \
- db_plugin.h \
- dcache.c \
- deprecated.c \
- digest.c \
- eai_to_heim_errno.c \
- enomem.c \
- error_string.c \
- expand_hostname.c \
- expand_path.c \
- fast.c \
- fcache.c \
- free.c \
- free_host_realm.c \
- generate_seq_number.c \
- generate_subkey.c \
- get_addrs.c \
- get_cred.c \
- get_default_principal.c \
- get_default_realm.c \
- get_for_creds.c \
- get_host_realm.c \
- get_in_tkt.c \
- get_port.c \
- init_creds.c \
- init_creds_pw.c \
- kcm.c \
- kcm.h \
- keyblock.c \
- keytab.c \
- keytab_any.c \
- keytab_file.c \
- keytab_keyfile.c \
- keytab_memory.c \
- krb5_locl.h \
- krb5-v4compat.h \
- krbhst.c \
- kuserok.c \
- kuserok_plugin.h \
- log.c \
- mcache.c \
- misc.c \
- mk_error.c \
- mk_priv.c \
- mk_rep.c \
- mk_req.c \
- mk_req_ext.c \
- mk_safe.c \
- mit_glue.c \
- net_read.c \
- net_write.c \
- n-fold.c \
- pac.c \
- padata.c \
- pcache.c \
- pkinit.c \
- pkinit-ec.c \
- principal.c \
- prog_setup.c \
- prompter_posix.c \
- rd_cred.c \
- rd_error.c \
- rd_priv.c \
- rd_rep.c \
- rd_req.c \
- rd_safe.c \
- read_message.c \
- recvauth.c \
- replay.c \
- salt.c \
- salt-aes-sha1.c \
- salt-aes-sha2.c \
- salt-arcfour.c \
- salt-des.c \
- salt-des3.c \
- sp800-108-kdf.c \
- scache.c \
- send_to_kdc.c \
- sendauth.c \
- set_default_realm.c \
- sock_principal.c \
- store.c \
- store-int.c \
- store-int.h \
- store_emem.c \
- store_fd.c \
- store_mem.c \
- store_sock.c \
- plugin.c \
- ticket.c \
- time.c \
- transited.c \
- verify_init.c \
- verify_user.c \
- version.c \
- warn.c \
- write_message.c
-
-nodist_libkrb5_la_SOURCES = \
- $(ERR_FILES)
-
-libkrb5_la_DEPENDENCIES = \
- version-script.map
-
-libkrb5_la_LDFLAGS = -version-info 26:0:0 $(am__append_1)
-ALL_OBJECTS = $(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS) \
- $(librfc3961_la_OBJECTS) $(librfc3961_la_OBJECTS) \
- $(krbhst_test_OBJECTS) $(test_alname_OBJECTS) \
- $(test_crypto_OBJECTS) $(test_forward_OBJECTS) \
- $(test_get_addrs_OBJECTS) $(test_gic_OBJECTS) \
- $(test_kuserok_OBJECTS) $(test_renew_OBJECTS) \
- $(test_rfc3961_OBJECTS)
-librfc3961_la_SOURCES = \
- crc.c \
- crypto.c \
- crypto.h \
- crypto-aes-sha1.c \
- crypto-aes-sha2.c \
- crypto-algs.c \
- crypto-arcfour.c \
- crypto-des.c \
- crypto-des-common.c \
- crypto-des3.c \
- crypto-evp.c \
- crypto-null.c \
- crypto-pk.c \
- crypto-rand.c \
- crypto-stubs.c \
- data.c \
- enomem.c \
- error_string.c \
- keyblock.c \
- n-fold.c \
- salt.c \
- salt-aes-sha1.c \
- salt-aes-sha2.c \
- salt-arcfour.c \
- salt-des.c \
- salt-des3.c \
- sp800-108-kdf.c \
- store-int.c \
- warn.c
-
-test_rfc3961_LDADD = \
- librfc3961.la \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(LIB_hcrypto) \
- $(LIB_roken)
-
-@DEVELOPER_MODE_TRUE@headerdeps = $(dist_libkrb5_la_SOURCES)
-man_MANS = \
- kerberos.8 \
- krb5.conf.5 \
- krb5-plugin.7 \
- krb524_convert_creds_kdc.3 \
- krb5_425_conv_principal.3 \
- krb5_acl_match_file.3 \
- krb5_aname_to_localname.3 \
- krb5_appdefault.3 \
- krb5_auth_context.3 \
- krb5_c_make_checksum.3 \
- krb5_check_transited.3 \
- krb5_create_checksum.3 \
- krb5_creds.3 \
- krb5_digest.3 \
- krb5_eai_to_heim_errno.3 \
- krb5_encrypt.3 \
- krb5_find_padata.3 \
- krb5_generate_random_block.3 \
- krb5_get_all_client_addrs.3 \
- krb5_get_credentials.3 \
- krb5_get_creds.3 \
- krb5_get_forwarded_creds.3 \
- krb5_get_in_cred.3 \
- krb5_get_init_creds.3 \
- krb5_get_krbhst.3 \
- krb5_getportbyname.3 \
- krb5_init_context.3 \
- krb5_is_thread_safe.3 \
- krb5_krbhst_init.3 \
- krb5_mk_req.3 \
- krb5_mk_safe.3 \
- krb5_openlog.3 \
- krb5_parse_name.3 \
- krb5_principal.3 \
- krb5_rcache.3 \
- krb5_rd_error.3 \
- krb5_rd_safe.3 \
- krb5_set_default_realm.3 \
- krb5_set_password.3 \
- krb5_string_to_key.3 \
- krb5_timeofday.3 \
- krb5_verify_init_creds.3 \
- krb5_verify_user.3 \
- verify_krb5_conf.8
-
-dist_include_HEADERS = \
- krb5.h \
- $(srcdir)/krb5-protos.h \
- krb5_ccapi.h
-
-noinst_HEADERS = $(srcdir)/krb5-private.h
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
-
-# XXX use nobase_include_HEADERS = krb5/locate_plugin.h
-krb5dir = $(includedir)/krb5
-krb5_HEADERS = locate_plugin.h send_to_kdc_plugin.h ccache_plugin.h an2ln_plugin.h db_plugin.h
-build_HEADERZ = \
- $(krb5_HEADERS) \
- krb_err.h
-
-CLEANFILES = \
- test_config_strings.out \
- test-store-data \
- krb5_err.c krb5_err.h \
- krb_err.c krb_err.h \
- heim_err.c heim_err.h \
- k524_err.c k524_err.h
-
-EXTRA_DIST = \
- NTMakefile \
- config_reg.c \
- dll.c \
- libkrb5-exports.def.in \
- verify_krb5_conf-version.rc \
- krb5_err.et \
- krb_err.et \
- heim_err.et \
- k524_err.et \
- $(man_MANS) \
- version-script.map \
- test_config_strings.cfg \
- krb5.moduli
-
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 .c .lo .log .o .obj .test .test$(EXEEXT) .trs
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
- @for dep in $?; do \
- case '$(am__configure_deps)' in \
- *$$dep*) \
- ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
- && { if test -f $@; then exit 0; else break; fi; }; \
- exit 1;; \
- esac; \
- done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/krb5/Makefile'; \
- $(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --foreign lib/krb5/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- @case '$?' in \
- *config.status*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
- *) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
- esac;
-$(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__empty):
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-binPROGRAMS: $(bin_PROGRAMS)
- @$(NORMAL_INSTALL)
- @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
- fi; \
- for p in $$list; do echo "$$p $$p"; done | \
- sed 's/$(EXEEXT)$$//' | \
- while read p p1; do if test -f $$p \
- || test -f $$p1 \
- ; then echo "$$p"; echo "$$p"; else :; fi; \
- done | \
- sed -e 'p;s,.*/,,;n;h' \
- -e 's|.*|.|' \
- -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
- sed 'N;N;N;s,\n, ,g' | \
- $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
- { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
- if ($$2 == $$4) files[d] = files[d] " " $$1; \
- else { print "f", $$3 "/" $$4, $$1; } } \
- END { for (d in files) print "f", d, files[d] }' | \
- while read type dir files; do \
- if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
- test -z "$$files" || { \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
- } \
- ; done
-
-uninstall-binPROGRAMS:
- @$(NORMAL_UNINSTALL)
- @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
- files=`for p in $$list; do echo "$$p"; done | \
- sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
- -e 's/$$/$(EXEEXT)/' \
- `; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(bindir)" && rm -f $$files
-
-clean-binPROGRAMS:
- @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-clean-checkPROGRAMS:
- @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-clean-noinstPROGRAMS:
- @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-install-libLTLIBRARIES: $(lib_LTLIBRARIES)
- @$(NORMAL_INSTALL)
- @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
- list2=; for p in $$list; do \
- if test -f $$p; then \
- list2="$$list2 $$p"; \
- else :; fi; \
- done; \
- test -z "$$list2" || { \
- echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
- }
-
-uninstall-libLTLIBRARIES:
- @$(NORMAL_UNINSTALL)
- @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
- for p in $$list; do \
- $(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
- done
-
-clean-libLTLIBRARIES:
- -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
- @list='$(lib_LTLIBRARIES)'; \
- locs=`for p in $$list; do echo $$p; done | \
- sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
- sort -u`; \
- test -z "$$locs" || { \
- echo rm -f $${locs}; \
- rm -f $${locs}; \
- }
-
-clean-noinstLTLIBRARIES:
- -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
- @list='$(noinst_LTLIBRARIES)'; \
- locs=`for p in $$list; do echo $$p; done | \
- sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
- sort -u`; \
- test -z "$$locs" || { \
- echo rm -f $${locs}; \
- rm -f $${locs}; \
- }
-
-libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) $(EXTRA_libkrb5_la_DEPENDENCIES)
- $(AM_V_CCLD)$(libkrb5_la_LINK) -rpath $(libdir) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
-
-librfc3961.la: $(librfc3961_la_OBJECTS) $(librfc3961_la_DEPENDENCIES) $(EXTRA_librfc3961_la_DEPENDENCIES)
- $(AM_V_CCLD)$(LINK) $(librfc3961_la_OBJECTS) $(librfc3961_la_LIBADD) $(LIBS)
-
-aes-test$(EXEEXT): $(aes_test_OBJECTS) $(aes_test_DEPENDENCIES) $(EXTRA_aes_test_DEPENDENCIES)
- @rm -f aes-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS)
-
-derived-key-test$(EXEEXT): $(derived_key_test_OBJECTS) $(derived_key_test_DEPENDENCIES) $(EXTRA_derived_key_test_DEPENDENCIES)
- @rm -f derived-key-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS)
-
-krbhst-test$(EXEEXT): $(krbhst_test_OBJECTS) $(krbhst_test_DEPENDENCIES) $(EXTRA_krbhst_test_DEPENDENCIES)
- @rm -f krbhst-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(krbhst_test_OBJECTS) $(krbhst_test_LDADD) $(LIBS)
-
-n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES) $(EXTRA_n_fold_test_DEPENDENCIES)
- @rm -f n-fold-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS)
-
-parse-name-test$(EXEEXT): $(parse_name_test_OBJECTS) $(parse_name_test_DEPENDENCIES) $(EXTRA_parse_name_test_DEPENDENCIES)
- @rm -f parse-name-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS)
-
-pseudo-random-test$(EXEEXT): $(pseudo_random_test_OBJECTS) $(pseudo_random_test_DEPENDENCIES) $(EXTRA_pseudo_random_test_DEPENDENCIES)
- @rm -f pseudo-random-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(pseudo_random_test_OBJECTS) $(pseudo_random_test_LDADD) $(LIBS)
-
-store-test$(EXEEXT): $(store_test_OBJECTS) $(store_test_DEPENDENCIES) $(EXTRA_store_test_DEPENDENCIES)
- @rm -f store-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS)
-
-string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_DEPENDENCIES) $(EXTRA_string_to_key_test_DEPENDENCIES)
- @rm -f string-to-key-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS)
-
-test_acl$(EXEEXT): $(test_acl_OBJECTS) $(test_acl_DEPENDENCIES) $(EXTRA_test_acl_DEPENDENCIES)
- @rm -f test_acl$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_acl_OBJECTS) $(test_acl_LDADD) $(LIBS)
-
-test_addr$(EXEEXT): $(test_addr_OBJECTS) $(test_addr_DEPENDENCIES) $(EXTRA_test_addr_DEPENDENCIES)
- @rm -f test_addr$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_addr_OBJECTS) $(test_addr_LDADD) $(LIBS)
-
-test_alname$(EXEEXT): $(test_alname_OBJECTS) $(test_alname_DEPENDENCIES) $(EXTRA_test_alname_DEPENDENCIES)
- @rm -f test_alname$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_alname_OBJECTS) $(test_alname_LDADD) $(LIBS)
-
-test_ap-req$(EXEEXT): $(test_ap_req_OBJECTS) $(test_ap_req_DEPENDENCIES) $(EXTRA_test_ap_req_DEPENDENCIES)
- @rm -f test_ap-req$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_ap_req_OBJECTS) $(test_ap_req_LDADD) $(LIBS)
-
-test_canon$(EXEEXT): $(test_canon_OBJECTS) $(test_canon_DEPENDENCIES) $(EXTRA_test_canon_DEPENDENCIES)
- @rm -f test_canon$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_canon_OBJECTS) $(test_canon_LDADD) $(LIBS)
-
-test_cc$(EXEEXT): $(test_cc_OBJECTS) $(test_cc_DEPENDENCIES) $(EXTRA_test_cc_DEPENDENCIES)
- @rm -f test_cc$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_cc_OBJECTS) $(test_cc_LDADD) $(LIBS)
-
-test_config$(EXEEXT): $(test_config_OBJECTS) $(test_config_DEPENDENCIES) $(EXTRA_test_config_DEPENDENCIES)
- @rm -f test_config$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_config_OBJECTS) $(test_config_LDADD) $(LIBS)
-
-test_crypto$(EXEEXT): $(test_crypto_OBJECTS) $(test_crypto_DEPENDENCIES) $(EXTRA_test_crypto_DEPENDENCIES)
- @rm -f test_crypto$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_crypto_OBJECTS) $(test_crypto_LDADD) $(LIBS)
-
-test_crypto_wrapping$(EXEEXT): $(test_crypto_wrapping_OBJECTS) $(test_crypto_wrapping_DEPENDENCIES) $(EXTRA_test_crypto_wrapping_DEPENDENCIES)
- @rm -f test_crypto_wrapping$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_crypto_wrapping_OBJECTS) $(test_crypto_wrapping_LDADD) $(LIBS)
-
-test_expand_toks$(EXEEXT): $(test_expand_toks_OBJECTS) $(test_expand_toks_DEPENDENCIES) $(EXTRA_test_expand_toks_DEPENDENCIES)
- @rm -f test_expand_toks$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_expand_toks_OBJECTS) $(test_expand_toks_LDADD) $(LIBS)
-
-test_forward$(EXEEXT): $(test_forward_OBJECTS) $(test_forward_DEPENDENCIES) $(EXTRA_test_forward_DEPENDENCIES)
- @rm -f test_forward$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_forward_OBJECTS) $(test_forward_LDADD) $(LIBS)
-
-test_fx$(EXEEXT): $(test_fx_OBJECTS) $(test_fx_DEPENDENCIES) $(EXTRA_test_fx_DEPENDENCIES)
- @rm -f test_fx$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_fx_OBJECTS) $(test_fx_LDADD) $(LIBS)
-
-test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES) $(EXTRA_test_get_addrs_DEPENDENCIES)
- @rm -f test_get_addrs$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS)
-
-test_gic$(EXEEXT): $(test_gic_OBJECTS) $(test_gic_DEPENDENCIES) $(EXTRA_test_gic_DEPENDENCIES)
- @rm -f test_gic$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_gic_OBJECTS) $(test_gic_LDADD) $(LIBS)
-
-test_hostname$(EXEEXT): $(test_hostname_OBJECTS) $(test_hostname_DEPENDENCIES) $(EXTRA_test_hostname_DEPENDENCIES)
- @rm -f test_hostname$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_hostname_OBJECTS) $(test_hostname_LDADD) $(LIBS)
-
-test_keytab$(EXEEXT): $(test_keytab_OBJECTS) $(test_keytab_DEPENDENCIES) $(EXTRA_test_keytab_DEPENDENCIES)
- @rm -f test_keytab$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_keytab_OBJECTS) $(test_keytab_LDADD) $(LIBS)
-
-test_kuserok$(EXEEXT): $(test_kuserok_OBJECTS) $(test_kuserok_DEPENDENCIES) $(EXTRA_test_kuserok_DEPENDENCIES)
- @rm -f test_kuserok$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_kuserok_OBJECTS) $(test_kuserok_LDADD) $(LIBS)
-
-test_mem$(EXEEXT): $(test_mem_OBJECTS) $(test_mem_DEPENDENCIES) $(EXTRA_test_mem_DEPENDENCIES)
- @rm -f test_mem$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_mem_OBJECTS) $(test_mem_LDADD) $(LIBS)
-
-test_pac$(EXEEXT): $(test_pac_OBJECTS) $(test_pac_DEPENDENCIES) $(EXTRA_test_pac_DEPENDENCIES)
- @rm -f test_pac$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_pac_OBJECTS) $(test_pac_LDADD) $(LIBS)
-
-test_pkinit_dh2key$(EXEEXT): $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_DEPENDENCIES) $(EXTRA_test_pkinit_dh2key_DEPENDENCIES)
- @rm -f test_pkinit_dh2key$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_LDADD) $(LIBS)
-
-test_pknistkdf$(EXEEXT): $(test_pknistkdf_OBJECTS) $(test_pknistkdf_DEPENDENCIES) $(EXTRA_test_pknistkdf_DEPENDENCIES)
- @rm -f test_pknistkdf$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_pknistkdf_OBJECTS) $(test_pknistkdf_LDADD) $(LIBS)
-
-test_plugin$(EXEEXT): $(test_plugin_OBJECTS) $(test_plugin_DEPENDENCIES) $(EXTRA_test_plugin_DEPENDENCIES)
- @rm -f test_plugin$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_plugin_OBJECTS) $(test_plugin_LDADD) $(LIBS)
-
-test_prf$(EXEEXT): $(test_prf_OBJECTS) $(test_prf_DEPENDENCIES) $(EXTRA_test_prf_DEPENDENCIES)
- @rm -f test_prf$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_prf_OBJECTS) $(test_prf_LDADD) $(LIBS)
-
-test_princ$(EXEEXT): $(test_princ_OBJECTS) $(test_princ_DEPENDENCIES) $(EXTRA_test_princ_DEPENDENCIES)
- @rm -f test_princ$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_princ_OBJECTS) $(test_princ_LDADD) $(LIBS)
-
-test_renew$(EXEEXT): $(test_renew_OBJECTS) $(test_renew_DEPENDENCIES) $(EXTRA_test_renew_DEPENDENCIES)
- @rm -f test_renew$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_renew_OBJECTS) $(test_renew_LDADD) $(LIBS)
-
-test_rfc3961$(EXEEXT): $(test_rfc3961_OBJECTS) $(test_rfc3961_DEPENDENCIES) $(EXTRA_test_rfc3961_DEPENDENCIES)
- @rm -f test_rfc3961$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_rfc3961_OBJECTS) $(test_rfc3961_LDADD) $(LIBS)
-
-test_set_kvno0$(EXEEXT): $(test_set_kvno0_OBJECTS) $(test_set_kvno0_DEPENDENCIES) $(EXTRA_test_set_kvno0_DEPENDENCIES)
- @rm -f test_set_kvno0$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_set_kvno0_OBJECTS) $(test_set_kvno0_LDADD) $(LIBS)
-
-test_store$(EXEEXT): $(test_store_OBJECTS) $(test_store_DEPENDENCIES) $(EXTRA_test_store_DEPENDENCIES)
- @rm -f test_store$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_store_OBJECTS) $(test_store_LDADD) $(LIBS)
-
-test_time$(EXEEXT): $(test_time_OBJECTS) $(test_time_DEPENDENCIES) $(EXTRA_test_time_DEPENDENCIES)
- @rm -f test_time$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_time_OBJECTS) $(test_time_LDADD) $(LIBS)
-
-test_x500$(EXEEXT): $(test_x500_OBJECTS) $(test_x500_DEPENDENCIES) $(EXTRA_test_x500_DEPENDENCIES)
- @rm -f test_x500$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_x500_OBJECTS) $(test_x500_LDADD) $(LIBS)
-
-verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES) $(EXTRA_verify_krb5_conf_DEPENDENCIES)
- @rm -f verify_krb5_conf$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
-
-mostlyclean-compile:
- -rm -f *.$(OBJEXT)
-
-distclean-compile:
- -rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/derived-key-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/krbhst-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acl.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-add_et_list.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-addr_families.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-appdefault.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-asn1_glue.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-auth_context.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_ap_req.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_auth.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-cache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-changepw.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-codec.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-config_file.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-constants.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-context.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-convert_creds.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crc.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-creds.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-algs.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-evp.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-null.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-pk.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-rand.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-data.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-db_plugin.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-dcache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-deprecated.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-digest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-doxygen.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-enomem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-error_string.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_hostname.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_path.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fast.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fcache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free_host_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_subkey.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_addrs.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_cred.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_principal.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_for_creds.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_host_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_port.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-heim_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-k524_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kcm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keyblock.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_any.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_file.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_memory.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb5_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krbhst.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kuserok.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-log.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mcache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-misc.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mit_glue.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_error.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_priv.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_rep.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_safe.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-n-fold.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_read.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_write.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pac.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-padata.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pcache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-plugin.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-principal.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prog_setup.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prompter_posix.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_cred.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_error.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_priv.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_rep.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_req.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_safe.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-read_message.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-recvauth.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-replay.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-scache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sendauth.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-set_default_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sock_principal.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store-int.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_emem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_fd.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_mem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_sock.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-ticket.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-time.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-transited.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_init.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_user.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-version.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-warn.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-write_message.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crc.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-algs.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-evp.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-null.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-pk.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-rand.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-data.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-enomem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-error_string.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-keyblock.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-n-fold.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-store-int.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-warn.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/n-fold-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parse-name-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pseudo-random-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/string-to-key-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_acl.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_addr.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_alname.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_ap-req.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_canon.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cc.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_config.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto_wrapping.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_expand_toks.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_forward.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_fx.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_get_addrs.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_gic.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hostname.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_keytab.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_kuserok.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mem.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pac.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pkinit_dh2key.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pknistkdf.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_plugin.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_prf.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_princ.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_renew.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rfc3961.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_set_kvno0.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_store.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_time.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_x500.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify_krb5_conf.Po@am__quote@ # am--include-marker
-
-$(am__depfiles_remade):
- @$(MKDIR_P) $(@D)
- @echo '# dummy' >$@-t && $(am__mv) $@-t $@
-
-am--depfiles: $(am__depfiles_remade)
-
-.c.o:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-libkrb5_la-acache.lo: acache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-acache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-acache.Tpo -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-acache.Tpo $(DEPDIR)/libkrb5_la-acache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='acache.c' object='libkrb5_la-acache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c
-
-libkrb5_la-acl.lo: acl.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-acl.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-acl.Tpo -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-acl.Tpo $(DEPDIR)/libkrb5_la-acl.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='acl.c' object='libkrb5_la-acl.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c
-
-libkrb5_la-add_et_list.lo: add_et_list.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-add_et_list.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-add_et_list.Tpo -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-add_et_list.Tpo $(DEPDIR)/libkrb5_la-add_et_list.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='add_et_list.c' object='libkrb5_la-add_et_list.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c
-
-libkrb5_la-addr_families.lo: addr_families.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-addr_families.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-addr_families.Tpo -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-addr_families.Tpo $(DEPDIR)/libkrb5_la-addr_families.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='addr_families.c' object='libkrb5_la-addr_families.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c
-
-libkrb5_la-aname_to_localname.lo: aname_to_localname.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-aname_to_localname.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-aname_to_localname.Tpo -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-aname_to_localname.Tpo $(DEPDIR)/libkrb5_la-aname_to_localname.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='aname_to_localname.c' object='libkrb5_la-aname_to_localname.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c
-
-libkrb5_la-appdefault.lo: appdefault.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-appdefault.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-appdefault.Tpo -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-appdefault.Tpo $(DEPDIR)/libkrb5_la-appdefault.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='appdefault.c' object='libkrb5_la-appdefault.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c
-
-libkrb5_la-asn1_glue.lo: asn1_glue.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-asn1_glue.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-asn1_glue.Tpo -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-asn1_glue.Tpo $(DEPDIR)/libkrb5_la-asn1_glue.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='asn1_glue.c' object='libkrb5_la-asn1_glue.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c
-
-libkrb5_la-auth_context.lo: auth_context.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-auth_context.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-auth_context.Tpo -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-auth_context.Tpo $(DEPDIR)/libkrb5_la-auth_context.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='auth_context.c' object='libkrb5_la-auth_context.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c
-
-libkrb5_la-build_ap_req.lo: build_ap_req.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-build_ap_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-build_ap_req.Tpo -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-build_ap_req.Tpo $(DEPDIR)/libkrb5_la-build_ap_req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='build_ap_req.c' object='libkrb5_la-build_ap_req.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c
-
-libkrb5_la-build_auth.lo: build_auth.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-build_auth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-build_auth.Tpo -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-build_auth.Tpo $(DEPDIR)/libkrb5_la-build_auth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='build_auth.c' object='libkrb5_la-build_auth.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c
-
-libkrb5_la-cache.lo: cache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-cache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-cache.Tpo -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-cache.Tpo $(DEPDIR)/libkrb5_la-cache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cache.c' object='libkrb5_la-cache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
-
-libkrb5_la-changepw.lo: changepw.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-changepw.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-changepw.Tpo -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-changepw.Tpo $(DEPDIR)/libkrb5_la-changepw.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='changepw.c' object='libkrb5_la-changepw.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c
-
-libkrb5_la-codec.lo: codec.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-codec.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-codec.Tpo -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-codec.Tpo $(DEPDIR)/libkrb5_la-codec.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='codec.c' object='libkrb5_la-codec.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c
-
-libkrb5_la-config_file.lo: config_file.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-config_file.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-config_file.Tpo -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-config_file.Tpo $(DEPDIR)/libkrb5_la-config_file.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='config_file.c' object='libkrb5_la-config_file.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
-
-libkrb5_la-convert_creds.lo: convert_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-convert_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-convert_creds.Tpo -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-convert_creds.Tpo $(DEPDIR)/libkrb5_la-convert_creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='convert_creds.c' object='libkrb5_la-convert_creds.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c
-
-libkrb5_la-constants.lo: constants.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-constants.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-constants.Tpo -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-constants.Tpo $(DEPDIR)/libkrb5_la-constants.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='constants.c' object='libkrb5_la-constants.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c
-
-libkrb5_la-context.lo: context.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-context.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-context.Tpo -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-context.Tpo $(DEPDIR)/libkrb5_la-context.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='context.c' object='libkrb5_la-context.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c
-
-libkrb5_la-copy_host_realm.lo: copy_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-copy_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-copy_host_realm.Tpo -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-copy_host_realm.Tpo $(DEPDIR)/libkrb5_la-copy_host_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='copy_host_realm.c' object='libkrb5_la-copy_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c
-
-libkrb5_la-crc.lo: crc.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crc.Tpo -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crc.Tpo $(DEPDIR)/libkrb5_la-crc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crc.c' object='libkrb5_la-crc.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
-
-libkrb5_la-creds.lo: creds.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-creds.Tpo -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-creds.Tpo $(DEPDIR)/libkrb5_la-creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='creds.c' object='libkrb5_la-creds.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c
-
-libkrb5_la-crypto.lo: crypto.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto.Tpo -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto.Tpo $(DEPDIR)/libkrb5_la-crypto.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto.c' object='libkrb5_la-crypto.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-
-libkrb5_la-crypto-aes-sha1.lo: crypto-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-aes-sha1.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-aes-sha1.Tpo -c -o libkrb5_la-crypto-aes-sha1.lo `test -f 'crypto-aes-sha1.c' || echo '$(srcdir)/'`crypto-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-aes-sha1.Tpo $(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-aes-sha1.c' object='libkrb5_la-crypto-aes-sha1.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-aes-sha1.lo `test -f 'crypto-aes-sha1.c' || echo '$(srcdir)/'`crypto-aes-sha1.c
-
-libkrb5_la-crypto-aes-sha2.lo: crypto-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-aes-sha2.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-aes-sha2.Tpo -c -o libkrb5_la-crypto-aes-sha2.lo `test -f 'crypto-aes-sha2.c' || echo '$(srcdir)/'`crypto-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-aes-sha2.Tpo $(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-aes-sha2.c' object='libkrb5_la-crypto-aes-sha2.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-aes-sha2.lo `test -f 'crypto-aes-sha2.c' || echo '$(srcdir)/'`crypto-aes-sha2.c
-
-libkrb5_la-crypto-algs.lo: crypto-algs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-algs.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-algs.Tpo -c -o libkrb5_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-algs.Tpo $(DEPDIR)/libkrb5_la-crypto-algs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-algs.c' object='libkrb5_la-crypto-algs.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
-
-libkrb5_la-crypto-arcfour.lo: crypto-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-arcfour.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-arcfour.Tpo -c -o libkrb5_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-arcfour.Tpo $(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-arcfour.c' object='libkrb5_la-crypto-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
-
-libkrb5_la-crypto-des.lo: crypto-des.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des.Tpo -c -o libkrb5_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-des.Tpo $(DEPDIR)/libkrb5_la-crypto-des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des.c' object='libkrb5_la-crypto-des.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
-
-libkrb5_la-crypto-des-common.lo: crypto-des-common.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des-common.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des-common.Tpo -c -o libkrb5_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-des-common.Tpo $(DEPDIR)/libkrb5_la-crypto-des-common.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des-common.c' object='libkrb5_la-crypto-des-common.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
-
-libkrb5_la-crypto-des3.lo: crypto-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des3.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des3.Tpo -c -o libkrb5_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-des3.Tpo $(DEPDIR)/libkrb5_la-crypto-des3.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des3.c' object='libkrb5_la-crypto-des3.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
-
-libkrb5_la-crypto-evp.lo: crypto-evp.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-evp.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-evp.Tpo -c -o libkrb5_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-evp.Tpo $(DEPDIR)/libkrb5_la-crypto-evp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-evp.c' object='libkrb5_la-crypto-evp.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
-
-libkrb5_la-crypto-null.lo: crypto-null.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-null.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-null.Tpo -c -o libkrb5_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-null.Tpo $(DEPDIR)/libkrb5_la-crypto-null.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-null.c' object='libkrb5_la-crypto-null.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
-
-libkrb5_la-crypto-pk.lo: crypto-pk.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-pk.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-pk.Tpo -c -o libkrb5_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-pk.Tpo $(DEPDIR)/libkrb5_la-crypto-pk.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-pk.c' object='libkrb5_la-crypto-pk.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
-
-libkrb5_la-crypto-rand.lo: crypto-rand.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-rand.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-rand.Tpo -c -o libkrb5_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-rand.Tpo $(DEPDIR)/libkrb5_la-crypto-rand.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-rand.c' object='libkrb5_la-crypto-rand.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
-
-libkrb5_la-doxygen.lo: doxygen.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-doxygen.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-doxygen.Tpo -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-doxygen.Tpo $(DEPDIR)/libkrb5_la-doxygen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='doxygen.c' object='libkrb5_la-doxygen.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
-
-libkrb5_la-data.lo: data.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-data.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-data.Tpo -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-data.Tpo $(DEPDIR)/libkrb5_la-data.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='data.c' object='libkrb5_la-data.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
-
-libkrb5_la-db_plugin.lo: db_plugin.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-db_plugin.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-db_plugin.Tpo -c -o libkrb5_la-db_plugin.lo `test -f 'db_plugin.c' || echo '$(srcdir)/'`db_plugin.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-db_plugin.Tpo $(DEPDIR)/libkrb5_la-db_plugin.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='db_plugin.c' object='libkrb5_la-db_plugin.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-db_plugin.lo `test -f 'db_plugin.c' || echo '$(srcdir)/'`db_plugin.c
-
-libkrb5_la-dcache.lo: dcache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-dcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-dcache.Tpo -c -o libkrb5_la-dcache.lo `test -f 'dcache.c' || echo '$(srcdir)/'`dcache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-dcache.Tpo $(DEPDIR)/libkrb5_la-dcache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='dcache.c' object='libkrb5_la-dcache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-dcache.lo `test -f 'dcache.c' || echo '$(srcdir)/'`dcache.c
-
-libkrb5_la-deprecated.lo: deprecated.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-deprecated.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-deprecated.Tpo -c -o libkrb5_la-deprecated.lo `test -f 'deprecated.c' || echo '$(srcdir)/'`deprecated.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-deprecated.Tpo $(DEPDIR)/libkrb5_la-deprecated.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='deprecated.c' object='libkrb5_la-deprecated.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-deprecated.lo `test -f 'deprecated.c' || echo '$(srcdir)/'`deprecated.c
-
-libkrb5_la-digest.lo: digest.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-digest.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-digest.Tpo -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-digest.Tpo $(DEPDIR)/libkrb5_la-digest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='digest.c' object='libkrb5_la-digest.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c
-
-libkrb5_la-eai_to_heim_errno.lo: eai_to_heim_errno.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-eai_to_heim_errno.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Tpo -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Tpo $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='eai_to_heim_errno.c' object='libkrb5_la-eai_to_heim_errno.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c
-
-libkrb5_la-enomem.lo: enomem.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-enomem.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-enomem.Tpo -c -o libkrb5_la-enomem.lo `test -f 'enomem.c' || echo '$(srcdir)/'`enomem.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-enomem.Tpo $(DEPDIR)/libkrb5_la-enomem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='enomem.c' object='libkrb5_la-enomem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-enomem.lo `test -f 'enomem.c' || echo '$(srcdir)/'`enomem.c
-
-libkrb5_la-error_string.lo: error_string.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-error_string.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-error_string.Tpo -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-error_string.Tpo $(DEPDIR)/libkrb5_la-error_string.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='error_string.c' object='libkrb5_la-error_string.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
-
-libkrb5_la-expand_hostname.lo: expand_hostname.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-expand_hostname.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-expand_hostname.Tpo -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-expand_hostname.Tpo $(DEPDIR)/libkrb5_la-expand_hostname.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='expand_hostname.c' object='libkrb5_la-expand_hostname.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c
-
-libkrb5_la-expand_path.lo: expand_path.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-expand_path.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-expand_path.Tpo -c -o libkrb5_la-expand_path.lo `test -f 'expand_path.c' || echo '$(srcdir)/'`expand_path.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-expand_path.Tpo $(DEPDIR)/libkrb5_la-expand_path.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='expand_path.c' object='libkrb5_la-expand_path.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_path.lo `test -f 'expand_path.c' || echo '$(srcdir)/'`expand_path.c
-
-libkrb5_la-fast.lo: fast.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-fast.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-fast.Tpo -c -o libkrb5_la-fast.lo `test -f 'fast.c' || echo '$(srcdir)/'`fast.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-fast.Tpo $(DEPDIR)/libkrb5_la-fast.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='fast.c' object='libkrb5_la-fast.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-fast.lo `test -f 'fast.c' || echo '$(srcdir)/'`fast.c
-
-libkrb5_la-fcache.lo: fcache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-fcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-fcache.Tpo -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-fcache.Tpo $(DEPDIR)/libkrb5_la-fcache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='fcache.c' object='libkrb5_la-fcache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c
-
-libkrb5_la-free.lo: free.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-free.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-free.Tpo -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-free.Tpo $(DEPDIR)/libkrb5_la-free.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='free.c' object='libkrb5_la-free.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c
-
-libkrb5_la-free_host_realm.lo: free_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-free_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-free_host_realm.Tpo -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-free_host_realm.Tpo $(DEPDIR)/libkrb5_la-free_host_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='free_host_realm.c' object='libkrb5_la-free_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c
-
-libkrb5_la-generate_seq_number.lo: generate_seq_number.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-generate_seq_number.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-generate_seq_number.Tpo -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-generate_seq_number.Tpo $(DEPDIR)/libkrb5_la-generate_seq_number.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='generate_seq_number.c' object='libkrb5_la-generate_seq_number.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c
-
-libkrb5_la-generate_subkey.lo: generate_subkey.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-generate_subkey.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-generate_subkey.Tpo -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-generate_subkey.Tpo $(DEPDIR)/libkrb5_la-generate_subkey.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='generate_subkey.c' object='libkrb5_la-generate_subkey.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c
-
-libkrb5_la-get_addrs.lo: get_addrs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_addrs.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_addrs.Tpo -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_addrs.Tpo $(DEPDIR)/libkrb5_la-get_addrs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_addrs.c' object='libkrb5_la-get_addrs.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c
-
-libkrb5_la-get_cred.lo: get_cred.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_cred.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_cred.Tpo -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_cred.Tpo $(DEPDIR)/libkrb5_la-get_cred.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_cred.c' object='libkrb5_la-get_cred.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c
-
-libkrb5_la-get_default_principal.lo: get_default_principal.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_default_principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_default_principal.Tpo -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_default_principal.Tpo $(DEPDIR)/libkrb5_la-get_default_principal.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_default_principal.c' object='libkrb5_la-get_default_principal.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c
-
-libkrb5_la-get_default_realm.lo: get_default_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_default_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_default_realm.Tpo -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_default_realm.Tpo $(DEPDIR)/libkrb5_la-get_default_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_default_realm.c' object='libkrb5_la-get_default_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c
-
-libkrb5_la-get_for_creds.lo: get_for_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_for_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_for_creds.Tpo -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_for_creds.Tpo $(DEPDIR)/libkrb5_la-get_for_creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_for_creds.c' object='libkrb5_la-get_for_creds.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c
-
-libkrb5_la-get_host_realm.lo: get_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_host_realm.Tpo -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_host_realm.Tpo $(DEPDIR)/libkrb5_la-get_host_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_host_realm.c' object='libkrb5_la-get_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c
-
-libkrb5_la-get_in_tkt.lo: get_in_tkt.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_in_tkt.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_in_tkt.Tpo -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_in_tkt.Tpo $(DEPDIR)/libkrb5_la-get_in_tkt.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_in_tkt.c' object='libkrb5_la-get_in_tkt.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c
-
-libkrb5_la-get_port.lo: get_port.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_port.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_port.Tpo -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_port.Tpo $(DEPDIR)/libkrb5_la-get_port.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_port.c' object='libkrb5_la-get_port.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c
-
-libkrb5_la-init_creds.lo: init_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-init_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-init_creds.Tpo -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-init_creds.Tpo $(DEPDIR)/libkrb5_la-init_creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='init_creds.c' object='libkrb5_la-init_creds.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c
-
-libkrb5_la-init_creds_pw.lo: init_creds_pw.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-init_creds_pw.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-init_creds_pw.Tpo -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-init_creds_pw.Tpo $(DEPDIR)/libkrb5_la-init_creds_pw.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='init_creds_pw.c' object='libkrb5_la-init_creds_pw.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c
-
-libkrb5_la-kcm.lo: kcm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-kcm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-kcm.Tpo -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-kcm.Tpo $(DEPDIR)/libkrb5_la-kcm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kcm.c' object='libkrb5_la-kcm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c
-
-libkrb5_la-keyblock.lo: keyblock.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keyblock.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keyblock.Tpo -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keyblock.Tpo $(DEPDIR)/libkrb5_la-keyblock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keyblock.c' object='libkrb5_la-keyblock.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
-
-libkrb5_la-keytab.lo: keytab.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab.Tpo -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab.Tpo $(DEPDIR)/libkrb5_la-keytab.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab.c' object='libkrb5_la-keytab.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
-
-libkrb5_la-keytab_any.lo: keytab_any.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_any.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_any.Tpo -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab_any.Tpo $(DEPDIR)/libkrb5_la-keytab_any.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab_any.c' object='libkrb5_la-keytab_any.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c
-
-libkrb5_la-keytab_file.lo: keytab_file.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_file.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_file.Tpo -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab_file.Tpo $(DEPDIR)/libkrb5_la-keytab_file.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab_file.c' object='libkrb5_la-keytab_file.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c
-
-libkrb5_la-keytab_keyfile.lo: keytab_keyfile.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_keyfile.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_keyfile.Tpo -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab_keyfile.Tpo $(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab_keyfile.c' object='libkrb5_la-keytab_keyfile.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c
-
-libkrb5_la-keytab_memory.lo: keytab_memory.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_memory.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_memory.Tpo -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab_memory.Tpo $(DEPDIR)/libkrb5_la-keytab_memory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab_memory.c' object='libkrb5_la-keytab_memory.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c
-
-libkrb5_la-krbhst.lo: krbhst.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krbhst.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krbhst.Tpo -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-krbhst.Tpo $(DEPDIR)/libkrb5_la-krbhst.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='krbhst.c' object='libkrb5_la-krbhst.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c
-
-libkrb5_la-kuserok.lo: kuserok.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-kuserok.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-kuserok.Tpo -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-kuserok.Tpo $(DEPDIR)/libkrb5_la-kuserok.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kuserok.c' object='libkrb5_la-kuserok.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c
-
-libkrb5_la-log.lo: log.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-log.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-log.Tpo -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-log.Tpo $(DEPDIR)/libkrb5_la-log.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='log.c' object='libkrb5_la-log.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c
-
-libkrb5_la-mcache.lo: mcache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mcache.Tpo -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mcache.Tpo $(DEPDIR)/libkrb5_la-mcache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mcache.c' object='libkrb5_la-mcache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c
-
-libkrb5_la-misc.lo: misc.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-misc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-misc.Tpo -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-misc.Tpo $(DEPDIR)/libkrb5_la-misc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='misc.c' object='libkrb5_la-misc.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c
-
-libkrb5_la-mk_error.lo: mk_error.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_error.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_error.Tpo -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_error.Tpo $(DEPDIR)/libkrb5_la-mk_error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_error.c' object='libkrb5_la-mk_error.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c
-
-libkrb5_la-mk_priv.lo: mk_priv.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_priv.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_priv.Tpo -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_priv.Tpo $(DEPDIR)/libkrb5_la-mk_priv.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_priv.c' object='libkrb5_la-mk_priv.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c
-
-libkrb5_la-mk_rep.lo: mk_rep.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_rep.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_rep.Tpo -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_rep.Tpo $(DEPDIR)/libkrb5_la-mk_rep.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_rep.c' object='libkrb5_la-mk_rep.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c
-
-libkrb5_la-mk_req.lo: mk_req.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_req.Tpo -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_req.Tpo $(DEPDIR)/libkrb5_la-mk_req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_req.c' object='libkrb5_la-mk_req.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c
-
-libkrb5_la-mk_req_ext.lo: mk_req_ext.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_req_ext.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_req_ext.Tpo -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_req_ext.Tpo $(DEPDIR)/libkrb5_la-mk_req_ext.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_req_ext.c' object='libkrb5_la-mk_req_ext.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c
-
-libkrb5_la-mk_safe.lo: mk_safe.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_safe.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_safe.Tpo -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_safe.Tpo $(DEPDIR)/libkrb5_la-mk_safe.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_safe.c' object='libkrb5_la-mk_safe.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c
-
-libkrb5_la-mit_glue.lo: mit_glue.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mit_glue.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mit_glue.Tpo -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mit_glue.Tpo $(DEPDIR)/libkrb5_la-mit_glue.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mit_glue.c' object='libkrb5_la-mit_glue.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c
-
-libkrb5_la-net_read.lo: net_read.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-net_read.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-net_read.Tpo -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-net_read.Tpo $(DEPDIR)/libkrb5_la-net_read.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='net_read.c' object='libkrb5_la-net_read.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
-
-libkrb5_la-net_write.lo: net_write.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-net_write.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-net_write.Tpo -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-net_write.Tpo $(DEPDIR)/libkrb5_la-net_write.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='net_write.c' object='libkrb5_la-net_write.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
-
-libkrb5_la-n-fold.lo: n-fold.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-n-fold.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-n-fold.Tpo -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-n-fold.Tpo $(DEPDIR)/libkrb5_la-n-fold.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='n-fold.c' object='libkrb5_la-n-fold.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
-
-libkrb5_la-pac.lo: pac.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pac.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pac.Tpo -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-pac.Tpo $(DEPDIR)/libkrb5_la-pac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pac.c' object='libkrb5_la-pac.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c
-
-libkrb5_la-padata.lo: padata.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-padata.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-padata.Tpo -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-padata.Tpo $(DEPDIR)/libkrb5_la-padata.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='padata.c' object='libkrb5_la-padata.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c
-
-libkrb5_la-pcache.lo: pcache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pcache.Tpo -c -o libkrb5_la-pcache.lo `test -f 'pcache.c' || echo '$(srcdir)/'`pcache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-pcache.Tpo $(DEPDIR)/libkrb5_la-pcache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pcache.c' object='libkrb5_la-pcache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pcache.lo `test -f 'pcache.c' || echo '$(srcdir)/'`pcache.c
-
-libkrb5_la-pkinit.lo: pkinit.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pkinit.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pkinit.Tpo -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-pkinit.Tpo $(DEPDIR)/libkrb5_la-pkinit.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pkinit.c' object='libkrb5_la-pkinit.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c
-
-libkrb5_la-pkinit-ec.lo: pkinit-ec.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pkinit-ec.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pkinit-ec.Tpo -c -o libkrb5_la-pkinit-ec.lo `test -f 'pkinit-ec.c' || echo '$(srcdir)/'`pkinit-ec.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-pkinit-ec.Tpo $(DEPDIR)/libkrb5_la-pkinit-ec.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pkinit-ec.c' object='libkrb5_la-pkinit-ec.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pkinit-ec.lo `test -f 'pkinit-ec.c' || echo '$(srcdir)/'`pkinit-ec.c
-
-libkrb5_la-principal.lo: principal.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-principal.Tpo -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-principal.Tpo $(DEPDIR)/libkrb5_la-principal.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='principal.c' object='libkrb5_la-principal.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c
-
-libkrb5_la-prog_setup.lo: prog_setup.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-prog_setup.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-prog_setup.Tpo -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-prog_setup.Tpo $(DEPDIR)/libkrb5_la-prog_setup.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='prog_setup.c' object='libkrb5_la-prog_setup.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c
-
-libkrb5_la-prompter_posix.lo: prompter_posix.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-prompter_posix.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-prompter_posix.Tpo -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-prompter_posix.Tpo $(DEPDIR)/libkrb5_la-prompter_posix.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='prompter_posix.c' object='libkrb5_la-prompter_posix.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c
-
-libkrb5_la-rd_cred.lo: rd_cred.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_cred.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_cred.Tpo -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_cred.Tpo $(DEPDIR)/libkrb5_la-rd_cred.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_cred.c' object='libkrb5_la-rd_cred.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c
-
-libkrb5_la-rd_error.lo: rd_error.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_error.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_error.Tpo -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_error.Tpo $(DEPDIR)/libkrb5_la-rd_error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_error.c' object='libkrb5_la-rd_error.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c
-
-libkrb5_la-rd_priv.lo: rd_priv.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_priv.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_priv.Tpo -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_priv.Tpo $(DEPDIR)/libkrb5_la-rd_priv.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_priv.c' object='libkrb5_la-rd_priv.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c
-
-libkrb5_la-rd_rep.lo: rd_rep.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_rep.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_rep.Tpo -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_rep.Tpo $(DEPDIR)/libkrb5_la-rd_rep.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_rep.c' object='libkrb5_la-rd_rep.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c
-
-libkrb5_la-rd_req.lo: rd_req.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_req.Tpo -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_req.Tpo $(DEPDIR)/libkrb5_la-rd_req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_req.c' object='libkrb5_la-rd_req.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c
-
-libkrb5_la-rd_safe.lo: rd_safe.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_safe.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_safe.Tpo -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_safe.Tpo $(DEPDIR)/libkrb5_la-rd_safe.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_safe.c' object='libkrb5_la-rd_safe.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c
-
-libkrb5_la-read_message.lo: read_message.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-read_message.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-read_message.Tpo -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-read_message.Tpo $(DEPDIR)/libkrb5_la-read_message.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='read_message.c' object='libkrb5_la-read_message.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c
-
-libkrb5_la-recvauth.lo: recvauth.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-recvauth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-recvauth.Tpo -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-recvauth.Tpo $(DEPDIR)/libkrb5_la-recvauth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='recvauth.c' object='libkrb5_la-recvauth.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c
-
-libkrb5_la-replay.lo: replay.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-replay.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-replay.Tpo -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-replay.Tpo $(DEPDIR)/libkrb5_la-replay.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='replay.c' object='libkrb5_la-replay.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c
-
-libkrb5_la-salt.lo: salt.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt.Tpo -c -o libkrb5_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt.Tpo $(DEPDIR)/libkrb5_la-salt.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt.c' object='libkrb5_la-salt.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
-
-libkrb5_la-salt-aes-sha1.lo: salt-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-aes-sha1.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-aes-sha1.Tpo -c -o libkrb5_la-salt-aes-sha1.lo `test -f 'salt-aes-sha1.c' || echo '$(srcdir)/'`salt-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-aes-sha1.Tpo $(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-aes-sha1.c' object='libkrb5_la-salt-aes-sha1.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-aes-sha1.lo `test -f 'salt-aes-sha1.c' || echo '$(srcdir)/'`salt-aes-sha1.c
-
-libkrb5_la-salt-aes-sha2.lo: salt-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-aes-sha2.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-aes-sha2.Tpo -c -o libkrb5_la-salt-aes-sha2.lo `test -f 'salt-aes-sha2.c' || echo '$(srcdir)/'`salt-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-aes-sha2.Tpo $(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-aes-sha2.c' object='libkrb5_la-salt-aes-sha2.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-aes-sha2.lo `test -f 'salt-aes-sha2.c' || echo '$(srcdir)/'`salt-aes-sha2.c
-
-libkrb5_la-salt-arcfour.lo: salt-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-arcfour.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-arcfour.Tpo -c -o libkrb5_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-arcfour.Tpo $(DEPDIR)/libkrb5_la-salt-arcfour.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-arcfour.c' object='libkrb5_la-salt-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
-
-libkrb5_la-salt-des.lo: salt-des.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-des.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-des.Tpo -c -o libkrb5_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-des.Tpo $(DEPDIR)/libkrb5_la-salt-des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-des.c' object='libkrb5_la-salt-des.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
-
-libkrb5_la-salt-des3.lo: salt-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-des3.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-des3.Tpo -c -o libkrb5_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-des3.Tpo $(DEPDIR)/libkrb5_la-salt-des3.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-des3.c' object='libkrb5_la-salt-des3.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
-
-libkrb5_la-sp800-108-kdf.lo: sp800-108-kdf.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-sp800-108-kdf.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-sp800-108-kdf.Tpo -c -o libkrb5_la-sp800-108-kdf.lo `test -f 'sp800-108-kdf.c' || echo '$(srcdir)/'`sp800-108-kdf.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-sp800-108-kdf.Tpo $(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sp800-108-kdf.c' object='libkrb5_la-sp800-108-kdf.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sp800-108-kdf.lo `test -f 'sp800-108-kdf.c' || echo '$(srcdir)/'`sp800-108-kdf.c
-
-libkrb5_la-scache.lo: scache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-scache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-scache.Tpo -c -o libkrb5_la-scache.lo `test -f 'scache.c' || echo '$(srcdir)/'`scache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-scache.Tpo $(DEPDIR)/libkrb5_la-scache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='scache.c' object='libkrb5_la-scache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-scache.lo `test -f 'scache.c' || echo '$(srcdir)/'`scache.c
-
-libkrb5_la-send_to_kdc.lo: send_to_kdc.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-send_to_kdc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-send_to_kdc.Tpo -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-send_to_kdc.Tpo $(DEPDIR)/libkrb5_la-send_to_kdc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='send_to_kdc.c' object='libkrb5_la-send_to_kdc.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c
-
-libkrb5_la-sendauth.lo: sendauth.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-sendauth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-sendauth.Tpo -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-sendauth.Tpo $(DEPDIR)/libkrb5_la-sendauth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sendauth.c' object='libkrb5_la-sendauth.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c
-
-libkrb5_la-set_default_realm.lo: set_default_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-set_default_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-set_default_realm.Tpo -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-set_default_realm.Tpo $(DEPDIR)/libkrb5_la-set_default_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='set_default_realm.c' object='libkrb5_la-set_default_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c
-
-libkrb5_la-sock_principal.lo: sock_principal.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-sock_principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-sock_principal.Tpo -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-sock_principal.Tpo $(DEPDIR)/libkrb5_la-sock_principal.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sock_principal.c' object='libkrb5_la-sock_principal.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c
-
-libkrb5_la-store.lo: store.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store.Tpo -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store.Tpo $(DEPDIR)/libkrb5_la-store.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store.c' object='libkrb5_la-store.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c
-
-libkrb5_la-store-int.lo: store-int.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store-int.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store-int.Tpo -c -o libkrb5_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store-int.Tpo $(DEPDIR)/libkrb5_la-store-int.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store-int.c' object='libkrb5_la-store-int.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
-
-libkrb5_la-store_emem.lo: store_emem.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_emem.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_emem.Tpo -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store_emem.Tpo $(DEPDIR)/libkrb5_la-store_emem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store_emem.c' object='libkrb5_la-store_emem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c
-
-libkrb5_la-store_fd.lo: store_fd.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_fd.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_fd.Tpo -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store_fd.Tpo $(DEPDIR)/libkrb5_la-store_fd.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store_fd.c' object='libkrb5_la-store_fd.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c
-
-libkrb5_la-store_mem.lo: store_mem.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_mem.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_mem.Tpo -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store_mem.Tpo $(DEPDIR)/libkrb5_la-store_mem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store_mem.c' object='libkrb5_la-store_mem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c
-
-libkrb5_la-store_sock.lo: store_sock.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_sock.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_sock.Tpo -c -o libkrb5_la-store_sock.lo `test -f 'store_sock.c' || echo '$(srcdir)/'`store_sock.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store_sock.Tpo $(DEPDIR)/libkrb5_la-store_sock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store_sock.c' object='libkrb5_la-store_sock.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_sock.lo `test -f 'store_sock.c' || echo '$(srcdir)/'`store_sock.c
-
-libkrb5_la-plugin.lo: plugin.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-plugin.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-plugin.Tpo -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-plugin.Tpo $(DEPDIR)/libkrb5_la-plugin.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='plugin.c' object='libkrb5_la-plugin.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c
-
-libkrb5_la-ticket.lo: ticket.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-ticket.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-ticket.Tpo -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-ticket.Tpo $(DEPDIR)/libkrb5_la-ticket.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ticket.c' object='libkrb5_la-ticket.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c
-
-libkrb5_la-time.lo: time.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-time.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-time.Tpo -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-time.Tpo $(DEPDIR)/libkrb5_la-time.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='time.c' object='libkrb5_la-time.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c
-
-libkrb5_la-transited.lo: transited.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-transited.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-transited.Tpo -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-transited.Tpo $(DEPDIR)/libkrb5_la-transited.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='transited.c' object='libkrb5_la-transited.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c
-
-libkrb5_la-verify_init.lo: verify_init.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-verify_init.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-verify_init.Tpo -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-verify_init.Tpo $(DEPDIR)/libkrb5_la-verify_init.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='verify_init.c' object='libkrb5_la-verify_init.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c
-
-libkrb5_la-verify_user.lo: verify_user.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-verify_user.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-verify_user.Tpo -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-verify_user.Tpo $(DEPDIR)/libkrb5_la-verify_user.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='verify_user.c' object='libkrb5_la-verify_user.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c
-
-libkrb5_la-version.lo: version.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-version.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-version.Tpo -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-version.Tpo $(DEPDIR)/libkrb5_la-version.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='version.c' object='libkrb5_la-version.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c
-
-libkrb5_la-warn.lo: warn.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-warn.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-warn.Tpo -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-warn.Tpo $(DEPDIR)/libkrb5_la-warn.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='warn.c' object='libkrb5_la-warn.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
-
-libkrb5_la-write_message.lo: write_message.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-write_message.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-write_message.Tpo -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-write_message.Tpo $(DEPDIR)/libkrb5_la-write_message.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='write_message.c' object='libkrb5_la-write_message.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c
-
-libkrb5_la-krb5_err.lo: krb5_err.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krb5_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krb5_err.Tpo -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-krb5_err.Tpo $(DEPDIR)/libkrb5_la-krb5_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='krb5_err.c' object='libkrb5_la-krb5_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c
-
-libkrb5_la-krb_err.lo: krb_err.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krb_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krb_err.Tpo -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-krb_err.Tpo $(DEPDIR)/libkrb5_la-krb_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='krb_err.c' object='libkrb5_la-krb_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c
-
-libkrb5_la-heim_err.lo: heim_err.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-heim_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-heim_err.Tpo -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-heim_err.Tpo $(DEPDIR)/libkrb5_la-heim_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='heim_err.c' object='libkrb5_la-heim_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c
-
-libkrb5_la-k524_err.lo: k524_err.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-k524_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-k524_err.Tpo -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-k524_err.Tpo $(DEPDIR)/libkrb5_la-k524_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='k524_err.c' object='libkrb5_la-k524_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c
-
-librfc3961_la-crc.lo: crc.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crc.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crc.Tpo -c -o librfc3961_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crc.Tpo $(DEPDIR)/librfc3961_la-crc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crc.c' object='librfc3961_la-crc.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
-
-librfc3961_la-crypto.lo: crypto.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto.Tpo -c -o librfc3961_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto.Tpo $(DEPDIR)/librfc3961_la-crypto.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto.c' object='librfc3961_la-crypto.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-
-librfc3961_la-crypto-aes-sha1.lo: crypto-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-aes-sha1.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-aes-sha1.Tpo -c -o librfc3961_la-crypto-aes-sha1.lo `test -f 'crypto-aes-sha1.c' || echo '$(srcdir)/'`crypto-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-aes-sha1.Tpo $(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-aes-sha1.c' object='librfc3961_la-crypto-aes-sha1.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-aes-sha1.lo `test -f 'crypto-aes-sha1.c' || echo '$(srcdir)/'`crypto-aes-sha1.c
-
-librfc3961_la-crypto-aes-sha2.lo: crypto-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-aes-sha2.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-aes-sha2.Tpo -c -o librfc3961_la-crypto-aes-sha2.lo `test -f 'crypto-aes-sha2.c' || echo '$(srcdir)/'`crypto-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-aes-sha2.Tpo $(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-aes-sha2.c' object='librfc3961_la-crypto-aes-sha2.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-aes-sha2.lo `test -f 'crypto-aes-sha2.c' || echo '$(srcdir)/'`crypto-aes-sha2.c
-
-librfc3961_la-crypto-algs.lo: crypto-algs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-algs.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-algs.Tpo -c -o librfc3961_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-algs.Tpo $(DEPDIR)/librfc3961_la-crypto-algs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-algs.c' object='librfc3961_la-crypto-algs.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
-
-librfc3961_la-crypto-arcfour.lo: crypto-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-arcfour.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-arcfour.Tpo -c -o librfc3961_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-arcfour.Tpo $(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-arcfour.c' object='librfc3961_la-crypto-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
-
-librfc3961_la-crypto-des.lo: crypto-des.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des.Tpo -c -o librfc3961_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-des.Tpo $(DEPDIR)/librfc3961_la-crypto-des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des.c' object='librfc3961_la-crypto-des.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
-
-librfc3961_la-crypto-des-common.lo: crypto-des-common.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des-common.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des-common.Tpo -c -o librfc3961_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-des-common.Tpo $(DEPDIR)/librfc3961_la-crypto-des-common.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des-common.c' object='librfc3961_la-crypto-des-common.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
-
-librfc3961_la-crypto-des3.lo: crypto-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des3.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des3.Tpo -c -o librfc3961_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-des3.Tpo $(DEPDIR)/librfc3961_la-crypto-des3.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des3.c' object='librfc3961_la-crypto-des3.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
-
-librfc3961_la-crypto-evp.lo: crypto-evp.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-evp.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-evp.Tpo -c -o librfc3961_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-evp.Tpo $(DEPDIR)/librfc3961_la-crypto-evp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-evp.c' object='librfc3961_la-crypto-evp.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
-
-librfc3961_la-crypto-null.lo: crypto-null.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-null.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-null.Tpo -c -o librfc3961_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-null.Tpo $(DEPDIR)/librfc3961_la-crypto-null.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-null.c' object='librfc3961_la-crypto-null.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
-
-librfc3961_la-crypto-pk.lo: crypto-pk.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-pk.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-pk.Tpo -c -o librfc3961_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-pk.Tpo $(DEPDIR)/librfc3961_la-crypto-pk.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-pk.c' object='librfc3961_la-crypto-pk.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
-
-librfc3961_la-crypto-rand.lo: crypto-rand.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-rand.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-rand.Tpo -c -o librfc3961_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-rand.Tpo $(DEPDIR)/librfc3961_la-crypto-rand.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-rand.c' object='librfc3961_la-crypto-rand.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
-
-librfc3961_la-crypto-stubs.lo: crypto-stubs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-stubs.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-stubs.Tpo -c -o librfc3961_la-crypto-stubs.lo `test -f 'crypto-stubs.c' || echo '$(srcdir)/'`crypto-stubs.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-stubs.Tpo $(DEPDIR)/librfc3961_la-crypto-stubs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-stubs.c' object='librfc3961_la-crypto-stubs.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-stubs.lo `test -f 'crypto-stubs.c' || echo '$(srcdir)/'`crypto-stubs.c
-
-librfc3961_la-data.lo: data.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-data.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-data.Tpo -c -o librfc3961_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-data.Tpo $(DEPDIR)/librfc3961_la-data.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='data.c' object='librfc3961_la-data.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
-
-librfc3961_la-enomem.lo: enomem.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-enomem.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-enomem.Tpo -c -o librfc3961_la-enomem.lo `test -f 'enomem.c' || echo '$(srcdir)/'`enomem.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-enomem.Tpo $(DEPDIR)/librfc3961_la-enomem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='enomem.c' object='librfc3961_la-enomem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-enomem.lo `test -f 'enomem.c' || echo '$(srcdir)/'`enomem.c
-
-librfc3961_la-error_string.lo: error_string.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-error_string.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-error_string.Tpo -c -o librfc3961_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-error_string.Tpo $(DEPDIR)/librfc3961_la-error_string.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='error_string.c' object='librfc3961_la-error_string.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
-
-librfc3961_la-keyblock.lo: keyblock.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-keyblock.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-keyblock.Tpo -c -o librfc3961_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-keyblock.Tpo $(DEPDIR)/librfc3961_la-keyblock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keyblock.c' object='librfc3961_la-keyblock.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
-
-librfc3961_la-n-fold.lo: n-fold.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-n-fold.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-n-fold.Tpo -c -o librfc3961_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-n-fold.Tpo $(DEPDIR)/librfc3961_la-n-fold.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='n-fold.c' object='librfc3961_la-n-fold.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
-
-librfc3961_la-salt.lo: salt.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt.Tpo -c -o librfc3961_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt.Tpo $(DEPDIR)/librfc3961_la-salt.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt.c' object='librfc3961_la-salt.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
-
-librfc3961_la-salt-aes-sha1.lo: salt-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-aes-sha1.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-aes-sha1.Tpo -c -o librfc3961_la-salt-aes-sha1.lo `test -f 'salt-aes-sha1.c' || echo '$(srcdir)/'`salt-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-aes-sha1.Tpo $(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-aes-sha1.c' object='librfc3961_la-salt-aes-sha1.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-aes-sha1.lo `test -f 'salt-aes-sha1.c' || echo '$(srcdir)/'`salt-aes-sha1.c
-
-librfc3961_la-salt-aes-sha2.lo: salt-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-aes-sha2.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-aes-sha2.Tpo -c -o librfc3961_la-salt-aes-sha2.lo `test -f 'salt-aes-sha2.c' || echo '$(srcdir)/'`salt-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-aes-sha2.Tpo $(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-aes-sha2.c' object='librfc3961_la-salt-aes-sha2.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-aes-sha2.lo `test -f 'salt-aes-sha2.c' || echo '$(srcdir)/'`salt-aes-sha2.c
-
-librfc3961_la-salt-arcfour.lo: salt-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-arcfour.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-arcfour.Tpo -c -o librfc3961_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-arcfour.Tpo $(DEPDIR)/librfc3961_la-salt-arcfour.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-arcfour.c' object='librfc3961_la-salt-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
-
-librfc3961_la-salt-des.lo: salt-des.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-des.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-des.Tpo -c -o librfc3961_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-des.Tpo $(DEPDIR)/librfc3961_la-salt-des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-des.c' object='librfc3961_la-salt-des.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
-
-librfc3961_la-salt-des3.lo: salt-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-des3.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-des3.Tpo -c -o librfc3961_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-des3.Tpo $(DEPDIR)/librfc3961_la-salt-des3.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-des3.c' object='librfc3961_la-salt-des3.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
-
-librfc3961_la-sp800-108-kdf.lo: sp800-108-kdf.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-sp800-108-kdf.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-sp800-108-kdf.Tpo -c -o librfc3961_la-sp800-108-kdf.lo `test -f 'sp800-108-kdf.c' || echo '$(srcdir)/'`sp800-108-kdf.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-sp800-108-kdf.Tpo $(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sp800-108-kdf.c' object='librfc3961_la-sp800-108-kdf.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-sp800-108-kdf.lo `test -f 'sp800-108-kdf.c' || echo '$(srcdir)/'`sp800-108-kdf.c
-
-librfc3961_la-store-int.lo: store-int.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-store-int.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-store-int.Tpo -c -o librfc3961_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-store-int.Tpo $(DEPDIR)/librfc3961_la-store-int.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store-int.c' object='librfc3961_la-store-int.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
-
-librfc3961_la-warn.lo: warn.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-warn.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-warn.Tpo -c -o librfc3961_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-warn.Tpo $(DEPDIR)/librfc3961_la-warn.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='warn.c' object='librfc3961_la-warn.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
-
-mostlyclean-libtool:
- -rm -f *.lo
-
-clean-libtool:
- -rm -rf .libs _libs
-install-man3: $(man_MANS)
- @$(NORMAL_INSTALL)
- @list1=''; \
- list2='$(man_MANS)'; \
- test -n "$(man3dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man3dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man3dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.3[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \
- done; }
-
-uninstall-man3:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man3dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.3[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man3dir)'; $(am__uninstall_files_from_dir)
-install-man5: $(man_MANS)
- @$(NORMAL_INSTALL)
- @list1=''; \
- list2='$(man_MANS)'; \
- test -n "$(man5dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.5[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
- done; }
-
-uninstall-man5:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man5dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.5[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
-install-man7: $(man_MANS)
- @$(NORMAL_INSTALL)
- @list1=''; \
- list2='$(man_MANS)'; \
- test -n "$(man7dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man7dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man7dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.7[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man7dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man7dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man7dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man7dir)" || exit $$?; }; \
- done; }
-
-uninstall-man7:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man7dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.7[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man7dir)'; $(am__uninstall_files_from_dir)
-install-man8: $(man_MANS)
- @$(NORMAL_INSTALL)
- @list1=''; \
- list2='$(man_MANS)'; \
- test -n "$(man8dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.8[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
- done; }
-
-uninstall-man8:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man8dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.8[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
-install-dist_includeHEADERS: $(dist_include_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
- done
-
-uninstall-dist_includeHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
-install-krb5HEADERS: $(krb5_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(krb5_HEADERS)'; test -n "$(krb5dir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(krb5dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(krb5dir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(krb5dir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(krb5dir)" || exit $$?; \
- done
-
-uninstall-krb5HEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(krb5_HEADERS)'; test -n "$(krb5dir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(krb5dir)'; $(am__uninstall_files_from_dir)
-install-nodist_includeHEADERS: $(nodist_include_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
- done
-
-uninstall-nodist_includeHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
-
-ID: $(am__tagged_files)
- $(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- set x; \
- here=`pwd`; \
- $(am__define_uniq_tagged_files); \
- shift; \
- if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
- test -n "$$unique" || unique=$$empty_fix; \
- if test $$# -gt 0; then \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- "$$@" $$unique; \
- else \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$unique; \
- fi; \
- fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- $(am__define_uniq_tagged_files); \
- test -z "$(CTAGS_ARGS)$$unique" \
- || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$unique
-
-GTAGS:
- here=`$(am__cd) $(top_builddir) && pwd` \
- && $(am__cd) $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
- list='$(am__tagged_files)'; \
- case "$(srcdir)" in \
- [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
- *) sdir=$(subdir)/$(srcdir) ;; \
- esac; \
- for i in $$list; do \
- if test -f "$$i"; then \
- echo "$(subdir)/$$i"; \
- else \
- echo "$$sdir/$$i"; \
- fi; \
- done >> $(top_builddir)/cscope.files
-
-distclean-tags:
- -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-# Recover from deleted '.trs' file; this should ensure that
-# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
-# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells
-# to avoid problems with "make -n".
-.log.trs:
- rm -f $< $@
- $(MAKE) $(AM_MAKEFLAGS) $<
-
-# Leading 'am--fnord' is there to ensure the list of targets does not
-# expand to empty, as could happen e.g. with make check TESTS=''.
-am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
-am--force-recheck:
- @:
-
-$(TEST_SUITE_LOG): $(TEST_LOGS)
- @$(am__set_TESTS_bases); \
- am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
- redo_bases=`for i in $$bases; do \
- am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
- done`; \
- if test -n "$$redo_bases"; then \
- redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
- redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
- if $(am__make_dryrun); then :; else \
- rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
- fi; \
- fi; \
- if test -n "$$am__remaking_logs"; then \
- echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
- "recursion detected" >&2; \
- elif test -n "$$redo_logs"; then \
- am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
- fi; \
- if $(am__make_dryrun); then :; else \
- st=0; \
- errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
- for i in $$redo_bases; do \
- test -f $$i.trs && test -r $$i.trs \
- || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
- test -f $$i.log && test -r $$i.log \
- || { echo "$$errmsg $$i.log" >&2; st=1; }; \
- done; \
- test $$st -eq 0 || exit 1; \
- fi
- @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
- ws='[ ]'; \
- results=`for b in $$bases; do echo $$b.trs; done`; \
- test -n "$$results" || results=/dev/null; \
- all=` grep "^$$ws*:test-result:" $$results | wc -l`; \
- pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \
- fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \
- skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \
- xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
- xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
- error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
- if test `expr $$fail + $$xpass + $$error` -eq 0; then \
- success=true; \
- else \
- success=false; \
- fi; \
- br='==================='; br=$$br$$br$$br$$br; \
- result_count () \
- { \
- if test x"$$1" = x"--maybe-color"; then \
- maybe_colorize=yes; \
- elif test x"$$1" = x"--no-color"; then \
- maybe_colorize=no; \
- else \
- echo "$@: invalid 'result_count' usage" >&2; exit 4; \
- fi; \
- shift; \
- desc=$$1 count=$$2; \
- if test $$maybe_colorize = yes && test $$count -gt 0; then \
- color_start=$$3 color_end=$$std; \
- else \
- color_start= color_end=; \
- fi; \
- echo "$${color_start}# $$desc $$count$${color_end}"; \
- }; \
- create_testsuite_report () \
- { \
- result_count $$1 "TOTAL:" $$all "$$brg"; \
- result_count $$1 "PASS: " $$pass "$$grn"; \
- result_count $$1 "SKIP: " $$skip "$$blu"; \
- result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
- result_count $$1 "FAIL: " $$fail "$$red"; \
- result_count $$1 "XPASS:" $$xpass "$$red"; \
- result_count $$1 "ERROR:" $$error "$$mgn"; \
- }; \
- { \
- echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \
- $(am__rst_title); \
- create_testsuite_report --no-color; \
- echo; \
- echo ".. contents:: :depth: 2"; \
- echo; \
- for b in $$bases; do echo $$b; done \
- | $(am__create_global_log); \
- } >$(TEST_SUITE_LOG).tmp || exit 1; \
- mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \
- if $$success; then \
- col="$$grn"; \
- else \
- col="$$red"; \
- test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
- fi; \
- echo "$${col}$$br$${std}"; \
- echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \
- echo "$${col}$$br$${std}"; \
- create_testsuite_report --maybe-color; \
- echo "$$col$$br$$std"; \
- if $$success; then :; else \
- echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \
- if test -n "$(PACKAGE_BUGREPORT)"; then \
- echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \
- fi; \
- echo "$$col$$br$$std"; \
- fi; \
- $$success || exit 1
-
-check-TESTS: $(check_PROGRAMS) $(check_DATA)
- @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
- @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- trs_list=`for i in $$bases; do echo $$i.trs; done`; \
- log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
- exit $$?;
-recheck: all $(check_PROGRAMS) $(check_DATA)
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- bases=`for i in $$bases; do echo $$i; done \
- | $(am__list_recheck_tests)` || exit 1; \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- log_list=`echo $$log_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
- am__force_recheck=am--force-recheck \
- TEST_LOGS="$$log_list"; \
- exit $$?
-aes-test.log: aes-test$(EXEEXT)
- @p='aes-test$(EXEEXT)'; \
- b='aes-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-derived-key-test.log: derived-key-test$(EXEEXT)
- @p='derived-key-test$(EXEEXT)'; \
- b='derived-key-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-n-fold-test.log: n-fold-test$(EXEEXT)
- @p='n-fold-test$(EXEEXT)'; \
- b='n-fold-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-parse-name-test.log: parse-name-test$(EXEEXT)
- @p='parse-name-test$(EXEEXT)'; \
- b='parse-name-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-pseudo-random-test.log: pseudo-random-test$(EXEEXT)
- @p='pseudo-random-test$(EXEEXT)'; \
- b='pseudo-random-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-store-test.log: store-test$(EXEEXT)
- @p='store-test$(EXEEXT)'; \
- b='store-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-string-to-key-test.log: string-to-key-test$(EXEEXT)
- @p='string-to-key-test$(EXEEXT)'; \
- b='string-to-key-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_acl.log: test_acl$(EXEEXT)
- @p='test_acl$(EXEEXT)'; \
- b='test_acl'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_addr.log: test_addr$(EXEEXT)
- @p='test_addr$(EXEEXT)'; \
- b='test_addr'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_cc.log: test_cc$(EXEEXT)
- @p='test_cc$(EXEEXT)'; \
- b='test_cc'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_config.log: test_config$(EXEEXT)
- @p='test_config$(EXEEXT)'; \
- b='test_config'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_fx.log: test_fx$(EXEEXT)
- @p='test_fx$(EXEEXT)'; \
- b='test_fx'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_prf.log: test_prf$(EXEEXT)
- @p='test_prf$(EXEEXT)'; \
- b='test_prf'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_store.log: test_store$(EXEEXT)
- @p='test_store$(EXEEXT)'; \
- b='test_store'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_crypto_wrapping.log: test_crypto_wrapping$(EXEEXT)
- @p='test_crypto_wrapping$(EXEEXT)'; \
- b='test_crypto_wrapping'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_keytab.log: test_keytab$(EXEEXT)
- @p='test_keytab$(EXEEXT)'; \
- b='test_keytab'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_mem.log: test_mem$(EXEEXT)
- @p='test_mem$(EXEEXT)'; \
- b='test_mem'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_pac.log: test_pac$(EXEEXT)
- @p='test_pac$(EXEEXT)'; \
- b='test_pac'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_plugin.log: test_plugin$(EXEEXT)
- @p='test_plugin$(EXEEXT)'; \
- b='test_plugin'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_princ.log: test_princ$(EXEEXT)
- @p='test_princ$(EXEEXT)'; \
- b='test_princ'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_pkinit_dh2key.log: test_pkinit_dh2key$(EXEEXT)
- @p='test_pkinit_dh2key$(EXEEXT)'; \
- b='test_pkinit_dh2key'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_pknistkdf.log: test_pknistkdf$(EXEEXT)
- @p='test_pknistkdf$(EXEEXT)'; \
- b='test_pknistkdf'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_time.log: test_time$(EXEEXT)
- @p='test_time$(EXEEXT)'; \
- b='test_time'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_expand_toks.log: test_expand_toks$(EXEEXT)
- @p='test_expand_toks$(EXEEXT)'; \
- b='test_expand_toks'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_x500.log: test_x500$(EXEEXT)
- @p='test_x500$(EXEEXT)'; \
- b='test_x500'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-.test.log:
- @p='$<'; \
- $(am__set_b); \
- $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-@am__EXEEXT_TRUE@.test$(EXEEXT).log:
-@am__EXEEXT_TRUE@ @p='$<'; \
-@am__EXEEXT_TRUE@ $(am__set_b); \
-@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \
-@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
-distdir: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) distdir-am
-
-distdir-am: $(DISTFILES)
- @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- list='$(DISTFILES)'; \
- dist_files=`for file in $$list; do echo $$file; done | \
- sed -e "s|^$$srcdirstrip/||;t" \
- -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
- case $$dist_files in \
- */*) $(MKDIR_P) `echo "$$dist_files" | \
- sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
- sort -u` ;; \
- esac; \
- for file in $$dist_files; do \
- if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
- if test -d $$d/$$file; then \
- dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
- if test -d "$(distdir)/$$file"; then \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
- else \
- test -f "$(distdir)/$$file" \
- || cp -p $$d/$$file "$(distdir)/$$file" \
- || exit 1; \
- fi; \
- done
- $(MAKE) $(AM_MAKEFLAGS) \
- top_distdir="$(top_distdir)" distdir="$(distdir)" \
- dist-hook
-check-am: all-am
- $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_DATA)
- $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
-check: check-am
-all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(HEADERS) \
- all-local
-install-binPROGRAMS: install-libLTLIBRARIES
-
-install-checkPROGRAMS: install-libLTLIBRARIES
-
-installdirs:
- for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)"; do \
- test -z "$$dir" || $(MKDIR_P) "$$dir"; \
- done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
- @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
- if test -z '$(STRIP)'; then \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- install; \
- else \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
- fi
-mostlyclean-generic:
- -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
- -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
- -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-
-clean-generic:
- -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
- -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
- -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
- @echo "This command is intended for maintainers to use"
- @echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
- clean-libLTLIBRARIES clean-libtool clean-noinstLTLIBRARIES \
- clean-noinstPROGRAMS mostlyclean-am
-
-distclean: distclean-am
- -rm -f ./$(DEPDIR)/aes-test.Po
- -rm -f ./$(DEPDIR)/derived-key-test.Po
- -rm -f ./$(DEPDIR)/krbhst-test.Po
- -rm -f ./$(DEPDIR)/libkrb5_la-acache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-acl.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-add_et_list.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-addr_families.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-appdefault.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-asn1_glue.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-auth_context.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-build_ap_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-build_auth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-cache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-changepw.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-codec.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-config_file.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-constants.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-context.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-convert_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-algs.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des3.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-evp.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-null.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-pk.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-rand.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-data.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-db_plugin.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-dcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-deprecated.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-digest.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-doxygen.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-enomem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-error_string.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-expand_hostname.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-expand_path.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-fast.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-fcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-free.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-free_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-generate_subkey.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_addrs.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_cred.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_default_principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_default_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_for_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_port.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-heim_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-init_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-k524_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-kcm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keyblock.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_any.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_file.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_memory.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krb5_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krb_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krbhst.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-kuserok.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-log.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-misc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mit_glue.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_error.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_priv.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_rep.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_safe.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-n-fold.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-net_read.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-net_write.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pac.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-padata.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pkinit.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-plugin.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-prog_setup.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-prompter_posix.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_cred.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_error.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_priv.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_rep.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_safe.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-read_message.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-recvauth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-replay.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-des.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-des3.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-scache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sendauth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-set_default_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sock_principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store-int.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_emem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_fd.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_mem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_sock.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-ticket.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-time.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-transited.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-verify_init.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-verify_user.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-version.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-warn.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-write_message.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crc.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-algs.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des3.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-evp.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-null.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-pk.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-rand.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-data.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-enomem.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-error_string.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-keyblock.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-n-fold.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-des.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-des3.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-store-int.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-warn.Plo
- -rm -f ./$(DEPDIR)/n-fold-test.Po
- -rm -f ./$(DEPDIR)/parse-name-test.Po
- -rm -f ./$(DEPDIR)/pseudo-random-test.Po
- -rm -f ./$(DEPDIR)/store-test.Po
- -rm -f ./$(DEPDIR)/string-to-key-test.Po
- -rm -f ./$(DEPDIR)/test_acl.Po
- -rm -f ./$(DEPDIR)/test_addr.Po
- -rm -f ./$(DEPDIR)/test_alname.Po
- -rm -f ./$(DEPDIR)/test_ap-req.Po
- -rm -f ./$(DEPDIR)/test_canon.Po
- -rm -f ./$(DEPDIR)/test_cc.Po
- -rm -f ./$(DEPDIR)/test_config.Po
- -rm -f ./$(DEPDIR)/test_crypto.Po
- -rm -f ./$(DEPDIR)/test_crypto_wrapping.Po
- -rm -f ./$(DEPDIR)/test_expand_toks.Po
- -rm -f ./$(DEPDIR)/test_forward.Po
- -rm -f ./$(DEPDIR)/test_fx.Po
- -rm -f ./$(DEPDIR)/test_get_addrs.Po
- -rm -f ./$(DEPDIR)/test_gic.Po
- -rm -f ./$(DEPDIR)/test_hostname.Po
- -rm -f ./$(DEPDIR)/test_keytab.Po
- -rm -f ./$(DEPDIR)/test_kuserok.Po
- -rm -f ./$(DEPDIR)/test_mem.Po
- -rm -f ./$(DEPDIR)/test_pac.Po
- -rm -f ./$(DEPDIR)/test_pkinit_dh2key.Po
- -rm -f ./$(DEPDIR)/test_pknistkdf.Po
- -rm -f ./$(DEPDIR)/test_plugin.Po
- -rm -f ./$(DEPDIR)/test_prf.Po
- -rm -f ./$(DEPDIR)/test_princ.Po
- -rm -f ./$(DEPDIR)/test_renew.Po
- -rm -f ./$(DEPDIR)/test_rfc3961.Po
- -rm -f ./$(DEPDIR)/test_set_kvno0.Po
- -rm -f ./$(DEPDIR)/test_store.Po
- -rm -f ./$(DEPDIR)/test_time.Po
- -rm -f ./$(DEPDIR)/test_x500.Po
- -rm -f ./$(DEPDIR)/verify_krb5_conf.Po
- -rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
- distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-dist_includeHEADERS install-krb5HEADERS \
- install-man install-nodist_includeHEADERS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) install-data-hook
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am: install-binPROGRAMS install-exec-local \
- install-libLTLIBRARIES
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man: install-man3 install-man5 install-man7 install-man8
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
- -rm -f ./$(DEPDIR)/aes-test.Po
- -rm -f ./$(DEPDIR)/derived-key-test.Po
- -rm -f ./$(DEPDIR)/krbhst-test.Po
- -rm -f ./$(DEPDIR)/libkrb5_la-acache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-acl.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-add_et_list.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-addr_families.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-appdefault.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-asn1_glue.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-auth_context.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-build_ap_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-build_auth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-cache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-changepw.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-codec.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-config_file.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-constants.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-context.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-convert_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-algs.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des3.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-evp.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-null.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-pk.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-rand.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-data.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-db_plugin.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-dcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-deprecated.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-digest.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-doxygen.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-enomem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-error_string.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-expand_hostname.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-expand_path.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-fast.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-fcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-free.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-free_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-generate_subkey.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_addrs.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_cred.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_default_principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_default_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_for_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_port.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-heim_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-init_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-k524_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-kcm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keyblock.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_any.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_file.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_memory.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krb5_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krb_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krbhst.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-kuserok.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-log.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-misc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mit_glue.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_error.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_priv.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_rep.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_safe.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-n-fold.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-net_read.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-net_write.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pac.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-padata.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pkinit.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-plugin.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-prog_setup.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-prompter_posix.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_cred.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_error.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_priv.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_rep.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_safe.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-read_message.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-recvauth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-replay.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-des.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-des3.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-scache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sendauth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-set_default_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sock_principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store-int.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_emem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_fd.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_mem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_sock.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-ticket.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-time.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-transited.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-verify_init.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-verify_user.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-version.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-warn.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-write_message.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crc.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-algs.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des3.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-evp.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-null.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-pk.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-rand.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-data.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-enomem.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-error_string.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-keyblock.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-n-fold.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-des.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-des3.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-store-int.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-warn.Plo
- -rm -f ./$(DEPDIR)/n-fold-test.Po
- -rm -f ./$(DEPDIR)/parse-name-test.Po
- -rm -f ./$(DEPDIR)/pseudo-random-test.Po
- -rm -f ./$(DEPDIR)/store-test.Po
- -rm -f ./$(DEPDIR)/string-to-key-test.Po
- -rm -f ./$(DEPDIR)/test_acl.Po
- -rm -f ./$(DEPDIR)/test_addr.Po
- -rm -f ./$(DEPDIR)/test_alname.Po
- -rm -f ./$(DEPDIR)/test_ap-req.Po
- -rm -f ./$(DEPDIR)/test_canon.Po
- -rm -f ./$(DEPDIR)/test_cc.Po
- -rm -f ./$(DEPDIR)/test_config.Po
- -rm -f ./$(DEPDIR)/test_crypto.Po
- -rm -f ./$(DEPDIR)/test_crypto_wrapping.Po
- -rm -f ./$(DEPDIR)/test_expand_toks.Po
- -rm -f ./$(DEPDIR)/test_forward.Po
- -rm -f ./$(DEPDIR)/test_fx.Po
- -rm -f ./$(DEPDIR)/test_get_addrs.Po
- -rm -f ./$(DEPDIR)/test_gic.Po
- -rm -f ./$(DEPDIR)/test_hostname.Po
- -rm -f ./$(DEPDIR)/test_keytab.Po
- -rm -f ./$(DEPDIR)/test_kuserok.Po
- -rm -f ./$(DEPDIR)/test_mem.Po
- -rm -f ./$(DEPDIR)/test_pac.Po
- -rm -f ./$(DEPDIR)/test_pkinit_dh2key.Po
- -rm -f ./$(DEPDIR)/test_pknistkdf.Po
- -rm -f ./$(DEPDIR)/test_plugin.Po
- -rm -f ./$(DEPDIR)/test_prf.Po
- -rm -f ./$(DEPDIR)/test_princ.Po
- -rm -f ./$(DEPDIR)/test_renew.Po
- -rm -f ./$(DEPDIR)/test_rfc3961.Po
- -rm -f ./$(DEPDIR)/test_set_kvno0.Po
- -rm -f ./$(DEPDIR)/test_store.Po
- -rm -f ./$(DEPDIR)/test_time.Po
- -rm -f ./$(DEPDIR)/test_x500.Po
- -rm -f ./$(DEPDIR)/verify_krb5_conf.Po
- -rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
- uninstall-krb5HEADERS uninstall-libLTLIBRARIES uninstall-man \
- uninstall-nodist_includeHEADERS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) uninstall-hook
-uninstall-man: uninstall-man3 uninstall-man5 uninstall-man7 \
- uninstall-man8
-
-.MAKE: check-am install-am install-data-am install-strip uninstall-am
-
-.PHONY: CTAGS GTAGS TAGS all all-am all-local am--depfiles check \
- check-TESTS check-am check-local clean clean-binPROGRAMS \
- clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
- clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \
- cscopelist-am ctags ctags-am dist-hook distclean \
- distclean-compile distclean-generic distclean-libtool \
- distclean-tags distdir dvi dvi-am html html-am info info-am \
- install install-am install-binPROGRAMS install-data \
- install-data-am install-data-hook install-dist_includeHEADERS \
- install-dvi install-dvi-am install-exec install-exec-am \
- install-exec-local install-html install-html-am install-info \
- install-info-am install-krb5HEADERS install-libLTLIBRARIES \
- install-man install-man3 install-man5 install-man7 \
- install-man8 install-nodist_includeHEADERS install-pdf \
- install-pdf-am install-ps install-ps-am install-strip \
- installcheck installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- recheck tags tags-am uninstall uninstall-am \
- uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
- uninstall-hook uninstall-krb5HEADERS uninstall-libLTLIBRARIES \
- uninstall-man uninstall-man3 uninstall-man5 uninstall-man7 \
- uninstall-man8 uninstall-nodist_includeHEADERS
-
-.PRECIOUS: Makefile
-
-
-install-suid-programs:
- @foo='$(bin_SUIDS)'; \
- for file in $$foo; do \
- x=$(DESTDIR)$(bindir)/$$file; \
- if chown 0:0 $$x && chmod u+s $$x; then :; else \
- echo "*"; \
- echo "* Failed to install $$x setuid root"; \
- echo "*"; \
- fi; \
- done
-
-install-exec-local: install-suid-programs
-
-codesign-all:
- @if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \
- foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \
- for file in $$foo ; do \
- echo "CODESIGN $$file" ; \
- codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \
- done ; \
- fi
-
-all-local: codesign-all
-
-install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS)
- @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \
- for f in $$foo; do \
- f=`basename $$f`; \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f || true; \
- fi ; \
- done ; \
- foo='$(nobase_include_HEADERS)'; \
- for f in $$foo; do \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- $(mkdir_p) $(buildinclude)/`dirname $$f` ; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f; \
- fi ; \
- done
-
-all-local: install-build-headers
-
-check-local::
- @if test '$(CHECK_LOCAL)' = "no-check-local"; then \
- foo=''; elif test '$(CHECK_LOCAL)'; then \
- foo='$(CHECK_LOCAL)'; else \
- foo='$(PROGRAMS)'; fi; \
- if test "$$foo"; then \
- failed=0; all=0; \
- for i in $$foo; do \
- all=`expr $$all + 1`; \
- if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
- echo "PASS: $$i"; \
- else \
- echo "FAIL: $$i"; \
- failed=`expr $$failed + 1`; \
- fi; \
- done; \
- if test "$$failed" -eq 0; then \
- banner="All $$all tests passed"; \
- else \
- banner="$$failed of $$all tests failed"; \
- fi; \
- dashes=`echo "$$banner" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- echo "$$dashes"; \
- test "$$failed" -eq 0 || exit 1; \
- fi
-
-# It's useful for debugging to format generated sources. The default for all
-# clang-format styles is to sort includes, but in many cases in-tree we really
-# don't want to do that.
-.x.c:
- @if [ -z "$(CLANG_FORMAT)" ]; then \
- cmp -s $< $@ 2> /dev/null || cp $< $@; \
- else \
- cp $< $@.tmp.c; \
- $(CLANG_FORMAT) -style='{BasedOnStyle: Chromium, SortIncludes: false}' -i $@.tmp.c; \
- cmp -s $@.tmp.c $@ 2> /dev/null || mv $@.tmp.c $@; \
- fi
-
-.hx.h:
- @cmp -s $< $@ 2> /dev/null || cp $< $@;
-#NROFF_MAN = nroff -man
-.1.cat1:
- $(NROFF_MAN) $< > $@
-.3.cat3:
- $(NROFF_MAN) $< > $@
-.5.cat5:
- $(NROFF_MAN) $< > $@
-.7.cat7:
- $(NROFF_MAN) $< > $@
-.8.cat8:
- $(NROFF_MAN) $< > $@
-
-dist-cat1-mans:
- @foo='$(man1_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.1) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat3-mans:
- @foo='$(man3_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.3) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat5-mans:
- @foo='$(man5_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.5) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat7-mans:
- @foo='$(man7_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.7) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat8-mans:
- @foo='$(man8_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.8) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans
-
-install-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
-
-uninstall-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
-
-install-data-hook: install-cat-mans
-uninstall-hook: uninstall-cat-mans
-
-.et.h:
- $(COMPILE_ET) $<
-.et.c:
- $(COMPILE_ET) $<
-
-#
-# Useful target for debugging
-#
-
-check-valgrind:
- tobjdir=`cd $(top_builddir) && pwd` ; \
- tsrcdir=`cd $(top_srcdir) && pwd` ; \
- env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
-
-#
-# Target to please samba build farm, builds distfiles in-tree.
-# Will break when automake changes...
-#
-
-distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
- list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
- if test "$$subdir" != .; then \
- (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
- fi ; \
- done
-
-$(ALL_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
-$(ALL_OBJECTS): krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
-
-$(srcdir)/krb5-protos.h: $(headerdeps)
- @cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h
-
-$(srcdir)/krb5-private.h: $(headerdeps)
- @cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h
-
-$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
-
-test_config_strings.out: test_config_strings.cfg
- $(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out
-
-#sysconf_DATA = krb5.moduli
-
-# to help stupid solaris make
-
-krb5_err.h: krb5_err.et
-
-krb_err.h: krb_err.et
-
-heim_err.h: heim_err.et
-
-k524_err.h: k524_err.et
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/lib/krb5/NTMakefile b/lib/krb5/NTMakefile
index b0848716cd1a..993e76fcc23f 100644
--- a/lib/krb5/NTMakefile
+++ b/lib/krb5/NTMakefile
@@ -1,20 +1,20 @@
########################################################################
#
-# Copyright (c) 2009 - 2016, Secure Endpoints Inc.
+# Copyright (c) 2009 - 2017, Secure Endpoints Inc.
# All rights reserved.
-#
+#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
-#
+#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
-#
+#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
-#
+#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
@@ -27,10 +27,12 @@
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
-#
+#
RELDIR=lib\krb5
+intcflags=-I$(SRCDIR) -I$(SRCDIR)\..\com_err -I$(SRCDIR)\..\base
+
!include ../../windows/NTMakefile.w32
libkrb5_OBJS = \
@@ -42,13 +44,13 @@ libkrb5_OBJS = \
$(OBJ)\appdefault.obj \
$(OBJ)\asn1_glue.obj \
$(OBJ)\auth_context.obj \
+ $(OBJ)\authdata.obj \
$(OBJ)\build_ap_req.obj \
$(OBJ)\build_auth.obj \
$(OBJ)\cache.obj \
$(OBJ)\changepw.obj \
$(OBJ)\codec.obj \
$(OBJ)\config_file.obj \
- $(OBJ)\config_reg.obj \
$(OBJ)\constants.obj \
$(OBJ)\context.obj \
$(OBJ)\convert_creds.obj \
@@ -103,10 +105,12 @@ libkrb5_OBJS = \
$(OBJ)\keytab_memory.obj \
$(OBJ)\krbhst.obj \
$(OBJ)\kuserok.obj \
+ $(OBJ)\kx509.obj \
$(OBJ)\log.obj \
$(OBJ)\mcache.obj \
$(OBJ)\misc.obj \
$(OBJ)\mit_glue.obj \
+ $(OBJ)\mk_cred.obj \
$(OBJ)\mk_error.obj \
$(OBJ)\mk_priv.obj \
$(OBJ)\mk_rep.obj \
@@ -152,6 +156,7 @@ libkrb5_OBJS = \
$(OBJ)\store_fd.obj \
$(OBJ)\store_mem.obj \
$(OBJ)\store_sock.obj \
+ $(OBJ)\store_stdio.obj \
$(OBJ)\ticket.obj \
$(OBJ)\time.obj \
$(OBJ)\transited.obj \
@@ -164,12 +169,13 @@ libkrb5_OBJS = \
libkrb5_gen_OBJS= \
$(OBJ)\krb5_err.obj \
$(OBJ)\krb_err.obj \
- $(OBJ)\heim_err.obj \
- $(OBJ)\k524_err.obj
+ $(OBJ)\k524_err.obj \
+ $(OBJ)\k5e1_err.obj
INCFILES= \
- $(INCDIR)\heim_err.h \
$(INCDIR)\k524_err.h \
+ $(INCDIR)\k5e1_err.h \
+ $(INCDIR)\kx509_err.h \
$(INCDIR)\kcm.h \
$(INCDIR)\krb_err.h \
$(INCDIR)\krb5.h \
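Review bot: `libkrb5_gen_OBJS` gains `$(OBJ)\k5e1_err.obj` but not `$(OBJ)\kx509_err.obj`, even though this hunk exports `$(INCDIR)\kx509_err.h` and a later hunk adds a rule that generates `$(OBJ)\kx509_err.c`. If the kx509 error table is meant to be linked into libkrb5 on Windows, the list probably needs a `$(OBJ)\kx509_err.obj` entry as well. If that object is built into another library instead, a one-line comment next to the list saying so would settle the question.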
@@ -178,8 +184,13 @@ INCFILES= \
$(INCDIR)\krb5_locl.h \
$(INCDIR)\krb5-protos.h \
$(INCDIR)\krb5-private.h \
- $(INCDIR)\krb5-v4compat.h \
- $(INCDIR)\crypto.h
+ $(INCDIR)\crypto.h \
+ $(INCDIR)\an2ln_plugin.h \
+ $(INCDIR)\ccache_plugin.h \
+ $(INCDIR)\db_plugin.h \
+ $(INCDIR)\kuserok_plugin.h \
+ $(INCDIR)\locate_plugin.h \
+ $(INCDIR)\send_to_kdc_plugin.h
all:: $(INCFILES)
@@ -195,13 +206,13 @@ dist_libkrb5_la_SOURCES = \
appdefault.c \
asn1_glue.c \
auth_context.c \
+ authdata.c \
build_ap_req.c \
build_auth.c \
cache.c \
changepw.c \
codec.c \
config_file.c \
- config_reg.c \
constants.c \
context.c \
copy_host_realm.c \
@@ -255,12 +266,13 @@ dist_libkrb5_la_SOURCES = \
keytab_keyfile.c \
keytab_memory.c \
krb5_locl.h \
- krb5-v4compat.h \
krbhst.c \
kuserok.c \
+ kx509.c \
log.c \
mcache.c \
misc.c \
+ mk_cred.c \
mk_error.c \
mk_priv.c \
mk_rep.c \
@@ -307,6 +319,7 @@ dist_libkrb5_la_SOURCES = \
store_fd.c \
store_mem.c \
store_sock.c \
+ store_stdio.c \
pcache.c \
plugin.c \
ticket.c \
@@ -334,14 +347,19 @@ $(OBJ)\krb_err.c $(OBJ)\krb_err.h: krb_err.et
$(BINDIR)\compile_et.exe $(SRCDIR)\krb_err.et
cd $(SRCDIR)
-$(OBJ)\heim_err.c $(OBJ)\heim_err.h: heim_err.et
+$(OBJ)\k524_err.c $(OBJ)\k524_err.h: k524_err.et
cd $(OBJ)
- $(BINDIR)\compile_et.exe $(SRCDIR)\heim_err.et
+ $(BINDIR)\compile_et.exe $(SRCDIR)\k524_err.et
cd $(SRCDIR)
-$(OBJ)\k524_err.c $(OBJ)\k524_err.h: k524_err.et
+$(OBJ)\k5e1_err.c $(OBJ)\k5e1_err.h: k5e1_err.et
cd $(OBJ)
- $(BINDIR)\compile_et.exe $(SRCDIR)\k524_err.et
+ $(BINDIR)\compile_et.exe $(SRCDIR)\k5e1_err.et
+ cd $(SRCDIR)
+
+$(OBJ)\kx509_err.c $(OBJ)\kx509_err.h: kx509_err.et
+ cd $(OBJ)
+ $(BINDIR)\compile_et.exe $(SRCDIR)\kx509_err.et
cd $(SRCDIR)
#----------------------------------------------------------------------
diff --git a/lib/krb5/acache.c b/lib/krb5/acache.c
index 9d33df133c27..63d56c400bf5 100644
--- a/lib/krb5/acache.c
+++ b/lib/krb5/acache.c
@@ -35,9 +35,6 @@
#include "krb5_locl.h"
#include <krb5_ccapi.h>
-#ifdef HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
#ifndef KCM_IS_API_CACHE
@@ -52,6 +49,7 @@ static void *cc_handle;
typedef struct krb5_acc {
char *cache_name;
+ char *cache_subsidiary;
cc_context_t context;
cc_ccache_t ccache;
} krb5_acc;
@@ -90,6 +88,7 @@ static krb5_error_code
init_ccapi(krb5_context context)
{
const char *lib = NULL;
+ char *explib = NULL;
HEIMDAL_MUTEX_lock(&acc_mutex);
if (init_func) {
@@ -106,40 +105,25 @@ init_ccapi(krb5_context context)
if (lib == NULL) {
#ifdef __APPLE__
lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
-#elif defined(KRB5_USE_PATH_TOKENS) && defined(_WIN32)
+#elif defined(_WIN32)
lib = "%{LIBDIR}/libkrb5_cc.dll";
#else
- lib = "/usr/lib/libkrb5_cc.so";
+ lib = "%{LIBDIR}/libkrb5_cc.so";
#endif
}
#ifdef HAVE_DLOPEN
-#ifndef RTLD_LAZY
-#define RTLD_LAZY 0
-#endif
-#ifndef RTLD_LOCAL
-#define RTLD_LOCAL 0
-#endif
-
-#ifdef KRB5_USE_PATH_TOKENS
- {
- char * explib = NULL;
- if (_krb5_expand_path_tokens(context, lib, 0, &explib) == 0) {
- cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL);
- free(explib);
- }
+ if (_krb5_expand_path_tokens(context, lib, 0, &explib) == 0) {
+ cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL|RTLD_GROUP);
+ free(explib);
}
-#else
- cc_handle = dlopen(lib, RTLD_LAZY|RTLD_LOCAL);
-#endif
if (cc_handle == NULL) {
HEIMDAL_MUTEX_unlock(&acc_mutex);
- if (context)
- krb5_set_error_message(context, KRB5_CC_NOSUPP,
- N_("Failed to load API cache module %s", "file"),
- lib);
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Failed to load API cache module %s", "file"),
+ lib);
return KRB5_CC_NOSUPP;
}
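Review bot: The failure branch after `dlopen` reports only the unexpanded `lib` string, so a failed `_krb5_expand_path_tokens` call and a failed load of the expanded file produce the same message, and neither the resolved path nor `dlerror()` reaches the log. When auditing which shared object this code tried to load, the resolved path is the value that matters. Consider keeping `explib` alive until after the `cc_handle == NULL` check and passing `explib ? explib : lib` together with `dlerror()` to `krb5_set_error_message`, then freeing it. The hunk also drops the local `RTLD_LAZY`/`RTLD_LOCAL` fallbacks while adding `RTLD_GROUP`; presumably a shared header now defines all three, which is worth confirming for platforms that lack them. init_ccapi starts and ends outside this hunk.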
@@ -150,10 +134,9 @@ init_ccapi(krb5_context context)
dlsym(cc_handle, "krb5_ipc_client_clear_target");
HEIMDAL_MUTEX_unlock(&acc_mutex);
if (init_func == NULL) {
- if (context)
- krb5_set_error_message(context, KRB5_CC_NOSUPP,
- N_("Failed to find cc_initialize"
- "in %s: %s", "file, error"), lib, dlerror());
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Failed to find cc_initialize"
+ "in %s: %s", "file, error"), lib, dlerror());
dlclose(cc_handle);
return KRB5_CC_NOSUPP;
}
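Review bot: The adjacent literals `"Failed to find cc_initialize"` and `"in %s: %s"` concatenate without a space, so the message reads "cc_initializein ..."; the first literal should end in a space, `"Failed to find cc_initialize "`. In the same branch `dlclose(cc_handle)` leaves the file-scope `cc_handle` holding the closed handle. Adding `cc_handle = NULL;` right after the `dlclose` keeps a later call from treating it as loaded; how `cc_handle` is tested on re-entry is outside this hunk.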
@@ -161,9 +144,8 @@ init_ccapi(krb5_context context)
return 0;
#else
HEIMDAL_MUTEX_unlock(&acc_mutex);
- if (context)
- krb5_set_error_message(context, KRB5_CC_NOSUPP,
- N_("no support for shared object", ""));
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("no support for shared object", ""));
return KRB5_CC_NOSUPP;
#endif
}
@@ -452,41 +434,51 @@ get_cc_name(krb5_acc *a)
}
-static const char* KRB5_CALLCONV
-acc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+acc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **colname,
+ const char **subsidiary)
{
+ krb5_error_code ret = 0;
krb5_acc *a = ACACHE(id);
int32_t error;
- if (a->cache_name == NULL) {
- krb5_error_code ret;
- krb5_principal principal;
- char *name;
+ if (name)
+ *name = NULL;
+ if (colname)
+ *colname = NULL;
+ if (subsidiary)
+ *subsidiary = NULL;
+ if (a->cache_subsidiary == NULL) {
+ krb5_principal principal = NULL;
ret = _krb5_get_default_principal_local(context, &principal);
- if (ret)
- return NULL;
-
- ret = krb5_unparse_name(context, principal, &name);
+ if (ret == 0)
+ ret = krb5_unparse_name(context, principal, &a->cache_subsidiary);
krb5_free_principal(context, principal);
if (ret)
- return NULL;
-
- error = (*a->context->func->create_new_ccache)(a->context,
- cc_credentials_v5,
- name,
- &a->ccache);
- krb5_xfree(name);
- if (error)
- return NULL;
-
- error = get_cc_name(a);
- if (error)
- return NULL;
+ return ret;
}
- return a->cache_name;
+ if (a->cache_name == NULL) {
+ error = (*a->context->func->create_new_ccache)(a->context,
+ cc_credentials_v5,
+ a->cache_subsidiary,
+ &a->ccache);
+ if (error == ccNoError)
+ error = get_cc_name(a);
+ if (error != ccNoError)
+ ret = translate_cc_error(context, error);
+ }
+ if (name)
+ *name = a->cache_name;
+ if (colname)
+ *colname = "";
+ if (subsidiary)
+ *subsidiary = a->cache_subsidiary;
+ return ret;
}
static krb5_error_code KRB5_CALLCONV
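Review bot: If `create_new_ccache` succeeds but `get_cc_name(a)` then fails, `a->ccache` stays set while `a->cache_name` is still NULL, so the next call to `acc_get_name_2` enters the `if (a->cache_name == NULL)` block again and overwrites `a->ccache` with a second new cache. Either release the half-created cache on that failure or guard the creation with `a->ccache == NULL` as well. The function also assigns `*name`, `*colname` and `*subsidiary` on the error return, so `*name` may be NULL alongside a non-zero `ret`. A short header comment should state that callers must check the return value first and that this getter can create a ccache as a side effect.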
@@ -507,6 +499,10 @@ acc_alloc(krb5_context context, krb5_ccache *id)
}
a = ACACHE(*id);
+ a->cache_subsidiary = NULL;
+ a->cache_name = NULL;
+ a->context = NULL;
+ a->ccache = NULL;
error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
if (error) {
@@ -514,17 +510,17 @@ acc_alloc(krb5_context context, krb5_ccache *id)
return translate_cc_error(context, error);
}
- a->cache_name = NULL;
-
return 0;
}
static krb5_error_code KRB5_CALLCONV
-acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+acc_resolve_2(krb5_context context, krb5_ccache *id, const char *res, const char *sub)
{
krb5_error_code ret;
+ cc_time_t offset;
cc_int32 error;
krb5_acc *a;
+ char *s = NULL;
ret = acc_alloc(context, id);
if (ret)
@@ -532,49 +528,60 @@ acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
a = ACACHE(*id);
- error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
- if (error == ccNoError) {
- cc_time_t offset;
- error = get_cc_name(a);
- if (error != ccNoError) {
+ if (sub) {
+ /*
+ * For API there's no such thing as a collection name, there's only the
+ * default collection. Though we could perhaps put a CCAPI shared
+ * object path in the collection name.
+ *
+ * So we'll treat (res && !sub) and (!res && sub) as the same cases.
+ *
+ * See also the KCM ccache type, where we have similar considerations.
+ */
+ if (asprintf(&s, "%s%s%s", res && *res ? res : "",
+ res && *res ? ":" : "", sub) == -1 || s == NULL ||
+ (a->cache_subsidiary = strdup(sub)) == NULL) {
acc_close(context, *id);
- *id = NULL;
- return translate_cc_error(context, error);
- }
-
- error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
- cc_credentials_v5,
- &offset);
- if (error == 0)
- context->kdc_sec_offset = offset;
+ free(s);
+ return krb5_enomem(context);
+ }
+ res = s;
+ /*
+ * XXX With a bit of extra refactoring we could use the collection name
+ * as the path to the shared object implementing CCAPI... For now we
+ * ignore the collection name.
+ */
+ }
- } else if (error == ccErrCCacheNotFound) {
- a->ccache = NULL;
- a->cache_name = NULL;
- } else {
- *id = NULL;
- return translate_cc_error(context, error);
+ error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
+ if (error == ccErrCCacheNotFound) {
+ a->ccache = NULL;
+ a->cache_name = NULL;
+ free(s);
+ return 0;
+ }
+ if (error == ccNoError)
+ error = get_cc_name(a);
+ if (error != ccNoError) {
+ acc_close(context, *id);
+ *id = NULL;
+ free(s);
+ return translate_cc_error(context, error);
}
+ error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
+ cc_credentials_v5,
+ &offset);
+ if (error == 0)
+ context->kdc_sec_offset = offset;
+ free(s);
return 0;
}
static krb5_error_code KRB5_CALLCONV
acc_gen_new(krb5_context context, krb5_ccache *id)
{
- krb5_error_code ret;
- krb5_acc *a;
-
- ret = acc_alloc(context, id);
- if (ret)
- return ret;
-
- a = ACACHE(*id);
-
- a->ccache = NULL;
- a->cache_name = NULL;
-
- return 0;
+ return acc_alloc(context, id);
}
static krb5_error_code KRB5_CALLCONV
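Review bot: The new allocation-failure path calls `acc_close(context, *id)` and returns `krb5_enomem(context)` without clearing `*id`, while the later error path does `acc_close(context, *id); *id = NULL;`. The removed code cleared the pointer at this spot, so a caller that inspects or releases `*id` after a failed resolve is now handed a cache that has already been closed; add `*id = NULL;` after that `acc_close` call. Separately, the block comment says `(res && !sub)` and `(!res && sub)` are treated alike, yet `a->cache_subsidiary` is only set when `sub` is non-NULL, which deserves a sentence in the comment. acc_close is defined outside this hunk, so exactly what it frees is not visible here.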
@@ -978,6 +985,7 @@ acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
static krb5_error_code KRB5_CALLCONV
acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
+ krb5_error_code ret;
krb5_acc *afrom = ACACHE(from);
krb5_acc *ato = ACACHE(to);
int32_t error;
@@ -1001,10 +1009,10 @@ acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
}
error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
-
- acc_destroy(context, from);
-
- return translate_cc_error(context, error);
+ ret = translate_cc_error(context, error);
+ if (ret == 0)
+ krb5_cc_destroy(context, from);
+ return ret;
}
static krb5_error_code KRB5_CALLCONV
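Review bot: Ownership of `from` now depends on the return code: it is consumed through `krb5_cc_destroy` only when the move succeeded, and the result of that call is dropped. Callers cannot see this from the signature, so a comment above the call would make the contract explicit, for example `/* On success the source cache is destroyed and must not be used again; on failure it is left untouched. */`. It is also worth confirming that the generic move path outside this file does not release `from` a second time after a successful return. The start of acc_move lies outside this hunk.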
@@ -1086,10 +1094,10 @@ acc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"API",
- acc_get_name,
- acc_resolve,
+ NULL,
+ NULL,
acc_gen_new,
acc_initialize,
acc_destroy,
@@ -1112,6 +1120,8 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
acc_lastchange,
NULL,
NULL,
+ acc_get_name_2,
+ acc_resolve_2
};
#endif
diff --git a/lib/krb5/acl.c b/lib/krb5/acl.c
index 4365a7a0f5d8..d3196148287e 100644
--- a/lib/krb5/acl.c
+++ b/lib/krb5/acl.c
@@ -119,7 +119,7 @@ acl_match_field(krb5_context context,
struct acl_field *field)
{
if(field->type == acl_string) {
- return !strcmp(field->u.cstr, string);
+ return strcmp(field->u.cstr, string) == 0;
} else if(field->type == acl_fnmatch) {
return !fnmatch(field->u.cstr, string, 0);
} else if(field->type == acl_retval) {
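Review bot: The string branch now compares with `== 0`, but the next branch still uses `!fnmatch(field->u.cstr, string, 0)`, so the two match tests in this ACL check read differently. Writing `return fnmatch(field->u.cstr, string, 0) == 0;` keeps them parallel and removes the same negated-compare idiom. acl_match_field starts and ends outside the hunk.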
diff --git a/lib/krb5/add_et_list.c b/lib/krb5/add_et_list.c
index 082014e107a7..1a289eeaec1c 100644
--- a/lib/krb5/add_et_list.c
+++ b/lib/krb5/add_et_list.c
@@ -48,9 +48,7 @@
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_add_et_list (krb5_context context,
- void (*func)(struct et_list **))
+krb5_add_et_list(krb5_context context, void (*func)(struct et_list **))
{
- (*func)(&context->et_list);
- return 0;
+ return heim_add_et_list(context->hcontext, func);
}
diff --git a/lib/krb5/addr_families.c b/lib/krb5/addr_families.c
index 16fe4a8c1e46..7d13211a28db 100644
--- a/lib/krb5/addr_families.c
+++ b/lib/krb5/addr_families.c
@@ -543,7 +543,13 @@ arange_parse_addr (krb5_context context,
return ret;
}
- krb5_data_alloc(&addr->address, sizeof(*a));
+ ret = krb5_data_alloc(&addr->address, sizeof(*a));
+ if (ret) {
+ krb5_free_address(context, &low0);
+ krb5_free_address(context, &high0);
+ return ret;
+ }
+
addr->addr_type = KRB5_ADDRESS_ARANGE;
a = addr->address.data;
@@ -728,7 +734,7 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
return ret_len;
}
-static struct addr_operations at[] = {
+static const struct addr_operations at[] = {
{
AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
ipv4_sockaddr2addr,
@@ -804,7 +810,7 @@ static struct addr_operations at[] = {
}
};
-static int num_addrs = sizeof(at) / sizeof(at[0]);
+static const size_t num_addrs = sizeof(at) / sizeof(at[0]);
static size_t max_sockaddr_size = 0;
@@ -812,25 +818,27 @@ static size_t max_sockaddr_size = 0;
* generic functions
*/
-static struct addr_operations *
+static const struct addr_operations *
find_af(int af)
{
- struct addr_operations *a;
+ size_t i;
- for (a = at; a < at + num_addrs; ++a)
- if (af == a->af)
- return a;
+ for (i = 0; i < num_addrs; i++) {
+ if (af == at[i].af)
+ return &at[i];
+ }
return NULL;
}
-static struct addr_operations *
+static const struct addr_operations *
find_atype(krb5_address_type atype)
{
- struct addr_operations *a;
+ size_t i;
- for (a = at; a < at + num_addrs; ++a)
- if (atype == a->atype)
- return a;
+ for (i = 0; i < num_addrs; i++) {
+ if (atype == at[i].atype)
+ return &at[i];
+ }
return NULL;
}
@@ -851,7 +859,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2address (krb5_context context,
const struct sockaddr *sa, krb5_address *addr)
{
- struct addr_operations *a = find_af(sa->sa_family);
+ const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""),
@@ -879,7 +887,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2port (krb5_context context,
const struct sockaddr *sa, int16_t *port)
{
- struct addr_operations *a = find_af(sa->sa_family);
+ const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""),
@@ -917,7 +925,7 @@ krb5_addr2sockaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
- struct addr_operations *a = find_atype(addr->addr_type);
+ const struct addr_operations *a = find_atype(addr->addr_type);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@@ -950,10 +958,10 @@ KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
krb5_max_sockaddr_size (void)
{
if (max_sockaddr_size == 0) {
- struct addr_operations *a;
+ size_t i;
- for(a = at; a < at + num_addrs; ++a)
- max_sockaddr_size = max(max_sockaddr_size, a->max_sockaddr_size);
+ for (i = 0; i < num_addrs; i++)
+ max_sockaddr_size = max(max_sockaddr_size, at[i].max_sockaddr_size);
}
return max_sockaddr_size;
}
@@ -973,7 +981,7 @@ krb5_max_sockaddr_size (void)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_sockaddr_uninteresting(const struct sockaddr *sa)
{
- struct addr_operations *a = find_af(sa->sa_family);
+ const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL || a->uninteresting == NULL)
return TRUE;
return (*a->uninteresting)(sa);
@@ -982,7 +990,7 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_sockaddr_is_loopback(const struct sockaddr *sa)
{
- struct addr_operations *a = find_af(sa->sa_family);
+ const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL || a->is_loopback == NULL)
return TRUE;
return (*a->is_loopback)(sa);
@@ -1014,7 +1022,7 @@ krb5_h_addr2sockaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
- struct addr_operations *a = find_af(af);
+ const struct addr_operations *a = find_af(af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
"Address family %d not supported", af);
@@ -1043,7 +1051,7 @@ krb5_h_addr2addr (krb5_context context,
int af,
const char *haddr, krb5_address *addr)
{
- struct addr_operations *a = find_af(af);
+ const struct addr_operations *a = find_af(af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""), af);
@@ -1076,7 +1084,7 @@ krb5_anyaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
- struct addr_operations *a = find_af (af);
+ const struct addr_operations *a = find_af (af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@@ -1108,7 +1116,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_print_address (const krb5_address *addr,
char *str, size_t len, size_t *ret_len)
{
- struct addr_operations *a = find_atype(addr->addr_type);
+ const struct addr_operations *a = find_atype(addr->addr_type);
int ret;
if (a == NULL || a->print_addr == NULL) {
@@ -1141,6 +1149,32 @@ krb5_print_address (const krb5_address *addr,
return 0;
}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_parse_address_no_lookup(krb5_context context,
+ const char *string,
+ krb5_addresses *addresses)
+{
+ int i;
+
+ addresses->len = 0;
+ addresses->val = NULL;
+
+ for(i = 0; i < num_addrs; i++) {
+ if(at[i].parse_addr) {
+ krb5_address addr;
+ if((*at[i].parse_addr)(context, string, &addr) == 0) {
+ ALLOC_SEQ(addresses, 1);
+ if (addresses->val == NULL)
+ return krb5_enomem(context);
+ addresses->val[0] = addr;
+ return 0;
+ }
+ }
+ }
+
+ return -1;
+}
+
/**
* krb5_parse_address returns the resolved hostname in string to the
* krb5_addresses addresses .
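Review bot: In `_krb5_parse_address_no_lookup`, when `ALLOC_SEQ(addresses, 1)` fails the function returns `krb5_enomem(context)` without releasing `addr`, which `parse_addr` has just filled in; call `krb5_free_address(context, &addr);` before that return. The loop index is declared `int i` while `num_addrs` became `size_t` in this commit, so `i < num_addrs` is a signed/unsigned comparison; `size_t i;` matches the other loops the commit rewrote. The `-1` return meaning "no parser accepted the string" is not a krb5 error code, and because the caller depends on it, it should be described in a header comment on this function.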
@@ -1159,6 +1193,7 @@ krb5_parse_address(krb5_context context,
const char *string,
krb5_addresses *addresses)
{
+ krb5_error_code ret;
int i, n;
struct addrinfo *ai, *a;
struct addrinfo hint;
@@ -1168,18 +1203,9 @@ krb5_parse_address(krb5_context context,
addresses->len = 0;
addresses->val = NULL;
- for(i = 0; i < num_addrs; i++) {
- if(at[i].parse_addr) {
- krb5_address addr;
- if((*at[i].parse_addr)(context, string, &addr) == 0) {
- ALLOC_SEQ(addresses, 1);
- if (addresses->val == NULL)
- return krb5_enomem(context);
- addresses->val[0] = addr;
- return 0;
- }
- }
- }
+ ret = _krb5_parse_address_no_lookup(context, string, addresses);
+ if (ret == 0 || ret != -1)
+ return ret;
/* if not parsed as numeric address, do a name lookup */
memset(&hint, 0, sizeof(hint));
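Review bot: The condition `if (ret == 0 || ret != -1)` is equivalent to `if (ret != -1)`; the first half adds nothing and hides the fact that `-1` is the only value that falls through to the name lookup. `if (ret != -1) return ret;` with a comment such as `/* -1: not a numeric address, fall back to getaddrinfo */` says the same thing directly. krb5_parse_address continues outside this hunk.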
@@ -1188,7 +1214,7 @@ krb5_parse_address(krb5_context context,
if (error) {
krb5_error_code ret2;
save_errno = errno;
- ret2 = krb5_eai_to_heim_errno(error, save_errno);
+ ret2 = krb5_eai_to_heim_errno(save_errno, error);
krb5_set_error_message (context, ret2, "%s: %s",
string, gai_strerror(error));
return ret2;
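Review bot: The new argument order `(save_errno, error)` cannot be checked by the compiler because both values are plain `int`, and the prototype of `krb5_eai_to_heim_errno` is not visible on this page. Please confirm that it takes the system errno first and the `getaddrinfo` result second; with the order wrong, lookup failures would be mapped to unrelated error codes while `gai_strerror(error)` still printed the right text. A short comment at the call naming the two parameters would keep the order from being flipped again.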
@@ -1241,7 +1267,7 @@ krb5_address_order(krb5_context context,
{
/* this sucks; what if both addresses have order functions, which
should we call? this works for now, though */
- struct addr_operations *a;
+ const struct addr_operations *a;
a = find_atype(addr1->addr_type);
if(a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@@ -1333,7 +1359,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_address(krb5_context context,
krb5_address *address)
{
- struct addr_operations *a = find_atype (address->addr_type);
+ const struct addr_operations *a = find_atype (address->addr_type);
if(a != NULL && a->free_addr != NULL)
return (*a->free_addr)(context, address);
krb5_data_free (&address->address);
@@ -1357,12 +1383,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_addresses(krb5_context context,
krb5_addresses *addresses)
{
- size_t i;
- for(i = 0; i < addresses->len; i++)
- krb5_free_address(context, &addresses->val[i]);
- free(addresses->val);
- addresses->len = 0;
- addresses->val = NULL;
+ free_HostAddresses(addresses);
return 0;
}
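Review bot: `krb5_free_addresses` no longer goes through `krb5_free_address`, which dispatches to a type's `free_addr` handler when one is registered; `free_HostAddresses(addresses)` is the generic free and bypasses that handler. `_krb5_parse_address_no_lookup` in this same file stores whatever `parse_addr` produced into a `krb5_addresses`, so an address type that owns nested allocations can reach this function and leak them. If any entry in `at[]` has a non-NULL `free_addr` (the table body is outside the visible hunks), keep the per-element loop before freeing `addresses->val`, or add a comment explaining why the generic free is sufficient.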
@@ -1384,7 +1405,7 @@ krb5_copy_address(krb5_context context,
const krb5_address *inaddr,
krb5_address *outaddr)
{
- struct addr_operations *a = find_af (inaddr->addr_type);
+ const struct addr_operations *a = find_af (inaddr->addr_type);
if(a != NULL && a->copy_addr != NULL)
return (*a->copy_addr)(context, inaddr, outaddr);
return copy_HostAddress(inaddr, outaddr);
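Review bot: `krb5_copy_address` looks up its handler with `find_af(inaddr->addr_type)`, but `addr_type` is a `krb5_address_type`, and the sibling functions `krb5_free_address` and `krb5_print_address` use `find_atype` for the same field. `find_af` compares against `at[i].af`, so a type-specific `copy_addr` is only found when the address-family number happens to equal the Kerberos address type; otherwise the generic `copy_HostAddress` runs. The line should probably read `const struct addr_operations *a = find_atype(inaddr->addr_type);`.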
@@ -1479,6 +1500,8 @@ krb5_make_addrport (krb5_context context,
size_t len = addr->address.length + 2 + 4 * 4;
u_char *p;
+ /* XXX Make this assume port == 0 -> port is absent */
+
*res = malloc (sizeof(**res));
if (*res == NULL)
return krb5_enomem(context);
@@ -1540,7 +1563,7 @@ krb5_address_prefixlen_boundary(krb5_context context,
krb5_address *low,
krb5_address *high)
{
- struct addr_operations *a = find_atype (inaddr->addr_type);
+ const struct addr_operations *a = find_atype (inaddr->addr_type);
if(a != NULL && a->mask_boundary != NULL)
return (*a->mask_boundary)(context, inaddr, prefixlen, low, high);
krb5_set_error_message(context, KRB5_PROG_ATYPE_NOSUPP,
diff --git a/lib/krb5/aes-test.c b/lib/krb5/aes-test.c
index 5526b910fe4f..2d048e426e59 100644
--- a/lib/krb5/aes-test.c
+++ b/lib/krb5/aes-test.c
@@ -756,6 +756,9 @@ krb_enc_test(krb5_context context)
kb.keyvalue.data = krbencs[i].key;
ret = krb5_crypto_init(context, &kb, krbencs[i].enctype, &crypto);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_crypto_init failed with %d for test %d",
+ ret, i);
cipher.length = krbencs[i].elen;
cipher.data = krbencs[i].edata;
@@ -765,20 +768,24 @@ krb_enc_test(krb5_context context)
ret = krb_enc(context, crypto, krbencs[i].usage, &cipher, &plain);
if (ret)
- errx(1, "krb_enc failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret, "krb_enc failed with %d for test %d",
+ ret, i);
ret = krb_enc_iov(context, crypto, krbencs[i].usage, &cipher, &plain);
if (ret)
- errx(1, "krb_enc_iov failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret, "krb_enc_iov failed with %d for test %d",
+ ret, i);
ret = krb_enc_iov2(context, crypto, krbencs[i].usage,
cipher.length, &plain);
if (ret)
- errx(1, "krb_enc_iov2 failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret, "krb_enc_iov2 failed with %d for test %d",
+ ret, i);
ret = krb_checksum_iov(context, crypto, krbencs[i].usage, &plain, NULL);
if (ret)
- errx(1, "krb_checksum_iov failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret,
+ "krb_checksum_iov failed with %d for test %d", ret, i);
if (krbencs[i].cdata) {
krb5_data checksum;
@@ -789,7 +796,9 @@ krb_enc_test(krb5_context context)
ret = krb_checksum_iov(context, crypto, krbencs[i].usage,
&plain, &checksum);
if (ret)
- errx(1, "krb_checksum_iov(2) failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret,
+ "krb_checksum_iov(2) failed with %d for test %d",
+ ret, i);
}
krb5_crypto_destroy(context, crypto);
@@ -797,7 +806,8 @@ krb_enc_test(krb5_context context)
ret = krb_enc_mit(context, krbencs[i].enctype, &kb,
krbencs[i].usage, &cipher, &plain);
if (ret)
- errx(1, "krb_enc_mit failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret, "krb_enc_mit failed with %d for test %d",
+ ret, i);
}
return 0;
diff --git a/lib/krb5/an2ln_plugin.h b/lib/krb5/an2ln_plugin.h
index 89913b5780a3..b592f23b845c 100644
--- a/lib/krb5/an2ln_plugin.h
+++ b/lib/krb5/an2ln_plugin.h
@@ -36,6 +36,8 @@
#ifndef HEIMDAL_KRB5_AN2LN_PLUGIN_H
#define HEIMDAL_KRB5_AN2LN_PLUGIN_H 1
+#include <heimbase-svc.h>
+
#define KRB5_PLUGIN_AN2LN "an2ln"
#define KRB5_PLUGIN_AN2LN_VERSION_0 0
@@ -80,9 +82,7 @@ typedef krb5_error_code (KRB5_LIB_CALL *set_result_f)(void *, const char *);
* @ingroup krb5_support
*/
typedef struct krb5plugin_an2ln_ftable_desc {
- int minor_version;
- krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
- void (KRB5_LIB_CALL *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
krb5_error_code (KRB5_LIB_CALL *an2ln)(void *, krb5_context, const char *,
krb5_const_principal, set_result_f, void *);
} krb5plugin_an2ln_ftable;
diff --git a/lib/krb5/aname_to_localname.c b/lib/krb5/aname_to_localname.c
index e4818c360b37..7c546fb382b3 100644
--- a/lib/krb5/aname_to_localname.c
+++ b/lib/krb5/aname_to_localname.c
@@ -31,11 +31,12 @@
* SUCH DAMAGE.
*/
-#include <string.h>
#include "krb5_locl.h"
#include "an2ln_plugin.h"
#include "db_plugin.h"
+#include <string.h>
+
/* Default plugin (DB using binary search of sorted text file) follows */
static krb5_error_code KRB5_LIB_CALL an2ln_def_plug_init(krb5_context, void **);
static void KRB5_LIB_CALL an2ln_def_plug_fini(void *);
@@ -43,7 +44,7 @@ static krb5_error_code KRB5_LIB_CALL an2ln_def_plug_an2ln(void *, krb5_context,
krb5_const_principal, set_result_f,
void *);
-static krb5plugin_an2ln_ftable an2ln_def_plug = {
+static const krb5plugin_an2ln_ftable an2ln_def_plug = {
0,
an2ln_def_plug_init,
an2ln_def_plug_fini,
@@ -80,6 +81,17 @@ plcallback(krb5_context context,
return locate->an2ln(plugctx, context, plctx->rule, plctx->aname, set_res, plctx);
}
+static const char *const an2ln_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+an2ln_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_AN2LN,
+ KRB5_PLUGIN_AN2LN_VERSION_0,
+ an2ln_plugin_deps,
+ krb5_get_instance
+};
+
static krb5_error_code
an2ln_plugin(krb5_context context, const char *rule, krb5_const_principal aname,
size_t lnsize, char *lname)
@@ -96,8 +108,8 @@ an2ln_plugin(krb5_context context, const char *rule, krb5_const_principal aname,
* really be no more than one plugin that can handle any given kind
* rule, so the effect should be deterministic anyways.
*/
- ret = _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_AN2LN,
- KRB5_PLUGIN_AN2LN_VERSION_0, 0, &ctx, plcallback);
+ ret = _krb5_plugin_run_f(context, &an2ln_plugin_data,
+ 0, &ctx, plcallback);
if (ret != 0) {
heim_release(ctx.luser);
return ret;
@@ -409,6 +421,7 @@ an2ln_def_plug_an2ln(void *plug_ctx, krb5_context context,
heim_dict_set_value(db_options, HSTR("read-only"),
heim_number_create(1));
dbh = heim_db_create(NULL, an2ln_db_fname, db_options, &error);
+ heim_release(db_options);
if (dbh == NULL) {
krb5_set_error_message(context, heim_error_get_code(error),
N_("Couldn't open aname2lname-text-db", ""));
diff --git a/lib/krb5/asn1_glue.c b/lib/krb5/asn1_glue.c
index 6df8defbce9a..16eda2f6f73d 100644
--- a/lib/krb5/asn1_glue.c
+++ b/lib/krb5/asn1_glue.c
@@ -38,8 +38,8 @@
#include "krb5_locl.h"
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_principal2principalname (PrincipalName *p,
- const krb5_principal from)
+_krb5_principal2principalname(PrincipalName *p,
+ krb5_const_principal from)
{
return copy_PrincipalName(&from->name, p);
}
@@ -70,3 +70,93 @@ _krb5_principalname2krb5_principal (krb5_context context,
*principal = p;
return 0;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_ticket2krb5_principal(krb5_context context,
+ krb5_principal *principal,
+ const EncTicketPart *ticket,
+ const AuthorizationData *authenticator_ad)
+{
+ krb5_error_code ret;
+ krb5_principal p = NULL;
+
+ *principal = NULL;
+
+ ret = _krb5_principalname2krb5_principal(context,
+ &p,
+ ticket->cname,
+ ticket->crealm);
+ if (ret == 0 &&
+ (p->nameattrs = calloc(1, sizeof(p->nameattrs[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0)
+ p->nameattrs->authenticated = 1;
+ if (ret == 0 &&
+ (p->nameattrs->source =
+ calloc(1, sizeof(p->nameattrs->source[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0) {
+ p->nameattrs->source->element =
+ choice_PrincipalNameAttrSrc_enc_ticket_part;
+ ret = copy_EncTicketPart(ticket,
+ &p->nameattrs->source->u.enc_ticket_part);
+ /* NOTE: we don't want to keep a copy of the session key here! */
+ if (ret == 0)
+ der_free_octet_string(&p->nameattrs->source->u.enc_ticket_part.key.keyvalue);
+ }
+ if (ret == 0 && authenticator_ad) {
+ p->nameattrs->authenticator_ad =
+ calloc(1, sizeof(p->nameattrs->authenticator_ad[0]));
+ if (p->nameattrs->authenticator_ad == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0)
+ ret = copy_AuthorizationData(authenticator_ad,
+ p->nameattrs->authenticator_ad);
+ }
+
+ if (ret == 0)
+ *principal = p;
+ else
+ krb5_free_principal(context, p);
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kdcrep2krb5_principal(krb5_context context,
+ krb5_principal *principal,
+ const EncKDCRepPart *kdcrep)
+{
+ krb5_error_code ret;
+ krb5_principal p = NULL;
+
+ *principal = NULL;
+
+ ret = _krb5_principalname2krb5_principal(context,
+ &p,
+ kdcrep->sname,
+ kdcrep->srealm);
+ if (ret == 0 &&
+ (p->nameattrs = calloc(1, sizeof(p->nameattrs[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0)
+ p->nameattrs->authenticated = 1;
+ if (ret == 0 &&
+ (p->nameattrs->source =
+ calloc(1, sizeof(p->nameattrs->source[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0) {
+ p->nameattrs->source->element =
+ choice_PrincipalNameAttrSrc_enc_kdc_rep_part;
+ ret = copy_EncKDCRepPart(kdcrep,
+ &p->nameattrs->source->u.enc_kdc_rep_part);
+ /* NOTE: we don't want to keep a copy of the session key here! */
+ if (ret == 0)
+ der_free_octet_string(&p->nameattrs->source->u.enc_kdc_rep_part.key.keyvalue);
+ }
+
+ if (ret == 0)
+ *principal = p;
+ else
+ krb5_free_principal(context, p);
+ return ret;
+}
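Review bot: In _krb5_ticket2krb5_principal the copied session key is dropped with `der_free_octet_string(&p->nameattrs->source->u.enc_ticket_part.key.keyvalue)`, which as far as I know frees the buffer without clearing it, so the key bytes remain in freed heap memory. _krb5_kdcrep2krb5_principal does the same for `enc_kdc_rep_part.key`. Wipe before release, for example `krb5_free_keyblock_contents(context, &p->nameattrs->source->u.enc_ticket_part.key);` if that helper zeroizes in this tree, or an explicit `memset_s` over `keyvalue.data` ahead of the free. The two functions differ only in the source fields and the choice tag, so a shared static helper for the nameattrs setup would keep the key scrubbing in one place.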
diff --git a/lib/krb5/auth_context.c b/lib/krb5/auth_context.c
index 9c6c0c40f9e4..8b43b63706c9 100644
--- a/lib/krb5/auth_context.c
+++ b/lib/krb5/auth_context.c
@@ -86,7 +86,8 @@ krb5_auth_con_free(krb5_context context,
krb5_auth_context auth_context)
{
if (auth_context != NULL) {
- krb5_free_authenticator(context, &auth_context->authenticator);
+ if (auth_context->authenticator)
+ krb5_free_authenticator(context, &auth_context->authenticator);
if(auth_context->local_address){
free_HostAddress(auth_context->local_address);
free(auth_context->local_address);
@@ -409,24 +410,79 @@ krb5_auth_con_getkeytype (krb5_context context,
return 0;
}
+krb5_error_code
+_krb5_add_1auth_data(krb5_context context,
+ krb5int32 ad_type, krb5_data *ad_data, int critical,
+ krb5_authdata **dst)
+{
+ AuthorizationDataElement e;
+
+ e.ad_type = ad_type;
+ e.ad_data = *ad_data;
+
+ if (!critical) {
+ AuthorizationData ad;
+ krb5_error_code ret;
+ krb5_data ir;
+ size_t len;
+
+ /* Build an AD-IF-RELEVANT with the new element inside it */
+ ad.len = 0;
+ ad.val = NULL;
+ ret = add_AuthorizationData(&ad, &e);
+
+ /* Encode the AD-IF-RELEVANT */
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(AuthorizationData, ir.data, ir.length, &ad,
+ &len, ret);
+ if (ret == 0 && ir.length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
+ /* Re-enter to add the encoded AD-IF-RELEVANT */
+ ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1,
+ dst);
+
+ free_AuthorizationData(&ad);
+ krb5_data_free(&ir);
+ return ret;
+ }
+
+ if (*dst == NULL) {
+ ALLOC(*dst, 1);
+ if (*dst == NULL)
+ return krb5_enomem(context);
+ }
+ return add_AuthorizationData(*dst, &e);
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_add_AuthorizationData(krb5_context context,
krb5_auth_context auth_context,
int type,
krb5_data *data)
{
- AuthorizationDataElement el;
-
if (auth_context->auth_data == NULL) {
auth_context->auth_data = calloc(1, sizeof(*auth_context->auth_data));
if (auth_context->auth_data == NULL)
return krb5_enomem(context);
}
- el.ad_type = type;
- el.ad_data.data = data->data;
- el.ad_data.length = data->length;
+ return _krb5_add_1auth_data(context, type, data, 1,
+ &auth_context->auth_data);
+}
- return add_AuthorizationData(auth_context->auth_data, &el);
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_add_AuthorizationDataIfRelevant(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5int32 type,
+ krb5_data *data)
+{
+ if (auth_context->auth_data == NULL) {
+ auth_context->auth_data = calloc(1, sizeof(*auth_context->auth_data));
+ if (auth_context->auth_data == NULL)
+ return krb5_enomem(context);
+ }
+ return _krb5_add_1auth_data(context, type, data, 0,
+ &auth_context->auth_data);
}
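Review bot: In the `!critical` branch of _krb5_add_1auth_data, `ir` is never initialised and the re-entrant call runs unconditionally. When add_AuthorizationData fails, an indeterminate `krb5_data` is passed to the recursive call and then to `krb5_data_free(&ir)`, and any earlier error in `ret` (including an encoder failure) is overwritten. Initialise it with `krb5_data_zero(&ir);` next to the `ad` setup and guard the recursion as `if (ret == 0) ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1, dst);`. Separately, both public wrappers pre-allocate `auth_context->auth_data` although the helper already does so when `*dst == NULL`.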
@@ -501,9 +557,8 @@ krb5_auth_con_getauthenticator(krb5_context context,
if (*authenticator == NULL)
return krb5_enomem(context);
- copy_Authenticator(auth_context->authenticator,
- *authenticator);
- return 0;
+ return copy_Authenticator(auth_context->authenticator,
+ *authenticator);
}
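Review bot: When copy_Authenticator fails in krb5_auth_con_getauthenticator, the object allocated just above the hunk is still left in `*authenticator`, so the caller gets an error together with a non-NULL, possibly partly filled pointer. On a non-zero result release it and reset the out-parameter with `free(*authenticator); *authenticator = NULL;` before returning. The function starts outside this hunk, so the allocation is inferred from the `*authenticator == NULL` check.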
diff --git a/lib/krb5/authdata.c b/lib/krb5/authdata.c
new file mode 100644
index 000000000000..ac426618f6ee
--- /dev/null
+++ b/lib/krb5/authdata.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997-2021 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 2021 Isaac Boukris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+/*
+ * Add the AuthorizationData `data´ of `type´ to the last element in
+ * the sequence of authorization_data in `tkt´ wrapped in an IF_RELEVANT
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_kdc_tkt_add_if_relevant_ad(krb5_context context,
+ EncTicketPart *tkt,
+ int type,
+ const krb5_data *data)
+{
+ krb5_error_code ret;
+ size_t size = 0;
+
+ if (tkt->authorization_data == NULL) {
+ tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
+ if (tkt->authorization_data == NULL) {
+ return krb5_enomem(context);
+ }
+ }
+
+ /* add the entry to the last element */
+ {
+ AuthorizationData ad = { 0, NULL };
+ AuthorizationDataElement ade;
+
+ ade.ad_type = type;
+ ade.ad_data = *data;
+
+ ret = add_AuthorizationData(&ad, &ade);
+ if (ret) {
+ krb5_set_error_message(context, ret, "add AuthorizationData failed");
+ return ret;
+ }
+
+ ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+
+ ASN1_MALLOC_ENCODE(AuthorizationData,
+ ade.ad_data.data, ade.ad_data.length,
+ &ad, &size, ret);
+ free_AuthorizationData(&ad);
+ if (ret) {
+ krb5_set_error_message(context, ret, "ASN.1 encode of "
+ "AuthorizationData failed");
+ return ret;
+ }
+ if (ade.ad_data.length != size)
+ krb5_abortx(context, "internal asn.1 encoder error");
+
+ ret = add_AuthorizationData(tkt->authorization_data, &ade);
+ der_free_octet_string(&ade.ad_data);
+ if (ret) {
+ krb5_set_error_message(context, ret, "add AuthorizationData failed");
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Insert a PAC wrapped in AD-IF-RELEVANT container as the first AD element,
+ * as some clients such as Windows may fail to parse it otherwise.
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_kdc_tkt_insert_pac(krb5_context context,
+ EncTicketPart *tkt,
+ const krb5_data *data)
+{
+ AuthorizationDataElement ade;
+ unsigned int i;
+ krb5_error_code ret;
+
+ ret = _kdc_tkt_add_if_relevant_ad(context, tkt, KRB5_AUTHDATA_WIN2K_PAC,
+ data);
+ if (ret)
+ return ret;
+
+ heim_assert(tkt->authorization_data->len != 0, "No authorization_data!");
+ ade = tkt->authorization_data->val[tkt->authorization_data->len - 1];
+ for (i = 0; i < tkt->authorization_data->len - 1; i++) {
+ tkt->authorization_data->val[i + 1] = tkt->authorization_data->val[i];
+ }
+ tkt->authorization_data->val[0] = ade;
+
+ return 0;
+}
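Review bot: The shift loop in _kdc_tkt_insert_pac copies upward (`val[i + 1] = val[i]` for increasing `i`), so each step overwrites the element it is about to read. With three or more entries every slot after the first ends up as a shallow copy of the original `val[0]`, the middle entries are lost, and a later free_AuthorizationData would free the same `ad_data` more than once; the loop is only correct for `len <= 2`. Move the block in one step with `memmove(&tkt->authorization_data->val[1], &tkt->authorization_data->val[0], (tkt->authorization_data->len - 1) * sizeof(tkt->authorization_data->val[0]));`, or run the loop downward from `len - 1` to 1.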
diff --git a/lib/krb5/build_ap_req.c b/lib/krb5/build_ap_req.c
index d56a0a194e1e..01019520514e 100644
--- a/lib/krb5/build_ap_req.c
+++ b/lib/krb5/build_ap_req.c
@@ -41,34 +41,24 @@ krb5_build_ap_req (krb5_context context,
krb5_data authenticator,
krb5_data *retdata)
{
- krb5_error_code ret = 0;
- AP_REQ ap;
- Ticket t;
- size_t len;
+ krb5_error_code ret = 0;
+ AP_REQ ap;
+ size_t len;
- ap.pvno = 5;
- ap.msg_type = krb_ap_req;
- memset(&ap.ap_options, 0, sizeof(ap.ap_options));
- ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
- ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
+ ap.pvno = 5;
+ ap.msg_type = krb_ap_req;
+ memset(&ap.ap_options, 0, sizeof(ap.ap_options));
+ ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
+ ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
- ap.ticket.tkt_vno = 5;
- copy_Realm(&cred->server->realm, &ap.ticket.realm);
- copy_PrincipalName(&cred->server->name, &ap.ticket.sname);
-
- decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
- copy_EncryptedData(&t.enc_part, &ap.ticket.enc_part);
- free_Ticket(&t);
-
- ap.authenticator.etype = enctype;
- ap.authenticator.kvno = NULL;
- ap.authenticator.cipher = authenticator;
-
- ASN1_MALLOC_ENCODE(AP_REQ, retdata->data, retdata->length,
- &ap, &len, ret);
- if(ret == 0 && retdata->length != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- free_AP_REQ(&ap);
- return ret;
+ decode_Ticket(cred->ticket.data, cred->ticket.length, &ap.ticket, &len);
+ ap.authenticator.etype = enctype;
+ ap.authenticator.kvno = NULL;
+ ap.authenticator.cipher = authenticator;
+ ASN1_MALLOC_ENCODE(AP_REQ, retdata->data, retdata->length, &ap, &len, ret);
+ if (ret == 0 && retdata->length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+ free_AP_REQ(&ap);
+ return ret;
}
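Review bot: The result of `decode_Ticket(...)` into `ap.ticket` is discarded, so a credential whose ticket blob does not parse still goes on to ASN1_MALLOC_ENCODE and free_AP_REQ with whatever the decoder left in `ap.ticket`. `ap` is a stack variable and only `ap_options` is zeroed here. Assign and check it: `ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &ap.ticket, &len);` followed by `if (ret) return ret;` before the authenticator fields are filled in. The signature of krb5_build_ap_req begins above the hunk.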
diff --git a/lib/krb5/build_auth.c b/lib/krb5/build_auth.c
index cbc67744a4e1..3e0012562a3c 100644
--- a/lib/krb5/build_auth.c
+++ b/lib/krb5/build_auth.c
@@ -34,15 +34,30 @@
#include "krb5_locl.h"
static krb5_error_code
-make_etypelist(krb5_context context,
- krb5_authdata **auth_data)
+add_auth_data(krb5_context context,
+ AuthorizationData *src,
+ AuthorizationData **dst)
{
+ krb5_error_code ret = 0;
+ size_t i;
+
+ if (*dst == NULL &&
+ (*dst = calloc(1, sizeof(**dst))) == NULL)
+ return krb5_enomem(context);
+ for (i = 0; ret == 0 && i < src->len; i++)
+ ret = add_AuthorizationData(*dst, &src->val[i]);
+ return ret;
+}
+
+static krb5_error_code
+add_etypelist(krb5_context context,
+ krb5_authdata *auth_data)
+{
+ AuthorizationDataElement ade;
EtypeList etypes;
krb5_error_code ret;
- krb5_authdata ad;
- u_char *buf;
+ krb5_data e;
size_t len = 0;
- size_t buf_size;
ret = _krb5_init_etype(context, KRB5_PDU_NONE,
&etypes.len, &etypes.val,
@@ -50,52 +65,98 @@ make_etypelist(krb5_context context,
if (ret)
return ret;
- ASN1_MALLOC_ENCODE(EtypeList, buf, buf_size, &etypes, &len, ret);
+ ASN1_MALLOC_ENCODE(EtypeList, e.data, e.length, &etypes, &len, ret);
if (ret) {
free_EtypeList(&etypes);
return ret;
}
- if(buf_size != len)
+ if(e.length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
free_EtypeList(&etypes);
- ALLOC_SEQ(&ad, 1);
- if (ad.val == NULL) {
- free(buf);
- return krb5_enomem(context);
- }
+ ade.ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
+ ade.ad_data = e;
- ad.val[0].ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
- ad.val[0].ad_data.length = len;
- ad.val[0].ad_data.data = buf;
+ ret = add_AuthorizationData(auth_data, &ade);
- ASN1_MALLOC_ENCODE(AD_IF_RELEVANT, buf, buf_size, &ad, &len, ret);
+ krb5_data_free(&e);
+
+ return ret;
+}
+
+static krb5_error_code
+add_ap_options(krb5_context context,
+ krb5_authdata *auth_data)
+{
+ krb5_error_code ret;
+ AuthorizationDataElement ade;
+ krb5_boolean require_cb;
+ uint8_t ap_options[4];
+
+ require_cb = krb5_config_get_bool_default(context, NULL, FALSE,
+ "libdefaults",
+ "client_aware_channel_bindings",
+ NULL);
+
+ if (!require_cb)
+ return 0;
+
+ ap_options[0] = (KERB_AP_OPTIONS_CBT >> 0 ) & 0xFF;
+ ap_options[1] = (KERB_AP_OPTIONS_CBT >> 8 ) & 0xFF;
+ ap_options[2] = (KERB_AP_OPTIONS_CBT >> 16) & 0xFF;
+ ap_options[3] = (KERB_AP_OPTIONS_CBT >> 24) & 0xFF;
+
+ ade.ad_type = KRB5_AUTHDATA_AP_OPTIONS;
+ ade.ad_data.length = sizeof(ap_options);
+ ade.ad_data.data = ap_options;
+
+ ret = add_AuthorizationData(auth_data, &ade);
+
+ return ret;
+}
+
+static krb5_error_code
+make_ap_authdata(krb5_context context,
+ krb5_authdata **auth_data)
+{
+ krb5_error_code ret;
+ AuthorizationData ad;
+ krb5_data ir;
+ size_t len;
+
+ ad.len = 0;
+ ad.val = NULL;
+
+ ret = add_etypelist(context, &ad);
+ if (ret)
+ return ret;
+
+ /*
+ * Windows has a bug and only looks for first occurrence of AD-IF-RELEVANT
+ * in the AP authenticator when looking for AD-AP-OPTIONS. Make sure to
+ * bundle it together with etypes.
+ */
+ ret = add_ap_options(context, &ad);
if (ret) {
free_AuthorizationData(&ad);
return ret;
}
- if(buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- free_AuthorizationData(&ad);
- ALLOC(*auth_data, 1);
- if (*auth_data == NULL) {
- free(buf);
- return krb5_enomem(context);
+ ASN1_MALLOC_ENCODE(AuthorizationData, ir.data, ir.length, &ad, &len, ret);
+ if (ret) {
+ free_AuthorizationData(&ad);
+ return ret;
}
+ if(ir.length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
- ALLOC_SEQ(*auth_data, 1);
- if ((*auth_data)->val == NULL) {
- free(*auth_data);
- free(buf);
- return krb5_enomem(context);
- }
+ ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1,
+ auth_data);
- (*auth_data)->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT;
- (*auth_data)->val[0].ad_data.length = len;
- (*auth_data)->val[0].ad_data.data = buf;
+ free_AuthorizationData(&ad);
+ krb5_data_free(&ir);
- return 0;
+ return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
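Review bot: add_ap_options has no comment describing the byte layout it emits or the configuration switch that enables it, which makes the four shift lines hard to review against the protocol. I would add above the function `/* AD-AP-OPTIONS: 32-bit flags word, least-significant byte first; sent only when [libdefaults] client_aware_channel_bindings is true */`. It is also worth a one-line comment at `ade.ad_data.data = ap_options;` that the stack buffer is safe only because add_AuthorizationData copies the element (presumably it does; confirm against the generated code).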
@@ -160,12 +221,19 @@ _krb5_build_authenticator (krb5_context context,
* This is not GSS-API specific, we only enable it for
* GSS for now
*/
- ret = make_etypelist(context, &auth.authorization_data);
+ ret = make_ap_authdata(context, &auth.authorization_data);
if (ret)
goto fail;
}
}
+ /* Copy other authz data from auth_context */
+ if (auth_context->auth_data) {
+ ret = add_auth_data(context, auth_context->auth_data, &auth.authorization_data);
+ if (ret)
+ goto fail;
+ }
+
/* XXX - Copy more to auth_context? */
auth_context->authenticator->ctime = auth.ctime;
diff --git a/lib/krb5/cache.c b/lib/krb5/cache.c
index c43cd0ab7096..4afb0ca5c80d 100644
--- a/lib/krb5/cache.c
+++ b/lib/krb5/cache.c
@@ -100,11 +100,16 @@ main (int argc, char **argv)
* @endcode
*/
+static const krb5_cc_ops *
+cc_get_prefix_ops(krb5_context context,
+ const char *prefix,
+ const char **residual);
+
/**
* Add a new ccache type with operations `ops', overwriting any
* existing one if `override'.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param ops type of plugin symbol
* @param override flag to select if the registration is to overide
* an existing ops with the same name.
@@ -180,74 +185,47 @@ _krb5_cc_allocate(krb5_context context,
*/
static krb5_error_code
-allocate_ccache (krb5_context context,
- const krb5_cc_ops *ops,
- const char *residual,
- krb5_ccache *id)
+allocate_ccache(krb5_context context,
+ const krb5_cc_ops *ops,
+ const char *residual,
+ const char *subsidiary,
+ krb5_ccache *id)
{
- krb5_error_code ret;
-#ifdef KRB5_USE_PATH_TOKENS
- char * exp_residual = NULL;
+ krb5_error_code ret = 0;
+ char *exp_residual = NULL;
int filepath;
filepath = (strcmp("FILE", ops->prefix) == 0
|| strcmp("DIR", ops->prefix) == 0
|| strcmp("SCC", ops->prefix) == 0);
- ret = _krb5_expand_path_tokens(context, residual, filepath, &exp_residual);
- if (ret)
- return ret;
-
- residual = exp_residual;
-#endif
+ if (residual)
+ ret = _krb5_expand_path_tokens(context, residual, filepath, &exp_residual);
+ if (ret == 0)
+ ret = _krb5_cc_allocate(context, ops, id);
- ret = _krb5_cc_allocate(context, ops, id);
- if (ret) {
-#ifdef KRB5_USE_PATH_TOKENS
- if (exp_residual)
- free(exp_residual);
-#endif
- return ret;
+ if (ret == 0) {
+ if ((*id)->ops->version < KRB5_CC_OPS_VERSION_5
+ || (*id)->ops->resolve_2 == NULL) {
+ ret = (*id)->ops->resolve(context, id, exp_residual);
+ } else {
+ ret = (*id)->ops->resolve_2(context, id, exp_residual, subsidiary);
+ }
}
-
- ret = (*id)->ops->resolve(context, id, residual);
- if(ret) {
+ if (ret) {
free(*id);
*id = NULL;
}
-
-#ifdef KRB5_USE_PATH_TOKENS
- if (exp_residual)
- free(exp_residual);
-#endif
-
+ free(exp_residual);
return ret;
}
-static int
-is_possible_path_name(const char * name)
-{
- const char * colon;
-
- if ((colon = strchr(name, ':')) == NULL)
- return TRUE;
-
-#ifdef _WIN32
- /* <drive letter>:\path\to\cache ? */
-
- if (colon == name + 1 &&
- strchr(colon + 1, ':') == NULL)
- return TRUE;
-#endif
-
- return FALSE;
-}
/**
* Find and allocate a ccache in `id' from the specification in `residual'.
* If the ccache name doesn't contain any colon, interpret it as a file name.
*
- * @param context a Keberos context.
+ * @param context a Kerberos context.
* @param name string name of a credential cache.
* @param id return pointer to a found credential cache.
*
@@ -263,27 +241,183 @@ krb5_cc_resolve(krb5_context context,
const char *name,
krb5_ccache *id)
{
- int i;
+ const krb5_cc_ops *ops;
+ const char *residual = NULL;
*id = NULL;
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
- size_t prefix_len = strlen(context->cc_ops[i]->prefix);
+ ops = cc_get_prefix_ops(context, name, &residual);
+ if (ops == NULL)
+ ops = &krb5_fcc_ops; /* residual will point to name */
+
+ return allocate_ccache(context, ops, residual, NULL, id);
+}
- if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
- && name[prefix_len] == ':') {
- return allocate_ccache (context, context->cc_ops[i],
- name + prefix_len + 1,
- id);
+#ifdef _WIN32
+static const char *
+get_default_cc_type_win32(krb5_context context)
+{
+ krb5_error_code ret;
+ krb5_ccache id;
+
+ /*
+ * If the MSLSA ccache type has a principal name,
+ * use it as the default.
+ */
+ ret = krb5_cc_resolve(context, "MSLSA:", &id);
+ if (ret == 0) {
+ krb5_principal princ;
+ ret = krb5_cc_get_principal(context, id, &princ);
+ krb5_cc_close(context, id);
+ if (ret == 0) {
+ krb5_free_principal(context, princ);
+ return "MSLSA";
}
}
- if (is_possible_path_name(name))
- return allocate_ccache (context, &krb5_fcc_ops, name, id);
- else {
+
+ /*
+ * If the API: ccache can be resolved,
+ * use it as the default.
+ */
+ ret = krb5_cc_resolve(context, "API:", &id);
+ if (ret == 0) {
+ krb5_cc_close(context, id);
+ return "API";
+ }
+
+ return NULL;
+}
+#endif /* _WIN32 */
+
+static const char *
+get_default_cc_type(krb5_context context, int simple)
+{
+ const char *def_ccname;
+ const char *def_cctype =
+ krb5_config_get_string_default(context, NULL,
+ secure_getenv("KRB5CCTYPE"),
+ "libdefaults", "default_cc_type", NULL);
+ const char *def_cccol =
+ krb5_config_get_string(context, NULL, "libdefaults",
+ "default_cc_collection", NULL);
+ const krb5_cc_ops *ops;
+
+ if (!simple && (def_ccname = krb5_cc_default_name(context))) {
+ ops = cc_get_prefix_ops(context, def_ccname, NULL);
+ if (ops)
+ return ops->prefix;
+ }
+ if (!def_cctype && def_cccol) {
+ ops = cc_get_prefix_ops(context, def_cccol, NULL);
+ if (ops)
+ return ops->prefix;
+ }
+#ifdef _WIN32
+ if (def_cctype == NULL)
+ def_cctype = get_default_cc_type_win32(context);
+#endif
+ if (def_cctype == NULL)
+ def_cctype = KRB5_DEFAULT_CCTYPE->prefix;
+ return def_cctype;
+}
+
+/**
+ * Find and allocate a ccache in `id' for the subsidiary cache named by
+ * `subsidiary' in the collection named by `collection'.
+ *
+ * @param context a Kerberos context.
+ * @param cctype string name of a credential cache collection type.
+ * @param collection string name of a credential cache collection.
+ * @param subsidiary string name of a credential cache in a collection.
+ * @param id return pointer to a found credential cache.
+ *
+ * @return Return 0 or an error code. In case of an error, id is set
+ * to NULL, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_resolve_sub(krb5_context context,
+ const char *cctype,
+ const char *collection,
+ const char *subsidiary,
+ krb5_ccache *id)
+{
+ const krb5_cc_ops *ops = NULL;
+
+ *id = NULL;
+
+ /* Get the cctype from the collection, maybe */
+ if (cctype == NULL && collection)
+ ops = cc_get_prefix_ops(context, collection, &collection);
+
+ if (ops == NULL)
+ ops = cc_get_prefix_ops(context, get_default_cc_type(context, 0), NULL);
+
+ if (ops == NULL) {
krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
- N_("unknown ccache type %s", "name"), name);
+ N_("unknown ccache type %s", ""), cctype);
return KRB5_CC_UNKNOWN_TYPE;
}
+
+ return allocate_ccache(context, ops, collection, subsidiary, id);
+}
+
+
+/**
+ * Find and allocate a ccache in `id' from the specification in `residual', but
+ * specific to the given principal `principal' by using the principal name as
+ * the name of a "subsidiary" credentials cache in the collection named by
+ * `name'. If the ccache name doesn't contain any colon, interpret it as a
+ * file name.
+ *
+ * @param context a Kerberos context.
+ * @param name string name of a credential cache.
+ * @param principal principal name of desired credentials.
+ * @param id return pointer to a found credential cache.
+ *
+ * @return Return 0 or an error code. In case of an error, id is set
+ * to NULL, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_resolve_for(krb5_context context,
+ const char *cctype,
+ const char *name,
+ krb5_const_principal principal,
+ krb5_ccache *id)
+{
+ krb5_error_code ret;
+ char *p, *s;
+
+ *id = NULL;
+
+ ret = krb5_unparse_name(context, principal, &p);
+ if (ret)
+ return ret;
+ /*
+ * Subsidiary components cannot have various chars in them that are used as
+ * separators. ':' is used for subsidiary separators in all ccache types
+ * except FILE, where '+' is used instead because we can't use ':' in file
+ * paths on Windows and because ':' is not in the POSIX safe set.
+ */
+ for (s = p; *s; s++) {
+ switch (s[0]) {
+ case ':':
+ case '+':
+ case '/':
+ case '\\':
+ s[0] = '-';
+ default: break;
+ }
+ }
+ ret = krb5_cc_resolve_sub(context, cctype, name, p, id);
+ free(p);
+ return ret;
}
/**
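Review bot: krb5_cc_resolve_sub never looks up an explicit `cctype`: the parameter is read only in the `cctype == NULL` test and in the error message, so a caller that passes a type gets the type from get_default_cc_type() instead. Something like `if (cctype) ops = cc_get_prefix_ops(context, cctype, NULL);` before the collection branch would honour it. The KRB5_CC_UNKNOWN_TYPE message also formats `cctype` with `%s` on a path where it can be NULL; print `cctype ? cctype : "(default)"` or the name that was actually tried. In krb5_cc_resolve_for the `s[0] = '-';` case falls through to `default` without a `break`, and its doc comment lacks `@param cctype`.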
@@ -305,6 +439,9 @@ krb5_cc_new_unique(krb5_context context, const char *type,
const krb5_cc_ops *ops;
krb5_error_code ret;
+ if (type == NULL)
+ type = get_default_cc_type(context, 1);
+
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL) {
krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
@@ -334,7 +471,52 @@ KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_name(krb5_context context,
krb5_ccache id)
{
- return id->ops->get_name(context, id);
+ const char *name = NULL;
+
+ if (id->ops->version < KRB5_CC_OPS_VERSION_5
+ || id->ops->get_name_2 == NULL)
+ return id->ops->get_name(context, id);
+
+ (void) id->ops->get_name_2(context, id, &name, NULL, NULL);
+ return name;
+}
+
+/**
+ * Return the name of the ccache collection associated with `id'
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
+krb5_cc_get_collection(krb5_context context, krb5_ccache id)
+{
+ const char *name = NULL;
+
+ if (id->ops->version < KRB5_CC_OPS_VERSION_5
+ || id->ops->get_name_2 == NULL)
+ return NULL;
+
+ (void) id->ops->get_name_2(context, id, NULL, &name, NULL);
+ return name;
+}
+
+/**
+ * Return the name of the subsidiary ccache of `id'
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
+krb5_cc_get_subsidiary(krb5_context context, krb5_ccache id)
+{
+ const char *name = NULL;
+
+ if (id->ops->version >= KRB5_CC_OPS_VERSION_5
+ && id->ops->get_name_2 != NULL)
+ (void) id->ops->get_name_2(context, id, NULL, NULL, &name);
+ return name;
}
/**
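Review bot: krb5_cc_get_name now discards the get_name_2 status with `(void)` and returns `name`, which stays NULL if the backend fails or leaves the out-parameter untouched. Callers that pass the result straight to `%s` or strcmp may then dereference NULL, so either state in the doc comment that NULL is a possible return or fall back to `id->ops->get_name` when it is set. The doc comments of krb5_cc_get_collection and krb5_cc_get_subsidiary should likewise say that NULL means the backend does not support the query or could not answer it.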
@@ -354,7 +536,7 @@ krb5_cc_get_type(krb5_context context,
/**
* Return the complete resolvable name the cache
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param id return pointer to a found credential cache
* @param str the returned name of a credential cache, free with krb5_xfree()
*
@@ -443,10 +625,7 @@ environment_changed(krb5_context context)
strncmp(context->default_cc_name, "API:", 4) == 0))
return 1;
- if(issuid())
- return 0;
-
- e = getenv("KRB5CCNAME");
+ e = secure_getenv("KRB5CCNAME");
if (e == NULL) {
if (context->default_cc_name_env) {
free(context->default_cc_name_env);
@@ -478,7 +657,8 @@ krb5_cc_switch(krb5_context context, krb5_ccache id)
_krb5_set_default_cc_name_to_registry(context, id);
#endif
- if (id->ops->set_default == NULL)
+ if (id->ops->version == KRB5_CC_OPS_VERSION_0
+ || id->ops->set_default == NULL)
return 0;
return (*id->ops->set_default)(context, id);
@@ -496,7 +676,7 @@ krb5_cc_support_switch(krb5_context context, const char *type)
const krb5_cc_ops *ops;
ops = krb5_cc_get_prefix_ops(context, type);
- if (ops && ops->set_default)
+ if (ops && ops->version > KRB5_CC_OPS_VERSION_0 && ops->set_default)
return 1;
return FALSE;
}
@@ -511,109 +691,61 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_default_name(krb5_context context, const char *name)
{
krb5_error_code ret = 0;
- char *p = NULL, *exp_p = NULL;
- int filepath;
- const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
+ char *p = NULL;
if (name == NULL) {
- const char *e = NULL;
-
- if (!issuid()) {
- e = getenv("KRB5CCNAME");
- if (e) {
- p = strdup(e);
- if (context->default_cc_name_env)
- free(context->default_cc_name_env);
- context->default_cc_name_env = strdup(e);
- }
- }
-
-#ifdef _WIN32
- if (p == NULL) {
- p = _krb5_get_default_cc_name_from_registry(context);
+ const char *e;
+
+ if ((e = secure_getenv("KRB5CCNAME"))) {
+ if ((p = strdup(e)) == NULL)
+ return krb5_enomem(context);
+
+ free(context->default_cc_name_env);
+ context->default_cc_name_env = p;
+
+ if ((p = strdup(e)) == NULL)
+ return krb5_enomem(context);
+
+ /*
+ * We're resetting the default ccache name. Recall that we got
+ * this from the environment, which might change.
+ */
+ context->default_cc_name_set = 0;
+ } else if ((e = krb5_cc_configured_default_name(context))) {
+ if ((p = strdup(e)) == NULL)
+ return krb5_enomem(context);
+
+ /*
+ * Since $KRB5CCNAME was not set, and since we got the default
+ * ccache name from configuration, we'll not want
+ * environment_changed() to return true to avoid re-doing the
+ * krb5_cc_configured_default_name() call unnecessarily.
+ *
+ * XXX Perhaps if we got the ccache name from the registry then
+ * we'd want to recheck it? If so we might need an indication
+ * from krb5_cc_configured_default_name() about that!
+ */
+ context->default_cc_name_set = 1;
}
-#endif
- if (p == NULL) {
- e = krb5_config_get_string(context, NULL, "libdefaults",
- "default_cc_name", NULL);
- if (e) {
- ret = _krb5_expand_default_cc_name(context, e, &p);
- if (ret)
- return ret;
- }
- }
- if (p == NULL) {
- e = krb5_config_get_string(context, NULL, "libdefaults",
- "default_cc_type", NULL);
- if (e) {
- ops = krb5_cc_get_prefix_ops(context, e);
- if (ops == NULL) {
- krb5_set_error_message(context,
- KRB5_CC_UNKNOWN_TYPE,
- "Credential cache type %s "
- "is unknown", e);
- return KRB5_CC_UNKNOWN_TYPE;
- }
- }
- }
-#ifdef _WIN32
- if (p == NULL) {
- /*
- * If the MSLSA ccache type has a principal name,
- * use it as the default.
- */
- krb5_ccache id;
- ret = krb5_cc_resolve(context, "MSLSA:", &id);
- if (ret == 0) {
- krb5_principal princ;
- ret = krb5_cc_get_principal(context, id, &princ);
- if (ret == 0) {
- krb5_free_principal(context, princ);
- p = strdup("MSLSA:");
- }
- krb5_cc_close(context, id);
- }
- }
- if (p == NULL) {
- /*
- * If the API:krb5cc ccache can be resolved,
- * use it as the default.
- */
- krb5_ccache api_id;
- ret = krb5_cc_resolve(context, "API:krb5cc", &api_id);
- if (ret == 0)
- krb5_cc_close(context, api_id);
- }
- /* Otherwise, fallback to the FILE ccache */
-#endif
- if (p == NULL) {
- ret = (*ops->get_default_name)(context, &p);
- if (ret)
- return ret;
- }
- context->default_cc_name_set = 0;
} else {
- p = strdup(name);
- if (p == NULL)
- return krb5_enomem(context);
- context->default_cc_name_set = 1;
- }
-
- filepath = (strncmp("FILE:", p, 5) == 0
- || strncmp("DIR:", p, 4) == 0
- || strncmp("SCC:", p, 4) == 0);
+ int filepath = (strncmp("FILE:", name, 5) == 0 ||
+ strncmp("DIR:", name, 4) == 0 ||
+ strncmp("SCC:", name, 4) == 0);
- ret = _krb5_expand_path_tokens(context, p, filepath, &exp_p);
- free(p);
- p = exp_p;
- if (ret)
- return ret;
+ ret = _krb5_expand_path_tokens(context, name, filepath, &p);
+ if (ret)
+ return ret;
- if (context->default_cc_name)
- free(context->default_cc_name);
+ /*
+ * Since the default ccache name was set explicitly, we won't want
+ * environment_changed() to return true until the default ccache name
+ * is reset.
+ */
+ context->default_cc_name_set = 1;
+ }
+ free(context->default_cc_name);
context->default_cc_name = p;
-
return 0;
}
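Review bot: When `name` is NULL and neither KRB5CCNAME nor krb5_cc_configured_default_name() yields a value, `p` is still NULL at the end, the previous default is freed, `default_cc_name` becomes NULL and the function returns 0. The error that krb5_cc_configured_default_name() recorded is lost, and a later krb5_cc_default() would presumably report the NULL name as krb5_enomem(). Return an error before the final free(), for example `if (p == NULL) return KRB5_CC_NOTFOUND;` (or whichever code matches the recorded failure). Separately, the KRB5CCNAME value is no longer passed through `_krb5_expand_path_tokens()` as it was before this change; if that is intended, a comment saying so would help.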
@@ -636,6 +768,71 @@ krb5_cc_default_name(krb5_context context)
return context->default_cc_name;
}
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
+krb5_cc_configured_default_name(krb5_context context)
+{
+ krb5_error_code ret = 0;
+#ifdef _WIN32
+ krb5_ccache id;
+#endif
+ const char *cfg;
+ char *expanded;
+ const krb5_cc_ops *ops;
+
+ if (context->configured_default_cc_name)
+ return context->configured_default_cc_name;
+
+#ifdef _WIN32
+ if ((expanded = _krb5_get_default_cc_name_from_registry(context)))
+ return context->configured_default_cc_name = expanded;
+#endif
+
+ /* If there's a configured default, expand the tokens and use it */
+ cfg = krb5_config_get_string(context, NULL, "libdefaults",
+ "default_cc_name", NULL);
+ if (cfg == NULL)
+ cfg = krb5_config_get_string(context, NULL, "libdefaults",
+ "default_ccache_name", NULL);
+ if (cfg) {
+ ret = _krb5_expand_default_cc_name(context, cfg, &expanded);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ "token expansion failed for %s", cfg);
+ return NULL;
+ }
+ return context->configured_default_cc_name = expanded;
+ }
+
+ /* Else try a configured default ccache type's default */
+ cfg = get_default_cc_type(context, 1);
+ if ((ops = krb5_cc_get_prefix_ops(context, cfg)) == NULL) {
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ "unknown configured credential cache "
+ "type %s", cfg);
+ return NULL;
+ }
+
+ /* The get_default_name() method expands any tokens */
+ ret = (*ops->get_default_name)(context, &expanded);
+ if (ret) {
+ krb5_set_error_message(context, ret, "failed to find a default "
+ "ccache for default ccache type %s", cfg);
+ return NULL;
+ }
+ return context->configured_default_cc_name = expanded;
+}
+
+KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
+krb5_cccol_get_default_ccname(krb5_context context)
+{
+ const char *cfg = get_default_cc_type(context, 1);
+ char *cccol_default_ccname;
+ const krb5_cc_ops *ops = krb5_cc_get_prefix_ops(context, cfg);
+
+ (void) (*ops->get_default_name)(context, &cccol_default_ccname);
+ return cccol_default_ccname;
+}
+
/**
* Open the default ccache in `id'.
*
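Review bot: krb5_cccol_get_default_ccname() dereferences `ops` without checking it for NULL and returns `cccol_default_ccname` uninitialised when get_default_name fails. krb5_cc_configured_default_name() just above handles both cases for the same two calls. Declare `char *cccol_default_ccname = NULL;`, add `if (ops == NULL) return NULL;`, and return the pointer only when the call returned 0. Both new public functions also lack a doc comment: it should say that the string from krb5_cc_configured_default_name() is cached in the context and must not be freed, while the one from krb5_cccol_get_default_ccname() appears to be owned by the caller.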
@@ -644,19 +841,53 @@ krb5_cc_default_name(krb5_context context)
* @ingroup krb5_ccache
*/
-
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_default(krb5_context context,
krb5_ccache *id)
{
const char *p = krb5_cc_default_name(context);
+ *id = NULL;
if (p == NULL)
return krb5_enomem(context);
return krb5_cc_resolve(context, p, id);
}
/**
+ * Open the named subsidiary cache from the default ccache collection in `id'.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_default_sub(krb5_context context,
+ const char *subsidiary,
+ krb5_ccache *id)
+{
+ return krb5_cc_resolve_sub(context, get_default_cc_type(context, 0), NULL,
+ subsidiary, id);
+}
+
+/**
+ * Open the default ccache in `id' that corresponds to the given principal.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_default_for(krb5_context context,
+ krb5_const_principal principal,
+ krb5_ccache *id)
+{
+ return krb5_cc_resolve_for(context, get_default_cc_type(context, 0), NULL,
+ principal, id);
+}
+
+/**
* Create a new ccache in `id' for `primary_principal'.
*
* @return Return an error code or 0, see krb5_get_error_message().
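Review bot: The doc comments for krb5_cc_default_sub() and krb5_cc_default_for() have no `@param` lines, so a caller cannot tell whether `subsidiary` or `principal` may be NULL or how `id` is released. Suggest adding `@param subsidiary` / `@param principal` describing the NULL case, and `@param id the returned ccache, release with krb5_cc_close()`. Unlike krb5_cc_default() in the same hunk, neither function sets `*id = NULL` before calling out; whether krb5_cc_resolve_sub() and krb5_cc_resolve_for() do that on failure is not visible here.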
@@ -673,8 +904,12 @@ krb5_cc_initialize(krb5_context context,
krb5_error_code ret;
ret = (*id->ops->init)(context, id, primary_principal);
- if (ret == 0)
- id->initialized = 1;
+ if (ret == 0) {
+ id->cc_kx509_done = 0;
+ id->cc_initialized = 1;
+ id->cc_need_start_realm = 1;
+ id->cc_start_tgt_stored = 0;
+ }
return ret;
}
@@ -692,11 +927,32 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_destroy(krb5_context context,
krb5_ccache id)
{
+ krb5_error_code ret2 = 0;
krb5_error_code ret;
+ krb5_data d;
+
+ /*
+ * Destroy associated hx509 PKIX credential store created by krb5_kx509*().
+ */
+ if (krb5_cc_get_config(context, id, NULL, "kx509store", &d) == 0) {
+ char *name;
+
+ if ((name = strndup(d.data, d.length)) == NULL) {
+ ret2 = krb5_enomem(context);
+ } else {
+ hx509_certs certs;
+ ret = hx509_certs_init(context->hx509ctx, name, 0, NULL, &certs);
+ if (ret == 0)
+ ret2 = hx509_certs_destroy(context->hx509ctx, &certs);
+ else
+ hx509_certs_free(&certs);
+ free(name);
+ }
+ }
ret = (*id->ops->destroy)(context, id);
- krb5_cc_close (context, id);
- return ret;
+ (void) krb5_cc_close(context, id);
+ return ret ? ret : ret2;
}
/**
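Review bot: The new kx509store block leaks `d` and may free an uninitialised handle. The output of krb5_cc_get_config() is documented in this file as "free with krb5_data_free()", but no `krb5_data_free(&d);` follows the strndup(). `certs` is declared without an initialiser and passed to `hx509_certs_free(&certs)` when hx509_certs_init() fails; unless that function always writes its output on failure, declare it as `hx509_certs certs = NULL;`. The store name is read from the cache's own contents, so whoever can write the ccache decides which store hx509_certs_destroy() removes; a comment on why that value is trusted, or a check that it names the expected kind of store, would be appropriate.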
@@ -713,6 +969,52 @@ krb5_cc_close(krb5_context context,
krb5_ccache id)
{
krb5_error_code ret;
+
+ if (!id)
+ return 0;
+
+ /*
+ * We want to automatically acquire a PKIX credential using kx509.
+ *
+ * This can be slow if we're generating an RSA key. Plus it means talking
+ * to the KDC.
+ *
+ * We only want to do this when:
+ *
+ * - krb5_cc_initialize() was called on this ccache handle,
+ * - a start TGT was stored (actually, a cross-realm TGT would do),
+ *
+ * and
+ *
+ * - we aren't creating a gss_cred_id_t for a delegated credential.
+ *
+ * We only have a heuristic for the last condition: that `id' is not a
+ * MEMORY ccache, which is what's used for delegated credentials.
+ *
+ * We really only want to do this when storing a credential in a user's
+ * default ccache, but we leave it to krb5_kx509() to do that check.
+ *
+ * XXX Perhaps we should do what krb5_kx509() does here, and just call
+ * krb5_kx509_ext() (renamed to krb5_kx509()). Then we wouldn't need
+ * the delegated cred handle heuristic.
+ */
+ if (id->cc_initialized && id->cc_start_tgt_stored && !id->cc_kx509_done &&
+ strcmp("MEMORY", krb5_cc_get_type(context, id)) != 0) {
+ krb5_boolean enabled;
+
+ krb5_appdefault_boolean(context, NULL, NULL, "enable_kx509", FALSE,
+ &enabled);
+ if (enabled) {
+ _krb5_debug(context, 2, "attempting to fetch a certificate using "
+ "kx509");
+ ret = krb5_kx509(context, id, NULL);
+ if (ret)
+ _krb5_debug(context, 2, "failed to fetch a certificate");
+ else
+ _krb5_debug(context, 2, "fetched a certificate");
+ }
+ }
+
ret = (*id->ops->close)(context, id);
free(id);
return ret;
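Review bot: krb5_cc_close() can now block on key generation and a KDC exchange, and nothing in this hunk prevents that for a handle that is being destroyed. krb5_cc_destroy() (earlier hunk in this file) calls krb5_cc_close() right after `ops->destroy`, so a handle with `cc_initialized` and `cc_start_tgt_stored` set would reach krb5_kx509() on a cache that no longer exists, unless krb5_kx509() rejects it. Setting `id->cc_kx509_done = 1;` in krb5_cc_destroy() before the close would rule that out. The doc comment of krb5_cc_close() should also mention the `enable_kx509` side effect and that a NULL `id` is now accepted.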
@@ -734,31 +1036,54 @@ krb5_cc_store_cred(krb5_context context,
{
krb5_error_code ret;
krb5_data realm;
+ const char *cfg = "";
+
+ /* Automatic cc_config-setting and other actions */
+ if (krb5_principal_get_num_comp(context, creds->server) > 1 &&
+ krb5_is_config_principal(context, creds->server))
+ cfg = krb5_principal_get_comp_string(context, creds->server, 1);
+
+ if (id->cc_initialized && !id->cc_need_start_realm &&
+ strcmp(cfg, "start_realm") == 0)
+ return 0;
ret = (*id->ops->store)(context, id, creds);
+ if (ret)
+ return ret;
- /* Look for and mark the first root TGT's realm as the start realm */
- if (ret == 0 && id->initialized &&
+ if (id->cc_initialized && !id->cc_start_tgt_stored &&
+ id->cc_need_start_realm &&
krb5_principal_is_root_krbtgt(context, creds->server)) {
-
- id->initialized = 0;
+ /* Mark the first root TGT's realm as the start realm */
+ id->cc_start_tgt_stored = 1;
realm.length = strlen(creds->server->realm);
realm.data = creds->server->realm;
(void) krb5_cc_set_config(context, id, NULL, "start_realm", &realm);
- } else if (ret == 0 && id->initialized &&
- krb5_is_config_principal(context, creds->server) &&
- strcmp(creds->server->name.name_string.val[1], "start_realm") == 0) {
-
+ id->cc_need_start_realm = 0;
+ } else if (id->cc_initialized && id->cc_start_tgt_stored &&
+ !id->cc_kx509_done && strcmp(cfg, "kx509cert") == 0) {
/*
- * But if the caller is storing a start_realm ccconfig, then
- * stop looking for root TGTs to mark as the start_realm.
+ * Do not attempt kx509 at cc close time -- we're copying a ccache and
+ * we've already got a cert (and private key).
+ */
+ id->cc_kx509_done = 1;
+ } else if (id->cc_initialized && id->cc_start_tgt_stored &&
+ !id->cc_kx509_done && strcmp(cfg, "kx509_service_status") == 0) {
+ /*
+ * Do not attempt kx509 at cc close time -- we're copying a ccache and
+ * we know the kx509 service is not available.
+ */
+ id->cc_kx509_done = 1;
+ } else if (id->cc_initialized && strcmp(cfg, "start_realm") == 0) {
+ /*
+ * If the caller is storing a start_realm ccconfig, then stop looking
+ * for root TGTs to mark as the start_realm.
*
- * By honoring any start_realm cc config stored, we interop
- * both, with ccache implementations that don't preserve
- * insertion order, and Kerberos implementations that store this
- * cc config before the TGT.
+ * By honoring any start_realm cc config stored, we interop both, with
+ * ccache implementations that don't preserve insertion order, and
+ * Kerberos implementations that store this cc config before the TGT.
*/
- id->initialized = 0;
+ id->cc_need_start_realm = 0;
}
return ret;
}
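Review bot: The early `return 0` drops a caller's `start_realm` config entry without storing it and still reports success, and the comment above it ("Automatic cc_config-setting and other actions") does not explain that. If this is the intent, a comment at that return would help, such as `/* start_realm is already settled for this handle; ignore later attempts to replace it */`. Every path after `if (ret) return ret;` has `ret == 0`, so the final `return ret;` could be `return 0;`. The function starts outside the hunk, so whether `creds->server` is validated before the new krb5_principal_get_num_comp() call is not visible.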
@@ -1055,9 +1380,35 @@ krb5_cc_clear_mcred(krb5_creds *mcred)
KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
{
- char *p, *p1;
+ return cc_get_prefix_ops(context, prefix, NULL);
+}
+
+/**
+ * Get the cc ops that is registered in `context' to handle the
+ * prefix. prefix can be a complete credential cache name or a
+ * prefix, the function will only use part up to the first colon (:)
+ * if there is one. If prefix the argument is NULL, the default ccache
+ * implementation is returned.
+ *
+ * If residual is non-NULL, it is set to the residual component of
+ * prefix (if present) or the prefix itself.
+ *
+ * @return Returns NULL if ops not found.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+static const krb5_cc_ops *
+cc_get_prefix_ops(krb5_context context,
+ const char *prefix,
+ const char **residual)
+{
int i;
+ if (residual)
+ *residual = prefix;
+
if (prefix == NULL)
return KRB5_DEFAULT_CCTYPE;
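Review bot: The new comment on cc_get_prefix_ops() says `residual` is set to "the residual component of prefix (if present) or the prefix itself", but the matching loop in the next hunk sets `*residual = NULL` when a type matches and nothing follows the colon. Suggested wording: `If residual is non-NULL it is set to the text after the colon, to NULL if a type matched with no residual, or to prefix itself if no type matched.` The phrase "If prefix the argument is NULL" should read "If the prefix argument is NULL". krb5_cc_get_prefix_ops() now calls the static helper before its definition, so a forward declaration is needed earlier in the file; it is not visible in this hunk, and the helper's body continues outside it.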
@@ -1067,26 +1418,26 @@ krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
#ifdef _WIN32
/* Is drive letter? */
- if (isalpha(prefix[0]) && prefix[1] == ':')
+ if (isalpha((unsigned char)prefix[0]) && prefix[1] == ':')
return &krb5_fcc_ops;
#endif
- p = strdup(prefix);
- if (p == NULL) {
- krb5_enomem(context);
- return NULL;
- }
- p1 = strchr(p, ':');
- if (p1)
- *p1 = '\0';
-
for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
- if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
- free(p);
+ size_t prefix_len = strlen(context->cc_ops[i]->prefix);
+
+ if (strncmp(context->cc_ops[i]->prefix, prefix, prefix_len) == 0 &&
+ (prefix[prefix_len] == ':' || prefix[prefix_len] == '\0')) {
+ if (residual) {
+ if (prefix[prefix_len] == ':' && prefix[prefix_len + 1] != '\0')
+ *residual = &prefix[prefix_len + 1];
+ else
+ *residual = NULL;
+ }
+
return context->cc_ops[i];
}
}
- free(p);
+
return NULL;
}
@@ -1266,8 +1617,7 @@ krb5_cc_cache_match (krb5_context context,
} else if (cache == NULL) {
char *str;
- krb5_unparse_name(context, client, &str);
-
+ (void) krb5_unparse_name(context, client, &str);
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
N_("Principal %s not found in any "
"credential cache", ""),
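Review bot: Casting the krb5_unparse_name() result to void makes it explicit that a failure is ignored, yet `str` is then used as the `%s` argument of the error message. If the call fails without writing `str`, the message is formatted from an indeterminate pointer. Initialise it with `char *str = NULL;` and pass a fallback such as `str ? str : "(unknown)"`; the rest of the call and the matching free are outside the hunk.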
@@ -1286,12 +1636,13 @@ krb5_cc_cache_match (krb5_context context,
* Move the content from one credential cache to another. The
* operation is an atomic switch.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param from the credential cache to move the content from
* @param to the credential cache to move the content to
- * @return On sucess, from is freed. On failure, error code is
- * returned and from and to are both still allocated, see krb5_get_error_message().
+ * @return On sucess, from is destroyed and closed. On failure, error code is
+ * returned and from and to are both still allocated; see
+ * krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
@@ -1299,20 +1650,39 @@ krb5_cc_cache_match (krb5_context context,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
- krb5_error_code ret;
+ krb5_error_code ret = ENOTSUP;
+ krb5_principal princ = NULL;
- if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
- krb5_set_error_message(context, KRB5_CC_NOSUPP,
- N_("Moving credentials between diffrent "
- "types not yet supported", ""));
- return KRB5_CC_NOSUPP;
- }
-
- ret = (*to->ops->move)(context, from, to);
- if (ret == 0) {
- memset(from, 0, sizeof(*from));
- free(from);
- }
+ if (to->ops->move &&
+ strcmp(from->ops->prefix, to->ops->prefix) == 0) {
+ /*
+ * NOTE: to->ops->move() is expected to call
+ * krb5_cc_destroy(context, from) on success.
+ */
+ ret = (*to->ops->move)(context, from, to);
+ if (ret == 0)
+ return 0;
+ if (ret != EXDEV && ret != ENOTSUP && ret != KRB5_CC_NOSUPP &&
+ ret != KRB5_FCC_INTERNAL)
+ return ret;
+ /* Fallback to high-level copy */
+ } /* Else high-level copy */
+
+ /*
+ * Initialize destination, copy the source's contents to the destination,
+ * then destroy the source on success.
+ *
+ * It'd be nice if we could destroy any half-built destination if the copy
+ * fails, but the interface is not documented as doing so.
+ */
+ ret = krb5_cc_get_principal(context, from, &princ);
+ if (ret == 0)
+ ret = krb5_cc_initialize(context, to, princ);
+ krb5_free_principal(context, princ);
+ if (ret == 0)
+ ret = krb5_cc_copy_cache(context, from, to);
+ if (ret == 0)
+ krb5_cc_destroy(context, from);
return ret;
}
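Review bot: The fallback path is not the "atomic switch" that the function's doc comment still promises. `krb5_cc_initialize(context, to, princ)` presumably discards the destination's existing contents before krb5_cc_copy_cache() runs, so a failed copy leaves `to` empty or partial, and a concurrent reader can observe `to` without usable credentials. The doc comment should say so, e.g. `If the backend cannot move natively the contents are copied, which is not atomic; on failure to may be left partially written.` Treating `KRB5_FCC_INTERNAL` from `ops->move` as a reason to fall back also hides an internal error and needs a comment explaining why. The result of `krb5_cc_destroy(context, from)` is dropped, so a source cache that could not be removed is still reported as success.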
@@ -1358,7 +1728,7 @@ build_conf_principals(krb5_context context, krb5_ccache id,
* principal (generated part of krb5_cc_set_config()). Returns FALSE
* (zero) if not a configuration principal.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param principal principal to check if it a configuration principal
*
* @ingroup krb5_ccache
@@ -1382,7 +1752,7 @@ krb5_is_config_principal(krb5_context context,
* Store some configuration for the credential cache in the cache.
* Existing configuration under the same name is over-written.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param id the credential cache to store the data for
* @param principal configuration for a specific principal, if
* NULL, global for the whole cache.
@@ -1406,7 +1776,8 @@ krb5_cc_set_config(krb5_context context, krb5_ccache id,
/* Remove old configuration */
ret = krb5_cc_remove_cred(context, id, 0, &cred);
- if (ret && ret != KRB5_CC_NOTFOUND)
+ if (ret && ret != KRB5_CC_NOTFOUND && ret != KRB5_CC_NOSUPP &&
+ ret != KRB5_FCC_INTERNAL)
goto out;
if (data) {
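Review bot: Ignoring `KRB5_CC_NOSUPP` and `KRB5_FCC_INTERNAL` from krb5_cc_remove_cred() means the new entry is stored while the old one may still be in the cache, which contradicts the doc comment's "Existing configuration under the same name is over-written". Which value a later krb5_cc_get_config() returns then depends on the backend's lookup order, which is not visible here. Add a comment explaining why these two codes are safe to ignore, and consider limiting the exemption to `KRB5_CC_NOSUPP`, since `KRB5_FCC_INTERNAL` reads like a genuine failure.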
@@ -1429,12 +1800,14 @@ out:
/**
* Get some configuration for the credential cache in the cache.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param id the credential cache to store the data for
* @param principal configuration for a specific principal, if
* NULL, global for the whole cache.
* @param name name under which the configuraion is stored.
* @param data data to fetched, free with krb5_data_free()
+ * @return 0 on success, KRB5_CC_NOTFOUND or KRB5_CC_END if not found,
+ * or other system error.
*
* @ingroup krb5_ccache
*/
@@ -1480,7 +1853,7 @@ struct krb5_cccol_cursor_data {
* Get a new cache interation cursor that will interate over all
* credentials caches independent of type.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
*
* @return Returns 0 or and error code, see krb5_get_error_message().
@@ -1522,7 +1895,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
krb5_ccache *cache)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
*cache = NULL;
@@ -1554,7 +1927,7 @@ krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
return KRB5_CC_END;
}
- return 0;
+ return ret;
}
/**
@@ -1602,6 +1975,11 @@ krb5_cc_last_change_time(krb5_context context,
krb5_timestamp *mtime)
{
*mtime = 0;
+
+ if (id->ops->version < KRB5_CC_OPS_VERSION_2
+ || id->ops->lastchange == NULL)
+ return KRB5_CC_NOSUPP;
+
return (*id->ops->lastchange)(context, id, mtime);
}
@@ -1816,7 +2194,8 @@ krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
{
- if (id->ops->set_kdc_offset == NULL) {
+ if (id->ops->version < KRB5_CC_OPS_VERSION_3
+ || id->ops->set_kdc_offset == NULL) {
context->kdc_sec_offset = offset;
context->kdc_usec_offset = 0;
return 0;
@@ -1841,7 +2220,8 @@ krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
{
- if (id->ops->get_kdc_offset == NULL) {
+ if (id->ops->version < KRB5_CC_OPS_VERSION_3
+ || id->ops->get_kdc_offset == NULL) {
*offset = context->kdc_sec_offset;
return 0;
}
@@ -1865,8 +2245,8 @@ _get_default_cc_name_from_registry(krb5_context context, HKEY hkBase)
if (code != ERROR_SUCCESS)
return NULL;
- ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname",
- REG_NONE, 0);
+ ccname = heim_parse_reg_value_as_string(context->hcontext, hk_k5, "ccname",
+ REG_NONE, 0);
RegCloseKey(hk_k5);
@@ -1905,8 +2285,8 @@ _krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id)
if (ret < 0)
goto cleanup;
- ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname",
- REG_SZ, ccname, -1, 0);
+ ret = heim_store_string_to_reg_value(context->hcontext, hk_k5, "ccname",
+ REG_SZ, ccname, -1, 0);
cleanup:
diff --git a/lib/krb5/ccache_plugin.h b/lib/krb5/ccache_plugin.h
index f6871d65d16b..e0fda4c94a84 100644
--- a/lib/krb5/ccache_plugin.h
+++ b/lib/krb5/ccache_plugin.h
@@ -33,7 +33,14 @@
#define HEIMDAL_KRB5_CCACHE_PLUGIN_H 1
#include <krb5.h>
+#include <common_plugin.h>
#define KRB5_PLUGIN_CCACHE "ccache_ops"
+krb5_error_code KRB5_CALLCONV
+ccache_ops_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *func,
+ size_t *n_ftables,
+ heim_plugin_common_ftable_p **ftables);
+
#endif /* HEIMDAL_KRB5_CCACHE_PLUGIN_H */
diff --git a/lib/krb5/changepw.c b/lib/krb5/changepw.c
index e028753dbcfd..22a1f404c70e 100644
--- a/lib/krb5/changepw.c
+++ b/lib/krb5/changepw.c
@@ -384,7 +384,7 @@ process_reply (krb5_context context,
ap_rep_data.data = reply + 6;
ap_rep_data.length = (reply[4] << 8) | (reply[5]);
- if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
+ if (len - 6 < ap_rep_data.length) {
str2data (result_string, "client: wrong AP len in reply");
*result_code = KRB5_KPASSWD_MALFORMED;
return 0;
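Review bot: `len - 6` is only safe if `len >= 6` is guaranteed before this line; with a shorter reply the subtraction wraps, or becomes a very large value once converted to the unsigned type of `ap_rep_data.length`, and the length check passes. `reply[4]` and `reply[5]` are read just above, so an earlier length check probably exists, but it is outside the hunk. Making the guard self-contained costs nothing: `if (len < 6 || len - 6 < ap_rep_data.length) {`.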
@@ -478,7 +478,7 @@ typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
krb5_data *,
const char *);
-static struct kpwd_proc {
+static const struct kpwd_proc {
const char *name;
int flags;
#define SUPPORT_TCP 1
@@ -513,7 +513,7 @@ change_password_loop (krb5_context context,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string,
- struct kpwd_proc *proc)
+ const struct kpwd_proc *proc)
{
krb5_error_code ret;
krb5_auth_context auth_context = NULL;
@@ -662,10 +662,10 @@ change_password_loop (krb5_context context,
#ifndef HEIMDAL_SMALLER
-static struct kpwd_proc *
+static const struct kpwd_proc *
find_chpw_proto(const char *name)
{
- struct kpwd_proc *p;
+ const struct kpwd_proc *p;
for (p = procs; p->name != NULL; p++) {
if (strcmp(p->name, name) == 0)
return p;
@@ -695,9 +695,9 @@ krb5_change_password (krb5_context context,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_set_password instead")
{
- struct kpwd_proc *p = find_chpw_proto("change password");
+ const struct kpwd_proc *p = find_chpw_proto("change password");
*result_code = KRB5_KPASSWD_MALFORMED;
result_code_string->data = result_string->data = NULL;
@@ -718,7 +718,7 @@ krb5_change_password (krb5_context context,
* @param context a Keberos context
* @param creds The initial kadmin/passwd for the principal or an admin principal
* @param newpw The new password to set
- * @param targprinc if unset, the default principal is used.
+ * @param targprinc if unset, the client principal from creds is used
* @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
* @param result_code_string binary message from the server, contains
* at least the result_code.
@@ -748,7 +748,7 @@ krb5_set_password(krb5_context context,
krb5_data_zero(result_string);
if (targprinc == NULL) {
- ret = krb5_get_default_principal(context, &principal);
+ ret = krb5_copy_principal(context, creds->client, &principal);
if (ret)
return ret;
} else
diff --git a/lib/krb5/config_file.c b/lib/krb5/config_file.c
index 6293bd72ddb9..22eff10d27f2 100644
--- a/lib/krb5/config_file.c
+++ b/lib/krb5/config_file.c
@@ -35,370 +35,49 @@
#include "krb5_locl.h"
-#ifdef __APPLE__
+#if defined(HAVE_FRAMEWORK_COREFOUNDATION)
#include <CoreFoundation/CoreFoundation.h>
#endif
-/* Gaah! I want a portable funopen */
-struct fileptr {
- const char *s;
- FILE *f;
-};
-
-static char *
-config_fgets(char *str, size_t len, struct fileptr *ptr)
-{
- /* XXX this is not correct, in that they don't do the same if the
- line is longer than len */
- if(ptr->f != NULL)
- return fgets(str, len, ptr->f);
- else {
- /* this is almost strsep_copy */
- const char *p;
- ssize_t l;
- if(*ptr->s == '\0')
- return NULL;
- p = ptr->s + strcspn(ptr->s, "\n");
- if(*p == '\n')
- p++;
- l = min(len, (size_t)(p - ptr->s));
- if(len > 0) {
- memcpy(str, ptr->s, l);
- str[l] = '\0';
- }
- ptr->s = p;
- return str;
- }
-}
-
-static krb5_error_code parse_section(char *p, krb5_config_section **s,
- krb5_config_section **res,
- const char **err_message);
-static krb5_error_code parse_binding(struct fileptr *f, unsigned *lineno, char *p,
- krb5_config_binding **b,
- krb5_config_binding **parent,
- const char **err_message);
-static krb5_error_code parse_list(struct fileptr *f, unsigned *lineno,
- krb5_config_binding **parent,
- const char **err_message);
-
-KRB5_LIB_FUNCTION krb5_config_section * KRB5_LIB_CALL
-_krb5_config_get_entry(krb5_config_section **parent, const char *name, int type)
-{
- krb5_config_section **q;
-
- for(q = parent; *q != NULL; q = &(*q)->next)
- if(type == krb5_config_list &&
- (unsigned)type == (*q)->type &&
- strcmp(name, (*q)->name) == 0)
- return *q;
- *q = calloc(1, sizeof(**q));
- if(*q == NULL)
- return NULL;
- (*q)->name = strdup(name);
- (*q)->type = type;
- if((*q)->name == NULL) {
- free(*q);
- *q = NULL;
- return NULL;
- }
- return *q;
-}
-
-/*
- * Parse a section:
- *
- * [section]
- * foo = bar
- * b = {
- * a
- * }
- * ...
- *
- * starting at the line in `p', storing the resulting structure in
- * `s' and hooking it into `parent'.
- * Store the error message in `err_message'.
- */
-
-static krb5_error_code
-parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
- const char **err_message)
-{
- char *p1;
- krb5_config_section *tmp;
-
- p1 = strchr (p + 1, ']');
- if (p1 == NULL) {
- *err_message = "missing ]";
- return KRB5_CONFIG_BADFORMAT;
- }
- *p1 = '\0';
- tmp = _krb5_config_get_entry(parent, p + 1, krb5_config_list);
- if(tmp == NULL) {
- *err_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- *s = tmp;
- return 0;
-}
-
-/*
- * Parse a brace-enclosed list from `f', hooking in the structure at
- * `parent'.
- * Store the error message in `err_message'.
- */
-
-static krb5_error_code
-parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent,
- const char **err_message)
-{
- char buf[KRB5_BUFSIZ];
- krb5_error_code ret;
- krb5_config_binding *b = NULL;
- unsigned beg_lineno = *lineno;
-
- while(config_fgets(buf, sizeof(buf), f) != NULL) {
- char *p;
-
- ++*lineno;
- buf[strcspn(buf, "\r\n")] = '\0';
- p = buf;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '#' || *p == ';' || *p == '\0')
- continue;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '}')
- return 0;
- if (*p == '\0')
- continue;
- ret = parse_binding (f, lineno, p, &b, parent, err_message);
- if (ret)
- return ret;
- }
- *lineno = beg_lineno;
- *err_message = "unclosed {";
- return KRB5_CONFIG_BADFORMAT;
-}
-
-/*
+/**
+ * Parse configuration files in the given directory and add the result
+ * into res. Only files whose names consist only of alphanumeric
+ * characters, hyphen, and underscore, will be parsed, though files
+ * ending in ".conf" will also be parsed.
+ *
+ * This interface can be used to parse several configuration directories
+ * into one resulting krb5_config_section by calling it repeatably.
+ *
+ * @param context a Kerberos 5 context.
+ * @param dname a directory name to a Kerberos configuration file
+ * @param res the returned result, must be free with krb5_free_config_files().
+ * @return Return an error code or 0, see krb5_get_error_message().
*
+ * @ingroup krb5_support
*/
-static krb5_error_code
-parse_binding(struct fileptr *f, unsigned *lineno, char *p,
- krb5_config_binding **b, krb5_config_binding **parent,
- const char **err_message)
-{
- krb5_config_binding *tmp;
- char *p1, *p2;
- krb5_error_code ret = 0;
-
- p1 = p;
- while (*p && *p != '=' && !isspace((unsigned char)*p))
- ++p;
- if (*p == '\0') {
- *err_message = "missing =";
- return KRB5_CONFIG_BADFORMAT;
- }
- p2 = p;
- while (isspace((unsigned char)*p))
- ++p;
- if (*p != '=') {
- *err_message = "missing =";
- return KRB5_CONFIG_BADFORMAT;
- }
- ++p;
- while(isspace((unsigned char)*p))
- ++p;
- *p2 = '\0';
- if (*p == '{') {
- tmp = _krb5_config_get_entry(parent, p1, krb5_config_list);
- if (tmp == NULL) {
- *err_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- ret = parse_list (f, lineno, &tmp->u.list, err_message);
- } else {
- tmp = _krb5_config_get_entry(parent, p1, krb5_config_string);
- if (tmp == NULL) {
- *err_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- p1 = p;
- p = p1 + strlen(p1);
- while(p > p1 && isspace((unsigned char)*(p-1)))
- --p;
- *p = '\0';
- tmp->u.string = strdup(p1);
- }
- *b = tmp;
- return ret;
-}
-
-#if defined(__APPLE__)
-
-#if MAC_OS_X_VERSION_MIN_REQUIRED >= 1060
-#define HAVE_CFPROPERTYLISTCREATEWITHSTREAM 1
-#endif
-
-static char *
-cfstring2cstring(CFStringRef string)
-{
- CFIndex len;
- char *str;
-
- str = (char *) CFStringGetCStringPtr(string, kCFStringEncodingUTF8);
- if (str)
- return strdup(str);
-
- len = CFStringGetLength(string);
- len = 1 + CFStringGetMaximumSizeForEncoding(len, kCFStringEncodingUTF8);
- str = malloc(len);
- if (str == NULL)
- return NULL;
-
- if (!CFStringGetCString (string, str, len, kCFStringEncodingUTF8)) {
- free (str);
- return NULL;
- }
- return str;
-}
-
-static void
-convert_content(const void *key, const void *value, void *context)
-{
- krb5_config_section *tmp, **parent = context;
- char *k;
-
- if (CFGetTypeID(key) != CFStringGetTypeID())
- return;
-
- k = cfstring2cstring(key);
- if (k == NULL)
- return;
-
- if (CFGetTypeID(value) == CFStringGetTypeID()) {
- tmp = _krb5_config_get_entry(parent, k, krb5_config_string);
- tmp->u.string = cfstring2cstring(value);
- } else if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
- tmp = _krb5_config_get_entry(parent, k, krb5_config_list);
- CFDictionaryApplyFunction(value, convert_content, &tmp->u.list);
- } else {
- /* log */
- }
- free(k);
-}
-
-static krb5_error_code
-parse_plist_config(krb5_context context, const char *path, krb5_config_section **parent)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_config_parse_dir_multi(krb5_context context,
+ const char *dname,
+ krb5_config_section **res)
{
- CFReadStreamRef s;
- CFDictionaryRef d;
- CFURLRef url;
-
- url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *)path, strlen(path), FALSE);
- if (url == NULL) {
- krb5_clear_error_message(context);
- return ENOMEM;
- }
-
- s = CFReadStreamCreateWithFile(kCFAllocatorDefault, url);
- CFRelease(url);
- if (s == NULL) {
- krb5_clear_error_message(context);
- return ENOMEM;
- }
-
- if (!CFReadStreamOpen(s)) {
- CFRelease(s);
- krb5_clear_error_message(context);
- return ENOENT;
- }
-
-#ifdef HAVE_CFPROPERTYLISTCREATEWITHSTREAM
- d = (CFDictionaryRef)CFPropertyListCreateWithStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
-#else
- d = (CFDictionaryRef)CFPropertyListCreateFromStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
-#endif
- CFRelease(s);
- if (d == NULL) {
- krb5_clear_error_message(context);
- return ENOENT;
- }
-
- CFDictionaryApplyFunction(d, convert_content, parent);
- CFRelease(d);
-
- return 0;
-}
-
-#endif
-
+ krb5_error_code ret;
+ heim_config_section *section = NULL;
-/*
- * Parse the config file `fname', generating the structures into `res'
- * returning error messages in `err_message'
- */
+ if (res == NULL)
+ return EINVAL;
-static krb5_error_code
-krb5_config_parse_debug (struct fileptr *f,
- krb5_config_section **res,
- unsigned *lineno,
- const char **err_message)
-{
- krb5_config_section *s = NULL;
- krb5_config_binding *b = NULL;
- char buf[KRB5_BUFSIZ];
- krb5_error_code ret;
+ *res = NULL;
- *lineno = 0;
- *err_message = "";
-
- while (config_fgets(buf, sizeof(buf), f) != NULL) {
- char *p;
-
- ++*lineno;
- buf[strcspn(buf, "\r\n")] = '\0';
- p = buf;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '#' || *p == ';')
- continue;
- if (*p == '[') {
- ret = parse_section(p, &s, res, err_message);
- if (ret)
- return ret;
- b = NULL;
- } else if (*p == '}') {
- *err_message = "unmatched }";
- return KRB5_CONFIG_BADFORMAT;
- } else if(*p != '\0') {
- if (s == NULL) {
- *err_message = "binding before section";
- return KRB5_CONFIG_BADFORMAT;
- }
- ret = parse_binding(f, lineno, p, &b, &s->u.list, err_message);
- if (ret)
- return ret;
- }
- }
+ ret = heim_config_parse_dir_multi(context->hcontext, dname, &section);
+ if (ret == HEIM_ERR_CONFIG_BADFORMAT)
+ return KRB5_CONFIG_BADFORMAT;
+ if (ret)
+ return ret;
+ *res = (krb5_config_section *)section;
return 0;
}
-static int
-is_plist_file(const char *fname)
-{
- size_t len = strlen(fname);
- char suffix[] = ".plist";
- if (len < sizeof(suffix))
- return 0;
- if (strcasecmp(&fname[len - (sizeof(suffix) - 1)], suffix) != 0)
- return 0;
- return 1;
-}
-
/**
* Parse a configuration file and add the result into res. This
* interface can be used to parse several configuration files into one
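Review bot: krb5_config_parse_dir_multi() is documented as adding to `res` across repeated calls, but the body sets `*res = NULL` and passes a fresh `section = NULL` to heim_config_parse_dir_multi(). A second call therefore drops (and leaks) whatever the first call accumulated instead of merging into it. If accumulation is intended, seed the parser with the caller's value, `heim_config_section *section = (heim_config_section *)*res;`, and remove the `*res = NULL;` line; otherwise correct the doc comment. The doc text also has "repeatably" for "repeatedly" and "must be free with" for "must be freed with".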
@@ -413,139 +92,35 @@ is_plist_file(const char *fname)
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_file_multi (krb5_context context,
- const char *fname,
- krb5_config_section **res)
+krb5_config_parse_file_multi(krb5_context context,
+ const char *fname,
+ krb5_config_section **res)
{
- const char *str;
- char *newfname = NULL;
- unsigned lineno = 0;
krb5_error_code ret;
- struct fileptr f;
-
- /**
- * If the fname starts with "~/" parse configuration file in the
- * current users home directory. The behavior can be disabled and
- * enabled by calling krb5_set_home_dir_access().
- */
- if (ISTILDE(fname[0]) && ISPATHSEP(fname[1])) {
-#ifndef KRB5_USE_PATH_TOKENS
- const char *home = NULL;
-
- if (!_krb5_homedir_access(context)) {
- krb5_set_error_message(context, EPERM,
- "Access to home directory not allowed");
- return EPERM;
- }
-
- if(!issuid())
- home = getenv("HOME");
-
- if (home == NULL) {
- struct passwd *pw = getpwuid(getuid());
- if(pw != NULL)
- home = pw->pw_dir;
- }
- if (home) {
- int aret;
-
- aret = asprintf(&newfname, "%s%s", home, &fname[1]);
- if (aret == -1 || newfname == NULL)
- return krb5_enomem(context);
- fname = newfname;
- }
-#else /* KRB5_USE_PATH_TOKENS */
- if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
- newfname == NULL)
- return krb5_enomem(context);
- fname = newfname;
-#endif
- }
-
- if (is_plist_file(fname)) {
-#ifdef __APPLE__
- ret = parse_plist_config(context, fname, res);
- if (ret) {
- krb5_set_error_message(context, ret,
- "Failed to parse plist %s", fname);
- if (newfname)
- free(newfname);
- return ret;
- }
-#else
- krb5_set_error_message(context, ENOENT,
- "no support for plist configuration files");
- return ENOENT;
-#endif
- } else {
-#ifdef KRB5_USE_PATH_TOKENS
- char * exp_fname = NULL;
-
- ret = _krb5_expand_path_tokens(context, fname, 1, &exp_fname);
- if (ret) {
- if (newfname)
- free(newfname);
- return ret;
- }
-
- if (newfname)
- free(newfname);
- fname = newfname = exp_fname;
-#endif
+ heim_config_section *section = NULL;
+
+ if (res == NULL)
+ return EINVAL;
+
+ *res = NULL;
- f.f = fopen(fname, "r");
- f.s = NULL;
- if(f.f == NULL) {
- ret = errno;
- krb5_set_error_message (context, ret, "open %s: %s",
- fname, strerror(ret));
- if (newfname)
- free(newfname);
- return ret;
- }
-
- ret = krb5_config_parse_debug (&f, res, &lineno, &str);
- fclose(f.f);
- if (ret) {
- krb5_set_error_message (context, ret, "%s:%u: %s",
- fname, lineno, str);
- if (newfname)
- free(newfname);
- return ret;
- }
- }
+ ret = heim_config_parse_file_multi(context->hcontext, fname, &section);
+ if (ret == HEIM_ERR_CONFIG_BADFORMAT)
+ return KRB5_CONFIG_BADFORMAT;
+ if (ret)
+ return ret;
+ *res = (krb5_config_section *)section;
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_file (krb5_context context,
- const char *fname,
- krb5_config_section **res)
+krb5_config_parse_file(krb5_context context,
+ const char *fname,
+ krb5_config_section **res)
{
- *res = NULL;
return krb5_config_parse_file_multi(context, fname, res);
}
-static void
-free_binding (krb5_context context, krb5_config_binding *b)
-{
- krb5_config_binding *next_b;
-
- while (b) {
- free (b->name);
- if (b->type == krb5_config_string)
- free (b->u.string);
- else if (b->type == krb5_config_list)
- free_binding (context, b->u.list);
- else
- krb5_abortx(context, "unknown binding type (%d) in free_binding",
- b->type);
- next_b = b->next;
- free (b);
- b = next_b;
- }
-}
-
/**
* Free configuration file section, the result of
* krb5_config_parse_file() and krb5_config_parse_file_multi().
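Review bot: `krb5_config_parse_file_multi` now sets `*res = NULL;` on entry and then overwrites it with the freshly parsed section, so a caller that passes an already-populated list loses (and leaks) it. That contradicts the doc comment above the function, which says the result is added into `res` so that several files can be parsed into one. If accumulation is still intended, seed the local from the caller's list, e.g. `heim_config_section *section = (heim_config_section *)*res;`, store it back before returning, and keep the reset only in `krb5_config_parse_file`, whose `*res = NULL;` this hunk removes. The same reset appears in the wrapper around `heim_config_parse_dir_multi` above and in `krb5_config_parse_string_multi` further down. Separately, the removed body checked `_krb5_homedir_access()` and `issuid()` before expanding `~/` and set a `file:line` error message on the krb5 context; nothing in this hunk shows the heimbase call doing either, so both are worth confirming.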
@@ -560,10 +135,9 @@ free_binding (krb5_context context, krb5_config_binding *b)
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_file_free (krb5_context context, krb5_config_section *s)
+krb5_config_file_free(krb5_context context, krb5_config_section *s)
{
- free_binding (context, s);
- return 0;
+ return heim_config_file_free(context->hcontext, (heim_config_section *)s);
}
#ifndef HEIMDAL_SMALLER
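Review bot: `krb5_config_file_free` now dereferences `context` unconditionally through `context->hcontext`, whereas the removed `free_binding` only used `context` on the `krb5_abortx` path for an unknown binding type. A caller that frees a section with a NULL context, for example on a cleanup path after context setup failed, would now crash instead of freeing. If such callers cannot be ruled out, add a guard such as `if (context == NULL) return EINVAL;`, or state in the doc comment above that a valid context is required.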
@@ -571,139 +145,81 @@ krb5_config_file_free (krb5_context context, krb5_config_section *s)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_config_copy(krb5_context context,
krb5_config_section *c,
- krb5_config_section **head)
+ krb5_config_section **res)
{
- krb5_config_binding *d, *previous = NULL;
-
- *head = NULL;
-
- while (c) {
- d = calloc(1, sizeof(*d));
-
- if (*head == NULL)
- *head = d;
-
- d->name = strdup(c->name);
- d->type = c->type;
- if (d->type == krb5_config_string)
- d->u.string = strdup(c->u.string);
- else if (d->type == krb5_config_list)
- _krb5_config_copy (context, c->u.list, &d->u.list);
- else
- krb5_abortx(context,
- "unknown binding type (%d) in krb5_config_copy",
- d->type);
- if (previous)
- previous->next = d;
-
- previous = d;
- c = c->next;
- }
+ krb5_error_code ret;
+ heim_config_section *section = NULL;
+
+ if (res == NULL)
+ return EINVAL;
+
+ *res = NULL;
+ ret = heim_config_copy(context->hcontext, (heim_config_section *)c, &section);
+ if (ret)
+ return ret;
+ *res = (krb5_config_section *)section;
return 0;
}
#endif /* HEIMDAL_SMALLER */
KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_get_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- ...)
+_krb5_config_get_next(krb5_context context,
+ const krb5_config_section *c,
+ const krb5_config_binding **pointer,
+ int type,
+ ...)
{
const char *ret;
va_list args;
va_start(args, type);
- ret = _krb5_config_vget_next (context, c, pointer, type, args);
+ ret = heim_config_vget_next(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ (const heim_config_binding **)pointer, type, args);
va_end(args);
return ret;
}
-static const void *
-vget_next(krb5_context context,
- const krb5_config_binding *b,
- const krb5_config_binding **pointer,
- int type,
- const char *name,
- va_list args)
-{
- const char *p = va_arg(args, const char *);
- while(b != NULL) {
- if(strcmp(b->name, name) == 0) {
- if(b->type == (unsigned)type && p == NULL) {
- *pointer = b;
- return b->u.generic;
- } else if(b->type == krb5_config_list && p != NULL) {
- return vget_next(context, b->u.list, pointer, type, p, args);
- }
- }
- b = b->next;
- }
- return NULL;
-}
-
KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_vget_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- va_list args)
+_krb5_config_vget_next(krb5_context context,
+ const krb5_config_section *c,
+ const krb5_config_binding **pointer,
+ int type,
+ va_list args)
{
- const krb5_config_binding *b;
- const char *p;
-
- if(c == NULL)
- c = context->cf;
-
- if (c == NULL)
- return NULL;
-
- if (*pointer == NULL) {
- /* first time here, walk down the tree looking for the right
- section */
- p = va_arg(args, const char *);
- if (p == NULL)
- return NULL;
- return vget_next(context, c, pointer, type, p, args);
- }
-
- /* we were called again, so just look for more entries with the
- same name and type */
- for (b = (*pointer)->next; b != NULL; b = b->next) {
- if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) {
- *pointer = b;
- return b->u.generic;
- }
- }
- return NULL;
+ return heim_config_vget_next(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ (const heim_config_binding **)pointer, type, args);
}
KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_get (krb5_context context,
- const krb5_config_section *c,
- int type,
- ...)
+_krb5_config_get(krb5_context context,
+ const krb5_config_section *c,
+ int type,
+ ...)
{
const void *ret;
va_list args;
va_start(args, type);
- ret = _krb5_config_vget (context, c, type, args);
+ ret = heim_config_vget(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ type, args);
va_end(args);
return ret;
}
KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_vget (krb5_context context,
- const krb5_config_section *c,
- int type,
- va_list args)
+_krb5_config_vget(krb5_context context,
+ const krb5_config_section *c,
+ int type,
+ va_list args)
{
- const krb5_config_binding *foo = NULL;
-
- return _krb5_config_vget_next (context, c, &foo, type, args);
+ return heim_config_vget(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ type, args);
}
/**
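Review bot: The expression `(const heim_config_section *)(c ? c : context->cf)` is repeated in every wrapper in this hunk (`_krb5_config_get_next`, `_krb5_config_vget_next`, `_krb5_config_get`, `_krb5_config_vget`) and again in the list/string/strings/bool/time/int hunks below, where the variadic functions previously just called their `v` counterpart. A single file-local helper, e.g. `static const heim_config_section *cfg_or_default(krb5_context context, const krb5_config_section *c)` returning that expression, would keep the NULL-section fallback and the cast in one place. The casts between `krb5_config_section`/`krb5_config_binding` and the `heim_config_*` types are only sound if the krb5 names are aliases of, or layout-identical to, the heimbase structs. That is not visible in this diff, so a comment or `_Static_assert` next to the helper stating the assumption would help the next reader.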
@@ -719,17 +235,19 @@ _krb5_config_vget (krb5_context context,
*/
KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
-krb5_config_get_list (krb5_context context,
- const krb5_config_section *c,
- ...)
+krb5_config_get_list(krb5_context context,
+ const krb5_config_section *c,
+ ...)
{
- const krb5_config_binding *ret;
+ const heim_config_binding *ret;
va_list args;
va_start(args, c);
- ret = krb5_config_vget_list (context, c, args);
+ ret = heim_config_vget_list(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
va_end(args);
- return ret;
+ return (const krb5_config_binding *)ret;
}
/**
@@ -745,11 +263,16 @@ krb5_config_get_list (krb5_context context,
*/
KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
-krb5_config_vget_list (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_list(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return _krb5_config_vget (context, c, krb5_config_list, args);
+ const heim_config_binding *ret;
+
+ ret = heim_config_vget_list(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
+ return (const krb5_config_binding *)ret;
}
/**
@@ -768,15 +291,17 @@ krb5_config_vget_list (krb5_context context,
*/
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_get_string (krb5_context context,
- const krb5_config_section *c,
- ...)
+krb5_config_get_string(krb5_context context,
+ const krb5_config_section *c,
+ ...)
{
const char *ret;
va_list args;
va_start(args, c);
- ret = krb5_config_vget_string (context, c, args);
+ ret = heim_config_vget_string(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
va_end(args);
return ret;
}
@@ -794,11 +319,13 @@ krb5_config_get_string (krb5_context context,
*/
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_vget_string (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_string(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return _krb5_config_vget (context, c, krb5_config_string, args);
+ return heim_config_vget_string(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
}
/**
@@ -817,17 +344,14 @@ krb5_config_vget_string (krb5_context context,
*/
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_vget_string_default (krb5_context context,
- const krb5_config_section *c,
- const char *def_value,
- va_list args)
+krb5_config_vget_string_default(krb5_context context,
+ const krb5_config_section *c,
+ const char *def_value,
+ va_list args)
{
- const char *ret;
-
- ret = krb5_config_vget_string (context, c, args);
- if (ret == NULL)
- ret = def_value;
- return ret;
+ return heim_config_vget_string_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
}
/**
@@ -846,64 +370,22 @@ krb5_config_vget_string_default (krb5_context context,
*/
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_get_string_default (krb5_context context,
- const krb5_config_section *c,
- const char *def_value,
- ...)
+krb5_config_get_string_default(krb5_context context,
+ const krb5_config_section *c,
+ const char *def_value,
+ ...)
{
const char *ret;
va_list args;
va_start(args, def_value);
- ret = krb5_config_vget_string_default (context, c, def_value, args);
+ ret = heim_config_vget_string_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
va_end(args);
return ret;
}
-static char *
-next_component_string(char * begin, const char * delims, char **state)
-{
- char * end;
-
- if (begin == NULL)
- begin = *state;
-
- if (*begin == '\0')
- return NULL;
-
- end = begin;
- while (*end == '"') {
- char * t = strchr(end + 1, '"');
-
- if (t)
- end = ++t;
- else
- end += strlen(end);
- }
-
- if (*end != '\0') {
- size_t pos;
-
- pos = strcspn(end, delims);
- end = end + pos;
- }
-
- if (*end != '\0') {
- *end = '\0';
- *state = end + 1;
- if (*begin == '"' && *(end - 1) == '"' && begin + 1 < end) {
- begin++; *(end - 1) = '\0';
- }
- return begin;
- }
-
- *state = end;
- if (*begin == '"' && *(end - 1) == '"' && begin + 1 < end) {
- begin++; *(end - 1) = '\0';
- }
- return begin;
-}
-
/**
* Get a list of configuration strings, free the result with
* krb5_config_free_strings().
@@ -922,50 +404,9 @@ krb5_config_vget_strings(krb5_context context,
const krb5_config_section *c,
va_list args)
{
- char **strings = NULL;
- int nstr = 0;
- const krb5_config_binding *b = NULL;
- const char *p;
-
- while((p = _krb5_config_vget_next(context, c, &b,
- krb5_config_string, args))) {
- char *tmp = strdup(p);
- char *pos = NULL;
- char *s;
- if(tmp == NULL)
- goto cleanup;
- s = next_component_string(tmp, " \t", &pos);
- while(s){
- char **tmp2 = realloc(strings, (nstr + 1) * sizeof(*strings));
- if(tmp2 == NULL) {
- free(tmp);
- goto cleanup;
- }
- strings = tmp2;
- strings[nstr] = strdup(s);
- nstr++;
- if(strings[nstr-1] == NULL) {
- free(tmp);
- goto cleanup;
- }
- s = next_component_string(NULL, " \t", &pos);
- }
- free(tmp);
- }
- if(nstr){
- char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings));
- if(tmp == NULL)
- goto cleanup;
- strings = tmp;
- strings[nstr] = NULL;
- }
- return strings;
-cleanup:
- while(nstr--)
- free(strings[nstr]);
- free(strings);
- return NULL;
-
+ return heim_config_vget_strings(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
}
/**
@@ -989,7 +430,9 @@ krb5_config_get_strings(krb5_context context,
va_list ap;
char **ret;
va_start(ap, c);
- ret = krb5_config_vget_strings(context, c, ap);
+ ret = heim_config_vget_strings(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ ap);
va_end(ap);
return ret;
}
@@ -1006,12 +449,7 @@ krb5_config_get_strings(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_config_free_strings(char **strings)
{
- char **s = strings;
- while(s && *s){
- free(*s);
- s++;
- }
- free(strings);
+ heim_config_free_strings(strings);
}
/**
@@ -1033,19 +471,14 @@ krb5_config_free_strings(char **strings)
*/
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_vget_bool_default (krb5_context context,
- const krb5_config_section *c,
- krb5_boolean def_value,
- va_list args)
+krb5_config_vget_bool_default(krb5_context context,
+ const krb5_config_section *c,
+ krb5_boolean def_value,
+ va_list args)
{
- const char *str;
- str = krb5_config_vget_string (context, c, args);
- if(str == NULL)
- return def_value;
- if(strcasecmp(str, "yes") == 0 ||
- strcasecmp(str, "true") == 0 ||
- atoi(str)) return TRUE;
- return FALSE;
+ return heim_config_vget_bool_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
}
/**
@@ -1063,11 +496,13 @@ krb5_config_vget_bool_default (krb5_context context,
*/
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_vget_bool (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_bool(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return krb5_config_vget_bool_default (context, c, FALSE, args);
+ return heim_config_vget_bool_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ FALSE, args);
}
/**
@@ -1087,15 +522,17 @@ krb5_config_vget_bool (krb5_context context,
*/
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_get_bool_default (krb5_context context,
- const krb5_config_section *c,
- krb5_boolean def_value,
- ...)
+krb5_config_get_bool_default(krb5_context context,
+ const krb5_config_section *c,
+ krb5_boolean def_value,
+ ...)
{
va_list ap;
krb5_boolean ret;
va_start(ap, def_value);
- ret = krb5_config_vget_bool_default(context, c, def_value, ap);
+ ret = heim_config_vget_bool_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, ap);
va_end(ap);
return ret;
}
@@ -1147,20 +584,14 @@ krb5_config_get_bool (krb5_context context,
*/
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_time_default (krb5_context context,
- const krb5_config_section *c,
- int def_value,
- va_list args)
+krb5_config_vget_time_default(krb5_context context,
+ const krb5_config_section *c,
+ int def_value,
+ va_list args)
{
- const char *str;
- krb5_deltat t;
-
- str = krb5_config_vget_string (context, c, args);
- if(str == NULL)
- return def_value;
- if (krb5_string_to_deltat(str, &t))
- return def_value;
- return t;
+ return heim_config_vget_time_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
}
/**
@@ -1176,11 +607,13 @@ krb5_config_vget_time_default (krb5_context context,
*/
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_time (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_time(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return krb5_config_vget_time_default (context, c, -1, args);
+ return heim_config_vget_time_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ -1, args);
}
/**
@@ -1198,15 +631,17 @@ krb5_config_vget_time (krb5_context context,
*/
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_time_default (krb5_context context,
- const krb5_config_section *c,
- int def_value,
- ...)
+krb5_config_get_time_default(krb5_context context,
+ const krb5_config_section *c,
+ int def_value,
+ ...)
{
va_list ap;
int ret;
va_start(ap, def_value);
- ret = krb5_config_vget_time_default(context, c, def_value, ap);
+ ret = heim_config_vget_time_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, ap);
va_end(ap);
return ret;
}
@@ -1224,78 +659,75 @@ krb5_config_get_time_default (krb5_context context,
*/
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_time (krb5_context context,
- const krb5_config_section *c,
- ...)
+krb5_config_get_time(krb5_context context,
+ const krb5_config_section *c,
+ ...)
{
va_list ap;
int ret;
va_start(ap, c);
- ret = krb5_config_vget_time (context, c, ap);
+ ret = heim_config_vget_time(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ ap);
va_end(ap);
return ret;
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_int_default (krb5_context context,
- const krb5_config_section *c,
- int def_value,
- va_list args)
+krb5_config_vget_int_default(krb5_context context,
+ const krb5_config_section *c,
+ int def_value,
+ va_list args)
{
- const char *str;
- str = krb5_config_vget_string (context, c, args);
- if(str == NULL)
- return def_value;
- else {
- char *endptr;
- long l;
- l = strtol(str, &endptr, 0);
- if (endptr == str)
- return def_value;
- else
- return l;
- }
+ return heim_config_vget_int_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_int (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_int(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return krb5_config_vget_int_default (context, c, -1, args);
+ return heim_config_vget_int_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ -1, args);
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_int_default (krb5_context context,
- const krb5_config_section *c,
- int def_value,
- ...)
+krb5_config_get_int_default(krb5_context context,
+ const krb5_config_section *c,
+ int def_value,
+ ...)
{
va_list ap;
int ret;
va_start(ap, def_value);
- ret = krb5_config_vget_int_default(context, c, def_value, ap);
+ ret = heim_config_vget_int_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, ap);
va_end(ap);
return ret;
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_int (krb5_context context,
- const krb5_config_section *c,
- ...)
+krb5_config_get_int(krb5_context context,
+ const krb5_config_section *c,
+ ...)
{
va_list ap;
int ret;
va_start(ap, c);
- ret = krb5_config_vget_int (context, c, ap);
+ ret = heim_config_vget_int(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ ap);
va_end(ap);
return ret;
}
#ifndef HEIMDAL_SMALLER
-
/**
* Deprecated: configuration files are not strings
*
@@ -1308,20 +740,19 @@ krb5_config_parse_string_multi(krb5_context context,
krb5_config_section **res)
KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- const char *str;
- unsigned lineno = 0;
krb5_error_code ret;
- struct fileptr f;
- f.f = NULL;
- f.s = string;
-
- ret = krb5_config_parse_debug (&f, res, &lineno, &str);
- if (ret) {
- krb5_set_error_message (context, ret, "%s:%u: %s",
- "<constant>", lineno, str);
+ heim_config_section *section = NULL;
+
+ if (res == NULL)
+ return EINVAL;
+
+ *res = NULL;
+ ret = heim_config_parse_string_multi(context->hcontext, string, &section);
+ if (ret == HEIM_ERR_CONFIG_BADFORMAT)
+ return KRB5_CONFIG_BADFORMAT;
+ if (ret)
return ret;
- }
+ *res = (krb5_config_section *)section;
return 0;
}
-
#endif
diff --git a/lib/krb5/config_reg.c b/lib/krb5/config_reg.c
deleted file mode 100644
index 6ee6a6496f4b..000000000000
--- a/lib/krb5/config_reg.c
+++ /dev/null
@@ -1,649 +0,0 @@
-/***********************************************************************
- * Copyright (c) 2010, Secure Endpoints Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * - Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- **********************************************************************/
-
-#include "krb5_locl.h"
-
-#ifndef _WIN32
-#error config_reg.c is only for Windows
-#endif
-
-#include <shlwapi.h>
-
-#ifndef MAX_DWORD
-#define MAX_DWORD 0xFFFFFFFF
-#endif
-
-#define REGPATH_KERBEROS "SOFTWARE\\Kerberos"
-#define REGPATH_HEIMDAL "SOFTWARE\\Heimdal"
-
-/**
- * Store a string as a registry value of the specified type
- *
- * The following registry types are handled:
- *
- * - REG_DWORD: The string is converted to a number.
- *
- * - REG_SZ: The string is stored as is.
- *
- * - REG_EXPAND_SZ: The string is stored as is.
- *
- * - REG_MULTI_SZ:
- *
- * . If a separator is specified, the input string is broken
- * up into multiple strings and stored as a multi-sz.
- *
- * . If no separator is provided, the input string is stored
- * as a multi-sz.
- *
- * - REG_NONE:
- *
- * . If the string is all numeric, it will be stored as a
- * REG_DWORD.
- *
- * . Otherwise, the string is stored as a REG_SZ.
- *
- * Other types are rejected.
- *
- * If cb_data is MAX_DWORD, the string pointed to by data must be nul-terminated
- * otherwise a buffer overrun will occur.
- *
- * @param [in]valuename Name of the registry value to be modified or created
- * @param [in]type Type of the value. REG_NONE if unknown
- * @param [in]data The input string to be stored in the registry.
- * @param [in]cb_data Size of the input string in bytes. MAX_DWORD if unknown.
- * @param [in]separator Separator character for parsing strings.
- *
- * @retval 0 if success or non-zero on error.
- * If non-zero is returned, an error message has been set using
- * krb5_set_error_message().
- *
- */
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_store_string_to_reg_value(krb5_context context,
- HKEY key, const char * valuename,
- DWORD type, const char *data, DWORD cb_data,
- const char * separator)
-{
- LONG rcode;
- DWORD dwData;
- BYTE static_buffer[16384];
- BYTE *pbuffer = &static_buffer[0];
-
- if (data == NULL)
- {
- if (context)
- krb5_set_error_message(context, 0,
- "'data' must not be NULL");
- return -1;
- }
-
- if (cb_data == MAX_DWORD)
- {
- cb_data = (DWORD)strlen(data) + 1;
- }
- else if ((type == REG_MULTI_SZ && cb_data >= sizeof(static_buffer) - 1) ||
- cb_data >= sizeof(static_buffer))
- {
- if (context)
- krb5_set_error_message(context, 0, "cb_data too big");
- return -1;
- }
- else if (data[cb_data-1] != '\0')
- {
- memcpy(static_buffer, data, cb_data);
- static_buffer[cb_data++] = '\0';
- if (type == REG_MULTI_SZ)
- static_buffer[cb_data++] = '\0';
- data = static_buffer;
- }
-
- if (type == REG_NONE)
- {
- /*
- * If input is all numeric, convert to DWORD and save as REG_DWORD.
- * Otherwise, store as REG_SZ.
- */
- if ( StrToIntExA( data, STIF_SUPPORT_HEX, &dwData) )
- {
- type = REG_DWORD;
- } else {
- type = REG_SZ;
- }
- }
-
- switch (type) {
- case REG_SZ:
- case REG_EXPAND_SZ:
- rcode = RegSetValueEx(key, valuename, 0, type, data, cb_data);
- if (rcode)
- {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error when setting registry value %s gle 0x%x",
- valuename,
- GetLastError());
- return -1;
- }
- break;
- case REG_MULTI_SZ:
- if (separator && *separator)
- {
- char *cp;
-
- if (data != static_buffer)
- static_buffer[cb_data++] = '\0';
-
- for ( cp = static_buffer; cp < static_buffer+cb_data; cp++)
- {
- if (*cp == *separator)
- *cp = '\0';
- }
-
- rcode = RegSetValueEx(key, valuename, 0, type, data, cb_data);
- if (rcode)
- {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error when setting registry value %s gle 0x%x",
- valuename,
- GetLastError());
- return -1;
- }
- }
- break;
- case REG_DWORD:
- if ( !StrToIntExA( data, STIF_SUPPORT_HEX, &dwData) )
- {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error when parsing %s as number gle 0x%x",
- data,
- GetLastError());
- }
-
- rcode = RegSetValueEx(key, valuename, 0, type, (BYTE *)&dwData, sizeof(DWORD));
- if (rcode)
- {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error when setting registry value %s gle 0x%x",
- valuename,
- GetLastError());
- return -1;
- }
- break;
- default:
- return -1;
- }
-
- return 0;
-}
-
-/**
- * Parse a registry value as a string
- *
- * @see _krb5_parse_reg_value_as_multi_string()
- */
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_parse_reg_value_as_string(krb5_context context,
- HKEY key, const char * valuename,
- DWORD type, DWORD cb_data)
-{
- return _krb5_parse_reg_value_as_multi_string(context, key, valuename,
- type, cb_data, " ");
-}
-
-/**
- * Parse a registry value as a multi string
- *
- * The following registry value types are handled:
- *
- * - REG_DWORD: The decimal string representation is used as the
- * value.
- *
- * - REG_SZ: The string is used as-is.
- *
- * - REG_EXPAND_SZ: Environment variables in the string are expanded
- * and the result is used as the value.
- *
- * - REG_MULTI_SZ: The list of strings is concatenated using the
- * separator. No quoting is performed.
- *
- * Any other value type is rejected.
- *
- * @param [in]valuename Name of the registry value to be queried
- * @param [in]type Type of the value. REG_NONE if unknown
- * @param [in]cbdata Size of value. 0 if unknown.
- * @param [in]separator Separator character for concatenating strings.
- *
- * @a type and @a cbdata are only considered valid if both are
- * specified.
- *
- * @retval The registry value string, or NULL if there was an error.
- * If NULL is returned, an error message has been set using
- * krb5_set_error_message().
- */
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_parse_reg_value_as_multi_string(krb5_context context,
- HKEY key, const char * valuename,
- DWORD type, DWORD cb_data, char *separator)
-{
- LONG rcode = ERROR_MORE_DATA;
-
- BYTE static_buffer[16384];
- BYTE *pbuffer = &static_buffer[0];
- DWORD cb_alloc = sizeof(static_buffer);
- char *ret_string = NULL;
-
- /* If we know a type and cb_data from a previous call to
- * RegEnumValue(), we use it. Otherwise we use the
- * static_buffer[] and query directly. We do this to minimize the
- * number of queries. */
-
- if (type == REG_NONE || cb_data == 0) {
-
- pbuffer = &static_buffer[0];
- cb_alloc = cb_data = sizeof(static_buffer);
- rcode = RegQueryValueExA(key, valuename, NULL, &type, pbuffer, &cb_data);
-
- if (rcode == ERROR_SUCCESS &&
-
- ((type != REG_SZ &&
- type != REG_EXPAND_SZ) || cb_data + 1 <= sizeof(static_buffer)) &&
-
- (type != REG_MULTI_SZ || cb_data + 2 <= sizeof(static_buffer)))
- goto have_data;
-
- if (rcode != ERROR_MORE_DATA && rcode != ERROR_SUCCESS)
- return NULL;
- }
-
- /* Either we don't have the data or we aren't sure of the size
- * (due to potentially missing terminating NULs). */
-
- switch (type) {
- case REG_DWORD:
- if (cb_data != sizeof(DWORD)) {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected size while reading registry value %s",
- valuename);
- return NULL;
- }
- break;
-
- case REG_SZ:
- case REG_EXPAND_SZ:
-
- if (rcode == ERROR_SUCCESS && cb_data > 0 && pbuffer[cb_data - 1] == '\0')
- goto have_data;
-
- cb_data += sizeof(char); /* Accout for potential missing NUL
- * terminator. */
- break;
-
- case REG_MULTI_SZ:
-
- if (rcode == ERROR_SUCCESS && cb_data > 0 && pbuffer[cb_data - 1] == '\0' &&
- (cb_data == 1 || pbuffer[cb_data - 2] == '\0'))
- goto have_data;
-
- cb_data += sizeof(char) * 2; /* Potential missing double NUL
- * terminator. */
- break;
-
- default:
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected type while reading registry value %s",
- valuename);
- return NULL;
- }
-
- if (cb_data <= sizeof(static_buffer))
- pbuffer = &static_buffer[0];
- else {
- pbuffer = malloc(cb_data);
- if (pbuffer == NULL)
- return NULL;
- }
-
- cb_alloc = cb_data;
- rcode = RegQueryValueExA(key, valuename, NULL, NULL, pbuffer, &cb_data);
-
- if (rcode != ERROR_SUCCESS) {
-
- /* This can potentially be from a race condition. I.e. some
- * other process or thread went and modified the registry
- * value between the time we queried its size and queried for
- * its value. Ideally we would retry the query in a loop. */
-
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error while reading registry value %s",
- valuename);
- goto done;
- }
-
- if (cb_data > cb_alloc || cb_data == 0) {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected size while reading registry value %s",
- valuename);
- goto done;
- }
-
-have_data:
- switch (type) {
- case REG_DWORD:
- asprintf(&ret_string, "%d", *((DWORD *) pbuffer));
- break;
-
- case REG_SZ:
- {
- char * str = (char *) pbuffer;
-
- if (str[cb_data - 1] != '\0') {
- if (cb_data < cb_alloc)
- str[cb_data] = '\0';
- else
- break;
- }
-
- if (pbuffer != static_buffer) {
- ret_string = (char *) pbuffer;
- pbuffer = NULL;
- } else {
- ret_string = strdup((char *) pbuffer);
- }
- }
- break;
-
- case REG_EXPAND_SZ:
- {
- char *str = (char *) pbuffer;
- char expsz[32768]; /* Size of output buffer for
- * ExpandEnvironmentStrings() is
- * limited to 32K. */
-
- if (str[cb_data - 1] != '\0') {
- if (cb_data < cb_alloc)
- str[cb_data] = '\0';
- else
- break;
- }
-
- if (ExpandEnvironmentStrings(str, expsz, sizeof(expsz)/sizeof(char)) != 0) {
- ret_string = strdup(expsz);
- } else {
- if (context)
- krb5_set_error_message(context, 0,
- "Overflow while expanding environment strings "
- "for registry value %s", valuename);
- }
- }
- break;
-
- case REG_MULTI_SZ:
- {
- char * str = (char *) pbuffer;
- char * iter;
-
- str[cb_alloc - 1] = '\0';
- str[cb_alloc - 2] = '\0';
-
- for (iter = str; *iter;) {
- size_t len = strlen(iter);
-
- iter += len;
- if (iter[1] != '\0')
- *iter++ = *separator;
- else
- break;
- }
-
- if (pbuffer != static_buffer) {
- ret_string = str;
- pbuffer = NULL;
- } else {
- ret_string = strdup(str);
- }
- }
- break;
-
- default:
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected type while reading registry value %s",
- valuename);
- }
-
-done:
- if (pbuffer != static_buffer && pbuffer != NULL)
- free(pbuffer);
-
- return ret_string;
-}
-
-/**
- * Parse a registry value as a configuration value
- *
- * @see parse_reg_value_as_string()
- */
-static krb5_error_code
-parse_reg_value(krb5_context context,
- HKEY key, const char * valuename,
- DWORD type, DWORD cbdata, krb5_config_section ** parent)
-{
- char *reg_string = NULL;
- krb5_config_section *value;
- krb5_error_code code = 0;
-
- reg_string = _krb5_parse_reg_value_as_string(context, key, valuename, type, cbdata);
-
- if (reg_string == NULL)
- return KRB5_CONFIG_BADFORMAT;
-
- value = _krb5_config_get_entry(parent, valuename, krb5_config_string);
- if (value == NULL) {
- code = ENOMEM;
- goto done;
- }
-
- if (value->u.string != NULL)
- free(value->u.string);
-
- value->u.string = reg_string;
- reg_string = NULL;
-
-done:
- if (reg_string != NULL)
- free(reg_string);
-
- return code;
-}
-
-static krb5_error_code
-parse_reg_values(krb5_context context,
- HKEY key,
- krb5_config_section ** parent)
-{
- DWORD index;
- LONG rcode;
-
- for (index = 0; ; index ++) {
- char name[16385];
- DWORD cch = sizeof(name)/sizeof(name[0]);
- DWORD type;
- DWORD cbdata = 0;
- krb5_error_code code;
-
- rcode = RegEnumValue(key, index, name, &cch, NULL,
- &type, NULL, &cbdata);
- if (rcode != ERROR_SUCCESS)
- break;
-
- if (cbdata == 0)
- continue;
-
- code = parse_reg_value(context, key, name, type, cbdata, parent);
- if (code != 0)
- return code;
- }
-
- return 0;
-}
-
-static krb5_error_code
-parse_reg_subkeys(krb5_context context,
- HKEY key,
- krb5_config_section ** parent)
-{
- DWORD index;
- LONG rcode;
-
- for (index = 0; ; index ++) {
- HKEY subkey = NULL;
- char name[256];
- DWORD cch = sizeof(name)/sizeof(name[0]);
- krb5_config_section *section = NULL;
- krb5_error_code code;
-
- rcode = RegEnumKeyEx(key, index, name, &cch, NULL, NULL, NULL, NULL);
- if (rcode != ERROR_SUCCESS)
- break;
-
- rcode = RegOpenKeyEx(key, name, 0, KEY_READ, &subkey);
- if (rcode != ERROR_SUCCESS)
- continue;
-
- section = _krb5_config_get_entry(parent, name, krb5_config_list);
- if (section == NULL) {
- RegCloseKey(subkey);
- return ENOMEM;
- }
-
- code = parse_reg_values(context, subkey, &section->u.list);
- if (code) {
- RegCloseKey(subkey);
- return code;
- }
-
- code = parse_reg_subkeys(context, subkey, &section->u.list);
- if (code) {
- RegCloseKey(subkey);
- return code;
- }
-
- RegCloseKey(subkey);
- }
-
- return 0;
-}
-
-static krb5_error_code
-parse_reg_root(krb5_context context,
- HKEY key,
- krb5_config_section ** parent)
-{
- krb5_config_section *libdefaults = NULL;
- krb5_error_code code = 0;
-
- libdefaults = _krb5_config_get_entry(parent, "libdefaults", krb5_config_list);
- if (libdefaults == NULL)
- return krb5_enomem(context);
-
- code = parse_reg_values(context, key, &libdefaults->u.list);
- if (code)
- return code;
-
- return parse_reg_subkeys(context, key, parent);
-}
-
-static krb5_error_code
-load_config_from_regpath(krb5_context context,
- HKEY hk_root,
- const char* key_path,
- krb5_config_section ** res)
-{
- HKEY key = NULL;
- LONG rcode;
- krb5_error_code code = 0;
-
- rcode = RegOpenKeyEx(hk_root, key_path, 0, KEY_READ, &key);
- if (rcode == ERROR_SUCCESS) {
- code = parse_reg_root(context, key, res);
- RegCloseKey(key);
- key = NULL;
- }
-
- return code;
-}
-
-/**
- * Load configuration from registry
- *
- * The registry keys 'HKCU\Software\Heimdal' and
- * 'HKLM\Software\Heimdal' are treated as krb5.conf files. Each
- * registry key corresponds to a configuration section (or bound list)
- * and each value in a registry key is treated as a bound value. The
- * set of values that are directly under the Heimdal key are treated
- * as if they were defined in the [libdefaults] section.
- *
- * @see parse_reg_value() for details about how each type of value is handled.
- */
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_load_config_from_registry(krb5_context context,
- krb5_config_section ** res)
-{
- krb5_error_code code;
-
- code = load_config_from_regpath(context, HKEY_LOCAL_MACHINE,
- REGPATH_KERBEROS, res);
- if (code)
- return code;
-
- code = load_config_from_regpath(context, HKEY_LOCAL_MACHINE,
- REGPATH_HEIMDAL, res);
- if (code)
- return code;
-
- code = load_config_from_regpath(context, HKEY_CURRENT_USER,
- REGPATH_KERBEROS, res);
- if (code)
- return code;
-
- code = load_config_from_regpath(context, HKEY_CURRENT_USER,
- REGPATH_HEIMDAL, res);
- if (code)
- return code;
- return 0;
-}
diff --git a/lib/krb5/constants.c b/lib/krb5/constants.c
index 87147c22bcb7..43b8f54eb165 100644
--- a/lib/krb5/constants.c
+++ b/lib/krb5/constants.c
@@ -35,7 +35,7 @@
#include "krb5_locl.h"
-KRB5_LIB_VARIABLE const char *krb5_config_file =
+KRB5_LIB_VARIABLE const char *const krb5_config_file =
#ifdef KRB5_DEFAULT_CONFIG_FILE
KRB5_DEFAULT_CONFIG_FILE
#else
@@ -56,11 +56,12 @@ SYSCONFDIR "/krb5.conf" PATH_SEP
#endif /* KRB5_DEFAULT_CONFIG_FILE */
;
-KRB5_LIB_VARIABLE const char *krb5_defkeyname = KEYTAB_DEFAULT;
+KRB5_LIB_VARIABLE const char *const krb5_defkeyname = KEYTAB_DEFAULT;
-KRB5_LIB_VARIABLE const char *krb5_cc_type_api = "API";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_file = "FILE";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_memory = "MEMORY";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm = "KCM";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_scc = "SCC";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc = "DIR";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_api = "API";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_file = "FILE";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_memory = "MEMORY";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_kcm = "KCM";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_scc = "SCC";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_dcc = "DIR";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_keyring = "KEYRING";
diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index 58ed4761056f..19548d4130db 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -33,10 +33,15 @@
* SUCH DAMAGE.
*/
+#undef KRB5_DEPRECATED_FUNCTION
+#define KRB5_DEPRECATED_FUNCTION(x)
+
#include "krb5_locl.h"
#include <assert.h>
#include <com_err.h>
+static void _krb5_init_ets(krb5_context);
+
#define INIT_FIELD(C, T, E, D, F) \
(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
"libdefaults", F, NULL)
@@ -179,7 +184,8 @@ init_context_from_config_file(krb5_context context)
INIT_FIELD(context, bool, log_utc,
FALSE, "log_utc");
-
+ context->no_ticket_store =
+ getenv("KRB5_NO_TICKET_STORE") != NULL;
/* init dns-proxy slime */
tmp = krb5_config_get_string(context, NULL, "libdefaults",
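Review bot: `context->no_ticket_store` is set from plain `getenv("KRB5_NO_TICKET_STORE")`, while the other environment reads this commit adds to the same function (`KRB5_TRACE`, `KRB5_CHECK_RD_REQ_SERVER`) go through `secure_getenv`. If honouring the variable in set-id processes is deliberate because it only disables ticket storage, a short comment such as `/* honoured even when issuid(): it can only reduce what is stored */` would record that. Otherwise `secure_getenv("KRB5_NO_TICKET_STORE") != NULL` keeps the function consistent. The body of init_context_from_config_file starts and ends outside this hunk.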
@@ -233,29 +239,35 @@ init_context_from_config_file(krb5_context context)
INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
+ INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
+ INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE, "report_canonical_client_name");
- if (context->default_cc_name)
- free(context->default_cc_name);
+ /* report_canonical_client_name implies check_pac */
+ if (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
+ context->flags |= KRB5_CTX_F_CHECK_PAC;
+
+ free(context->default_cc_name);
context->default_cc_name = NULL;
context->default_cc_name_set = 0;
+ free(context->configured_default_cc_name);
+ context->configured_default_cc_name = NULL;
+ tmp = secure_getenv("KRB5_TRACE");
+ if (tmp)
+ heim_add_debug_dest(context->hcontext, "libkrb5", tmp);
s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
- if(s) {
+ if (s) {
char **p;
- if (context->debug_dest)
- krb5_closelog(context, context->debug_dest);
-
- krb5_initlog(context, "libkrb5", &context->debug_dest);
- for(p = s; *p; p++)
- krb5_addlog_dest(context, context->debug_dest, *p);
- krb5_config_free_strings(s);
+ for (p = s; *p; p++)
+ heim_add_debug_dest(context->hcontext, "libkrb5", *p);
+ krb5_config_free_strings(s);
}
tmp = krb5_config_get_string(context, NULL, "libdefaults",
"check-rd-req-server", NULL);
- if (tmp == NULL && !issuid())
- tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
+ if (tmp == NULL)
+ tmp = secure_getenv("KRB5_CHECK_RD_REQ_SERVER");
if(tmp) {
if (strcasecmp(tmp, "ignore") == 0)
context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
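Review bot: Debug destinations are only ever added here now. The removed lines closed `context->debug_dest` before rebuilding it, but the new code calls `heim_add_debug_dest` for `KRB5_TRACE` and for each `[logging] krb5` entry without resetting anything first. This function runs again from krb5_set_config_files and krb5_set_config (both in this file's diff), so unless `heim_add_debug_dest` deduplicates, which is not visible here, every reload may register the same destinations again. The return value of `heim_add_debug_dest` is also dropped. Either reset the destination list before the loop or add a comment stating that the helper is idempotent, e.g. `/* heim_add_debug_dest() ignores destinations already registered */` if that is the case.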
@@ -290,6 +302,9 @@ cc_ops_register(krb5_context context)
#endif
krb5_cc_register(context, &krb5_kcm_ops, TRUE);
#endif
+#if defined(HAVE_KEYUTILS_H)
+ krb5_cc_register(context, &krb5_krcc_ops, TRUE);
+#endif
_krb5_load_ccache_plugins(context);
return 0;
}
@@ -357,7 +372,7 @@ kt_ops_copy(krb5_context context, const krb5_context src_context)
return 0;
}
-static const char *sysplugin_dirs[] = {
+static const char *const sysplugin_dirs[] = {
#ifdef _WIN32
"$ORIGIN",
#else
@@ -396,7 +411,6 @@ init_context_once(void *ctx)
bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
}
-
/**
* Initializes the context structure and reads the configuration file
* /etc/krb5.conf. The structure should be freed by calling
@@ -441,9 +455,13 @@ krb5_init_context(krb5_context *context)
if(!p)
return ENOMEM;
- HEIMDAL_MUTEX_init(&p->mutex);
+ if ((p->hcontext = heim_context_init()) == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
- p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
+ if (!issuid())
+ p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
ret = krb5_get_default_config_files(&files);
if(ret)
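Review bot: The new `goto out` taken when `heim_context_init()` fails reaches `krb5_free_context(p)` with `p->hcontext == NULL`. That function (changed later in this file) calls `krb5_clear_error_message`, `krb5_set_extra_addresses`, `krb5_set_send_to_kdc_func` and `heim_context_free(&context->hcontext)`, and whether each of them tolerates a NULL hcontext cannot be seen from this diff. If nothing else has been allocated at that point, as the hunk suggests, handling the failure locally avoids the question: `free(p); *context = NULL; return ENOMEM;`. The function body starts and ends outside this hunk.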
@@ -457,7 +475,7 @@ krb5_init_context(krb5_context *context)
heim_base_once_f(&init_context, p, init_context_once);
/* init error tables */
- krb5_init_ets(p);
+ _krb5_init_ets(p);
cc_ops_register(p);
kt_ops_register(p);
@@ -470,9 +488,11 @@ krb5_init_context(krb5_context *context)
p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
out:
- if(ret) {
+ if (ret) {
krb5_free_context(p);
p = NULL;
+ } else {
+ heim_context_set_log_utc(p->hcontext, p->log_utc);
}
*context = p;
return ret;
@@ -525,7 +545,7 @@ copy_etypes (krb5_context context,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_context(krb5_context context, krb5_context *out)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
krb5_context p;
*out = NULL;
@@ -534,70 +554,80 @@ krb5_copy_context(krb5_context context, krb5_context *out)
if (p == NULL)
return krb5_enomem(context);
- HEIMDAL_MUTEX_init(&p->mutex);
-
- if (context->default_cc_name)
- p->default_cc_name = strdup(context->default_cc_name);
- if (context->default_cc_name_env)
- p->default_cc_name_env = strdup(context->default_cc_name_env);
+ p->cc_ops = NULL;
+ p->etypes = NULL;
+ p->kt_types = NULL;
+ p->cfg_etypes = NULL;
+ p->etypes_des = NULL;
+ p->default_realms = NULL;
+ p->extra_addresses = NULL;
+ p->ignore_addresses = NULL;
+
+ if ((p->hcontext = heim_context_init()) == NULL)
+ ret = ENOMEM;
+
+ if (ret == 0) {
+ heim_context_set_log_utc(p->hcontext, context->log_utc);
+ ret = _krb5_config_copy(context, context->cf, &p->cf);
+ }
+ if (ret == 0)
+ ret = init_context_from_config_file(p);
+ if (ret == 0 && context->default_cc_name) {
+ free(p->default_cc_name);
+ if ((p->default_cc_name = strdup(context->default_cc_name)) == NULL)
+ ret = ENOMEM;
+ }
+ if (ret == 0 && context->default_cc_name_env) {
+ free(p->default_cc_name_env);
+ if ((p->default_cc_name_env =
+ strdup(context->default_cc_name_env)) == NULL)
+ ret = ENOMEM;
+ }
+ if (ret == 0 && context->configured_default_cc_name) {
+ free(p->configured_default_cc_name);
+ if ((p->configured_default_cc_name =
+ strdup(context->configured_default_cc_name)) == NULL)
+ ret = ENOMEM;
+ }
- if (context->etypes) {
+ if (ret == 0 && context->etypes) {
+ free(p->etypes);
ret = copy_etypes(context, context->etypes, &p->etypes);
- if (ret)
- goto out;
}
- if (context->cfg_etypes) {
+ if (ret == 0 && context->cfg_etypes) {
+ free(p->cfg_etypes);
ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
- if (ret)
- goto out;
}
- if (context->etypes_des) {
+ if (ret == 0 && context->etypes_des) {
+ free(p->etypes_des);
ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
- if (ret)
- goto out;
}
- if (context->default_realms) {
+ if (ret == 0 && context->default_realms) {
+ krb5_free_host_realm(context, p->default_realms);
ret = krb5_copy_host_realm(context,
context->default_realms, &p->default_realms);
- if (ret)
- goto out;
}
- ret = _krb5_config_copy(context, context->cf, &p->cf);
- if (ret)
- goto out;
-
/* XXX should copy */
- krb5_init_ets(p);
-
- cc_ops_copy(p, context);
- kt_ops_copy(p, context);
-
-#if 0 /* XXX */
- if(context->warn_dest != NULL)
- ;
- if(context->debug_dest != NULL)
- ;
-#endif
-
- ret = krb5_set_extra_addresses(p, context->extra_addresses);
- if (ret)
- goto out;
- ret = krb5_set_extra_addresses(p, context->ignore_addresses);
- if (ret)
- goto out;
-
- ret = _krb5_copy_send_to_kdc_func(p, context);
- if (ret)
- goto out;
-
- *out = p;
-
- return 0;
-
- out:
- krb5_free_context(p);
+ if (ret == 0)
+ _krb5_init_ets(p);
+
+ if (ret == 0)
+ ret = cc_ops_copy(p, context);
+ if (ret == 0)
+ ret = kt_ops_copy(p, context);
+ if (ret == 0)
+ ret = krb5_set_extra_addresses(p, context->extra_addresses);
+ if (ret == 0)
+ ret = krb5_set_extra_addresses(p, context->ignore_addresses);
+ if (ret == 0)
+ ret = _krb5_copy_send_to_kdc_func(p, context);
+
+ if (ret == 0)
+ *out = p;
+ else
+ krb5_free_context(p);
return ret;
}
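Review bot: The added line `ret = krb5_set_extra_addresses(p, context->ignore_addresses);` copies the ignore list into the extra-address list, replacing the value set by the line just before it and leaving `p->ignore_addresses` NULL. The removed code had the same mistake, so the rewrite carries it forward. krb5_free_context in this file uses `krb5_set_ignore_addresses`, so the intended call is presumably `ret = krb5_set_ignore_addresses(p, context->ignore_addresses);`. A copied context that silently loses its ignore list would behave differently from its source in address handling, so a test that copies a context with both lists set would be worth adding.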
@@ -615,37 +645,33 @@ KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_context(krb5_context context)
{
_krb5_free_name_canon_rules(context, context->name_canon_rules);
- if (context->default_cc_name)
- free(context->default_cc_name);
- if (context->default_cc_name_env)
- free(context->default_cc_name_env);
+ free(context->default_cc_name);
+ free(context->default_cc_name_env);
+ free(context->configured_default_cc_name);
free(context->etypes);
free(context->cfg_etypes);
free(context->etypes_des);
+ free(context->permitted_enctypes);
+ free(context->tgs_etypes);
+ free(context->as_etypes);
krb5_free_host_realm (context, context->default_realms);
krb5_config_file_free (context, context->cf);
- free_error_table (context->et_list);
free(rk_UNCONST(context->cc_ops));
free(context->kt_types);
krb5_clear_error_message(context);
- if(context->warn_dest != NULL)
- krb5_closelog(context, context->warn_dest);
- if(context->debug_dest != NULL)
- krb5_closelog(context, context->debug_dest);
krb5_set_extra_addresses(context, NULL);
krb5_set_ignore_addresses(context, NULL);
krb5_set_send_to_kdc_func(context, NULL, NULL);
#ifdef PKINIT
- if (context->hx509ctx)
- hx509_context_free(&context->hx509ctx);
+ hx509_context_free(&context->hx509ctx);
#endif
- HEIMDAL_MUTEX_destroy(&context->mutex);
if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
rk_SOCK_EXIT();
}
+ heim_context_free(&context->hcontext);
memset(context, 0, sizeof(*context));
free(context);
}
@@ -666,58 +692,51 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_config_files(krb5_context context, char **filenames)
{
krb5_error_code ret;
+ heim_config_binding *tmp = NULL;
+
+ if ((ret = heim_set_config_files(context->hcontext, filenames,
+ &tmp)))
+ return ret;
+ krb5_config_file_free(context, context->cf);
+ context->cf = (krb5_config_binding *)tmp;
+ return init_context_from_config_file(context);
+}
+
+#ifndef HEIMDAL_SMALLER
+/**
+ * Reinit the context from configuration file contents in a C string.
+ * This should only be used in tests.
+ *
+ * @param context context to add configuration too.
+ * @param config configuration.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_config(krb5_context context, const char *config)
+{
+ krb5_error_code ret;
krb5_config_binding *tmp = NULL;
- while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
- ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
- if (ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM
- && ret != KRB5_CONFIG_BADFORMAT) {
- krb5_config_file_free(context, tmp);
- return ret;
- }
- filenames++;
- }
+
+ if ((ret = krb5_config_parse_string_multi(context, config, &tmp)))
+ return ret;
#if 0
/* with this enabled and if there are no config files, Kerberos is
considererd disabled */
- if(tmp == NULL)
+ if (tmp == NULL)
return ENXIO;
#endif
-#ifdef _WIN32
- _krb5_load_config_from_registry(context, &tmp);
-#endif
-
krb5_config_file_free(context, context->cf);
context->cf = tmp;
ret = init_context_from_config_file(context);
return ret;
}
-
-static krb5_error_code
-add_file(char ***pfilenames, int *len, char *file)
-{
- char **pp = *pfilenames;
- int i;
-
- for(i = 0; i < *len; i++) {
- if(strcmp(pp[i], file) == 0) {
- free(file);
- return 0;
- }
- }
-
- pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
- if (pp == NULL) {
- free(file);
- return ENOMEM;
- }
-
- pp[*len] = file;
- pp[*len + 1] = NULL;
- *pfilenames = pp;
- *len += 1;
- return 0;
-}
+#endif
/*
* `pq' isn't free, it's up the the caller
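Review bot: The assignment `context->cf = (krb5_config_binding *)tmp;` in krb5_set_config_files converts a `heim_config_binding *` by cast, which is only sound if the two names denote the same or layout-identical types. Nothing in this hunk shows that. A comment at the cast, e.g. `/* relies on krb5_config_binding and heim_config_binding being the same type */`, or dropping the cast so the compiler checks it, would keep a later divergence from going unnoticed. Separately, the removed loop tolerated ENOENT, EACCES, EPERM and KRB5_CONFIG_BADFORMAT per file and then loaded the Windows registry. Whether `heim_set_config_files` keeps both behaviours is not visible here and is worth confirming.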
@@ -726,54 +745,7 @@ add_file(char ***pfilenames, int *len, char *file)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
{
- krb5_error_code ret;
- const char *p, *q;
- char **pp;
- int len;
- char *fn;
-
- pp = NULL;
-
- len = 0;
- p = filelist;
- while(1) {
- ssize_t l;
- q = p;
- l = strsep_copy(&q, PATH_SEP, NULL, 0);
- if(l == -1)
- break;
- fn = malloc(l + 1);
- if(fn == NULL) {
- krb5_free_config_files(pp);
- return ENOMEM;
- }
- (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
- ret = add_file(&pp, &len, fn);
- if (ret) {
- krb5_free_config_files(pp);
- return ret;
- }
- }
-
- if (pq != NULL) {
- int i;
-
- for (i = 0; pq[i] != NULL; i++) {
- fn = strdup(pq[i]);
- if (fn == NULL) {
- krb5_free_config_files(pp);
- return ENOMEM;
- }
- ret = add_file(&pp, &len, fn);
- if (ret) {
- krb5_free_config_files(pp);
- return ret;
- }
- }
- }
-
- *ret_pp = pp;
- return 0;
+ return heim_prepend_config_files(filelist, pq, ret_pp);
}
/**
@@ -791,61 +763,10 @@ krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
{
- krb5_error_code ret;
- char **defpp, **pp = NULL;
-
- ret = krb5_get_default_config_files(&defpp);
- if (ret)
- return ret;
-
- ret = krb5_prepend_config_files(filelist, defpp, &pp);
- krb5_free_config_files(defpp);
- if (ret) {
- return ret;
- }
- *pfilenames = pp;
- return 0;
-}
-
-#ifdef _WIN32
-
-/**
- * Checks the registry for configuration file location
- *
- * Kerberos for Windows and other legacy Kerberos applications expect
- * to find the configuration file location in the
- * SOFTWARE\MIT\Kerberos registry key under the value "config".
- */
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_get_default_config_config_files_from_registry()
-{
- static const char * KeyName = "Software\\MIT\\Kerberos";
- char *config_file = NULL;
- LONG rcode;
- HKEY key;
-
- rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
- if (rcode == ERROR_SUCCESS) {
- config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
- REG_NONE, 0, PATH_SEP);
- RegCloseKey(key);
- }
-
- if (config_file)
- return config_file;
-
- rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
- if (rcode == ERROR_SUCCESS) {
- config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
- REG_NONE, 0, PATH_SEP);
- RegCloseKey(key);
- }
-
- return config_file;
+ return heim_prepend_config_files_default(filelist, krb5_config_file,
+ "KRB5_CONFIG", pfilenames);
}
-#endif
-
/**
* Get the global configuration list.
*
@@ -860,32 +781,10 @@ _krb5_get_default_config_config_files_from_registry()
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_config_files(char ***pfilenames)
{
- const char *files = NULL;
-
if (pfilenames == NULL)
return EINVAL;
- if(!issuid())
- files = getenv("KRB5_CONFIG");
-
-#ifdef _WIN32
- if (files == NULL) {
- char * reg_files;
- reg_files = _krb5_get_default_config_config_files_from_registry();
- if (reg_files != NULL) {
- krb5_error_code code;
-
- code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
- free(reg_files);
-
- return code;
- }
- }
-#endif
-
- if (files == NULL)
- files = krb5_config_file;
-
- return krb5_prepend_config_files(files, NULL, pfilenames);
+ return heim_get_default_config_files(krb5_config_file, "KRB5_CONFIG",
+ pfilenames);
}
/**
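Review bot: The `!issuid()` guard that stood in front of `getenv("KRB5_CONFIG")` is removed from krb5_get_default_config_files, and the variable name is now passed to `heim_get_default_config_files`, whose body is not part of this diff. If that helper does not itself ignore the environment in set-id processes, a privileged program would load a caller-chosen configuration file. A comment at the call makes the dependency explicit: `/* heim_get_default_config_files() ignores KRB5_CONFIG when issuid() */`, once that has been confirmed. The same applies to the `heim_prepend_config_files_default(..., "KRB5_CONFIG", ...)` call in the previous hunk.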
@@ -903,10 +802,7 @@ krb5_get_default_config_files(char ***pfilenames)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_config_files(char **filenames)
{
- char **p;
- for(p = filenames; p && *p != NULL; p++)
- free(*p);
- free(filenames);
+ heim_free_config_files(filenames);
}
/**
@@ -1107,27 +1003,31 @@ krb5_get_default_in_tkt_etypes(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_init_ets(krb5_context context)
{
- if(context->et_list == NULL){
- krb5_add_et_list(context, initialize_krb5_error_table_r);
- krb5_add_et_list(context, initialize_asn1_error_table_r);
- krb5_add_et_list(context, initialize_heim_error_table_r);
+}
- krb5_add_et_list(context, initialize_k524_error_table_r);
+static void
+_krb5_init_ets(krb5_context context)
+{
+ heim_add_et_list(context->hcontext, initialize_krb5_error_table_r);
+ heim_add_et_list(context->hcontext, initialize_asn1_error_table_r);
+ heim_add_et_list(context->hcontext, initialize_heim_error_table_r);
+
+ heim_add_et_list(context->hcontext, initialize_k524_error_table_r);
+ heim_add_et_list(context->hcontext, initialize_k5e1_error_table_r);
#ifdef COM_ERR_BINDDOMAIN_krb5
- bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
- bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
- bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
- bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
#endif
#ifdef PKINIT
- krb5_add_et_list(context, initialize_hx_error_table_r);
+ heim_add_et_list(context->hcontext, initialize_hx_error_table_r);
#ifdef COM_ERR_BINDDOMAIN_hx
- bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
#endif
#endif
- }
}
/**
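Review bot: `krb5_init_ets` remains an exported function but now has an empty body and no explanation, so a reader cannot tell whether it is intentional or an unfinished edit. A one-line comment in the body would settle it: `/* Kept for ABI compatibility; error tables are registered by _krb5_init_ets() */`. The `context->et_list == NULL` guard is also gone, so `_krb5_init_ets` registers the tables on every call. The callers visible in this diff (krb5_init_context and krb5_copy_context) each call it once per new context, but that assumption is worth stating in a comment on the static function. The doc comment above `krb5_init_ets` lies outside this hunk.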
@@ -1527,24 +1427,15 @@ _krb5_init_etype(krb5_context context,
}
/*
- * Allow homedir accces
+ * Allow homedir access
*/
-static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
-static krb5_boolean allow_homedir = TRUE;
-
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_homedir_access(krb5_context context)
{
- krb5_boolean allow;
-
- if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
- return FALSE;
-
- HEIMDAL_MUTEX_lock(&homedir_mutex);
- allow = allow_homedir;
- HEIMDAL_MUTEX_unlock(&homedir_mutex);
- return allow;
+ if (context)
+ return !!(context->flags & KRB5_CTX_F_HOMEDIR_ACCESS);
+ return !issuid();
}
/**
@@ -1566,19 +1457,16 @@ _krb5_homedir_access(krb5_context context)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
{
- krb5_boolean old;
+ krb5_boolean old = _krb5_homedir_access(context);
+
if (context) {
- old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
if (allow)
context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
else
context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
- } else {
- HEIMDAL_MUTEX_lock(&homedir_mutex);
- old = allow_homedir;
- allow_homedir = allow;
- HEIMDAL_MUTEX_unlock(&homedir_mutex);
+ heim_context_set_homedir_access(context->hcontext, allow ? 1 : 0);
}
return old;
}
+
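Review bot: With `context == NULL`, krb5_set_home_dir_access now changes nothing: the removed `else` branch updated the process-wide `allow_homedir` flag, and the new body only acts inside `if (context)`. A caller that used `krb5_set_home_dir_access(NULL, FALSE)` to switch off home-directory lookups for the whole process would silently keep them enabled, and `_krb5_homedir_access(NULL)` in the previous hunk now answers `!issuid()` regardless. If the global mode is intentionally dropped, say so in the function's doc comment (outside this hunk), for example `NULL context: no effect, returns the current default`. Otherwise the NULL case needs an equivalent in the heim layer.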
diff --git a/lib/krb5/convert_creds.c b/lib/krb5/convert_creds.c
index fc371c637764..56261b29fa68 100644
--- a/lib/krb5/convert_creds.c
+++ b/lib/krb5/convert_creds.c
@@ -32,7 +32,6 @@
*/
#include "krb5_locl.h"
-#include "krb5-v4compat.h"
#ifndef HEIMDAL_SMALLER
@@ -58,7 +57,6 @@ krb524_convert_creds_kdc(krb5_context context,
struct credentials *v4creds)
KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- memset(v4creds, 0, sizeof(*v4creds));
krb5_set_error_message(context, EINVAL,
N_("krb524_convert_creds_kdc not supported", ""));
return EINVAL;
@@ -86,7 +84,6 @@ krb524_convert_creds_kdc_ccache(krb5_context context,
struct credentials *v4creds)
KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- memset(v4creds, 0, sizeof(*v4creds));
krb5_set_error_message(context, EINVAL,
N_("krb524_convert_creds_kdc_ccache not supported", ""));
return EINVAL;
diff --git a/lib/krb5/creds.c b/lib/krb5/creds.c
index 16e3f5780802..d62a70acb45f 100644
--- a/lib/krb5/creds.c
+++ b/lib/krb5/creds.c
@@ -190,7 +190,7 @@ krb5_times_equal(const krb5_times *a, const krb5_times *b)
* - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
* - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
* - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
- * - KRB5_TC_MATCH_IS_SKEY Compares the existance of the second ticket.
+ * - KRB5_TC_MATCH_IS_SKEY Compares the existence of the second ticket.
*
* @param context Kerberos 5 context.
* @param whichfields which fields to compare.
diff --git a/lib/krb5/crypto-aes-sha1.c b/lib/krb5/crypto-aes-sha1.c
index 30df0ee86b84..1f3760d18f77 100644
--- a/lib/krb5/crypto-aes-sha1.c
+++ b/lib/krb5/crypto-aes-sha1.c
@@ -72,7 +72,7 @@ struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes128 = {
12,
F_KEYED | F_CPROOF | F_DERIVED,
_krb5_SP_HMAC_SHA1_checksum,
- NULL
+ _krb5_SP_HMAC_SHA1_verify
};
struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256 = {
@@ -82,7 +82,7 @@ struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256 = {
12,
F_KEYED | F_CPROOF | F_DERIVED,
_krb5_SP_HMAC_SHA1_checksum,
- NULL
+ _krb5_SP_HMAC_SHA1_verify
};
static krb5_error_code
@@ -92,6 +92,7 @@ AES_SHA1_PRF(krb5_context context,
krb5_data *out)
{
struct _krb5_checksum_type *ct = crypto->et->checksum;
+ struct krb5_crypto_iov iov[1];
krb5_error_code ret;
Checksum result;
krb5_keyblock *derived;
@@ -103,7 +104,9 @@ AES_SHA1_PRF(krb5_context context,
return ret;
}
- ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+ iov[0].data = *in;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ ret = (*ct->checksum)(context, crypto, NULL, 0, iov, 1, &result);
if (ret) {
krb5_data_free(&result.checksum);
return ret;
@@ -151,6 +154,7 @@ struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha1 = {
&_krb5_checksum_hmac_sha1_aes128,
F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF,
_krb5_evp_encrypt_cts,
+ _krb5_evp_encrypt_iov_cts,
16,
AES_SHA1_PRF
};
@@ -167,6 +171,7 @@ struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha1 = {
&_krb5_checksum_hmac_sha1_aes256,
F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF,
_krb5_evp_encrypt_cts,
+ _krb5_evp_encrypt_iov_cts,
16,
AES_SHA1_PRF
};
diff --git a/lib/krb5/crypto-aes-sha2.c b/lib/krb5/crypto-aes-sha2.c
index 4630ce071527..94ec9a1d6e5e 100644
--- a/lib/krb5/crypto-aes-sha2.c
+++ b/lib/krb5/crypto-aes-sha2.c
@@ -58,10 +58,11 @@ _krb5_aes_sha2_md_for_enctype(krb5_context context,
static krb5_error_code
SP_HMAC_SHA2_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
+ unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *result)
{
krb5_error_code ret;
@@ -73,8 +74,10 @@ SP_HMAC_SHA2_checksum(krb5_context context,
if (ret)
return ret;
- HMAC(md, key->key->keyvalue.data, key->key->keyvalue.length,
- data, len, hmac, &hmaclen);
+ ret = _krb5_evp_hmac_iov(context, crypto, key, iov, niov, hmac,
+ &hmaclen, md, NULL);
+ if (ret)
+ return ret;
heim_assert(result->checksum.length <= hmaclen, "SHA2 internal error");
@@ -173,6 +176,7 @@ struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha256_128 = {
&_krb5_checksum_hmac_sha256_128_aes128,
F_DERIVED | F_ENC_THEN_CKSUM | F_SP800_108_HMAC_KDF,
_krb5_evp_encrypt_cts,
+ NULL,
16,
AES_SHA2_PRF
};
@@ -189,6 +193,7 @@ struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha384_192 = {
&_krb5_checksum_hmac_sha384_192_aes256,
F_DERIVED | F_ENC_THEN_CKSUM | F_SP800_108_HMAC_KDF,
_krb5_evp_encrypt_cts,
+ NULL,
16,
AES_SHA2_PRF
};
diff --git a/lib/krb5/crypto-algs.c b/lib/krb5/crypto-algs.c
index c0540257a441..eb21fcef0713 100644
--- a/lib/krb5/crypto-algs.c
+++ b/lib/krb5/crypto-algs.c
@@ -55,7 +55,10 @@ struct _krb5_checksum_type *_krb5_checksum_types[] = {
&_krb5_checksum_hmac_sha1_aes256,
&_krb5_checksum_hmac_sha256_128_aes128,
&_krb5_checksum_hmac_sha384_192_aes256,
- &_krb5_checksum_hmac_md5
+ &_krb5_checksum_hmac_md5,
+ &_krb5_checksum_sha256,
+ &_krb5_checksum_sha384,
+ &_krb5_checksum_sha512
};
int _krb5_num_checksums
diff --git a/lib/krb5/crypto-arcfour.c b/lib/krb5/crypto-arcfour.c
index ae576eccfea5..28fc52e4cbf2 100644
--- a/lib/krb5/crypto-arcfour.c
+++ b/lib/krb5/crypto-arcfour.c
@@ -57,10 +57,11 @@ static struct _krb5_key_type keytype_arcfour = {
krb5_error_code
_krb5_HMAC_MD5_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *result)
{
EVP_MD_CTX *m;
@@ -73,18 +74,24 @@ _krb5_HMAC_MD5_checksum(krb5_context context,
unsigned char tmp[16];
unsigned char ksign_c_data[16];
krb5_error_code ret;
+ int i;
+
+ if (crypto != NULL) {
+ if (crypto->mdctx == NULL)
+ crypto->mdctx = EVP_MD_CTX_create();
+ if (crypto->mdctx == NULL)
+ return krb5_enomem(context);
+ m = crypto->mdctx;
+ } else
+ m = EVP_MD_CTX_create();
- m = EVP_MD_CTX_create();
- if (m == NULL)
- return krb5_enomem(context);
ksign_c.checksum.length = sizeof(ksign_c_data);
ksign_c.checksum.data = ksign_c_data;
- ret = _krb5_internal_hmac(context, c, signature, sizeof(signature),
+ ret = _krb5_internal_hmac(context, crypto, c, signature, sizeof(signature),
0, key, &ksign_c);
- if (ret) {
- EVP_MD_CTX_destroy(m);
- return ret;
- }
+ if (ret)
+ goto out;
+
ksign.key = &kb;
kb.keyvalue = ksign_c.checksum;
EVP_DigestInit_ex(m, EVP_md5(), NULL);
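Review bot: In the `else` branch, `m = EVP_MD_CTX_create();` is no longer followed by a NULL check. The removed `if (m == NULL) return krb5_enomem(context);` covered that case, and the new check only tests `crypto->mdctx`. When `crypto` is NULL and the allocation fails, the NULL `m` reaches `EVP_DigestInit_ex` at the end of this hunk and the digest calls in the next hunk. Adding `if (m == NULL) return krb5_enomem(context);` directly after the `else` assignment restores the old behaviour. The results of the `EVP_Digest*` calls in this hunk and the next are also ignored. _krb5_HMAC_MD5_checksum begins in the previous hunk and ends in the next one.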
@@ -93,14 +100,18 @@ _krb5_HMAC_MD5_checksum(krb5_context context,
t[2] = (usage >> 16) & 0xFF;
t[3] = (usage >> 24) & 0xFF;
EVP_DigestUpdate(m, t, 4);
- EVP_DigestUpdate(m, data, len);
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i]))
+ EVP_DigestUpdate(m, iov[i].data.data, iov[i].data.length);
+ }
EVP_DigestFinal_ex (m, tmp, NULL);
- EVP_MD_CTX_destroy(m);
- ret = _krb5_internal_hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
- if (ret)
- return ret;
- return 0;
+ ret = _krb5_internal_hmac(context, crypto, c, tmp, sizeof(tmp), 0, &ksign, result);
+out:
+ if (crypto == NULL)
+ EVP_MD_CTX_destroy(m);
+
+ return ret;
}
struct _krb5_checksum_type _krb5_checksum_hmac_md5 = {
@@ -137,6 +148,10 @@ ARCFOUR_subencrypt(krb5_context context,
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
krb5_error_code ret;
+ if (len < 16) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
t[2] = (usage >> 16) & 0xFF;
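Review bot: The new `len < 16` guard in ARCFOUR_subencrypt carries no comment saying what it protects. The reason only shows up later, where `cdata + 16, len - 16` is passed to `_krb5_internal_hmac`; if `len` is unsigned (presumably a `size_t`, its declaration is outside the hunk), a shorter input would wrap that length. A one-line comment such as `/* first 16 bytes hold the checksum; len - 16 below must not wrap */` would keep the check from being dropped as redundant. The same comment belongs on the identical guard added to ARCFOUR_subdecrypt.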
@@ -145,7 +160,7 @@ ARCFOUR_subencrypt(krb5_context context,
k1_c.checksum.length = sizeof(k1_c_data);
k1_c.checksum.data = k1_c_data;
- ret = _krb5_internal_hmac(context, c, t, sizeof(t), 0, key, &k1_c);
+ ret = _krb5_internal_hmac(context, NULL, c, t, sizeof(t), 0, key, &k1_c);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -160,7 +175,7 @@ ARCFOUR_subencrypt(krb5_context context,
cksum.checksum.length = 16;
cksum.checksum.data = data;
- ret = _krb5_internal_hmac(context, c, cdata + 16, len - 16, 0, &ke, &cksum);
+ ret = _krb5_internal_hmac(context, NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -170,7 +185,7 @@ ARCFOUR_subencrypt(krb5_context context,
k3_c.checksum.length = sizeof(k3_c_data);
k3_c.checksum.data = k3_c_data;
- ret = _krb5_internal_hmac(context, c, data, 16, 0, &ke, &k3_c);
+ ret = _krb5_internal_hmac(context, NULL, c, data, 16, 0, &ke, &k3_c);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -205,6 +220,10 @@ ARCFOUR_subdecrypt(krb5_context context,
unsigned char cksum_data[16];
krb5_error_code ret;
+ if (len < 16) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
t[2] = (usage >> 16) & 0xFF;
@@ -213,7 +232,7 @@ ARCFOUR_subdecrypt(krb5_context context,
k1_c.checksum.length = sizeof(k1_c_data);
k1_c.checksum.data = k1_c_data;
- ret = _krb5_internal_hmac(context, c, t, sizeof(t), 0, key, &k1_c);
+ ret = _krb5_internal_hmac(context, NULL, c, t, sizeof(t), 0, key, &k1_c);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -228,7 +247,7 @@ ARCFOUR_subdecrypt(krb5_context context,
k3_c.checksum.length = sizeof(k3_c_data);
k3_c.checksum.data = k3_c_data;
- ret = _krb5_internal_hmac(context, c, cdata, 16, 0, &ke, &k3_c);
+ ret = _krb5_internal_hmac(context, NULL, c, cdata, 16, 0, &ke, &k3_c);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -243,7 +262,7 @@ ARCFOUR_subdecrypt(krb5_context context,
cksum.checksum.length = 16;
cksum.checksum.data = cksum_data;
- ret = _krb5_internal_hmac(context, c, cdata + 16, len - 16, 0, &ke, &cksum);
+ ret = _krb5_internal_hmac(context, NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -324,7 +343,7 @@ ARCFOUR_prf(krb5_context context,
res.checksum.data = out->data;
res.checksum.length = out->length;
- ret = _krb5_internal_hmac(context, c, in->data, in->length, 0, &crypto->key, &res);
+ ret = _krb5_internal_hmac(context, crypto, c, in->data, in->length, 0, &crypto->key, &res);
if (ret)
krb5_data_free(out);
return 0;
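Review bot: ARCFOUR_prf still ends with `return 0;` right after `if (ret) krb5_data_free(out);`, so a failed `_krb5_internal_hmac` is reported as success while `out` has already been freed. The HMAC helper in this commit returns ENOMEM on allocation failure, so this path is reachable. The last statement should be `return ret;`. The start of the function is outside this hunk.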
@@ -341,8 +360,9 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
&keytype_arcfour,
&_krb5_checksum_hmac_md5,
&_krb5_checksum_hmac_md5,
- F_SPECIAL | F_WEAK,
+ F_SPECIAL | F_WEAK | F_OLD,
ARCFOUR_encrypt,
+ NULL,
0,
ARCFOUR_prf
};
diff --git a/lib/krb5/crypto-des-common.c b/lib/krb5/crypto-des-common.c
index 95f6389d1e84..a8344ae5bc75 100644
--- a/lib/krb5/crypto-des-common.c
+++ b/lib/krb5/crypto-des-common.c
@@ -57,13 +57,14 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_des_checksum(krb5_context context,
const EVP_MD *evp_md,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *cksum)
{
struct _krb5_evp_schedule *ctx = key->schedule->data;
EVP_MD_CTX *m;
DES_cblock ivec;
+ int i;
unsigned char *p = cksum->checksum.data;
krb5_generate_random_block(p, 8);
@@ -74,7 +75,10 @@ _krb5_des_checksum(krb5_context context,
EVP_DigestInit_ex(m, evp_md, NULL);
EVP_DigestUpdate(m, p, 8);
- EVP_DigestUpdate(m, data, len);
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i]))
+ EVP_DigestUpdate(m, iov[i].data.data, iov[i].data.length);
+ }
EVP_DigestFinal_ex (m, p + 8, NULL);
EVP_MD_CTX_destroy(m);
memset_s(&ivec, sizeof(ivec), 0, sizeof(ivec));
@@ -88,8 +92,8 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_des_verify(krb5_context context,
const EVP_MD *evp_md,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
struct _krb5_evp_schedule *ctx = key->schedule->data;
@@ -98,6 +102,7 @@ _krb5_des_verify(krb5_context context,
unsigned char res[16];
DES_cblock ivec;
krb5_error_code ret = 0;
+ int i;
m = EVP_MD_CTX_create();
if (m == NULL)
@@ -109,7 +114,10 @@ _krb5_des_verify(krb5_context context,
EVP_DigestInit_ex(m, evp_md, NULL);
EVP_DigestUpdate(m, tmp, 8); /* confounder */
- EVP_DigestUpdate(m, data, len);
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i]))
+ EVP_DigestUpdate(m, iov[i].data.data, iov[i].data.length);
+ }
EVP_DigestFinal_ex (m, res, NULL);
EVP_MD_CTX_destroy(m);
if(ct_memcmp(res, tmp + 8, sizeof(res)) != 0) {
@@ -125,14 +133,17 @@ _krb5_des_verify(krb5_context context,
static krb5_error_code
RSA_MD5_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md5(), NULL) != 1)
+ if (_krb5_evp_digest_iov(crypto, iov, niov, C->checksum.data,
+ NULL, EVP_md5(), NULL) != 1)
krb5_abortx(context, "md5 checksum failed");
+
return 0;
}
diff --git a/lib/krb5/crypto-des.c b/lib/krb5/crypto-des.c
index 8ea145b56d4b..c5692954c48a 100644
--- a/lib/krb5/crypto-des.c
+++ b/lib/krb5/crypto-des.c
@@ -98,16 +98,24 @@ static struct _krb5_key_type keytype_des = {
static krb5_error_code
CRC32_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- uint32_t crc;
+ uint32_t crc = 0;
unsigned char *r = C->checksum.data;
+ int i;
+
_krb5_crc_init_table ();
- crc = _krb5_crc_update (data, len, 0);
+
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i]))
+ crc = _krb5_crc_update(iov[i].data.data, iov[i].data.length, crc);
+ }
+
r[0] = crc & 0xff;
r[1] = (crc >> 8) & 0xff;
r[2] = (crc >> 16) & 0xff;
@@ -117,59 +125,65 @@ CRC32_checksum(krb5_context context,
static krb5_error_code
RSA_MD4_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md4(), NULL) != 1)
+ if (_krb5_evp_digest_iov(crypto, iov, niov, C->checksum.data,
+ NULL, EVP_md4(), NULL) != 1)
krb5_abortx(context, "md4 checksum failed");
return 0;
}
static krb5_error_code
RSA_MD4_DES_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *cksum)
{
- return _krb5_des_checksum(context, EVP_md4(), key, data, len, cksum);
+ return _krb5_des_checksum(context, EVP_md4(), key, iov, niov, cksum);
}
static krb5_error_code
RSA_MD4_DES_verify(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_verify(context, EVP_md4(), key, data, len, C);
+ return _krb5_des_verify(context, EVP_md4(), key, iov, niov, C);
}
static krb5_error_code
RSA_MD5_DES_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_checksum(context, EVP_md5(), key, data, len, C);
+ return _krb5_des_checksum(context, EVP_md5(), key, iov, niov, C);
}
static krb5_error_code
RSA_MD5_DES_verify(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_verify(context, EVP_md5(), key, data, len, C);
+ return _krb5_des_verify(context, EVP_md5(), key, iov, niov, C);
}
struct _krb5_checksum_type _krb5_checksum_crc32 = {
@@ -295,8 +309,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_crc = {
&keytype_des,
&_krb5_checksum_crc32,
NULL,
- F_DISABLED|F_WEAK,
+ F_DISABLED|F_WEAK|F_OLD,
evp_des_encrypt_key_ivec,
+ NULL,
0,
NULL
};
@@ -311,8 +326,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md4 = {
&keytype_des,
&_krb5_checksum_rsa_md4,
&_krb5_checksum_rsa_md4_des,
- F_DISABLED|F_WEAK,
+ F_DISABLED|F_WEAK|F_OLD,
evp_des_encrypt_null_ivec,
+ NULL,
0,
NULL
};
@@ -327,8 +343,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md5 = {
&keytype_des,
&_krb5_checksum_rsa_md5,
&_krb5_checksum_rsa_md5_des,
- F_DISABLED|F_WEAK,
+ F_DISABLED|F_WEAK|F_OLD,
evp_des_encrypt_null_ivec,
+ NULL,
0,
NULL
};
@@ -343,8 +360,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_none = {
&keytype_des,
&_krb5_checksum_none,
NULL,
- F_PSEUDO|F_DISABLED|F_WEAK,
+ F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
evp_des_encrypt_null_ivec,
+ NULL,
0,
NULL
};
@@ -359,8 +377,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cfb64_none = {
&keytype_des_old,
&_krb5_checksum_none,
NULL,
- F_PSEUDO|F_DISABLED|F_WEAK,
+ F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
DES_CFB64_encrypt_null_ivec,
+ NULL,
0,
NULL
};
@@ -375,8 +394,9 @@ struct _krb5_encryption_type _krb5_enctype_des_pcbc_none = {
&keytype_des_old,
&_krb5_checksum_none,
NULL,
- F_PSEUDO|F_DISABLED|F_WEAK,
+ F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
DES_PCBC_encrypt_key_ivec,
+ NULL,
0,
NULL
};
diff --git a/lib/krb5/crypto-des3.c b/lib/krb5/crypto-des3.c
index ed3e7c960e99..d231921d6dbf 100644
--- a/lib/krb5/crypto-des3.c
+++ b/lib/krb5/crypto-des3.c
@@ -59,6 +59,7 @@ DES3_prf(krb5_context context,
krb5_data *out)
{
struct _krb5_checksum_type *ct = crypto->et->checksum;
+ struct krb5_crypto_iov iov[1];
krb5_error_code ret;
Checksum result;
krb5_keyblock *derived;
@@ -70,7 +71,9 @@ DES3_prf(krb5_context context,
return ret;
}
- ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+ iov[0].data = *in;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ ret = (*ct->checksum)(context, crypto, NULL, 0, iov, 1, &result);
if (ret) {
krb5_data_free(&result.checksum);
return ret;
@@ -139,24 +142,26 @@ static struct _krb5_key_type keytype_des3_derived = {
#ifdef DES3_OLD_ENCTYPE
static krb5_error_code
RSA_MD5_DES3_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_checksum(context, EVP_md5(), key, data, len, C);
+ return _krb5_des_checksum(context, EVP_md5(), key, iov, niov, C);
}
static krb5_error_code
RSA_MD5_DES3_verify(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_verify(context, EVP_md5(), key, data, len, C);
+ return _krb5_des_verify(context, EVP_md5(), key, iov, niov, C);
}
struct _krb5_checksum_type _krb5_checksum_rsa_md5_des3 = {
@@ -191,8 +196,9 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5 = {
&keytype_des3,
&_krb5_checksum_rsa_md5,
&_krb5_checksum_rsa_md5_des3,
- 0,
+ F_OLD,
_krb5_evp_encrypt,
+ _krb5_evp_encrypt_iov,
0,
NULL
};
@@ -208,8 +214,9 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1 = {
&keytype_des3_derived,
&_krb5_checksum_sha1,
&_krb5_checksum_hmac_sha1_des3,
- F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF,
+ F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF | F_OLD,
_krb5_evp_encrypt,
+ _krb5_evp_encrypt_iov,
16,
DES3_prf
};
@@ -225,8 +232,9 @@ struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1 = {
&keytype_des3,
&_krb5_checksum_sha1,
&_krb5_checksum_hmac_sha1_des3,
- 0,
+ F_OLD,
_krb5_evp_encrypt,
+ _krb5_evp_encrypt_iov,
0,
NULL
};
@@ -242,8 +250,9 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_none = {
&keytype_des3_derived,
&_krb5_checksum_none,
NULL,
- F_PSEUDO,
+ F_PSEUDO | F_OLD,
_krb5_evp_encrypt,
+ _krb5_evp_encrypt_iov,
0,
NULL
};
diff --git a/lib/krb5/crypto-evp.c b/lib/krb5/crypto-evp.c
index cab7c29061f7..0ed749a243cc 100644
--- a/lib/krb5/crypto-evp.c
+++ b/lib/krb5/crypto-evp.c
@@ -56,6 +56,119 @@ _krb5_evp_cleanup(krb5_context context, struct _krb5_key_data *kd)
EVP_CIPHER_CTX_cleanup(&key->dctx);
}
+int
+_krb5_evp_digest_iov(krb5_crypto crypto,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ void *hash,
+ unsigned int *hsize,
+ const EVP_MD *md,
+ ENGINE *engine)
+{
+ EVP_MD_CTX *ctx;
+ int ret, i;
+ krb5_data current = {0,0};
+
+ if (crypto != NULL) {
+ if (crypto->mdctx == NULL)
+ crypto->mdctx = EVP_MD_CTX_create();
+ if (crypto->mdctx == NULL)
+ return 0;
+ ctx = crypto->mdctx;
+ } else
+ ctx = EVP_MD_CTX_create();
+
+ ret = EVP_DigestInit_ex(ctx, md, engine);
+ if (ret != 1)
+ goto out;
+
+ /* Minimize EVP calls by coalescing contiguous iovec elements */
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i])) {
+ if (current.data &&
+ (char *)current.data + current.length == iov[i].data.data) {
+ current.length += iov[i].data.length;
+ } else {
+ if (current.data) {
+ ret = EVP_DigestUpdate(ctx, current.data, current.length);
+ if (ret != 1)
+ goto out;
+ }
+ current = iov[i].data;
+ }
+ }
+ }
+
+ if (current.data) {
+ ret = EVP_DigestUpdate(ctx, current.data, current.length);
+ if (ret != 1)
+ goto out;
+ }
+
+ ret = EVP_DigestFinal_ex(ctx, hash, hsize);
+
+out:
+ if (crypto == NULL)
+ EVP_MD_CTX_destroy(ctx);
+
+ return ret;
+}
+
+krb5_error_code
+_krb5_evp_hmac_iov(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_key_data *key,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ void *hmac,
+ unsigned int *hmaclen,
+ const EVP_MD *md,
+ ENGINE *engine)
+{
+ HMAC_CTX *ctx;
+ krb5_data current = {0, 0};
+ int i;
+
+ if (crypto != NULL) {
+ if (crypto->hmacctx == NULL)
+ crypto->hmacctx = HMAC_CTX_new();
+ ctx = crypto->hmacctx;
+ } else {
+ ctx = HMAC_CTX_new();
+ }
+ if (ctx == NULL)
+ return krb5_enomem(context);
+
+ if (HMAC_Init_ex(ctx, key->key->keyvalue.data, key->key->keyvalue.length,
+ md, engine) == 0) {
+ HMAC_CTX_free(ctx);
+ return krb5_enomem(context);
+ }
+
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i])) {
+ if (current.data &&
+ (char *)current.data + current.length == iov[i].data.data) {
+ current.length += iov[i].data.length;
+ } else {
+ if (current.data)
+ HMAC_Update(ctx, current.data, current.length);
+ current = iov[i].data;
+ }
+ }
+ }
+
+ if (current.data)
+ HMAC_Update(ctx, current.data, current.length);
+
+ HMAC_Final(ctx, hmac, hmaclen);
+
+ if (crypto == NULL)
+ HMAC_CTX_free(ctx);
+
+ return 0;
+}
+
krb5_error_code
_krb5_evp_encrypt(krb5_context context,
struct _krb5_key_data *key,
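Review bot: In `_krb5_evp_hmac_iov`, the `HMAC_Init_ex` failure path calls `HMAC_CTX_free(ctx)` unconditionally, even when `ctx` is the cached `crypto->hmacctx`. That leaves a dangling pointer in the crypto handle, which the next call would reuse. The cleanup should mirror the end of the function, `if (crypto == NULL) HMAC_CTX_free(ctx);`, or clear `crypto->hmacctx` after freeing. Reporting an init failure through `krb5_enomem()` and ignoring the results of `HMAC_Update`/`HMAC_Final` also hides errors that `_krb5_evp_digest_iov` above does propagate.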
@@ -83,8 +196,389 @@ _krb5_evp_encrypt(krb5_context context,
return 0;
}
+struct _krb5_evp_iov_cursor
+{
+ struct krb5_crypto_iov *iov;
+ int niov;
+ krb5_data current;
+ int nextidx;
+};
+
static const unsigned char zero_ivec[EVP_MAX_BLOCK_LENGTH] = { 0 };
+static inline int
+_krb5_evp_iov_should_encrypt(struct krb5_crypto_iov *iov)
+{
+ return (iov->flags == KRB5_CRYPTO_TYPE_DATA
+ || iov->flags == KRB5_CRYPTO_TYPE_HEADER
+ || iov->flags == KRB5_CRYPTO_TYPE_PADDING);
+}
+/*
+ * If we have a group of iovecs which have been split up from
+ * a single common buffer, expand the 'current' iovec out to
+ * be as large as possible.
+ */
+
+static inline void
+_krb5_evp_iov_cursor_expand(struct _krb5_evp_iov_cursor *cursor)
+{
+ if (cursor->nextidx == cursor->niov)
+ return;
+
+ while (_krb5_evp_iov_should_encrypt(&cursor->iov[cursor->nextidx])) {
+ if (cursor->iov[cursor->nextidx].data.length != 0 &&
+ ((char *)cursor->current.data + cursor->current.length
+ != cursor->iov[cursor->nextidx].data.data)) {
+ return;
+ }
+ cursor->current.length += cursor->iov[cursor->nextidx].data.length;
+ cursor->nextidx++;
+ }
+
+ return;
+}
+
+/* Move the cursor along to the start of the next block to be
+ * encrypted */
+static inline void
+_krb5_evp_iov_cursor_nextcrypt(struct _krb5_evp_iov_cursor *cursor)
+{
+ for (; cursor->nextidx < cursor->niov; cursor->nextidx++) {
+ if (_krb5_evp_iov_should_encrypt(&cursor->iov[cursor->nextidx])
+ && cursor->iov[cursor->nextidx].data.length != 0) {
+ cursor->current = cursor->iov[cursor->nextidx].data;
+ cursor->nextidx++;
+ _krb5_evp_iov_cursor_expand(cursor);
+ return;
+ }
+ }
+
+ cursor->current.length = 0; /* No matches, so we're done here */
+}
+
+static inline void
+_krb5_evp_iov_cursor_init(struct _krb5_evp_iov_cursor *cursor,
+ struct krb5_crypto_iov *iov, int niov)
+{
+ memset(cursor, 0, sizeof(struct _krb5_evp_iov_cursor));
+
+ cursor->iov = iov;
+ cursor->niov = niov;
+ cursor->nextidx = 0;
+
+ /* Move along to the first block we're going to be encrypting */
+ _krb5_evp_iov_cursor_nextcrypt(cursor);
+}
+
+static inline void
+_krb5_evp_iov_cursor_advance(struct _krb5_evp_iov_cursor *cursor,
+ size_t amount)
+{
+ while (amount > 0) {
+ if (cursor->current.length > amount) {
+ cursor->current.data = (char *)cursor->current.data + amount;
+ cursor->current.length -= amount;
+ return;
+ }
+ amount -= cursor->current.length;
+ _krb5_evp_iov_cursor_nextcrypt(cursor);
+ }
+}
+
+static inline int
+_krb5_evp_iov_cursor_done(struct _krb5_evp_iov_cursor *cursor)
+{
+ return (cursor->nextidx == cursor->niov && cursor->current.length == 0);
+}
+
+/* Fill a memory buffer with data from one or more iovecs. Doesn't
+ * advance the passed in cursor - use outcursor for the position
+ * at the end
+ */
+static inline void
+_krb5_evp_iov_cursor_fillbuf(struct _krb5_evp_iov_cursor *cursor,
+ unsigned char *buf, size_t length,
+ struct _krb5_evp_iov_cursor *outcursor)
+{
+ struct _krb5_evp_iov_cursor cursorint;
+
+ cursorint = *cursor;
+
+ while (length > 0 && !_krb5_evp_iov_cursor_done(&cursorint)) {
+ if (cursorint.current.length > length) {
+ memcpy(buf, cursorint.current.data, length);
+ _krb5_evp_iov_cursor_advance(&cursorint, length);
+ length = 0;
+ } else {
+ memcpy(buf, cursorint.current.data, cursorint.current.length);
+ length -= cursorint.current.length;
+ buf += cursorint.current.length;
+ _krb5_evp_iov_cursor_nextcrypt(&cursorint);
+ }
+ }
+
+ if (outcursor != NULL)
+ *outcursor = cursorint;
+}
+
+/* Fill an iovec from a memory buffer. Always advances the cursor to
+ * the end of the filled region
+ */
+static inline void
+_krb5_evp_iov_cursor_fillvec(struct _krb5_evp_iov_cursor *cursor,
+ unsigned char *buf, size_t length)
+{
+ while (length > 0 && !_krb5_evp_iov_cursor_done(cursor)) {
+ if (cursor->current.length > length) {
+ memcpy(cursor->current.data, buf, length);
+ _krb5_evp_iov_cursor_advance(cursor, length);
+ length = 0;
+ } else {
+ memcpy(cursor->current.data, buf, cursor->current.length);
+ length -= cursor->current.length;
+ buf += cursor->current.length;
+ _krb5_evp_iov_cursor_nextcrypt(cursor);
+ }
+ }
+}
+
+static size_t
+_krb5_evp_iov_cryptlength(struct krb5_crypto_iov *iov, int niov)
+{
+ int i;
+ size_t length = 0;
+
+ for (i = 0; i < niov; i++) {
+ if (_krb5_evp_iov_should_encrypt(&iov[i]))
+ length += iov[i].data.length;
+ }
+
+ return length;
+}
+
+int
+_krb5_evp_encrypt_iov(krb5_context context,
+ struct _krb5_key_data *key,
+ struct krb5_crypto_iov *iov,
+ int niov,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ size_t blocksize, blockmask, wholeblocks;
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ unsigned char tmp[EVP_MAX_BLOCK_LENGTH];
+ EVP_CIPHER_CTX *c;
+ struct _krb5_evp_iov_cursor cursor;
+
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+
+ blocksize = EVP_CIPHER_CTX_block_size(c);
+
+ blockmask = ~(blocksize - 1);
+
+ if (ivec)
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ else
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+
+ _krb5_evp_iov_cursor_init(&cursor, iov, niov);
+
+ while (!_krb5_evp_iov_cursor_done(&cursor)) {
+
+ /* Number of bytes of data in this iovec that are in whole blocks */
+ wholeblocks = cursor.current.length & ~blockmask;
+
+ if (wholeblocks != 0) {
+ EVP_Cipher(c, cursor.current.data,
+ cursor.current.data, wholeblocks);
+ _krb5_evp_iov_cursor_advance(&cursor, wholeblocks);
+ }
+
+ /* If there's a partial block of data remaining in the current
+ * iovec, steal enough from subsequent iovecs to form a whole block */
+ if (cursor.current.length > 0 && cursor.current.length < blocksize) {
+ /* Build up a block's worth of data in tmp, leaving the cursor
+ * pointing at where we started */
+ _krb5_evp_iov_cursor_fillbuf(&cursor, tmp, blocksize, NULL);
+
+ EVP_Cipher(c, tmp, tmp, blocksize);
+
+ /* Copy the data in tmp back into the iovecs that it came from,
+ * advancing the cursor */
+ _krb5_evp_iov_cursor_fillvec(&cursor, tmp, blocksize);
+ }
+ }
+
+ return 0;
+}
+
+int
+_krb5_evp_encrypt_iov_cts(krb5_context context,
+ struct _krb5_key_data *key,
+ struct krb5_crypto_iov *iov,
+ int niov,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ size_t blocksize, blockmask, wholeblocks, length;
+ size_t remaining, partiallen;
+ struct _krb5_evp_iov_cursor cursor, lastpos;
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ unsigned char tmp[EVP_MAX_BLOCK_LENGTH], tmp2[EVP_MAX_BLOCK_LENGTH];
+ unsigned char tmp3[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
+ EVP_CIPHER_CTX *c;
+ int i;
+
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+
+ blocksize = EVP_CIPHER_CTX_block_size(c);
+ blockmask = ~(blocksize - 1);
+
+ length = _krb5_evp_iov_cryptlength(iov, niov);
+
+ if (length < blocksize) {
+ krb5_set_error_message(context, EINVAL,
+ "message block too short");
+ return EINVAL;
+ }
+
+ if (length == blocksize)
+ return _krb5_evp_encrypt_iov(context, key, iov, niov,
+ encryptp, usage, ivec);
+
+ if (ivec)
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ else
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+
+ if (encryptp) {
+ /* On our first pass, we want to process everything but the
+ * final partial block */
+ remaining = ((length - 1) & blockmask);
+ partiallen = length - remaining;
+
+ memset(&lastpos, 0, sizeof(lastpos)); /* Keep the compiler happy */
+ } else {
+ /* Decryption needs to leave 2 whole blocks and a partial for
+ * further processing */
+ if (length > 2 * blocksize) {
+ remaining = (((length - 1) / blocksize) * blocksize) - (blocksize*2);
+ partiallen = length - remaining - (blocksize * 2);
+ } else {
+ remaining = 0;
+ partiallen = length - blocksize;
+ }
+ }
+
+ _krb5_evp_iov_cursor_init(&cursor, iov, niov);
+ while (remaining > 0) {
+ /* If the iovec has more data than we need, just use it */
+ if (cursor.current.length >= remaining) {
+ EVP_Cipher(c, cursor.current.data, cursor.current.data, remaining);
+
+ if (encryptp) {
+ /* We've just encrypted the last block of data. Make a copy
+ * of it (and its location) for the CTS dance, below */
+ lastpos = cursor;
+ _krb5_evp_iov_cursor_advance(&lastpos, remaining - blocksize);
+ memcpy(ivec2, lastpos.current.data, blocksize);
+ }
+
+ _krb5_evp_iov_cursor_advance(&cursor, remaining);
+ remaining = 0;
+ } else {
+ /* Use as much as we can, firstly all of the whole blocks */
+ wholeblocks = cursor.current.length & blockmask;
+
+ if (wholeblocks > 0) {
+ EVP_Cipher(c, cursor.current.data, cursor.current.data,
+ wholeblocks);
+ _krb5_evp_iov_cursor_advance(&cursor, wholeblocks);
+ remaining -= wholeblocks;
+ }
+
+ /* Then, if we have partial data left, steal enough from subsequent
+ * iovecs to make a whole block */
+ if (cursor.current.length > 0 && cursor.current.length < blocksize) {
+ if (encryptp && remaining == blocksize)
+ lastpos = cursor;
+
+ _krb5_evp_iov_cursor_fillbuf(&cursor, ivec2, blocksize, NULL);
+ EVP_Cipher(c, ivec2, ivec2, blocksize);
+ _krb5_evp_iov_cursor_fillvec(&cursor, ivec2, blocksize);
+
+ remaining -= blocksize;
+ }
+ }
+ }
+
+ /* Encryption */
+ if (encryptp) {
+ /* Copy the partial block into tmp */
+ _krb5_evp_iov_cursor_fillbuf(&cursor, tmp, partiallen, NULL);
+
+ /* XOR the final partial block with ivec2 */
+ for (i = 0; i < partiallen; i++)
+ tmp[i] = tmp[i] ^ ivec2[i];
+ for (; i < blocksize; i++)
+ tmp[i] = 0 ^ ivec2[i]; /* XOR 0s if partial block exhausted */
+
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, tmp, tmp, blocksize);
+
+ _krb5_evp_iov_cursor_fillvec(&lastpos, tmp, blocksize);
+ _krb5_evp_iov_cursor_fillvec(&cursor, ivec2, partiallen);
+
+ if (ivec)
+ memcpy(ivec, tmp, blocksize);
+
+ return 0;
+ }
+
+ /* Decryption */
+
+ /* Make a copy of the 2nd last full ciphertext block in ivec2 before
+ * decrypting it. If no such block exists, use ivec or zero_ivec */
+ if (length <= blocksize * 2) {
+ if (ivec)
+ memcpy(ivec2, ivec, blocksize);
+ else
+ memcpy(ivec2, zero_ivec, blocksize);
+ } else {
+ _krb5_evp_iov_cursor_fillbuf(&cursor, ivec2, blocksize, NULL);
+ EVP_Cipher(c, tmp, ivec2, blocksize);
+ _krb5_evp_iov_cursor_fillvec(&cursor, tmp, blocksize);
+ }
+
+ lastpos = cursor; /* Remember where the last block is */
+ _krb5_evp_iov_cursor_fillbuf(&cursor, tmp, blocksize, &cursor);
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, tmp2, tmp, blocksize); /* tmp eventually becomes output ivec */
+
+ _krb5_evp_iov_cursor_fillbuf(&cursor, tmp3, partiallen, NULL);
+
+ memcpy(tmp3 + partiallen, tmp2 + partiallen, blocksize - partiallen); /* xor 0 */
+ for (i = 0; i < partiallen; i++)
+ tmp2[i] = tmp2[i] ^ tmp3[i];
+
+ _krb5_evp_iov_cursor_fillvec(&cursor, tmp2, partiallen);
+
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, tmp3, tmp3, blocksize);
+
+ for (i = 0; i < blocksize; i++)
+ tmp3[i] ^= ivec2[i];
+
+ _krb5_evp_iov_cursor_fillvec(&lastpos, tmp3, blocksize);
+
+ if (ivec)
+ memcpy(ivec, tmp, blocksize);
+
+ return 0;
+}
+
krb5_error_code
_krb5_evp_encrypt_cts(krb5_context context,
struct _krb5_key_data *key,
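Review bot: In `_krb5_evp_encrypt_iov`, `wholeblocks = cursor.current.length & ~blockmask;` yields the length modulo the block size, not the whole-block byte count its comment describes, because `blockmask` is already `~(blocksize - 1)`. For a block-aligned iovec this gives 0, the partial-block branch is skipped too, and the cursor never advances. `_krb5_evp_encrypt_iov_cts` uses `& blockmask` for the same step, so the line should read `wholeblocks = cursor.current.length & blockmask;`. Separately, `_krb5_evp_iov_cursor_expand` tests `nextidx` against `niov` only once before its `while`, so after `cursor->nextidx++` the loop condition can read `iov[niov]`; adding `cursor->nextidx < cursor->niov &&` to the condition bounds it.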
diff --git a/lib/krb5/crypto-null.c b/lib/krb5/crypto-null.c
index 96b77994708c..a62a57ffccb0 100644
--- a/lib/krb5/crypto-null.c
+++ b/lib/krb5/crypto-null.c
@@ -53,10 +53,11 @@ static struct _krb5_key_type keytype_null = {
static krb5_error_code
NONE_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
return 0;
@@ -94,8 +95,9 @@ struct _krb5_encryption_type _krb5_enctype_null = {
&keytype_null,
&_krb5_checksum_none,
NULL,
- F_DISABLED,
+ F_DISABLED | F_OLD,
NULL_encrypt,
+ NULL,
0,
NULL
};
diff --git a/lib/krb5/crypto-stubs.c b/lib/krb5/crypto-stubs.c
index 2398a4630a04..5251f8857a8c 100644
--- a/lib/krb5/crypto-stubs.c
+++ b/lib/krb5/crypto-stubs.c
@@ -49,8 +49,6 @@ krb5_init_context(krb5_context *context)
if(!p)
return ENOMEM;
- HEIMDAL_MUTEX_init(&p->mutex);
-
*context = p;
return 0;
}
@@ -60,7 +58,6 @@ krb5_free_context(krb5_context context)
{
krb5_clear_error_message(context);
- HEIMDAL_MUTEX_destroy(&context->mutex);
if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
rk_SOCK_EXIT();
}
diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 1c30629db704..ba7e132254a5 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -51,7 +51,7 @@ static void free_key_schedule(krb5_context,
struct _krb5_key_data *,
struct _krb5_encryption_type *);
-/*
+/*
* Converts etype to a user readable string and sets as a side effect
* the krb5_error_message containing this string. Returns
* KRB5_PROG_ETYPE_NOSUPP in not the conversion of the etype failed in
@@ -132,9 +132,14 @@ _key_schedule(krb5_context context,
struct _krb5_key_data *key)
{
krb5_error_code ret;
- struct _krb5_encryption_type *et = _krb5_find_enctype(key->key->keytype);
+ struct _krb5_encryption_type *et;
struct _krb5_key_type *kt;
+ if (key->schedule != NULL)
+ return 0;
+
+ et = _krb5_find_enctype(key->key->keytype);
+
if (et == NULL) {
return unsupported_enctype (context,
key->key->keytype);
@@ -144,8 +149,6 @@ _key_schedule(krb5_context context,
if(kt->schedule == NULL)
return 0;
- if (key->schedule != NULL)
- return 0;
ALLOC(key->schedule, 1);
if (key->schedule == NULL)
return krb5_enomem(context);
@@ -164,50 +167,91 @@ _key_schedule(krb5_context context,
************************************************************/
static krb5_error_code
-SHA1_checksum(krb5_context context,
- struct _krb5_key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_sha1(), NULL) != 1)
- krb5_abortx(context, "sha1 checksum failed");
+EVP_unkeyed_checksum(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_key_data *key,
+ unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ Checksum *C,
+ const EVP_MD *md)
+{
+ if (_krb5_evp_digest_iov(crypto,
+ iov, niov,
+ C->checksum.data, NULL,
+ md, NULL) != 1)
+ krb5_abortx(context, "unkeyed checksum failed");
+
return 0;
}
+#define EVP_SHA_CHECKSUM(name) \
+ \
+ static krb5_error_code \
+ SHA ## name ##_checksum(krb5_context context, \
+ krb5_crypto crypto, \
+ struct _krb5_key_data *key, \
+ unsigned usage, \
+ const struct krb5_crypto_iov *iov, \
+ int niov, \
+ Checksum *C) \
+ { \
+ return EVP_unkeyed_checksum(context, crypto, key, \
+ usage, iov, niov, \
+ C, EVP_sha##name()); \
+ }
+
+EVP_SHA_CHECKSUM(1)
+EVP_SHA_CHECKSUM(256)
+EVP_SHA_CHECKSUM(384)
+EVP_SHA_CHECKSUM(512)
+
/* HMAC according to RFC2104 */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_internal_hmac(krb5_context context,
- struct _krb5_checksum_type *cm,
- const void *data,
- size_t len,
- unsigned usage,
- struct _krb5_key_data *keyblock,
- Checksum *result)
+_krb5_internal_hmac_iov(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_checksum_type *cm,
+ unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ struct _krb5_key_data *keyblock,
+ Checksum *result)
{
unsigned char *ipad, *opad;
unsigned char *key;
+ struct krb5_crypto_iov *working;
size_t key_len;
size_t i;
- ipad = malloc(cm->blocksize + len);
+ ipad = malloc(cm->blocksize);
if (ipad == NULL)
return ENOMEM;
+
opad = malloc(cm->blocksize + cm->checksumsize);
if (opad == NULL) {
free(ipad);
return ENOMEM;
}
+
+ working = calloc(niov + 1, sizeof(struct krb5_crypto_iov));
+ if (working == NULL) {
+ free(ipad);
+ free(opad);
+ return ENOMEM;
+ }
+
memset(ipad, 0x36, cm->blocksize);
memset(opad, 0x5c, cm->blocksize);
if(keyblock->key->keyvalue.length > cm->blocksize){
+ working[0].data = keyblock->key->keyvalue;
+ working[0].flags = KRB5_CRYPTO_TYPE_DATA;
(*cm->checksum)(context,
+ crypto,
keyblock,
- keyblock->key->keyvalue.data,
- keyblock->key->keyvalue.length,
usage,
+ working,
+ 1,
result);
key = result->checksum.data;
key_len = result->checksum.length;
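Review bot: `niov` is a signed `int`, but `_krb5_internal_hmac_iov` uses it unvalidated in `calloc(niov + 1, ...)` and, in the next hunk, compares it with the `size_t i` counter in `for (i = 0; i < niov; i++)`. If a caller can pass a negative count, that comparison converts it to a very large unsigned value and the copy into `working` runs past the allocation. Whether any caller can do so is not visible from this hunk. A guard at the top, `if (niov < 0) return EINVAL;`, would make the contract explicit. The function body continues in the following hunk.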
@@ -219,22 +263,50 @@ _krb5_internal_hmac(krb5_context context,
ipad[i] ^= key[i];
opad[i] ^= key[i];
}
- memcpy(ipad + cm->blocksize, data, len);
- (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len,
- usage, result);
+
+ working[0].data.data = ipad;
+ working[0].data.length = cm->blocksize;
+ working[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ for (i = 0; i < niov; i++)
+ working[i + 1] = iov[i];
+
+ (*cm->checksum)(context, crypto, keyblock, usage, working, niov + 1, result);
memcpy(opad + cm->blocksize, result->checksum.data,
result->checksum.length);
- (*cm->checksum)(context, keyblock, opad,
- cm->blocksize + cm->checksumsize, usage, result);
- memset(ipad, 0, cm->blocksize + len);
+
+ working[0].data.data = opad;
+ working[0].data.length = cm->blocksize + cm->checksumsize;
+ working[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ (*cm->checksum)(context, crypto, keyblock, usage, working, 1, result);
+ memset(ipad, 0, cm->blocksize);
free(ipad);
memset(opad, 0, cm->blocksize + cm->checksumsize);
free(opad);
+ free(working);
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_internal_hmac(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_checksum_type *cm,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ struct _krb5_key_data *keyblock,
+ Checksum *result)
+{
+ struct krb5_crypto_iov iov[1];
+
+ iov[0].data.data = (void *) data;
+ iov[0].data.length = len;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ return _krb5_internal_hmac_iov(context, crypto, cm, usage, iov, 1,
+ keyblock, result);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_hmac(krb5_context context,
krb5_cksumtype cktype,
const void *data,
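Review bot: The three `(*cm->checksum)(...)` calls in this hunk discard their return value and the function still ends in `return 0`, so a failed inner or outer hash is reported as a valid HMAC built from whatever `result` held. This matters more after this commit, because checksum callbacks such as `_krb5_SP_HMAC_SHA1_checksum` now return an error instead of aborting. Capture each result, e.g. `ret = (*cm->checksum)(context, crypto, keyblock, usage, working, niov + 1, result);` followed by `if (ret) goto out;`, with the wipe and the three `free()` calls moved under an `out:` label that returns `ret`. Separately, `memset(ipad, 0, cm->blocksize)` directly before `free(ipad)` clears key-derived bytes with a call the compiler is allowed to drop; a wipe that cannot be elided is safer for both pads. The function begins outside this hunk, so the key-hashing call earlier in it should get the same treatment.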
@@ -245,6 +317,7 @@ krb5_hmac(krb5_context context,
{
struct _krb5_checksum_type *c = _krb5_find_checksum(cktype);
struct _krb5_key_data kd;
+
krb5_error_code ret;
if (c == NULL) {
@@ -257,7 +330,7 @@ krb5_hmac(krb5_context context,
kd.key = key;
kd.schedule = NULL;
- ret = _krb5_internal_hmac(context, c, data, len, usage, &kd, result);
+ ret = _krb5_internal_hmac(context, NULL, c, data, len, usage, &kd, result);
if (kd.schedule)
krb5_free_data(context, kd.schedule);
@@ -267,36 +340,72 @@ krb5_hmac(krb5_context context,
krb5_error_code
_krb5_SP_HMAC_SHA1_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *result)
{
- struct _krb5_checksum_type *c = _krb5_find_checksum(CKSUMTYPE_SHA1);
- Checksum res;
- char sha1_data[20];
krb5_error_code ret;
+ unsigned char hmac[EVP_MAX_MD_SIZE];
+ unsigned int hmaclen = sizeof(hmac);
+
+ ret = _krb5_evp_hmac_iov(context, crypto, key, iov, niov, hmac, &hmaclen,
+ EVP_sha1(), NULL);
+ if (ret)
+ return ret;
+
+ heim_assert(result->checksum.length <= hmaclen,
+ "SHA1 checksum too short");
+ memcpy(result->checksum.data, hmac, result->checksum.length);
- res.checksum.data = sha1_data;
- res.checksum.length = sizeof(sha1_data);
+ return 0;
+}
+
+krb5_error_code
+_krb5_SP_HMAC_SHA1_verify(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_key_data *key,
+ unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ Checksum *verify)
+{
+ krb5_error_code ret;
+ unsigned char hmac[EVP_MAX_MD_SIZE];
+ unsigned int hmaclen = sizeof(hmac);
+ krb5_data data;
- ret = _krb5_internal_hmac(context, c, data, len, usage, key, &res);
+ ret = _krb5_evp_hmac_iov(context, crypto, key, iov, niov, hmac, &hmaclen,
+ EVP_sha1(), NULL);
if (ret)
- krb5_abortx(context, "hmac failed");
- memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
+ return ret;
+
+ data.data = hmac;
+ data.length = min(hmaclen, verify->checksum.length);
+
+ if(krb5_data_ct_cmp(&data, &verify->checksum) != 0)
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
return 0;
}
-struct _krb5_checksum_type _krb5_checksum_sha1 = {
- CKSUMTYPE_SHA1,
- "sha1",
- 64,
- 20,
- F_CPROOF,
- SHA1_checksum,
- NULL
-};
+#define SHA_CHECKSUM(name, blocksize, outputsize) \
+ struct _krb5_checksum_type _krb5_checksum_sha##name = { \
+ CKSUMTYPE_SHA##name, \
+ "sha" #name, \
+ blocksize, \
+ outputsize, \
+ F_CPROOF, \
+ SHA##name##_checksum, \
+ NULL \
+ };
+
+SHA_CHECKSUM(1, 64, 20);
+SHA_CHECKSUM(256, 64, 32);
+SHA_CHECKSUM(384, 128, 48);
+SHA_CHECKSUM(512, 128, 64);
KRB5_LIB_FUNCTION struct _krb5_checksum_type * KRB5_LIB_CALL
_krb5_find_checksum(krb5_cksumtype type)
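Review bot: In `_krb5_SP_HMAC_SHA1_verify`, `data.length = min(hmaclen, verify->checksum.length)` lets the received checksum decide how many MAC bytes are compared. On its own the function would therefore accept a truncated checksum, and possibly an empty one, depending on how `krb5_data_ct_cmp` treats zero-length values. Whether a caller rejects a checksum whose length differs from the type's `checksumsize` before reaching this point is not visible in this hunk. Either compare against the expected length inside the function, or record the precondition with a comment such as `/* caller has already checked verify->checksum.length against the checksum type's size */` above the `min()` line.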
@@ -316,6 +425,24 @@ get_checksum_key(krb5_context context,
struct _krb5_key_data **key)
{
krb5_error_code ret = 0;
+ struct _krb5_checksum_type *kct = NULL;
+
+ if (crypto == NULL) {
+ krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+ N_("Checksum type %s is keyed but no "
+ "crypto context (key) was passed in", ""),
+ ct->name);
+ return KRB5_BAD_ENCTYPE;
+ }
+ kct = crypto->et->keyed_checksum;
+ if (kct == NULL || kct->type != ct->type) {
+ krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+ N_("Checksum type %s is keyed, but "
+ "the key type %s passed didnt have that checksum "
+ "type as the keyed type", ""),
+ ct->name, crypto->et->name);
+ return KRB5_BAD_ENCTYPE;
+ }
if(ct->flags & F_DERIVED)
ret = _get_derived_key(context, crypto, usage, key);
@@ -339,41 +466,58 @@ get_checksum_key(krb5_context context,
}
static krb5_error_code
-create_checksum (krb5_context context,
- struct _krb5_checksum_type *ct,
- krb5_crypto crypto,
- unsigned usage,
- void *data,
- size_t len,
- Checksum *result)
+create_checksum_iov(krb5_context context,
+ struct _krb5_checksum_type *ct,
+ krb5_crypto crypto,
+ unsigned usage,
+ struct krb5_crypto_iov *iov,
+ int niov,
+ krb5_flags flags,
+ Checksum *result)
{
krb5_error_code ret;
struct _krb5_key_data *dkey;
- int keyed_checksum;
if (ct->flags & F_DISABLED) {
krb5_clear_error_message (context);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum && crypto == NULL) {
- krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- if(keyed_checksum) {
+ if (ct->flags & F_KEYED) {
ret = get_checksum_key(context, crypto, usage, ct, &dkey);
if (ret)
return ret;
+ } else if ((flags & KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM) == 0) {
+ return EINVAL;
} else
dkey = NULL;
+
result->cksumtype = ct->type;
+
+ return (*ct->checksum)(context, crypto, dkey, usage, iov, niov, result);
+}
+
+static krb5_error_code
+create_checksum (krb5_context context,
+ struct _krb5_checksum_type *ct,
+ krb5_crypto crypto,
+ unsigned usage,
+ void *data,
+ size_t len,
+ krb5_flags flags,
+ Checksum *result)
+{
+ int ret;
+ struct krb5_crypto_iov iov[1];
+
ret = krb5_data_alloc(&result->checksum, ct->checksumsize);
if (ret)
- return (ret);
- return (*ct->checksum)(context, dkey, data, len, usage, result);
+ return ret;
+
+ iov[0].data.data = data;
+ iov[0].data.length = len;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+
+ return create_checksum_iov(context, ct, crypto, usage, iov, 1, flags, result);
}
static int
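Review bot: `create_checksum` now allocates `result->checksum` before calling `create_checksum_iov`, so every early failure there (`F_DISABLED`, a `get_checksum_key` error, the new `EINVAL` for a disallowed unkeyed type) returns with the buffer still allocated. The removed code allocated only after those checks. Unless every caller frees `result` on error, which this hunk does not show, that is a leak on the error path. Release it locally: `ret = create_checksum_iov(context, ct, crypto, usage, iov, 1, flags, result);` then `if (ret) krb5_data_free(&result->checksum);` then `return ret;`. The bare `return EINVAL` in `create_checksum_iov` also sets no error message, unlike the matching branch in `verify_checksum_iov`.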
@@ -383,6 +527,16 @@ arcfour_checksum_p(struct _krb5_checksum_type *ct, krb5_crypto crypto)
(crypto->key.key->keytype == KEYTYPE_ARCFOUR);
}
+static inline krb5_flags
+crypto_flags(krb5_crypto crypto)
+{
+ /* If caller didn't specify a key, unkeyed checksums are the only option */
+ if (crypto == NULL)
+ return KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM;
+ else
+ return crypto->flags;
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_create_checksum(krb5_context context,
krb5_crypto crypto,
@@ -417,21 +571,21 @@ krb5_create_checksum(krb5_context context,
} else
keyusage = CHECKSUM_USAGE(usage);
- return create_checksum(context, ct, crypto, keyusage,
- data, len, result);
+ return create_checksum(context, ct, crypto, keyusage, data, len,
+ crypto_flags(crypto), result);
}
static krb5_error_code
-verify_checksum(krb5_context context,
- krb5_crypto crypto,
- unsigned usage, /* not krb5_key_usage */
- void *data,
- size_t len,
- Checksum *cksum)
+verify_checksum_iov(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage, /* not krb5_key_usage */
+ struct krb5_crypto_iov *iov,
+ int niov,
+ krb5_flags flags,
+ Checksum *cksum)
{
krb5_error_code ret;
struct _krb5_key_data *dkey;
- int keyed_checksum;
Checksum c;
struct _krb5_checksum_type *ct;
@@ -452,29 +606,17 @@ verify_checksum(krb5_context context,
return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
}
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum) {
- struct _krb5_checksum_type *kct;
- if (crypto == NULL) {
- krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- kct = crypto->et->keyed_checksum;
- if (kct == NULL || kct->type != ct->type) {
- krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed, but "
- "the key type %s passed didnt have that checksum "
- "type as the keyed type", ""),
- ct->name, crypto->et->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
-
+ if (ct->flags & F_KEYED) {
ret = get_checksum_key(context, crypto, usage, ct, &dkey);
if (ret)
return ret;
+ } else if ((flags & KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM) == 0) {
+ krb5_clear_error_message (context);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_INAPP_CKSUM,
+ N_("Unkeyed checksum type %s provided where keyed "
+ "checksum was expected", ""), ct->name);
+
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
} else
dkey = NULL;
@@ -484,7 +626,7 @@ verify_checksum(krb5_context context,
*/
if(ct->verify) {
- ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
+ ret = (*ct->verify)(context, crypto, dkey, usage, iov, niov, cksum);
if (ret)
krb5_set_error_message(context, ret,
N_("Decrypt integrity check failed for checksum "
@@ -497,7 +639,7 @@ verify_checksum(krb5_context context,
if (ret)
return ret;
- ret = (*ct->checksum)(context, dkey, data, len, usage, &c);
+ ret = (*ct->checksum)(context, crypto, dkey, usage, iov, niov, &c);
if (ret) {
krb5_data_free(&c.checksum);
return ret;
@@ -516,6 +658,24 @@ verify_checksum(krb5_context context,
return ret;
}
+static krb5_error_code
+verify_checksum(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage, /* not krb5_key_usage */
+ void *data,
+ size_t len,
+ krb5_flags flags,
+ Checksum *cksum)
+{
+ struct krb5_crypto_iov iov[1];
+
+ iov[0].data.data = data;
+ iov[0].data.length = len;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+
+ return verify_checksum_iov(context, crypto, usage, iov, 1, flags, cksum);
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_checksum(krb5_context context,
krb5_crypto crypto,
@@ -542,7 +702,7 @@ krb5_verify_checksum(krb5_context context,
keyusage = CHECKSUM_USAGE(usage);
return verify_checksum(context, crypto, keyusage,
- data, len, cksum);
+ data, len, crypto_flags(crypto), cksum);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
@@ -699,7 +859,7 @@ krb5_enctype_to_keytype(krb5_context context,
if(e == NULL) {
return unsupported_enctype (context, etype);
}
- *keytype = e->keytype->type; /* XXX */
+ *keytype = (krb5_keytype)e->keytype->type;
return 0;
}
@@ -836,6 +996,7 @@ encrypt_internal_derived(krb5_context context,
INTEGRITY_USAGE(usage),
p,
block_sz,
+ 0,
&cksum);
if(ret == 0 && cksum.checksum.length != checksum_sz) {
free_Checksum (&cksum);
@@ -923,6 +1084,7 @@ encrypt_internal_enc_then_cksum(krb5_context context,
INTEGRITY_USAGE(usage),
ivc,
et->blocksize + block_sz,
+ 0,
&cksum);
if(ret == 0 && cksum.checksum.length != checksum_sz) {
free_Checksum (&cksum);
@@ -979,6 +1141,7 @@ encrypt_internal(krb5_context context,
0,
p,
block_sz,
+ KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM,
&cksum);
if(ret == 0 && cksum.checksum.length != checksum_sz) {
krb5_clear_error_message (context);
@@ -1104,6 +1267,7 @@ decrypt_internal_derived(krb5_context context,
INTEGRITY_USAGE(usage),
p,
len,
+ 0,
&cksum);
if(ret) {
free(p);
@@ -1111,11 +1275,7 @@ decrypt_internal_derived(krb5_context context,
}
l = len - et->confoundersize;
memmove(p, p + et->confoundersize, l);
- result->data = realloc(p, l);
- if(result->data == NULL && l != 0) {
- free(p);
- return krb5_enomem(context);
- }
+ result->data = p;
result->length = l;
return 0;
}
@@ -1171,6 +1331,7 @@ decrypt_internal_enc_then_cksum(krb5_context context,
INTEGRITY_USAGE(usage),
p,
et->blocksize + len,
+ 0,
&cksum);
if(ret) {
free(p);
@@ -1195,11 +1356,7 @@ decrypt_internal_enc_then_cksum(krb5_context context,
l = len - et->confoundersize;
memmove(p, p + et->blocksize + et->confoundersize, l);
- result->data = realloc(p, l);
- if(result->data == NULL && l != 0) {
- free(p);
- return krb5_enomem(context);
- }
+ result->data = p;
result->length = l;
return 0;
}
@@ -1252,7 +1409,8 @@ decrypt_internal(krb5_context context,
}
memset(p + et->confoundersize, 0, checksum_sz);
cksum.cksumtype = CHECKSUMTYPE(et->checksum);
- ret = verify_checksum(context, NULL, 0, p, len, &cksum);
+ ret = verify_checksum(context, NULL, 0, p, len,
+ KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM, &cksum);
free_Checksum(&cksum);
if(ret) {
free(p);
@@ -1260,11 +1418,7 @@ decrypt_internal(krb5_context context,
}
l = len - et->confoundersize - checksum_sz;
memmove(p, p + et->confoundersize + checksum_sz, l);
- result->data = realloc(p, l);
- if(result->data == NULL && l != 0) {
- free(p);
- return krb5_enomem(context);
- }
+ result->data = p;
result->length = l;
return 0;
}
@@ -1307,11 +1461,7 @@ decrypt_internal_special(krb5_context context,
}
memmove (p, p + cksum_sz + et->confoundersize, sz);
- result->data = realloc(p, sz);
- if(result->data == NULL && sz != 0) {
- free(p);
- return krb5_enomem(context);
- }
+ result->data = p;
result->length = sz;
return 0;
}
@@ -1346,10 +1496,11 @@ iov_sign_data_len(krb5_crypto_iov *data, int num_data)
size_t i, len;
for (len = 0, i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- len += data[i].data.length;
+ /* Can't use should_sign, because we must only count data, not
+ * header/trailer */
+ if (data[i].flags == KRB5_CRYPTO_TYPE_DATA ||
+ data[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ len += data[i].data.length;
}
return len;
@@ -1465,7 +1616,7 @@ iov_pad_validate(const struct _krb5_encryption_type *et,
return KRB5_BAD_MSIZE;
piv->data.length = pad_sz;
if (pad_sz)
- memset(piv->data.data, pad_sz, pad_sz);
+ memset(piv->data.data, 0, pad_sz);
else
piv = NULL;
}
@@ -1552,9 +1703,8 @@ krb5_encrypt_iov_ivec(krb5_context context,
unsigned char old_ivec[EVP_MAX_IV_LENGTH];
krb5_data ivec_data;
- ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
- if(ret)
- goto cleanup;
+ heim_assert(et->blocksize <= sizeof(old_ivec),
+ "blocksize too big for ivec buffer");
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret)
@@ -1564,22 +1714,30 @@ krb5_encrypt_iov_ivec(krb5_context context,
if(ret)
goto cleanup;
- heim_assert(et->blocksize <= sizeof(old_ivec),
- "blocksize too big for ivec buffer");
-
if (ivec)
memcpy(old_ivec, ivec, et->blocksize);
else
memset(old_ivec, 0, et->blocksize);
- ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
- 1, usage, ivec);
- if(ret)
- goto cleanup;
+ if (et->encrypt_iov != NULL) {
+ ret = (*et->encrypt_iov)(context, dkey, data, num_data, 1, usage,
+ ivec);
+ if (ret)
+ goto cleanup;
+ } else {
+ ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
+ if (ret)
+ goto cleanup;
- ret = iov_uncoalesce(context, &enc_data, data, num_data);
- if(ret)
- goto cleanup;
+ ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
+ 1, usage, ivec);
+ if (ret)
+ goto cleanup;
+
+ ret = iov_uncoalesce(context, &enc_data, data, num_data);
+ if (ret)
+ goto cleanup;
+ }
ivec_data.length = et->blocksize;
ivec_data.data = old_ivec;
@@ -1587,36 +1745,43 @@ krb5_encrypt_iov_ivec(krb5_context context,
ret = iov_coalesce(context, &ivec_data, data, num_data, TRUE, &sign_data);
if(ret)
goto cleanup;
- } else {
- ret = iov_coalesce(context, NULL, data, num_data, TRUE, &sign_data);
- if(ret)
- goto cleanup;
- }
-
- ret = create_checksum(context,
- et->keyed_checksum,
- crypto,
- INTEGRITY_USAGE(usage),
- sign_data.data,
- sign_data.length,
- &cksum);
- if(ret == 0 && cksum.checksum.length != trailersz) {
- free_Checksum (&cksum);
- krb5_clear_error_message (context);
- ret = KRB5_CRYPTO_INTERNAL;
- }
- if(ret)
- goto cleanup;
-
- /* save cksum at end */
- memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
- free_Checksum (&cksum);
- if (!(et->flags & F_ENC_THEN_CKSUM)) {
- ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
- if(ret)
- goto cleanup;
+ ret = create_checksum(context,
+ et->keyed_checksum,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ sign_data.data,
+ sign_data.length,
+ 0,
+ &cksum);
+
+ if(ret == 0 && cksum.checksum.length != trailersz) {
+ free_Checksum (&cksum);
+ krb5_clear_error_message (context);
+ ret = KRB5_CRYPTO_INTERNAL;
+ }
+ if (ret)
+ goto cleanup;
+
+ /* save cksum at end */
+ memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
+ free_Checksum (&cksum);
+ } else {
+ cksum.checksum = tiv->data;
+ ret = create_checksum_iov(context,
+ et->keyed_checksum,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ data,
+ num_data,
+ 0,
+ &cksum);
+ if (ret)
+ goto cleanup;
+
+ /* create_checksum may realloc the derived key space, so any keys
+ * obtained before it was called may no longer be valid */
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret)
goto cleanup;
@@ -1625,14 +1790,25 @@ krb5_encrypt_iov_ivec(krb5_context context,
if(ret)
goto cleanup;
- ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
- 1, usage, ivec);
- if(ret)
- goto cleanup;
+ if (et->encrypt_iov != NULL) {
+ ret = (*et->encrypt_iov)(context, dkey, data, num_data, 1, usage,
+ ivec);
+ if (ret)
+ goto cleanup;
+ } else {
+ ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
+ if (ret)
+ goto cleanup;
- ret = iov_uncoalesce(context, &enc_data, data, num_data);
- if(ret)
- goto cleanup;
+ ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
+ 1, usage, ivec);
+ if (ret)
+ goto cleanup;
+
+ ret = iov_uncoalesce(context, &enc_data, data, num_data);
+ if (ret)
+ goto cleanup;
+ }
}
cleanup:
@@ -1708,10 +1884,6 @@ krb5_decrypt_iov_ivec(krb5_context context,
krb5_data_zero(&sign_data);
if (!(et->flags & F_ENC_THEN_CKSUM)) {
- ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
- if(ret)
- goto cleanup;
-
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret)
goto cleanup;
@@ -1720,47 +1892,62 @@ krb5_decrypt_iov_ivec(krb5_context context,
if(ret)
goto cleanup;
- ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
- 0, usage, ivec);
- if(ret)
- goto cleanup;
+ if (et->encrypt_iov != NULL) {
+ ret = (*et->encrypt_iov)(context, dkey, data, num_data,
+ 0, usage, ivec);
+ if(ret)
+ goto cleanup;
+ } else {
+ ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
+ if(ret)
+ goto cleanup;
+
+ ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
+ 0, usage, ivec);
+ if(ret)
+ goto cleanup;
+
+ ret = iov_uncoalesce(context, &enc_data, data, num_data);
+ if(ret)
+ goto cleanup;
+ }
- ret = iov_uncoalesce(context, &enc_data, data, num_data);
- if(ret)
- goto cleanup;
+ cksum.checksum.data = tiv->data.data;
+ cksum.checksum.length = tiv->data.length;
+ cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
- ret = iov_coalesce(context, NULL, data, num_data, TRUE, &sign_data);
+ ret = verify_checksum_iov(context, crypto, INTEGRITY_USAGE(usage),
+ data, num_data, 0, &cksum);
if(ret)
goto cleanup;
} else {
krb5_data ivec_data;
- static unsigned char zero_ivec[EVP_MAX_IV_LENGTH];
+ static const unsigned char zero_ivec[EVP_MAX_IV_LENGTH];
heim_assert(et->blocksize <= sizeof(zero_ivec),
"blocksize too big for ivec buffer");
ivec_data.length = et->blocksize;
- ivec_data.data = ivec ? ivec : zero_ivec;
+ ivec_data.data = ivec ? ivec : rk_UNCONST(zero_ivec);
ret = iov_coalesce(context, &ivec_data, data, num_data, TRUE, &sign_data);
if(ret)
goto cleanup;
- }
- cksum.checksum.data = tiv->data.data;
- cksum.checksum.length = tiv->data.length;
- cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
-
- ret = verify_checksum(context,
- crypto,
- INTEGRITY_USAGE(usage),
- sign_data.data,
- sign_data.length,
- &cksum);
- if(ret)
- goto cleanup;
+ cksum.checksum.data = tiv->data.data;
+ cksum.checksum.length = tiv->data.length;
+ cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
+
+ ret = verify_checksum(context,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ sign_data.data,
+ sign_data.length,
+ 0,
+ &cksum);
+ if(ret)
+ goto cleanup;
- if (et->flags & F_ENC_THEN_CKSUM) {
ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
if(ret)
goto cleanup;
@@ -1819,58 +2006,44 @@ krb5_create_checksum_iov(krb5_context context,
{
Checksum cksum;
krb5_crypto_iov *civ;
+ struct _krb5_checksum_type *ct;
+ unsigned keyusage;
krb5_error_code ret;
- size_t i;
- size_t len;
- char *p, *q;
-
- if(!derived_crypto(context, crypto)) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
civ = iov_find(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
if (civ == NULL)
return KRB5_BAD_MSIZE;
- len = 0;
- for (i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- len += data[i].data.length;
- }
-
- p = q = malloc(len);
+ ct = crypto->et->keyed_checksum;
+ if (ct == NULL)
+ ct = crypto->et->checksum;
- for (i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- memcpy(q, data[i].data.data, data[i].data.length);
- q += data[i].data.length;
+ if(ct == NULL) {
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type not found", ""));
+ return KRB5_PROG_SUMTYPE_NOSUPP;
}
- ret = krb5_create_checksum(context, crypto, usage, 0, p, len, &cksum);
- free(p);
- if (ret)
- return ret;
-
- if (type)
- *type = cksum.cksumtype;
+ if (arcfour_checksum_p(ct, crypto)) {
+ keyusage = usage;
+ _krb5_usage2arcfour(context, &keyusage);
+ } else
+ keyusage = CHECKSUM_USAGE(usage);
- if (cksum.checksum.length > civ->data.length) {
+ if (ct->checksumsize > civ->data.length) {
krb5_set_error_message(context, KRB5_BAD_MSIZE,
N_("Checksum larger then input buffer", ""));
- free_Checksum(&cksum);
return KRB5_BAD_MSIZE;
}
- civ->data.length = cksum.checksum.length;
- memcpy(civ->data.data, cksum.checksum.data, civ->data.length);
- free_Checksum(&cksum);
+ cksum.checksum = civ->data;
+ ret = create_checksum_iov(context, ct, crypto, keyusage,
+ data, num_data, crypto_flags(crypto), &cksum);
- return 0;
+ if (ret == 0 && type)
+ *type = cksum.cksumtype;
+
+ return ret;
}
/**
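Review bot: `cksum.checksum = civ->data` hands the caller's whole checksum buffer to the checksum callback, and the guard above it only rejects buffers that are too small (`ct->checksumsize > civ->data.length`). A larger buffer reaches callbacks that copy `result->checksum.length` bytes; `_krb5_SP_HMAC_SHA1_checksum` in this same commit asserts `result->checksum.length <= hmaclen` and then copies that many. The removed line `civ->data.length = cksum.checksum.length` also no longer tells the caller how long the checksum actually is. Trim first with `civ->data.length = ct->checksumsize;` before the assignment. `crypto->et` is dereferenced here although `crypto_flags()` treats a NULL `crypto` as valid; the start of the function is outside the hunk, so an earlier check may exist.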
@@ -1896,46 +2069,36 @@ krb5_verify_checksum_iov(krb5_context context,
krb5_cksumtype *type)
{
struct _krb5_encryption_type *et = crypto->et;
+ struct _krb5_checksum_type *ct;
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
- size_t i;
- size_t len;
- char *p, *q;
-
- if(!derived_crypto(context, crypto)) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
+ unsigned keyusage;
civ = iov_find(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
if (civ == NULL)
return KRB5_BAD_MSIZE;
- len = 0;
- for (i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- len += data[i].data.length;
- }
-
- p = q = malloc(len);
-
- for (i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- memcpy(q, data[i].data.data, data[i].data.length);
- q += data[i].data.length;
- }
-
cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
cksum.checksum.length = civ->data.length;
cksum.checksum.data = civ->data.data;
- ret = krb5_verify_checksum(context, crypto, usage, p, len, &cksum);
- free(p);
+ ct = _krb5_find_checksum(cksum.cksumtype);
+ if(ct == NULL) {
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ cksum.cksumtype);
+ return KRB5_PROG_SUMTYPE_NOSUPP;
+ }
+
+ if (arcfour_checksum_p(ct, crypto)) {
+ keyusage = usage;
+ _krb5_usage2arcfour(context, &keyusage);
+ } else
+ keyusage = CHECKSUM_USAGE(usage);
+
+ ret = verify_checksum_iov(context, crypto, keyusage, data, num_data,
+ crypto_flags(crypto), &cksum);
if (ret == 0 && type)
*type = cksum.cksumtype;
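Review bot: The verify side still derives the type from `CHECKSUMTYPE(et->keyed_checksum)`, while `krb5_create_checksum_iov` in this commit falls back to `crypto->et->checksum` when `keyed_checksum` is NULL. For an enctype without a keyed checksum the two paths no longer agree, and if `CHECKSUMTYPE` dereferences its argument (its definition is not shown) this line faults. Select the type the same way as the create path, e.g. `ct = et->keyed_checksum ? et->keyed_checksum : et->checksum;`, check it for NULL, and set `cksum.cksumtype = ct->type;` instead of calling `_krb5_find_checksum`. The function starts before and continues past this hunk.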
@@ -1973,7 +2136,10 @@ krb5_crypto_length(krb5_context context,
*len = 0;
return 0;
case KRB5_CRYPTO_TYPE_TRAILER:
- *len = CHECKSUMSIZE(crypto->et->keyed_checksum);
+ if (crypto->et->keyed_checksum)
+ *len = CHECKSUMSIZE(crypto->et->keyed_checksum);
+ else
+ *len = 0;
return 0;
case KRB5_CRYPTO_TYPE_CHECKSUM:
if (crypto->et->keyed_checksum)
@@ -2159,8 +2325,12 @@ derive_key_rfc3961(krb5_context context,
memcpy(k + i * et->blocksize,
k + (i - 1) * et->blocksize,
et->blocksize);
- (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize,
- 1, 0, NULL);
+ ret = (*et->encrypt)(context, key, k + i * et->blocksize,
+ et->blocksize, 1, 0, NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret, N_("encrypt failed", ""));
+ goto out;
+ }
}
} else {
/* this case is probably broken, but won't be run anyway */
@@ -2172,7 +2342,12 @@ derive_key_rfc3961(krb5_context context,
goto out;
}
memcpy(c, constant, len);
- (*et->encrypt)(context, key, c, len, 1, 0, NULL);
+ ret = (*et->encrypt)(context, key, c, len, 1, 0, NULL);
+ if (ret) {
+ free(c);
+ krb5_set_error_message(context, ret, N_("encrypt failed", ""));
+ goto out;
+ }
k = malloc(res_len);
if(res_len != 0 && k == NULL) {
free(c);
@@ -2384,7 +2559,7 @@ krb5_crypto_init(krb5_context context,
ALLOC(*crypto, 1);
if (*crypto == NULL)
return krb5_enomem(context);
- if(etype == (krb5_enctype)ETYPE_NULL)
+ if(etype == ETYPE_NULL)
etype = key->keytype;
(*crypto)->et = _krb5_find_enctype(etype);
if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) {
@@ -2408,6 +2583,7 @@ krb5_crypto_init(krb5_context context,
(*crypto)->key.schedule = NULL;
(*crypto)->num_key_usage = 0;
(*crypto)->key_usage = NULL;
+ (*crypto)->flags = 0;
return 0;
}
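Review bot: `krb5_crypto_init` gains an explicit `(*crypto)->flags = 0` but nothing for the new `mdctx` and `hmacctx` members, which `krb5_crypto_destroy` tests and frees in the next hunk. If `ALLOC` zeroes the object this is only an inconsistency with the explicit initialisers around it; if it does not, destroy would free indeterminate pointers. Add `(*crypto)->mdctx = NULL;` and `(*crypto)->hmacctx = NULL;` next to the `flags` line. Only the tail of the function is in this hunk.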
@@ -2461,6 +2637,13 @@ krb5_crypto_destroy(krb5_context context,
free_key_usage(context, &crypto->key_usage[i], crypto->et);
free(crypto->key_usage);
_krb5_free_key_data(context, &crypto->key, crypto->et);
+
+ if (crypto->mdctx)
+ EVP_MD_CTX_destroy(crypto->mdctx);
+
+ if (crypto->hmacctx)
+ HMAC_CTX_free(crypto->hmacctx);
+
free (crypto);
return 0;
}
@@ -2652,6 +2835,26 @@ krb5_is_enctype_weak(krb5_context context, krb5_enctype enctype)
}
/**
+ * Returns whether the encryption type is new or old
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to probe
+ *
+ * @return Returns true if encryption type is old or is not supported.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_is_enctype_old(krb5_context context, krb5_enctype enctype)
+{
+ struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
+ if (!et || (et->flags & F_OLD))
+ return TRUE;
+ return FALSE;
+}
+
+/**
* Returns whether the encryption type should use randomly generated salts
*
* @param context Kerberos 5 context
@@ -2856,7 +3059,7 @@ krb5_crypto_prf(krb5_context context,
return (*et->prf)(context, crypto, input, output);
}
-static krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_prfplus(krb5_context context,
const krb5_crypto crypto,
const krb5_data *input,
@@ -2970,7 +3173,13 @@ krb5_crypto_fx_cf2(krb5_context context,
return ret;
}
-
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+_krb5_crypto_set_flags(krb5_context context,
+ krb5_crypto crypto,
+ krb5_flags flags)
+{
+ crypto->flags |= flags;
+}
#ifndef HEIMDAL_SMALLER
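Review bot: `_krb5_crypto_set_flags` is exported without a doc comment, and the one flag this commit defines, `KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM`, relaxes the keyed-checksum requirement for every later create and verify call made with that `krb5_crypto`. A header comment should say that flags are OR-ed in and cannot be cleared through this call, and that `crypto` must be non-NULL because the body dereferences it unconditionally. It should also say that the unkeyed flag is meant only for exchanges that genuinely require an unkeyed checksum.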
diff --git a/lib/krb5/crypto.h b/lib/krb5/crypto.h
index ede0338442ec..d02f841305bd 100644
--- a/lib/krb5/crypto.h
+++ b/lib/krb5/crypto.h
@@ -42,13 +42,6 @@ struct _krb5_key_data {
struct _krb5_key_usage;
-struct krb5_crypto_data {
- struct _krb5_encryption_type *et;
- struct _krb5_key_data key;
- int num_key_usage;
- struct _krb5_key_usage *key_usage;
-};
-
#define CRYPTO_ETYPE(C) ((C)->et->type)
/* bits for `flags' below */
@@ -59,6 +52,7 @@ struct krb5_crypto_data {
#define F_PSEUDO 0x0010 /* not a real protocol type */
#define F_DISABLED 0x0020 /* enctype/checksum disabled */
#define F_WEAK 0x0040 /* enctype is considered weak */
+#define F_OLD 0x0080 /* enctype is old */
#define F_RFC3961_ENC 0x0100 /* RFC3961 simplified profile */
#define F_SPECIAL 0x0200 /* backwards */
@@ -97,14 +91,16 @@ struct _krb5_checksum_type {
size_t checksumsize;
unsigned flags;
krb5_error_code (*checksum)(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *buf, size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov, int niov,
Checksum *csum);
krb5_error_code (*verify)(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *buf, size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov, int niov,
Checksum *csum);
};
@@ -125,14 +121,20 @@ struct _krb5_encryption_type {
krb5_boolean encryptp,
int usage,
void *ivec);
+ krb5_error_code (*encrypt_iov)(krb5_context context,
+ struct _krb5_key_data *key,
+ krb5_crypto_iov *iov, int niov,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec);
size_t prf_length;
krb5_error_code (*prf)(krb5_context,
krb5_crypto, const krb5_data *, krb5_data *);
};
-#define ENCRYPTION_USAGE(U) ((int32_t)((((uint32_t)(U)) << 8)) | 0xAA)
-#define INTEGRITY_USAGE(U) ((int32_t)((((uint32_t)(U)) << 8)) | 0x55)
-#define CHECKSUM_USAGE(U) ((int32_t)((((uint32_t)(U)) << 8)) | 0x99)
+#define ENCRYPTION_USAGE(U) (((uint32_t)(U) << 8) | 0xAA)
+#define INTEGRITY_USAGE(U) (((uint32_t)(U) << 8) | 0x55)
+#define CHECKSUM_USAGE(U) (((uint32_t)(U) << 8) | 0x99)
/* Checksums */
@@ -150,7 +152,9 @@ extern struct _krb5_checksum_type _krb5_checksum_hmac_sha256_128_aes128;
extern struct _krb5_checksum_type _krb5_checksum_hmac_sha384_192_aes256;
extern struct _krb5_checksum_type _krb5_checksum_hmac_md5;
extern struct _krb5_checksum_type _krb5_checksum_sha1;
-extern struct _krb5_checksum_type _krb5_checksum_sha2;
+extern struct _krb5_checksum_type _krb5_checksum_sha256;
+extern struct _krb5_checksum_type _krb5_checksum_sha384;
+extern struct _krb5_checksum_type _krb5_checksum_sha512;
extern struct _krb5_checksum_type *_krb5_checksum_types[];
extern int _krb5_num_checksums;
@@ -187,15 +191,41 @@ extern struct _krb5_encryption_type _krb5_enctype_null;
extern struct _krb5_encryption_type *_krb5_etypes[];
extern int _krb5_num_etypes;
+static inline int
+_krb5_crypto_iov_should_sign(const struct krb5_crypto_iov *iov)
+{
+ return (iov->flags == KRB5_CRYPTO_TYPE_DATA
+ || iov->flags == KRB5_CRYPTO_TYPE_SIGN_ONLY
+ || iov->flags == KRB5_CRYPTO_TYPE_HEADER
+ || iov->flags == KRB5_CRYPTO_TYPE_PADDING);
+}
+
/* NO_HCRYPTO_POLLUTION is defined in pkinit-ec.c. See commentary there. */
#ifndef NO_HCRYPTO_POLLUTION
/* Interface to the EVP crypto layer provided by hcrypto */
struct _krb5_evp_schedule {
/*
* Normally we'd say EVP_CIPHER_CTX here, but! this header gets
- * included in lib/krb5/pkinit-ec.ck
+ * included in lib/krb5/pkinit-ec.c
*/
EVP_CIPHER_CTX ectx;
EVP_CIPHER_CTX dctx;
};
+
+struct krb5_crypto_data {
+ struct _krb5_encryption_type *et;
+ struct _krb5_key_data key;
+ EVP_MD_CTX *mdctx;
+ HMAC_CTX *hmacctx;
+ int num_key_usage;
+ struct _krb5_key_usage *key_usage;
+ krb5_flags flags;
+};
+
+/*
+ * Allow generation and verification of unkeyed checksums even when
+ * key material is available.
+ */
+#define KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM 0x01
+
#endif
diff --git a/lib/krb5/data.c b/lib/krb5/data.c
index d49685d94d4f..abfa0531f0ef 100644
--- a/lib/krb5/data.c
+++ b/lib/krb5/data.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
/**
- * Reset the (potentially uninitalized) krb5_data structure.
+ * Reset the (potentially uninitialized) krb5_data structure.
*
* @param p krb5_data to reset.
*
@@ -148,7 +148,7 @@ krb5_data_copy(krb5_data *p, const void *data, size_t len)
if (len) {
if(krb5_data_alloc(p, len))
return ENOMEM;
- memmove(p->data, data, len);
+ memcpy(p->data, data, len);
} else
p->data = NULL;
p->length = len;
@@ -200,9 +200,12 @@ krb5_copy_data(krb5_context context,
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_data_cmp(const krb5_data *data1, const krb5_data *data2)
{
- if (data1->length != data2->length)
+ size_t len = data1->length < data2->length ? data1->length : data2->length;
+ int cmp = memcmp(data1->data, data2->data, len);
+
+ if (cmp == 0)
return data1->length - data2->length;
- return memcmp(data1->data, data2->data, data1->length);
+ return cmp;
}
/**
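Review bot: `return data1->length - data2->length` subtracts two `size_t` values and converts the result to `int`, so a large length difference can come out with the wrong sign or as 0. A form that cannot truncate is `return (data1->length > data2->length) - (data1->length < data2->length);`. The new code also calls `memcmp` when one side is empty, where `data` may be NULL (`krb5_data_copy` above stores NULL for `len == 0`); guard it with `int cmp = len ? memcmp(data1->data, data2->data, len) : 0;`.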
diff --git a/lib/krb5/db_plugin.c b/lib/krb5/db_plugin.c
index a46bbc1f0106..e997d3d286cd 100644
--- a/lib/krb5/db_plugin.c
+++ b/lib/krb5/db_plugin.c
@@ -14,12 +14,22 @@ db_plugins_plcallback(krb5_context context, const void *plug, void *plugctx,
return 0;
}
+static const char *const db_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+db_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_DB,
+ KRB5_PLUGIN_DB_VERSION_0,
+ db_plugin_deps,
+ krb5_get_instance
+};
+
static void
db_plugins_init(void *arg)
{
krb5_context context = arg;
- (void)_krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_DB,
- KRB5_PLUGIN_DB_VERSION_0, 0, NULL,
+ (void)_krb5_plugin_run_f(context, &db_plugin_data, 0, NULL,
db_plugins_plcallback);
}
diff --git a/lib/krb5/db_plugin.h b/lib/krb5/db_plugin.h
index 730c06095558..ab676d51a6fa 100644
--- a/lib/krb5/db_plugin.h
+++ b/lib/krb5/db_plugin.h
@@ -33,6 +33,8 @@
#ifndef HEIMDAL_KRB5_DB_PLUGIN_H
#define HEIMDAL_KRB5_DB_PLUGIN_H 1
+#include <heimbase-svc.h>
+
#define KRB5_PLUGIN_DB "krb5_db_plug"
#define KRB5_PLUGIN_DB_VERSION_0 0
@@ -59,9 +61,7 @@
* @ingroup krb5_support
*/
typedef struct krb5plugin_db_ftable_desc {
- int minor_version;
- krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
- void (KRB5_LIB_CALL *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
} krb5plugin_db_ftable;
#endif /* HEIMDAL_KRB5_DB_PLUGIN_H */
diff --git a/lib/krb5/dcache.c b/lib/krb5/dcache.c
index c89e157de5a3..77ccda13e72b 100644
--- a/lib/krb5/dcache.c
+++ b/lib/krb5/dcache.c
@@ -37,8 +37,10 @@
typedef struct krb5_dcache{
krb5_ccache fcache;
- char *dir;
char *name;
+ char *dir;
+ char *sub;
+ unsigned int default_candidate:1;
} krb5_dcache;
#define DCACHE(X) ((krb5_dcache*)(X)->data.data)
@@ -46,16 +48,56 @@ typedef struct krb5_dcache{
static krb5_error_code KRB5_CALLCONV dcc_close(krb5_context, krb5_ccache);
static krb5_error_code KRB5_CALLCONV dcc_get_default_name(krb5_context, char **);
+static krb5_error_code KRB5_CALLCONV dcc_set_default(krb5_context, krb5_ccache);
+
+/*
+ * Make subsidiary filesystem safe by mapping / and : to -. If the subsidiary
+ * is longer than 128 bytes, then truncate.
+ * In all cases, "tkt." is prefixed to be compatible with the DIR requirement
+ * that subsidiary ccache files be named tkt*.
+ *
+ * Thus host/foo.bar.baz@BAR.BAZ -> tkt.host-foo.bar.baz@BAR.BAZ.
+ *
+ * In particular, no filesystem component separators will be emitted, and . and
+ * .. will never be traversed.
+ */
+static krb5_error_code
+fs_encode_subsidiary(krb5_context context,
+ krb5_dcache *dc,
+ const char *subsidiary,
+ char **res)
+{
+ size_t len = strlen(subsidiary);
+ size_t i;
+
+ *res = NULL;
+ if (asprintf(res, "tkt.%s", subsidiary) == -1 || *res == NULL)
+ return krb5_enomem(context);
+ for (i = sizeof("tkt.") - 1; i < len; i++) {
+ switch ((*res)[i]) {
+#ifdef WIN32
+ case '\\': (*res)[0] = '-'; break;
+#endif
+ case '/': (*res)[0] = '-'; break;
+ case ':': (*res)[0] = '-'; break;
+ default: break;
+ }
+ }
+ /* Hopefully this will work on all filesystems */
+ if (len > 128 - sizeof("tkt.") - 1)
+ (*res)[127] = '\0';
+ return 0;
+}
static char *
primary_create(krb5_dcache *dc)
{
char *primary = NULL;
-
- asprintf(&primary, "%s/primary", dc->dir);
- if (primary == NULL)
+ int asprintf_ret = asprintf(&primary, "%s/primary", dc->dir);
+ if (asprintf_ret == -1 || primary == NULL) {
return NULL;
+ }
return primary;
}
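Review bot: In fs_encode_subsidiary every case of the switch assigns to `(*res)[0]` rather than `(*res)[i]`, so a `/`, `:` or `\` in the subsidiary is left in place and the leading `t` of the prefix is overwritten instead, which contradicts the header comment's promise that no path component separators are emitted. The loop bound is `strlen(subsidiary)` while the scan runs over the prefixed string, so the last four bytes are never examined either. Suggested: `for (i = sizeof("tkt.") - 1; (*res)[i] != '\0'; i++)` with `case '/': (*res)[i] = '-'; break;` and the same index in the other cases. The visible callers of get_default_cache pass NULL for `subsidiary`, and dcc_resolve_2 separately rejects separators through is_filename_cacheish, so this path may not be reachable yet, but the helper should do what its comment says before anything relies on it.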
@@ -63,8 +105,14 @@ primary_create(krb5_dcache *dc)
static int
is_filename_cacheish(const char *name)
{
- return strncmp(name, "tkt", 3) == 0;
-
+ size_t i;
+
+ if (strncmp(name, "tkt", sizeof("tkt") - 1) != 0)
+ return 0;
+ for (i = sizeof("tkt") - 1; name[i]; i++)
+ if (ISPATHSEP(name[i]))
+ return 0;
+ return 1;
}
static krb5_error_code
@@ -75,16 +123,12 @@ set_default_cache(krb5_context context, krb5_dcache *dc, const char *residual)
struct iovec iov[2];
size_t len;
int fd = -1;
+ int asprintf_ret;
- if (!is_filename_cacheish(residual)) {
- krb5_set_error_message(context, KRB5_CC_FORMAT,
- "name %s is not a cache (doesn't start with tkt)", residual);
- return KRB5_CC_FORMAT;
- }
-
- asprintf(&path, "%s/primary-XXXXXX", dc->dir);
- if (path == NULL)
+ asprintf_ret = asprintf(&path, "%s/primary-XXXXXX", dc->dir);
+ if (asprintf_ret == -1 || path == NULL) {
return krb5_enomem(context);
+ }
fd = mkstemp(path);
if (fd < 0) {
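Review bot: set_default_cache no longer checks `residual` with is_filename_cacheish before using it, so it now relies on its caller; the only caller in this diff, dcc_set_default, passes `dc->sub`, which dcc_resolve_2 has validated. That precondition should be written down at the top of the function, for example `/* residual must already satisfy is_filename_cacheish(); see dcc_resolve_2() */`, so that a future caller does not store an unchecked name. The function begins and ends outside this hunk.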
@@ -139,14 +183,18 @@ set_default_cache(krb5_context context, krb5_dcache *dc, const char *residual)
}
static krb5_error_code
-get_default_cache(krb5_context context, krb5_dcache *dc, char **residual)
+get_default_cache(krb5_context context, krb5_dcache *dc,
+ const char *subsidiary, char **residual)
{
krb5_error_code ret;
char buf[MAXPATHLEN];
- char *primary;
+ char *primary = NULL;
FILE *f;
*residual = NULL;
+ if (subsidiary)
+ return fs_encode_subsidiary(context, dc, subsidiary, residual);
+
primary = primary_create(dc);
if (primary == NULL)
return krb5_enomem(context);
@@ -195,12 +243,22 @@ get_default_cache(krb5_context context, krb5_dcache *dc, char **residual)
-static const char* KRB5_CALLCONV
-dcc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+dcc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **dir,
+ const char **sub)
{
krb5_dcache *dc = DCACHE(id);
- return dc->name;
+
+ if (name)
+ *name = dc->name;
+ if (dir)
+ *dir = dc->dir;
+ if (sub)
+ *sub = dc->sub;
+ return 0;
}
@@ -209,19 +267,24 @@ verify_directory(krb5_context context, const char *path)
{
struct stat sb;
+ if (!path[0]) {
+ krb5_set_error_message(context, EINVAL,
+ N_("DIR empty directory component", ""));
+ return EINVAL;
+ }
+
+ /* XXX should use mkdirx_np() */
+ if (rk_mkdir(path, S_IRWXU) == 0)
+ return 0;
+
if (stat(path, &sb) != 0) {
if (errno == ENOENT) {
- /* XXX should use mkdirx_np() */
- if (rk_mkdir(path, S_IRWXU) == 0)
- return 0;
-
krb5_set_error_message(context, ENOENT,
N_("DIR directory %s doesn't exists", ""), path);
return ENOENT;
} else {
- int ret = errno;
- krb5_set_error_message(context, ret,
- N_("DIR directory %s is bad: %s", ""), path, strerror(ret));
+ krb5_set_error_message(context, errno,
+ N_("DIR directory %s is bad: %s", ""), path, strerror(errno));
return errno;
}
}
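Review bot: In the `else` branch of verify_directory the saved copy `int ret = errno;` was dropped, so `return errno;` is evaluated only after krb5_set_error_message has run, and that call may change `errno`; keep `int ret = errno;` and finish with `return ret;`. Now that `rk_mkdir()` is tried first, an already existing directory is accepted through the `stat()` path, and the remainder of the function is outside this hunk. If it checks only that the path is a directory, a directory pre-created by another user in a shared location, such as the `/tmp/krb5cc_${uid}_dir` default mentioned in dcc_resolve_2, would be used as is. Comparing `sb.st_uid` with the effective uid and rejecting group/other permission bits would close that.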
@@ -239,116 +302,176 @@ dcc_release(krb5_context context, krb5_dcache *dc)
{
if (dc->fcache)
krb5_cc_close(context, dc->fcache);
- if (dc->dir)
- free(dc->dir);
- if (dc->name)
- free(dc->name);
+ free(dc->sub);
+ free(dc->dir);
+ free(dc->name);
memset(dc, 0, sizeof(*dc));
free(dc);
}
-static krb5_error_code KRB5_CALLCONV
-dcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+static krb5_error_code
+get_default_dir(krb5_context context, char **res)
{
- char *filename = NULL;
krb5_error_code ret;
- krb5_dcache *dc;
- const char *p;
-
- p = res;
- do {
- p = strstr(p, "..");
- if (p && (p == res || ISPATHSEP(p[-1])) && (ISPATHSEP(p[2]) || p[2] == '\0')) {
- krb5_set_error_message(context, KRB5_CC_FORMAT,
- N_("Path contains a .. component", ""));
- return KRB5_CC_FORMAT;
- }
- if (p)
- p += 3;
- } while (p);
-
- dc = calloc(1, sizeof(*dc));
- if (dc == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
+ char *s;
+
+ if ((ret = dcc_get_default_name(context, &s)))
+ return ret;
+ if (strncmp(s, "DIR:", sizeof("DIR:") - 1) != 0) {
+ *res = s;
+ s = NULL;
+ } else if ((*res = strdup(s + sizeof("DIR:") - 1)) == NULL) {
+ ret = krb5_enomem(context);
}
-
- /* check for explicit component */
- if (res[0] == ':') {
- char *q;
+ free(s);
+ return ret;
+}
- dc->dir = strdup(&res[1]);
-#ifdef _WIN32
- q = strrchr(dc->dir, '\\');
- if (q == NULL)
+static krb5_error_code KRB5_CALLCONV
+dcc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
+{
+ krb5_error_code ret;
+ krb5_dcache *dc = NULL;
+ char *filename = NULL;
+ size_t len;
+ int has_pathsep = 0;
+
+ if (sub) {
+ /*
+ * Here `res' has the directory name (or, if NULL, refers to the
+ * default DIR cccol), and `sub' has the "subsidiary" name, to which
+ * we'll prefix "tkt." (though we will insist only on "tkt" later).
+ */
+ if ((dc = calloc(1, sizeof(*dc))) == NULL ||
+ asprintf(&dc->sub, "tkt.%s", sub) == -1 || dc->sub == NULL) {
+ free(dc);
+ return krb5_enomem(context);
+ }
+ if (res && res[0] && (dc->dir = strdup(res)) == NULL) {
+ free(dc->sub);
+ free(dc);
+ return krb5_enomem(context);
+ } else if ((!res || !res[0]) && (ret = get_default_dir(context, &dc->dir))) {
+ free(dc->sub);
+ free(dc);
+ return ret;
+ }
+ } else {
+ const char *p;
+ int is_drive_letter_colon = 0;
+
+ /*
+ * Here `res' has whatever string followed "DIR:", and we need to parse
+ * it into `dc->dir' and `dc->sub'.
+ *
+ * Conventions we support for DIR cache naming:
+ *
+ * - DIR:path:NAME ---> FILE:path/tktNAME
+ * - DIR::path/tktNAME ---> FILE:path/tktNAME
+ * - DIR::NAME ---> FILE:${default_DIR_cccol_path}/tktNAME
+ * \-> FILE:/tmp/krb5cc_${uid}_dir/tktNAME
+ * - DIR:path ---> FILE:path/$(cat primary) or FILE:path/tkt
+ *
+ */
+
+ if (res == NULL || *res == '\0' || (res[0] == ':' && res[1] == '\0')) {
+ /* XXX Why not? */
+ krb5_set_error_message(context, KRB5_CC_FORMAT,
+ N_("\"DIR:\" is not a valid ccache name", ""));
+ return KRB5_CC_FORMAT;
+ }
+
+#ifdef WIN32
+ has_pathsep = strchr(res, '\\') != NULL;
#endif
- q = strrchr(dc->dir, '/');
- if (q) {
- *q++ = '\0';
- } else {
- krb5_set_error_message(context, KRB5_CC_FORMAT, N_("Cache not an absolute path: %s", ""), dc->dir);
- dcc_release(context, dc);
- return KRB5_CC_FORMAT;
- }
+ has_pathsep |= strchr(res, '/') != NULL;
- if (!is_filename_cacheish(q)) {
- krb5_set_error_message(context, KRB5_CC_FORMAT,
- N_("Name %s is not a cache (doesn't start with tkt)", ""), q);
- dcc_release(context, dc);
- return KRB5_CC_FORMAT;
- }
-
- ret = verify_directory(context, dc->dir);
- if (ret) {
- dcc_release(context, dc);
- return ret;
- }
-
- dc->name = strdup(res);
- if (dc->name == NULL) {
- dcc_release(context, dc);
- return krb5_enomem(context);
- }
+ if ((dc = calloc(1, sizeof(*dc))) == NULL)
+ return krb5_enomem(context);
- } else {
- char *residual;
- size_t len;
-
- dc->dir = strdup(res);
- if (dc->dir == NULL) {
- dcc_release(context, dc);
- return krb5_enomem(context);
- }
+ p = strrchr(res, ':');
+#ifdef WIN32
+ is_drive_letter_colon =
+ p && ((res[0] == ':' && res[1] != ':' && p - res == 2) ||
+ (res[0] != ':' && p - res == 1));
+#endif
- len = strlen(dc->dir);
+ if (res[0] != ':' && p && !is_drive_letter_colon) {
+ /* DIR:path:NAME */
+ if ((dc->dir = strndup(res, (p - res))) == NULL ||
+ asprintf(&dc->sub, "tkt.%s", p + 1) < 0 || dc->sub == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+ } else if (res[0] == ':' && has_pathsep) {
+ char *q;
+
+ /* DIR::path/tktNAME (the "tkt" must be there; we'll check) */
+ if ((dc->dir = strdup(&res[1])) == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+#ifdef _WIN32
+ q = strrchr(dc->dir, '\\');
+ if (q == NULL || ((p = strrchr(dc->dir, '/')) && q < p))
+#endif
+ q = strrchr(dc->dir, '/');
+ *q++ = '\0';
+ if ((dc->sub = strdup(q)) == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+ } else if (res[0] == ':') {
+ /* DIR::NAME -- no path component separators in NAME */
+ if ((ret = get_default_dir(context, &dc->dir))) {
+ dcc_release(context, dc);
+ return ret;
+ }
+ if (asprintf(&dc->sub, "tkt.%s", res + 1) < 0 || dc->sub == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+ } else {
+ /* DIR:path */
+ if ((dc->dir = strdup(res)) == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+
+ if ((ret = get_default_cache(context, dc, NULL, &dc->sub))) {
+ dcc_release(context, dc);
+ return ret;
+ }
+ }
+ }
- if (ISPATHSEP(dc->dir[len - 1]))
- dc->dir[len - 1] = '\0';
+ /* Strip off extra slashes on the end */
+ for (len = strlen(dc->dir);
+ len && ISPATHSEP(dc->dir[len - 1]);
+ len--)
+ dc->dir[len - 1] = '\0';
- ret = verify_directory(context, dc->dir);
- if (ret) {
- dcc_release(context, dc);
- return ret;
- }
+ /* If we got here then `dc->dir' and `dc->sub' must both be set */
- ret = get_default_cache(context, dc, &residual);
- if (ret) {
- dcc_release(context, dc);
- return ret;
- }
- asprintf(&dc->name, ":%s/%s", dc->dir, residual);
- free(residual);
- if (dc->name == NULL) {
- dcc_release(context, dc);
- return krb5_enomem(context);
- }
+ if ((ret = verify_directory(context, dc->dir))) {
+ dcc_release(context, dc);
+ return ret;
}
-
- asprintf(&filename, "FILE%s", dc->name);
- if (filename == NULL) {
- dcc_release(context, dc);
- return krb5_enomem(context);
+ if (!is_filename_cacheish(dc->sub)) {
+ krb5_set_error_message(context, KRB5_CC_FORMAT,
+ N_("Name %s is not a cache "
+ "(doesn't start with tkt)", ""), dc->sub);
+ dcc_release(context, dc);
+ return KRB5_CC_FORMAT;
+ }
+ if (asprintf(&dc->name, ":%s/%s", dc->dir, dc->sub) == -1 ||
+ dc->name == NULL ||
+ asprintf(&filename, "FILE%s", dc->name) == -1 || filename == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
}
ret = krb5_cc_resolve(context, filename, &dc->fcache);
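Review bot: The rejection of `..` path components that the removed dcc_resolve performed up front has no counterpart in dcc_resolve_2, so `dc->dir` now reaches verify_directory (which may create it) and the `FILE:` name without that filter; only `dc->sub` is constrained, by is_filename_cacheish refusing separators. If cache names can come from less-trusted input, keep the component check for the directory part, or say in the comment block why it is no longer needed. Separately, the backslash handling is guarded by `#ifdef WIN32` for `has_pathsep` and the drive-letter test but by `#ifdef _WIN32` where the directory is split, so a build that defines only one of the two would have the detection and the split disagree; one macro should be used throughout. The function's tail is outside this hunk.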
@@ -358,85 +481,36 @@ dcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
return ret;
}
-
+ dc->default_candidate = 1;
(*id)->data.data = dc;
(*id)->data.length = sizeof(*dc);
return 0;
}
-static char *
-copy_default_dcc_cache(krb5_context context)
-{
- const char *defname;
- krb5_error_code ret;
- char *name = NULL;
- size_t len;
-
- len = strlen(krb5_dcc_ops.prefix);
-
- defname = krb5_cc_default_name(context);
- if (defname == NULL ||
- strncmp(defname, krb5_dcc_ops.prefix, len) != 0 ||
- defname[len] != ':')
- {
- ret = dcc_get_default_name(context, &name);
- if (ret)
- return NULL;
-
- return name;
- } else {
- return strdup(&defname[len + 1]);
- }
-}
-
-
static krb5_error_code KRB5_CALLCONV
dcc_gen_new(krb5_context context, krb5_ccache *id)
{
krb5_error_code ret;
+ char *def_dir = NULL;
char *name = NULL;
- krb5_dcache *dc;
- int fd;
- size_t len;
-
- name = copy_default_dcc_cache(context);
- if (name == NULL) {
- krb5_set_error_message(context, KRB5_CC_FORMAT,
- N_("Can't generate DIR caches unless its the default type", ""));
- return KRB5_CC_FORMAT;
- }
+ int fd = -1;
- len = strlen(krb5_dcc_ops.prefix);
- if (strncmp(name, krb5_dcc_ops.prefix, len) == 0 && name[len] == ':')
- ++len;
- else
- len = 0;
+ ret = get_default_dir(context, &def_dir);
+ if (ret == 0)
+ ret = verify_directory(context, def_dir);
+ if (ret == 0 &&
+ (asprintf(&name, "DIR::%s/tktXXXXXX", def_dir) == -1 || name == NULL))
+ ret = krb5_enomem(context);
+ if (ret == 0 && (fd = mkstemp(name + sizeof("DIR::") - 1)) == -1)
+ ret = errno;
+ if (ret == 0)
+ ret = dcc_resolve_2(context, id, name + sizeof("DIR:") - 1, NULL);
- ret = dcc_resolve(context, id, name + len);
+ free(def_dir);
free(name);
- name = NULL;
- if (ret)
- return ret;
-
- dc = DCACHE((*id));
-
- asprintf(&name, ":%s/tktXXXXXX", dc->dir);
- if (name == NULL) {
- dcc_close(context, *id);
- return krb5_enomem(context);
- }
-
- fd = mkstemp(&name[1]);
- if (fd < 0) {
- dcc_close(context, *id);
- return krb5_enomem(context);
- }
- close(fd);
-
- free(dc->name);
- dc->name = name;
-
- return 0;
+ if (fd != -1)
+ close(fd);
+ return ret;
}
static krb5_error_code KRB5_CALLCONV
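Review bot: In dcc_gen_new the file created by `mkstemp()` stays in the collection directory when the following `dcc_resolve_2()` call fails, because the cleanup only closes `fd` and frees `name`. dcc_get_cache_next offers every regular `tkt*` file to krb5_cc_resolve, so such a stray empty file would then take part in listing. Suggested, before `free(name)`: `if (ret && fd != -1) unlink(name + sizeof("DIR::") - 1);`. The offsets `sizeof("DIR::") - 1` and `sizeof("DIR:") - 1` differ by one on purpose (the second keeps the leading `:`), which deserves a one-line comment.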
@@ -452,6 +526,25 @@ static krb5_error_code KRB5_CALLCONV
dcc_close(krb5_context context,
krb5_ccache id)
{
+ krb5_dcache *dc = DCACHE(id);
+ krb5_principal p = NULL;
+ struct stat st;
+ char *primary = NULL;
+
+ /*
+ * If there's no default cache, but we're closing one, and the one we're
+ * closing has been initialized, then make it the default. This makes the
+ * first cache created the default.
+ *
+ * FIXME We should check if `D2FCACHE(dc)' has live credentials.
+ */
+ if (dc->default_candidate && D2FCACHE(dc) &&
+ krb5_cc_get_principal(context, D2FCACHE(dc), &p) == 0 &&
+ (primary = primary_create(dc)) &&
+ (stat(primary, &st) == -1 || !S_ISREG(st.st_mode) || st.st_size == 0))
+ dcc_set_default(context, id);
+ krb5_free_principal(context, p);
+ free(primary);
dcc_release(context, DCACHE(id));
return 0;
}
@@ -540,39 +633,61 @@ dcc_get_version(krb5_context context,
}
struct dcache_iter {
- int first;
+ char *primary;
krb5_dcache *dc;
+ DIR *d;
+ unsigned int first:1;
};
static krb5_error_code KRB5_CALLCONV
dcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
{
- struct dcache_iter *iter;
- krb5_error_code ret;
- char *name;
+ struct dcache_iter *iter = NULL;
+ const char *name = krb5_cc_default_name(context);
+ size_t len;
+ char *p;
*cursor = NULL;
- iter = calloc(1, sizeof(*iter));
- if (iter == NULL)
- return krb5_enomem(context);
- iter->first = 1;
- name = copy_default_dcc_cache(context);
- if (name == NULL) {
- free(iter);
+ if (strncmp(name, "DIR:", sizeof("DIR:") - 1) != 0) {
krb5_set_error_message(context, KRB5_CC_FORMAT,
- N_("Can't generate DIR caches unless its the default type", ""));
+ N_("Can't list DIR caches unless its the default type", ""));
return KRB5_CC_FORMAT;
}
- ret = dcc_resolve(context, NULL, name);
- free(name);
- if (ret) {
+ if ((iter = calloc(1, sizeof(*iter))) == NULL ||
+ (iter->dc = calloc(1, sizeof(iter->dc[0]))) == NULL ||
+ (iter->dc->dir = strdup(name + sizeof("DIR:") - 1)) == NULL) {
+ if (iter)
+ free(iter->dc);
free(iter);
- return ret;
+ return krb5_enomem(context);
+ }
+ iter->first = 1;
+ p = strrchr(iter->dc->dir, ':');
+#ifdef WIN32
+ if (p == iter->dc->dir + 1)
+ p = NULL;
+#endif
+ if (p)
+ *p = '\0';
+
+ /* Strip off extra slashes on the end */
+ for (len = strlen(iter->dc->dir);
+ len && ISPATHSEP(iter->dc->dir[len - 1]);
+ len--) {
+ iter->dc->dir[len - 1] = '\0';
}
- /* XXX We need to opendir() here */
+ if ((iter->d = opendir(iter->dc->dir)) == NULL) {
+ krb5_set_error_message(context, KRB5_CC_FORMAT,
+ N_("Can't open DIR %s: %s", ""),
+ iter->dc->dir, strerror(errno));
+ free(iter->dc->dir);
+ free(iter->dc);
+ free(iter);
+ return KRB5_CC_FORMAT;
+ }
*cursor = iter;
return 0;
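Review bot: `krb5_cc_default_name(context)` is passed straight to `strncmp()` in dcc_get_cache_first, whereas the removed copy_default_dcc_cache checked the same call for NULL first; a NULL default name would now be dereferenced. Suggested: `if (name == NULL || strncmp(name, "DIR:", sizeof("DIR:") - 1) != 0) {`. Also, cutting at the last `:` turns a default of the `DIR::path/tktNAME` form into an empty directory string, so `opendir()` fails and the caller gets KRB5_CC_FORMAT; if that form is a valid default, the leading `:` needs its own case.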
@@ -582,18 +697,49 @@ static krb5_error_code KRB5_CALLCONV
dcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
{
struct dcache_iter *iter = cursor;
+ krb5_error_code ret;
+ struct stat st;
+ struct dirent *dentry;
+ char *p = NULL;
+ *id = NULL;
if (iter == NULL)
return krb5_einval(context, 2);
- if (!iter->first) {
- krb5_clear_error_message(context);
- return KRB5_CC_END;
+ /* Emit primary subsidiary first */
+ if (iter->first &&
+ get_default_cache(context, iter->dc, NULL, &iter->primary) == 0 &&
+ iter->primary && is_filename_cacheish(iter->primary)) {
+ iter->first = 0;
+ ret = KRB5_CC_END;
+ if (asprintf(&p, "FILE:%s/%s", iter->dc->dir, iter->primary) > -1 && p != NULL &&
+ stat(p + sizeof("FILE:") - 1, &st) == 0 && S_ISREG(st.st_mode))
+ ret = krb5_cc_resolve(context, p, id);
+ if (p == NULL)
+ return krb5_enomem(context);
+ free(p);
+ if (ret == 0)
+ return ret;
+ p = NULL;
}
- /* XXX We need to readdir() here */
iter->first = 0;
-
+ for (dentry = readdir(iter->d); dentry; dentry = readdir(iter->d)) {
+ if (!is_filename_cacheish(dentry->d_name) ||
+ (iter->primary && strcmp(dentry->d_name, iter->primary) == 0))
+ continue;
+ p = NULL;
+ ret = KRB5_CC_END;
+ if (asprintf(&p, "FILE:%s/%s", iter->dc->dir, dentry->d_name) > -1 &&
+ p != NULL &&
+ stat(p + sizeof("FILE:") - 1, &st) == 0 && S_ISREG(st.st_mode))
+ ret = krb5_cc_resolve(context, p, id);
+ free(p);
+ if (p == NULL)
+ return krb5_enomem(context);
+ if (ret == 0)
+ return ret;
+ }
return KRB5_CC_END;
}
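Review bot: In the readdir loop of dcc_get_cache_next `p` is compared with NULL after `free(p)`; a pointer's value is indeterminate once it has been freed, and the first block of this function already tests before freeing. Suggested order: `if (p == NULL) return krb5_enomem(context);` followed by `free(p);`. Both places also use `stat()`, which follows symbolic links, so a `tkt*` symlink to a regular file elsewhere passes the `S_ISREG` test; `lstat()`, where available, would keep enumeration to files that actually live in the directory, unless the FILE cache code is relied on for that check.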
@@ -605,9 +751,10 @@ dcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
if (iter == NULL)
return krb5_einval(context, 2);
- /* XXX We need to closedir() here */
- if (iter->dc)
- dcc_release(context, iter->dc);
+ (void) closedir(iter->d);
+ free(iter->dc->dir);
+ free(iter->dc);
+ free(iter->primary);
free(iter);
return 0;
}
@@ -617,28 +764,34 @@ dcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_dcache *dcfrom = DCACHE(from);
krb5_dcache *dcto = DCACHE(to);
+
+ dcfrom->default_candidate = 0;
+ dcto->default_candidate = 1;
return krb5_cc_move(context, D2FCACHE(dcfrom), D2FCACHE(dcto));
}
static krb5_error_code KRB5_CALLCONV
dcc_get_default_name(krb5_context context, char **str)
{
- return _krb5_expand_default_cc_name(context,
- KRB5_DEFAULT_CCNAME_DIR,
- str);
+ const char *def_cc_colname =
+ krb5_config_get_string_default(context, NULL, KRB5_DEFAULT_CCNAME_DIR,
+ "libdefaults", "default_cc_collection",
+ NULL);
+
+ /* [libdefaults] default_cc_collection is for testing */
+ if (strncmp(def_cc_colname, "DIR:", sizeof("DIR:") - 1) != 0)
+ def_cc_colname = KRB5_DEFAULT_CCNAME_DIR;
+ return _krb5_expand_default_cc_name(context, def_cc_colname, str);
}
static krb5_error_code KRB5_CALLCONV
dcc_set_default(krb5_context context, krb5_ccache id)
{
krb5_dcache *dc = DCACHE(id);
- const char *name;
- name = krb5_cc_get_name(context, D2FCACHE(dc));
- if (name == NULL)
+ if (dc->sub == NULL)
return ENOENT;
-
- return set_default_cache(context, dc, name);
+ return set_default_cache(context, dc, dc->sub);
}
static krb5_error_code KRB5_CALLCONV
@@ -670,10 +823,10 @@ dcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_dcc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"DIR",
- dcc_get_name,
- dcc_resolve,
+ NULL,
+ NULL,
dcc_gen_new,
dcc_initialize,
dcc_destroy,
@@ -695,5 +848,7 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_dcc_ops = {
dcc_set_default,
dcc_lastchange,
dcc_set_kdc_offset,
- dcc_get_kdc_offset
+ dcc_get_kdc_offset,
+ dcc_get_name_2,
+ dcc_resolve_2
};
diff --git a/lib/krb5/deprecated.c b/lib/krb5/deprecated.c
index 0871aaf71db3..172f089175cc 100644
--- a/lib/krb5/deprecated.c
+++ b/lib/krb5/deprecated.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2009 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2009 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -57,7 +57,7 @@
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_data_contents(krb5_context context, krb5_data *data)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_data_free instead")
{
krb5_data_free(data);
}
@@ -120,7 +120,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keytype_to_string(krb5_context context,
krb5_keytype keytype,
char **string)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_enctype_to_string instead")
{
const char *name = NULL;
int i;
@@ -154,7 +154,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_keytype(krb5_context context,
const char *string,
krb5_keytype *keytype)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_string_to_enctype instead")
{
char *end;
int i;
@@ -386,7 +386,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_gen_new(krb5_context context,
const krb5_cc_ops *ops,
krb5_ccache *id)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_cc_new_unique instead")
{
return krb5_cc_new_unique(context, ops->prefix, NULL, id);
}
@@ -400,7 +400,7 @@ krb5_cc_gen_new(krb5_context context,
KRB5_LIB_FUNCTION krb5_realm * KRB5_LIB_CALL
krb5_princ_realm(krb5_context context,
krb5_principal principal)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_principal_get_realm instead")
{
return &principal->realm;
}
@@ -416,7 +416,7 @@ KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_princ_set_realm(krb5_context context,
krb5_principal principal,
krb5_realm *realm)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_principal_set_realm instead")
{
principal->realm = *realm;
}
@@ -430,7 +430,7 @@ krb5_princ_set_realm(krb5_context context,
/* keep this for compatibility with older code */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_creds_contents (krb5_context context, krb5_creds *c)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_free_cred_contents instead")
{
return krb5_free_cred_contents (context, c);
}
@@ -448,7 +448,7 @@ krb5_free_creds_contents (krb5_context context, krb5_creds *c)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error_string(krb5_context context, char *str)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_free_error_message instead")
{
krb5_free_error_message(context, str);
}
@@ -456,7 +456,7 @@ krb5_free_error_string(krb5_context context, char *str)
/**
* Set the error message returned by krb5_get_error_string().
*
- * Deprecated: use krb5_get_error_message()
+ * Deprecated: use krb5_set_error_message()
*
* @param context Kerberos context
* @param fmt error message to free
@@ -469,7 +469,7 @@ krb5_free_error_string(krb5_context context, char *str)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_error_string(krb5_context context, const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 2, 3)))
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_set_error_message instead")
{
va_list ap;
@@ -480,8 +480,7 @@ krb5_set_error_string(krb5_context context, const char *fmt, ...)
}
/**
- * Set the error message returned by krb5_get_error_string(),
- * deprecated, use krb5_set_error_message().
+ * Set the error message returned by krb5_get_error_string().
*
* Deprecated: use krb5_vset_error_message()
*
@@ -497,7 +496,7 @@ krb5_set_error_string(krb5_context context, const char *fmt, ...)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
__attribute__ ((__format__ (__printf__, 2, 0)))
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_vset_error_message instead")
{
krb5_vset_error_message(context, 0, fmt, args);
return 0;
@@ -515,7 +514,7 @@ krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_clear_error_string(krb5_context context)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_clear_error_message instead")
{
krb5_clear_error_message(context);
}
@@ -533,11 +532,11 @@ krb5_get_cred_from_kdc_opt(krb5_context context,
krb5_creds **out_creds,
krb5_creds ***ret_tgts,
krb5_flags flags)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_get_credentials_with_flags instead")
{
krb5_kdc_flags f;
f.i = flags;
- return _krb5_get_cred_kdc_any(context, f, ccache,
+ return _krb5_get_cred_kdc_any(context, f, ccache, NULL,
in_creds, NULL, NULL,
out_creds, ret_tgts);
}
@@ -554,7 +553,7 @@ krb5_get_cred_from_kdc(krb5_context context,
krb5_creds *in_creds,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_get_credentials_with_flags instead")
{
return krb5_get_cred_from_kdc_opt(context, ccache,
in_creds, out_creds, ret_tgts, 0);
@@ -568,7 +567,7 @@ krb5_get_cred_from_kdc(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_unparsed_name(krb5_context context, char *str)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_xfree instead")
{
krb5_xfree(str);
}
@@ -583,7 +582,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_subkey(krb5_context context,
const krb5_keyblock *key,
krb5_keyblock **subkey)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_generate_subkey_extended instead")
{
return krb5_generate_subkey_extended(context, key, ETYPE_NULL, subkey);
}
@@ -598,7 +597,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_getremoteseqnumber(krb5_context context,
krb5_auth_context auth_context,
int32_t *seqnumber)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_auth_con_getremoteseqnumber instead")
{
*seqnumber = auth_context->remote_seqnumber;
return 0;
@@ -616,28 +615,18 @@ krb5_auth_getremoteseqnumber(krb5_context context,
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_get_error_string(krb5_context context)
KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead")
{
- char *ret = NULL;
-
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_string)
- ret = strdup(context->error_string);
- HEIMDAL_MUTEX_unlock(&context->mutex);
- return ret;
+ return heim_get_error_string(context->hcontext);
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_have_error_string(krb5_context context)
KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead")
{
- char *str;
- HEIMDAL_MUTEX_lock(&context->mutex);
- str = context->error_string;
- HEIMDAL_MUTEX_unlock(&context->mutex);
- return str != NULL;
+ return heim_have_error_string(context->hcontext);
}
struct send_to_kdc {
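Review bot: krb5_get_error_string used to return a `strdup()` copy that the caller owned and now returns whatever `heim_get_error_string()` yields, as `const char *`; the doc comment above it (outside this hunk) should state who owns the result and whether krb5_free_error_string is still the right release call. If the new return value is a pointer into the context rather than a copy, existing callers that free it would corrupt the heap, and the mutex that used to protect the read is no longer taken in this function. The return-type change also breaks callers that assign the result to `char *`, which is worth a line in the release notes.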
diff --git a/lib/krb5/doxygen.c b/lib/krb5/doxygen.c
index d3ee52fe9bcc..e9266c919400 100644
--- a/lib/krb5/doxygen.c
+++ b/lib/krb5/doxygen.c
@@ -572,7 +572,7 @@
* Fields and their types are:
*
* @code
- * Quoted princial (quote character is \) [string]
+ * Quoted principal (quote character is \) [string]
* Keys [keys]
* Created by [event]
* Modified by [event optional]
diff --git a/lib/krb5/enomem.c b/lib/krb5/enomem.c
index 7f0aaeb35f83..b4444e5a2cdc 100644
--- a/lib/krb5/enomem.c
+++ b/lib/krb5/enomem.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#undef krb5_enomem
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enomem(krb5_context context)
{
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
diff --git a/lib/krb5/error_string.c b/lib/krb5/error_string.c
index fa181733d1e9..da86b375f83c 100644
--- a/lib/krb5/error_string.c
+++ b/lib/krb5/error_string.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2001, 2003, 2005 - 2020 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -47,12 +47,7 @@
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_clear_error_message(krb5_context context)
{
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_string)
- free(context->error_string);
- context->error_code = 0;
- context->error_string = NULL;
- HEIMDAL_MUTEX_unlock(&context->mutex);
+ heim_clear_error_message(context->hcontext);
}
/**
@@ -96,27 +91,21 @@ krb5_set_error_message(krb5_context context, krb5_error_code ret,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_vset_error_message (krb5_context context, krb5_error_code ret,
- const char *fmt, va_list args)
+krb5_vset_error_message(krb5_context context, krb5_error_code ret,
+ const char *fmt, va_list args)
__attribute__ ((__format__ (__printf__, 3, 0)))
{
- int r;
+ const char *msg;
if (context == NULL)
return;
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_string) {
- free(context->error_string);
- context->error_string = NULL;
+ heim_vset_error_message(context->hcontext, ret, fmt, args);
+ msg = heim_get_error_message(context->hcontext, ret);
+ if (msg) {
+ _krb5_debug(context, 100, "error message: %s: %d", msg, ret);
+ heim_free_error_message(context->hcontext, msg);
}
- context->error_code = ret;
- r = vasprintf(&context->error_string, fmt, args);
- if (r < 0)
- context->error_string = NULL;
- HEIMDAL_MUTEX_unlock(&context->mutex);
- if (context->error_string)
- _krb5_debug(context, 100, "error message: %s: %d", context->error_string, ret);
}
/**
@@ -163,33 +152,8 @@ krb5_vprepend_error_message(krb5_context context, krb5_error_code ret,
const char *fmt, va_list args)
__attribute__ ((__format__ (__printf__, 3, 0)))
{
- char *str = NULL, *str2 = NULL;
-
- if (context == NULL)
- return;
-
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_code != ret) {
- HEIMDAL_MUTEX_unlock(&context->mutex);
- return;
- }
- if (vasprintf(&str, fmt, args) < 0 || str == NULL) {
- HEIMDAL_MUTEX_unlock(&context->mutex);
- return;
- }
- if (context->error_string) {
- int e;
-
- e = asprintf(&str2, "%s: %s", str, context->error_string);
- free(context->error_string);
- if (e < 0 || str2 == NULL)
- context->error_string = NULL;
- else
- context->error_string = str2;
- free(str);
- } else
- context->error_string = str;
- HEIMDAL_MUTEX_unlock(&context->mutex);
+ if (context)
+ heim_vprepend_error_message(context->hcontext, ret, fmt, args);
}
/**
@@ -208,10 +172,7 @@ krb5_vprepend_error_message(krb5_context context, krb5_error_code ret,
KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_get_error_message(krb5_context context, krb5_error_code code)
{
- char *str = NULL;
const char *cstr = NULL;
- char buf[128];
- int free_context = 0;
if (code == 0)
return strdup("Success");
@@ -224,42 +185,15 @@ krb5_get_error_message(krb5_context context, krb5_error_code code)
* might be provided is if the krb5_init_context() call itself
* failed.
*/
- if (context)
- {
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_string &&
- (code == context->error_code || context->error_code == 0))
- {
- str = strdup(context->error_string);
- }
- HEIMDAL_MUTEX_unlock(&context->mutex);
-
- if (str)
- return str;
- }
- else
- {
- if (krb5_init_context(&context) == 0)
- free_context = 1;
- }
-
- if (context)
- cstr = com_right_r(context->et_list, code, buf, sizeof(buf));
-
- if (free_context)
+ if (context == NULL && krb5_init_context(&context) == 0) {
+ cstr = heim_get_error_message(context->hcontext, code);
krb5_free_context(context);
-
- if (cstr)
- return strdup(cstr);
-
- cstr = error_message(code);
- if (cstr)
- return strdup(cstr);
-
- if (asprintf(&str, "<unknown error: %d>", (int)code) == -1 || str == NULL)
- return NULL;
-
- return str;
+ } else if (context) {
+ cstr = heim_get_error_message(context->hcontext, code);
+ } else {
+ cstr = heim_get_error_message(NULL, code);
+ }
+ return cstr;
}
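Review bot: The first branch fetches the message through a temporary context and frees that context before `return cstr;`, so the result is only valid if heim_get_error_message() returns a heap copy that does not depend on the hcontext. The set-message path earlier in this file releases such a string with heim_free_error_message(), which suggests it does, but the implementation is not visible here. The caller will later release the string through krb5_free_error_message(NULL, msg), that is with a NULL hcontext rather than the one that produced it, and the `code == 0` path still returns a libc `strdup("Success")` into the same release function. I would state the contract above the branches, e.g. `/* heim_get_error_message() returns a caller-owned copy; it outlives the temporary context and is released with krb5_free_error_message() */`. The function body starts in the previous hunk.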
@@ -276,7 +210,7 @@ krb5_get_error_message(krb5_context context, krb5_error_code code)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error_message(krb5_context context, const char *msg)
{
- free(rk_UNCONST(msg));
+ heim_free_error_message(context ? context->hcontext : NULL, msg);
}
@@ -298,13 +232,5 @@ KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_get_err_text(krb5_context context, krb5_error_code code)
KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead")
{
- const char *p = NULL;
- if(context != NULL)
- p = com_right(context->et_list, code);
- if(p == NULL)
- p = strerror(code);
- if (p == NULL)
- p = "Unknown error";
- return p;
+ return krb5_get_error_message(context, code);
}
-
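Review bot: krb5_get_err_text() used to return a pointer the caller did not own (the result of com_right() or strerror(), or the literal "Unknown error"), so existing callers of this deprecated entry point never free it. Forwarding to `krb5_get_error_message(context, code)` now hands them an allocated string (its `code == 0` path returns `strdup("Success")`), which leaks on every legacy call. If that is the accepted cost of retiring the function, the doc comment above it (outside this hunk) should say so, for example `@note The returned string is allocated; release it with krb5_free_error_message().`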
diff --git a/lib/krb5/expand_path.c b/lib/krb5/expand_path.c
index 43b8dfeb3a91..a0402350d0f3 100644
--- a/lib/krb5/expand_path.c
+++ b/lib/krb5/expand_path.c
@@ -34,381 +34,6 @@
#include <stdarg.h>
-typedef int PTYPE;
-
-#ifdef _WIN32
-#include <shlobj.h>
-#include <sddl.h>
-
-/*
- * Expand a %{TEMP} token
- *
- * The %{TEMP} token expands to the temporary path for the current
- * user as returned by GetTempPath().
- *
- * @note: Since the GetTempPath() function relies on the TMP or TEMP
- * environment variables, this function will failover to the system
- * temporary directory until the user profile is loaded. In addition,
- * the returned path may or may not exist.
- */
-static krb5_error_code
-_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- TCHAR tpath[MAX_PATH];
- size_t len;
-
- if (!GetTempPath(sizeof(tpath)/sizeof(tpath[0]), tpath)) {
- if (context)
- krb5_set_error_message(context, EINVAL,
- "Failed to get temporary path (GLE=%d)",
- GetLastError());
- return EINVAL;
- }
-
- len = strlen(tpath);
-
- if (len > 0 && tpath[len - 1] == '\\')
- tpath[len - 1] = '\0';
-
- *ret = strdup(tpath);
-
- if (*ret == NULL)
- return krb5_enomem(context);
-
- return 0;
-}
-
-extern HINSTANCE _krb5_hInstance;
-
-/*
- * Expand a %{BINDIR} token
- *
- * This is also used to expand a few other tokens on Windows, since
- * most of the executable binaries end up in the same directory. The
- * "bin" directory is considered to be the directory in which the
- * krb5.dll is located.
- */
-static krb5_error_code
-_expand_bin_dir(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- TCHAR path[MAX_PATH];
- TCHAR *lastSlash;
- DWORD nc;
-
- nc = GetModuleFileName(_krb5_hInstance, path, sizeof(path)/sizeof(path[0]));
- if (nc == 0 ||
- nc == sizeof(path)/sizeof(path[0])) {
- return EINVAL;
- }
-
- lastSlash = strrchr(path, '\\');
- if (lastSlash != NULL) {
- TCHAR *fslash = strrchr(lastSlash, '/');
-
- if (fslash != NULL)
- lastSlash = fslash;
-
- *lastSlash = '\0';
- }
-
- if (postfix) {
- if (strlcat(path, postfix, sizeof(path)/sizeof(path[0])) >= sizeof(path)/sizeof(path[0]))
- return EINVAL;
- }
-
- *ret = strdup(path);
- if (*ret == NULL)
- return krb5_enomem(context);
-
- return 0;
-}
-
-/*
- * Expand a %{USERID} token
- *
- * The %{USERID} token expands to the string representation of the
- * user's SID. The user account that will be used is the account
- * corresponding to the current thread's security token. This means
- * that:
- *
- * - If the current thread token has the anonymous impersonation
- * level, the call will fail.
- *
- * - If the current thread is impersonating a token at
- * SecurityIdentification level the call will fail.
- *
- */
-static krb5_error_code
-_expand_userid(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- int rv = EINVAL;
- HANDLE hThread = NULL;
- HANDLE hToken = NULL;
- PTOKEN_OWNER pOwner = NULL;
- DWORD len = 0;
- LPTSTR strSid = NULL;
-
- hThread = GetCurrentThread();
-
- if (!OpenThreadToken(hThread, TOKEN_QUERY,
- FALSE, /* Open the thread token as the
- current thread user. */
- &hToken)) {
-
- DWORD le = GetLastError();
-
- if (le == ERROR_NO_TOKEN) {
- HANDLE hProcess = GetCurrentProcess();
-
- le = 0;
- if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
- le = GetLastError();
- }
-
- if (le != 0) {
- if (context)
- krb5_set_error_message(context, rv,
- "Can't open thread token (GLE=%d)", le);
- goto _exit;
- }
- }
-
- if (!GetTokenInformation(hToken, TokenOwner, NULL, 0, &len)) {
- if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
- if (context)
- krb5_set_error_message(context, rv,
- "Unexpected error reading token information (GLE=%d)",
- GetLastError());
- goto _exit;
- }
-
- if (len == 0) {
- if (context)
- krb5_set_error_message(context, rv,
- "GetTokenInformation() returned truncated buffer");
- goto _exit;
- }
-
- pOwner = malloc(len);
- if (pOwner == NULL) {
- if (context)
- krb5_set_error_message(context, rv, "Out of memory");
- goto _exit;
- }
- } else {
- if (context)
- krb5_set_error_message(context, rv, "GetTokenInformation() returned truncated buffer");
- goto _exit;
- }
-
- if (!GetTokenInformation(hToken, TokenOwner, pOwner, len, &len)) {
- if (context)
- krb5_set_error_message(context, rv, "GetTokenInformation() failed. GLE=%d", GetLastError());
- goto _exit;
- }
-
- if (!ConvertSidToStringSid(pOwner->Owner, &strSid)) {
- if (context)
- krb5_set_error_message(context, rv, "Can't convert SID to string. GLE=%d", GetLastError());
- goto _exit;
- }
-
- *ret = strdup(strSid);
- if (*ret == NULL && context)
- krb5_set_error_message(context, rv, "Out of memory");
-
- rv = 0;
-
- _exit:
- if (hToken != NULL)
- CloseHandle(hToken);
-
- if (pOwner != NULL)
- free (pOwner);
-
- if (strSid != NULL)
- LocalFree(strSid);
-
- return rv;
-}
-
-/*
- * Expand a folder identified by a CSIDL
- */
-
-static krb5_error_code
-_expand_csidl(krb5_context context, PTYPE folder, const char *postfix, char **ret)
-{
- TCHAR path[MAX_PATH];
- size_t len;
-
- if (SHGetFolderPath(NULL, folder, NULL, SHGFP_TYPE_CURRENT, path) != S_OK) {
- if (context)
- krb5_set_error_message(context, EINVAL, "Unable to determine folder path");
- return EINVAL;
- }
-
- len = strlen(path);
-
- if (len > 0 && path[len - 1] == '\\')
- path[len - 1] = '\0';
-
- if (postfix &&
- strlcat(path, postfix, sizeof(path)/sizeof(path[0])) >= sizeof(path)/sizeof(path[0]))
- return krb5_enomem(context);
-
- *ret = strdup(path);
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-#else
-
-static krb5_error_code
-_expand_path(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- *ret = strdup(postfix);
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-static krb5_error_code
-_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- const char *p = NULL;
-
- if (!issuid())
- p = getenv("TEMP");
-
- if (p)
- *ret = strdup(p);
- else
- *ret = strdup("/tmp");
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-static krb5_error_code
-_expand_userid(krb5_context context, PTYPE param, const char *postfix, char **str)
-{
- int ret = asprintf(str, "%ld", (unsigned long)getuid());
- if (ret < 0 || *str == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-
-#endif /* _WIN32 */
-
-/**
- * Expand an extra token
- */
-
-static krb5_error_code
-_expand_extra_token(krb5_context context, const char *value, char **ret)
-{
- *ret = strdup(value);
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-/**
- * Expand a %{null} token
- *
- * The expansion of a %{null} token is always the empty string.
- */
-
-static krb5_error_code
-_expand_null(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- *ret = strdup("");
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-
-static const struct {
- const char * tok;
- int ftype;
-#define FTYPE_CSIDL 0
-#define FTYPE_SPECIAL 1
-
- PTYPE param;
- const char * postfix;
-
- int (*exp_func)(krb5_context, PTYPE, const char *, char **);
-
-#define SPECIALP(f, P) FTYPE_SPECIAL, 0, P, f
-#define SPECIAL(f) SPECIALP(f, NULL)
-
-} tokens[] = {
-#ifdef _WIN32
-#define CSIDLP(C,P) FTYPE_CSIDL, C, P, _expand_csidl
-#define CSIDL(C) CSIDLP(C, NULL)
-
- {"APPDATA", CSIDL(CSIDL_APPDATA)}, /* Roaming application data (for current user) */
- {"COMMON_APPDATA", CSIDL(CSIDL_COMMON_APPDATA)}, /* Application data (all users) */
- {"LOCAL_APPDATA", CSIDL(CSIDL_LOCAL_APPDATA)}, /* Local application data (for current user) */
- {"SYSTEM", CSIDL(CSIDL_SYSTEM)}, /* Windows System folder (e.g. %WINDIR%\System32) */
- {"WINDOWS", CSIDL(CSIDL_WINDOWS)}, /* Windows folder */
- {"USERCONFIG", CSIDLP(CSIDL_APPDATA, "\\" PACKAGE)}, /* Per user Heimdal configuration file path */
- {"COMMONCONFIG", CSIDLP(CSIDL_COMMON_APPDATA, "\\" PACKAGE)}, /* Common Heimdal configuration file path */
- {"LIBDIR", SPECIAL(_expand_bin_dir)},
- {"BINDIR", SPECIAL(_expand_bin_dir)},
- {"LIBEXEC", SPECIAL(_expand_bin_dir)},
- {"SBINDIR", SPECIAL(_expand_bin_dir)},
-#else
- {"LIBDIR", FTYPE_SPECIAL, 0, LIBDIR, _expand_path},
- {"BINDIR", FTYPE_SPECIAL, 0, BINDIR, _expand_path},
- {"LIBEXEC", FTYPE_SPECIAL, 0, LIBEXECDIR, _expand_path},
- {"SBINDIR", FTYPE_SPECIAL, 0, SBINDIR, _expand_path},
-#endif
- {"TEMP", SPECIAL(_expand_temp_folder)},
- {"USERID", SPECIAL(_expand_userid)},
- {"uid", SPECIAL(_expand_userid)},
- {"null", SPECIAL(_expand_null)}
-};
-
-static krb5_error_code
-_expand_token(krb5_context context,
- const char *token,
- const char *token_end,
- char **extra_tokens,
- char **ret)
-{
- size_t i;
- char **p;
-
- *ret = NULL;
-
- if (token[0] != '%' || token[1] != '{' || token_end[0] != '}' ||
- token_end - token <= 2) {
- if (context)
- krb5_set_error_message(context, EINVAL,"Invalid token.");
- return EINVAL;
- }
-
- for (p = extra_tokens; p && p[0]; p += 2) {
- if (strncmp(token+2, p[0], (token_end - token) - 2) == 0)
- return _expand_extra_token(context, p[1], ret);
- }
-
- for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
- if (!strncmp(token+2, tokens[i].tok, (token_end - token) - 2))
- return tokens[i].exp_func(context, tokens[i].param,
- tokens[i].postfix, ret);
- }
-
- if (context)
- krb5_set_error_message(context, EINVAL, "Invalid token.");
- return EINVAL;
-}
-
/**
* Internal function to expand tokens in paths.
*
@@ -416,6 +41,9 @@ _expand_token(krb5_context context,
*
* @context A krb5_context
* @path_in The path to expand tokens from
+ * @filepath True if the value is a filesystem path (converts slashes to
+ * backslashes on Windows)
+ * @ppath_out The expanded path
*
* Outputs:
*
@@ -427,17 +55,8 @@ _krb5_expand_path_tokens(krb5_context context,
int filepath,
char **ppath_out)
{
- return _krb5_expand_path_tokensv(context, path_in, filepath, ppath_out, NULL);
-}
-
-static void
-free_extra_tokens(char **extra_tokens)
-{
- char **p;
-
- for (p = extra_tokens; p && *p; p++)
- free(*p);
- free(extra_tokens);
+ return heim_expand_path_tokens(context ? context->hcontext : NULL, path_in,
+ filepath, ppath_out, NULL);
}
/**
@@ -447,6 +66,8 @@ free_extra_tokens(char **extra_tokens)
*
* @context A krb5_context
* @path_in The path to expand tokens from
+ * @filepath True if the value is a filesystem path (converts slashes to
+ * backslashes on Windows)
* @ppath_out The expanded path
* @... Variable number of pairs of strings, the first of each
* being a token (e.g., "luser") and the second a string to
@@ -462,143 +83,12 @@ _krb5_expand_path_tokensv(krb5_context context,
int filepath,
char **ppath_out, ...)
{
- char *tok_begin, *tok_end, *append;
- char **extra_tokens = NULL;
- const char *path_left;
- size_t nargs = 0;
- size_t len = 0;
+ krb5_error_code ret;
va_list ap;
- if (path_in == NULL || *path_in == '\0') {
- *ppath_out = strdup("");
- return 0;
- }
-
- *ppath_out = NULL;
-
va_start(ap, ppath_out);
- while (va_arg(ap, const char *)) {
- nargs++;
- va_arg(ap, const char *);
- }
+ ret = heim_expand_path_tokensv(context->hcontext, path_in, filepath, ppath_out, ap);
va_end(ap);
- nargs *= 2;
-
- /* Get extra tokens */
- if (nargs) {
- size_t i;
-
- extra_tokens = calloc(nargs + 1, sizeof (*extra_tokens));
- if (extra_tokens == NULL)
- return krb5_enomem(context);
- va_start(ap, ppath_out);
- for (i = 0; i < nargs; i++) {
- const char *s = va_arg(ap, const char *); /* token key */
- if (s == NULL)
- break;
- extra_tokens[i] = strdup(s);
- if (extra_tokens[i++] == NULL) {
- va_end(ap);
- free_extra_tokens(extra_tokens);
- return krb5_enomem(context);
- }
- s = va_arg(ap, const char *); /* token value */
- if (s == NULL)
- s = "";
- extra_tokens[i] = strdup(s);
- if (extra_tokens[i] == NULL) {
- va_end(ap);
- free_extra_tokens(extra_tokens);
- return krb5_enomem(context);
- }
- }
- va_end(ap);
- }
-
- for (path_left = path_in; path_left && *path_left; ) {
-
- tok_begin = strstr(path_left, "%{");
-
- if (tok_begin && tok_begin != path_left) {
-
- append = malloc((tok_begin - path_left) + 1);
- if (append) {
- memcpy(append, path_left, tok_begin - path_left);
- append[tok_begin - path_left] = '\0';
- }
- path_left = tok_begin;
-
- } else if (tok_begin) {
-
- tok_end = strchr(tok_begin, '}');
- if (tok_end == NULL) {
- free_extra_tokens(extra_tokens);
- if (*ppath_out)
- free(*ppath_out);
- *ppath_out = NULL;
- if (context)
- krb5_set_error_message(context, EINVAL, "variable missing }");
- return EINVAL;
- }
-
- if (_expand_token(context, tok_begin, tok_end, extra_tokens,
- &append)) {
- free_extra_tokens(extra_tokens);
- if (*ppath_out)
- free(*ppath_out);
- *ppath_out = NULL;
- return EINVAL;
- }
-
- path_left = tok_end + 1;
- } else {
-
- append = strdup(path_left);
- path_left = NULL;
-
- }
-
- if (append == NULL) {
-
- free_extra_tokens(extra_tokens);
- if (*ppath_out)
- free(*ppath_out);
- *ppath_out = NULL;
- return krb5_enomem(context);
-
- }
-
- {
- size_t append_len = strlen(append);
- char * new_str = realloc(*ppath_out, len + append_len + 1);
-
- if (new_str == NULL) {
- free_extra_tokens(extra_tokens);
- free(append);
- if (*ppath_out)
- free(*ppath_out);
- *ppath_out = NULL;
- return krb5_enomem(context);
- }
-
- *ppath_out = new_str;
- memcpy(*ppath_out + len, append, append_len + 1);
- len = len + append_len;
- free(append);
- }
- }
-
-#ifdef _WIN32
- /* Also deal with slashes */
- if (filepath && *ppath_out) {
- char * c;
-
- for (c = *ppath_out; *c; c++)
- if (*c == '/')
- *c = '\\';
- }
-#endif
- free_extra_tokens(extra_tokens);
- return 0;
+ return ret;
}
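Review bot: `context->hcontext` is dereferenced unconditionally in the new heim_expand_path_tokensv() call, while _krb5_expand_path_tokens() just above passes `context ? context->hcontext : NULL` and the removed body guarded its error reporting with `if (context)`. A caller that passes a NULL context would now crash here; the call should read `ret = heim_expand_path_tokensv(context ? context->hcontext : NULL, path_in, filepath, ppath_out, ap);`. Separately, the non-Windows `_expand_temp_folder` removed from this file ignored the `TEMP` environment variable when `issuid()` is true. The replacement implementation is not visible in this diff, so it is worth confirming that it keeps that guard for set-id programs.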
diff --git a/lib/krb5/fast.c b/lib/krb5/fast.c
index c30d5442f73a..338c4facfcca 100644
--- a/lib/krb5/fast.c
+++ b/lib/krb5/fast.c
@@ -32,7 +32,9 @@
*/
#include "krb5_locl.h"
-
+#ifndef WIN32
+#include <heim-ipc.h>
+#endif
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_fast_cf2(krb5_context context,
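Review bot: The new include guard tests `WIN32`, while the Windows-only code removed from expand_path.c in this same commit tests `_WIN32`. `_WIN32` is the macro the compiler predefines, whereas `WIN32` normally comes from the build flags or a Windows header, so if nothing has defined it by this point the `<heim-ipc.h>` include is attempted on Windows. I would write `#ifndef _WIN32` here and in the `#ifndef WIN32` / `#ifdef WIN32` blocks added later in this file, unless `krb5_locl.h` or the build is known to always define `WIN32` (to be confirmed).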
@@ -93,3 +95,872 @@ _krb5_fast_armor_key(krb5_context context,
armorkey,
armor_crypto);
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_fast_explicit_armor_key(krb5_context context,
+ krb5_keyblock *armorkey,
+ krb5_keyblock *subkey,
+ krb5_keyblock *explicit_armorkey,
+ krb5_crypto *explicit_armor_crypto)
+{
+ return _krb5_fast_cf2(context,
+ armorkey,
+ "explicitarmor",
+ subkey,
+ "tgsarmor",
+ explicit_armorkey,
+ explicit_armor_crypto);
+}
+
+static krb5_error_code
+check_fast(krb5_context context, struct krb5_fast_state *state)
+{
+ if (state && (state->flags & KRB5_FAST_EXPECTED)) {
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ "Expected FAST, but no FAST "
+ "was in the response from the KDC");
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+ return 0;
+}
+
+static krb5_error_code
+make_local_fast_ap_fxarmor(krb5_context context,
+ krb5_ccache armor_ccache,
+ krb5_const_realm realm,
+ krb5_data *armor_value,
+ krb5_keyblock *armor_key,
+ krb5_crypto *armor_crypto)
+{
+ krb5_auth_context auth_context = NULL;
+ krb5_creds cred, *credp = NULL;
+ krb5_error_code ret;
+ krb5_data empty;
+ krb5_const_realm tgs_realm;
+
+ if (armor_ccache == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ "Armor credential cache required");
+ return EINVAL;
+ }
+
+ krb5_data_zero(&empty);
+ memset(&cred, 0, sizeof(cred));
+
+ ret = krb5_auth_con_init (context, &auth_context);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_get_principal(context, armor_ccache, &cred.client);
+ if (ret)
+ goto out;
+
+ /*
+ * Make sure we don't ask for a krbtgt/WELLKNOWN:ANONYMOUS
+ */
+ if (krb5_principal_is_anonymous(context, cred.client,
+ KRB5_ANON_MATCH_UNAUTHENTICATED))
+ tgs_realm = realm;
+ else
+ tgs_realm = cred.client->realm;
+
+ ret = krb5_make_principal(context, &cred.server,
+ tgs_realm,
+ KRB5_TGS_NAME,
+ tgs_realm,
+ NULL);
+ if (ret)
+ goto out;
+
+ ret = krb5_get_credentials(context, 0, armor_ccache, &cred, &credp);
+ if (ret)
+ goto out;
+
+ ret = krb5_auth_con_add_AuthorizationData(context, auth_context,
+ KRB5_AUTHDATA_FX_FAST_ARMOR,
+ &empty);
+ if (ret)
+ goto out;
+
+ ret = krb5_mk_req_extended(context,
+ &auth_context,
+ AP_OPTS_USE_SUBKEY,
+ NULL,
+ credp,
+ armor_value);
+ if (ret)
+ goto out;
+
+ ret = _krb5_fast_armor_key(context,
+ auth_context->local_subkey,
+ auth_context->keyblock,
+ armor_key,
+ armor_crypto);
+ if (ret)
+ goto out;
+
+ out:
+ if (auth_context)
+ krb5_auth_con_free(context, auth_context);
+ if (credp)
+ krb5_free_creds(context, credp);
+ krb5_free_principal(context, cred.server);
+ krb5_free_principal(context, cred.client);
+
+ return ret;
+}
+
+#ifndef WIN32
+static heim_base_once_t armor_service_once = HEIM_BASE_ONCE_INIT;
+static heim_ipc armor_service = NULL;
+
+static void
+fast_armor_init_ipc(void *ctx)
+{
+ heim_ipc *ipc = ctx;
+ heim_ipc_init_context("ANY:org.h5l.armor-service", ipc);
+}
+#endif
+
+static krb5_error_code
+make_fast_ap_fxarmor(krb5_context context,
+ struct krb5_fast_state *state,
+ krb5_const_realm realm,
+ KrbFastArmor **armor)
+{
+ KrbFastArmor *fxarmor = NULL;
+ krb5_error_code ret;
+
+ *armor = NULL;
+
+ ALLOC(fxarmor, 1);
+ if (fxarmor == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ if (state->flags & KRB5_FAST_AP_ARMOR_SERVICE) {
+#ifdef WIN32
+ krb5_set_error_message(context, ENOTSUP, "Fast armor IPC service not supportted yet on Windows");
+ ret = ENOTSUP;
+ goto out;
+#else
+ KERB_ARMOR_SERVICE_REPLY msg;
+ krb5_data request, reply;
+
+ heim_base_once_f(&armor_service_once, &armor_service, fast_armor_init_ipc);
+ if (armor_service == NULL) {
+ krb5_set_error_message(context, ENOENT, "Failed to open fast armor service");
+ ret = ENOENT;
+ goto out;
+ }
+
+ krb5_data_zero(&reply);
+
+ request.data = rk_UNCONST(realm);
+ request.length = strlen(realm);
+
+ ret = heim_ipc_call(armor_service, &request, &reply, NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret, "Failed to get armor service credential");
+ goto out;
+ }
+
+ ret = decode_KERB_ARMOR_SERVICE_REPLY(reply.data, reply.length, &msg, NULL);
+ krb5_data_free(&reply);
+ if (ret)
+ goto out;
+
+ ret = copy_KrbFastArmor(fxarmor, &msg.armor);
+ if (ret) {
+ free_KERB_ARMOR_SERVICE_REPLY(&msg);
+ goto out;
+ }
+
+ ret = krb5_copy_keyblock_contents(context, &msg.armor_key, &state->armor_key);
+ free_KERB_ARMOR_SERVICE_REPLY(&msg);
+ if (ret)
+ goto out;
+
+ ret = krb5_crypto_init(context, &state->armor_key, 0, &state->armor_crypto);
+ if (ret)
+ goto out;
+#endif /* WIN32 */
+ } else {
+ fxarmor->armor_type = 1;
+
+ ret = make_local_fast_ap_fxarmor(context,
+ state->armor_ccache,
+ realm,
+ &fxarmor->armor_value,
+ &state->armor_key,
+ &state->armor_crypto);
+ if (ret)
+ goto out;
+ }
+
+
+ *armor = fxarmor;
+ fxarmor = NULL;
+
+ out:
+ if (fxarmor) {
+ free_KrbFastArmor(fxarmor);
+ free(fxarmor);
+ }
+ return ret;
+}
+
+static krb5_error_code
+unwrap_fast_rep(krb5_context context,
+ struct krb5_fast_state *state,
+ PA_DATA *pa,
+ KrbFastResponse *fastrep)
+{
+ PA_FX_FAST_REPLY fxfastrep;
+ krb5_error_code ret;
+
+ memset(&fxfastrep, 0, sizeof(fxfastrep));
+
+ ret = decode_PA_FX_FAST_REPLY(pa->padata_value.data,
+ pa->padata_value.length,
+ &fxfastrep, NULL);
+ if (ret)
+ return ret;
+
+ if (fxfastrep.element == choice_PA_FX_FAST_REPLY_armored_data) {
+ krb5_data data;
+
+ ret = krb5_decrypt_EncryptedData(context,
+ state->armor_crypto,
+ KRB5_KU_FAST_REP,
+ &fxfastrep.u.armored_data.enc_fast_rep,
+ &data);
+ if (ret)
+ goto out;
+
+ ret = decode_KrbFastResponse(data.data, data.length, fastrep, NULL);
+ krb5_data_free(&data);
+ if (ret)
+ goto out;
+
+ } else {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto out;
+ }
+
+ out:
+ free_PA_FX_FAST_REPLY(&fxfastrep);
+
+ return ret;
+}
+
+static krb5_error_code
+set_anon_principal(krb5_context context, PrincipalName **p)
+{
+
+ ALLOC((*p), 1);
+ if (*p == NULL)
+ goto fail;
+
+ (*p)->name_type = KRB5_NT_PRINCIPAL;
+
+ ALLOC_SEQ(&(*p)->name_string, 2);
+ if ((*p)->name_string.val == NULL)
+ goto fail;
+
+ (*p)->name_string.val[0] = strdup(KRB5_WELLKNOWN_NAME);
+ if ((*p)->name_string.val[0] == NULL)
+ goto fail;
+
+ (*p)->name_string.val[1] = strdup(KRB5_ANON_NAME);
+ if ((*p)->name_string.val[1] == NULL)
+ goto fail;
+
+ return 0;
+ fail:
+ if (*p) {
+ if ((*p)->name_string.val) {
+ free((*p)->name_string.val[0]);
+ free((*p)->name_string.val[1]);
+ free((*p)->name_string.val);
+ }
+ free(*p);
+ }
+
+ return krb5_enomem(context);
+}
+
+krb5_error_code
+_krb5_fast_create_armor(krb5_context context,
+ struct krb5_fast_state *state,
+ const char *realm)
+{
+ krb5_error_code ret;
+
+ if (state->armor_crypto == NULL) {
+ if (state->armor_ccache || state->armor_ac || (state->flags & KRB5_FAST_AP_ARMOR_SERVICE)) {
+ /*
+ * Instead of keeping state in FX_COOKIE in the KDC, we
+ * rebuild a new armor key for every request, because this
+ * is what the MIT KDC expect and RFC6113 is vage about
+ * what the behavior should be.
+ */
+ state->type = choice_PA_FX_FAST_REQUEST_armored_data;
+ } else {
+ return check_fast(context, state);
+ }
+ }
+
+ if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
+ if (state->armor_crypto) {
+ krb5_crypto_destroy(context, state->armor_crypto);
+ state->armor_crypto = NULL;
+ }
+ if (state->strengthen_key) {
+ krb5_free_keyblock(context, state->strengthen_key);
+ state->strengthen_key = NULL;
+ }
+ krb5_free_keyblock_contents(context, &state->armor_key);
+
+ /*
+ * If we have a armor auth context, its because the caller
+ * wants us to do an implicit FAST armor (TGS-REQ).
+ */
+ if (state->armor_ac) {
+ heim_assert((state->flags & KRB5_FAST_AS_REQ) == 0, "FAST AS with AC");
+
+ ret = _krb5_fast_armor_key(context,
+ state->armor_ac->local_subkey,
+ state->armor_ac->keyblock,
+ &state->armor_key,
+ &state->armor_crypto);
+ if (ret)
+ goto out;
+ } else {
+ heim_assert((state->flags & KRB5_FAST_AS_REQ) != 0, "FAST TGS without AC");
+
+ if (state->armor_data) {
+ free_KrbFastArmor(state->armor_data);
+ free(state->armor_data);
+ state->armor_data = NULL;
+ }
+ ret = make_fast_ap_fxarmor(context, state, realm,
+ &state->armor_data);
+ if (ret)
+ goto out;
+ }
+ } else {
+ heim_abort("unknown state type: %d", (int)state->type);
+ }
+ out:
+ return ret;
+}
+
+
+krb5_error_code
+_krb5_fast_wrap_req(krb5_context context,
+ struct krb5_fast_state *state,
+ KDC_REQ *req)
+{
+ PA_FX_FAST_REQUEST fxreq;
+ krb5_error_code ret;
+ KrbFastReq fastreq;
+ krb5_data data, aschecksum_data, tgschecksum_data;
+ const krb5_data *checksum_data = NULL;
+ size_t size = 0;
+ krb5_boolean readd_padata_to_outer = FALSE;
+
+ if (state->flags & KRB5_FAST_DISABLED) {
+ _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping");
+ return 0;
+ }
+
+ memset(&fxreq, 0, sizeof(fxreq));
+ memset(&fastreq, 0, sizeof(fastreq));
+ krb5_data_zero(&data);
+ krb5_data_zero(&aschecksum_data);
+ krb5_data_zero(&tgschecksum_data);
+
+ if (state->armor_crypto == NULL)
+ return check_fast(context, state);
+
+ state->flags |= KRB5_FAST_EXPECTED;
+
+ fastreq.fast_options.hide_client_names = 1;
+
+ ret = copy_KDC_REQ_BODY(&req->req_body, &fastreq.req_body);
+ if (ret)
+ goto out;
+
+ /*
+ * In the case of a AS-REQ, remove all account names. Want to this
+ * for TGS-REQ too, but due to layering this is tricky.
+ *
+ * 1. TGS-REQ need checksum of REQ-BODY
+ * 2. FAST needs checksum of TGS-REQ, so, FAST needs to happen after TGS-REQ
+ * 3. FAST privacy mangaling needs to happen before TGS-REQ does the checksum in 1.
+ *
+ * So lets not modify the bits for now for TGS-REQ
+ */
+ if (state->flags & KRB5_FAST_AS_REQ) {
+ free_KDC_REQ_BODY(&req->req_body);
+
+ req->req_body.realm = strdup(KRB5_ANON_REALM);
+ if (req->req_body.realm == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ ret = set_anon_principal(context, &req->req_body.cname);
+ if (ret)
+ goto out;
+
+ ALLOC(req->req_body.till, 1);
+ *req->req_body.till = 0;
+
+ ASN1_MALLOC_ENCODE(KDC_REQ_BODY,
+ aschecksum_data.data,
+ aschecksum_data.length,
+ &req->req_body,
+ &size, ret);
+ if (ret)
+ goto out;
+ heim_assert(aschecksum_data.length == size, "ASN.1 internal error");
+
+ checksum_data = &aschecksum_data;
+
+ if (req->padata) {
+ ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
+ free_METHOD_DATA(req->padata);
+ if (ret)
+ goto out;
+ }
+ } else {
+ const PA_DATA *tgs_req_ptr = NULL;
+ int tgs_req_idx = 0;
+ size_t i;
+
+ heim_assert(req->padata != NULL, "req->padata is NULL");
+
+ tgs_req_ptr = krb5_find_padata(req->padata->val,
+ req->padata->len,
+ KRB5_PADATA_TGS_REQ,
+ &tgs_req_idx);
+ heim_assert(tgs_req_ptr != NULL, "KRB5_PADATA_TGS_REQ not found");
+ heim_assert(tgs_req_idx == 0, "KRB5_PADATA_TGS_REQ not first");
+
+ tgschecksum_data.data = tgs_req_ptr->padata_value.data;
+ tgschecksum_data.length = tgs_req_ptr->padata_value.length;
+ checksum_data = &tgschecksum_data;
+
+ /*
+ * Now copy all remaining once to
+ * the fastreq.padata and clear
+ * them in the outer req first,
+ * and remember to readd them later.
+ */
+ readd_padata_to_outer = TRUE;
+
+ for (i = 1; i < req->padata->len; i++) {
+ PA_DATA *val = &req->padata->val[i];
+
+ ret = krb5_padata_add(context,
+ &fastreq.padata,
+ val->padata_type,
+ val->padata_value.data,
+ val->padata_value.length);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ val->padata_value.data = NULL;
+ val->padata_value.length = 0;
+ }
+
+ /*
+ * Only TGS-REQ remaining
+ */
+ req->padata->len = 1;
+ }
+
+ if (req->padata == NULL) {
+ ALLOC(req->padata, 1);
+ if (req->padata == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ }
+
+ ASN1_MALLOC_ENCODE(KrbFastReq, data.data, data.length, &fastreq, &size, ret);
+ if (ret)
+ goto out;
+ heim_assert(data.length == size, "ASN.1 internal error");
+
+ fxreq.element = state->type;
+
+ if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
+ fxreq.u.armored_data.armor = state->armor_data;
+ state->armor_data = NULL;
+
+ heim_assert(state->armor_crypto != NULL,
+ "FAST armor key missing when FAST started");
+
+ ret = krb5_create_checksum(context, state->armor_crypto,
+ KRB5_KU_FAST_REQ_CHKSUM, 0,
+ checksum_data->data,
+ checksum_data->length,
+ &fxreq.u.armored_data.req_checksum);
+ if (ret)
+ goto out;
+
+ ret = krb5_encrypt_EncryptedData(context, state->armor_crypto,
+ KRB5_KU_FAST_ENC,
+ data.data,
+ data.length,
+ 0,
+ &fxreq.u.armored_data.enc_fast_req);
+ krb5_data_free(&data);
+ if (ret)
+ goto out;
+
+ } else {
+ krb5_data_free(&data);
+ heim_assert(false, "unknown FAST type, internal error");
+ }
+
+ ASN1_MALLOC_ENCODE(PA_FX_FAST_REQUEST, data.data, data.length, &fxreq, &size, ret);
+ if (ret)
+ goto out;
+ heim_assert(data.length == size, "ASN.1 internal error");
+
+
+ ret = krb5_padata_add(context, req->padata, KRB5_PADATA_FX_FAST, data.data, data.length);
+ if (ret)
+ goto out;
+ krb5_data_zero(&data);
+
+ if (readd_padata_to_outer) {
+ size_t i;
+
+ for (i = 0; i < fastreq.padata.len; i++) {
+ PA_DATA *val = &fastreq.padata.val[i];
+
+ ret = krb5_padata_add(context,
+ req->padata,
+ val->padata_type,
+ val->padata_value.data,
+ val->padata_value.length);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ val->padata_value.data = NULL;
+ val->padata_value.length = 0;
+ }
+ }
+
+ out:
+ free_KrbFastReq(&fastreq);
+ free_PA_FX_FAST_REQUEST(&fxreq);
+ krb5_data_free(&data);
+ krb5_data_free(&aschecksum_data);
+
+ return ret;
+}
+
+krb5_error_code
+_krb5_fast_unwrap_error(krb5_context context,
+ int32_t nonce,
+ struct krb5_fast_state *state,
+ METHOD_DATA *md,
+ KRB_ERROR *error)
+{
+ KrbFastResponse fastrep;
+ krb5_error_code ret;
+ PA_DATA *pa;
+ int idx;
+
+ if (state->armor_crypto == NULL)
+ return check_fast(context, state);
+
+ memset(&fastrep, 0, sizeof(fastrep));
+
+ if (error->error_code != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
+ _krb5_debug(context, 10, "using FAST without FAST outer error code");
+
+ idx = 0;
+ pa = krb5_find_padata(md->val, md->len, KRB5_PADATA_FX_FAST, &idx);
+ if (pa == NULL) {
+ ret = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, ret,
+ N_("FAST fast response is missing FX-FAST", ""));
+ goto out;
+ }
+
+ ret = unwrap_fast_rep(context, state, pa, &fastrep);
+ if (ret)
+ goto out;
+
+ if (fastrep.strengthen_key || nonce != (int32_t)fastrep.nonce) {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto out;
+ }
+
+ idx = 0;
+ pa = krb5_find_padata(fastrep.padata.val, fastrep.padata.len, KRB5_PADATA_FX_ERROR, &idx);
+ if (pa == NULL) {
+ ret = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, ret, N_("No wrapped error", ""));
+ goto out;
+ }
+
+ free_KRB_ERROR(error);
+
+ ret = krb5_rd_error(context, &pa->padata_value, error);
+ if (ret)
+ goto out;
+
+ if (error->e_data)
+ _krb5_debug(context, 10, "FAST wrapped KBB_ERROR contained e_data: %d",
+ (int)error->e_data->length);
+
+ free_METHOD_DATA(md);
+ md->val = fastrep.padata.val;
+ md->len = fastrep.padata.len;
+
+ fastrep.padata.val = NULL;
+ fastrep.padata.len = 0;
+
+ out:
+ free_KrbFastResponse(&fastrep);
+ return ret;
+}
+
+krb5_error_code
+_krb5_fast_unwrap_kdc_rep(krb5_context context, int32_t nonce,
+ krb5_data *chksumdata,
+ struct krb5_fast_state *state, AS_REP *rep)
+{
+ KrbFastResponse fastrep;
+ krb5_error_code ret;
+ PA_DATA *pa = NULL;
+ int idx = 0;
+
+ if (state == NULL || state->armor_crypto == NULL || rep->padata == NULL)
+ return check_fast(context, state);
+
+ /* find PA_FX_FAST_REPLY */
+
+ pa = krb5_find_padata(rep->padata->val, rep->padata->len,
+ KRB5_PADATA_FX_FAST, &idx);
+ if (pa == NULL)
+ return check_fast(context, state);
+
+ memset(&fastrep, 0, sizeof(fastrep));
+
+ ret = unwrap_fast_rep(context, state, pa, &fastrep);
+ if (ret)
+ goto out;
+
+ free_METHOD_DATA(rep->padata);
+ ret = copy_METHOD_DATA(&fastrep.padata, rep->padata);
+ if (ret)
+ goto out;
+
+ if (fastrep.strengthen_key) {
+ if (state->strengthen_key)
+ krb5_free_keyblock(context, state->strengthen_key);
+
+ ret = krb5_copy_keyblock(context, fastrep.strengthen_key, &state->strengthen_key);
+ if (ret)
+ goto out;
+ }
+
+ if (nonce != (int32_t)fastrep.nonce) {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto out;
+ }
+ if (fastrep.finished) {
+ PrincipalName cname;
+ krb5_realm crealm = NULL;
+
+ if (chksumdata == NULL) {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto out;
+ }
+
+ ret = krb5_verify_checksum(context, state->armor_crypto,
+ KRB5_KU_FAST_FINISHED,
+ chksumdata->data, chksumdata->length,
+ &fastrep.finished->ticket_checksum);
+ if (ret)
+ goto out;
+
+ /* update */
+ ret = copy_Realm(&fastrep.finished->crealm, &crealm);
+ if (ret)
+ goto out;
+ free_Realm(&rep->crealm);
+ rep->crealm = crealm;
+
+ ret = copy_PrincipalName(&fastrep.finished->cname, &cname);
+ if (ret)
+ goto out;
+ free_PrincipalName(&rep->cname);
+ rep->cname = cname;
+ } else if (chksumdata) {
+ /* expected fastrep.finish but didn't get it */
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+
+ out:
+ free_KrbFastResponse(&fastrep);
+ return ret;
+}
+
+void
+_krb5_fast_free(krb5_context context, struct krb5_fast_state *state)
+{
+ if (state->armor_ccache) {
+ if (state->flags & KRB5_FAST_ANON_PKINIT_ARMOR)
+ krb5_cc_destroy(context, state->armor_ccache);
+ else
+ krb5_cc_close(context, state->armor_ccache);
+ }
+ if (state->armor_service)
+ krb5_free_principal(context, state->armor_service);
+ if (state->armor_crypto)
+ krb5_crypto_destroy(context, state->armor_crypto);
+ if (state->strengthen_key)
+ krb5_free_keyblock(context, state->strengthen_key);
+ krb5_free_keyblock_contents(context, &state->armor_key);
+ if (state->armor_data) {
+ free_KrbFastArmor(state->armor_data);
+ free(state->armor_data);
+ }
+
+ if (state->anon_pkinit_ctx)
+ krb5_init_creds_free(context, state->anon_pkinit_ctx);
+ if (state->anon_pkinit_opt)
+ krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt);
+
+ memset(state, 0, sizeof(*state));
+}
+
+krb5_error_code
+_krb5_fast_anon_pkinit_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ struct krb5_fast_state *state,
+ const krb5_data *in,
+ krb5_data *out,
+ krb5_realm *out_realm,
+ unsigned int *flags)
+{
+ krb5_error_code ret;
+ krb5_const_realm realm = _krb5_init_creds_get_cred_client(context, ctx)->realm;
+ krb5_init_creds_context anon_pk_ctx;
+ krb5_principal principal = NULL, anon_pk_client;
+ krb5_ccache ccache = NULL;
+ krb5_creds cred;
+ krb5_data data = { 3, rk_UNCONST("yes") };
+
+ krb5_data_zero(out);
+ *out_realm = NULL;
+
+ memset(&cred, 0, sizeof(cred));
+
+ if (state->anon_pkinit_opt == NULL) {
+ ret = krb5_get_init_creds_opt_alloc(context, &state->anon_pkinit_opt);
+ if (ret)
+ goto out;
+
+ krb5_get_init_creds_opt_set_tkt_life(state->anon_pkinit_opt, 60);
+ krb5_get_init_creds_opt_set_anonymous(state->anon_pkinit_opt, TRUE);
+
+ ret = krb5_make_principal(context, &principal, realm,
+ KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL);
+ if (ret)
+ goto out;
+
+ ret = krb5_get_init_creds_opt_set_pkinit(context,
+ state->anon_pkinit_opt,
+ principal,
+ NULL, NULL, NULL, NULL,
+ KRB5_GIC_OPT_PKINIT_ANONYMOUS |
+ KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR,
+ NULL, NULL, NULL);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_init(context, principal, NULL, NULL,
+ _krb5_init_creds_get_cred_starttime(context, ctx),
+ state->anon_pkinit_opt,
+ &state->anon_pkinit_ctx);
+ if (ret)
+ goto out;
+ }
+
+ anon_pk_ctx = state->anon_pkinit_ctx;
+
+ ret = krb5_init_creds_step(context, anon_pk_ctx, in, out, out_realm, flags);
+ if (ret ||
+ (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE))
+ goto out;
+
+ ret = krb5_process_last_request(context, state->anon_pkinit_opt, anon_pk_ctx);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_get_creds(context, anon_pk_ctx, &cred);
+ if (ret)
+ goto out;
+
+ if (!cred.flags.b.enc_pa_rep) {
+ ret = KRB5KDC_ERR_BADOPTION; /* KDC does not support FAST */
+ goto out;
+ }
+
+ anon_pk_client = _krb5_init_creds_get_cred_client(context, anon_pk_ctx);
+
+ ret = krb5_cc_initialize(context, ccache, anon_pk_client);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_store_cred(context, ccache, &cred);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_set_config(context, ccache, cred.server,
+ "fast_avail", &data);
+ if (ret && ret != KRB5_CC_NOSUPP)
+ return ret;
+
+ if (_krb5_pk_is_kdc_verified(context, state->anon_pkinit_opt))
+ state->flags |= KRB5_FAST_KDC_VERIFIED;
+ else
+ state->flags &= ~(KRB5_FAST_KDC_VERIFIED);
+
+ state->armor_ccache = ccache;
+ ccache = NULL;
+
+ krb5_init_creds_free(context, state->anon_pkinit_ctx);
+ state->anon_pkinit_ctx = NULL;
+
+ krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt);
+ state->anon_pkinit_opt = NULL;
+
+out:
+ krb5_free_principal(context, principal);
+ krb5_free_cred_contents(context, &cred);
+ if (ccache)
+ krb5_cc_destroy(context, ccache);
+
+ return ret;
+}
diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c
index ab5d1c137f74..20c335db3beb 100644
--- a/lib/krb5/fcache.c
+++ b/lib/krb5/fcache.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -37,6 +37,9 @@
typedef struct krb5_fcache{
char *filename;
+ char *res;
+ char *sub;
+ char *tmpfn;
int version;
}krb5_fcache;
@@ -57,17 +60,29 @@ struct fcc_cursor {
#define FCACHE(X) ((krb5_fcache*)(X)->data.data)
#define FILENAME(X) (FCACHE(X)->filename)
+#define TMPFILENAME(X) (FCACHE(X)->tmpfn)
+#define RESFILENAME(X) (FCACHE(X)->res)
+#define SUBFILENAME(X) (FCACHE(X)->sub)
#define FCC_CURSOR(C) ((struct fcc_cursor*)(C))
-static const char* KRB5_CALLCONV
-fcc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+fcc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **colname,
+ const char **sub)
{
if (FCACHE(id) == NULL)
- return NULL;
-
- return FILENAME(id);
+ return KRB5_CC_NOTFOUND;
+
+ if (name)
+ *name = FILENAME(id);
+ if (colname)
+ *colname = FILENAME(id);
+ if (sub)
+ *sub = NULL;
+ return 0;
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
@@ -176,35 +191,78 @@ static krb5_error_code KRB5_CALLCONV
fcc_lock(krb5_context context, krb5_ccache id,
int fd, krb5_boolean exclusive)
{
- return _krb5_xlock(context, fd, exclusive, fcc_get_name(context, id));
+ krb5_error_code ret;
+ const char *name;
+
+ if (exclusive == FALSE)
+ return 0;
+ ret = fcc_get_name_2(context, id, &name, NULL, NULL);
+ if (ret == 0)
+ ret = _krb5_xlock(context, fd, exclusive, name);
+ return ret;
}
static krb5_error_code KRB5_CALLCONV
-fcc_unlock(krb5_context context, int fd)
-{
- return _krb5_xunlock(context, fd);
-}
+fcc_get_default_name(krb5_context, char **);
+
+/*
+ * This is the character used to separate the residual from the subsidiary name
+ * when both are given. It's tempting to use ':' just as we do in the ccache
+ * names, but we can't on Windows.
+ */
+#define FILESUBSEP "+"
+#define FILESUBSEPCHR ((FILESUBSEP)[0])
static krb5_error_code KRB5_CALLCONV
-fcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+fcc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
{
krb5_fcache *f;
- f = malloc(sizeof(*f));
- if(f == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
+ char *freeme = NULL;
+
+ if (res == NULL && sub == NULL)
+ return krb5_einval(context, 3);
+ if (res == NULL) {
+ krb5_error_code ret;
+
+ if ((ret = fcc_get_default_name(context, &freeme)))
+ return ret;
+ res = freeme + sizeof("FILE:") - 1;
+ } else if (!sub && (sub = strchr(res, FILESUBSEPCHR))) {
+ if (sub[1] == '\0') {
+ sub = NULL;
+ } else {
+ /* `res' has a subsidiary component, so split on it */
+ if ((freeme = strndup(res, sub - res)) == NULL)
+ return krb5_enomem(context);
+ res = freeme;
+ sub++;
+ }
}
- f->filename = strdup(res);
- if(f->filename == NULL){
- free(f);
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
+
+ if ((f = calloc(1, sizeof(*f))) == NULL ||
+ (f->res = strdup(res)) == NULL ||
+ (f->sub = sub ? strdup(sub) : NULL) == (sub ? NULL : "") ||
+ asprintf(&f->filename, "%s%s%s",
+ res, sub ? FILESUBSEP : "", sub ? sub : "") == -1 ||
+ f->filename == NULL) {
+ if (f) {
+ free(f->filename);
+ free(f->res);
+ free(f->sub);
+ }
+ free(f);
+ free(freeme);
+ return krb5_enomem(context);
}
+ f->tmpfn = NULL;
f->version = 0;
(*id)->data.data = f;
(*id)->data.length = sizeof(*f);
+
+ free(freeme);
return 0;
}
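Review bot: The allocation chain in fcc_resolve_2 has one cleanup path that may free an unset pointer, and it is hard to audit as written. If `asprintf` returns -1, the contents of `f->filename` are unspecified on some libc implementations, yet the failure branch calls `free(f->filename)`; test the asprintf result on its own and reset `f->filename = NULL` before the shared cleanup. The `f->sub` test compares against the address of a string literal, `== (sub ? NULL : "")`, which only works because no allocation can return that address; `(sub && (f->sub = strdup(sub)) == NULL)` states the intent directly. The `res = freeme + sizeof("FILE:") - 1` step also assumes fcc_get_default_name always returns a `FILE:`-prefixed string, which deserves a check or a comment.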
@@ -258,8 +316,12 @@ _krb5_erase_file(krb5_context context, const char *filename)
int ret;
ret = lstat (filename, &sb1);
- if (ret < 0)
- return errno;
+ if (ret < 0) {
+ if(errno == ENOENT)
+ return 0;
+ else
+ return errno;
+ }
fd = open(filename, O_RDWR | O_BINARY | O_CLOEXEC | O_NOFOLLOW);
if(fd < 0) {
@@ -276,7 +338,6 @@ _krb5_erase_file(krb5_context context, const char *filename)
}
if (unlink(filename) < 0) {
ret = errno;
- _krb5_xunlock(context, fd);
close (fd);
krb5_set_error_message(context, errno,
N_("krb5_cc_destroy: unlinking \"%s\": %s", ""),
@@ -286,7 +347,6 @@ _krb5_erase_file(krb5_context context, const char *filename)
ret = fstat(fd, &sb2);
if (ret < 0) {
ret = errno;
- _krb5_xunlock(context, fd);
close (fd);
return ret;
}
@@ -294,7 +354,6 @@ _krb5_erase_file(krb5_context context, const char *filename)
/* check if someone was playing with symlinks */
if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
- _krb5_xunlock(context, fd);
close(fd);
return EPERM;
}
@@ -302,18 +361,11 @@ _krb5_erase_file(krb5_context context, const char *filename)
/* there are still hard links to this file */
if (sb2.st_nlink != 0) {
- _krb5_xunlock(context, fd);
close(fd);
return 0;
}
ret = scrub_file(fd);
- if (ret) {
- _krb5_xunlock(context, fd);
- close(fd);
- return ret;
- }
- ret = _krb5_xunlock(context, fd);
close(fd);
return ret;
}
@@ -326,12 +378,18 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
krb5_fcache *f;
int fd;
- f = malloc(sizeof(*f));
+ f = calloc(1, sizeof(*f));
if(f == NULL) {
krb5_set_error_message(context, KRB5_CC_NOMEM,
N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
+ f->tmpfn = NULL;
+ /*
+ * XXX We should asprintf(&file, "%s:XXXXXX", KRB5_DEFAULT_CCNAME_FILE)
+ * instead so that new unique FILE ccaches can be found in the user's
+ * default collection.
+ * */
ret = asprintf(&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT);
if(ret < 0 || file == NULL) {
free(f);
@@ -348,7 +406,7 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
file = exp_file;
- fd = mkstemp(exp_file);
+ fd = mkostemp(exp_file, O_CLOEXEC);
if(fd < 0) {
ret = (krb5_error_code)errno;
krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file);
@@ -358,6 +416,8 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
}
close(fd);
f->filename = exp_file;
+ f->res = strdup(exp_file); /* XXX See above commentary about collection */
+ f->sub = NULL;
f->version = 0;
(*id)->data.data = f;
(*id)->data.length = sizeof(*f);
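Review bot: The `strdup(exp_file)` result stored in `f->res` is not checked, so an allocation failure leaves a cache with `filename` set and `res` NULL, and the function appears to carry on as if it had succeeded. The users visible in this diff tolerate that (fcc_close frees it, and fcc_set_default_cache returns early when `sub` is NULL), but any later reader of RESFILENAME would not. Either fail here with `if ((f->res = strdup(exp_file)) == NULL)`, followed by the cleanup the mkostemp failure path already does and `return krb5_enomem(context);`, or document on the struct that `res` may be NULL. fcc_gen_new starts and ends outside this hunk.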
@@ -416,12 +476,37 @@ fcc_open(krb5_context context,
if (FCACHE(id) == NULL)
return krb5_einval(context, 2);
- filename = FILENAME(id);
+ if ((flags & O_EXCL)) {
+ /*
+ * FIXME Instead of mkostemp()... we could instead try to use a .new
+ * file... with care. Or the O_TMPFILE / linkat() extensions. We need
+ * a roken / heimbase abstraction for that.
+ */
+ if (TMPFILENAME(id))
+ (void) unlink(TMPFILENAME(id));
+ free(TMPFILENAME(id));
+ TMPFILENAME(id) = NULL;
+ if (asprintf(&TMPFILENAME(id), "%s-XXXXXX", FILENAME(id)) < 0 ||
+ TMPFILENAME(id) == NULL)
+ return krb5_enomem(context);
+ if ((fd = mkostemp(TMPFILENAME(id), O_CLOEXEC)) == -1) {
+ krb5_set_error_message(context, ret = errno,
+ N_("Could not make temp ccache FILE:%s", ""),
+ TMPFILENAME(id));
+ free(TMPFILENAME(id));
+ TMPFILENAME(id) = NULL;
+ return ret;
+ }
+ goto out;
+ }
+ filename = TMPFILENAME(id) ? TMPFILENAME(id) : FILENAME(id);
strict_checking = (flags & O_CREAT) == 0 &&
(context->flags & KRB5_CTX_F_FCACHE_STRICT_CHECKING) != 0;
+#ifndef WIN32
again:
+#endif
memset(&sb1, 0, sizeof(sb1));
ret = lstat(filename, &sb1);
if (ret == 0) {
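Review bot: The new O_EXCL branch changes the contract of fcc_open and nothing at function level documents it. With O_EXCL set the function no longer opens FILENAME(id): it creates `FILENAME-XXXXXX` with mkostemp, does not apply the permission argument (0600 at the fcc_initialize call), and jumps to `out`, bypassing the lstat/fstat checks that follow. A header comment should say this and state that the caller is responsible for renaming the temp file into place. The error path would also read more clearly with `ret = errno;` on its own line before `krb5_set_error_message(context, ret, ...)`. fcc_open begins and ends outside this hunk, so whether `exclusive` is already set when `goto out` runs cannot be confirmed from here.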
@@ -496,7 +581,7 @@ again:
* locations on tmpfs "run" directories. But we don't know here
* that this is the case. Thus: no hard-links, no symlinks.
*/
- if (sb2.st_nlink != 1) {
+ if (sb2.st_nlink > 1) {
krb5_set_error_message(context, EPERM, N_("Refuses to open hardlinks for caches FILE:%s", ""), filename);
close(fd);
return EPERM;
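Review bot: The relaxed test `sb2.st_nlink > 1` now accepts a link count of 0, but the comment above still states the policy as no hard-links and no symlinks without saying why an already-unlinked file is acceptable. Presumably this covers a cache that another process replaced by rename after this one opened it. If so, a comment such as `/* st_nlink == 0: the file was replaced after we opened it; the open descriptor is still ours to read */` would record that intent next to the check. The comment and the enclosing function start outside this hunk.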
@@ -527,6 +612,7 @@ again:
#endif
}
+out:
if((ret = fcc_lock(context, id, fd, exclusive)) != 0) {
close(fd);
return ret;
@@ -547,41 +633,54 @@ fcc_initialize(krb5_context context,
if (f == NULL)
return krb5_einval(context, 2);
- unlink (f->filename);
-
+ /*
+ * fcc_open() will notice the O_EXCL and will make a temporary file that
+ * will later be renamed into place.
+ */
ret = fcc_open(context, id, "initialize", &fd, O_RDWR | O_CREAT | O_EXCL, 0600);
if(ret)
return ret;
{
krb5_storage *sp;
sp = krb5_storage_emem();
+ if (sp == NULL)
+ return krb5_enomem(context);
krb5_storage_set_eof_code(sp, KRB5_CC_END);
if(context->fcache_vno != 0)
f->version = context->fcache_vno;
else
f->version = KRB5_FCC_FVNO_4;
- ret |= krb5_store_int8(sp, 5);
- ret |= krb5_store_int8(sp, f->version);
+ if (ret == 0)
+ ret = krb5_store_int8(sp, 5);
+ if (ret == 0)
+ ret = krb5_store_int8(sp, f->version);
storage_set_flags(context, sp, f->version);
if(f->version == KRB5_FCC_FVNO_4 && ret == 0) {
/* V4 stuff */
if (context->kdc_sec_offset) {
- ret |= krb5_store_int16 (sp, 12); /* length */
- ret |= krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */
- ret |= krb5_store_int16 (sp, 8); /* length of data */
- ret |= krb5_store_int32 (sp, context->kdc_sec_offset);
- ret |= krb5_store_int32 (sp, context->kdc_usec_offset);
+ if (ret == 0)
+ ret = krb5_store_int16 (sp, 12); /* length */
+ if (ret == 0)
+ ret = krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */
+ if (ret == 0)
+ ret = krb5_store_int16 (sp, 8); /* length of data */
+ if (ret == 0)
+ ret = krb5_store_int32 (sp, context->kdc_sec_offset);
+ if (ret == 0)
+ ret = krb5_store_int32 (sp, context->kdc_usec_offset);
} else {
- ret |= krb5_store_int16 (sp, 0);
+ if (ret == 0)
+ ret = krb5_store_int16 (sp, 0);
}
}
- ret |= krb5_store_principal(sp, primary_principal);
+ if (ret == 0)
+ ret = krb5_store_principal(sp, primary_principal);
- ret |= write_storage(context, sp, fd);
+ if (ret == 0)
+ ret = write_storage(context, sp, fd);
krb5_storage_free(sp);
}
- fcc_unlock(context, fd);
if (close(fd) < 0)
if (ret == 0) {
char buf[128];
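Review bot: The added `if (sp == NULL) return krb5_enomem(context);` returns while `fd` from the successful fcc_open call is still open, so an allocation failure leaks the descriptor. Close it first: `if (sp == NULL) { close(fd); return krb5_enomem(context); }`. The same check added to fcc_store_cred (the `@@ -630,6 +736,8 @@` hunk) appears to have the same problem, since `fd` is passed to write_storage a few lines later there. fcc_initialize ends outside this hunk.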
@@ -600,7 +699,12 @@ fcc_close(krb5_context context,
if (FCACHE(id) == NULL)
return krb5_einval(context, 2);
- free (FILENAME(id));
+ if (TMPFILENAME(id))
+ (void) unlink(TMPFILENAME(id));
+ free(TMPFILENAME(id));
+ free(RESFILENAME(id));
+ free(SUBFILENAME(id));
+ free(FILENAME(id));
krb5_data_free(&id->data);
return 0;
}
@@ -612,6 +716,8 @@ fcc_destroy(krb5_context context,
if (FCACHE(id) == NULL)
return krb5_einval(context, 2);
+ if (TMPFILENAME(id))
+ (void) _krb5_erase_file(context, TMPFILENAME(id));
return _krb5_erase_file(context, FILENAME(id));
}
@@ -630,6 +736,8 @@ fcc_store_cred(krb5_context context,
krb5_storage *sp;
sp = krb5_storage_emem();
+ if (sp == NULL)
+ return krb5_enomem(context);
krb5_storage_set_eof_code(sp, KRB5_CC_END);
storage_set_flags(context, sp, FCACHE(id)->version);
ret = krb5_store_creds(sp, creds);
@@ -637,7 +745,6 @@ fcc_store_cred(krb5_context context,
ret = write_storage(context, sp, fd);
krb5_storage_free(sp);
}
- fcc_unlock(context, fd);
if (close(fd) < 0) {
if (ret == 0) {
char buf[128];
@@ -647,6 +754,21 @@ fcc_store_cred(krb5_context context,
FILENAME(id), buf);
}
}
+ if (ret == 0 && TMPFILENAME(id) &&
+ !krb5_is_config_principal(context, creds->server)) {
+
+ /*
+ * Portability note: there's no need to have WIN32 or other code here
+ * for odd rename cases because rk_rename() is meant to handle that.
+ */
+ ret = rk_rename(TMPFILENAME(id), FILENAME(id));
+ if (ret == 0) {
+ free(TMPFILENAME(id));
+ TMPFILENAME(id) = NULL;
+ } else {
+ ret = errno;
+ }
+ }
return ret;
}
@@ -672,7 +794,7 @@ init_fcc(krb5_context context,
if(ret)
return ret;
- sp = krb5_storage_from_fd(fd);
+ sp = krb5_storage_stdio_from_fd(fd, "r");
if(sp == NULL) {
krb5_clear_error_message(context);
ret = ENOMEM;
@@ -798,7 +920,6 @@ init_fcc(krb5_context context,
out:
if(sp != NULL)
krb5_storage_free(sp);
- fcc_unlock(context, fd);
close(fd);
return ret;
}
@@ -819,20 +940,19 @@ fcc_get_principal(krb5_context context,
if (ret)
krb5_clear_error_message(context);
krb5_storage_free(sp);
- fcc_unlock(context, fd);
close(fd);
return ret;
}
static krb5_error_code KRB5_CALLCONV
-fcc_end_get (krb5_context context,
- krb5_ccache id,
- krb5_cc_cursor *cursor);
+fcc_end_get(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor);
static krb5_error_code KRB5_CALLCONV
-fcc_get_first (krb5_context context,
- krb5_ccache id,
- krb5_cc_cursor *cursor)
+fcc_get_first(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor)
{
krb5_error_code ret;
krb5_principal principal;
@@ -840,14 +960,13 @@ fcc_get_first (krb5_context context,
if (FCACHE(id) == NULL)
return krb5_einval(context, 2);
- *cursor = malloc(sizeof(struct fcc_cursor));
+ *cursor = calloc(1, sizeof(struct fcc_cursor));
if (*cursor == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
- memset(*cursor, 0, sizeof(struct fcc_cursor));
- ret = init_fcc(context, id, "get-frist", &FCC_CURSOR(*cursor)->sp,
+ ret = init_fcc(context, id, "get-first", &FCC_CURSOR(*cursor)->sp,
&FCC_CURSOR(*cursor)->fd, NULL);
if (ret) {
free(*cursor);
@@ -861,7 +980,6 @@ fcc_get_first (krb5_context context,
return ret;
}
krb5_free_principal (context, principal);
- fcc_unlock(context, FCC_CURSOR(*cursor)->fd);
return 0;
}
@@ -879,19 +997,16 @@ fcc_get_next (krb5_context context,
if (FCC_CURSOR(*cursor) == NULL)
return krb5_einval(context, 3);
- if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0)
- return ret;
- FCC_CURSOR(*cursor)->cred_start = lseek(FCC_CURSOR(*cursor)->fd,
- 0, SEEK_CUR);
+ FCC_CURSOR(*cursor)->cred_start =
+ krb5_storage_seek(FCC_CURSOR(*cursor)->sp, 0, SEEK_CUR);
ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds);
if (ret)
krb5_clear_error_message(context);
- FCC_CURSOR(*cursor)->cred_end = lseek(FCC_CURSOR(*cursor)->fd,
- 0, SEEK_CUR);
+ FCC_CURSOR(*cursor)->cred_end =
+ krb5_storage_seek(FCC_CURSOR(*cursor)->sp, 0, SEEK_CUR);
- fcc_unlock(context, FCC_CURSOR(*cursor)->fd);
return ret;
}
@@ -1025,7 +1140,6 @@ cred_delete(krb5_context context,
ret = write_storage(context, sp, fd);
out:
if (fd > -1) {
- fcc_unlock(context, fd);
if (close(fd) < 0 && ret == 0) {
krb5_set_error_message(context, errno, N_("close %s", ""),
FILENAME(id));
@@ -1062,7 +1176,7 @@ fcc_remove_cred(krb5_context context,
krb5_free_cred_contents(context, &found_cred);
}
ret2 = krb5_cc_end_seq_get(context, id, &cursor);
- if (ret == 0)
+ if (ret2) /* not expected to fail */
return ret2;
if (ret == KRB5_CC_END)
return 0;
@@ -1090,62 +1204,326 @@ fcc_get_version(krb5_context context,
return FCACHE(id)->version;
}
+static const char *
+my_basename(const char *fn)
+{
+ const char *base, *p;
+
+ if (strncmp(fn, "FILE:", sizeof("FILE:") - 1) == 0)
+ fn += sizeof("FILE:") - 1;
+ for (p = base = fn; *p; p++) {
+#ifdef WIN32
+ if (*p == '/' || *p == '\\')
+ base = p + 1;
+#else
+ if (*p == '/')
+ base = p + 1;
+#endif
+ }
+ return base;
+}
+
+/* We could use an rk_dirname()... */
+static char *
+my_dirname(const char *fn)
+{
+ size_t len, i;
+ char *dname;
+
+ if (strncmp(fn, "FILE:", sizeof("FILE:") - 1) == 0)
+ fn += sizeof("FILE:") - 1;
+
+ if ((dname = strdup(fn)) == NULL)
+ return NULL;
+ len = strlen(dname);
+ for (i = 0; i < len; i++) {
+#ifdef WIN32
+ if (dname[len - i] == '\\' ||
+ dname[len - i] == '/') {
+ dname[len - i] = '\0';
+ break;
+ }
+#else
+ if (dname[len - i] == '/') {
+ dname[len - i] = '\0';
+ break;
+ }
+#endif
+ }
+ if (i < len)
+ return dname;
+ free(dname);
+ return strdup(".");
+}
+
+/*
+ * This checks that a directory entry matches a required basename and has a
+ * non-empty subsidiary component.
+ */
+static int
+matchbase(const char *fn, const char *base, size_t baselen)
+{
+ return strncmp(fn, base, baselen) == 0 &&
+ (fn[baselen] == FILESUBSEPCHR && fn[baselen + 1] != '\0');
+}
+
+/*
+ * Check if `def_locs' contains `name' (which must be the default ccache name),
+ * in which case the caller may look for subsidiaries of all of `def_locs'.
+ *
+ * This is needed because the collection iterators don't take a base location
+ * as an argument, so we can only search default locations, but only if the
+ * current default ccache name is indeed a default (as opposed to from
+ * KRB5CCNAME being set in the environment pointing to a non-default name).
+ */
+static krb5_error_code
+is_default_collection(krb5_context context, const char *name,
+ const char * const *def_locs, int *res)
+{
+ krb5_error_code ret;
+ const char *def_loc[2] = { KRB5_DEFAULT_CCNAME_FILE, NULL };
+ const char *sep;
+ size_t namelen;
+ size_t i;
+
+ *res = 0;
+ if (name == NULL) {
+ *res = 1;
+ return 0;
+ }
+ if ((sep = strchr(name, FILESUBSEPCHR)))
+ namelen = (size_t)(sep - name);
+ else
+ namelen = strlen(name);
+ if (def_locs == NULL)
+ def_locs = def_loc;
+ for (i = 0; !(*res) && def_locs[i]; i++) {
+ char *e = NULL;
+
+ if ((ret = _krb5_expand_default_cc_name(context, def_locs[i], &e)))
+ return ret;
+ *res = strncmp(e, name, namelen) == 0 &&
+ (sep == NULL || e[namelen] == FILESUBSEPCHR || e[namelen] == '\0');
+ free(e);
+ }
+ return 0;
+}
+
+/*
+ * Collection iterator cursor.
+ *
+ * There may be an array of locations, and for each location we'll try
+ * resolving it, as well as doing a readdir() of the dirname of it and output
+ * all ccache names in that directory that begin with the current location and
+ * end in "+${subsidiary}".
+ */
struct fcache_iter {
- int first;
+ const char *curr_location;
+ char *def_ccname; /* The default ccname */
+ char **locations; /* All the other places we'll look for a ccache */
+ char *dname; /* dirname() of curr_location */
+ DIR *d;
+ struct dirent *dentry;
+ int location; /* Index of `locations' */
+ unsigned int first:1;
+ unsigned int dead:1;
};
+/* Initiate FILE collection iteration */
static krb5_error_code KRB5_CALLCONV
fcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
{
- struct fcache_iter *iter;
+ struct fcache_iter *iter = NULL;
+ krb5_error_code ret;
+ const char *def_ccname = NULL;
+ char **def_locs = NULL;
+ int is_def_coll = 0;
+
+ if (krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults",
+ "enable_file_cache_iteration", NULL)) {
+ def_ccname = krb5_cc_default_name(context);
+ def_locs = krb5_config_get_strings(context, NULL, "libdefaults",
+ "default_file_cache_collections",
+ NULL);
+ }
- iter = calloc(1, sizeof(*iter));
- if (iter == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
+ /*
+ * Note: do not allow krb5_cc_default_name() to recurse via
+ * krb5_cc_cache_match().
+ * Note that context->default_cc_name will be NULL even though
+ * KRB5CCNAME is set in the environment if neither krb5_cc_default_name()
+ * nor krb5_cc_set_default_name() have been called.
+ */
+
+ /*
+ * Figure out if the current default ccache name is a really a default one
+ * so we know whether to search any other default FILE collection
+ * locations.
+ */
+ if ((ret = is_default_collection(context, def_ccname,
+ (const char **)def_locs,
+ &is_def_coll)))
+ goto out;
+
+ /* Setup the cursor */
+ if ((iter = calloc(1, sizeof(*iter))) == NULL ||
+ (def_ccname && (iter->def_ccname = strdup(def_ccname)) == NULL)) {
+ ret = krb5_enomem(context);
+ goto out;
}
+
+ if (is_def_coll) {
+ /* Since def_ccname is in the `def_locs', we'll include those */
+ iter->locations = def_locs;
+ free(iter->def_ccname);
+ iter->def_ccname = NULL;
+ def_locs = NULL;
+ } else {
+ /* Since def_ccname is NOT in the `def_locs', we'll exclude those */
+ iter->locations = NULL;
+ }
+ iter->curr_location = NULL;
+ iter->location = -1; /* Pre-incremented */
iter->first = 1;
+ iter->dname = NULL;
+ iter->d = NULL;
*cursor = iter;
+ iter = NULL;
+ ret = 0;
+
+out:
+ krb5_config_free_strings(def_locs);
+ free(iter);
+ return ret;
+}
+
+/* Pick the next location as the `iter->curr_location' */
+static krb5_error_code
+next_location(krb5_context context, struct fcache_iter *iter)
+{
+ if (iter->first && iter->def_ccname) {
+ iter->curr_location = iter->def_ccname;
+ iter->first = 0;
+ return 0;
+ }
+ iter->first = 0;
+
+ if (iter->d)
+ closedir(iter->d);
+ iter->d = NULL;
+ iter->curr_location = NULL;
+ if (iter->locations &&
+ (iter->curr_location = iter->locations[++(iter->location)]))
+ return 0;
+
+ iter->dead = 1; /* Do not run off the end of iter->locations */
+ return KRB5_CC_END;
+}
+
+/* Output the next match for `iter->curr_location' from readdir() */
+static krb5_error_code
+next_dir_match(krb5_context context, struct fcache_iter *iter, char **fn)
+{
+ struct stat st;
+ const char *base = my_basename(iter->curr_location);
+ size_t baselen = strlen(base);
+ char *s;
+
+ *fn = NULL;
+ if (iter->d == NULL)
+ return 0;
+ for (iter->dentry = readdir(iter->d);
+ iter->dentry;
+ iter->dentry = readdir(iter->d)) {
+ if (!matchbase(iter->dentry->d_name, base, baselen))
+ continue;
+ if (asprintf(&s, "FILE:%s/%s", iter->dname, iter->dentry->d_name) == -1 ||
+ s == NULL)
+ return krb5_enomem(context);
+ if (stat(s + sizeof("FILE:") - 1, &st) == 0 && S_ISREG(st.st_mode)) {
+ *fn = s;
+ return 0;
+ }
+ free(s);
+ }
+ iter->curr_location = NULL;
+ closedir(iter->d);
+ iter->d = NULL;
+ return 0;
+}
+
+/* See if the given `ccname' is a FILE ccache we can resolve */
+static krb5_error_code
+try1(krb5_context context, const char *ccname, krb5_ccache *id)
+{
+ krb5_error_code ret;
+ krb5_ccache cc;
+
+ ret = krb5_cc_resolve(context, ccname, &cc);
+ if (ret == ENOMEM)
+ return ret;
+ if (ret == 0) {
+ if (strcmp(krb5_cc_get_type(context, cc), "FILE") == 0) {
+ *id = cc;
+ cc = NULL;
+ }
+ krb5_cc_close(context, cc);
+ }
return 0;
}
+/* Output the next FILE ccache in the FILE ccache collection */
static krb5_error_code KRB5_CALLCONV
fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
{
struct fcache_iter *iter = cursor;
krb5_error_code ret;
- const char *fn, *cc_type;
- krb5_ccache cc;
+ char *name = NULL;
+ *id = NULL;
if (iter == NULL)
return krb5_einval(context, 2);
- if (!iter->first) {
- krb5_clear_error_message(context);
- return KRB5_CC_END;
- }
- iter->first = 0;
-
- /*
- * Note: do not allow krb5_cc_default_name() to recurse via
- * krb5_cc_cache_match().
- * Note that context->default_cc_name will be NULL even though
- * KRB5CCNAME is set in the environment if
- * krb5_cc_set_default_name() hasn't
- */
- fn = krb5_cc_default_name(context);
- ret = krb5_cc_resolve(context, fn, &cc);
- if (ret != 0)
- return ret;
- cc_type = krb5_cc_get_type(context, cc);
- if (strcmp(cc_type, "FILE") != 0) {
- krb5_cc_close(context, cc);
+ /* Do not run off the end of iter->locations */
+ if (iter->dead)
return KRB5_CC_END;
+
+ if (!iter->curr_location) {
+ /* Next base location */
+ if ((ret = next_location(context, iter)))
+ return ret;
+ /* Output the current base location */
+ if ((ret = try1(context, iter->curr_location, id)) || *id)
+ return ret;
}
- *id = cc;
+ /* Look for subsidiaries of iter->curr_location */
+ if (!iter->d) {
+ free(iter->dname);
+ if ((iter->dname = my_dirname(iter->curr_location)) == NULL)
+ return krb5_enomem(context);
+ if ((iter->d = opendir(iter->dname)) == NULL) {
+ /* Dirname ENOENT -> next location */
+ if ((ret = next_location(context, iter)))
+ return ret;
+ /* Tail-recurse */
+ return fcc_get_cache_next(context, cursor, id);
+ }
+ }
+ for (ret = next_dir_match(context, iter, &name);
+ ret == 0 && name != NULL;
+ ret = next_dir_match(context, iter, &name)) {
+ if ((ret = try1(context, name, id)) || *id) {
+ free(name);
+ return ret;
+ }
+ free(name);
+ }
- return 0;
+ /* Directory listing exhausted -> go to next location, tail-recurse */
+ if ((ret = next_location(context, iter)))
+ return ret;
+ return fcc_get_cache_next(context, cursor, id);
}
static krb5_error_code KRB5_CALLCONV
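Review bot: next_dir_match uses `stat()` to decide whether a directory entry is a regular file, and stat follows symlinks, while the comment in fcc_open states the policy for FILE caches as no hard-links and no symlinks. In a shared directory other users can create entries that match `base+sub`, so the filter should not resolve links: `if (lstat(s + sizeof("FILE:") - 1, &st) == 0 && S_ISREG(st.st_mode)) {`. Separately, my_dirname indexes `dname[len - i]` for i from 0 to len-1 and so never inspects `dname[0]`. A path whose only separator is the leading one therefore falls through to `strdup(".")`, and the current working directory is scanned instead of the intended one.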
@@ -1156,6 +1534,11 @@ fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
if (iter == NULL)
return krb5_einval(context, 2);
+ krb5_config_free_strings(iter->locations);
+ if (iter->d)
+ closedir(iter->d);
+ free(iter->def_ccname);
+ free(iter->dname);
free(iter);
return 0;
}
@@ -1164,82 +1547,32 @@ static krb5_error_code KRB5_CALLCONV
fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_error_code ret = 0;
-
- ret = rk_rename(FILENAME(from), FILENAME(to));
-
- if (ret && errno != EXDEV) {
- char buf[128];
- ret = errno;
- rk_strerror_r(ret, buf, sizeof(buf));
- krb5_set_error_message(context, ret,
- N_("Rename of file from %s "
- "to %s failed: %s", ""),
- FILENAME(from), FILENAME(to), buf);
- return ret;
- } else if (ret && errno == EXDEV) {
- /* make a copy and delete the orignal */
- krb5_ssize_t sz1, sz2;
- int fd1, fd2;
- char buf[BUFSIZ];
-
- ret = fcc_open(context, from, "move/from", &fd1, O_RDONLY, 0);
- if(ret)
- return ret;
-
- unlink(FILENAME(to));
-
- ret = fcc_open(context, to, "move/to", &fd2,
- O_WRONLY | O_CREAT | O_EXCL, 0600);
- if(ret)
- goto out1;
-
- while((sz1 = read(fd1, buf, sizeof(buf))) > 0) {
- sz2 = write(fd2, buf, sz1);
- if (sz1 != sz2) {
- ret = EIO;
- krb5_set_error_message(context, ret,
- N_("Failed to write data from one file "
- "credential cache to the other", ""));
- goto out2;
- }
- }
- if (sz1 < 0) {
- ret = EIO;
- krb5_set_error_message(context, ret,
- N_("Failed to read data from one file "
- "credential cache to the other", ""));
- goto out2;
- }
- out2:
- fcc_unlock(context, fd2);
- close(fd2);
-
- out1:
- fcc_unlock(context, fd1);
- close(fd1);
-
- _krb5_erase_file(context, FILENAME(from));
-
- if (ret) {
- _krb5_erase_file(context, FILENAME(to));
- return ret;
- }
- }
-
- /* make sure ->version is uptodate */
- {
- krb5_storage *sp;
- int fd;
- if ((ret = init_fcc (context, to, "move", &sp, &fd, NULL)) == 0) {
- if (sp)
- krb5_storage_free(sp);
- fcc_unlock(context, fd);
- close(fd);
- }
+ krb5_fcache *f = FCACHE(from);
+ krb5_fcache *t = FCACHE(to);
+
+ if (f->tmpfn) {
+ /*
+ * If `from' has a temp file and we haven't renamed it into place yet,
+ * then we should rename TMPFILENAME(from) to FILENAME(to).
+ *
+ * This can only happen if we're moving a ccache where only cc config
+ * entries, or no entries, have been written. That's not likely.
+ */
+ if (rk_rename(f->tmpfn, t->filename)) {
+ ret = errno;
+ } else {
+ free(f->tmpfn);
+ f->tmpfn = NULL;
+ }
+ } else if (rk_rename(f->filename, t->filename)) {
+ ret = errno;
}
-
- fcc_close(context, from);
-
+ /*
+ * We need only close from -- we can't destroy it since the rename
+ * succeeded, which "destroyed" it at its old name.
+ */
+ if (ret == 0)
+ krb5_cc_close(context, from);
return ret;
}
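Review bot: fcc_move no longer handles a rename across filesystems: the removed code copied the cache when rename failed with EXDEV, while the new code returns `errno` for every failure. Unless rk_rename() performs that copy itself (not visible in this diff), moving a cache between filesystems, for example from a tmpfs location to another filesystem, will now fail. The failure paths also set no error message, where the old code reported both file names; a call along the lines of `krb5_set_error_message(context, ret, N_("Rename of file from %s to %s failed", ""), f->filename, t->filename);` would restore that. The old step that re-read the target to refresh `->version` is gone as well, so it is worth stating in a comment that `to` keeps whatever version it had.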
@@ -1252,6 +1585,35 @@ fcc_get_default_name(krb5_context context, char **str)
}
static krb5_error_code KRB5_CALLCONV
+fcc_set_default_cache(krb5_context context, krb5_ccache id)
+{
+ krb5_error_code ret;
+ krb5_ccache dest;
+ char *s = NULL;
+
+ if (SUBFILENAME(id) == NULL)
+ return 0; /* Already a primary */
+ if (asprintf(&s, "FILE:%s", RESFILENAME(id)) == -1 || s == NULL)
+ return krb5_enomem(context);
+
+ /*
+ * We can't hard-link, since we refuse to open ccaches with st_nlink > 1,
+ * and we can't rename() the ccache because the old name should remain
+ * available. Ergo, we copy the ccache.
+ */
+ ret = krb5_cc_resolve(context, s, &dest);
+ if (ret == 0)
+ ret = krb5_cc_copy_cache(context, id, dest);
+ free(s);
+ if (ret)
+ krb5_set_error_message(context, ret,
+ N_("Failed to copy subsidiary cache file %s to "
+ "default %s", ""), FILENAME(id),
+ RESFILENAME(id));
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
fcc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
{
krb5_error_code ret;
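Review bot: fcc_set_default_cache never releases `dest`: after krb5_cc_resolve succeeds, no path in the function calls krb5_cc_close on it, so each call leaks the handle and the strings that fcc_close would free. Declare it as `krb5_ccache dest = NULL;` and add `if (dest) krb5_cc_close(context, dest);` after the krb5_cc_copy_cache call, before the error message is set. The comment explaining why the cache is copied rather than linked or renamed is useful; a header comment saying that a cache with no subsidiary name is treated as already being the primary would complete it.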
@@ -1287,7 +1649,6 @@ fcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
ret = init_fcc(context, id, "get-kdc-offset", &sp, &fd, kdc_offset);
if (sp)
krb5_storage_free(sp);
- fcc_unlock(context, fd);
close(fd);
return ret;
@@ -1301,10 +1662,10 @@ fcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_fcc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"FILE",
- fcc_get_name,
- fcc_resolve,
+ NULL,
+ NULL,
fcc_gen_new,
fcc_initialize,
fcc_destroy,
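Review bot: The two slots of krb5_fcc_ops that held fcc_get_name and fcc_resolve are now bare `NULL` in a positional initializer, with nothing to say that the replacements are the fcc_get_name_2 and fcc_resolve_2 entries appended in the next hunk. I would annotate them, e.g. `NULL, /* was fcc_get_name; superseded by fcc_get_name_2 */` and `NULL, /* was fcc_resolve; superseded by fcc_resolve_2 */`. Any dispatch site that still calls those two slots without first checking the ops version would go through a null function pointer, so confirm that the callers outside this file were updated.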
@@ -1323,8 +1684,10 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_fcc_ops = {
fcc_end_cache_get,
fcc_move,
fcc_get_default_name,
- NULL,
+ fcc_set_default_cache,
fcc_lastchange,
fcc_set_kdc_offset,
- fcc_get_kdc_offset
+ fcc_get_kdc_offset,
+ fcc_get_name_2,
+ fcc_resolve_2
};
diff --git a/lib/krb5/generate_subkey.c b/lib/krb5/generate_subkey.c
index 07047461ee77..767d94cf7fe6 100644
--- a/lib/krb5/generate_subkey.c
+++ b/lib/krb5/generate_subkey.c
@@ -58,7 +58,7 @@ krb5_generate_subkey_extended(krb5_context context,
if (*subkey == NULL)
return krb5_enomem(context);
- if (etype == (krb5_enctype)ETYPE_NULL)
+ if (etype == ETYPE_NULL)
etype = key->keytype; /* use session key etype */
/* XXX should we use the session key as input to the RF? */
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 70b3e5f41447..6e48846bcb3a 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -3,7 +3,7 @@
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
- * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -38,8 +38,10 @@
static krb5_error_code
get_cred_kdc_capath(krb5_context, krb5_kdc_flags,
- krb5_ccache, krb5_creds *, krb5_principal,
- Ticket *, krb5_creds **, krb5_creds ***);
+ krb5_ccache, struct krb5_fast_state *,
+ krb5_creds *, krb5_principal,
+ Ticket *, const char *, const char *,
+ krb5_creds **, krb5_creds ***);
/*
* Take the `body' and encode it into `padata' using the credentials
@@ -48,35 +50,33 @@ get_cred_kdc_capath(krb5_context, krb5_kdc_flags,
static krb5_error_code
make_pa_tgs_req(krb5_context context,
- krb5_auth_context ac,
+ krb5_auth_context *ac,
KDC_REQ_BODY *body,
- PA_DATA *padata,
- krb5_creds *creds)
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ krb5_data *tgs_req)
{
- u_char *buf;
+ krb5_error_code ret;
+ krb5_data in_data;
size_t buf_size;
size_t len = 0;
- krb5_data in_data;
- krb5_error_code ret;
+ uint8_t *buf;
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
if (ret)
- goto out;
+ return ret;
+
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
in_data.length = len;
in_data.data = buf;
- ret = _krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
- &padata->padata_value,
+ ret = _krb5_mk_req_internal(context, ac, 0, &in_data,
+ creds, tgs_req,
KRB5_KU_TGS_REQ_AUTH_CKSUM,
KRB5_KU_TGS_REQ_AUTH);
- out:
free (buf);
- if(ret)
- return ret;
- padata->padata_type = KRB5_PADATA_TGS_REQ;
- return 0;
+ return ret;
}
/*
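Review bot: The new `ccache` parameter of make_pa_tgs_req is not used anywhere in the body shown here, and the comment above the function still says the body is encoded into `padata`, which is no longer a parameter. Either drop `ccache` or say why it is reserved, and reword the comment to state that the output of _krb5_mk_req_internal is returned in `tgs_req` and is owned by the caller. `ac` is now passed by pointer; whether the callee may replace the auth context is not visible in the hunk and deserves a line in the same comment.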
@@ -114,19 +114,20 @@ set_auth_data (krb5_context context,
req_body->enc_authorization_data = NULL;
return ret;
}
- krb5_encrypt_EncryptedData(context,
- crypto,
- KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
- buf,
- len,
- 0,
- req_body->enc_authorization_data);
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
+ buf,
+ len,
+ 0,
+ req_body->enc_authorization_data);
free (buf);
krb5_crypto_destroy(context, crypto);
+ return ret;
} else {
req_body->enc_authorization_data = NULL;
+ return 0;
}
- return 0;
}
/*
@@ -138,6 +139,7 @@ set_auth_data (krb5_context context,
static krb5_error_code
init_tgs_req (krb5_context context,
krb5_ccache ccache,
+ struct krb5_fast_state *state,
krb5_addresses *addresses,
krb5_kdc_flags flags,
Ticket *second_ticket,
@@ -150,8 +152,11 @@ init_tgs_req (krb5_context context,
{
krb5_auth_context ac = NULL;
krb5_error_code ret = 0;
+ krb5_data tgs_req;
+ krb5_data_zero(&tgs_req);
memset(t, 0, sizeof(*t));
+
t->pvno = 5;
t->msg_type = krb_tgs_req;
if (in_creds->session.keytype) {
@@ -234,21 +239,80 @@ init_tgs_req (krb5_context context,
if (ret)
goto fail;
}
- ALLOC(t->padata, 1);
- if (t->padata == NULL) {
- ret = krb5_enomem(context);
+
+ ret = krb5_auth_con_init(context, &ac);
+ if(ret)
+ goto fail;
+
+ ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
+ if (ret)
goto fail;
+
+ if (state) {
+ krb5_data empty;
+
+ krb5_data_zero(&empty);
+ ret = krb5_auth_con_add_AuthorizationData(context, ac,
+ KRB5_AUTHDATA_FX_FAST_USED,
+ &empty);
+ if (ret)
+ goto fail;
}
- ALLOC_SEQ(t->padata, 1 + padata->len);
- if (t->padata->val == NULL) {
- ret = krb5_enomem(context);
+
+ ret = set_auth_data(context, &t->req_body,
+ &in_creds->authdata, ac->local_subkey);
+ if (ret)
goto fail;
+
+ ret = make_pa_tgs_req(context,
+ &ac,
+ &t->req_body,
+ ccache,
+ krbtgt,
+ &tgs_req);
+ if(ret)
+ goto fail;
+
+ /*
+ * Add KRB5_PADATA_TGS_REQ first
+ * followed by all others.
+ */
+
+ if (t->padata == NULL) {
+ ALLOC(t->padata, 1);
+ if (t->padata == NULL) {
+ ret = krb5_enomem(context);
+ goto fail;
+ }
}
+
+ ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ,
+ tgs_req.data, tgs_req.length);
+ if (ret)
+ goto fail;
+
+ krb5_data_zero(&tgs_req);
+
{
size_t i;
for (i = 0; i < padata->len; i++) {
- ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
+ const PA_DATA *val1 = &padata->val[i];
+ PA_DATA val2;
+
+ ret = copy_PA_DATA(val1, &val2);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto fail;
+ }
+
+ ret = krb5_padata_add(context, t->padata,
+ val2.padata_type,
+ val2.padata_value.data,
+ val2.padata_value.length);
if (ret) {
+ free_PA_DATA(&val2);
+
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
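Review bot: Ownership of the buffers handed to krb5_padata_add is only implicit here: `tgs_req` is zeroed rather than freed after a successful add, and `val2` is released only when the add fails, which implies that a successful call keeps the pointer. That is easy to break in a later edit, so I would add a comment at the first call such as `/* krb5_padata_add() keeps tgs_req.data on success; zero it so the cleanup path does not free it again */`. Separately, the copy_PA_DATA failure branch sets a fixed "malloc: out of memory" message whatever `ret` is. init_tgs_req begins and ends outside this hunk.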
@@ -256,26 +320,20 @@ init_tgs_req (krb5_context context,
}
}
- ret = krb5_auth_con_init(context, &ac);
- if(ret)
- goto fail;
-
- ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
- if (ret)
- goto fail;
+ if (state) {
+ state->armor_ac = ac;
+ ret = _krb5_fast_create_armor(context, state, NULL);
+ state->armor_ac = NULL;
+ if (ret)
+ goto fail;
- ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
- ac->local_subkey);
- if (ret)
- goto fail;
+ ret = _krb5_fast_wrap_req(context, state, t);
+ if (ret)
+ goto fail;
- ret = make_pa_tgs_req(context,
- ac,
- &t->req_body,
- &t->padata->val[0],
- krbtgt);
- if(ret)
- goto fail;
+ /* Its ok if there is no fast in the TGS-REP, older heimdal only support it in the AS code path */
+ state->flags &= ~KRB5_FAST_EXPECTED;
+ }
ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
if (ret)
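Review bot: Clearing KRB5_FAST_EXPECTED right after wrapping the request means a TGS-REP that carries no FAST response is accepted even though the request was armored, so a reply with the FAST padata stripped cannot be told apart from one sent by an older KDC. The inline comment gives the compatibility reason but not the consequence; I would extend it, e.g. `/* Reply may lack FAST (older Heimdal KDCs); we then rely on the normal enc-part protection only and no strengthen key is applied */`. If a strict mode is wanted later, this is the line that would have to become conditional. The enclosing function starts and ends outside the hunk.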
@@ -288,6 +346,8 @@ fail:
t->req_body.addresses = NULL;
free_TGS_REQ (t);
}
+ krb5_data_free(&tgs_req);
+
return ret;
}
@@ -306,6 +366,9 @@ _krb5_get_krbtgt(krb5_context context,
if (ret)
return ret;
+ if (realm == NULL)
+ realm = tmp_cred.client->realm;
+
ret = krb5_make_principal(context,
&tmp_cred.server,
realm,
@@ -333,6 +396,42 @@ _krb5_get_krbtgt(krb5_context context,
return 0;
}
+static krb5_error_code
+fast_tgs_strengthen_key(krb5_context context,
+ struct krb5_fast_state *state,
+ krb5_keyblock *reply_key,
+ krb5_keyblock *extract_key)
+{
+ krb5_error_code ret;
+
+ if (state && state->strengthen_key) {
+ _krb5_debug(context, 5, "_krb5_fast_tgs_strengthen_key");
+
+ if (state->strengthen_key->keytype != reply_key->keytype) {
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("strengthen_key %d not same enctype as reply key %d", ""),
+ state->strengthen_key->keytype, reply_key->keytype);
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+
+ ret = _krb5_fast_cf2(context,
+ state->strengthen_key,
+ "strengthenkey",
+ reply_key,
+ "replykey",
+ extract_key,
+ NULL);
+ if (ret)
+ return ret;
+ } else {
+ ret = krb5_copy_keyblock_contents(context, reply_key, extract_key);
+ if (ret)
+ return ret;
+ }
+
+ return 0;
+}
+
/* DCE compatible decrypt proc */
static krb5_error_code KRB5_CALLCONV
decrypt_tkt_with_subkey (krb5_context context,
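Review bot: fast_tgs_strengthen_key has no header comment, and its contract is not obvious from the signature: on success `extract_key` holds key material the caller must release (the caller in decrypt_tkt_with_subkey frees it with krb5_free_keyblock_contents), whether it came from _krb5_fast_cf2 or from the plain copy of `reply_key`. State that above the function, along with the fact that a NULL `state` or a missing strengthen key results in a plain copy. The debug string `"_krb5_fast_tgs_strengthen_key"` also does not match the function's name, which makes the trace harder to search for.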
@@ -341,11 +440,14 @@ decrypt_tkt_with_subkey (krb5_context context,
krb5_const_pointer skey,
krb5_kdc_rep *dec_rep)
{
- const krb5_keyblock *subkey = skey;
+ struct krb5_decrypt_tkt_with_subkey_state *state;
krb5_error_code ret = 0;
krb5_data data;
size_t size;
krb5_crypto crypto;
+ krb5_keyblock extract_key;
+
+ state = (struct krb5_decrypt_tkt_with_subkey_state *)skey;
assert(usage == 0);
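Review bot: The assignment `state = (struct krb5_decrypt_tkt_with_subkey_state *)skey;` casts away the const of the krb5_const_pointer argument, although the lines visible in this commit only read through `state`. Declaring it as `const struct krb5_decrypt_tkt_with_subkey_state *state = skey;` needs no cast and keeps the compiler checking that the callback does not modify the caller's state. The function body continues outside the hunk.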
@@ -354,8 +456,14 @@ decrypt_tkt_with_subkey (krb5_context context,
/*
* start out with trying with subkey if we have one
*/
- if (subkey) {
- ret = krb5_crypto_init(context, subkey, 0, &crypto);
+ if (state->subkey) {
+ ret = fast_tgs_strengthen_key(context, state->fast_state,
+ state->subkey, &extract_key);
+ if (ret)
+ return ret;
+
+ ret = krb5_crypto_init(context, &extract_key, 0, &crypto);
+ krb5_free_keyblock_contents(context, &extract_key);
if (ret)
return ret;
ret = krb5_decrypt_EncryptedData (context,
@@ -367,7 +475,7 @@ decrypt_tkt_with_subkey (krb5_context context,
* If the is Windows 2000 DC, we need to retry with key usage
* 8 when doing ARCFOUR.
*/
- if (ret && subkey->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
+ if (ret && state->subkey->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
ret = krb5_decrypt_EncryptedData(context,
crypto,
8,
@@ -376,7 +484,11 @@ decrypt_tkt_with_subkey (krb5_context context,
}
krb5_crypto_destroy(context, crypto);
}
- if (subkey == NULL || ret) {
+ if (state->subkey == NULL || ret) {
+ ret = fast_tgs_strengthen_key(context, state->fast_state, key, &extract_key);
+ if (ret)
+ return ret;
+
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
return ret;
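Review bot: In this fallback branch the key produced by fast_tgs_strengthen_key is written to `extract_key`, but krb5_crypto_init is still called with `key`, so the strengthened key is never used for decryption and `extract_key` is not released on the `return ret` that follows. The subkey branch earlier in the function initializes the crypto context from `&extract_key` and frees it straight away; this branch should match: `ret = krb5_crypto_init(context, &extract_key, 0, &crypto);` followed by `krb5_free_keyblock_contents(context, &extract_key);`. The rest of the function lies outside the hunk, so a later free may exist for the success path, but the early return visibly skips it.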
@@ -409,19 +521,21 @@ decrypt_tkt_with_subkey (krb5_context context,
static krb5_error_code
get_cred_kdc(krb5_context context,
krb5_ccache id,
+ struct krb5_fast_state *fast_state,
krb5_kdc_flags flags,
krb5_addresses *addresses,
krb5_creds *in_creds,
krb5_creds *krbtgt,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds *out_creds)
{
TGS_REQ req;
krb5_data enc;
krb5_data resp;
- krb5_kdc_rep rep = {0};
- KRB_ERROR error;
+ krb5_kdc_rep rep;
krb5_error_code ret;
unsigned nonce;
krb5_keyblock *subkey = NULL;
@@ -429,6 +543,7 @@ get_cred_kdc(krb5_context context,
Ticket second_ticket_data;
METHOD_DATA padata;
+ memset(&rep, 0, sizeof(rep));
krb5_data_zero(&resp);
krb5_data_zero(&enc);
padata.val = NULL;
@@ -500,6 +615,7 @@ get_cred_kdc(krb5_context context,
ret = init_tgs_req (context,
id,
+ fast_state,
addresses,
flags,
second_ticket,
@@ -532,6 +648,11 @@ get_cred_kdc(krb5_context context,
return ret;
krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
+ if (kdc_hostname)
+ krb5_sendto_set_hostname(context, stctx, kdc_hostname);
+ if (sitename)
+ krb5_sendto_set_sitename(context, stctx, sitename);
+
ret = krb5_sendto_context (context, stctx, &enc,
krbtgt->server->name.name_string.val[1],
&resp);
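Review bot: The return values of krb5_sendto_set_hostname and krb5_sendto_set_sitename are discarded, so if either call fails (they presumably copy the string) the request goes out through ordinary KDC discovery instead of to the host recorded for this cache, and no error is reported. Check both, e.g. `ret = krb5_sendto_set_hostname(context, stctx, kdc_hostname);`, and fail the request, releasing `stctx`, when `ret` is non-zero. get_cred_kdc begins and ends outside this hunk.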
@@ -541,18 +662,33 @@ get_cred_kdc(krb5_context context,
goto out;
if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0) {
+ struct krb5_decrypt_tkt_with_subkey_state state;
unsigned eflags = 0;
+ krb5_data data;
+ size_t size;
+
+ ASN1_MALLOC_ENCODE(Ticket, data.data, data.length,
+ &rep.kdc_rep.ticket, &size, ret);
+ if (ret)
+ goto out;
+ heim_assert(data.length == size, "ASN.1 internal error");
+
+ ret = _krb5_fast_unwrap_kdc_rep(context, nonce, &data,
+ fast_state, &rep.kdc_rep);
+ krb5_data_free(&data);
+ if (ret)
+ goto out;
ret = krb5_copy_principal(context,
in_creds->client,
&out_creds->client);
if(ret)
- goto out2;
+ goto out;
ret = krb5_copy_principal(context,
in_creds->server,
&out_creds->server);
if(ret)
- goto out2;
+ goto out;
/* this should go someplace else */
out_creds->times.endtime = in_creds->times.endtime;
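Review bot: `fast_state` is passed to _krb5_fast_unwrap_kdc_rep without a NULL check, while init_tgs_req and fast_tgs_strengthen_key in this same commit both treat a NULL state as "FAST not in use". Whether the unwrap helper accepts NULL is not visible here, so either guard the call or document on get_cred_kdc that `fast_state` must be non-NULL, e.g. `/* fast_state may be NULL; the _krb5_fast_unwrap_* helpers must tolerate that */` once confirmed. The same applies to the _krb5_fast_unwrap_error call in the KRB-ERROR branch further down. The function starts and ends outside this hunk.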
@@ -562,6 +698,9 @@ get_cred_kdc(krb5_context context,
if (flags.b.request_anonymous)
eflags |= EXTRACT_TICKET_MATCH_ANON;
+ state.subkey = subkey;
+ state.fast_state = fast_state;
+
ret = _krb5_extract_ticket(context,
&rep,
out_creds,
@@ -573,12 +712,36 @@ get_cred_kdc(krb5_context context,
eflags,
NULL,
decrypt_tkt_with_subkey,
- subkey);
- out2:
- krb5_free_kdc_rep(context, &rep);
- } else if(krb5_rd_error(context, &resp, &error) == 0) {
- ret = krb5_error_from_rd_error(context, &error, in_creds);
- krb5_free_error_contents(context, &error);
+ &state);
+ } else if(krb5_rd_error(context, &resp, &rep.error) == 0) {
+ METHOD_DATA md;
+
+ memset(&md, 0, sizeof(md));
+
+ if (rep.error.e_data) {
+ ret = decode_METHOD_DATA(rep.error.e_data->data,
+ rep.error.e_data->length,
+ &md, NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode METHOD-DATA", ""));
+ goto out;
+ }
+ }
+
+ ret = _krb5_fast_unwrap_error(context, nonce, fast_state, &md, &rep.error);
+ free_METHOD_DATA(&md);
+ if (ret)
+ goto out;
+
+ ret = krb5_error_from_rd_error(context, &rep.error, in_creds);
+
+ /* log the failure */
+ if (_krb5_have_debug(context, 5)) {
+ const char *str = krb5_get_error_message(context, ret);
+ _krb5_debug(context, 5, "parse_tgs_rep: KRB-ERROR %d/%s", ret, str);
+ krb5_free_error_message(context, str);
+ }
} else if(resp.length > 0 && ((char*)resp.data)[0] == 4) {
ret = KRB5KRB_AP_ERR_V4_REPLY;
krb5_clear_error_message(context);
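Review bot: A KRB-ERROR whose e_data does not parse as METHOD-DATA now ends in `goto out` with the decoder's error, so the caller never sees the error code the KDC actually sent. e_data is not METHOD-DATA for every error type, and before this change such replies still went through krb5_error_from_rd_error. Consider treating a decode failure as an empty `md` and continuing, and confirm that krb5_free_kdc_rep at `out:` releases `rep.error` now that the explicit krb5_free_error_contents call is gone. The debug text says `parse_tgs_rep`, which is not the name of the function it is logged from.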
@@ -588,6 +751,7 @@ get_cred_kdc(krb5_context context,
}
out:
+ krb5_free_kdc_rep(context, &rep);
if (second_ticket == &second_ticket_data)
free_Ticket(&second_ticket_data);
free_METHOD_DATA(&padata);
@@ -607,12 +771,15 @@ out:
static krb5_error_code
get_cred_kdc_address(krb5_context context,
krb5_ccache id,
+ struct krb5_fast_state *fast_state,
krb5_kdc_flags flags,
krb5_addresses *addrs,
krb5_creds *in_creds,
krb5_creds *krbtgt,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds *out_creds)
{
krb5_error_code ret;
@@ -630,16 +797,18 @@ get_cred_kdc_address(krb5_context context,
"no-addresses", FALSE, &noaddr);
if (!noaddr) {
- krb5_get_all_client_addrs(context, &addresses);
+ ret = krb5_get_all_client_addrs(context, &addresses);
+ if (ret)
+ return ret;
/* XXX this sucks. */
addrs = &addresses;
if(addresses.len == 0)
addrs = NULL;
}
}
- ret = get_cred_kdc(context, id, flags, addrs, in_creds,
- krbtgt, impersonate_principal,
- second_ticket, out_creds);
+ ret = get_cred_kdc(context, id, fast_state, flags, addrs,
+ in_creds, krbtgt, impersonate_principal,
+ second_ticket, kdc_hostname, sitename, out_creds);
krb5_free_addresses(context, &addresses);
return ret;
}
@@ -656,6 +825,9 @@ krb5_get_kdc_cred(krb5_context context,
{
krb5_error_code ret;
krb5_creds *krbtgt;
+ struct krb5_fast_state fast_state;
+
+ memset(&fast_state, 0, sizeof(fast_state));
*out_creds = calloc(1, sizeof(**out_creds));
if(*out_creds == NULL)
@@ -669,9 +841,11 @@ krb5_get_kdc_cred(krb5_context context,
*out_creds = NULL;
return ret;
}
- ret = get_cred_kdc(context, id, flags, addresses,
- in_creds, krbtgt, NULL, NULL, *out_creds);
+ ret = get_cred_kdc(context, id, &fast_state, flags,
+ addresses, in_creds, krbtgt,
+ NULL, NULL, NULL, NULL, *out_creds);
krb5_free_creds (context, krbtgt);
+ _krb5_fast_free(context, &fast_state);
if(ret) {
free(*out_creds);
*out_creds = NULL;
@@ -683,16 +857,17 @@ static int
not_found(krb5_context context, krb5_const_principal p, krb5_error_code code)
{
krb5_error_code ret;
- const char *err;
char *str;
+ const char *err;
- err = krb5_get_error_message(context, code);
ret = krb5_unparse_name(context, p, &str);
if(ret) {
krb5_clear_error_message(context);
return code;
}
+ err = krb5_get_error_message(context, code);
krb5_set_error_message(context, code, N_("%s (%s)", ""), err, str);
+ krb5_free_error_message(context, err);
free(str);
return code;
}
@@ -748,10 +923,13 @@ static krb5_error_code
get_cred_kdc_capath_worker(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
+ struct krb5_fast_state *fast_state,
krb5_creds *in_creds,
krb5_const_realm try_realm,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
@@ -798,11 +976,14 @@ get_cred_kdc_capath_worker(krb5_context context,
ok_as_delegate = tgts.flags.b.ok_as_delegate;
}
- ret = get_cred_kdc_address(context, ccache, flags, NULL,
- in_creds, &tgts,
- impersonate_principal,
- second_ticket,
- *out_creds);
+ ret = get_cred_kdc_address(context, ccache, fast_state,
+ flags, NULL,
+ in_creds, &tgts,
+ impersonate_principal,
+ second_ticket,
+ kdc_hostname,
+ sitename,
+ *out_creds);
krb5_free_cred_contents(context, &tgts);
if (ret == 0 &&
!krb5_principal_compare(context, in_creds->server,
@@ -834,8 +1015,10 @@ get_cred_kdc_capath_worker(krb5_context context,
while (1) {
heim_general_string tgt_inst;
- ret = get_cred_kdc_capath(context, flags, ccache, &tmp_creds,
- NULL, NULL, &tgt, ret_tgts);
+ ret = get_cred_kdc_capath(context, flags, ccache, fast_state,
+ &tmp_creds, NULL, NULL,
+ kdc_hostname, sitename,
+ &tgt, ret_tgts);
if (ret)
goto out;
@@ -866,9 +1049,9 @@ get_cred_kdc_capath_worker(krb5_context context,
goto out;
}
- ret = get_cred_kdc_address(context, ccache, flags, NULL,
+ ret = get_cred_kdc_address(context, ccache, fast_state, flags, NULL,
in_creds, tgt, impersonate_principal,
- second_ticket, *out_creds);
+ second_ticket, kdc_hostname, sitename, *out_creds);
if (ret == 0 &&
!krb5_principal_compare(context, in_creds->server,
(*out_creds)->server)) {
@@ -911,9 +1094,12 @@ static krb5_error_code
get_cred_kdc_capath(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
+ struct krb5_fast_state *fast_state,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
@@ -924,24 +1110,32 @@ get_cred_kdc_capath(krb5_context context,
server_realm = krb5_principal_get_realm(context, in_creds->server);
try_realm = client_realm;
- ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds, try_realm,
- impersonate_principal, second_ticket, out_creds,
- ret_tgts);
+ ret = get_cred_kdc_capath_worker(context, flags, ccache, fast_state,
+ in_creds, try_realm, impersonate_principal,
+ second_ticket, kdc_hostname, sitename,
+ out_creds, ret_tgts);
if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
try_realm = krb5_config_get_string(context, NULL, "capaths",
client_realm, server_realm, NULL);
- if (try_realm != NULL && strcmp(try_realm, client_realm)) {
- ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds,
- try_realm, impersonate_principal,
- second_ticket, out_creds, ret_tgts);
+ if (try_realm != NULL && strcmp(try_realm, client_realm) != 0) {
+ ret = get_cred_kdc_capath_worker(context, flags, ccache, fast_state,
+ in_creds, try_realm, impersonate_principal,
+ second_ticket, kdc_hostname, sitename,
+ out_creds, ret_tgts);
}
}
return ret;
}
+static krb5_boolean skip_referrals(krb5_principal server,
+ krb5_kdc_flags *flags)
+{
+ return server->name.name_string.len < 2 && !flags->b.canonicalize;
+}
+
/*
* Get a service ticket from a KDC by chasing referrals from a start realm.
*
@@ -953,9 +1147,12 @@ static krb5_error_code
get_cred_kdc_referral(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
+ struct krb5_fast_state *fast_state,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds **out_creds)
{
krb5_realm start_realm = NULL;
@@ -965,9 +1162,10 @@ get_cred_kdc_referral(krb5_context context,
krb5_creds **referral_tgts = NULL; /* used for loop detection */
int loop = 0;
int ok_as_delegate = 1;
+ int want_tgt;
size_t i;
- if (in_creds->server->name.name_string.len < 2 && !flags.b.canonicalize) {
+ if (skip_referrals(in_creds->server, &flags)) {
krb5_set_error_message(context, KRB5KDC_ERR_PATH_NOT_ACCEPTED,
N_("Name too short to do referals, skipping", ""));
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
@@ -1013,14 +1211,34 @@ get_cred_kdc_referral(krb5_context context,
}
}
+ /*
+ * If the desired service principal service/host@REALM is not a TGT, start
+ * by asking for a ticket for service/host@START_REALM and process referrals
+ * from there.
+ *
+ * However, when we ask for a TGT, krbtgt/A@B, we're actually looking for a
+ * path to realm B, so that we can explicitly obtain a ticket for krbtgt/A
+ * from B, and not some other realm. Therefore, in this case our starting
+ * point will be krbtgt/B@START_REALM. Only once we obtain a ticket for
+ * krbtgt/B@some-transit, do we switch to requesting krbtgt/A@B on our
+ * final request.
+ */
referral = *in_creds;
- ret = krb5_copy_principal(context, in_creds->server, &referral.server);
+ want_tgt = in_creds->server->realm[0] != '\0' &&
+ krb5_principal_is_krbtgt(context, in_creds->server);
+ if (!want_tgt)
+ ret = krb5_copy_principal(context, in_creds->server, &referral.server);
+ else
+ ret = krb5_make_principal(context, &referral.server, start_realm,
+ KRB5_TGS_NAME, in_creds->server->realm, NULL);
+
if (ret) {
krb5_free_cred_contents(context, &tgt);
free(start_realm);
return ret;
}
- ret = krb5_principal_set_realm(context, referral.server, start_realm);
+ if (!want_tgt)
+ ret = krb5_principal_set_realm(context, referral.server, start_realm);
free(start_realm);
start_realm = NULL;
if (ret) {
@@ -1035,7 +1253,7 @@ get_cred_kdc_referral(krb5_context context,
char *referral_realm;
/* Use cache if we are not doing impersonation or contrained deleg */
- if (impersonate_principal == NULL || flags.b.cname_in_addl_tkt) {
+ if (impersonate_principal == NULL && !flags.b.cname_in_addl_tkt) {
krb5_cc_clear_mcred(&mcreds);
mcreds.server = referral.server;
krb5_timeofday(context, &mcreds.times.endtime);
@@ -1045,17 +1263,32 @@ get_cred_kdc_referral(krb5_context context,
ret = EINVAL;
if (ret) {
- ret = get_cred_kdc_address(context, ccache, flags, NULL,
+ ret = get_cred_kdc_address(context, ccache, fast_state, flags, NULL,
&referral, &tgt, impersonate_principal,
- second_ticket, &ticket);
+ second_ticket, kdc_hostname, sitename, &ticket);
if (ret)
goto out;
}
- /* Did we get the right ticket ? */
- if (krb5_principal_compare_any_realm(context,
- referral.server,
- ticket.server))
+ /*
+ * Did we get the right ticket?
+ *
+ * If we weren't asking for a TGT, then we don't mind if we took a realm
+ * change (referral.server has a referral realm, not necessarily the
+ * original).
+ *
+ * However, if we were looking for a TGT (which wouldn't be the start
+ * TGT, since that one must be in the ccache) then we actually want the
+ * one from the realm we wanted, since otherwise a _referral_ will
+ * confuse us and we will store that referral. In Heimdal we mostly
+ * never ask krb5_get_cred*() for TGTs, but some sites have code to ask
+ * for a ktbgt/REMOTE.REALM@REMOTE.REALM, and one could always use
+ * kgetcred(1) to get here asking for a krbtgt/C@D and we need to handle
+ * the case where last hop we get is krbtgt/C@B (in which case we must
+ * stop so we don't beat up on B for the remaining tries).
+ */
+ if (!want_tgt &&
+ krb5_principal_compare(context, referral.server, ticket.server))
break;
if (!krb5_principal_is_krbtgt(context, ticket.server)) {
@@ -1107,9 +1340,21 @@ get_cred_kdc_referral(krb5_context context,
goto out;
/* try realm in the referral */
- ret = krb5_principal_set_realm(context,
- referral.server,
- referral_realm);
+ if (!want_tgt || strcmp(referral_realm, in_creds->server->realm) != 0)
+ ret = krb5_principal_set_realm(context,
+ referral.server,
+ referral_realm);
+ else {
+ /*
+ * Now that we have a ticket for the desired realm, we reset
+ * want_tgt and reinstate the desired principal so that the we can
+ * match it and break out of the loop.
+ */
+ want_tgt = 0;
+ krb5_free_principal(context, referral.server);
+ referral.server = NULL;
+ ret = krb5_copy_principal(context, in_creds->server, &referral.server);
+ }
krb5_free_cred_contents(context, &tgt);
tgt = ticket;
memset(&ticket, 0, sizeof(ticket));
@@ -1139,14 +1384,43 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_cred_kdc_any(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
+ struct krb5_fast_state *fast_state,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
+ char *kdc_hostname = NULL;
+ char *sitename = NULL;
krb5_error_code ret;
krb5_deltat offset;
+ krb5_data data;
+
+ krb5_data_zero(&data);
+
+ /*
+ * If we are using LKDC, lets pull out the addreses from the
+ * ticket and use that.
+ */
+
+ ret = krb5_cc_get_config(context, ccache, NULL, "lkdc-hostname", &data);
+ if (ret == 0) {
+ if ((kdc_hostname = strndup(data.data, data.length)) == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ krb5_data_free(&data);
+ }
+
+ ret = krb5_cc_get_config(context, ccache, NULL, "sitename", &data);
+ if (ret == 0) {
+ if ((sitename = strndup(data.data, data.length)) == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ krb5_data_free(&data);
+ }
ret = krb5_cc_get_kdc_offset(context, ccache, &offset);
if (ret == 0) {
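Review bot: The comment says the addresses are pulled out of the ticket, but the code reads the `lkdc-hostname` and `sitename` configuration entries from the credential cache and uses them to decide where the TGS request is sent. Reword it, e.g. `/* Use the KDC hostname and site name recorded in the ccache config, if any */`, and mention that the stored values are trusted as they are. A failed krb5_cc_get_config is deliberately ignored here; a one-line comment saying so would stop a reader from taking the discarded `ret` for a bug. The function continues outside this hunk.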
@@ -1161,24 +1435,36 @@ _krb5_get_cred_kdc_any(krb5_context context,
*/
ret = get_cred_kdc_capath(context,
flags,
- ccache,
- in_creds,
- impersonate_principal,
- second_ticket,
- out_creds,
- ret_tgts);
- if (ret == 0)
- return ret;
+ ccache,
+ fast_state,
+ in_creds,
+ impersonate_principal,
+ second_ticket,
+ kdc_hostname,
+ sitename,
+ out_creds,
+ ret_tgts);
+ if (ret == 0 || skip_referrals(in_creds->server, &flags))
+ goto out;
}
/* Otherwise try referrals */
- return get_cred_kdc_referral(context,
- flags,
- ccache,
- in_creds,
- impersonate_principal,
- second_ticket,
- out_creds);
+ ret = get_cred_kdc_referral(context,
+ flags,
+ ccache,
+ fast_state,
+ in_creds,
+ impersonate_principal,
+ second_ticket,
+ kdc_hostname,
+ sitename,
+ out_creds);
+
+out:
+ krb5_data_free(&data);
+ free(kdc_hostname);
+ free(sitename);
+ return ret;
}
static krb5_error_code
@@ -1224,6 +1510,33 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
if (options & KRB5_GC_ANONYMOUS)
krb5_free_principal(context, mcreds.client);
+ if (ret == 0 && out_creds->server->realm &&
+ out_creds->server->realm[0] == '\0') {
+ Ticket ticket;
+
+ /*
+ * We only write tickets to the ccache that have been validated, as in,
+ * the sname/srealm from the KDC-REP enc-part have been checked to
+ * match the sname/realm from the Ticket from the KDC-REP.
+ *
+ * Our caller needs the canonical realm of the service in order to be
+ * able to get forwarded credentials for it when destination-TGT
+ * forwarding is enabled.
+ *
+ * As well, gss_init_sec_context() ought to arrange for
+ * gss_inquire_context() to output the canonical acceptor name on the
+ * initiator side.
+ */
+ ret = decode_Ticket(out_creds->ticket.data, out_creds->ticket.length,
+ &ticket, NULL);
+ if (ret == 0) {
+ ret = krb5_principal_set_realm(context, out_creds->server,
+ ticket.realm);
+ free_Ticket(&ticket);
+ } else {
+ krb5_free_cred_contents(context, out_creds);
+ }
+ }
return ret;
}
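Review bot: The two failure paths of the new realm fix-up leave `out_creds` in different states: a decode_Ticket failure frees its contents, but a krb5_principal_set_realm failure returns the error with the credential still populated. Make them agree by dropping the `else` and adding `if (ret) krb5_free_cred_contents(context, out_creds);` after the block, or note in a comment that the caller frees `out_creds` on every error. check_cc begins outside this hunk, so what the caller does with a populated `out_creds` on error is not visible here.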
@@ -1231,7 +1544,10 @@ static void
store_cred(krb5_context context, krb5_ccache ccache,
krb5_const_principal server_princ, krb5_creds *creds)
{
- if (!krb5_principal_compare(context, creds->server, server_princ)) {
+ if (context->no_ticket_store)
+ return;
+ if (!krb5_principal_compare(context, creds->server, server_princ) &&
+ !krb5_principal_is_krbtgt(context, server_princ)) {
krb5_principal tmp_princ = creds->server;
/*
* Store the cred with the pre-canon server princ first so it
@@ -1254,6 +1570,7 @@ krb5_get_credentials_with_flags(krb5_context context,
krb5_creds *in_creds,
krb5_creds **out_creds)
{
+ struct krb5_fast_state fast_state;
krb5_error_code ret;
krb5_name_canon_iterator name_canon_iter = NULL;
krb5_name_canon_rule_options rule_opts;
@@ -1263,6 +1580,8 @@ krb5_get_credentials_with_flags(krb5_context context,
krb5_creds *res_creds;
int i;
+ memset(&fast_state, 0, sizeof(fast_state));
+
if (_krb5_have_debug(context, 5)) {
char *unparsed;
@@ -1292,7 +1611,7 @@ krb5_get_credentials_with_flags(krb5_context context,
ret = krb5_name_canon_iterator_start(context, in_creds->server,
&name_canon_iter);
if (ret)
- return ret;
+ goto out;
next_rule:
krb5_free_cred_contents(context, res_creds);
@@ -1328,7 +1647,7 @@ next_rule:
options |= KRB5_GC_NO_STORE;
tgts = NULL;
- ret = _krb5_get_cred_kdc_any(context, flags, ccache,
+ ret = _krb5_get_cred_kdc_any(context, flags, ccache, &fast_state,
in_creds, NULL, NULL, out_creds, &tgts);
for (i = 0; tgts && tgts[i]; i++) {
if ((options & KRB5_GC_NO_STORE) == 0)
@@ -1363,6 +1682,7 @@ out:
in_creds->server = save_princ;
krb5_free_creds(context, res_creds);
krb5_free_name_canon_iterator(context, name_canon_iter);
+ _krb5_fast_free(context, &fast_state);
if (ret)
return not_found(context, in_creds->server, ret);
return 0;
@@ -1481,6 +1801,7 @@ krb5_get_creds(krb5_context context,
krb5_const_principal inprinc,
krb5_creds **out_creds)
{
+ struct krb5_fast_state fast_state;
krb5_kdc_flags flags;
krb5_flags options;
krb5_creds in_creds;
@@ -1494,6 +1815,7 @@ krb5_get_creds(krb5_context context,
int type;
const char *comp;
+ memset(&fast_state, 0, sizeof(fast_state));
memset(&in_creds, 0, sizeof(in_creds));
in_creds.server = rk_UNCONST(inprinc);
@@ -1559,13 +1881,15 @@ next_rule:
goto out;
}
- ret = check_cc(context, options, ccache, &in_creds, res_creds);
- if (ret == 0) {
- *out_creds = res_creds;
- res_creds = NULL;
- goto out;
- } else if (ret != KRB5_CC_END) {
- goto out;
+ if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
+ ret = check_cc(context, options, ccache, &in_creds, res_creds);
+ if (ret == 0) {
+ *out_creds = res_creds;
+ res_creds = NULL;
+ goto out;
+ } else if (ret != KRB5_CC_END) {
+ goto out;
+ }
}
if (options & KRB5_GC_CACHED)
goto next_rule;
@@ -1593,7 +1917,7 @@ next_rule:
flags.b.request_anonymous = 1;
tgts = NULL;
- ret = _krb5_get_cred_kdc_any(context, flags, ccache,
+ ret = _krb5_get_cred_kdc_any(context, flags, ccache, &fast_state,
&in_creds, opt ? opt->self : 0,
opt ? opt->ticket : 0, out_creds,
&tgts);
@@ -1627,6 +1951,7 @@ next_rule:
}
out:
+ _krb5_fast_free(context, &fast_state);
krb5_free_creds(context, res_creds);
krb5_free_principal(context, in_creds.client);
krb5_free_name_canon_iterator(context, name_canon_iter);
diff --git a/lib/krb5/get_default_principal.c b/lib/krb5/get_default_principal.c
index e102e5a1fad8..35480740f6fc 100644
--- a/lib/krb5/get_default_principal.c
+++ b/lib/krb5/get_default_principal.c
@@ -37,112 +37,42 @@
* Try to find out what's a reasonable default principal.
*/
-static const char*
-get_env_user(void)
-{
- const char *user = getenv("USER");
- if(user == NULL)
- user = getenv("LOGNAME");
- if(user == NULL)
- user = getenv("USERNAME");
- return user;
-}
-
-#ifndef _WIN32
-
-/*
- * Will only use operating-system dependant operation to get the
- * default principal, for use of functions that in ccache layer to
- * avoid recursive calls.
- */
-
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_default_principal_local (krb5_context context,
krb5_principal *princ)
{
- krb5_error_code ret;
- const char *user;
- uid_t uid;
+ const char *user = NULL;
+ const char *second_component = NULL;
+ char userbuf[128];
*princ = NULL;
- uid = getuid();
- if(uid == 0) {
- user = getlogin();
- if(user == NULL)
- user = get_env_user();
- if(user != NULL && strcmp(user, "root") != 0)
- ret = krb5_make_principal(context, princ, NULL, user, "root", NULL);
- else
- ret = krb5_make_principal(context, princ, NULL, "root", NULL);
- } else {
- struct passwd *pw = getpwuid(uid);
- if(pw != NULL)
- user = pw->pw_name;
- else {
- user = get_env_user();
- if(user == NULL)
- user = getlogin();
- }
- if(user == NULL) {
- krb5_set_error_message(context, ENOTTY,
- N_("unable to figure out current "
- "principal", ""));
- return ENOTTY; /* XXX */
- }
- ret = krb5_make_principal(context, princ, NULL, user, NULL);
- }
- return ret;
-}
-
-#else /* _WIN32 */
-
-#define SECURITY_WIN32
-#include <security.h>
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_default_principal_local(krb5_context context,
- krb5_principal *princ)
-{
- /* See if we can get the principal first. We only expect this to
- work if logged into a domain. */
- {
- char username[1024];
- ULONG sz = sizeof(username);
-
- if (GetUserNameEx(NameUserPrincipal, username, &sz)) {
- return krb5_parse_name_flags(context, username,
- KRB5_PRINCIPAL_PARSE_ENTERPRISE,
- princ);
- }
- }
-
- /* Just get the Windows username. This should pretty much always
- work. */
- {
- char username[1024];
- DWORD dsz = sizeof(username);
-
- if (GetUserName(username, &dsz)) {
- return krb5_make_principal(context, princ, NULL, username, NULL);
- }
- }
-
- /* Failing that, we look at the environment */
- {
- const char * username = get_env_user();
-
- if (username == NULL) {
- krb5_set_error_string(context,
- "unable to figure out current principal");
- return ENOTTY; /* Really? */
- }
-
- return krb5_make_principal(context, princ, NULL, username, NULL);
+ /*
+ * NOTE: We prefer getlogin_r() (via roken_get_loginname()) to using $USER,
+ * $LOGNAME, or getpwuid_r() (via roken_get_username()), in that
+ * order, otherwise we won't figure out to output
+ * <username>/root@DEFAULT_REALM.
+ */
+#ifndef WIN32
+ if (geteuid() == 0)
+ user = roken_get_loginname(userbuf, sizeof(userbuf));
+#endif
+ if (user == NULL)
+ user = roken_get_username(userbuf, sizeof(userbuf));
+ if (user == NULL) {
+ krb5_set_error_message(context, ENOTTY,
+ N_("unable to figure out current principal",
+ ""));
+ return ENOTTY; /* XXX */
}
-}
+#ifndef WIN32
+ if (!issuid() && getuid() == 0 && strcmp(user, "root") != 0)
+ second_component = "root"; /* We'll use <user>/root */
#endif
+ return krb5_make_principal(context, princ, NULL, user,
+ second_component, NULL);
+}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_principal (krb5_context context,
diff --git a/lib/krb5/get_for_creds.c b/lib/krb5/get_for_creds.c
index 43265d827fe5..3a6be1090062 100644
--- a/lib/krb5/get_for_creds.c
+++ b/lib/krb5/get_for_creds.c
@@ -33,6 +33,14 @@
#include "krb5_locl.h"
+static krb5_error_code set_tgs_creds(krb5_context, krb5_ccache,
+ krb5_const_principal,
+ krb5_const_principal, krb5_creds *);
+static krb5_error_code get_cred(krb5_context, krb5_ccache, krb5_creds *,
+ krb5_flags, const char *, krb5_creds **);
+static krb5_error_code get_addresses(krb5_context, krb5_ccache, krb5_creds *,
+ const char *, krb5_addresses *);
+
static krb5_error_code
add_addrs(krb5_context context,
krb5_addresses *addr,
@@ -81,10 +89,16 @@ fail:
}
/**
- * Forward credentials for client to host hostname , making them
+ * Forward credentials for client to host hostname, making them
* forwardable if forwardable, and returning the blob of data to sent
* in out_data. If hostname == NULL, pick it from server.
*
+ * If the server's realm is configured for delegation of destination
+ * TGTs, forward a TGT for the server realm, rather than the client
+ * realm. This works better with destinations on the far side of a
+ * firewall. We also forward the destination TGT when the client
+ * TGT is not available (we may have just the destination TGT).
+ *
* @param context A kerberos 5 context.
* @param auth_context the auth context with the key to encrypt the out_data.
* @param hostname the host to forward the tickets too.
@@ -100,19 +114,18 @@ fail:
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_fwd_tgt_creds (krb5_context context,
- krb5_auth_context auth_context,
- const char *hostname,
- krb5_principal client,
- krb5_principal server,
- krb5_ccache ccache,
- int forwardable,
- krb5_data *out_data)
+krb5_fwd_tgt_creds(krb5_context context,
+ krb5_auth_context auth_context,
+ const char *hostname,
+ krb5_const_principal client,
+ krb5_const_principal server,
+ krb5_ccache ccache,
+ int forwardable,
+ krb5_data *out_data)
{
krb5_flags flags = 0;
krb5_creds creds;
krb5_error_code ret;
- krb5_const_realm client_realm;
flags |= KDC_OPT_FORWARDED;
@@ -131,17 +144,11 @@ krb5_fwd_tgt_creds (krb5_context context,
hostname = host;
}
- client_realm = krb5_principal_get_realm(context, client);
-
- memset (&creds, 0, sizeof(creds));
- creds.client = client;
-
- ret = krb5_make_principal(context,
- &creds.server,
- client_realm,
- KRB5_TGS_NAME,
- client_realm,
- NULL);
+ /*
+ * Fill-in the request creds, the server principal will be the TGS
+ * of either the client's or the server's realm.
+ */
+ ret = set_tgs_creds(context, ccache, client, server, &creds);
if (ret)
return ret;
@@ -152,6 +159,8 @@ krb5_fwd_tgt_creds (krb5_context context,
hostname,
&creds,
out_data);
+
+ krb5_free_cred_contents(context, &creds);
return ret;
}
@@ -192,273 +201,167 @@ krb5_get_forwarded_creds (krb5_context context,
krb5_data *out_data)
{
krb5_error_code ret;
- krb5_creds *out_creds;
- krb5_addresses addrs, *paddrs;
- KRB_CRED cred;
- KrbCredInfo *krb_cred_info;
- EncKrbCredPart enc_krb_cred_part;
- size_t len;
- unsigned char *buf;
- size_t buf_size;
- krb5_kdc_flags kdc_flags;
- krb5_crypto crypto;
- struct addrinfo *ai;
- krb5_creds *ticket;
+ krb5_creds *creds;
- paddrs = NULL;
- addrs.len = 0;
- addrs.val = NULL;
-
- ret = krb5_get_credentials(context, 0, ccache, in_creds, &ticket);
- if(ret == 0) {
- if (ticket->addresses.len)
- paddrs = &addrs;
- krb5_free_creds (context, ticket);
- } else {
- krb5_boolean noaddr;
- krb5_appdefault_boolean(context, NULL,
- krb5_principal_get_realm(context,
- in_creds->client),
- "no-addresses", KRB5_ADDRESSLESS_DEFAULT,
- &noaddr);
- if (!noaddr)
- paddrs = &addrs;
- }
-
- /*
- * If tickets have addresses, get the address of the remote host.
- */
-
- if (paddrs != NULL) {
+ /* Obtain the requested TGT */
+ ret = get_cred(context, ccache, in_creds, flags, hostname, &creds);
+ if (ret)
+ return ret;
- ret = getaddrinfo (hostname, NULL, NULL, &ai);
- if (ret) {
- krb5_error_code ret2 = krb5_eai_to_heim_errno(ret, errno);
- krb5_set_error_message(context, ret2,
- N_("resolving host %s failed: %s",
- "hostname, error"),
- hostname, gai_strerror(ret));
- return ret2;
- }
+ /* Forward obtained creds */
+ ret = _krb5_mk_1cred(context, auth_context, creds, out_data, NULL);
+ krb5_free_creds(context, creds);
+ return ret;
+}
- ret = add_addrs (context, &addrs, ai);
- freeaddrinfo (ai);
- if (ret)
- return ret;
- }
+/*
+ * Get a TGT for forwarding to hostname. If the client TGT is
+ * addressless, the forwarded ticket will also be addressless.
+ *
+ * If the TGT has any addresses, hostname will be used to determine
+ * the address to forward the ticket to. Thus, since this might use DNS,
+ * it's insecure and also may not capture all the addresses of the host.
+ * In general addressless tickets are more robust, be it at a small
+ * security penalty.
+ *
+ * @param context A kerberos 5 context.
+ * @param ccache The credential cache to use
+ * @param creds Creds with client and server principals
+ * @param flags The flags to control the resulting ticket flags
+ * @param hostname The hostname of server
+ * @param out_creds The resulting credential
+ *
+ * @return Return an error code or 0.
+ */
- kdc_flags.b = int2KDCOptions(flags);
+static krb5_error_code
+get_cred(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ krb5_flags flags,
+ const char *hostname,
+ krb5_creds **out_creds)
+{
+ krb5_error_code ret;
+ krb5_kdc_flags kdc_flags;
+ krb5_addresses addrs;
- ret = krb5_get_kdc_cred (context,
- ccache,
- kdc_flags,
- paddrs,
- NULL,
- in_creds,
- &out_creds);
- krb5_free_addresses (context, &addrs);
+ addrs.len = 0;
+ addrs.val = NULL;
+ ret = get_addresses(context, ccache, creds, hostname, &addrs);
if (ret)
return ret;
- memset (&cred, 0, sizeof(cred));
- cred.pvno = 5;
- cred.msg_type = krb_cred;
- ALLOC_SEQ(&cred.tickets, 1);
- if (cred.tickets.val == NULL) {
- ret = krb5_enomem(context);
- goto out2;
- }
- ret = decode_Ticket(out_creds->ticket.data,
- out_creds->ticket.length,
- cred.tickets.val, &len);
- if (ret)
- goto out3;
+ kdc_flags.b = int2KDCOptions(flags);
+ ret = krb5_get_kdc_cred(context, ccache, kdc_flags, &addrs, NULL,
+ creds, out_creds);
- memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
- ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1);
- if (enc_krb_cred_part.ticket_info.val == NULL) {
- ret = krb5_enomem(context);
- goto out4;
- }
+ krb5_free_addresses(context, &addrs);
+ return ret;
+}
- if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_timestamp sec;
- int32_t usec;
+static krb5_error_code
+set_tgs_creds(krb5_context context,
+ krb5_ccache ccache,
+ krb5_const_principal client,
+ krb5_const_principal server,
+ krb5_creds *creds)
+{
+ krb5_error_code ret;
+ krb5_const_realm client_realm;
+ krb5_const_realm server_realm;
+ krb5_boolean fwd_dest_tgt;
+ krb5_creds *client_tgt;
- krb5_us_timeofday (context, &sec, &usec);
+ client_realm = krb5_principal_get_realm(context, client);
+ server_realm = krb5_principal_get_realm(context, server);
- ALLOC(enc_krb_cred_part.timestamp, 1);
- if (enc_krb_cred_part.timestamp == NULL) {
- ret = krb5_enomem(context);
- goto out4;
- }
- *enc_krb_cred_part.timestamp = sec;
- ALLOC(enc_krb_cred_part.usec, 1);
- if (enc_krb_cred_part.usec == NULL) {
- ret = krb5_enomem(context);
- goto out4;
- }
- *enc_krb_cred_part.usec = usec;
- } else {
- enc_krb_cred_part.timestamp = NULL;
- enc_krb_cred_part.usec = NULL;
+ memset (creds, 0, sizeof(*creds));
+ ret = krb5_copy_principal(context, client, &creds->client);
+ if (ret)
+ return ret;
+ ret = krb5_make_principal(context, &creds->server, client_realm,
+ KRB5_TGS_NAME, client_realm, NULL);
+ if (ret) {
+ krb5_free_principal(context, creds->client);
+ return ret;
}
- if (auth_context->local_address && auth_context->local_port && paddrs) {
-
- ret = krb5_make_addrport (context,
- &enc_krb_cred_part.s_address,
- auth_context->local_address,
- auth_context->local_port);
- if (ret)
- goto out4;
- }
+ /*
+ * Optionally delegate a TGT for the server's realm, rather than
+ * the client's. Do this also when we don't have a client realm TGT.
+ *
+ * XXX: Note, when we have a start-realm, and delegate-destination-tgt
+ * is not set, we must use the start-realm.
+ */
+ krb5_appdefault_boolean(context, NULL, server_realm,
+ "delegate-destination-tgt", FALSE, &fwd_dest_tgt);
- if (auth_context->remote_address) {
- if (auth_context->remote_port) {
- krb5_boolean noaddr;
- krb5_const_realm srealm;
-
- srealm = krb5_principal_get_realm(context, out_creds->server);
- /* Is this correct, and should we use the paddrs == NULL
- trick here as well? Having an address-less ticket may
- indicate that we don't know our own global address, but
- it does not necessary mean that we don't know the
- server's. */
- krb5_appdefault_boolean(context, NULL, srealm, "no-addresses",
- FALSE, &noaddr);
- if (!noaddr) {
- ret = krb5_make_addrport (context,
- &enc_krb_cred_part.r_address,
- auth_context->remote_address,
- auth_context->remote_port);
- if (ret)
- goto out4;
- }
- } else {
- ALLOC(enc_krb_cred_part.r_address, 1);
- if (enc_krb_cred_part.r_address == NULL) {
- ret = krb5_enomem(context);
- goto out4;
- }
-
- ret = krb5_copy_address (context, auth_context->remote_address,
- enc_krb_cred_part.r_address);
- if (ret)
- goto out4;
+ if (!fwd_dest_tgt) {
+ ret = krb5_get_credentials(context, KRB5_GC_CACHED, ccache, creds,
+ &client_tgt);
+ if (ret == 0) {
+ krb5_free_creds(context, client_tgt);
+ return ret;
}
}
- /* fill ticket_info.val[0] */
+ /*
+ * Client TGT inapplicable or unavailable
+ */
+ krb5_free_principal(context, creds->server);
+ creds->server = 0;
+ return krb5_make_principal(context, &creds->server, server_realm,
+ KRB5_TGS_NAME, server_realm, NULL);
+}
- enc_krb_cred_part.ticket_info.len = 1;
+/*
+ * Obtain address list for hostname if server realm policy is not addressless.
+ */
+static krb5_error_code
+get_addresses(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ const char *hostname,
+ krb5_addresses *addrs)
+{
+ krb5_error_code ret;
+ krb5_creds *ticket;
+ krb5_const_realm realm;
+ krb5_boolean noaddr;
+ struct addrinfo *ai;
+ int eai;
- krb_cred_info = enc_krb_cred_part.ticket_info.val;
+ if (hostname == 0)
+ return 0;
- ret = copy_EncryptionKey (&out_creds->session, &krb_cred_info->key);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->prealm, 1);
- ret = copy_Realm (&out_creds->client->realm, krb_cred_info->prealm);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->pname, 1);
- ret = copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->flags, 1);
- *krb_cred_info->flags = out_creds->flags.b;
- ALLOC(krb_cred_info->authtime, 1);
- *krb_cred_info->authtime = out_creds->times.authtime;
- ALLOC(krb_cred_info->starttime, 1);
- *krb_cred_info->starttime = out_creds->times.starttime;
- ALLOC(krb_cred_info->endtime, 1);
- *krb_cred_info->endtime = out_creds->times.endtime;
- ALLOC(krb_cred_info->renew_till, 1);
- *krb_cred_info->renew_till = out_creds->times.renew_till;
- ALLOC(krb_cred_info->srealm, 1);
- ret = copy_Realm (&out_creds->server->realm, krb_cred_info->srealm);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->sname, 1);
- ret = copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->caddr, 1);
- ret = copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr);
- if (ret)
- goto out4;
+ ret = krb5_get_credentials(context, 0, ccache, creds, &ticket);
+ if (ret == 0) {
+ noaddr = (ticket->addresses.len == 0) ? TRUE : FALSE;
+ krb5_free_creds(context, ticket);
+ } else {
+ realm = krb5_principal_get_realm(context, creds->server);
+ krb5_appdefault_boolean(context, NULL, realm, "no-addresses",
+ KRB5_ADDRESSLESS_DEFAULT, &noaddr);
+ }
- krb5_free_creds (context, out_creds);
+ if (noaddr)
+ return 0;
- /* encode EncKrbCredPart */
+ /* Need addresses, get the address of the remote host. */
- ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
- &enc_krb_cred_part, &len, ret);
- free_EncKrbCredPart (&enc_krb_cred_part);
- if (ret) {
- free_KRB_CRED(&cred);
+ eai = getaddrinfo (hostname, NULL, NULL, &ai);
+ if (eai) {
+ ret = krb5_eai_to_heim_errno(eai, errno);
+ krb5_set_error_message(context, ret,
+ N_("resolving host %s failed: %s",
+ "hostname, error"),
+ hostname, gai_strerror(eai));
return ret;
}
- if(buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
-
- /**
- * Some older of the MIT gssapi library used clear-text tickets
- * (warped inside AP-REQ encryption), use the krb5_auth_context
- * flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those
- * tickets. The session key is used otherwise to encrypt the
- * forwarded ticket.
- */
- if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
- cred.enc_part.etype = KRB5_ENCTYPE_NULL;
- cred.enc_part.kvno = NULL;
- cred.enc_part.cipher.data = buf;
- cred.enc_part.cipher.length = buf_size;
- } else {
- /*
- * Here older versions then 0.7.2 of Heimdal used the local or
- * remote subkey. That is wrong, the session key should be
- * used. Heimdal 0.7.2 and newer have code to try both in the
- * receiving end.
- */
-
- ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
- if (ret) {
- free(buf);
- free_KRB_CRED(&cred);
- return ret;
- }
- ret = krb5_encrypt_EncryptedData (context,
- crypto,
- KRB5_KU_KRB_CRED,
- buf,
- len,
- 0,
- &cred.enc_part);
- free(buf);
- krb5_crypto_destroy(context, crypto);
- if (ret) {
- free_KRB_CRED(&cred);
- return ret;
- }
- }
+ ret = add_addrs(context, addrs, ai);
+ freeaddrinfo(ai);
- ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
- free_KRB_CRED (&cred);
- if (ret)
- return ret;
- if(buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- out_data->length = len;
- out_data->data = buf;
- return 0;
- out4:
- free_EncKrbCredPart(&enc_krb_cred_part);
- out3:
- free_KRB_CRED(&cred);
- out2:
- krb5_free_creds (context, out_creds);
return ret;
}
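Review bot: In `set_tgs_creds`, the closing `return krb5_make_principal(...)` for the server-realm TGS leaks `creds->client` when it fails. The earlier failure branch frees the copied client principal, but this one does not, and the caller in `krb5_fwd_tgt_creds` (the `-131,17` hunk) returns on error without calling `krb5_free_cred_contents`. Freeing and clearing the client on that path makes both error exits behave the same and leaves `creds` safe to hand to a cleanup routine later.

```c
    /* … unchanged: client-realm TGS setup and delegate-destination-tgt lookup … */
    krb5_free_principal(context, creds->server);
    creds->server = 0;
    ret = krb5_make_principal(context, &creds->server, server_realm,
                              KRB5_TGS_NAME, server_realm, NULL);
    if (ret) {
        /* Do not leave the copied client principal behind on failure. */
        krb5_free_principal(context, creds->client);
        creds->client = NULL;
    }
    return ret;
```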
diff --git a/lib/krb5/get_host_realm.c b/lib/krb5/get_host_realm.c
index 955d5462d418..7b58fe9a4f56 100644
--- a/lib/krb5/get_host_realm.c
+++ b/lib/krb5/get_host_realm.c
@@ -109,17 +109,17 @@ dns_find_realm(krb5_context context,
const char *domain,
krb5_realm **realms)
{
- static const char *default_labels[] = { "_kerberos", NULL };
+ static const char *const default_labels[] = { "_kerberos", NULL };
char dom[MAXHOSTNAMELEN];
struct rk_dns_reply *r;
- const char **labels;
+ const char *const *labels;
char **config_labels;
int i, ret = 0;
config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
"dns_lookup_realm_labels", NULL);
if(config_labels != NULL)
- labels = (const char **)config_labels;
+ labels = (const char *const *)config_labels;
else
labels = default_labels;
if(*domain == '.')
@@ -185,20 +185,21 @@ _krb5_get_host_realm_int(krb5_context context,
{
const char *p, *q;
const char *port;
+ char *freeme = NULL;
krb5_boolean dns_locate_enable;
krb5_error_code ret = 0;
/* Strip off any trailing ":port" suffix. */
port = strchr(host, ':');
- if (port != NULL) {
- host = strndup(host, port - host);
+ if (port != NULL && port != host && port[1] != '\0') {
+ host = freeme = strndup(host, port - host);
if (host == NULL)
return krb5_enomem(context);
}
dns_locate_enable = krb5_config_get_bool_default(context, NULL, TRUE,
"libdefaults", "dns_lookup_realm", NULL);
- for (p = host; p != NULL; p = strchr (p + 1, '.')) {
+ for (p = host; p != NULL && p[0] != '\0'; p = strchr (p + 1, '.')) {
if (config_find_realm(context, p, realms) == 0) {
if (strcasecmp(*realms[0], "dns_locate") != 0)
break;
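Review bot: The port strip still splits at the first `':'` found by `strchr`, so an IPv6 literal such as `2001:db8::1` (constructed example) passes both new guards and is truncated to `2001` before the realm lookup. A host with a trailing colon is now left unstripped, so the colon reaches `config_find_realm` and presumably the suffix fallback later in the function. If callers only ever pass DNS names this is harmless, but the assumption should be written down next to the split, e.g. `/* host must be a DNS name, optionally followed by ":port"; address literals are not supported here */`. `_krb5_get_host_realm_int` starts and ends outside this hunk.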
@@ -219,11 +220,20 @@ _krb5_get_host_realm_int(krb5_context context,
/*
* If 'p' is NULL, we did not find an explicit realm mapping in either the
- * configuration file or DNS. Try the hostname suffix as a last resort.
+ * configuration file or DNS. Try the hostname suffix -upcased- as a realm
+ * as a last resort.
*
- * XXX: If we implement a KDC-specific variant of this function just for
- * referrals, we could check whether we have a cross-realm TGT for the
- * realm in question, and if not try the parent (loop again).
+ * NOTE: If we implement a KDC-specific variant of this function just for
+ * referrals, we could check whether we have a cross-realm TGT for the
+ * realm in question, and if not try the parent (loop again). Such a
+ * variant would have to have access to the HDB, naturally.
+ *
+ * We should start by adding an argument to this function that
+ * indicates whether this fallback here is desired (the KDC wouldn't
+ * desire it). Then when the KDC gets KRB5_ERR_HOST_REALM_UNKNOWN
+ * from this function, the KDC would search the HDB for cross-realm
+ * krbtgt principals that denote a hierarchical path to a realm that
+ * matches the host's domain suffix (or a suffix of it...).
*/
if (p == NULL) {
p = strchr(host, '.');
@@ -246,9 +256,7 @@ _krb5_get_host_realm_int(krb5_context context,
}
}
- /* If 'port' is not NULL, we have a copy of 'host' to free. */
- if (port)
- free((void *)host);
+ free(freeme);
return ret;
}
diff --git a/lib/krb5/get_in_tkt.c b/lib/krb5/get_in_tkt.c
index 19a638fb3bf3..476844cc83d8 100644
--- a/lib/krb5/get_in_tkt.c
+++ b/lib/krb5/get_in_tkt.c
@@ -115,7 +115,7 @@ add_padata(krb5_context context,
if (!enctypes) {
enctypes = context->etypes;
netypes = 0;
- for (ep = enctypes; *ep != (krb5_enctype)ETYPE_NULL; ep++)
+ for (ep = enctypes; *ep != ETYPE_NULL; ep++)
netypes++;
}
pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
@@ -319,7 +319,9 @@ set_ptypes(krb5_context context,
krb5_preauthdata **preauth)
{
static krb5_preauthdata preauth2;
- static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
+ static const krb5_preauthtype ptypes2[] = {
+ KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE
+ };
if(error->e_data) {
METHOD_DATA md;
@@ -438,9 +440,6 @@ krb5_get_in_cred(krb5_context context,
one more try */
if (!ptypes && !preauth
&& ret == KRB5KDC_ERR_PREAUTH_REQUIRED
-#if 0
- || ret == KRB5KDC_ERR_BADOPTION
-#endif
&& set_ptypes(context, &error, &ptypes, &my_preauth)) {
done = 0;
preauth = my_preauth;
diff --git a/lib/krb5/heim_err.et b/lib/krb5/heim_err.et
deleted file mode 100644
index 69039bb4dfe0..000000000000
--- a/lib/krb5/heim_err.et
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Error messages for the krb5 library
-#
-# This might look like a com_err file, but is not
-#
-id "$Id$"
-
-error_table heim
-
-prefix HEIM_ERR
-
-error_code LOG_PARSE, "Error parsing log destination"
-error_code V4_PRINC_NO_CONV, "Failed to convert v4 principal"
-error_code SALTTYPE_NOSUPP, "Salt type is not supported by enctype"
-error_code NOHOST, "Host not found"
-error_code OPNOTSUPP, "Operation not supported"
-error_code EOF, "End of file"
-error_code BAD_MKEY, "Failed to get the master key"
-error_code SERVICE_NOMATCH, "Unacceptable service used"
-error_code NOT_SEEKABLE, "File descriptor not seekable"
-error_code TOO_BIG, "Offset too large"
-error_code BAD_HDBENT_ENCODING, "Invalid HDB entry encoding"
-error_code RANDOM_OFFLINE, "No random source available"
-
-index 64
-prefix HEIM_PKINIT
-error_code NO_CERTIFICATE, "Certificate missing"
-error_code NO_PRIVATE_KEY, "Private key missing"
-error_code NO_VALID_CA, "No valid certificate authority"
-error_code CERTIFICATE_INVALID, "Certificate invalid"
-error_code PRIVATE_KEY_INVALID, "Private key invalid"
-
-index 128
-prefix HEIM_EAI
-#error_code NOERROR, "no error"
-error_code UNKNOWN, "unknown error from getaddrinfo"
-error_code ADDRFAMILY, "address family for nodename not supported"
-error_code AGAIN, "temporary failure in name resolution"
-error_code BADFLAGS, "invalid value for ai_flags"
-error_code FAIL, "non-recoverable failure in name resolution"
-error_code FAMILY, "ai_family not supported"
-error_code MEMORY, "memory allocation failure"
-error_code NODATA, "no address associated with nodename"
-error_code NONAME, "nodename nor servname provided, or not known"
-error_code SERVICE, "servname not supported for ai_socktype"
-error_code SOCKTYPE, "ai_socktype not supported"
-error_code SYSTEM, "system error returned in errno"
-
-index 192
-prefix HEIM_NET
-error_code CONN_REFUSED, "connection refused"
-
-end
diff --git a/lib/krb5/init_creds.c b/lib/krb5/init_creds.c
index b34e3eb325c8..b2d0d39a3dc3 100644
--- a/lib/krb5/init_creds.c
+++ b/lib/krb5/init_creds.c
@@ -408,7 +408,7 @@ krb5_get_init_creds_opt_set_process_last_req(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_get_init_creds_opt_alloc instead")
{
memset (opt, 0, sizeof(*opt));
}
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 4e1088be182b..1a649dfa965d 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -3,7 +3,8 @@
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
- * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2021, PADL Software Pty Ltd. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -34,14 +35,33 @@
*/
#include "krb5_locl.h"
-#ifndef WIN32
-#include <heim-ipc.h>
-#endif /* WIN32 */
-typedef struct krb5_get_init_creds_ctx {
+#include <heimbasepriv.h>
+
+struct pa_info_data {
+ krb5_enctype etype;
+ krb5_salt salt;
+ krb5_data *s2kparams;
+};
+
+struct krb5_gss_init_ctx_data {
+ krb5_gssic_step step;
+ krb5_gssic_finish finish;
+ krb5_gssic_release_cred release_cred;
+ krb5_gssic_delete_sec_context delete_sec_context;
+
+ const struct gss_OID_desc_struct *mech;
+ struct gss_cred_id_t_desc_struct *cred;
+
+ struct {
+ unsigned int release_cred : 1;
+ } flags;
+};
+
+struct krb5_get_init_creds_ctx {
KDCOptions flags;
krb5_creds cred;
- krb5_addresses *addrs;
+ const krb5_addresses *addrs;
krb5_enctype *etypes;
krb5_preauthtype *pre_auth_types;
char *in_tkt_service;
@@ -62,53 +82,43 @@ typedef struct krb5_get_init_creds_ctx {
krb5_get_init_creds_tristate req_pac;
krb5_pk_init_ctx pk_init_ctx;
+ krb5_gss_init_ctx gss_init_ctx;
int ic_flags;
+ char *kdc_hostname;
+ char *sitename;
+
struct {
- unsigned change_password:1;
+ unsigned int change_password:1;
+ unsigned int change_password_prompt:1;
+ unsigned int allow_enc_pa_rep:1;
+ unsigned int allow_save_as_reply_key:1;
} runflags;
- int used_pa_types;
-#define USED_PKINIT 1
-#define USED_PKINIT_W2K 2
-#define USED_ENC_TS_GUESS 4
-#define USED_ENC_TS_INFO 8
+ struct pa_info_data paid;
METHOD_DATA md;
KRB_ERROR error;
- AS_REP as_rep;
EncKDCRepPart enc_part;
krb5_prompter_fct prompter;
void *prompter_data;
+ int warned_user;
struct pa_info_data *ppaid;
- struct fast_state {
- enum PA_FX_FAST_REQUEST_enum type;
- unsigned int flags;
-#define KRB5_FAST_REPLY_KEY_USE_TO_ENCRYPT_THE_REPLY 1
-#define KRB5_FAST_REPLY_KEY_USE_IN_TRANSACTION 2
-#define KRB5_FAST_KDC_REPLY_KEY_REPLACED 4
-#define KRB5_FAST_REPLY_REPLY_VERIFED 8
-#define KRB5_FAST_STRONG 16
-#define KRB5_FAST_EXPECTED 32 /* in exchange with KDC, fast was discovered */
-#define KRB5_FAST_REQUIRED 64 /* fast required by action of caller */
-#define KRB5_FAST_DISABLED 128
-#define KRB5_FAST_AP_ARMOR_SERVICE 256
- krb5_keyblock *reply_key;
- krb5_ccache armor_ccache;
- krb5_principal armor_service;
- krb5_crypto armor_crypto;
- krb5_keyblock armor_key;
- krb5_keyblock *strengthen_key;
- } fast_state;
-} krb5_get_init_creds_ctx;
+ struct krb5_fast_state fast_state;
+ krb5_enctype as_enctype;
+ krb5_keyblock *as_reply_key;
-struct pa_info_data {
- krb5_enctype etype;
- krb5_salt salt;
- krb5_data *s2kparams;
+ /* current and available pa mechansm in this exchange */
+ struct pa_auth_mech *pa_mech;
+ heim_array_t available_pa_mechs;
+ const char *pa_used;
+
+ struct {
+ struct timeval run_time;
+ } stats;
};
static void
@@ -117,6 +127,7 @@ free_paid(krb5_context context, struct pa_info_data *ppaid)
krb5_free_salt(context, ppaid->salt);
if (ppaid->s2kparams)
krb5_free_data(context, ppaid->s2kparams);
+ memset(ppaid, 0, sizeof(*ppaid));
}
static krb5_error_code KRB5_CALLCONV
@@ -129,10 +140,18 @@ default_s2k_func(krb5_context context, krb5_enctype type,
krb5_data password;
krb5_data opaque;
- _krb5_debug(context, 5, "krb5_get_init_creds: using default_s2k_func");
+ if (_krb5_have_debug(context, 5)) {
+ char *str = NULL;
+ ret = krb5_enctype_to_string(context, type, &str);
+ if (ret)
+ return ret;
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: using default_s2k_func: %s (%d)", str, (int)type);
+ free(str);
+ }
password.data = rk_UNCONST(keyseed);
- password.length = strlen(keyseed);
+ password.length = keyseed ? strlen(keyseed) : 0;
if (s2kparms)
opaque = *s2kparms;
else
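Review bot: The `if (ret) return ret;` inside the `_krb5_have_debug(context, 5)` branch makes the function's result depend on the debug level, because a failing `krb5_enctype_to_string` aborts key derivation only when level-5 debugging is enabled. Logging should not alter control flow; drop the early return and fall back to a placeholder name as the weak-enctype warning later in this commit does: `(void) krb5_enctype_to_string(context, type, &str);` followed by `_krb5_debug(context, 5, "krb5_get_init_creds: using default_s2k_func: %s (%d)", str ? str : "unknown", (int)type);`. Separately, `keyseed ? strlen(keyseed) : 0` now turns a NULL keyseed into an empty password instead of an error; if that is intended, a comment should say which caller relies on it. `default_s2k_func` starts and ends outside this hunk.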
@@ -140,7 +159,7 @@ default_s2k_func(krb5_context context, krb5_enctype type,
*key = malloc(sizeof(**key));
if (*key == NULL)
- return ENOMEM;
+ return krb5_enomem(context);
ret = krb5_string_to_key_data_salt_opaque(context, type, password,
salt, opaque, *key);
if (ret) {
@@ -151,6 +170,17 @@ default_s2k_func(krb5_context context, krb5_enctype type,
}
static void
+free_gss_init_ctx(krb5_context context, krb5_gss_init_ctx gssic)
+{
+ if (gssic == NULL)
+ return;
+
+ if (gssic->flags.release_cred)
+ gssic->release_cred(context, gssic, gssic->cred);
+ free(gssic);
+}
+
+static void
free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx)
{
if (ctx->etypes)
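Review bot: `free_gss_init_ctx` calls through `gssic->release_cred` whenever `flags.release_cred` is set, without checking that the callback pointer itself is non-NULL. Nothing visible here shows how the flag and the callback are kept in sync, so a cheap guard is worthwhile: `if (gssic->flags.release_cred && gssic->release_cred != NULL)`. A short ownership comment above the function would also help the next reader, e.g. `/* cred is released only when flags.release_cred is set; mech is not freed here */`.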
@@ -167,40 +197,37 @@ free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx)
memset_s(ctx->password, len, 0, len);
free(ctx->password);
}
+ free_gss_init_ctx(context, ctx->gss_init_ctx);
/*
- * FAST state (we don't close the armor_ccache because we might have
- * to destroy it, and how would we know? also, the caller should
- * take care of cleaning up the armor_ccache).
+ * FAST state
*/
- if (ctx->fast_state.armor_service)
- krb5_free_principal(context, ctx->fast_state.armor_service);
- if (ctx->fast_state.armor_crypto)
- krb5_crypto_destroy(context, ctx->fast_state.armor_crypto);
- if (ctx->fast_state.strengthen_key)
- krb5_free_keyblock(context, ctx->fast_state.strengthen_key);
- krb5_free_keyblock_contents(context, &ctx->fast_state.armor_key);
+ _krb5_fast_free(context, &ctx->fast_state);
+ if (ctx->as_reply_key)
+ krb5_free_keyblock(context, ctx->as_reply_key);
krb5_data_free(&ctx->req_buffer);
krb5_free_cred_contents(context, &ctx->cred);
free_METHOD_DATA(&ctx->md);
- free_AS_REP(&ctx->as_rep);
free_EncKDCRepPart(&ctx->enc_part);
free_KRB_ERROR(&ctx->error);
free_AS_REQ(&ctx->as_req);
- if (ctx->ppaid) {
- free_paid(context, ctx->ppaid);
- free(ctx->ppaid);
- }
+
+ heim_release(ctx->available_pa_mechs);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ free(ctx->kdc_hostname);
+ free(ctx->sitename);
+ free_paid(context, &ctx->paid);
memset_s(ctx, sizeof(*ctx), 0, sizeof(*ctx));
}
-static int
+static krb5_deltat
get_config_time (krb5_context context,
const char *realm,
const char *name,
int def)
{
- int ret;
+ krb5_deltat ret;
ret = krb5_config_get_time (context, NULL,
"realms",
@@ -226,7 +253,7 @@ init_cred (krb5_context context,
krb5_get_init_creds_opt *options)
{
krb5_error_code ret;
- int tmp;
+ krb5_deltat tmp;
krb5_timestamp now;
krb5_timeofday (context, &now);
@@ -238,7 +265,7 @@ init_cred (krb5_context context,
else
ret = krb5_get_default_principal(context, &cred->client);
if (ret)
- goto out;
+ goto out;
if (start_time)
cred->times.starttime = now + start_time;
@@ -297,18 +324,13 @@ krb5_process_last_request(krb5_context context,
krb5_get_init_creds_opt *options,
krb5_init_creds_context ctx)
{
- krb5_const_realm realm;
LastReq *lr;
- krb5_boolean reported = FALSE;
- krb5_timestamp sec;
- time_t t;
size_t i;
/*
* First check if there is a API consumer.
*/
- realm = krb5_principal_get_realm (context, ctx->cred.client);
lr = &ctx->enc_part.last_req;
if (options && options->opt_private && options->opt_private->lr.func) {
@@ -317,6 +339,7 @@ krb5_process_last_request(krb5_context context,
lre = calloc(lr->len + 1, sizeof(*lre));
if (lre == NULL)
return krb5_enomem(context);
+
for (i = 0; i < lr->len; i++) {
lre[i] = calloc(1, sizeof(*lre[i]));
if (lre[i] == NULL)
@@ -333,15 +356,44 @@ krb5_process_last_request(krb5_context context,
free(lre);
}
- /*
- * Now check if we should prompt the user
- */
+ return krb5_init_creds_warn_user(context, ctx);
+}
+
+/**
+ * Warn the user using prompter in the krb5_init_creds_context about
+ * possible password and account expiration.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx a krb5_init_creds_context context.
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_warn_user(krb5_context context,
+ krb5_init_creds_context ctx)
+{
+ krb5_timestamp sec;
+ krb5_const_realm realm;
+ krb5_enctype weak_enctype = KRB5_ENCTYPE_NULL;
+ LastReq *lr;
+ unsigned i;
+ time_t t;
if (ctx->prompter == NULL)
- return 0;
+ return 0;
+
+ if (ctx->warned_user)
+ return 0;
+
+ ctx->warned_user = 1;
krb5_timeofday (context, &sec);
+ realm = krb5_principal_get_realm (context, ctx->cred.client);
+ lr = &ctx->enc_part.last_req;
+
t = sec + get_config_time (context,
realm,
"warn_pwexpire",
@@ -355,37 +407,53 @@ krb5_process_last_request(krb5_context context,
ctx->prompter_data,
"Your password will expire at ",
lr->val[i].lr_value);
- reported = TRUE;
break;
case LR_ACCT_EXPTIME :
report_expiration(context, ctx->prompter,
ctx->prompter_data,
"Your account will expire at ",
lr->val[i].lr_value);
- reported = TRUE;
break;
- default:
- break;
+ default:
+ break;
}
}
}
- if (!reported
- && ctx->enc_part.key_expiration
- && *ctx->enc_part.key_expiration <= t) {
- report_expiration(context, ctx->prompter,
- ctx->prompter_data,
- "Your password/account will expire at ",
- *ctx->enc_part.key_expiration);
+ if (krb5_is_enctype_weak(context, ctx->as_enctype))
+ weak_enctype = ctx->as_enctype;
+ else if (krb5_is_enctype_weak(context, ctx->cred.session.keytype))
+ weak_enctype = ctx->cred.session.keytype;
+
+ if (ctx->prompter && weak_enctype != KRB5_ENCTYPE_NULL) {
+ int suppress = krb5_config_get_bool_default(context, NULL, false,
+ "libdefaults",
+ "suppress_weak_enctype", NULL);
+ if (!suppress) {
+ char *str = NULL, *p = NULL;
+ int aret;
+
+ (void) krb5_enctype_to_string(context, weak_enctype, &str);
+ aret = asprintf(&p, "Encryption type %s(%d) used for authentication is weak and will be deprecated",
+ str ? str : "unknown", weak_enctype);
+ if (aret >= 0 && p) {
+ (*ctx->prompter)(context, ctx->prompter_data, NULL, p, 0, NULL);
+ free(p);
+ }
+ free(str);
+ }
}
+
return 0;
}
-static krb5_addresses no_addrs = { 0, NULL };
+static const krb5_addresses no_addrs = { 0, NULL };
static krb5_error_code
get_init_creds_common(krb5_context context,
krb5_principal client,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
krb5_deltat start_time,
krb5_get_init_creds_opt *options,
krb5_init_creds_context ctx)
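Review bot: The weak-enctype warning reaches the operator only through `ctx->prompter`, and `suppress_weak_enctype` silences it completely, so a suppressed site keeps no record that a weak encryption type was used for the exchange. Emitting the event to the debug log before the `suppress` test keeps it observable: `_krb5_debug(context, 5, "krb5_init_creds: weak enctype %d used for authentication", (int)weak_enctype);` (the level is a suggestion). Covering prompter-less callers as well would mean moving the weak-enctype check ahead of the `ctx->prompter == NULL` return in the previous hunk, which also makes the `ctx->prompter &&` test here redundant. `krb5_init_creds_warn_user` starts in the previous hunk.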
@@ -400,7 +468,9 @@ get_init_creds_common(krb5_context context,
if (options == NULL) {
const char *realm = krb5_principal_get_realm(context, client);
- krb5_get_init_creds_opt_alloc (context, &default_opt);
+ ret = krb5_get_init_creds_opt_alloc(context, &default_opt);
+ if (ret)
+ return ret;
options = default_opt;
krb5_get_init_creds_opt_set_default_flags(context, NULL, realm, options);
}
@@ -423,9 +493,7 @@ get_init_creds_common(krb5_context context,
if (ctx->keyproc == NULL)
ctx->keyproc = default_s2k_func;
- /* Enterprise name implicitly turns on canonicalize */
- if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
- krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
+ if (ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE)
ctx->flags.canonicalize = 1;
ctx->pre_auth_types = NULL;
@@ -434,11 +502,8 @@ get_init_creds_common(krb5_context context,
ctx->pre_auth_types = NULL;
ret = init_cred(context, &ctx->cred, client, start_time, options);
- if (ret) {
- if (default_opt)
- krb5_get_init_creds_opt_free(context, default_opt);
- return ret;
- }
+ if (ret)
+ goto out;
ret = krb5_init_creds_set_service(context, ctx, NULL);
if (ret)
@@ -502,9 +567,16 @@ get_init_creds_common(krb5_context context,
}
if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS)
ctx->flags.request_anonymous = options->anonymous;
- if (default_opt)
- krb5_get_init_creds_opt_free(context, default_opt);
- return 0;
+
+ ctx->prompter = prompter;
+ ctx->prompter_data = prompter_data;
+
+ if ((options->flags & KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT) &&
+ !options->change_password_prompt)
+ ctx->runflags.change_password_prompt = 0;
+ else
+ ctx->runflags.change_password_prompt = ctx->prompter != NULL;
+
out:
if (default_opt)
krb5_get_init_creds_opt_free(context, default_opt);
@@ -608,27 +680,27 @@ change_password (krb5_context context,
&result_string);
if (ret)
goto out;
+
if (asprintf(&p, "%s: %.*s\n",
result_code ? "Error" : "Success",
(int)result_string.length,
result_string.length > 0 ? (char*)result_string.data : "") < 0)
{
- ret = ENOMEM;
+ ret = krb5_enomem(context);
goto out;
}
/* return the result */
(*prompter) (context, data, NULL, p, 0, NULL);
- free (p);
if (result_code == 0) {
strlcpy (newpw, buf1, newpw_sz);
ret = 0;
} else {
- ret = ENOTTY;
- krb5_set_error_message(context, ret,
- N_("failed changing password", ""));
+ krb5_set_error_message(context, ret = KRB5_CHPW_FAIL,
+ N_("failed changing password: %s", ""), p);
}
+ free (p);
out:
memset_s(buf1, sizeof(buf1), 0, sizeof(buf1));
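Review bot: The new error message in the failure branch embeds `p`, which was formatted for the prompter as `"%s: %.*s\n"`, so the stored message reads "failed changing password: Error: …" and ends in a newline. `p` also carries the server-supplied result string verbatim, which a caller may later write to a log or terminal. Formatting the message from the result string directly avoids the duplicated prefix and the newline: `N_("failed changing password: %.*s", ""), (int)result_string.length, result_string.length > 0 ? (char *)result_string.data : ""`. Assigning `ret = KRB5_CHPW_FAIL;` in its own statement, rather than inside the argument list, would also read more clearly. change_password begins and ends outside this hunk.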
@@ -669,12 +741,12 @@ init_as_req (krb5_context context,
a->pvno = 5;
a->msg_type = krb_as_req;
a->req_body.kdc_options = opts;
- a->req_body.cname = malloc(sizeof(*a->req_body.cname));
+ a->req_body.cname = calloc(1, sizeof(*a->req_body.cname));
if (a->req_body.cname == NULL) {
ret = krb5_enomem(context);
goto fail;
}
- a->req_body.sname = malloc(sizeof(*a->req_body.sname));
+ a->req_body.sname = calloc(1, sizeof(*a->req_body.sname));
if (a->req_body.sname == NULL) {
ret = krb5_enomem(context);
goto fail;
@@ -774,7 +846,7 @@ set_paid(struct pa_info_data *paid, krb5_context context,
paid->salt.saltvalue.data = malloc(salt_len + 1);
if (paid->salt.saltvalue.data == NULL) {
krb5_clear_error_message(context);
- return ENOMEM;
+ return krb5_enomem(context);
}
memcpy(paid->salt.saltvalue.data, salt_string, salt_len);
((char *)paid->salt.saltvalue.data)[salt_len] = '\0';
@@ -814,6 +886,10 @@ pa_etype_info2(krb5_context context,
goto out;
for (j = 0; j < asreq->req_body.etype.len; j++) {
for (i = 0; i < e.len; i++) {
+
+ if (krb5_enctype_valid(context, e.val[i].etype) != 0)
+ continue;
+
if (asreq->req_body.etype.val[j] == e.val[i].etype) {
krb5_salt salt;
if (e.val[i].salt == NULL)
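Review bot: The added `krb5_enctype_valid()` test sits in the inner loop ahead of the etype comparison, so it is re-evaluated for every requested etype `j` although it depends only on `i`, and an entry the KDC offered is dropped without any trace. Running it only once the etypes match, with a debug line such as `_krb5_debug(context, 5, "skipping disabled enctype %d from ETYPE-INFO2", (int)e.val[i].etype);` before the `continue`, keeps the filter and makes a KDC that offers only disabled enctypes diagnosable. The same applies to the identical check added to pa_etype_info in the next hunk. Both loops start and end outside their hunks.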
@@ -863,6 +939,10 @@ pa_etype_info(krb5_context context,
goto out;
for (j = 0; j < asreq->req_body.etype.len; j++) {
for (i = 0; i < e.len; i++) {
+
+ if (krb5_enctype_valid(context, e.val[i].etype) != 0)
+ continue;
+
if (asreq->req_body.etype.val[j] == e.val[i].etype) {
krb5_salt salt;
salt.salttype = KRB5_PW_SALT;
@@ -905,6 +985,9 @@ pa_pw_or_afs3_salt(krb5_context context,
krb5_error_code ret;
if (paid->etype == KRB5_ENCTYPE_NULL)
return NULL;
+ if (krb5_enctype_valid(context, paid->etype) != 0)
+ return NULL;
+
ret = set_paid(paid, context,
paid->etype,
paid->salt.salttype,
@@ -917,55 +1000,6 @@ pa_pw_or_afs3_salt(krb5_context context,
}
-struct pa_info {
- krb5_preauthtype type;
- struct pa_info_data *(*salt_info)(krb5_context,
- const krb5_principal,
- const AS_REQ *,
- struct pa_info_data *,
- heim_octet_string *);
-};
-
-static struct pa_info pa_prefs[] = {
- { KRB5_PADATA_ETYPE_INFO2, pa_etype_info2 },
- { KRB5_PADATA_ETYPE_INFO, pa_etype_info },
- { KRB5_PADATA_PW_SALT, pa_pw_or_afs3_salt },
- { KRB5_PADATA_AFS3_SALT, pa_pw_or_afs3_salt }
-};
-
-static PA_DATA *
-find_pa_data(const METHOD_DATA *md, unsigned type)
-{
- size_t i;
- if (md == NULL)
- return NULL;
- for (i = 0; i < md->len; i++)
- if (md->val[i].padata_type == type)
- return &md->val[i];
- return NULL;
-}
-
-static struct pa_info_data *
-process_pa_info(krb5_context context,
- const krb5_principal client,
- const AS_REQ *asreq,
- struct pa_info_data *paid,
- METHOD_DATA *md)
-{
- struct pa_info_data *p = NULL;
- size_t i;
-
- for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) {
- PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
- if (pa == NULL)
- continue;
- paid->salt.salttype = (krb5_salttype)pa_prefs[i].type;
- p = (*pa_prefs[i].salt_info)(context, client, asreq,
- paid, &pa->padata_value);
- }
- return p;
-}
-
static krb5_error_code
make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
krb5_enctype etype, krb5_keyblock *key)
@@ -1036,6 +1070,8 @@ add_enc_ts_padata(krb5_context context,
krb5_enctype *ep;
size_t i;
+ memset(&salt2, 0, sizeof(salt2));
+
if(salt == NULL) {
/* default to standard salt */
ret = krb5_get_pw_salt (context, client, &salt2);
@@ -1046,7 +1082,7 @@ add_enc_ts_padata(krb5_context context,
if (!enctypes) {
enctypes = context->etypes;
netypes = 0;
- for (ep = enctypes; *ep != (krb5_enctype)ETYPE_NULL; ep++)
+ for (ep = enctypes; *ep != ETYPE_NULL; ep++)
netypes++;
}
@@ -1073,7 +1109,7 @@ static krb5_error_code
pa_data_to_md_ts_enc(krb5_context context,
const AS_REQ *a,
const krb5_principal client,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
struct pa_info_data *ppaid,
METHOD_DATA *md)
{
@@ -1110,7 +1146,7 @@ pa_data_to_md_ts_enc(krb5_context context,
static krb5_error_code
pa_data_to_key_plain(krb5_context context,
const krb5_principal client,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
krb5_salt salt,
krb5_data *s2kparams,
krb5_enctype etype,
@@ -1123,13 +1159,18 @@ pa_data_to_key_plain(krb5_context context,
return ret;
}
+struct pkinit_context {
+ unsigned int win2k : 1;
+ unsigned int used_pkinit : 1;
+};
+
static krb5_error_code
pa_data_to_md_pkinit(krb5_context context,
const AS_REQ *a,
const krb5_principal client,
int win2k,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
METHOD_DATA *md)
{
if (ctx->pk_init_ctx == NULL)
@@ -1150,9 +1191,666 @@ pa_data_to_md_pkinit(krb5_context context,
}
static krb5_error_code
-pa_data_add_pac_request(krb5_context context,
- krb5_get_init_creds_ctx *ctx,
- METHOD_DATA *md)
+pkinit_configure_ietf(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx)
+{
+ struct pkinit_context *pkinit_ctx = pa_ctx;
+
+ pkinit_ctx->win2k = 0;
+
+ if (ctx->pk_init_ctx == NULL)
+ return HEIM_ERR_PA_CANT_CONTINUE;
+
+ return 0;
+}
+
+static krb5_error_code
+pkinit_configure_win(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx)
+{
+ struct pkinit_context *pkinit_ctx = pa_ctx;
+
+ pkinit_ctx->win2k = 1;
+ pkinit_ctx->used_pkinit = 0;
+
+ if (ctx->pk_init_ctx == NULL)
+ return HEIM_ERR_PA_CANT_CONTINUE;
+
+ return 0;
+}
+
+static krb5_error_code
+pkinit_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa, const AS_REQ *a,
+ const AS_REP *rep, METHOD_DATA *in_md, METHOD_DATA *out_md)
+{
+ krb5_error_code ret = HEIM_ERR_PA_CANT_CONTINUE;
+ struct pkinit_context *pkinit_ctx = pa_ctx;
+
+ if (rep == NULL) {
+ if (pkinit_ctx->used_pkinit) {
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ "Already tried PKINIT(%s), looping",
+ pkinit_ctx->win2k ? "win2k" : "ietf");
+ } else {
+ ret = pa_data_to_md_pkinit(context, a, ctx->cred.client,
+ (pkinit_ctx->win2k != 0),
+ ctx, out_md);
+ if (ret == 0)
+ ret = HEIM_ERR_PA_CONTINUE_NEEDED;
+
+ pkinit_ctx->used_pkinit = 1;
+ }
+ } else if (pa) {
+ ret = _krb5_pk_rd_pa_reply(context,
+ a->req_body.realm,
+ ctx->pk_init_ctx,
+ rep->enc_part.etype,
+ ctx->pk_nonce,
+ &ctx->req_buffer,
+ pa,
+ &ctx->fast_state.reply_key);
+ if (ret == 0)
+ ctx->runflags.allow_save_as_reply_key = 1;
+ }
+
+ return ret;
+}
+
+static void
+pkinit_release(void *pa_ctx)
+{
+}
+
+/*
+ * GSS-API pre-authentication support
+ */
+
+struct pa_gss_context {
+ struct gss_ctx_id_t_desc_struct *context_handle;
+ int open;
+};
+
+static krb5_error_code
+pa_gss_configure(krb5_context context,
+ krb5_init_creds_context ctx,
+ void *pa_ctx)
+{
+ krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
+ struct pa_gss_context *pa_gss_ctx = pa_ctx;
+
+ if (gssic == NULL)
+ return HEIM_ERR_PA_CANT_CONTINUE;
+
+ pa_gss_ctx->context_handle = NULL;
+ pa_gss_ctx->open = 0;
+
+ return 0;
+}
+
+static krb5_error_code
+pa_data_to_md_gss(krb5_context context,
+ const AS_REQ *a,
+ const krb5_creds *creds,
+ krb5_init_creds_context ctx,
+ struct pa_gss_context *pa_gss_ctx,
+ PA_DATA *pa,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret;
+ krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
+ krb5_data req_body;
+ krb5_data *input_token, output_token;
+ size_t len = 0;
+
+ krb5_data_zero(&req_body);
+ krb5_data_zero(&output_token);
+
+ input_token = pa ? &pa->padata_value : NULL;
+
+ if ((input_token == NULL || input_token->length == 0) &&
+ pa_gss_ctx->context_handle) {
+ krb5_set_error_message(context, HEIM_ERR_PA_CANT_CONTINUE,
+ "Missing GSS preauthentication data from KDC");
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ ASN1_MALLOC_ENCODE(KDC_REQ_BODY, req_body.data, req_body.length,
+ &ctx->as_req.req_body, &len, ret);
+ if (ret)
+ goto out;
+ heim_assert(req_body.length == len, "ASN.1 internal error");
+
+ ret = gssic->step(context, gssic, creds, &pa_gss_ctx->context_handle,
+ ctx->flags, &req_body,
+ input_token, &output_token);
+
+ /*
+ * If FAST authenticated the KDC (which will be the case unless anonymous
+ * PKINIT was used without KDC certificate validation) then we can relax
+ * the mutual authentication requirement.
+ */
+ if (ret == KRB5_MUTUAL_FAILED &&
+ (ctx->fast_state.flags & KRB5_FAST_EXPECTED) &&
+ (ctx->fast_state.flags & KRB5_FAST_KDC_VERIFIED))
+ ret = 0;
+ if (ret == 0) {
+ /*
+ * Always require a strengthen key if FAST was used, to avoid a MITM
+ * attack that could result in unintended privilege escalation should
+ * the KDC add positive authorization data from the armor ticket.
+ */
+ if ((ctx->fast_state.flags & KRB5_FAST_EXPECTED) &&
+ ctx->fast_state.strengthen_key == NULL) {
+ krb5_set_error_message(context, HEIM_ERR_PA_CANT_CONTINUE,
+ "FAST GSS pre-authentication without strengthen key");
+ ret = KRB5_KDCREP_MODIFIED;
+ goto out;
+ }
+
+ pa_gss_ctx->open = 1;
+ }
+
+ if (output_token.length) {
+ ret = krb5_padata_add(context, out_md, KRB5_PADATA_GSS,
+ output_token.data, output_token.length);
+ if (ret)
+ goto out;
+
+ krb5_data_zero(&output_token);
+ }
+
+out:
+ krb5_data_free(&output_token);
+ krb5_data_free(&req_body);
+
+ return ret;
+}
+
+static krb5_error_code
+pa_gss_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ void *pa_ctx,
+ PA_DATA *pa,
+ const AS_REQ *a,
+ const AS_REP *rep,
+ METHOD_DATA *in_md,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret;
+ krb5_principal cname;
+ krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
+ struct pa_gss_context *pa_gss_ctx = pa_ctx;
+
+ heim_assert(gssic != NULL, "invalid context passed to pa_gss_step");
+
+ if (!pa_gss_ctx->open) {
+ ret = pa_data_to_md_gss(context, a, &ctx->cred, ctx,
+ pa_gss_ctx, pa, out_md);
+ if (ret == HEIM_ERR_PA_CONTINUE_NEEDED && rep) {
+ krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
+ "KDC sent AS-REP before GSS "
+ "pre-authentication completed");
+ ret = KRB5_KDCREP_MODIFIED;
+ } else if (ret == 0 && rep == NULL) {
+ ret = HEIM_ERR_PA_CONTINUE_NEEDED; /* odd number of legs */
+ }
+ if (ret)
+ return ret;
+ } else if (pa && pa->padata_value.length) {
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ "Already completed GSS pre-authentication");
+ return KRB5_GET_IN_TKT_LOOP;
+ } else if (rep == NULL) {
+ krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
+ "Completed GSS pre-authentication before KDC");
+ return KRB5_PREAUTH_FAILED;
+ }
+
+ heim_assert(pa_gss_ctx->open,
+ "GSS pre-authentication incomplete");
+
+ ret = gssic->finish(context, gssic, &ctx->cred,
+ pa_gss_ctx->context_handle, ctx->nonce,
+ rep->enc_part.etype, &cname,
+ &ctx->fast_state.reply_key);
+ if (ret)
+ return ret;
+
+ {
+ char *from = NULL;
+ char *to = NULL;
+
+ if (krb5_unparse_name(context, ctx->cred.client, &from) == 0) {
+ if (krb5_unparse_name(context, cname, &to) == 0) {
+ _krb5_debug(context, 1, "pa_gss_step: %s as %s",
+ from, to);
+ krb5_xfree(to);
+ }
+ krb5_xfree(from);
+ }
+ }
+
+ if (krb5_principal_is_federated(context, ctx->cred.client)) {
+ /*
+ * The well-known federated name will be replaced with the cname
+ * in the AS-REP, but save the locally mapped initiator name in the
+ * cred for logging.
+ */
+ krb5_free_principal(context, ctx->cred.client);
+ ctx->cred.client = cname;
+
+ ctx->ic_flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
+ } else {
+ krb5_free_principal(context, cname);
+ }
+
+ ctx->runflags.allow_save_as_reply_key = 1;
+
+ gssic->delete_sec_context(context, gssic, pa_gss_ctx->context_handle);
+ pa_gss_ctx->context_handle = NULL;
+ pa_gss_ctx->open = 0;
+
+ return 0;
+}
+
+static krb5_error_code
+pa_gss_restart(krb5_context context,
+ krb5_init_creds_context ctx,
+ void *pa_ctx)
+{
+ krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
+ struct pa_gss_context *pa_gss_ctx = pa_ctx;
+
+ if (gssic == NULL)
+ return HEIM_ERR_PA_CANT_CONTINUE;
+
+ gssic->delete_sec_context(context, gssic, pa_gss_ctx->context_handle);
+ pa_gss_ctx->context_handle = NULL;
+ pa_gss_ctx->open = 0;
+
+ return 0;
+}
+
+static void
+pa_gss_release(void *pa_ctx)
+{
+}
+
+krb5_error_code
+_krb5_make_pa_enc_challenge(krb5_context context,
+ krb5_crypto crypto,
+ krb5_key_usage usage,
+ METHOD_DATA *md)
+{
+ PA_ENC_TS_ENC p;
+ unsigned char *buf;
+ size_t buf_size;
+ size_t len = 0;
+ EncryptedData encdata;
+ krb5_error_code ret;
+ int32_t usec;
+ int usec2;
+
+ krb5_us_timeofday (context, &p.patimestamp, &usec);
+ usec2 = usec;
+ p.pausec = &usec2;
+
+ ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
+ if (ret)
+ return ret;
+ if(buf_size != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ usage,
+ buf,
+ len,
+ 0,
+ &encdata);
+ free(buf);
+ if (ret)
+ return ret;
+
+ ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
+ free_EncryptedData(&encdata);
+ if (ret)
+ return ret;
+ if(buf_size != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
+ ret = krb5_padata_add(context, md, KRB5_PADATA_ENCRYPTED_CHALLENGE, buf, len);
+ if (ret)
+ free(buf);
+ return ret;
+}
+
+krb5_error_code
+_krb5_validate_pa_enc_challenge(krb5_context context,
+ krb5_crypto crypto,
+ krb5_key_usage usage,
+ EncryptedData *enc_data,
+ const char *peer_name)
+{
+ krb5_error_code ret;
+ krb5_data ts_data;
+ PA_ENC_TS_ENC p;
+ time_t timestamp;
+ int32_t usec;
+ size_t size;
+
+ ret = krb5_decrypt_EncryptedData(context, crypto, usage, enc_data, &ts_data);
+ if (ret)
+ return ret;
+
+ ret = decode_PA_ENC_TS_ENC(ts_data.data,
+ ts_data.length,
+ &p,
+ &size);
+ krb5_data_free(&ts_data);
+ if(ret){
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ _krb5_debug(context, 5, "Failed to decode PA-ENC-TS_ENC -- %s", peer_name);
+ goto out;
+ }
+
+ krb5_us_timeofday(context, &timestamp, &usec);
+
+ if (krb5_time_abs(timestamp, p.patimestamp) > context->max_skew) {
+ char client_time[100];
+
+ krb5_format_time(context, p.patimestamp,
+ client_time, sizeof(client_time), TRUE);
+
+ ret = KRB5KRB_AP_ERR_SKEW;
+ _krb5_debug(context, 0, "Too large time skew, "
+ "client time %s is out by %u > %d seconds -- %s",
+ client_time,
+ (unsigned)krb5_time_abs(timestamp, p.patimestamp),
+ (int)context->max_skew,
+ peer_name);
+ } else {
+ ret = 0;
+ }
+
+ out:
+ free_PA_ENC_TS_ENC(&p);
+
+ return ret;
+}
+
+
+static struct pa_info_data *
+process_pa_info(krb5_context, const krb5_principal, const AS_REQ *, struct pa_info_data *, METHOD_DATA *);
+
+
+static krb5_error_code
+enc_chal_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa, const AS_REQ *a,
+ const AS_REP *rep, METHOD_DATA *in_md, METHOD_DATA *out_md)
+{
+ struct pa_info_data paid, *ppaid;
+ krb5_keyblock challengekey;
+ krb5_data pepper1, pepper2;
+ krb5_crypto crypto = NULL;
+ krb5_enctype aenctype;
+ krb5_error_code ret;
+
+ memset(&paid, 0, sizeof(paid));
+
+ if (rep == NULL)
+ paid.etype = KRB5_ENCTYPE_NULL;
+ else
+ paid.etype = rep->enc_part.etype;
+ ppaid = process_pa_info(context, ctx->cred.client, a, &paid, in_md);
+
+ /*
+ * If we don't have ppaid, ts because the KDC have not sent any
+ * salt info, lets to the first roundtrip so the KDC have a chance
+ * to send any.
+ */
+ if (ppaid == NULL) {
+ _krb5_debug(context, 5, "no ppaid found");
+ return HEIM_ERR_PA_CONTINUE_NEEDED;
+ }
+ if (ppaid->etype == KRB5_ENCTYPE_NULL) {
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ if (ctx->fast_state.reply_key)
+ krb5_free_keyblock(context, ctx->fast_state.reply_key);
+
+ ret = pa_data_to_key_plain(context, ctx->cred.client, ctx,
+ ppaid->salt, ppaid->s2kparams, ppaid->etype,
+ &ctx->fast_state.reply_key);
+ free_paid(context, &paid);
+ if (ret) {
+ _krb5_debug(context, 5, "enc-chal: failed to build key");
+ return ret;
+ }
+
+ ret = krb5_crypto_init(context, ctx->fast_state.reply_key, 0, &crypto);
+ if (ret)
+ return ret;
+
+ krb5_crypto_getenctype(context, ctx->fast_state.armor_crypto, &aenctype);
+
+ pepper1.data = rep ? "kdcchallengearmor" : "clientchallengearmor";
+ pepper1.length = strlen(pepper1.data);
+ pepper2.data = "challengelongterm";
+ pepper2.length = strlen(pepper2.data);
+
+ ret = krb5_crypto_fx_cf2(context, ctx->fast_state.armor_crypto, crypto,
+ &pepper1, &pepper2, aenctype,
+ &challengekey);
+ krb5_crypto_destroy(context, crypto);
+ if (ret)
+ return ret;
+
+ ret = krb5_crypto_init(context, &challengekey, 0, &crypto);
+ krb5_free_keyblock_contents(context, &challengekey);
+ if (ret)
+ return ret;
+
+ if (rep) {
+ EncryptedData enc_data;
+ size_t size;
+
+ _krb5_debug(context, 5, "ENC_CHAL rep key");
+
+ if (ctx->fast_state.strengthen_key == NULL) {
+ krb5_crypto_destroy(context, crypto);
+ _krb5_debug(context, 5, "ENC_CHAL w/o strengthen_key");
+ return KRB5_KDCREP_MODIFIED;
+ }
+
+ if (pa == NULL) {
+ krb5_crypto_destroy(context, crypto);
+ _krb5_debug(context, 0, "KDC response missing");
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ ret = decode_EncryptedData(pa->padata_value.data,
+ pa->padata_value.length,
+ &enc_data,
+ &size);
+ if (ret) {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ _krb5_debug(context, 5, "Failed to decode ENC_CHAL KDC reply");
+ return ret;
+ }
+
+ ret = _krb5_validate_pa_enc_challenge(context, crypto,
+ KRB5_KU_ENC_CHALLENGE_KDC,
+ &enc_data,
+ "KDC");
+ free_EncryptedData(&enc_data);
+ krb5_crypto_destroy(context, crypto);
+
+ return ret;
+
+ } else {
+
+ ret = _krb5_make_pa_enc_challenge(context, crypto,
+ KRB5_KU_ENC_CHALLENGE_CLIENT,
+ out_md);
+ krb5_crypto_destroy(context, crypto);
+ if (ret) {
+ _krb5_debug(context, 5, "enc-chal: failed build enc challenge");
+ return ret;
+ }
+
+ return HEIM_ERR_PA_CONTINUE_NEEDED;
+ }
+}
+
+struct enc_ts_context {
+ int used_pa_types;
+#define USED_ENC_TS_GUESS 4
+#define USED_ENC_TS_INFO 8
+#define USED_ENC_TS_RENEG 16
+ krb5_principal user;
+};
+
+static krb5_error_code
+enc_ts_restart(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx)
+{
+ struct enc_ts_context *pactx = (struct enc_ts_context *)pa_ctx;
+ pactx->used_pa_types = 0;
+ krb5_free_principal(context, pactx->user);
+ pactx->user = NULL;
+ return 0;
+}
+
+static krb5_error_code
+enc_ts_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa,
+ const AS_REQ *a,
+ const AS_REP *rep,
+ METHOD_DATA *in_md, METHOD_DATA *out_md)
+{
+ struct enc_ts_context *pactx = (struct enc_ts_context *)pa_ctx;
+ struct pa_info_data paid, *ppaid;
+ krb5_error_code ret;
+ const char *state;
+ unsigned flag;
+
+ /*
+ * Keep track of the user we used so that we can restart
+ * authentication when we get referrals.
+ */
+
+ if (pactx->user && !krb5_principal_compare(context, pactx->user, ctx->cred.client)) {
+ pactx->used_pa_types = 0;
+ krb5_free_principal(context, pactx->user);
+ pactx->user = NULL;
+ }
+
+ if (pactx->user == NULL) {
+ ret = krb5_copy_principal(context, ctx->cred.client, &pactx->user);
+ if (ret)
+ return ret;
+ }
+
+ memset(&paid, 0, sizeof(paid));
+
+ if (rep == NULL)
+ paid.etype = KRB5_ENCTYPE_NULL;
+ else
+ paid.etype = rep->enc_part.etype;
+
+ ppaid = process_pa_info(context, ctx->cred.client, a, &paid, in_md);
+
+ if (rep) {
+ /*
+ * Some KDC's don't send salt info in the reply when there is
+ * success pre-auth happned before, so use cached copy (or
+ * even better, if there is just one pre-auth, save reply-key).
+ */
+ if (ppaid == NULL && ctx->paid.etype != KRB5_ENCTYPE_NULL) {
+ ppaid = &ctx->paid;
+
+ } else if (ppaid == NULL) {
+ _krb5_debug(context, 0, "no paid when building key, build a default salt structure ?");
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ ret = pa_data_to_key_plain(context, ctx->cred.client, ctx,
+ ppaid->salt, ppaid->s2kparams, rep->enc_part.etype,
+ &ctx->fast_state.reply_key);
+ free_paid(context, &paid);
+ return ret;
+ }
+
+ /*
+ * If we don't have ppaid, ts because the KDC have not sent any
+ * salt info, lets to the first roundtrip so the KDC have a chance
+ * to send any.
+ *
+ * Don't bother guessing, it sounds like a good idea until you run
+ * into KDCs that are doing failed auth counting based on the
+ * ENC_TS tries.
+ *
+ * Stashing the salt for the next run is a diffrent issue and
+ * could be considered in the future.
+ */
+
+ if (ppaid == NULL) {
+ _krb5_debug(context, 5,
+ "TS-ENC: waiting for KDC to set pw-salt/etype_info{,2}");
+ return HEIM_ERR_PA_CONTINUE_NEEDED;
+ }
+ if (ppaid->etype == KRB5_ENCTYPE_NULL) {
+ free_paid(context, &paid);
+ _krb5_debug(context, 5,
+ "TS-ENC: kdc proposes enctype NULL ?");
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ /*
+ * We have to allow the KDC to re-negotiate the PA-TS data
+ * once, this is since the in the case of a windows read only
+ * KDC that doesn't have the keys simply guesses what the
+ * master is supposed to support. In the case where this
+ * breaks in when the RO-KDC is a newer version the the RW-KDC
+ * and the RO-KDC announced a enctype that the older doesn't
+ * support.
+ */
+ if (pactx->used_pa_types & USED_ENC_TS_INFO) {
+ flag = USED_ENC_TS_RENEG;
+ state = "reneg";
+ } else {
+ flag = USED_ENC_TS_INFO;
+ state = "info";
+ }
+
+ if (pactx->used_pa_types & flag) {
+ free_paid(context, &paid);
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ "Already tried ENC-TS-%s, looping", state);
+ return KRB5_GET_IN_TKT_LOOP;
+ }
+
+ pactx->used_pa_types |= flag;
+
+ free_paid(context, &ctx->paid);
+ ctx->paid = *ppaid;
+
+ ret = pa_data_to_md_ts_enc(context, a, ctx->cred.client, ctx, ppaid, out_md);
+ if (ret)
+ return ret;
+
+ return HEIM_ERR_PA_CONTINUE_NEEDED;
+}
+
+static void
+enc_ts_release(void *pa_ctx)
+{
+ struct enc_ts_context *pactx = (struct enc_ts_context *)pa_ctx;
+
+ if (pactx->user)
+ krb5_free_principal(NULL, pactx->user);
+}
+
+static krb5_error_code
+pa_pac_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa, const AS_REQ *a,
+ const AS_REP *rep, METHOD_DATA *in_md, METHOD_DATA *out_md)
{
size_t len = 0, length;
krb5_error_code ret;
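Review bot: In enc_chal_step, the branch that handles a failed `decode_EncryptedData()` returns `KRB5KRB_AP_ERR_BAD_INTEGRITY` without destroying `crypto`, while every other exit after the second `krb5_crypto_init()` calls `krb5_crypto_destroy()`. The handle wraps the derived challenge key, so a malformed padata value from the KDC leaves that key material allocated on each attempt; adding `krb5_crypto_destroy(context, crypto);` before that `return ret;` closes the path. The earlier `ppaid->etype == KRB5_ENCTYPE_NULL` return also skips `free_paid(context, &paid)`, which enc_ts_step does call in the same situation. Separately, pkinit_configure_ietf leaves `used_pkinit` unset where pkinit_configure_win clears it, which is only safe if the mech object is zero-allocated.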
@@ -1173,16 +1871,489 @@ pa_data_add_pac_request(krb5_context context,
&req, &len, ret);
if (ret)
return ret;
- if(len != length)
- krb5_abortx(context, "internal error in ASN.1 encoder");
+ heim_assert(len == length, "internal error in ASN.1 encoder");
- ret = krb5_padata_add(context, md, KRB5_PADATA_PA_PAC_REQUEST, buf, len);
+ ret = krb5_padata_add(context, out_md, KRB5_PADATA_PA_PAC_REQUEST, buf, len);
if (ret)
free(buf);
return 0;
}
+static krb5_error_code
+pa_enc_pa_rep_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa, const AS_REQ *a,
+ const AS_REP *rep, METHOD_DATA *in_md, METHOD_DATA *out_md)
+{
+ if (ctx->runflags.allow_enc_pa_rep)
+ return krb5_padata_add(context, out_md, KRB5_PADATA_REQ_ENC_PA_REP, NULL, 0);
+
+ return 0;
+}
+
+static krb5_error_code
+pa_fx_cookie_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ void *pa_ctx,
+ PA_DATA *pa,
+ const AS_REQ *a,
+ const AS_REP *rep,
+ METHOD_DATA *in_md,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret;
+ void *cookie;
+ PA_DATA *pad;
+ int idx = 0;
+
+ pad = krb5_find_padata(in_md->val, in_md->len, KRB5_PADATA_FX_COOKIE, &idx);
+ if (pad == NULL) {
+ /*
+ * RFC 6113 5.4.3: PA-FX-COOKIE MUST be included if the KDC
+ * expects at least one more message from the client.
+ */
+ if (ctx->error.error_code == KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
+ return KRB5_PREAUTH_FAILED;
+ else
+ return 0;
+ }
+
+ cookie = malloc(pad->padata_value.length);
+ if (cookie == NULL)
+ return krb5_enomem(context);
+
+ memcpy(cookie, pad->padata_value.data, pad->padata_value.length);
+
+ ret = krb5_padata_add(context, out_md, KRB5_PADATA_FX_COOKIE,
+ cookie, pad->padata_value.length);
+ if (ret)
+ free(cookie);
+ else
+ _krb5_debug(context, 5, "Mirrored FX-COOKIE to KDC");
+
+ return ret;
+}
+
+typedef struct pa_info_data *(*pa_salt_info_f)(krb5_context, const krb5_principal, const AS_REQ *, struct pa_info_data *, heim_octet_string *);
+typedef krb5_error_code (*pa_configure_f)(krb5_context, krb5_init_creds_context, void *);
+typedef krb5_error_code (*pa_restart_f)(krb5_context, krb5_init_creds_context, void *);
+typedef krb5_error_code (*pa_step_f)(krb5_context, krb5_init_creds_context, void *, PA_DATA *, const AS_REQ *, const AS_REP *, METHOD_DATA *, METHOD_DATA *);
+typedef void (*pa_release_f)(void *);
+
+static const struct patype {
+ int type;
+ const char *name;
+ int flags;
+#define PA_F_ANNOUNCE 1
+#define PA_F_CONFIG 2
+#define PA_F_FAST 4 /* available inside FAST */
+#define PA_F_NOT_FAST 8 /* only available without FAST */
+ size_t pa_ctx_size;
+ pa_salt_info_f salt_info;
+ /**
+ * Return 0 if the PA-mechanism is available and optionally set pa_ctx pointer to non-NULL.
+ */
+ pa_configure_f configure;
+ /**
+ * Return 0 if the PA-mechanism can be restarted (time skew, referrals, etc)
+ */
+ pa_restart_f restart;
+ /**
+ * Return 0 if the when complete, HEIM_ERR_PA_CONTINUE_NEEDED if more steps are require
+ */
+ pa_step_f step;
+ pa_release_f release;
+} patypes[] = {
+ {
+ KRB5_PADATA_PK_AS_REP,
+ "PKINIT(IETF)",
+ PA_F_FAST | PA_F_NOT_FAST,
+ sizeof(struct pkinit_context),
+ NULL,
+ pkinit_configure_ietf,
+ NULL,
+ pkinit_step,
+ pkinit_release
+ },
+ {
+ KRB5_PADATA_PK_AS_REP_19,
+ "PKINIT(win)",
+ PA_F_FAST | PA_F_NOT_FAST,
+ sizeof(struct pkinit_context),
+ NULL,
+ pkinit_configure_win,
+ NULL,
+ pkinit_step,
+ pkinit_release
+ },
+ {
+ KRB5_PADATA_GSS,
+ "GSS",
+ PA_F_FAST | PA_F_NOT_FAST,
+ sizeof(struct pa_gss_context),
+ NULL,
+ pa_gss_configure,
+ pa_gss_restart,
+ pa_gss_step,
+ pa_gss_release
+ },
+ {
+ KRB5_PADATA_ENCRYPTED_CHALLENGE,
+ "ENCRYPTED_CHALLENGE",
+ PA_F_FAST,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ enc_chal_step,
+ NULL
+ },
+ {
+ KRB5_PADATA_ENC_TIMESTAMP,
+ "ENCRYPTED_TIMESTAMP",
+ PA_F_NOT_FAST,
+ sizeof(struct enc_ts_context),
+ NULL,
+ NULL,
+ enc_ts_restart,
+ enc_ts_step,
+ enc_ts_release
+ },
+ {
+ KRB5_PADATA_PA_PAC_REQUEST,
+ "PA_PAC_REQUEST",
+ PA_F_CONFIG,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ pa_pac_step,
+ NULL
+ },
+ {
+ KRB5_PADATA_REQ_ENC_PA_REP,
+ "REQ-ENC-PA-REP",
+ PA_F_CONFIG,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ pa_enc_pa_rep_step,
+ NULL
+ },
+ {
+ KRB5_PADATA_FX_COOKIE,
+ "FX-COOKIE",
+ PA_F_CONFIG,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ pa_fx_cookie_step,
+ NULL
+ },
+#define patype_salt(n, f) { KRB5_PADATA_##n, #n, 0, 0, f, NULL, NULL, NULL, NULL }
+ patype_salt(ETYPE_INFO2, pa_etype_info2),
+ patype_salt(ETYPE_INFO, pa_etype_info),
+ patype_salt(PW_SALT, pa_pw_or_afs3_salt),
+ patype_salt(AFS3_SALT, pa_pw_or_afs3_salt),
+#undef patype_salt
+ /* below are just for pretty printing */
+#define patype_info(n) { KRB5_PADATA_##n, #n, 0, 0, NULL, NULL, NULL, NULL, NULL }
+ patype_info(AUTHENTICATION_SET),
+ patype_info(AUTH_SET_SELECTED),
+ patype_info(FX_FAST),
+ patype_info(FX_ERROR),
+ patype_info(PKINIT_KX),
+ patype_info(PK_AS_REQ)
+#undef patype_info
+};
+
+static const char *
+get_pa_type_name(int type)
+{
+ size_t n;
+ for (n = 0; n < sizeof(patypes)/sizeof(patypes[0]); n++)
+ if (type == patypes[n].type)
+ return patypes[n].name;
+ return "unknown";
+}
+
+/*
+ *
+ */
+
+struct pa_auth_mech {
+ const struct patype *patype;
+ struct pa_auth_mech *next; /* when doing authentication sets */
+ char pactx[1];
+};
+
+/*
+ *
+ */
+
+static struct pa_info_data *
+process_pa_info(krb5_context context,
+ const krb5_principal client,
+ const AS_REQ *asreq,
+ struct pa_info_data *paid,
+ METHOD_DATA *md)
+{
+ struct pa_info_data *p = NULL;
+ PA_DATA *pa;
+ size_t i;
+
+ if (md == NULL)
+ return NULL;
+
+ for (i = 0; p == NULL && i < sizeof(patypes)/sizeof(patypes[0]); i++) {
+ int idx = 0;
+
+ if (patypes[i].salt_info == NULL)
+ continue;
+
+ pa = krb5_find_padata(md->val, md->len, patypes[i].type, &idx);
+ if (pa == NULL)
+ continue;
+
+ paid->salt.salttype = (krb5_salttype)patypes[i].type;
+ p = patypes[i].salt_info(context, client, asreq, paid, &pa->padata_value);
+ }
+ return p;
+}
+
+static krb5_error_code
+pa_announce(krb5_context context,
+ int types,
+ krb5_init_creds_context ctx,
+ METHOD_DATA *in_md,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret = 0;
+ size_t n;
+
+ for (n = 0; ret == 0 && n < sizeof(patypes)/sizeof(patypes[0]); n++) {
+ if ((patypes[n].flags & types) == 0)
+ continue;
+
+ if (patypes[n].step)
+ patypes[n].step(context, ctx, NULL, NULL, NULL, NULL, in_md, out_md);
+ else
+ ret = krb5_padata_add(context, out_md, patypes[n].type, NULL, 0);
+ }
+ return ret;
+}
+
+
+static void HEIM_CALLCONV
+mech_dealloc(void *ctx)
+{
+ struct pa_auth_mech *pa_mech = ctx;
+ if (pa_mech->patype->release)
+ pa_mech->patype->release((void *)&pa_mech->pactx[0]);
+}
+
+static const struct heim_type_data pa_auth_mech_object = {
+ HEIM_TID_PA_AUTH_MECH,
+ "heim-pa-mech-context",
+ NULL,
+ mech_dealloc,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+};
+
+static struct pa_auth_mech *
+pa_mech_create(krb5_context context, krb5_init_creds_context ctx, int pa_type)
+{
+ struct pa_auth_mech *pa_mech;
+ const struct patype *patype = NULL;
+ size_t n;
+
+ for (n = 0; patype == NULL && n < sizeof(patypes)/sizeof(patypes[0]); n++) {
+ if (patypes[n].type == pa_type)
+ patype = &patypes[n];
+ }
+ if (patype == NULL)
+ return NULL;
+
+ pa_mech = _heim_alloc_object(&pa_auth_mech_object, sizeof(*pa_mech) - 1 + patype->pa_ctx_size);
+ if (pa_mech == NULL)
+ return NULL;
+
+ pa_mech->patype = patype;
+
+ if (pa_mech->patype->configure) {
+ krb5_error_code ret;
+
+ ret = pa_mech->patype->configure(context, ctx, &pa_mech->pactx[0]);
+ if (ret) {
+ heim_release(pa_mech);
+ return NULL;
+ }
+ }
+
+ _krb5_debug(context, 5, "Adding PA mech: %s", patype->name);
+
+ return pa_mech;
+}
+
+static void
+pa_mech_add(krb5_context context, krb5_init_creds_context ctx, int pa_type)
+{
+ struct pa_auth_mech *mech;
+
+ mech = pa_mech_create(context, ctx, pa_type);
+ if (mech) {
+ heim_array_append_value(ctx->available_pa_mechs, mech);
+ heim_release(mech);
+ }
+}
+
+static krb5_error_code
+pa_configure(krb5_context context,
+ krb5_init_creds_context ctx,
+ METHOD_DATA *in_md)
+{
+ ctx->available_pa_mechs = heim_array_create();
+
+ if (ctx->gss_init_ctx) {
+ pa_mech_add(context, ctx, KRB5_PADATA_GSS);
+ } else if (ctx->pk_init_ctx) {
+ pa_mech_add(context, ctx, KRB5_PADATA_PK_AS_REP);
+ pa_mech_add(context, ctx, KRB5_PADATA_PK_AS_REP_19);
+ } else if (ctx->keyproc || ctx->keyseed || ctx->prompter) {
+ pa_mech_add(context, ctx, KRB5_PADATA_ENCRYPTED_CHALLENGE);
+ pa_mech_add(context, ctx, KRB5_PADATA_ENC_TIMESTAMP);
+ }
+ /* XXX setup context based on KDC reply */
+
+ return 0;
+}
+
+static krb5_error_code
+pa_restart(krb5_context context,
+ krb5_init_creds_context ctx)
+{
+ krb5_error_code ret = HEIM_ERR_PA_CANT_CONTINUE;
+
+ if (ctx->pa_mech && ctx->pa_mech->patype->restart)
+ ret = ctx->pa_mech->patype->restart(context, ctx, (void *)&ctx->pa_mech->pactx[0]);
+
+ return ret;
+}
+
+
+static krb5_error_code
+pa_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ const AS_REQ *a,
+ const AS_REP *rep,
+ METHOD_DATA *in_md,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret;
+ PA_DATA *pa = NULL;
+ int idx;
+
+ next:
+ do {
+ if (ctx->pa_mech == NULL) {
+ size_t len = heim_array_get_length(ctx->available_pa_mechs);
+ if (len == 0) {
+ _krb5_debug(context, 0, "no more available_pa_mechs to try");
+ return HEIM_ERR_NO_MORE_PA_MECHS;
+ }
+
+ ctx->pa_mech = heim_array_copy_value(ctx->available_pa_mechs, 0);
+ heim_array_delete_value(ctx->available_pa_mechs, 0);
+ }
+
+ if (ctx->fast_state.armor_crypto) {
+ if ((ctx->pa_mech->patype->flags & PA_F_FAST) == 0) {
+ _krb5_debug(context, 0, "pa-mech %s dropped under FAST (not supported)",
+ ctx->pa_mech->patype->name);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ continue;
+ }
+ } else {
+ if ((ctx->pa_mech->patype->flags & PA_F_NOT_FAST) == 0) {
+ _krb5_debug(context, 0, "dropped pa-mech %s since not running under FAST",
+ ctx->pa_mech->patype->name);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ continue;
+ }
+ }
+
+ _krb5_debug(context, 0, "pa-mech trying: %s, searching for %d",
+ ctx->pa_mech->patype->name, ctx->pa_mech->patype->type);
+
+ idx = 0;
+ if (in_md)
+ pa = krb5_find_padata(in_md->val, in_md->len, ctx->pa_mech->patype->type, &idx);
+ else
+ pa = NULL;
+
+ } while (ctx->pa_mech == NULL);
+
+ _krb5_debug(context, 5, "Stepping pa-mech: %s", ctx->pa_mech->patype->name);
+
+ ret = ctx->pa_mech->patype->step(context, ctx, (void *)&ctx->pa_mech->pactx[0], pa, a, rep, in_md, out_md);
+ _krb5_debug(context, 10, "PA type %s returned %d", ctx->pa_mech->patype->name, ret);
+ if (ret == 0) {
+ struct pa_auth_mech *next_pa = ctx->pa_mech->next;
+
+ if (next_pa) {
+ _krb5_debug(context, 5, "Next PA type in set is: %s",
+ next_pa->patype->name);
+ ret = HEIM_ERR_PA_CONTINUE_NEEDED;
+ } else if (rep == NULL) {
+ _krb5_debug(context, 5, "PA %s done, but no ticket in sight!!!",
+ ctx->pa_mech->patype->name);
+ ret = HEIM_ERR_PA_CANT_CONTINUE;
+ } else {
+ ctx->pa_used = ctx->pa_mech->patype->name;
+ }
+
+ heim_retain(next_pa);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = next_pa;
+ }
+
+ if (ret == HEIM_ERR_PA_CANT_CONTINUE) {
+ if (ctx->pa_mech) {
+ _krb5_debug(context, 5, "Dropping PA type %s", ctx->pa_mech->patype->name);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ }
+ goto next;
+ } else if (ret == HEIM_ERR_PA_CONTINUE_NEEDED) {
+ _krb5_debug(context, 5, "Continue needed for %s", ctx->pa_mech->patype->name);
+ } else if (ret != 0) {
+ _krb5_debug(context, 5, "Other error from mech %s: %d", ctx->pa_mech->patype->name, ret);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ }
+
+ return ret;
+}
+
+static void
+log_kdc_pa_types(krb5_context context, METHOD_DATA *in_md)
+{
+ if (_krb5_have_debug(context, 5)) {
+ unsigned i;
+ _krb5_debug(context, 5, "KDC sent %d patypes", in_md->len);
+ for (i = 0; i < in_md->len; i++)
+ _krb5_debug(context, 5, "KDC sent PA-DATA type: %d (%s)",
+ in_md->val[i].padata_type,
+ get_pa_type_name(in_md->val[i].padata_type));
+ }
+}
+
/*
* Assumes caller always will free `out_md', even on error.
*/
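Review bot: pa_announce discards the return value of `patypes[n].step(...)`, so errors from the PA_F_CONFIG steps never reach the caller. In particular, the `KRB5_PREAUTH_FAILED` that pa_fx_cookie_step returns when the KDC asked for more pre-authentication data without sending PA-FX-COOKIE (the RFC 6113 5.4.3 check) has no effect, and an allocation failure while mirroring the cookie is silently lost. Assigning the result, `ret = patypes[n].step(context, ctx, NULL, NULL, NULL, NULL, in_md, out_md);`, lets the existing `ret == 0` loop condition stop on the first failure. pa_pac_step, whose start is in the previous hunk, would still hide a failed `krb5_padata_add()` because it ends in `return 0;` after `free(buf)`; `return ret;` there fixes that.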
@@ -1191,191 +2362,119 @@ static krb5_error_code
process_pa_data_to_md(krb5_context context,
const krb5_creds *creds,
const AS_REQ *a,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
METHOD_DATA *in_md,
- METHOD_DATA **out_md,
- krb5_prompter_fct prompter,
- void *prompter_data)
+ METHOD_DATA **out_md)
{
krb5_error_code ret;
ALLOC(*out_md, 1);
- if (*out_md == NULL)
+ if (*out_md == NULL) {
return krb5_enomem(context);
-
+ }
(*out_md)->len = 0;
(*out_md)->val = NULL;
- if (_krb5_have_debug(context, 5)) {
- unsigned i;
- _krb5_debug(context, 5, "KDC send %d patypes", in_md->len);
- for (i = 0; i < in_md->len; i++)
- _krb5_debug(context, 5, "KDC send PA-DATA type: %d", in_md->val[i].padata_type);
+ log_kdc_pa_types(context, in_md);
+
+ ret = pa_step(context, ctx, a, NULL, in_md, *out_md);
+ if (ret == HEIM_ERR_PA_CONTINUE_NEEDED) {
+ _krb5_debug(context, 0, "pamech need more stepping");
+ } else if (ret == 0) {
+ _krb5_debug(context, 0, "pamech done step");
+ } else {
+ return ret;
}
/*
- * Make sure we don't sent both ENC-TS and PK-INIT pa data, no
- * need to expose our password protecting our PKCS12 key.
+ * Send announcement (what we support) and configuration (user
+ * introduced behavior change)
*/
+ ret = pa_announce(context, PA_F_ANNOUNCE|PA_F_CONFIG, ctx, in_md, *out_md);
- if (ctx->pk_init_ctx) {
-
- _krb5_debug(context, 5, "krb5_get_init_creds: "
- "prepareing PKINIT padata (%s)",
- (ctx->used_pa_types & USED_PKINIT_W2K) ? "win2k" : "ietf");
-
- if (ctx->used_pa_types & USED_PKINIT_W2K) {
- krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
- "Already tried pkinit, looping");
- return KRB5_GET_IN_TKT_LOOP;
- }
-
- ret = pa_data_to_md_pkinit(context, a, creds->client,
- (ctx->used_pa_types & USED_PKINIT),
- ctx, *out_md);
- if (ret)
- return ret;
-
- if (ctx->used_pa_types & USED_PKINIT)
- ctx->used_pa_types |= USED_PKINIT_W2K;
- else
- ctx->used_pa_types |= USED_PKINIT;
-
- } else if (in_md->len != 0) {
- struct pa_info_data *paid, *ppaid;
- unsigned flag;
-
- paid = calloc(1, sizeof(*paid));
- if (paid == NULL)
- return krb5_enomem(context);
-
- paid->etype = KRB5_ENCTYPE_NULL;
- ppaid = process_pa_info(context, creds->client, a, paid, in_md);
-
- if (ppaid)
- flag = USED_ENC_TS_INFO;
- else
- flag = USED_ENC_TS_GUESS;
-
- if (ctx->used_pa_types & flag) {
- if (ppaid)
- free_paid(context, ppaid);
- free(paid);
- krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
- "Already tried ENC-TS-%s, looping",
- flag == USED_ENC_TS_INFO ? "info" : "guess");
- return KRB5_GET_IN_TKT_LOOP;
- }
-
- pa_data_to_md_ts_enc(context, a, creds->client, ctx, ppaid, *out_md);
-
- ctx->used_pa_types |= flag;
-
- if (ppaid) {
- if (ctx->ppaid) {
- free_paid(context, ctx->ppaid);
- free(ctx->ppaid);
- }
- ctx->ppaid = ppaid;
- } else
- free(paid);
- }
-
- pa_data_add_pac_request(context, ctx, *out_md);
-
- if ((ctx->fast_state.flags & KRB5_FAST_DISABLED) == 0) {
- ret = krb5_padata_add(context, *out_md, KRB5_PADATA_REQ_ENC_PA_REP, NULL, 0);
- if (ret)
- return ret;
- }
+ /*
+ *
+ */
if ((*out_md)->len == 0) {
free(*out_md);
*out_md = NULL;
}
- return 0;
+ return ret;
}
static krb5_error_code
process_pa_data_to_key(krb5_context context,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
krb5_creds *creds,
AS_REQ *a,
AS_REP *rep,
- const krb5_krbhst_info *hi,
krb5_keyblock **key)
{
struct pa_info_data paid, *ppaid = NULL;
krb5_error_code ret;
- krb5_enctype etype;
- PA_DATA *pa;
+ krb5_enctype etype = rep->enc_part.etype;
memset(&paid, 0, sizeof(paid));
- etype = rep->enc_part.etype;
+ if (rep->padata)
+ log_kdc_pa_types(context, rep->padata);
if (rep->padata) {
paid.etype = etype;
ppaid = process_pa_info(context, creds->client, a, &paid,
rep->padata);
}
- if (ppaid == NULL)
- ppaid = ctx->ppaid;
if (ppaid == NULL) {
- ret = krb5_get_pw_salt (context, creds->client, &paid.salt);
- if (ret)
- return ret;
- paid.etype = etype;
- paid.s2kparams = NULL;
- ppaid = &paid;
- }
-
- pa = NULL;
- if (rep->padata) {
- int idx = 0;
- pa = krb5_find_padata(rep->padata->val,
- rep->padata->len,
- KRB5_PADATA_PK_AS_REP,
- &idx);
- if (pa == NULL) {
- idx = 0;
- pa = krb5_find_padata(rep->padata->val,
- rep->padata->len,
- KRB5_PADATA_PK_AS_REP_19,
- &idx);
+ if (ctx->paid.etype == KRB5_ENCTYPE_NULL) {
+ ctx->paid.etype = etype;
+ ctx->paid.s2kparams = NULL;
+ ret = krb5_get_pw_salt (context, creds->client, &ctx->paid.salt);
+ if (ret)
+ return ret;
}
}
- if (pa && ctx->pk_init_ctx) {
-#ifdef PKINIT
- _krb5_debug(context, 5, "krb5_get_init_creds: using PKINIT");
- ret = _krb5_pk_rd_pa_reply(context,
- a->req_body.realm,
- ctx->pk_init_ctx,
- etype,
- hi,
- ctx->pk_nonce,
- &ctx->req_buffer,
- pa,
- key);
-#else
- ret = EINVAL;
- krb5_set_error_message(context, ret, N_("no support for PKINIT compiled in", ""));
-#endif
- } else if (ctx->keyseed) {
- _krb5_debug(context, 5, "krb5_get_init_creds: using keyproc");
- ret = pa_data_to_key_plain(context, creds->client, ctx,
- ppaid->salt, ppaid->s2kparams, etype, key);
+ ret = pa_step(context, ctx, a, rep, rep->padata, NULL);
+ if (ret == HEIM_ERR_PA_CONTINUE_NEEDED) {
+ _krb5_debug(context, 0, "In final stretch and pa require more stepping ?");
+ return ret;
+ } else if (ret == 0) {
+ _krb5_debug(context, 0, "final pamech done step");
+ goto out;
} else {
- ret = EINVAL;
- krb5_set_error_message(context, ret, N_("No usable pa data type", ""));
+ return ret;
}
-
+ out:
free_paid(context, &paid);
return ret;
}
+/*
+ *
+ */
+
+static krb5_error_code
+capture_lkdc_domain(krb5_context context,
+ krb5_init_creds_context ctx)
+{
+ size_t len;
+
+ len = strlen(_krb5_wellknown_lkdc);
+
+ if (ctx->kdc_hostname != NULL ||
+ strncmp(ctx->cred.client->realm, _krb5_wellknown_lkdc, len) != 0 ||
+ ctx->cred.client->realm[len] != ':')
+ return 0;
+
+ ctx->kdc_hostname = strdup(&ctx->cred.client->realm[len + 1]);
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: setting LKDC hostname to: %s",
+ ctx->kdc_hostname);
+ return 0;
+}
+
/**
* Start a new context to get a new initial credential.
*
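Review bot: The error returns in the new process_pa_data_to_key body skip the `out:` label, so `free_paid(context, &paid)` runs only when pa_step() returns 0. If process_pa_info() stored a salt or s2kparams in `paid` (its body is not in this hunk, so that is an assumption), they are leaked on HEIM_ERR_PA_CONTINUE_NEEDED and on every other error. Letting all three branches fall through to `out:` with `ret` set would restore the single exit the old code had. Separately, capture_lkdc_domain() does not check `strdup()`: on allocation failure it passes NULL to the `%s` in the debug call and still returns 0, so `if (ctx->kdc_hostname == NULL) return krb5_enomem(context);` belongs right after the assignment.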
@@ -1412,13 +2511,15 @@ krb5_init_creds_init(krb5_context context,
if (ctx == NULL)
return krb5_enomem(context);
- ret = get_init_creds_common(context, client, start_time, options, ctx);
+ ret = get_init_creds_common(context, client, prompter, prompter_data,
+ start_time, options, ctx);
if (ret) {
free(ctx);
return ret;
}
/* Set a new nonce. */
+ /* FIXME should generate a new nonce for each AS-REQ */
krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
ctx->nonce &= 0x7fffffff;
/* XXX these just needs to be the same when using Windows PK-INIT */
@@ -1427,12 +2528,66 @@ krb5_init_creds_init(krb5_context context,
ctx->prompter = prompter;
ctx->prompter_data = prompter_data;
+ /* pick up hostname from LKDC realm name */
+ ret = capture_lkdc_domain(context, ctx);
+ if (ret) {
+ free_init_creds_ctx(context, ctx);
+ return ret;
+ }
+
+ ctx->runflags.allow_enc_pa_rep = 1;
+
+ ctx->fast_state.flags |= KRB5_FAST_AS_REQ;
+
*rctx = ctx;
return ret;
}
/**
+ * Set the KDC hostname for the initial request, it will not be
+ * considered in referrals to another KDC.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx a krb5_init_creds_context context.
+ * @param hostname the hostname for the KDC of realm
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
+ * @ingroup krb5_credential
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_init_creds_set_kdc_hostname(krb5_context context,
+ krb5_init_creds_context ctx,
+ const char *hostname)
+{
+ if (ctx->kdc_hostname)
+ free(ctx->kdc_hostname);
+ ctx->kdc_hostname = strdup(hostname);
+ if (ctx->kdc_hostname == NULL)
+ return krb5_enomem(context);
+ return 0;
+}
+
+/**
+ * Set the sitename for the request
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_init_creds_set_sitename(krb5_context context,
+ krb5_init_creds_context ctx,
+ const char *sitename)
+{
+ if (ctx->sitename)
+ free(ctx->sitename);
+ ctx->sitename = strdup(sitename);
+ if (ctx->sitename == NULL)
+ return krb5_enomem(context);
+ return 0;
+}
+
+/**
* Sets the service that the is requested. This call is only neede for
* special initial tickets, by default the a krbtgt is fetched in the default realm.
*
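Review bot: Both new setters hand their string argument straight to `strdup()`, so a NULL `hostname` or `sitename` is undefined behaviour rather than an error. A guard such as `if (hostname == NULL) return EINVAL;` should come before the free, or an explicit branch where NULL clears the field, whichever the API intends. They are also declared `krb5_error_code KRB5_LIB_FUNCTION` without `KRB5_LIB_CALL`, unlike `krb5_init_creds_set_fast_ap_armor_service` later in the file, and the doc comment of krb5_init_creds_set_sitename lacks the `@param`/`@return`/`@ingroup` lines its sibling has. In krb5_init_creds_init the new failure path calls `free_init_creds_ctx(context, ctx)` where the earlier one calls `free(ctx)`; if free_init_creds_ctx releases only the members (not visible here), `ctx` itself is leaked on that path.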
@@ -1461,7 +2616,11 @@ krb5_init_creds_set_service(krb5_context context,
ret = krb5_parse_name (context, service, &principal);
if (ret)
return ret;
- krb5_principal_set_realm (context, principal, client_realm);
+ ret = krb5_principal_set_realm (context, principal, client_realm);
+ if (ret) {
+ krb5_free_principal(context, principal);
+ return ret;
+ }
} else {
ret = krb5_make_principal(context, &principal,
client_realm, KRB5_TGS_NAME, client_realm,
@@ -1531,23 +2690,23 @@ keytab_key_proc(krb5_context context, krb5_enctype enctype,
krb5_keytab keytab = args->keytab;
krb5_principal principal = args->principal;
krb5_error_code ret;
- krb5_keytab real_keytab;
+ krb5_keytab real_keytab = NULL;
krb5_keytab_entry entry;
- if(keytab == NULL)
- krb5_kt_default(context, &real_keytab);
- else
- real_keytab = keytab;
+ if (keytab == NULL) {
+ ret = krb5_kt_default(context, &real_keytab);
+ if (ret)
+ return ret;
+ keytab = real_keytab;
+ }
- ret = krb5_kt_get_entry (context, real_keytab, principal,
- 0, enctype, &entry);
+ ret = krb5_kt_get_entry (context, keytab, principal, 0, enctype, &entry);
if (ret == 0) {
ret = krb5_copy_keyblock(context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
}
- if (keytab == NULL)
- krb5_kt_close (context, real_keytab);
+ krb5_kt_close(context, real_keytab);
return ret;
}
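Review bot: `krb5_kt_close(context, real_keytab)` is now called unconditionally, so when the caller supplied `args->keytab` it is invoked with NULL. That is only safe if krb5_kt_close() tolerates a NULL keytab, which this hunk does not show; `if (real_keytab) krb5_kt_close(context, real_keytab);` keeps the cleanup independent of that. The function starts above the hunk.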
@@ -1575,6 +2734,7 @@ krb5_init_creds_set_keytab(krb5_context context,
krb5_error_code ret;
size_t netypes = 0;
int kvno = 0, found = 0;
+ unsigned n;
a = malloc(sizeof(*a));
if (a == NULL)
@@ -1621,6 +2781,19 @@ krb5_init_creds_set_keytab(krb5_context context,
if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0)
goto next;
+ /*
+ * If user already provided a enctype list, use that as an
+ * additonal filter.
+ */
+ if (ctx->etypes) {
+ for (n = 0; ctx->etypes[n] != KRB5_ENCTYPE_NULL; n++) {
+ if (ctx->etypes[n] == entry.keyblock.keytype)
+ break;
+ }
+ if (ctx->etypes[n] == KRB5_ENCTYPE_NULL)
+ goto next;
+ }
+
/* add enctype to supported list */
ptr = realloc(etypes, sizeof(etypes[0]) * (netypes + 2));
if (ptr == NULL) {
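Review bot: The new filter comment has two typos ("a enctype", "additonal") and does not state what the loop depends on, namely that `ctx->etypes` is terminated by `KRB5_ENCTYPE_NULL`. I would write it as `/* If the caller supplied an enctype list (KRB5_ENCTYPE_NULL-terminated), use it as an additional filter on keytab entries. */`. What happens when the filter rejects every keytab entry is decided outside this hunk and is worth checking for a clear error.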
@@ -1681,9 +2854,42 @@ krb5_init_creds_set_fast_ccache(krb5_context context,
{
ctx->fast_state.armor_ccache = fast_ccache;
ctx->fast_state.flags |= KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags |= KRB5_FAST_KDC_VERIFIED;
return 0;
}
+static krb5_error_code
+validate_pkinit_fx(krb5_context context,
+ krb5_init_creds_context ctx,
+ AS_REP *rep,
+ krb5_keyblock *ticket_sessionkey)
+{
+ PA_DATA *pa = NULL;
+ int idx = 0;
+
+ if (rep->padata)
+ pa = krb5_find_padata(rep->padata->val, rep->padata->len, KRB5_PADATA_PKINIT_KX, &idx);
+
+ if (pa == NULL) {
+ if (ctx->flags.request_anonymous && ctx->pk_init_ctx) {
+ /* XXX handle the case where pkinit is not used */
+ krb5_set_error_message(context, KRB5_KDCREP_MODIFIED,
+ N_("Requested anonymous with PKINIT and KDC didn't set PKINIT_KX", ""));
+ return KRB5_KDCREP_MODIFIED;
+ }
+
+ return 0;
+ }
+
+ heim_assert(ctx->fast_state.reply_key != NULL, "must have a reply key at this stage");
+
+ return _krb5_pk_kx_confirm(context,
+ ctx->pk_init_ctx,
+ ctx->fast_state.reply_key,
+ ticket_sessionkey,
+ pa);
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_creds_set_fast_ap_armor_service(krb5_context context,
krb5_init_creds_context ctx,
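Review bot: validate_pkinit_fx() calls `_krb5_pk_kx_confirm()` whenever the reply carries PA-PKINIT-KX, without checking `ctx->pk_init_ctx`, whereas the code it replaces in krb5_init_creds_step ran the confirmation only under `ctx->pk_init_ctx`. The padata comes from the KDC side, so a reply to a non-PKINIT request can reach this call with a NULL PKINIT context. Unless _krb5_pk_kx_confirm() handles that (not visible here), add a guard before the assert: either `if (ctx->pk_init_ctx == NULL) return 0;` to keep the old behaviour, or a KRB5_KDCREP_MODIFIED rejection. The `heim_assert` on `reply_key` also turns a state the reply path can influence into a process abort; returning an error would be kinder to library callers.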
@@ -1700,503 +2906,92 @@ krb5_init_creds_set_fast_ap_armor_service(krb5_context context,
} else {
ctx->fast_state.armor_service = NULL;
}
- ctx->fast_state.flags |= KRB5_FAST_REQUIRED | KRB5_FAST_AP_ARMOR_SERVICE;
+ ctx->fast_state.flags |= KRB5_FAST_AP_ARMOR_SERVICE;
return 0;
}
-/*
- * FAST
- */
-
-static krb5_error_code
-check_fast(krb5_context context, struct fast_state *state)
-{
- if (state->flags & KRB5_FAST_EXPECTED) {
- krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
- "Expected FAST, but no FAST "
- "was in the response from the KDC");
- return KRB5KRB_AP_ERR_MODIFIED;
- }
- return 0;
-}
-
-
-static krb5_error_code
-fast_unwrap_as_rep(krb5_context context, int32_t nonce,
- krb5_data *chksumdata,
- struct fast_state *state, AS_REP *rep)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_fast_anon_pkinit(krb5_context context,
+ krb5_init_creds_context ctx)
{
- PA_FX_FAST_REPLY fxfastrep;
- KrbFastResponse fastrep;
- krb5_error_code ret;
- PA_DATA *pa = NULL;
- int idx = 0;
-
- if (state->armor_crypto == NULL || rep->padata == NULL)
- return check_fast(context, state);
-
- /* find PA_FX_FAST_REPLY */
-
- pa = krb5_find_padata(rep->padata->val, rep->padata->len,
- KRB5_PADATA_FX_FAST, &idx);
- if (pa == NULL)
- return check_fast(context, state);
-
- memset(&fxfastrep, 0, sizeof(fxfastrep));
- memset(&fastrep, 0, sizeof(fastrep));
-
- ret = decode_PA_FX_FAST_REPLY(pa->padata_value.data, pa->padata_value.length, &fxfastrep, NULL);
- if (ret)
- return ret;
-
- if (fxfastrep.element == choice_PA_FX_FAST_REPLY_armored_data) {
- krb5_data data;
- ret = krb5_decrypt_EncryptedData(context,
- state->armor_crypto,
- KRB5_KU_FAST_REP,
- &fxfastrep.u.armored_data.enc_fast_rep,
- &data);
- if (ret)
- goto out;
-
- ret = decode_KrbFastResponse(data.data, data.length, &fastrep, NULL);
- krb5_data_free(&data);
- if (ret)
- goto out;
-
- } else {
- ret = KRB5KDC_ERR_PREAUTH_FAILED;
- goto out;
- }
-
- free_METHOD_DATA(rep->padata);
- ret = copy_METHOD_DATA(&fastrep.padata, rep->padata);
- if (ret)
- goto out;
-
- if (fastrep.strengthen_key) {
- if (state->strengthen_key)
- krb5_free_keyblock(context, state->strengthen_key);
-
- ret = krb5_copy_keyblock(context, fastrep.strengthen_key, &state->strengthen_key);
- if (ret)
- goto out;
- }
-
- if (nonce != fastrep.nonce) {
- ret = KRB5KDC_ERR_PREAUTH_FAILED;
- goto out;
- }
- if (fastrep.finished) {
- PrincipalName cname;
- krb5_realm crealm = NULL;
+ if (ctx->fast_state.armor_ccache)
+ return EINVAL;
- if (chksumdata == NULL) {
- ret = KRB5KDC_ERR_PREAUTH_FAILED;
- goto out;
- }
-
- ret = krb5_verify_checksum(context, state->armor_crypto,
- KRB5_KU_FAST_FINISHED,
- chksumdata->data, chksumdata->length,
- &fastrep.finished->ticket_checksum);
- if (ret)
- goto out;
-
- /* update */
- ret = copy_Realm(&fastrep.finished->crealm, &crealm);
- if (ret)
- goto out;
- free_Realm(&rep->crealm);
- rep->crealm = crealm;
-
- ret = copy_PrincipalName(&fastrep.finished->cname, &cname);
- if (ret)
- goto out;
- free_PrincipalName(&rep->cname);
- rep->cname = cname;
-
-#if 0 /* store authenticated checksum as kdc-offset */
- fastrep->finished.timestamp;
- fastrep->finished.usec = 0;
-#endif
-
- } else if (chksumdata) {
- /* expected fastrep.finish but didn't get it */
- ret = KRB5KDC_ERR_PREAUTH_FAILED;
- }
-
- out:
- free_PA_FX_FAST_REPLY(&fxfastrep);
-
- return ret;
+ ctx->fast_state.flags |= KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags |= KRB5_FAST_ANON_PKINIT_ARMOR;
+ return 0;
}
-static krb5_error_code
-fast_unwrap_error(krb5_context context, struct fast_state *state, KRB_ERROR *error)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_init_creds_set_fast_anon_pkinit_optimistic(krb5_context context,
+ krb5_init_creds_context ctx)
{
- if (state->armor_crypto == NULL)
- return check_fast(context, state);
+ if (ctx->fast_state.armor_ccache)
+ return EINVAL;
+ ctx->fast_state.flags |= KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags |= KRB5_FAST_ANON_PKINIT_ARMOR;
+ ctx->fast_state.flags |= KRB5_FAST_OPTIMISTIC;
return 0;
}
-krb5_error_code
-_krb5_make_fast_ap_fxarmor(krb5_context context,
- krb5_ccache armor_ccache,
- krb5_data *armor_value,
- krb5_keyblock *armor_key,
- krb5_crypto *armor_crypto)
-{
- krb5_auth_context auth_context = NULL;
- krb5_creds cred, *credp = NULL;
- krb5_error_code ret;
- krb5_data empty;
-
- krb5_data_zero(&empty);
-
- memset(&cred, 0, sizeof(cred));
-
- ret = krb5_auth_con_init (context, &auth_context);
- if (ret)
- goto out;
-
- ret = krb5_cc_get_principal(context, armor_ccache, &cred.client);
- if (ret)
- goto out;
-
- ret = krb5_make_principal(context, &cred.server,
- cred.client->realm,
- KRB5_TGS_NAME,
- cred.client->realm,
- NULL);
- if (ret) {
- krb5_free_principal(context, cred.client);
- goto out;
- }
-
- ret = krb5_get_credentials(context, 0, armor_ccache, &cred, &credp);
- krb5_free_principal(context, cred.server);
- krb5_free_principal(context, cred.client);
- if (ret)
- goto out;
-
- ret = krb5_auth_con_add_AuthorizationData(context, auth_context, KRB5_PADATA_FX_FAST_ARMOR, &empty);
- if (ret)
- goto out;
-
- ret = krb5_mk_req_extended(context,
- &auth_context,
- AP_OPTS_USE_SUBKEY,
- NULL,
- credp,
- armor_value);
- krb5_free_creds(context, credp);
- if (ret)
- goto out;
-
- ret = _krb5_fast_armor_key(context,
- auth_context->local_subkey,
- auth_context->keyblock,
- armor_key,
- armor_crypto);
- if (ret)
- goto out;
-
- out:
- krb5_auth_con_free(context, auth_context);
- return ret;
-}
-
-#ifndef WIN32
-static heim_base_once_t armor_service_once = HEIM_BASE_ONCE_INIT;
-static heim_ipc armor_service = NULL;
-
-static void
-fast_armor_init_ipc(void *ctx)
+static size_t
+available_padata_count(METHOD_DATA *md)
{
- heim_ipc *ipc = ctx;
- heim_ipc_init_context("ANY:org.h5l.armor-service", ipc);
-}
-#endif /* WIN32 */
-
-
-static krb5_error_code
-make_fast_ap_fxarmor(krb5_context context,
- struct fast_state *state,
- const char *realm,
- KrbFastArmor **armor)
-{
- KrbFastArmor *fxarmor = NULL;
- krb5_error_code ret;
-
- if (state->armor_crypto)
- krb5_crypto_destroy(context, state->armor_crypto);
- krb5_free_keyblock_contents(context, &state->armor_key);
-
-
- ALLOC(fxarmor, 1);
- if (fxarmor == NULL)
- return krb5_enomem(context);
-
- if (state->flags & KRB5_FAST_AP_ARMOR_SERVICE) {
-#ifdef WIN32
- krb5_set_error_message(context, ENOTSUP, "Fast armor IPC service not supportted yet on Windows");
- ret = ENOTSUP;
- goto out;
-#else /* WIN32 */
- KERB_ARMOR_SERVICE_REPLY msg;
- krb5_data request, reply;
-
- heim_base_once_f(&armor_service_once, &armor_service, fast_armor_init_ipc);
- if (armor_service == NULL) {
- krb5_set_error_message(context, ENOENT, "Failed to open fast armor service");
- ret = ENOENT;
- goto out;
- }
-
- krb5_data_zero(&reply);
+ size_t i, count = 0;
- request.data = rk_UNCONST(realm);
- request.length = strlen(realm);
+ for (i = 0; i < md->len; i++) {
+ PA_DATA *pa = &md->val[i];
- ret = heim_ipc_call(armor_service, &request, &reply, NULL);
- heim_release(send);
- if (ret) {
- krb5_set_error_message(context, ret, "Failed to get armor service credential");
- goto out;
- }
-
- ret = decode_KERB_ARMOR_SERVICE_REPLY(reply.data, reply.length, &msg, NULL);
- krb5_data_free(&reply);
- if (ret)
- goto out;
-
- ret = copy_KrbFastArmor(fxarmor, &msg.armor);
- if (ret) {
- free_KERB_ARMOR_SERVICE_REPLY(&msg);
- goto out;
- }
-
- ret = krb5_copy_keyblock_contents(context, &msg.armor_key, &state->armor_key);
- free_KERB_ARMOR_SERVICE_REPLY(&msg);
- if (ret)
- goto out;
-
- ret = krb5_crypto_init(context, &state->armor_key, 0, &state->armor_crypto);
- if (ret)
- goto out;
-#endif /* WIN32 */
- } else {
-
- fxarmor->armor_type = 1;
+ if (pa->padata_type == KRB5_PADATA_FX_COOKIE ||
+ pa->padata_type == KRB5_PADATA_FX_ERROR)
+ continue;
- ret = _krb5_make_fast_ap_fxarmor(context,
- state->armor_ccache,
- &fxarmor->armor_value,
- &state->armor_key,
- &state->armor_crypto);
- if (ret)
- goto out;
+ count++;
}
-
- *armor = fxarmor;
- fxarmor = NULL;
- out:
- if (fxarmor) {
- free_KrbFastArmor(fxarmor);
- free(fxarmor);
- }
- return ret;
+ return count;
}
static krb5_error_code
-fast_wrap_req(krb5_context context, struct fast_state *state, KDC_REQ *req)
-{
- KrbFastArmor *fxarmor = NULL;
- PA_FX_FAST_REQUEST fxreq;
- krb5_error_code ret;
- KrbFastReq fastreq;
- krb5_data data;
- size_t size;
-
- if (state->flags & KRB5_FAST_DISABLED) {
- _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping");
- return 0;
- }
-
- memset(&fxreq, 0, sizeof(fxreq));
- memset(&fastreq, 0, sizeof(fastreq));
- krb5_data_zero(&data);
-
- if (state->armor_crypto == NULL) {
- if (state->armor_ccache) {
- /*
- * Instead of keeping state in FX_COOKIE in the KDC, we
- * rebuild a new armor key for every request, because this
- * is what the MIT KDC expect and RFC6113 is vage about
- * what the behavior should be.
- */
- state->type = choice_PA_FX_FAST_REQUEST_armored_data;
- } else {
- return check_fast(context, state);
- }
- }
-
- state->flags |= KRB5_FAST_EXPECTED;
-
- fastreq.fast_options.hide_client_names = 1;
-
- ret = copy_KDC_REQ_BODY(&req->req_body, &fastreq.req_body);
- free_KDC_REQ_BODY(&req->req_body);
-
- req->req_body.realm = strdup(KRB5_ANON_REALM);
- if ((ALLOC(req->req_body.cname, 1)) != NULL) {
- req->req_body.cname->name_type = KRB5_NT_WELLKNOWN;
- if ((ALLOC(req->req_body.cname->name_string.val, 2)) != NULL) {
- req->req_body.cname->name_string.len = 2;
- req->req_body.cname->name_string.val[0] = strdup(KRB5_WELLKNOWN_NAME);
- req->req_body.cname->name_string.val[1] = strdup(KRB5_ANON_NAME);
- if (req->req_body.cname->name_string.val[0] == NULL ||
- req->req_body.cname->name_string.val[1] == NULL)
- ret = krb5_enomem(context);
- } else
- ret = krb5_enomem(context);
- } else
- ret = krb5_enomem(context);
- if ((ALLOC(req->req_body.till, 1)) != NULL)
- *req->req_body.till = 0;
- else
- ret = krb5_enomem(context);
- if (ret)
- goto out;
-
- if (req->padata) {
- ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
- free_METHOD_DATA(req->padata);
- } else {
- if ((ALLOC(req->padata, 1)) == NULL)
- ret = krb5_enomem(context);
- }
- if (ret)
- goto out;
-
- ASN1_MALLOC_ENCODE(KrbFastReq, data.data, data.length, &fastreq, &size, ret);
- if (ret)
- goto out;
- heim_assert(data.length == size, "ASN.1 internal error");
-
- fxreq.element = state->type;
-
- if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
- size_t len;
- void *buf;
-
- ret = make_fast_ap_fxarmor(context, state, fastreq.req_body.realm, &fxreq.u.armored_data.armor);
- if (ret)
- goto out;
-
- heim_assert(state->armor_crypto != NULL, "FAST armor key missing when FAST started");
-
- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, len, &req->req_body, &size, ret);
- if (ret)
- goto out;
- heim_assert(len == size, "ASN.1 internal error");
-
- ret = krb5_create_checksum(context, state->armor_crypto,
- KRB5_KU_FAST_REQ_CHKSUM, 0,
- buf, len,
- &fxreq.u.armored_data.req_checksum);
- free(buf);
- if (ret)
- goto out;
-
- ret = krb5_encrypt_EncryptedData(context, state->armor_crypto,
- KRB5_KU_FAST_ENC,
- data.data,
- data.length,
- 0,
- &fxreq.u.armored_data.enc_fast_req);
- krb5_data_free(&data);
- if (ret)
- goto out;
-
- } else {
- krb5_data_free(&data);
- heim_assert(false, "unknown FAST type, internal error");
- }
-
- ASN1_MALLOC_ENCODE(PA_FX_FAST_REQUEST, data.data, data.length, &fxreq, &size, ret);
- if (ret)
- goto out;
- heim_assert(data.length == size, "ASN.1 internal error");
-
-
- ret = krb5_padata_add(context, req->padata, KRB5_PADATA_FX_FAST, data.data, data.length);
- if (ret)
- goto out;
- krb5_data_zero(&data);
-
- out:
- free_PA_FX_FAST_REQUEST(&fxreq);
- free_KrbFastReq(&fastreq);
- if (fxarmor) {
- free_KrbFastArmor(fxarmor);
- free(fxarmor);
- }
- krb5_data_free(&data);
-
- return ret;
-}
-
-
-/**
- * The core loop if krb5_get_init_creds() function family. Create the
- * packets and have the caller send them off to the KDC.
- *
- * If the caller want all work been done for them, use
- * krb5_init_creds_get() instead.
- *
- * @param context a Kerberos 5 context.
- * @param ctx ctx krb5_init_creds_context context.
- * @param in input data from KDC, first round it should be reset by krb5_data_zer().
- * @param out reply to KDC.
- * @param hostinfo KDC address info, first round it can be NULL.
- * @param flags status of the round, if
- * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
- *
- * @return 0 for success, or an Kerberos 5 error code, see
- * krb5_get_error_message().
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_step(krb5_context context,
- krb5_init_creds_context ctx,
- krb5_data *in,
- krb5_data *out,
- krb5_krbhst_info *hostinfo,
- unsigned int *flags)
+init_creds_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ const krb5_data *in,
+ krb5_data *out,
+ krb5_realm *out_realm,
+ unsigned int *flags)
{
+ struct timeval start_time, end_time;
+ krb5_data checksum_data;
krb5_error_code ret;
size_t len = 0;
size_t size;
AS_REQ req2;
+ gettimeofday(&start_time, NULL);
+
krb5_data_zero(out);
+ *out_realm = NULL;
+ krb5_data_zero(&checksum_data);
if (ctx->as_req.req_body.cname == NULL) {
ret = init_as_req(context, ctx->flags, &ctx->cred,
ctx->addrs, ctx->etypes, &ctx->as_req);
- if (ret) {
- free_init_creds_ctx(context, ctx);
+ if (ret)
return ret;
- }
+ if (ctx->fast_state.flags & KRB5_FAST_REQUIRED)
+ ;
+ else if (ctx->fast_state.flags & KRB5_FAST_AP_ARMOR_SERVICE)
+ /* Check with armor service if there is FAST */;
+ else
+ ctx->fast_state.flags |= KRB5_FAST_DISABLED;
+
+
+ /* XXX should happen after we get back reply from KDC */
+ pa_configure(context, ctx, NULL);
}
-#define MAX_PA_COUNTER 10
+#define MAX_PA_COUNTER 15
if (ctx->pa_counter > MAX_PA_COUNTER) {
krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
N_("Looping %d times while getting "
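Review bot: With `KRB5_FAST_REQUIRED` dropped from krb5_init_creds_set_fast_ap_armor_service, the only handling of `KRB5_FAST_AP_ARMOR_SERVICE` in this hunk's init_creds_step code is an empty statement behind the comment "Check with armor service if there is FAST". Nothing here therefore requires or disables FAST for that configuration. If the armor-service lookup is not implemented elsewhere, a context that used to insist on FAST can now proceed without it; either keep the requirement until the check exists or state the intended fallback in the comment. The bare `;` bodies would read better as braced blocks with a comment, e.g. `{ /* FAST required: leave flags alone */ }`. krb5_init_creds_set_fast_anon_pkinit and its `_optimistic` variant also duplicate the same guard and flag assignments, so the latter could call the former and then add `KRB5_FAST_OPTIMISTIC`.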
@@ -2230,8 +3025,8 @@ krb5_init_creds_step(krb5_context context,
goto out;
heim_assert(data.length == size, "ASN.1 internal error");
- ret = fast_unwrap_as_rep(context, ctx->nonce, &data,
- &ctx->fast_state, &rep.kdc_rep);
+ ret = _krb5_fast_unwrap_kdc_rep(context, ctx->nonce, &data,
+ &ctx->fast_state, &rep.kdc_rep);
krb5_data_free(&data);
if (ret)
goto out;
@@ -2251,12 +3046,35 @@ krb5_init_creds_step(krb5_context context,
ret = process_pa_data_to_key(context, ctx, &ctx->cred,
&ctx->as_req, &rep.kdc_rep,
- hostinfo, &ctx->fast_state.reply_key);
+ &ctx->fast_state.reply_key);
if (ret) {
free_AS_REP(&rep.kdc_rep);
goto out;
}
+ if (ctx->fast_state.strengthen_key) {
+ krb5_keyblock result;
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: FAST strengthen_key");
+
+ ret = _krb5_fast_cf2(context,
+ ctx->fast_state.strengthen_key,
+ "strengthenkey",
+ ctx->fast_state.reply_key,
+ "replykey",
+ &result,
+ NULL);
+ if (ret) {
+ free_AS_REP(&rep.kdc_rep);
+ goto out;
+ }
+
+ ctx->runflags.allow_save_as_reply_key = 1;
+
+ krb5_free_keyblock_contents(context, ctx->fast_state.reply_key);
+ *ctx->fast_state.reply_key = result;
+ }
+
_krb5_debug(context, 5, "krb5_get_init_creds: extracting ticket");
ret = _krb5_extract_ticket(context,
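Review bot: `ctx->fast_state.reply_key` is dereferenced in the new strengthen-key code (passed to `_krb5_fast_cf2()` and then assigned through) with no NULL check. The rewritten process_pa_data_to_key earlier in this patch no longer writes through its `key` argument, so a non-NULL reply key depends entirely on what pa_step() did. The same applies to `ctx->as_enctype = ctx->fast_state.reply_key->keytype;` in the next hunk, which also runs when `ret` is already non-zero. A check right after process_pa_data_to_key() returns, which frees `rep.kdc_rep` and jumps to `out` with an error when the key is missing, would cover both uses.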
@@ -2271,42 +3089,40 @@ krb5_init_creds_step(krb5_context context,
&ctx->req_buffer,
NULL,
NULL);
- if (ret == 0 && ctx->pk_init_ctx) {
- PA_DATA *pa_pkinit_kx;
- int idx = 0;
-
- pa_pkinit_kx =
- krb5_find_padata(rep.kdc_rep.padata->val,
- rep.kdc_rep.padata->len,
- KRB5_PADATA_PKINIT_KX,
- &idx);
-
- ret = _krb5_pk_kx_confirm(context, ctx->pk_init_ctx,
- ctx->fast_state.reply_key,
- &ctx->cred.session,
- pa_pkinit_kx);
- if (ret)
- krb5_set_error_message(context, ret,
- N_("Failed to confirm PA-PKINIT-KX", ""));
- else if (pa_pkinit_kx != NULL)
- ctx->ic_flags |= KRB5_INIT_CREDS_PKINIT_KX_VALID;
- }
+
if (ret == 0)
ret = copy_EncKDCRepPart(&rep.enc_part, &ctx->enc_part);
+ if (ret == 0)
+ ret = validate_pkinit_fx(context, ctx, &rep.kdc_rep, &ctx->cred.session);
- krb5_free_keyblock(context, ctx->fast_state.reply_key);
- ctx->fast_state.reply_key = NULL;
+ ctx->as_enctype = ctx->fast_state.reply_key->keytype;
+
+ if (ctx->runflags.allow_save_as_reply_key) {
+ ctx->as_reply_key = ctx->fast_state.reply_key;
+ ctx->fast_state.reply_key = NULL;
+ } else {
+ krb5_free_keyblock(context, ctx->fast_state.reply_key);
+ ctx->fast_state.reply_key = NULL;
+ }
+ ctx->ic_flags |= KRB5_INIT_CREDS_DONE;
*flags = 0;
free_AS_REP(&rep.kdc_rep);
free_EncASRepPart(&rep.enc_part);
+ gettimeofday(&end_time, NULL);
+ timevalsub(&end_time, &start_time);
+ timevaladd(&ctx->stats.run_time, &end_time);
+
+ _krb5_debug(context, 1, "krb5_get_init_creds: wc: %lld.%06ld",
+ (long long)ctx->stats.run_time.tv_sec,
+ (long)ctx->stats.run_time.tv_usec);
return ret;
} else {
/* let's try to parse it as a KRB-ERROR */
- _krb5_debug(context, 5, "krb5_get_init_creds: got an error");
+ _krb5_debug(context, 5, "krb5_get_init_creds: got an KRB-ERROR from KDC");
free_KRB_ERROR(&ctx->error);
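Review bot: Everything after `_krb5_extract_ticket()` now runs regardless of `ret`: `KRB5_INIT_CREDS_DONE` is set and, when `allow_save_as_reply_key` is on, the reply key is moved into `ctx->as_reply_key` even if ticket extraction or validate_pkinit_fx() failed. If consumers treat DONE or a stored `as_reply_key` as proof of a validated reply (they are outside this hunk), gate both on success, e.g. `if (ret == 0) ctx->ic_flags |= KRB5_INIT_CREDS_DONE;`. The removed block also set `KRB5_INIT_CREDS_PKINIT_KX_VALID` after a successful confirmation and nothing visible in the replacement does, so any reader of that flag should be checked.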
@@ -2319,9 +3135,39 @@ krb5_init_creds_step(krb5_context context,
}
/*
- * Unwrap KRB-ERROR
+ * Unwrap method-data, if there is any,
+ * fast_unwrap_error() below might replace it with a
+ * wrapped version if we are using FAST.
+ */
+
+ free_METHOD_DATA(&ctx->md);
+ memset(&ctx->md, 0, sizeof(ctx->md));
+
+ if (ctx->error.e_data) {
+ krb5_error_code ret2;
+
+ ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
+ ctx->error.e_data->length,
+ &ctx->md,
+ NULL);
+ if (ret2) {
+ /*
+ * Just ignore any error, the error will be pushed
+ * out from krb5_error_from_rd_error() if there
+ * was one.
+ */
+ _krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""));
+ }
+ }
+
+ /*
+ * Unwrap KRB-ERROR, we are always calling this so that
+ * FAST can tell us if your peer KDC suddenly dropped FAST
+ * wrapping and its really an attacker's packet (or a bug
+ * in the KDC).
*/
- ret = fast_unwrap_error(context, &ctx->fast_state, &ctx->error);
+ ret = _krb5_fast_unwrap_error(context, ctx->nonce, &ctx->fast_state,
+ &ctx->md, &ctx->error);
if (ret)
goto out;
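Review bot: The new comment refers to `fast_unwrap_error()`, but the call a few lines below is `_krb5_fast_unwrap_error()`. The second comment's "your peer KDC" and "its really" could be tightened to "so that FAST can tell us when the KDC unexpectedly dropped FAST wrapping, which means the packet is forged or the KDC is buggy". When `decode_METHOD_DATA()` fails, `ret2` is dropped and `ctx->md` is used as-is by the later code. The comment should say that `ctx->md` is expected to be empty in that case, or the code should `memset` it again if the decoder can leave partial output (not visible here).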
@@ -2331,30 +3177,36 @@ krb5_init_creds_step(krb5_context context,
ret = krb5_error_from_rd_error(context, &ctx->error, &ctx->cred);
- _krb5_debug(context, 5, "krb5_get_init_creds: KRB-ERROR %d", ret);
+ /* log the failure */
+ if (_krb5_have_debug(context, 5)) {
+ const char *str = krb5_get_error_message(context, ret);
+ _krb5_debug(context, 5, "krb5_get_init_creds: KRB-ERROR %d/%s", ret, str);
+ krb5_free_error_message(context, str);
+ }
/*
- * If no preauth was set and KDC requires it, give it one
- * more try.
+ * Handle special error codes
*/
- if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED) {
-
- free_METHOD_DATA(&ctx->md);
- memset_s(&ctx->md, sizeof(ctx->md), 0, sizeof(ctx->md));
+ if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED
+ || ret == KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
+ || ret == KRB5KDC_ERR_ETYPE_NOSUPP)
+ {
+ /*
+ * If no preauth was set and KDC requires it, give it one
+ * more try.
+ *
+ * If the KDC returned KRB5KDC_ERR_ETYPE_NOSUPP, just loop
+ * one more time since that might mean we are dealing with
+ * a Windows KDC that is confused about what enctypes are
+ * available.
+ */
- if (ctx->error.e_data) {
- ret = decode_METHOD_DATA(ctx->error.e_data->data,
- ctx->error.e_data->length,
- &ctx->md,
- NULL);
- if (ret)
- krb5_set_error_message(context, ret,
- N_("Failed to decode METHOD-DATA", ""));
- } else {
+ if (available_padata_count(&ctx->md) == 0) {
krb5_set_error_message(context, ret,
N_("Preauth required but no preauth "
"options send by KDC", ""));
+ goto out;
}
} else if (ret == KRB5KRB_AP_ERR_SKEW && context->kdc_sec_offset == 0) {
/*
@@ -2365,22 +3217,49 @@ krb5_init_creds_step(krb5_context context,
if (context->kdc_sec_offset)
ret = 0;
- _krb5_debug(context, 10, "init_creds: err skew updateing kdc offset to %d",
+ _krb5_debug(context, 10, "init_creds: err skew updating kdc offset to %d",
context->kdc_sec_offset);
+ if (ret)
+ goto out;
- ctx->used_pa_types = 0;
+ pa_restart(context, ctx);
} else if (ret == KRB5_KDC_ERR_WRONG_REALM && ctx->flags.canonicalize) {
- /* client referal to a new realm */
+ /* client referral to a new realm */
+ char *ref_realm;
if (ctx->error.crealm == NULL) {
krb5_set_error_message(context, ret,
N_("Got a client referral, not but no realm", ""));
goto out;
}
- _krb5_debug(context, 5,
- "krb5_get_init_creds: got referal to realm %s",
- *ctx->error.crealm);
+ ref_realm = *ctx->error.crealm;
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: referral to realm %s",
+ ref_realm);
+
+ /*
+ * If its a krbtgt, lets updat the requested krbtgt too
+ */
+ if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
+
+ free(ctx->cred.server->name.name_string.val[1]);
+ ctx->cred.server->name.name_string.val[1] = strdup(ref_realm);
+ if (ctx->cred.server->name.name_string.val[1] == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ free_PrincipalName(ctx->as_req.req_body.sname);
+ ret = _krb5_principal2principalname(ctx->as_req.req_body.sname, ctx->cred.server);
+ if (ret)
+ goto out;
+ }
+
+ free(ctx->as_req.req_body.realm);
+ ret = copy_Realm(&ref_realm, &ctx->as_req.req_body.realm);
+ if (ret)
+ goto out;
ret = krb5_principal_set_realm(context,
ctx->cred.client,
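Review bot: The referral path frees the old value before it has a replacement: `free(...val[1])` is followed by `strdup(ref_realm)`, so on allocation failure `ctx->cred.server` is left with a NULL name component. `free(ctx->as_req.req_body.realm)` precedes `copy_Realm()` in the same way. Duplicating first and swapping only on success leaves the context usable and safely freeable after an error; the fence shows this for the server principal, and the realm update should follow the same order. The index `val[1]` also relies on krb5_principal_is_krbtgt() guaranteeing two name components, which is not visible in this hunk, and the comment typo "lets updat" wants fixing.

```c
if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
    char *new_realm = strdup(ref_realm);

    if (new_realm == NULL) {
        ret = krb5_enomem(context);
        goto out;
    }
    free(ctx->cred.server->name.name_string.val[1]);
    ctx->cred.server->name.name_string.val[1] = new_realm;
    /* … unchanged: rebuild as_req.req_body.sname from ctx->cred.server … */
}
```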
@@ -2388,31 +3267,30 @@ krb5_init_creds_step(krb5_context context,
if (ret)
goto out;
- if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
- ret = krb5_init_creds_set_service(context, ctx, NULL);
- if (ret)
- goto out;
+ ret = krb5_unparse_name(context, ctx->cred.client, &ref_realm);
+ if (ret == 0) {
+ _krb5_debug(context, 5, "krb5_get_init_creds: got referral to %s", ref_realm);
+ krb5_xfree(ref_realm);
}
- free_AS_REQ(&ctx->as_req);
- memset_s(&ctx->as_req, sizeof(ctx->as_req), 0, sizeof(ctx->as_req));
+ pa_restart(context, ctx);
- ctx->used_pa_types = 0;
- } else if (ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 && ctx->prompter) {
+ } else if (ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 &&
+ ctx->runflags.change_password_prompt) {
char buf2[1024];
ctx->runflags.change_password = 1;
ctx->prompter(context, ctx->prompter_data, NULL, N_("Password has expired", ""), 0, NULL);
-
/* try to avoid recursion */
if (ctx->in_tkt_service != NULL && strcmp(ctx->in_tkt_service, "kadmin/changepw") == 0)
goto out;
- /* don't try to change password where then where none */
- if (ctx->prompter == NULL)
- goto out;
+ /* don't include prompter in runtime */
+ gettimeofday(&end_time, NULL);
+ timevalsub(&end_time, &start_time);
+ timevaladd(&ctx->stats.run_time, &end_time);
ret = change_password(context,
ctx->cred.client,
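Review bot: `ctx->prompter(...)` is now called in the KEY_EXP branch with no NULL check, because the branch condition tests `ctx->runflags.change_password_prompt` instead of `ctx->prompter` and the later `if (ctx->prompter == NULL) goto out;` is removed. That is safe only if `change_password_prompt` is never set without a prompter, which is decided outside this hunk; the `krb5_get_init_creds_password` hunk further down relies on the same invariant. Either add `ctx->prompter != NULL &&` to the condition, or put a comment where the flag is assigned stating that it implies a non-NULL prompter.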
@@ -2425,36 +3303,51 @@ krb5_init_creds_step(krb5_context context,
if (ret)
goto out;
+ gettimeofday(&start_time, NULL);
+
krb5_init_creds_set_password(context, ctx, buf2);
- ctx->used_pa_types = 0;
- ret = 0;
-
- } else if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
-
- if (ctx->fast_state.flags & KRB5_FAST_DISABLED)
- goto out;
- if (ctx->fast_state.flags & (KRB5_FAST_REQUIRED | KRB5_FAST_EXPECTED))
- goto out;
-
- _krb5_debug(context, 10, "preauth failed with FAST, "
- "and told by KD or user, trying w/o FAST");
-
- ctx->fast_state.flags |= KRB5_FAST_DISABLED;
- ctx->used_pa_types = 0;
- ret = 0;
- }
- if (ret)
- goto out;
- }
- }
+ pa_restart(context, ctx);
- if (ctx->as_req.req_body.cname == NULL) {
- ret = init_as_req(context, ctx->flags, &ctx->cred,
- ctx->addrs, ctx->etypes, &ctx->as_req);
- if (ret) {
- free_init_creds_ctx(context, ctx);
- return ret;
+ } else if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
+
+ /*
+ * Old MIT KDC can't handle KRB5_PADATA_REQ_ENC_PA_REP,
+ * so drop it and try again. But only try that for MIT
+ * Kerberos servers by keying of no METHOD-DATA.
+ */
+ if (ctx->runflags.allow_enc_pa_rep) {
+ if (ctx->md.len != 0) {
+ _krb5_debug(context, 10, "Server sent PA data with KRB-ERROR, "
+ "so not a pre 1.7 MIT KDC and won't retry w/o ENC-PA-REQ");
+ goto out;
+ }
+ _krb5_debug(context, 10, "Disabling allow_enc_pa_rep and trying again");
+ ctx->runflags.allow_enc_pa_rep = 0;
+ goto retry;
+ }
+
+ if (ctx->fast_state.flags & KRB5_FAST_DISABLED) {
+ _krb5_debug(context, 10, "FAST disabled and got preauth failed");
+ goto out;
+ }
+
+ retry:
+ pa_restart(context, ctx);
+
+ } else if (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC) {
+ _krb5_debug(context, 10,
+ "Some other error %d failed with optimistic FAST, trying w/o FAST", ret);
+
+ ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC;
+ ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR;
+ ctx->fast_state.flags |= KRB5_FAST_DISABLED;
+ pa_restart(context, ctx);
+ } else {
+ /* some other error code from the KDC, lets' return it to the user */
+ goto out;
+ }
}
}
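Review bot: The new final `else if (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC)` branch turns any otherwise unhandled KDC error into a retry without FAST and also clears `KRB5_FAST_REQUIRED`, so an error reply alone is enough to drop the armor. The removed code refused to retry when `KRB5_FAST_REQUIRED | KRB5_FAST_EXPECTED` was set; if OPTIMISTIC and REQUIRED can be set together (the explicit clear suggests they can), keep that guard, e.g. `} else if ((ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC) && !(ctx->fast_state.flags & KRB5_FAST_REQUIRED)) {`, or add a comment saying why the downgrade is acceptable. The `krb5_init_creds_step()` wrapper added in the `@@ -2496,17 +3404,87 @@` hunk clears the same three flags but does not set `KRB5_FAST_DISABLED`, unlike here, and the two paths should agree. The enclosing function extends beyond the hunk.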
@@ -2464,22 +3357,37 @@ krb5_init_creds_step(krb5_context context,
ctx->as_req.padata = NULL;
}
+ ret = _krb5_fast_create_armor(context, &ctx->fast_state,
+ ctx->cred.client->realm);
+ if (ret)
+ goto out;
+
/* Set a new nonce. */
ctx->as_req.req_body.nonce = ctx->nonce;
- /* fill_in_md_data */
+
+ /*
+ * Step and announce PA-DATA
+ */
+
ret = process_pa_data_to_md(context, &ctx->cred, &ctx->as_req, ctx,
- &ctx->md, &ctx->as_req.padata,
- ctx->prompter, ctx->prompter_data);
+ &ctx->md, &ctx->as_req.padata);
if (ret)
goto out;
+
/*
* Wrap with FAST
*/
- copy_AS_REQ(&ctx->as_req, &req2);
+ ret = copy_AS_REQ(&ctx->as_req, &req2);
+ if (ret)
+ goto out;
- ret = fast_wrap_req(context, &ctx->fast_state, &req2);
+ ret = _krb5_fast_wrap_req(context,
+ &ctx->fast_state,
+ &req2);
+
+ krb5_data_free(&checksum_data);
if (ret) {
free_AS_REQ(&req2);
goto out;
@@ -2496,17 +3404,87 @@ krb5_init_creds_step(krb5_context context,
if(len != ctx->req_buffer.length)
krb5_abortx(context, "internal error in ASN.1 encoder");
- out->data = ctx->req_buffer.data;
- out->length = ctx->req_buffer.length;
+ ret = krb5_data_copy(out,
+ ctx->req_buffer.data,
+ ctx->req_buffer.length);
+ if (ret)
+ goto out;
+
+ *out_realm = strdup(ctx->cred.client->realm);
+ if (*out_realm == NULL) {
+ krb5_data_free(out);
+ ret = ENOMEM;
+ goto out;
+ }
*flags = KRB5_INIT_CREDS_STEP_FLAG_CONTINUE;
+ gettimeofday(&end_time, NULL);
+ timevalsub(&end_time, &start_time);
+ timevaladd(&ctx->stats.run_time, &end_time);
+
return 0;
out:
return ret;
}
/**
+ * The core loop if krb5_get_init_creds() function family. Create the
+ * packets and have the caller send them off to the KDC.
+ *
+ * If the caller want all work been done for them, use
+ * krb5_init_creds_get() instead.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx ctx krb5_init_creds_context context.
+ * @param in input data from KDC, first round it should be reset by krb5_data_zero().
+ * @param out reply to KDC. The caller needs to call krb5_data_free()
+ * @param out_realm the destination realm for 'out', free with krb5_xfree()
+ * @param flags status of the round, if
+ * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see
+ * krb5_get_error_message().
+ *
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ const krb5_data *in,
+ krb5_data *out,
+ krb5_realm *out_realm,
+ unsigned int *flags)
+{
+ krb5_error_code ret;
+ krb5_data empty;
+
+ krb5_data_zero(&empty);
+ krb5_data_zero(out);
+ *out_realm = NULL;
+
+ if ((ctx->fast_state.flags & KRB5_FAST_ANON_PKINIT_ARMOR) &&
+ ctx->fast_state.armor_ccache == NULL) {
+ ret = _krb5_fast_anon_pkinit_step(context, ctx, &ctx->fast_state,
+ in, out, out_realm, flags);
+ if (ret && (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC)) {
+ _krb5_debug(context, 5, "Preauth failed with optimistic "
+ "FAST, trying w/o FAST");
+ ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC;
+ ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR;
+ } else if (ret ||
+ (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE))
+ return ret;
+
+ in = &empty;
+ }
+
+ return init_creds_step(context, ctx, in, out, out_realm, flags);
+}
+
+/**
* Extract the newly acquired credentials from krb5_init_creds_context
* context.
*
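Review bot: In the new `krb5_init_creds_step()` wrapper, the optimistic-FAST fallback calls `init_creds_step()` with the same `out` and `out_realm` that the failed `_krb5_fast_anon_pkinit_step()` may already have written, and `init_creds_step()` then overwrites them through `krb5_data_copy()` and `strdup()`. If the PKINIT step can fail after filling them (its body is not visible here), the buffer and the realm string leak. Resetting them in the fallback branch makes this independent of the helper: `krb5_data_free(out);` and `krb5_xfree(*out_realm); *out_realm = NULL;`. In the doc comment, `The core loop if krb5_get_init_creds()` should read `The core loop of the krb5_get_init_creds()`.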
@@ -2526,6 +3504,47 @@ krb5_init_creds_get_creds(krb5_context context,
}
/**
+ * Extract the as-reply key from the context.
+ *
+ * Only allowed when the as-reply-key is not directly derived from the
+ * password like PK-INIT, GSS, FAST hardened key, etc.
+ *
+ * @param context A Kerberos 5 context.
+ * @param ctx ctx krb5_init_creds_context context.
+ * @param as_reply_key keyblock, free with krb5_free_keyblock_contents().
+ *
+ * @return 0 for sucess or An Kerberos error code, see krb5_get_error_message().
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_get_as_reply_key(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_keyblock *as_reply_key)
+{
+ if (ctx->as_reply_key == NULL)
+ return KRB5KDC_ERR_PREAUTH_REQUIRED;
+ return krb5_copy_keyblock_contents(context, ctx->as_reply_key, as_reply_key);
+}
+
+KRB5_LIB_FUNCTION krb5_timestamp KRB5_LIB_CALL
+_krb5_init_creds_get_cred_starttime(krb5_context context, krb5_init_creds_context ctx)
+{
+ return ctx->cred.times.starttime;
+}
+
+KRB5_LIB_FUNCTION krb5_timestamp KRB5_LIB_CALL
+_krb5_init_creds_get_cred_endtime(krb5_context context, krb5_init_creds_context ctx)
+{
+ return ctx->cred.times.endtime;
+}
+
+KRB5_LIB_FUNCTION krb5_principal KRB5_LIB_CALL
+_krb5_init_creds_get_cred_client(krb5_context context, krb5_init_creds_context ctx)
+{
+ return ctx->cred.client;
+}
+
+/**
* Get the last error from the transaction.
*
* @return Returns 0 or an error code
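Review bot: `krb5_init_creds_get_as_reply_key()` documents that it is "only allowed when the as-reply-key is not directly derived from the password", but the only check in the body is `ctx->as_reply_key == NULL`. Unless `ctx->as_reply_key` is populated solely on the PK-INIT, GSS and FAST paths (not visible in this hunk), a password-derived key is copied out to the caller as well; either enforce the restriction here or reword the comment to say where it is enforced. The `@return` text should also mention that `KRB5KDC_ERR_PREAUTH_REQUIRED` here means "no reply key in the context", since callers would otherwise read it as a KDC answer. The three `_krb5_init_creds_get_cred_*` accessors have no comment; for `_krb5_init_creds_get_cred_client`, which returns `ctx->cred.client` itself, `/* Returns a borrowed pointer owned by ctx; do not free. */` would state the lifetime.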
@@ -2548,6 +3567,47 @@ krb5_init_creds_get_error(krb5_context context,
}
/**
+ * Store config
+ *
+ * @param context A Kerberos 5 context.
+ * @param ctx The krb5_init_creds_context to free.
+ * @param id store
+ *
+ * @return Returns 0 or an error code
+ *
+ * @ingroup krb5_credential
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_init_creds_store_config(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_ccache id)
+{
+ krb5_error_code ret;
+
+ if (ctx->kdc_hostname) {
+ krb5_data data;
+ data.length = strlen(ctx->kdc_hostname);
+ data.data = ctx->kdc_hostname;
+
+ ret = krb5_cc_set_config(context, id, NULL, "lkdc-hostname", &data);
+ if (ret)
+ return ret;
+ }
+ if (ctx->sitename) {
+ krb5_data data;
+ data.length = strlen(ctx->sitename);
+ data.data = ctx->sitename;
+
+ ret = krb5_cc_set_config(context, id, NULL, "sitename", &data);
+ if (ret)
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
*
* @ingroup krb5_credential
*/
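Review bot: `krb5_init_creds_store_config()` is declared `krb5_error_code KRB5_LIB_FUNCTION` with no `KRB5_LIB_CALL`, while the other exported functions added in this file use `KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL`; the declaration should follow that form. Its doc comment is copied from a free routine: `@param ctx The krb5_init_creds_context to free.` should describe the context whose KDC hostname and site name are stored, and `@param id store` should say that `id` is the credential cache receiving the "lkdc-hostname" and "sitename" entries. Any `krb5_cc_set_config()` error is returned here, whereas `krb5_init_creds_store()` in the next hunk now ignores `KRB5_CC_NOSUPP`; if cache types without config support are expected, the two should agree.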
@@ -2577,11 +3637,11 @@ krb5_init_creds_store(krb5_context context,
krb5_data data = { 3, rk_UNCONST("yes") };
ret = krb5_cc_set_config(context, id, ctx->cred.server,
"fast_avail", &data);
- if (ret)
+ if (ret && ret != KRB5_CC_NOSUPP)
return ret;
}
- return ret;
+ return 0;
}
/**
@@ -2614,7 +3674,6 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
{
krb5_sendto_ctx stctx = NULL;
- krb5_krbhst_info *hostinfo = NULL;
krb5_error_code ret;
krb5_data in, out;
unsigned int flags = 0;
@@ -2627,21 +3686,35 @@ krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
goto out;
krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
+ if (ctx->kdc_hostname)
+ krb5_sendto_set_hostname(context, stctx, ctx->kdc_hostname);
+ if (ctx->sitename)
+ krb5_sendto_set_sitename(context, stctx, ctx->sitename);
+
while (1) {
+ struct timeval nstart, nend;
+ krb5_realm realm = NULL;
+
flags = 0;
- ret = krb5_init_creds_step(context, ctx, &in, &out, hostinfo, &flags);
+ ret = krb5_init_creds_step(context, ctx, &in, &out, &realm, &flags);
krb5_data_free(&in);
if (ret)
goto out;
- if ((flags & 1) == 0)
+ if ((flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0)
break;
- ret = krb5_sendto_context (context, stctx, &out,
- ctx->cred.client->realm, &in);
+ gettimeofday(&nstart, NULL);
+
+ ret = krb5_sendto_context (context, stctx, &out, realm, &in);
+ krb5_data_free(&out);
+ free(realm);
if (ret)
goto out;
+ gettimeofday(&nend, NULL);
+ timevalsub(&nend, &nstart);
+ timevaladd(&ctx->stats.run_time, &nend);
}
out:
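Review bot: The return values of `krb5_sendto_set_hostname()` and `krb5_sendto_set_sitename()` are dropped. If either setter can fail (they presumably copy the string; their definitions are not in view), the loop continues without the configured KDC host and the request goes to whatever normal discovery finds for `realm`, silently undoing the pin that `ctx->kdc_hostname` expresses. Checking them, `ret = krb5_sendto_set_hostname(context, stctx, ctx->kdc_hostname);` followed by `if (ret) goto out;`, keeps that failure visible. Also, when `krb5_init_creds_step()` returns an error the loop jumps to `out` without freeing `out` or `realm`, which is fine only if the step never fails with either one populated.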
@@ -2734,14 +3807,10 @@ krb5_get_init_creds_password(krb5_context context,
if (in_tkt_service != NULL && strcmp(in_tkt_service, "kadmin/changepw") == 0)
goto out;
- /* don't try to change password where then where none */
- if (prompter == NULL)
+ /* don't try to change password if no prompter or prompting disabled */
+ if (!ctx->runflags.change_password_prompt)
goto out;
- if ((options->flags & KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT) &&
- !options->change_password_prompt)
- goto out;
-
ret = change_password (context,
client,
ctx->password,
@@ -2875,3 +3944,71 @@ krb5_get_init_creds_keytab(krb5_context context,
return ret;
}
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+_krb5_init_creds_set_gss_mechanism(krb5_context context,
+ krb5_gss_init_ctx gssic,
+ const struct gss_OID_desc_struct *gss_mech)
+{
+ gssic->mech = gss_mech; /* OIDs are interned, so no copy required */
+}
+
+KRB5_LIB_FUNCTION const struct gss_OID_desc_struct * KRB5_LIB_CALL
+_krb5_init_creds_get_gss_mechanism(krb5_context context,
+ krb5_gss_init_ctx gssic)
+{
+ return gssic->mech;
+}
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+_krb5_init_creds_set_gss_cred(krb5_context context,
+ krb5_gss_init_ctx gssic,
+ struct gss_cred_id_t_desc_struct *gss_cred)
+{
+ if (gssic->cred != gss_cred && gssic->flags.release_cred)
+ gssic->release_cred(context, gssic, gssic->cred);
+
+ gssic->cred = gss_cred;
+ gssic->flags.release_cred = 1;
+}
+
+KRB5_LIB_FUNCTION const struct gss_cred_id_t_desc_struct * KRB5_LIB_CALL
+_krb5_init_creds_get_gss_cred(krb5_context context,
+ krb5_gss_init_ctx gssic)
+{
+ return gssic->cred;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_init_creds_init_gss(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_gssic_step step,
+ krb5_gssic_finish finish,
+ krb5_gssic_release_cred release_cred,
+ krb5_gssic_delete_sec_context delete_sec_context,
+ const struct gss_cred_id_t_desc_struct *gss_cred,
+ const struct gss_OID_desc_struct *gss_mech,
+ unsigned int flags)
+{
+ krb5_gss_init_ctx gssic;
+
+ gssic = calloc(1, sizeof(*gssic));
+ if (gssic == NULL)
+ return krb5_enomem(context);
+
+ if (ctx->gss_init_ctx)
+ free_gss_init_ctx(context, ctx->gss_init_ctx);
+ ctx->gss_init_ctx = gssic;
+
+ gssic->cred = (struct gss_cred_id_t_desc_struct *)gss_cred;
+ gssic->mech = gss_mech;
+ if (flags & KRB5_GSS_IC_FLAG_RELEASE_CRED)
+ gssic->flags.release_cred = 1;
+
+ gssic->step = step;
+ gssic->finish = finish;
+ gssic->release_cred = release_cred;
+ gssic->delete_sec_context = delete_sec_context;
+
+ return 0;
+}
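Review bot: `_krb5_init_creds_set_gss_cred()` calls `gssic->release_cred(...)` whenever the flag is set, but `_krb5_init_creds_init_gss()` stores the `release_cred` callback (like `step`, `finish` and `delete_sec_context`) without checking it for NULL, and the setter also runs the callback when the old `gssic->cred` is NULL. A guard such as `if (gssic->cred != NULL && gssic->cred != gss_cred && gssic->flags.release_cred && gssic->release_cred != NULL)` covers both cases. The setter then sets `flags.release_cred = 1` unconditionally, so the context takes ownership of every credential passed in, and `_krb5_init_creds_init_gss()` casts away `const` from a `gss_cred` that may later be released when `KRB5_GSS_IC_FLAG_RELEASE_CRED` is given. None of the five functions has a comment; one line on each stating who releases the credential would make the ownership contract reviewable.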
diff --git a/lib/krb5/k5e1_err.et b/lib/krb5/k5e1_err.et
new file mode 100644
index 000000000000..19414f10a14e
--- /dev/null
+++ b/lib/krb5/k5e1_err.et
@@ -0,0 +1,13 @@
+id "$Id$"
+
+error_table k5e1
+
+index 4
+
+prefix KRB5_DCC
+error_code CANNOT_CREATE, "Can't create new subsidiary cache"
+
+prefix KRB5_KCC
+error_code INVALID_ANCHOR, "Invalid keyring anchor name"
+error_code UNKNOWN_VERSION, "Unknown keyring collection version"
+error_code INVALID_UID, "Invalid UID in persistent keyring name"
diff --git a/lib/krb5/kcm.c b/lib/krb5/kcm.c
index 8e1dfff2d0ca..17a26e34f72e 100644
--- a/lib/krb5/kcm.c
+++ b/lib/krb5/kcm.c
@@ -73,6 +73,8 @@ kcm_send_request(krb5_context context,
krb5_error_code ret = 0;
krb5_data request_data;
+ krb5_data_zero(response_data);
+
HEIMDAL_MUTEX_lock(&kcm_mutex);
if (kcm_ipc == NULL)
ret = heim_ipc_init_context(kcm_ipc_name, &kcm_ipc);
@@ -82,18 +84,11 @@ kcm_send_request(krb5_context context,
ret = krb5_storage_to_data(request, &request_data);
if (ret) {
- krb5_clear_error_message(context);
- return KRB5_CC_NOMEM;
+ return krb5_enomem(context);
}
ret = heim_ipc_call(kcm_ipc, &request_data, response_data, NULL);
krb5_data_free(&request_data);
-
- if (ret) {
- krb5_clear_error_message(context);
- ret = KRB5_CC_NOSUPP;
- }
-
return ret;
}
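Review bot: With the `KRB5_CC_NOSUPP` mapping removed, `kcm_send_request()` returns whatever `heim_ipc_call()` returns and no longer clears the error message, which changes the error contract for every caller. Callers that treat `KRB5_CC_NOSUPP` as "no KCM available" would see a different code when the daemon is unreachable; whether any exist is not visible in this hunk, so the call sites are worth checking. A comment above the function, e.g. `/* Returns the heim_ipc error unchanged; callers must not expect KRB5_CC_NOSUPP. */`, would record the new behaviour. The `krb5_storage_to_data()` failure path still reports out-of-memory regardless of `ret`; `return ret;` would preserve the real cause. The function begins outside the hunk.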
@@ -108,10 +103,8 @@ krb5_kcm_storage_request(krb5_context context,
*storage_p = NULL;
sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
- }
+ if (sp == NULL)
+ return krb5_enomem(context);
/* Send MAJOR | VERSION | OPCODE */
ret = krb5_store_int8(sp, KCM_PROTOCOL_VERSION_MAJOR);
@@ -135,29 +128,165 @@ krb5_kcm_storage_request(krb5_context context,
return ret;
}
+/*
+ * A sort of a state() for caches -- we use this to see if the local default
+ * cache name for KCM happens to exist. See kcm_alloc() below.
+ */
+static krb5_error_code
+kcm_stat(krb5_context context, const char *name)
+{
+ krb5_error_code ret;
+ krb5_storage *request = NULL;
+ krb5_data response_data;
+
+ krb5_data_zero(&response_data);
+
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request);
+ if (ret == 0)
+ ret = krb5_store_stringz(request, name);
+ if (ret == 0)
+ ret = krb5_kcm_call(context, request, NULL, &response_data);
+ krb5_storage_free(request);
+ krb5_data_free(&response_data);
+ return ret;
+}
+
+static krb5_error_code kcm_get_default_name(krb5_context,
+ const krb5_cc_ops *,
+ const char *, char **);
+
static krb5_error_code
-kcm_alloc(krb5_context context, const char *name, krb5_ccache *id)
+kcm_alloc(krb5_context context,
+ const krb5_cc_ops *ops,
+ const char *residual,
+ const char *sub,
+ krb5_ccache *id)
{
+ krb5_error_code ret;
krb5_kcmcache *k;
+ size_t ops_prefix_len = strlen(ops->prefix);
+ size_t plen = 0;
+ size_t local_def_name_len;
+ char *local_def_name = NULL; /* Our idea of default KCM cache name */
+ char *kcm_def_name = NULL; /* KCM's knowledge of default cache name */
+ int aret;
- k = malloc(sizeof(*k));
- if (k == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
+ /* Get the KCM:%{UID} default */
+ if (ops == &krb5_kcm_ops)
+ ret = _krb5_expand_default_cc_name(context, KRB5_DEFAULT_CCNAME_KCM_KCM, &local_def_name);
+ else
+ ret = _krb5_expand_default_cc_name(context, KRB5_DEFAULT_CCNAME_KCM_API, &local_def_name);
+ if (ret)
+ return ret;
+ local_def_name_len = strlen(local_def_name);
+
+ /* Get the default ccache name from KCM if possible */
+ (void) kcm_get_default_name(context, ops, NULL, &kcm_def_name);
+
+ /*
+ * We have a sticky situation in that applications that call
+ * krb5_cc_default() will be getting the locally configured or compiled-in
+ * default KCM cache name, which may not exist in the user's KCM session,
+ * and which the KCM daemon may not be able to alias to the actual default
+ * for the user's session.
+ *
+ * To deal with this we heuristically detect when an application uses the
+ * default KCM ccache name.
+ *
+ * If the residual happens to be the local default KCM name we may end up
+ * using whatever the default KCM cache name is instead of the local
+ * default.
+ *
+ * Note that here `residual' may be any of:
+ *
+ * - %{UID}
+ * - %{UID}:
+ * - %{UID}:<subsidiary>
+ * - <something not starting with %{UID}:>
+ * - <empty string>
+ * - <NULL>
+ *
+ * Only the first two count as "maybe I mean the default KCM cache".
+ */
+ if (residual && !sub &&
+ strncmp(residual, local_def_name + ops_prefix_len + 1,
+ local_def_name_len - (ops_prefix_len + 1)) == 0) {
+ if (residual[local_def_name_len - (ops_prefix_len + 1)] == '\0' ||
+ (residual[local_def_name_len - (ops_prefix_len + 1)] == ':' &&
+ residual[local_def_name_len - ops_prefix_len] == '\0')) {
+ /*
+ * If we got a default cache name from KCM and the requested default
+ * cache does not exist, use the former.
+ */
+ if (kcm_def_name && kcm_stat(context, residual))
+ residual = kcm_def_name + ops_prefix_len + 1;
+ }
}
- if (name != NULL) {
- k->name = strdup(name);
- if (k->name == NULL) {
- free(k);
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
- }
- } else
- k->name = NULL;
+ if (residual && residual[0] == '\0')
+ residual = NULL;
+ if (sub && sub[0] == '\0')
+ sub = NULL;
+
+ if (residual == NULL && sub == NULL) {
+ /* Use the default cache name, either from KCM or local default */
+ if (kcm_def_name)
+ residual = kcm_def_name + ops_prefix_len + 1;
+ else
+ residual = local_def_name + ops_prefix_len + 1;
+ }
+
+ if (residual) {
+ /* KCM cache names must start with {UID} or {UID}: */
+ plen = strspn(residual, "0123456789");
+ if (plen && residual[plen] != ':' && residual[plen] != '\0')
+ plen = 0;
+ /*
+ * If `plen', then residual is such a residual, else we'll want to
+ * prefix the {UID}:.
+ */
+ }
+
+ k = calloc(1, sizeof(*k));
+ if (k == NULL) {
+ free(local_def_name);
+ free(kcm_def_name);
+ return krb5_enomem(context);
+ }
+ k->name = NULL;
+
+ if (residual == NULL && sub == NULL) {
+ /* One more way to get a default */
+ aret = asprintf(&k->name, "%llu", (unsigned long long)getuid());
+ } else if (residual == NULL) {
+ /*
+ * Treat the subsidiary as the residual (maybe this will turn out to be
+ * wrong).
+ */
+ aret = asprintf(&k->name, "%llu:%s", (unsigned long long)getuid(),
+ sub);
+ } else if (plen) {
+ /* The residual is a UID */
+ aret = asprintf(&k->name, "%s%s%s", residual,
+ sub ? ":" : "", sub ? sub : "");
+ } else if (sub == NULL) {
+ /* The residual is NOT a UID */
+ aret = asprintf(&k->name, "%llu:%s", (unsigned long long)getuid(),
+ residual);
+ } else {
+ /* Ditto, plus we have a subsidiary. `residual && sub && !plen' */
+ aret = asprintf(&k->name, "%llu:%s:%s", (unsigned long long)getuid(),
+ residual, sub);
+ }
+ if (aret == -1 || k->name == NULL) {
+ free(local_def_name);
+ free(kcm_def_name);
+ free(k);
+ return krb5_enomem(context);
+ }
+ free(local_def_name);
+ free(kcm_def_name);
(*id)->data.data = k;
(*id)->data.length = sizeof(*k);
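Review bot: The comparison `strncmp(residual, local_def_name + ops_prefix_len + 1, local_def_name_len - (ops_prefix_len + 1))` assumes the expanded default name is longer than `strlen(ops->prefix) + 1`; if it were shorter, the `size_t` subtraction wraps and the pointer is past the end of the string. The templates look like compile-time constants, so this is a robustness guard rather than a demonstrated bug, but a check right after `local_def_name_len` is computed makes the assumption explicit: `if (local_def_name_len <= ops_prefix_len + 1) { free(local_def_name); return KRB5_CC_FORMAT; }`. The digit test `strspn(residual, "0123456789")` accepts any numeric prefix as the UID part and never compares it with `getuid()`, so the resulting name can refer to another user's cache; a comment stating that authorization is left to the KCM daemon would document that this is intended. In the `kcm_stat()` header comment, `state()` presumably means `stat()`.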
@@ -179,10 +308,11 @@ krb5_kcm_call(krb5_context context,
*response_p = NULL;
krb5_data_zero(&response_data);
-
ret = kcm_send_request(context, request, &response_data);
- if (ret)
- return ret;
+ if (ret) {
+ krb5_data_free(&response_data);
+ return ret;
+ }
response = krb5_storage_from_data(&response_data);
if (response == NULL) {
@@ -222,24 +352,63 @@ kcm_free(krb5_context context, krb5_ccache *id)
krb5_kcmcache *k = KCMCACHE(*id);
if (k != NULL) {
- if (k->name != NULL)
- free(k->name);
+ free(k->name);
memset_s(k, sizeof(*k), 0, sizeof(*k));
krb5_data_free(&(*id)->data);
}
}
-static const char *
-kcm_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+kcm_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **col,
+ const char **sub)
{
- return CACHENAME(id);
+ /*
+ * TODO:
+ *
+ * - name should be <IPC-name>:<cache-name>
+ * - col should be <IPC-name>
+ * - sub should be <cache-name>
+ */
+ if (name)
+ *name = CACHENAME(id);
+ if (col)
+ *col = NULL;
+ if (sub)
+ *sub = CACHENAME(id);
+ return 0;
}
static krb5_error_code
-kcm_resolve(krb5_context context, krb5_ccache *id, const char *res)
+kcm_resolve_2_kcm(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
{
- return kcm_alloc(context, res, id);
+ /*
+ * For now, for KCM the `res' is the `sub'.
+ *
+ * TODO: We should use `res' as the IPC name instead of the one currently
+ * hard-coded in `kcm_ipc_name'.
+ */
+ return kcm_alloc(context, &krb5_kcm_ops, res, sub, id);
+}
+
+static krb5_error_code
+kcm_resolve_2_api(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
+{
+ /*
+ * For now, for KCM the `res' is the `sub'.
+ *
+ * TODO: We should use `res' as the IPC name instead of the one currently
+ * hard-coded in `kcm_ipc_name'.
+ */
+ return kcm_alloc(context, &krb5_akcm_ops, res, sub, id);
}
/*
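Review bot: `kcm_get_name_2()` is declared with `KRB5_CALLCONV` but the two new resolvers `kcm_resolve_2_kcm()` and `kcm_resolve_2_api()` are not, although all three are placed in `krb5_cc_ops` slots further down; if the ops typedefs carry the calling-convention macro, the resolvers need it too. The comment "For now, for KCM the `res' is the `sub'" does not match the code, which forwards both `res` and `sub` to `kcm_alloc()`; `/* res and sub are both forwarded; kcm_alloc() decides which one names the cache */` would be accurate. `kcm_get_name_2()` reports `*col = NULL`, so its TODO should add that callers must tolerate a NULL collection name until it is implemented.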
@@ -249,14 +418,14 @@ kcm_resolve(krb5_context context, krb5_ccache *id, const char *res)
* NameZ
*/
static krb5_error_code
-kcm_gen_new(krb5_context context, krb5_ccache *id)
+kcm_gen_new(krb5_context context, const krb5_cc_ops *ops, krb5_ccache *id)
{
krb5_kcmcache *k;
krb5_error_code ret;
krb5_storage *request, *response;
krb5_data response_data;
- ret = kcm_alloc(context, NULL, id);
+ ret = kcm_alloc(context, ops, NULL, NULL, id);
if (ret)
return ret;
@@ -275,6 +444,8 @@ kcm_gen_new(krb5_context context, krb5_ccache *id)
return ret;
}
+ free(k->name);
+ k->name = NULL;
ret = krb5_ret_stringz(response, &k->name);
if (ret)
ret = KRB5_CC_IO;
@@ -289,6 +460,18 @@ kcm_gen_new(krb5_context context, krb5_ccache *id)
return ret;
}
+static krb5_error_code
+kcm_gen_new_kcm(krb5_context context, krb5_ccache *id)
+{
+ return kcm_gen_new(context, &krb5_kcm_ops, id);
+}
+
+static krb5_error_code
+kcm_gen_new_api(krb5_context context, krb5_ccache *id)
+{
+ return kcm_gen_new(context, &krb5_akcm_ops, id);
+}
+
/*
* Request:
* NameZ
@@ -639,15 +822,15 @@ kcm_get_next (krb5_context context,
c->offset++;
if (sret != sizeof(c->uuids[c->offset])) {
krb5_storage_free(request);
- krb5_clear_error_message(context);
- return ENOMEM;
+ return krb5_enomem(context);
}
ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_storage_free(request);
if (ret == KRB5_CC_END) {
goto again;
- }
+ } else if (ret)
+ return ret;
ret = krb5_ret_creds(response, creds);
if (ret)
@@ -867,14 +1050,15 @@ kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_op
c->offset++;
if (sret != sizeof(c->uuids[c->offset])) {
krb5_storage_free(request);
- krb5_clear_error_message(context);
- return ENOMEM;
+ return krb5_enomem(context);
}
ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_storage_free(request);
if (ret == KRB5_CC_END)
goto again;
+ else if (ret)
+ return ret;
ret = krb5_ret_stringz(response, &name);
krb5_storage_free(response);
@@ -883,7 +1067,7 @@ kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_op
if (ret == 0) {
ret = _krb5_cc_allocate(context, ops, id);
if (ret == 0)
- ret = kcm_alloc(context, name, id);
+ ret = kcm_alloc(context, ops, name, NULL, id);
krb5_xfree(name);
}
@@ -944,6 +1128,9 @@ kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to)
ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
+
+ if (ret == 0)
+ krb5_cc_destroy(context, from);
return ret;
}
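Review bot: The result of `krb5_cc_destroy(context, from)` is dropped without a cast, whereas other deliberately ignored calls in this diff are written `(void) ...`. If `krb5_cc_destroy()` also releases the handle, `from` is invalid after a successful move, and that should be stated for callers. Suggest `(void) krb5_cc_destroy(context, from); /* from is consumed on success */`, or `ret = krb5_cc_destroy(context, from);` if a failed destroy should be reported. The function body begins outside the hunk.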
@@ -965,8 +1152,11 @@ kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_storage_free(request);
- if (ret)
- return _krb5_expand_default_cc_name(context, defstr, str);
+ if (ret) {
+ if (defstr)
+ return _krb5_expand_default_cc_name(context, defstr, str);
+ return ret;
+ }
ret = krb5_ret_stringz(response, &name);
krb5_storage_free(response);
@@ -976,8 +1166,8 @@ kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
aret = asprintf(str, "%s:%s", ops->prefix, name);
free(name);
- if (aret == -1 || str == NULL)
- return ENOMEM;
+ if (aret == -1 || *str == NULL)
+ return krb5_enomem(context);
return 0;
}
@@ -1096,11 +1286,11 @@ kcm_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"KCM",
- kcm_get_name,
- kcm_resolve,
- kcm_gen_new,
+ NULL,
+ NULL,
+ kcm_gen_new_kcm,
kcm_initialize,
kcm_destroy,
kcm_close,
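Review bot: The two positional `NULL` entries that replace `kcm_get_name` and `kcm_resolve` give no hint which slots they fill, and their replacements sit at the far end of the table. Trailing comments such as `NULL, /* was kcm_get_name; superseded by kcm_get_name_2 below */` and `NULL, /* was kcm_resolve; superseded by kcm_resolve_2_kcm below */` would make the initializer checkable by eye; the same applies to `krb5_akcm_ops`. Any dispatcher that still calls the old slots for a `KRB5_CC_OPS_VERSION_5` table would dereference NULL, so it is worth confirming that the generic cache code tests the version or the pointer first (not visible here).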
@@ -1121,15 +1311,17 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops = {
kcm_set_default,
kcm_lastchange,
kcm_set_kdc_offset,
- kcm_get_kdc_offset
+ kcm_get_kdc_offset,
+ kcm_get_name_2,
+ kcm_resolve_2_kcm
};
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"API",
- kcm_get_name,
- kcm_resolve,
- kcm_gen_new,
+ NULL,
+ NULL,
+ kcm_gen_new_api,
kcm_initialize,
kcm_destroy,
kcm_close,
@@ -1150,10 +1342,11 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = {
kcm_set_default,
kcm_lastchange,
NULL,
- NULL
+ NULL,
+ kcm_get_name_2,
+ kcm_resolve_2_api
};
-
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_kcm_is_running(krb5_context context)
{
@@ -1162,7 +1355,7 @@ _krb5_kcm_is_running(krb5_context context)
krb5_ccache id = &ccdata;
krb5_boolean running;
- ret = kcm_alloc(context, NULL, &id);
+ ret = kcm_alloc(context, &krb5_kcm_ops, NULL, NULL, &id);
if (ret)
return 0;
diff --git a/lib/krb5/kcm.h b/lib/krb5/kcm.h
index 27197fec3eda..ba484b9cab71 100644
--- a/lib/krb5/kcm.h
+++ b/lib/krb5/kcm.h
@@ -78,9 +78,6 @@ typedef enum kcm_operation {
KCM_OP_MAX
} kcm_operation;
-#define _PATH_KCM_SOCKET "/var/run/.kcm_socket"
-#define _PATH_KCM_DOOR "/var/run/.kcm_door"
-
#define KCM_NTLM_FLAG_SESSIONKEY 1
#define KCM_NTLM_FLAG_NTLM2_SESSION 2
#define KCM_NTLM_FLAG_KEYEX 4
diff --git a/lib/krb5/kerberos.8 b/lib/krb5/kerberos.8
index d54ced53ed8c..fdcea0460d6a 100644
--- a/lib/krb5/kerberos.8
+++ b/lib/krb5/kerberos.8
@@ -71,9 +71,12 @@ or
.Ic ftp ,
without giving your password.
.Pp
-For more information on how Kerberos works, and other general Kerberos
-questions see the Kerberos FAQ at
-.Lk http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html .
+For more information on how Kerberos works, see the tutorial at
+.Lk https://kerberos.org/software/tutorial.html
+or the informal
+.Dq dialogue
+at
+.Lk https://web.mit.edu/kerberos/dialogue.html .
.Pp
For setup instructions see the Heimdal Texinfo manual.
.Sh SEE ALSO
diff --git a/lib/krb5/kerberos.cat8 b/lib/krb5/kerberos.cat8
deleted file mode 100644
index 65093c0dce4c..000000000000
--- a/lib/krb5/kerberos.cat8
+++ /dev/null
@@ -1,57 +0,0 @@
-KERBEROS(8) BSD System Manager's Manual KERBEROS(8)
-
-NAME
- kerberos -- introduction to the Kerberos system
-
-DESCRIPTION
- Kerberos is a network authentication system. Its purpose is to securely
- authenticate users and services in an insecure network environment.
-
- This is done with a Kerberos server acting as a trusted third party,
- keeping a database with secret keys for all users and services (collec-
- tively called principals).
-
- Each principal belongs to exactly one realm, which is the administrative
- domain in Kerberos. A realm usually corresponds to an organisation, and
- the realm should normally be derived from that organisation's domain
- name. A realm is served by one or more Kerberos servers.
-
- The authentication process involves exchange of `tickets' and
- `authenticators' which together prove the principal's identity.
-
- When you login to the Kerberos system, either through the normal system
- login or with the kinit(1) program, you acquire a ticket granting ticket
- which allows you to get new tickets for other services, such as telnet or
- ftp, without giving your password.
-
- For more information on how Kerberos works, and other general Kerberos
- questions see the Kerberos FAQ at
- http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html
-
- For setup instructions see the Heimdal Texinfo manual.
-
-SEE ALSO
- ftp(1), kdestroy(1), kinit(1), klist(1), kpasswd(1), telnet(1), krb5(3),
- krb5.conf(5), kadmin(1), kdc(8), ktutil(1)
-
-HISTORY
- The Kerberos authentication system was developed in the late 1980's as
- part of the Athena Project at the Massachusetts Institute of Technology.
- Versions one through three never reached outside MIT, but version 4 was
- (and still is) quite popular, especially in the academic community, but
- is also used in commercial products like the AFS filesystem.
-
- The problems with version 4 are that it has many limitations, the code
- was not too well written (since it had been developed over a long time),
- and it has a number of known security problems. To resolve many of these
- issues work on version five started, and resulted in IETF RFC 1510 in
- 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120, also known
- as Kerberos clarifications. With the arrival of IETF RFC 4120, the work
- on adding extensibility and internationalization have started (Kerberos
- extensions), and a new RFC will hopefully appear soon.
-
- This manual page is part of the Heimdal Kerberos 5 distribution, which
- has been in development at the Royal Institute of Technology in Stock-
- holm, Sweden, since about 1997.
-
-HEIMDAL Jun 27, 2013 HEIMDAL
diff --git a/lib/krb5/keyblock.c b/lib/krb5/keyblock.c
index abca3ee059f6..317bed382d77 100644
--- a/lib/krb5/keyblock.c
+++ b/lib/krb5/keyblock.c
@@ -63,7 +63,8 @@ krb5_free_keyblock_contents(krb5_context context,
{
if(keyblock) {
if (keyblock->keyvalue.data != NULL)
- memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length);
+ memset_s(keyblock->keyvalue.data, keyblock->keyvalue.length,
+ 0, keyblock->keyvalue.length);
krb5_data_free (&keyblock->keyvalue);
keyblock->keytype = KRB5_ENCTYPE_NULL;
}
diff --git a/lib/krb5/keytab.c b/lib/krb5/keytab.c
index 4977a62f21c4..bcb3ed837331 100644
--- a/lib/krb5/keytab.c
+++ b/lib/krb5/keytab.c
@@ -250,8 +250,7 @@ static const char *default_ktname(krb5_context context)
{
const char *tmp = NULL;
- if(!issuid())
- tmp = getenv("KRB5_KTNAME");
+ tmp = secure_getenv("KRB5_KTNAME");
if(tmp != NULL)
return tmp;
return context->default_keytab;
@@ -583,29 +582,31 @@ _krb5_kt_principal_not_found(krb5_context context,
krb5_enctype enctype,
int kvno)
{
- char princ[256], kvno_str[25], *kt_name;
+ char kvno_str[25];
char *enctype_str = NULL;
+ char *kt_name = NULL;
+ char *princ = NULL;
- krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
- krb5_kt_get_full_name (context, id, &kt_name);
+ (void) krb5_unparse_name(context, principal, &princ);
+ (void) krb5_kt_get_full_name(context, id, &kt_name);
if (enctype)
- krb5_enctype_to_string(context, enctype, &enctype_str);
+ (void) krb5_enctype_to_string(context, enctype, &enctype_str);
if (kvno)
snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
else
kvno_str[0] = '\0';
- krb5_set_error_message (context, ret,
- N_("Failed to find %s%s in keytab %s (%s)",
- "principal, kvno, keytab file, enctype"),
- princ,
- kvno_str,
- kt_name ? kt_name : "unknown keytab",
- enctype_str ? enctype_str : "unknown enctype");
+ krb5_set_error_message(context, ret,
+ N_("Failed to find %s%s in keytab %s (%s)",
+ "principal, kvno, keytab file, enctype"),
+ princ ? princ : "<unknown>",
+ kvno_str,
+ kt_name ? kt_name : "unknown keytab",
+ enctype_str ? enctype_str : "unknown enctype");
+ free(princ);
free(kt_name);
- if (enctype_str)
- free(enctype_str);
+ free(enctype_str);
return ret;
}
@@ -688,7 +689,8 @@ krb5_kt_get_entry(krb5_context context,
krb5_name_canon_iterator name_canon_iter;
if (!principal)
- return krb5_kt_get_entry_wrapped(context, id, principal, kvno, enctype,
+ /* Use `NULL' instead of `principal' to quiet static analizers */
+ return krb5_kt_get_entry_wrapped(context, id, NULL, kvno, enctype,
entry);
ret = krb5_name_canon_iterator_start(context, principal, &name_canon_iter);
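Review bot: The comment added between `if (!principal)` and its unbraced `return` misspells "analyzers" and makes the one-statement body easy to misread. Brace the branch and fix the wording, for example `/* Pass a literal NULL instead of `principal' to quiet static analyzers */`. The rest of krb5_kt_get_entry lies outside this hunk.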
@@ -708,7 +710,7 @@ krb5_kt_get_entry(krb5_context context,
enctype, entry);
} while (ret == KRB5_KT_NOTFOUND && name_canon_iter);
- if (ret != KRB5_KT_NOTFOUND)
+ if (ret && ret != KRB5_KT_NOTFOUND)
krb5_set_error_message(context, ret,
N_("Name canon failed while searching keytab",
""));
@@ -828,6 +830,7 @@ krb5_kt_next_entry(krb5_context context,
id->prefix);
return HEIM_ERR_OPNOTSUPP;
}
+ memset(entry, 0x0, sizeof(*entry));
return (*id->next_entry)(context, id, entry, cursor);
}
@@ -880,7 +883,8 @@ krb5_kt_add_entry(krb5_context context,
id->prefix);
return KRB5_KT_NOWRITE;
}
- entry->timestamp = time(NULL);
+ if (entry->timestamp == 0)
+ entry->timestamp = time(NULL);
return (*id->add)(context, id,entry);
}
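Review bot: With the new `if (entry->timestamp == 0)` guard, a caller that never initialised `entry->timestamp` would now have that stale value written to the keytab, where the old code always overwrote it with `time(NULL)`. Callers are not visible here, so this needs an audit of every site that builds a `krb5_keytab_entry` on the stack. The contract change should also be stated above the function, for example `/* A non-zero entry->timestamp is preserved; zero it to have the current time recorded. */`. The start of krb5_kt_add_entry is outside this hunk.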
@@ -954,3 +958,19 @@ krb5_kt_have_content(krb5_context context,
}
return KRB5_KT_NOTFOUND;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kt_client_default_name(krb5_context context, char **name)
+{
+ const char *tmp;
+
+ tmp = secure_getenv("KRB5_CLIENT_KTNAME");
+ if (tmp == NULL)
+ tmp = krb5_config_get_string(context, NULL,
+ "libdefaults",
+ "default_client_keytab_name", NULL);
+ if (tmp == NULL)
+ tmp = CLIENT_KEYTAB_DEFAULT;
+
+ return _krb5_expand_path_tokens(context, tmp, 1, name);
+}
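Review bot: The new `_krb5_kt_client_default_name` has no header comment, although it encodes a lookup order that callers need to know. A short doc comment should list that order: `KRB5_CLIENT_KTNAME` via `secure_getenv`, then `default_client_keytab_name` in `[libdefaults]`, then `CLIENT_KEYTAB_DEFAULT`. It should also say that the chosen string is passed through `_krb5_expand_path_tokens` and returned in `*name`, and who releases it (presumably the caller with `free()`; confirm against `_krb5_expand_path_tokens`).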
diff --git a/lib/krb5/keytab_any.c b/lib/krb5/keytab_any.c
index eea5d64bfb60..6663d171fc83 100644
--- a/lib/krb5/keytab_any.c
+++ b/lib/krb5/keytab_any.c
@@ -222,11 +222,11 @@ any_remove_entry(krb5_context context,
{
struct any_data *a = id->data;
krb5_error_code ret;
- int found = 0;
+ krb5_boolean found = FALSE;
while(a != NULL) {
ret = krb5_kt_remove_entry(context, a->kt, entry);
if(ret == 0)
- found++;
+ found = TRUE;
else {
if(ret != KRB5_KT_NOWRITE && ret != KRB5_KT_NOTFOUND) {
krb5_set_error_message(context, ret,
diff --git a/lib/krb5/keytab_file.c b/lib/krb5/keytab_file.c
index 14b0f6c5987a..61b5d6d29cf8 100644
--- a/lib/krb5/keytab_file.c
+++ b/lib/krb5/keytab_file.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -52,8 +52,10 @@ krb5_kt_ret_data(krb5_context context,
krb5_storage *sp,
krb5_data *data)
{
- int ret;
+ krb5_error_code ret;
+ krb5_ssize_t bytes;
int16_t size;
+
ret = krb5_ret_int16(sp, &size);
if(ret)
return ret;
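Review bot: `size` is a signed `int16_t` taken straight from the file and is never checked for a negative value before it is used as an allocation and read length. In the next hunk it reaches `malloc(size)` and `krb5_storage_read(sp, data->data, size)`. In the krb5_kt_ret_string hunk after that, `(*data)[size] = '\0'` would index before the buffer if `malloc(size + 1)` succeeds for a negative `size`. A guard right after the `krb5_ret_int16` check in both functions closes this, for example `if (size < 0) return KRB5_KT_END;` or whichever format-error code the file prefers. krb5_kt_ret_data continues outside this hunk.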
@@ -61,9 +63,9 @@ krb5_kt_ret_data(krb5_context context,
data->data = malloc(size);
if (data->data == NULL)
return krb5_enomem(context);
- ret = krb5_storage_read(sp, data->data, size);
- if(ret != size)
- return (ret < 0)? errno : KRB5_KT_END;
+ bytes = krb5_storage_read(sp, data->data, size);
+ if (bytes != size)
+ return (bytes == -1) ? errno : KRB5_KT_END;
return 0;
}
@@ -72,18 +74,20 @@ krb5_kt_ret_string(krb5_context context,
krb5_storage *sp,
heim_general_string *data)
{
- int ret;
+ krb5_error_code ret;
+ krb5_ssize_t bytes;
int16_t size;
+
ret = krb5_ret_int16(sp, &size);
if(ret)
return ret;
*data = malloc(size + 1);
if (*data == NULL)
return krb5_enomem(context);
- ret = krb5_storage_read(sp, *data, size);
+ bytes = krb5_storage_read(sp, *data, size);
(*data)[size] = '\0';
- if(ret != size)
- return (ret < 0)? errno : KRB5_KT_END;
+ if (bytes != size)
+ return (bytes == -1) ? errno : KRB5_KT_END;
return 0;
}
@@ -92,16 +96,15 @@ krb5_kt_store_data(krb5_context context,
krb5_storage *sp,
krb5_data data)
{
- int ret;
+ krb5_error_code ret;
+ krb5_ssize_t bytes;
+
ret = krb5_store_int16(sp, data.length);
- if(ret < 0)
- return ret;
- ret = krb5_storage_write(sp, data.data, data.length);
- if(ret != (int)data.length){
- if(ret < 0)
- return errno;
- return KRB5_KT_END;
- }
+ if (ret != 0)
+ return ret;
+ bytes = krb5_storage_write(sp, data.data, data.length);
+ if (bytes != (int)data.length)
+ return bytes == -1 ? errno : KRB5_KT_END;
return 0;
}
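Review bot: `krb5_store_int16(sp, data.length)` silently narrows the length to 16 bits, so a value above `INT16_MAX` would write a length prefix that disagrees with the bytes that follow. The readers in this file parse that prefix as a signed `int16_t`. krb5_kt_store_string in the next hunk does the same with its `size_t len`. Rejecting oversized input before the store keeps the file well-formed, for example `if (data.length > INT16_MAX) return ERANGE;`. The `(int)data.length` cast in the comparison could then be dropped in favour of comparing against the checked length.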
@@ -109,17 +112,16 @@ static krb5_error_code
krb5_kt_store_string(krb5_storage *sp,
heim_general_string data)
{
- int ret;
+ krb5_error_code ret;
+ krb5_ssize_t bytes;
size_t len = strlen(data);
+
ret = krb5_store_int16(sp, len);
- if(ret < 0)
+ if (ret != 0)
return ret;
- ret = krb5_storage_write(sp, data, len);
- if(ret != (int)len){
- if(ret < 0)
- return errno;
- return KRB5_KT_END;
- }
+ bytes = krb5_storage_write(sp, data, len);
+ if (bytes != (int)len)
+ return bytes == -1 ? errno : KRB5_KT_END;
return 0;
}
@@ -367,7 +369,9 @@ fkt_start_seq_get_int(krb5_context context,
int8_t pvno, tag;
krb5_error_code ret;
struct fkt_data *d = id->data;
+ const char *stdio_mode = "rb";
+ memset(c, 0, sizeof(*c));
c->fd = open (d->filename, flags);
if (c->fd < 0) {
ret = errno;
@@ -382,9 +386,14 @@ fkt_start_seq_get_int(krb5_context context,
close(c->fd);
return ret;
}
- c->sp = krb5_storage_from_fd(c->fd);
+ if ((flags & O_ACCMODE) == O_RDWR && (flags & O_APPEND))
+ stdio_mode = "ab+";
+ else if ((flags & O_ACCMODE) == O_RDWR)
+ stdio_mode = "rb+";
+ else if ((flags & O_ACCMODE) == O_WRONLY)
+ stdio_mode = "wb";
+ c->sp = krb5_storage_stdio_from_fd(c->fd, stdio_mode);
if (c->sp == NULL) {
- _krb5_xunlock(context, c->fd);
close(c->fd);
return krb5_enomem(context);
}
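Review bot: Nothing here explains why the explicit `_krb5_xunlock` is removed from this error path, and from the later paths in fkt_start_seq_get_int, fkt_end_seq_get and fkt_add_entry. Presumably the lock is now released by `close()` so that the buffered stdio storage is flushed by `krb5_storage_free` while the lock is still held. If that is the intent, a comment at the first site would stop someone from restoring the unlock, for example `/* close() releases the lock; krb5_storage_free() must flush the stdio buffer first */`. The `stdio_mode` selection would also benefit from one line saying it mirrors the `open()` flags. The function starts and ends outside this hunk.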
@@ -392,14 +401,12 @@ fkt_start_seq_get_int(krb5_context context,
ret = krb5_ret_int8(c->sp, &pvno);
if(ret) {
krb5_storage_free(c->sp);
- _krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message(context);
return ret;
}
if(pvno != 5) {
krb5_storage_free(c->sp);
- _krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message (context);
return KRB5_KEYTAB_BADVNO;
@@ -407,7 +414,6 @@ fkt_start_seq_get_int(krb5_context context,
ret = krb5_ret_int8(c->sp, &tag);
if (ret) {
krb5_storage_free(c->sp);
- _krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message(context);
return ret;
@@ -507,7 +513,6 @@ fkt_end_seq_get(krb5_context context,
krb5_kt_cursor *cursor)
{
krb5_storage_free(cursor->sp);
- _krb5_xunlock(context, cursor->fd);
close(cursor->fd);
return 0;
}
@@ -534,13 +539,14 @@ fkt_add_entry(krb5_context context,
int ret;
int fd;
krb5_storage *sp;
+ krb5_ssize_t bytes;
struct fkt_data *d = id->data;
krb5_data keytab;
int32_t len;
- fd = open (d->filename, O_RDWR | O_BINARY | O_CLOEXEC);
+ fd = open(d->filename, O_RDWR | O_BINARY | O_CLOEXEC);
if (fd < 0) {
- fd = open (d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
+ fd = open(d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if (fd < 0) {
ret = errno;
krb5_set_error_message(context, ret,
@@ -555,10 +561,14 @@ fkt_add_entry(krb5_context context,
close(fd);
return ret;
}
- sp = krb5_storage_from_fd(fd);
+ sp = krb5_storage_stdio_from_fd(fd, "wb+");
+ if (sp == NULL) {
+ close(fd);
+ return krb5_enomem(context);
+ }
krb5_storage_set_eof_code(sp, KRB5_KT_END);
ret = fkt_setup_keytab(context, id, sp);
- if(ret) {
+ if (ret) {
goto out;
}
storage_set_flags(context, sp, id->version);
@@ -572,7 +582,11 @@ fkt_add_entry(krb5_context context,
close(fd);
return ret;
}
- sp = krb5_storage_from_fd(fd);
+ sp = krb5_storage_stdio_from_fd(fd, "wb+");
+ if (sp == NULL) {
+ (void) close(fd);
+ return ret;
+ }
krb5_storage_set_eof_code(sp, KRB5_KT_END);
ret = krb5_ret_int8(sp, &pvno);
if(ret) {
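Review bot: The new `if (sp == NULL)` branch returns `ret`, which looks like it is still 0 here because the only visible earlier use of `ret` is the failure path that has already returned. If so, a failed `krb5_storage_stdio_from_fd` would report success without adding the entry. The same check in the previous hunk returns `krb5_enomem(context)`; this one should match it with `return krb5_enomem(context);`. The surrounding function body lies outside this hunk.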
@@ -679,8 +693,21 @@ fkt_add_entry(krb5_context context,
}
while(1) {
+ off_t here;
+
+ here = krb5_storage_seek(sp, 0, SEEK_CUR);
+ if (here == -1) {
+ ret = errno;
+ krb5_set_error_message(context, ret,
+ N_("Failed writing keytab block "
+ "in keytab %s: %s", ""),
+ d->filename, strerror(ret));
+ goto out;
+ }
ret = krb5_ret_int32(sp, &len);
- if(ret == KRB5_KT_END) {
+ if (ret) {
+ /* There could have been a partial length. Recover! */
+ (void) krb5_storage_truncate(sp, here);
len = keytab.length;
break;
}
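Review bot: The recovery branch now runs on any non-zero result from `krb5_ret_int32`, not only `KRB5_KT_END`, and it truncates the file at `here`. A read error in the middle of the keytab would therefore discard every entry stored after that offset. The result of `krb5_storage_truncate` is also thrown away, so a failed truncate goes on to write the new entry anyway. Consider keeping the truncate-and-append path for `KRB5_KT_END` only, sending other errors to `out`, and checking the truncate result. The seek-failure message says "Failed writing keytab block", which does not describe a failed seek. The loop continues outside this hunk.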
@@ -694,8 +721,11 @@ fkt_add_entry(krb5_context context,
krb5_storage_seek(sp, len, SEEK_CUR);
}
ret = krb5_store_int32(sp, len);
- if(krb5_storage_write(sp, keytab.data, keytab.length) < 0) {
- ret = errno;
+ if (ret != 0)
+ goto out;
+ bytes = krb5_storage_write(sp, keytab.data, keytab.length);
+ if (bytes != keytab.length) {
+ ret = bytes == -1 ? errno : KRB5_KT_END;
krb5_set_error_message(context, ret,
N_("Failed writing keytab block "
"in keytab %s: %s", ""),
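Review bot: The `goto out` added after `krb5_store_int32` jumps over the `memset(keytab.data, ...)` and `krb5_data_free(&keytab)` pair, which sits just before the `out:` label in the following hunk. On that failure the serialized entry stays allocated and is never cleared. The `goto out` added for the seek failure in the previous hunk appears to skip the same cleanup, since `keytab.length` is already in use there. A separate label placed before the `memset`, reached with `goto cleanup;` from both sites, would keep the existing `out:` paths unchanged. The function body extends beyond this hunk on both sides.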
@@ -704,8 +734,9 @@ fkt_add_entry(krb5_context context,
memset(keytab.data, 0, keytab.length);
krb5_data_free(&keytab);
out:
+ if (ret == 0)
+ ret = krb5_storage_fsync(sp);
krb5_storage_free(sp);
- _krb5_xunlock(context, fd);
close(fd);
return ret;
}
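Review bot: `memset(keytab.data, 0, keytab.length)` is left as a plain `memset` immediately before `krb5_data_free(&keytab)`, which a compiler may drop as a dead store. The buffer holds the serialized entry being written, which presumably includes the key. This commit already switches the equivalent wipe in keyblock.c to `memset_s`, so the same form fits here: `memset_s(keytab.data, keytab.length, 0, keytab.length);`. The start of fkt_add_entry is outside this hunk.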
@@ -715,6 +746,8 @@ fkt_remove_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
{
+ struct fkt_data *fkt = id->data;
+ krb5_ssize_t bytes;
krb5_keytab_entry e;
krb5_kt_cursor cursor;
off_t pos_start, pos_end;
@@ -722,34 +755,56 @@ fkt_remove_entry(krb5_context context,
krb5_error_code ret;
ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY | O_CLOEXEC, 1, &cursor);
- if(ret != 0)
- goto out; /* return other error here? */
- while(fkt_next_entry_int(context, id, &e, &cursor,
- &pos_start, &pos_end) == 0) {
- if(krb5_kt_compare(context, &e, entry->principal,
- entry->vno, entry->keyblock.keytype)) {
+ if (ret != 0) {
+ const char *emsg = krb5_get_error_message(context, ret);
+
+ krb5_set_error_message(context, ret,
+ N_("Could not open keytab file for write: %s: %s", ""),
+ fkt->filename,
+ emsg);
+ krb5_free_error_message(context, emsg);
+ return ret;
+ }
+ while (ret == 0 &&
+ (ret = fkt_next_entry_int(context, id, &e, &cursor,
+ &pos_start, &pos_end)) == 0) {
+ if (krb5_kt_compare(context, &e, entry->principal,
+ entry->vno, entry->keyblock.keytype)) {
int32_t len;
unsigned char buf[128];
found = 1;
krb5_storage_seek(cursor.sp, pos_start, SEEK_SET);
len = pos_end - pos_start - 4;
- krb5_store_int32(cursor.sp, -len);
+ ret = krb5_store_int32(cursor.sp, -len);
memset(buf, 0, sizeof(buf));
- while(len > 0) {
- krb5_storage_write(cursor.sp, buf,
+ while (ret == 0 && len > 0) {
+ bytes = krb5_storage_write(cursor.sp, buf,
min((size_t)len, sizeof(buf)));
+ if (bytes != min((size_t)len, sizeof(buf))) {
+ ret = bytes == -1 ? errno : KRB5_KT_END;
+ break;
+ }
len -= min((size_t)len, sizeof(buf));
}
}
krb5_kt_free_entry(context, &e);
}
- krb5_kt_end_seq_get(context, id, &cursor);
- out:
- if (!found) {
- krb5_clear_error_message (context);
+ (void) krb5_kt_end_seq_get(context, id, &cursor);
+ if (ret == KRB5_KT_END)
+ ret = 0;
+ if (ret) {
+ const char *emsg = krb5_get_error_message(context, ret);
+
+ krb5_set_error_message(context, ret,
+ N_("Could not remove keytab entry from %s: %s", ""),
+ fkt->filename,
+ emsg);
+ krb5_free_error_message(context, emsg);
+ } else if (!found) {
+ krb5_clear_error_message(context);
return KRB5_KT_NOTFOUND;
}
- return 0;
+ return ret;
}
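Review bot: A short write while zeroing a matched entry sets `ret` to `KRB5_KT_END`, and that is the same value the post-loop `if (ret == KRB5_KT_END) ret = 0;` treats as a normal end of iteration. With `found` already set, a partially overwritten entry would then be reported as removed. Use a different code for the short write, for example `ret = bytes == -1 ? errno : EIO;`, or keep the iterator status from `fkt_next_entry_int` in its own variable. The `krb5_storage_seek` before the overwrite is still unchecked. Unlike fkt_add_entry, nothing here calls `krb5_storage_fsync`, so an error at flush time would presumably go unreported. The declarations for this function are in the previous hunk.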
const krb5_kt_ops krb5_fkt_ops = {
diff --git a/lib/krb5/keytab_keyfile.c b/lib/krb5/keytab_keyfile.c
index cb865a794c08..af3ac86faf0a 100644
--- a/lib/krb5/keytab_keyfile.c
+++ b/lib/krb5/keytab_keyfile.c
@@ -403,7 +403,7 @@ akf_add_entry(krb5_context context,
ret = errno;
krb5_set_error_message (context, ret,
N_("keytab keyfile failed new length", ""));
- return ret;
+ goto out;
}
if(krb5_storage_seek(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) {
diff --git a/lib/krb5/krb5-plugin.7 b/lib/krb5/krb5-plugin.7
index 5ba68c645134..0b1e729c1617 100644
--- a/lib/krb5/krb5-plugin.7
+++ b/lib/krb5/krb5-plugin.7
@@ -57,11 +57,54 @@ associated header file, such as, for example,
.Va krb5plugin_kuserok_ftable
and a pointer to which is either registered via
.Xr krb5_plugin_register 3
-or found in a shared object via a symbol lookup for the symbol name
-defined in the associated header file (e.g., "kuserok" for the
-plugin for
+or via a plugin load function exported by a shared object.
+Plugin load functions should be named by concatenating the name defined in the
+associated header file with the string "plugin_load" (e.g.
+"krb5_plugin_kuserok_plugin_load" for the plugin for
.Xr krb5_kuserok 3
).
+The plugin load function must be of type
+.Va heim_plugin_load_ft
+which is:
+.Bd -literal -offset indent
+krb5_error_code HEIM_CALLCONV
+my_plugin_load(heim_pcontext context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ heim_plugin_common_ftable_cp **plugins);
+
+.Ed
+where
+.Va HEIM_CALLCONV
+is
+.Va __stdcall
+on Windows.
+.Pp
+The plugin should set the get_instance output parameter to the a
+function that will return the instances of its library
+dependencies. For example:
+.Bd -literal -offset indent
+static uintptr_t HEIM_LIB_CALL
+my_plugin_get_instance(const char *name)
+{
+ if (strcmp(name, "krb5") == 0)
+ return krb5_get_instance(name);
+ return 0;
+}
+.Ed
+.Pp
+The
+.Va get_instance
+function is used to check that dynamically-linked plugins are
+linked with the same Heimdal shared objects as the one loading
+and running the plugin.
+.Pp
+The output parameters
+.Va plugins
+and
+.Va n_plugins
+output an array of pointers to function tabls, and the number of
+those, respectively.
.Pp
The plugin structs for all plugin types always begin with the same three
common fields:
@@ -72,24 +115,41 @@ common fields:
associated header file.
.It
.Va init
-, a pointer to a function with two arguments, a krb5_context and a
-void **, returning a krb5_error_code. This function will be called to
-initialize a plugin-specific context in the form of a void * that will
-be output through the init function's second argument.
+, a pointer to a function with two arguments, a
+.Va heim_pcontext
+(which for krb5 plugins is actually a krb5_context),
+and a
+.Va void **
+, returning a heim_error_code. This function will be called to
+initialize a plugin-specific context in the form of a
+.Va void *
+that will be output through the init function's second argument.
.It
.Va fini
-, a pointer to a function of one argument, a void *, consisting of the
-plugin's context to be destroyed, and returning void.
+, a pointer to a function of one argument, a
+.Va void *
+, consisting of the plugin's context to be destroyed, and
+returning
+.Va void.
.El
.Pp
-Each plugin type must add zero or more fields to this struct following
-the above three. Plugins are typically invoked in no particular order
-until one succeeds or fails, or all return a special return value such
-as KRB5_PLUGIN_NO_HANDLE to indicate that the plugin was not applicable.
-Most plugin types obtain deterministic plugin behavior in spite of the
-non-deterministic invocation order by, for example, invoking all plugins
-for each "rule" and passing the rule to each plugin with the expectation
-that just one plugin will match any given rule.
+Each plugin type may add fields to this struct following the above
+three. Plugins are typically invoked in no particular order until one
+succeeds or fails, or all return a special return value that indicates
+that the plugin was not applicable. For krb5 plugins,
+.Va KRB5_PLUGIN_NO_HANDLE
+indicates that the plugin was not applicable.
+.Pp
+Heimdal plugin callers either invoke all plugins until one returns an
+error or all return
+.Va KRB5_PLUGIN_NO_HANDLE
+, or invoke all plugins until one returns a value other than
+.Va KRB5_PLUGIN_NO_HANDLE
+with the expectation that only one plugin would return success and all
+oters would return
+.Va KRB5_PLUGIN_NO_HANDLE.
+Thus Heimdal plugin invokation can be deterministic in spite of
+non-deterministic invocation order.
.Pp
There is a database plugin system intended for many of the uses of
databases in Heimdal. The plugin is expected to call
@@ -169,8 +229,9 @@ follows:
.Bd -literal -offset indent
#include <krb5/an2ln_plugin.h>
+/* Note that `context' here is actually a krb5_context value */
static krb5_error_code KRB5_CALLCONV
-nouser_plug_init(krb5_context context, void **ctx)
+nouser_plug_init(heim_pcontext context, void **ctx)
{
*ctx = NULL;
return 0;
@@ -200,6 +261,32 @@ krb5plugin_an2ln_ftable an2ln = {
nouser_plug_fini,
nouser_plug_an2ln,
};
+
+static const krb5plugin_an2ln_ftable *const plugins[] = {
+ &an2ln
+};
+
+static uintptr_t
+an2ln_get_instance(const char *libname)
+{
+ if (strcmp(libname, "krb5") == 0)
+ return krb5_get_instance(libname);
+
+ return 0;
+}
+
+/* Note that `context' here is actually a krb5_context value */
+krb5_error_code
+an2ln_plugin_load(heim_pcontext context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_an2ln_ftable * const **pplugins)
+{
+ *get_instance = an2ln_get_instance;
+ *num_plugins = sizeof(plugins) / sizeof(plugins[0]);
+ *pplugins = plugins;
+ return 0;
+}
.Ed
.Pp
An example kuserok plugin that rejects all requests follows. (Note that
@@ -210,8 +297,8 @@ there exists a built-in plugin with this functionality; see
.Bd -literal -offset indent
#include <krb5/kuserok_plugin.h>
-static krb5_error_code KRB5_CALLCONV
-reject_plug_init(krb5_context context, void **ctx)
+static krb5_error_code KRB5_CALLCONV
+reject_plug_init(heim_context context, void **ctx)
{
*ctx = NULL;
return 0;
@@ -232,12 +319,39 @@ reject_plug_kuserok(void *plug_ctx, krb5_context context, const char *rule,
return 0;
}
-krb5plugin_kuserok_ftable kuserok = {
+static krb5plugin_kuserok_ftable kuserok = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
reject_plug_init,
reject_plug_fini,
reject_plug_kuserok,
};
+
+static const krb5plugin_kuserok_ftable *const plugins[] = {
+ &kuserok
+};
+
+static uintptr_t
+kuserok_get_instance(const char *libname)
+{
+ if (strcmp(libname, "krb5") == 0)
+ return krb5_get_instance(libname);
+
+ return 0;
+}
+
+krb5_error_code
+krb5_plugin_kuserok_plugin_load(
+ heim_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_kuserok_ftable * const **pplugins)
+{
+ *krb5_instance = kuserok_get_instance;
+ *num_plugins = sizeof(plugins) / sizeof(plugins[0]);
+ *pplugins = plugins;
+ return 0;
+}
+
.Ed
.Sh SEE ALSO
.Xr krb5_plugin_register 3
diff --git a/lib/krb5/krb5-plugin.cat7 b/lib/krb5/krb5-plugin.cat7
deleted file mode 100644
index c691ebef47f1..000000000000
--- a/lib/krb5/krb5-plugin.cat7
+++ /dev/null
@@ -1,167 +0,0 @@
-KRB5-PLUGIN(7) BSD Miscellaneous Information Manual KRB5-PLUGIN(7)
-
-NAME
- krb5-plugin -- plugin interface for Heimdal
-
-SYNOPSIS
- #include <krb5.h>
- #include <krb5/an2ln_plugin.h>
- #include <krb5/ccache_plugin.h>
- #include <krb5/db_plugin.h>
- #include <krb5/kuserok_plugin.h>
- #include <krb5/locate_plugin.h>
- #include <krb5/send_to_kdc_plugin.h>
-
-DESCRIPTION
- Heimdal has a plugin interface. Plugins may be statically linked into
- Heimdal and registered via the krb5_plugin_register(3) function, or they
- may be dynamically loaded from shared objects present in the Heimdal
- plugins directories.
-
- Plugins consist of a C struct whose struct name is given in the associ-
- ated header file, such as, for example, krb5plugin_kuserok_ftable and a
- pointer to which is either registered via krb5_plugin_register(3) or
- found in a shared object via a symbol lookup for the symbol name defined
- in the associated header file (e.g., "kuserok" for the plugin for
- krb5_kuserok(3) ).
-
- The plugin structs for all plugin types always begin with the same three
- common fields:
- 1. minor_version , an int. Plugin minor versions are defined in each
- plugin type's associated header file.
- 2. init , a pointer to a function with two arguments, a krb5_context
- and a void **, returning a krb5_error_code. This function will be
- called to initialize a plugin-specific context in the form of a void
- * that will be output through the init function's second argument.
- 3. fini , a pointer to a function of one argument, a void *, consisting
- of the plugin's context to be destroyed, and returning void.
-
- Each plugin type must add zero or more fields to this struct following
- the above three. Plugins are typically invoked in no particular order
- until one succeeds or fails, or all return a special return value such as
- KRB5_PLUGIN_NO_HANDLE to indicate that the plugin was not applicable.
- Most plugin types obtain deterministic plugin behavior in spite of the
- non-deterministic invocation order by, for example, invoking all plugins
- for each "rule" and passing the rule to each plugin with the expectation
- that just one plugin will match any given rule.
-
- There is a database plugin system intended for many of the uses of data-
- bases in Heimdal. The plugin is expected to call heim_db_register(3)
- from its init entry point to register a DB type. The DB plugin's fini
- function must do nothing, and the plugin must not provide any other entry
- points.
-
- The krb5_kuserok plugin adds a single field to its struct: a pointer to a
- function that implements kuserok functionality with the following form:
-
- static krb5_error_code
- kuserok(void *plug_ctx, krb5_context context, const char *rule,
- unsigned int flags, const char *k5login_dir,
- const char *luser, krb5_const_principal principal,
- krb5_boolean *result)
-
- The luser , principal and result arguments are self-explanatory (see
- krb5_kuserok(3) ). The plug_ctx argument is the context output by the
- plugin's init function. The rule argument is a kuserok rule from the
- krb5.conf file; each plugin is invoked once for each rule until all plug-
- ins fail or one succeeds. The k5login_dir argument provides an alterna-
- tive k5login file location, if not NULL. The flags argument indicates
- whether the plugin may call krb5_aname_to_localname(3)
- (KUSEROK_ANAME_TO_LNAME_OK), and whether k5login databases are expected
- to be authoritative (KUSEROK_K5LOGIN_IS_AUTHORITATIVE).
-
- The plugin for krb5_aname_to_localname(3) is named "an2ln" and has a sin-
- gle extra field for the plugin struct:
-
- typedef krb5_error_code (*set_result_f)(void *, const char *);
-
- static krb5_error_code
- an2ln(void *plug_ctx, krb5_context context, const char *rule,
- krb5_const_principal aname, set_result_f set_res_f, void *set_res_ctx)
-
- The arguments for the an2ln plugin are similar to those of the kuserok
- plugin, but the result, being a string, is set by calling the set_res_f
- function argument with the set_res_ctx and result string as arguments.
- The set_res_f function will make a copy of the string.
-
-FILES
- libdir/plugin/krb5/*
- Shared objects containing plugins for Heimdal.
-
-EXAMPLES
- An example an2ln plugin that maps principals to a constant "nouser" fol-
- lows:
-
- #include <krb5/an2ln_plugin.h>
-
- static krb5_error_code KRB5_CALLCONV
- nouser_plug_init(krb5_context context, void **ctx)
- {
- *ctx = NULL;
- return 0;
- }
-
- static void KRB5_CALLCONV nouser_plug_fini(void *ctx) { }
-
- static krb5_error_code KRB5_CALLCONV
- nouser_plug_an2ln(void *plug_ctx, krb5_context context,
- const char *rule,
- krb5_const_principal aname,
- set_result_f set_res_f, void *set_res_ctx)
- {
- krb5_error_code ret;
-
- if (strcmp(rule, "NOUSER") != 0)
- return KRB5_PLUGIN_NO_HANDLE;
-
- ret = set_res_f(set_res_ctx, "nouser");
-
- return ret;
- }
-
- krb5plugin_an2ln_ftable an2ln = {
- KRB5_PLUGIN_AN2LN_VERSION_0,
- nouser_plug_init,
- nouser_plug_fini,
- nouser_plug_an2ln,
- };
-
- An example kuserok plugin that rejects all requests follows. (Note that
- there exists a built-in plugin with this functionality; see
- krb5_kuserok(3) ).
-
- #include <krb5/kuserok_plugin.h>
-
- static krb5_error_code KRB5_CALLCONV
- reject_plug_init(krb5_context context, void **ctx)
- {
- *ctx = NULL;
- return 0;
- }
-
- static void KRB5_CALLCONV reject_plug_fini(void *ctx) { }
-
- static krb5_error_code KRB5_CALLCONV
- reject_plug_kuserok(void *plug_ctx, krb5_context context, const char *rule,
- unsigned int flags, const char *k5login_dir,
- const char *luser, krb5_const_principal principal,
- krb5_boolean *result)
- {
- if (strcmp(rule, "REJECT") != 0)
- return KRB5_PLUGIN_NO_HANDLE;
-
- *result = FALSE;
- return 0;
- }
-
- krb5plugin_kuserok_ftable kuserok = {
- KRB5_PLUGIN_KUSEROK_VERSION_0,
- reject_plug_init,
- reject_plug_fini,
- reject_plug_kuserok,
- };
-
-SEE ALSO
- krb5_plugin_register(3) krb5_kuserok(3) krb5_aname_to_localname(3)
-
-HEIMDAL December 21, 2011 HEIMDAL
diff --git a/lib/krb5/krb5-private.h b/lib/krb5/krb5-private.h
deleted file mode 100644
index 79bd27e9397f..000000000000
--- a/lib/krb5/krb5-private.h
+++ /dev/null
@@ -1,733 +0,0 @@
-/* This is a generated file */
-#ifndef __krb5_private_h__
-#define __krb5_private_h__
-
-#include <stdarg.h>
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-#ifndef KRB5_DEPRECATED_FUNCTION
-#ifndef __has_extension
-#define __has_extension(x) 0
-#define KRB5_DEPRECATED_FUNCTIONhas_extension 1
-#endif
-#if __has_extension(attribute_deprecated_with_message)
-#define KRB5_DEPRECATED_FUNCTION(x) __attribute__((__deprecated__(x)))
-#elif defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define KRB5_DEPRECATED_FUNCTION(X) __attribute__((__deprecated__))
-#else
-#define KRB5_DEPRECATED_FUNCTION(X)
-#endif
-#ifdef KRB5_DEPRECATED_FUNCTIONhas_extension
-#undef __has_extension
-#undef KRB5_DEPRECATED_FUNCTIONhas_extension
-#endif
-#endif /* KRB5_DEPRECATED_FUNCTION */
-
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_heim_krb5_ipc_client_clear_target (void);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_heim_krb5_ipc_client_set_target_uid (uid_t /*uid*/);
-
-void
-_krb5_DES3_random_to_key (
- krb5_context /*context*/,
- krb5_keyblock */*key*/,
- const void */*data*/,
- size_t /*size*/);
-
-krb5_error_code
-_krb5_HMAC_MD5_checksum (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- const void */*data*/,
- size_t /*len*/,
- unsigned /*usage*/,
- Checksum */*result*/);
-
-krb5_error_code
-_krb5_SP800_108_HMAC_KDF (
- krb5_context /*context*/,
- const krb5_data */*kdf_K1*/,
- const krb5_data */*kdf_label*/,
- const krb5_data */*kdf_context*/,
- const EVP_MD */*md*/,
- krb5_data */*kdf_K0*/);
-
-krb5_error_code
-_krb5_SP_HMAC_SHA1_checksum (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- const void */*data*/,
- size_t /*len*/,
- unsigned /*usage*/,
- Checksum */*result*/);
-
-krb5_error_code
-_krb5_aes_sha2_md_for_enctype (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- const EVP_MD **/*md*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_build_authenticator (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_enctype /*enctype*/,
- krb5_creds */*cred*/,
- Checksum */*cksum*/,
- krb5_data */*result*/,
- krb5_key_usage /*usage*/);
-
-krb5_error_code
-_krb5_build_authpack_subjectPK_EC (
- krb5_context /*context*/,
- krb5_pk_init_ctx /*ctx*/,
- AuthPack */*a*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_cc_allocate (
- krb5_context /*context*/,
- const krb5_cc_ops */*ops*/,
- krb5_ccache */*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_config_copy (
- krb5_context /*context*/,
- krb5_config_section */*c*/,
- krb5_config_section **/*head*/);
-
-KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_get (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*type*/,
- ...);
-
-KRB5_LIB_FUNCTION krb5_config_section * KRB5_LIB_CALL
-_krb5_config_get_entry (
- krb5_config_section **/*parent*/,
- const char */*name*/,
- int /*type*/);
-
-KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_get_next (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const krb5_config_binding **/*pointer*/,
- int /*type*/,
- ...);
-
-KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_vget (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*type*/,
- va_list /*args*/);
-
-KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_vget_next (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const krb5_config_binding **/*pointer*/,
- int /*type*/,
- va_list /*args*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_copy_send_to_kdc_func (
- krb5_context /*context*/,
- krb5_context /*to*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_crc_init_table (void);
-
-KRB5_LIB_FUNCTION uint32_t KRB5_LIB_CALL
-_krb5_crc_update (
- const char */*p*/,
- size_t /*len*/,
- uint32_t /*res*/);
-
-void KRB5_LIB_FUNCTION
-_krb5_debug (
- krb5_context /*context*/,
- int /*level*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 3, 4)));
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_debug_backtrace (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_derive_key (
- krb5_context /*context*/,
- struct _krb5_encryption_type */*et*/,
- struct _krb5_key_data */*key*/,
- const void */*constant*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_des_checksum (
- krb5_context /*context*/,
- const EVP_MD */*evp_md*/,
- struct _krb5_key_data */*key*/,
- const void */*data*/,
- size_t /*len*/,
- Checksum */*cksum*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_des_verify (
- krb5_context /*context*/,
- const EVP_MD */*evp_md*/,
- struct _krb5_key_data */*key*/,
- const void */*data*/,
- size_t /*len*/,
- Checksum */*C*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_dh_group_ok (
- krb5_context /*context*/,
- unsigned long /*bits*/,
- heim_integer */*p*/,
- heim_integer */*g*/,
- heim_integer */*q*/,
- struct krb5_dh_moduli **/*moduli*/,
- char **/*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_einval (
- krb5_context /*context*/,
- const char */*func*/,
- unsigned long /*argn*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_enctype_requires_random_salt (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_erase_file (
- krb5_context /*context*/,
- const char */*filename*/);
-
-void
-_krb5_evp_cleanup (
- krb5_context /*context*/,
- struct _krb5_key_data */*kd*/);
-
-krb5_error_code
-_krb5_evp_encrypt (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- void */*data*/,
- size_t /*len*/,
- krb5_boolean /*encryptp*/,
- int /*usage*/,
- void */*ivec*/);
-
-krb5_error_code
-_krb5_evp_encrypt_cts (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- void */*data*/,
- size_t /*len*/,
- krb5_boolean /*encryptp*/,
- int /*usage*/,
- void */*ivec*/);
-
-void
-_krb5_evp_schedule (
- krb5_context /*context*/,
- struct _krb5_key_type */*kt*/,
- struct _krb5_key_data */*kd*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_expand_default_cc_name (
- krb5_context /*context*/,
- const char */*str*/,
- char **/*res*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_expand_path_tokens (
- krb5_context /*context*/,
- const char */*path_in*/,
- int /*filepath*/,
- char **/*ppath_out*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_expand_path_tokensv (
- krb5_context /*context*/,
- const char */*path_in*/,
- int /*filepath*/,
- char **/*ppath_out*/,
- ...);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_extract_ticket (
- krb5_context /*context*/,
- krb5_kdc_rep */*rep*/,
- krb5_creds */*creds*/,
- krb5_keyblock */*key*/,
- krb5_const_pointer /*keyseed*/,
- krb5_key_usage /*key_usage*/,
- krb5_addresses */*addrs*/,
- unsigned /*nonce*/,
- unsigned /*flags*/,
- krb5_data */*request*/,
- krb5_decrypt_proc /*decrypt_proc*/,
- krb5_const_pointer /*decryptarg*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_fast_armor_key (
- krb5_context /*context*/,
- krb5_keyblock */*subkey*/,
- krb5_keyblock */*sessionkey*/,
- krb5_keyblock */*armorkey*/,
- krb5_crypto */*armor_crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_fast_cf2 (
- krb5_context /*context*/,
- krb5_keyblock */*key1*/,
- const char */*pepper1*/,
- krb5_keyblock */*key2*/,
- const char */*pepper2*/,
- krb5_keyblock */*armorkey*/,
- krb5_crypto */*armor_crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_find_capath (
- krb5_context /*context*/,
- const char */*client_realm*/,
- const char */*local_realm*/,
- const char */*server_realm*/,
- krb5_boolean /*use_hierarchical*/,
- char ***/*rpath*/,
- size_t */*npath*/);
-
-KRB5_LIB_FUNCTION struct _krb5_checksum_type * KRB5_LIB_CALL
-_krb5_find_checksum (krb5_cksumtype /*type*/);
-
-KRB5_LIB_FUNCTION struct _krb5_encryption_type * KRB5_LIB_CALL
-_krb5_find_enctype (krb5_enctype /*type*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_free_capath (
- krb5_context /*context*/,
- char **/*capath*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_free_key_data (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- struct _krb5_encryption_type */*et*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_free_krbhst_info (krb5_krbhst_info */*hi*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_free_moduli (struct krb5_dh_moduli **/*moduli*/);
-
-KRB5_LIB_FUNCTION void
-_krb5_free_name_canon_rules (
- krb5_context /*context*/,
- krb5_name_canon_rule /*rules*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_ad (
- krb5_context /*context*/,
- const AuthorizationData */*ad*/,
- krb5_keyblock */*sessionkey*/,
- int /*type*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_cred_kdc_any (
- krb5_context /*context*/,
- krb5_kdc_flags /*flags*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_principal /*impersonate_principal*/,
- Ticket */*second_ticket*/,
- krb5_creds **/*out_creds*/,
- krb5_creds ***/*ret_tgts*/);
-
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_get_default_cc_name_from_registry (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_get_default_config_config_files_from_registry (void);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_default_principal_local (
- krb5_context /*context*/,
- krb5_principal */*princ*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_host_realm_int (
- krb5_context /*context*/,
- const char */*host*/,
- krb5_boolean /*use_dns*/,
- krb5_realm **/*realms*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_get_init_creds_opt_free_pkinit (krb5_get_init_creds_opt */*opt*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-_krb5_get_int (
- void */*buffer*/,
- unsigned long */*value*/,
- size_t /*size*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-_krb5_get_int64 (
- void */*buffer*/,
- uint64_t */*value*/,
- size_t /*size*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_krbtgt (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_realm /*realm*/,
- krb5_creds **/*cred*/);
-
-KRB5_LIB_FUNCTION krb5_error_code
-_krb5_get_name_canon_rules (
- krb5_context /*context*/,
- krb5_name_canon_rule */*rules*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_have_debug (
- krb5_context /*context*/,
- int /*level*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_homedir_access (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_init_etype (
- krb5_context /*context*/,
- krb5_pdu /*pdu_type*/,
- unsigned */*len*/,
- krb5_enctype **/*val*/,
- const krb5_enctype */*etypes*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_internal_hmac (
- krb5_context /*context*/,
- struct _krb5_checksum_type */*cm*/,
- const void */*data*/,
- size_t /*len*/,
- unsigned /*usage*/,
- struct _krb5_key_data */*keyblock*/,
- Checksum */*result*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kcm_get_initial_ticket (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_principal /*server*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kcm_get_ticket (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_kdc_flags /*flags*/,
- krb5_enctype /*enctype*/,
- krb5_principal /*server*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_kcm_is_running (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kcm_noop (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kdc_retry (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/,
- void */*data*/,
- const krb5_data */*reply*/,
- int */*action*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_krbhost_info_move (
- krb5_context /*context*/,
- krb5_krbhst_info */*from*/,
- krb5_krbhst_info **/*to*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-_krb5_krbhst_get_realm (krb5_krbhst_handle /*handle*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kt_principal_not_found (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- krb5_keytab /*id*/,
- krb5_const_principal /*principal*/,
- krb5_enctype /*enctype*/,
- int /*kvno*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_kuserok (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- const char */*luser*/,
- krb5_boolean /*an2ln_ok*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_load_ccache_plugins (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_load_db_plugins (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_load_plugins (
- krb5_context /*context*/,
- const char */*name*/,
- const char **/*paths*/);
-
-krb5_error_code
-_krb5_make_fast_ap_fxarmor (
- krb5_context /*context*/,
- krb5_ccache /*armor_ccache*/,
- krb5_data */*armor_value*/,
- krb5_keyblock */*armor_key*/,
- krb5_crypto */*armor_crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_mk_req_internal (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_flags /*ap_req_options*/,
- krb5_data */*in_data*/,
- krb5_creds */*in_creds*/,
- krb5_data */*outbuf*/,
- krb5_key_usage /*checksum_usage*/,
- krb5_key_usage /*encrypt_usage*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_n_fold (
- const void */*str*/,
- size_t /*len*/,
- void */*key*/,
- size_t /*size*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pac_sign (
- krb5_context /*context*/,
- krb5_pac /*p*/,
- time_t /*authtime*/,
- krb5_principal /*principal*/,
- const krb5_keyblock */*server_key*/,
- const krb5_keyblock */*priv_key*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_parse_moduli (
- krb5_context /*context*/,
- const char */*file*/,
- struct krb5_dh_moduli ***/*moduli*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_parse_moduli_line (
- krb5_context /*context*/,
- const char */*file*/,
- int /*lineno*/,
- char */*p*/,
- struct krb5_dh_moduli **/*m*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_pk_cert_free (struct krb5_pk_cert */*cert*/);
-
-void
-_krb5_pk_eckey_free (void */*eckey*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_kdf (
- krb5_context /*context*/,
- const struct AlgorithmIdentifier */*ai*/,
- const void */*dhdata*/,
- size_t /*dhsize*/,
- krb5_const_principal /*client*/,
- krb5_const_principal /*server*/,
- krb5_enctype /*enctype*/,
- const krb5_data */*as_req*/,
- const krb5_data */*pk_as_rep*/,
- const Ticket */*ticket*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_kx_confirm (
- krb5_context /*context*/,
- krb5_pk_init_ctx /*ctx*/,
- krb5_keyblock */*reply_key*/,
- krb5_keyblock */*session_key*/,
- PA_DATA */*pa_pkinit_kx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_load_id (
- krb5_context /*context*/,
- struct krb5_pk_identity **/*ret_id*/,
- const char */*user_id*/,
- const char */*anchor_id*/,
- char * const */*chain_list*/,
- char * const */*revoke_list*/,
- krb5_prompter_fct /*prompter*/,
- void */*prompter_data*/,
- char */*password*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_mk_ContentInfo (
- krb5_context /*context*/,
- const krb5_data */*buf*/,
- const heim_oid */*oid*/,
- struct ContentInfo */*content_info*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_mk_padata (
- krb5_context /*context*/,
- void */*c*/,
- int /*ic_flags*/,
- int /*win2k*/,
- const KDC_REQ_BODY */*req_body*/,
- unsigned /*nonce*/,
- METHOD_DATA */*md*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_octetstring2key (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- const void */*dhdata*/,
- size_t /*dhsize*/,
- const heim_octet_string */*c_n*/,
- const heim_octet_string */*k_n*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_rd_pa_reply (
- krb5_context /*context*/,
- const char */*realm*/,
- void */*c*/,
- krb5_enctype /*etype*/,
- const krb5_krbhst_info */*hi*/,
- unsigned /*nonce*/,
- const krb5_data */*req_buffer*/,
- PA_DATA */*pa*/,
- krb5_keyblock **/*key*/);
-
-krb5_error_code
-_krb5_pk_rd_pa_reply_ecdh_compute_key (
- krb5_context /*context*/,
- krb5_pk_init_ctx /*ctx*/,
- const unsigned char */*in*/,
- size_t /*in_sz*/,
- unsigned char **/*out*/,
- int */*out_sz*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_plugin_find (
- krb5_context /*context*/,
- enum krb5_plugin_type /*type*/,
- const char */*name*/,
- struct krb5_plugin **/*list*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_plugin_free (struct krb5_plugin */*list*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_plugin_run_f (
- krb5_context /*context*/,
- const char */*module*/,
- const char */*name*/,
- int /*min_version*/,
- int /*flags*/,
- void */*userctx*/,
- krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_principal2principalname (
- PrincipalName */*p*/,
- const krb5_principal /*from*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_principal_compare_PrincipalName (
- krb5_context /*context*/,
- krb5_const_principal /*princ1*/,
- PrincipalName */*princ2*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_principalname2krb5_principal (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- const PrincipalName /*from*/,
- const Realm /*realm*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-_krb5_put_int (
- void */*buffer*/,
- uint64_t /*value*/,
- size_t /*size*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_s4u2self_to_checksumdata (
- krb5_context /*context*/,
- const PA_S4U2Self */*self*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_sendto_ctx_set_krb5hst (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/,
- krb5_krbhst_handle /*handle*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_sendto_ctx_set_prexmit (
- krb5_sendto_ctx /*ctx*/,
- krb5_sendto_prexmit /*prexmit*/,
- void */*data*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_set_default_cc_name_to_registry (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_unload_plugins (
- krb5_context /*context*/,
- const char */*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_usage2arcfour (
- krb5_context /*context*/,
- unsigned */*usage*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_xlock (
- krb5_context /*context*/,
- int /*fd*/,
- krb5_boolean /*exclusive*/,
- const char */*filename*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_xor8 (
- unsigned char */*a*/,
- const unsigned char */*b*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_xunlock (
- krb5_context /*context*/,
- int /*fd*/);
-
-#undef KRB5_DEPRECATED_FUNCTION
-#define KRB5_DEPRECATED_FUNCTION(X)
-
-#endif /* __krb5_private_h__ */
diff --git a/lib/krb5/krb5-protos.h b/lib/krb5/krb5-protos.h
deleted file mode 100644
index fb2e0eabe140..000000000000
--- a/lib/krb5/krb5-protos.h
+++ /dev/null
@@ -1,9301 +0,0 @@
-/* This is a generated file */
-#ifndef __krb5_protos_h__
-#define __krb5_protos_h__
-#ifndef DOXY
-
-#include <stdarg.h>
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-#ifndef KRB5_DEPRECATED_FUNCTION
-#ifndef __has_extension
-#define __has_extension(x) 0
-#define KRB5_DEPRECATED_FUNCTIONhas_extension 1
-#endif
-#if __has_extension(attribute_deprecated_with_message)
-#define KRB5_DEPRECATED_FUNCTION(x) __attribute__((__deprecated__(x)))
-#elif defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define KRB5_DEPRECATED_FUNCTION(X) __attribute__((__deprecated__))
-#else
-#define KRB5_DEPRECATED_FUNCTION(X)
-#endif
-#ifdef KRB5_DEPRECATED_FUNCTIONhas_extension
-#undef __has_extension
-#undef KRB5_DEPRECATED_FUNCTIONhas_extension
-#endif
-#endif /* KRB5_DEPRECATED_FUNCTION */
-
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifndef KRB5_LIB
-#ifndef KRB5_LIB_FUNCTION
-#if defined(_WIN32)
-#define KRB5_LIB_FUNCTION __declspec(dllimport)
-#define KRB5_LIB_CALL __stdcall
-#define KRB5_LIB_VARIABLE __declspec(dllimport)
-#else
-#define KRB5_LIB_FUNCTION
-#define KRB5_LIB_CALL
-#define KRB5_LIB_VARIABLE
-#endif
-#endif
-#endif
-/**
- * Convert the v5 credentials in in_cred to v4-dito in v4creds. This
- * is done by sending them to the 524 function in the KDC. If
- * `in_cred' doesn't contain a DES session key, then a new one is
- * gotten from the KDC and stored in the cred cache `ccache'.
- *
- * @param context Kerberos 5 context.
- * @param in_cred the credential to convert
- * @param v4creds the converted credential
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5_v4compat
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb524_convert_creds_kdc (
- krb5_context /*context*/,
- krb5_creds */*in_cred*/,
- struct credentials */*v4creds*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Convert the v5 credentials in in_cred to v4-dito in v4creds,
- * check the credential cache ccache before checking with the KDC.
- *
- * @param context Kerberos 5 context.
- * @param ccache credential cache used to check for des-ticket.
- * @param in_cred the credential to convert
- * @param v4creds the converted credential
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5_v4compat
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb524_convert_creds_kdc_ccache (
- krb5_context /*context*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_cred*/,
- struct credentials */*v4creds*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Log a warning to the log, default stderr, include the error from
- * the last failure and then abort.
- *
- * @param context A Kerberos 5 context
- * @param code error code of the last error
- * @param fmt message to print
- * @param ... arguments for format string
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_abort (
- krb5_context /*context*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 3, 4)));
-
-/**
- * Log a warning to the log, default stderr, and then abort.
- *
- * @param context A Kerberos 5 context
- * @param fmt printf format string of message to print
- * @param ... arguments for format string
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_abortx (
- krb5_context /*context*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 2, 3)));
-
-/**
- * krb5_acl_match_file matches ACL format against each line in a file
- * using krb5_acl_match_string(). Lines starting with # are treated
- * like comments and ignored.
- *
- * @param context Kerberos 5 context.
- * @param file file with acl listed in the file.
- * @param format format to match.
- * @param ... parameter to format string.
- *
- * @return Return an error code or 0.
- *
- * @sa krb5_acl_match_string
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_acl_match_file (
- krb5_context /*context*/,
- const char */*file*/,
- const char */*format*/,
- ...);
-
-/**
- * krb5_acl_match_string matches ACL format against a string.
- *
- * The ACL format has three format specifiers: s, f, and r. Each
- * specifier will retrieve one argument from the variable arguments
- * for either matching or storing data. The input string is split up
- * using " " (space) and "\t" (tab) as a delimiter; multiple and "\t"
- * in a row are considered to be the same.
- *
- * List of format specifiers:
- * - s Matches a string using strcmp(3) (case sensitive).
- * - f Matches the string with fnmatch(3). Theflags
- * argument (the last argument) passed to the fnmatch function is 0.
- * - r Returns a copy of the string in the char ** passed in; the copy
- * must be freed with free(3). There is no need to free(3) the
- * string on error: the function will clean up and set the pointer
- * to NULL.
- *
- * @param context Kerberos 5 context
- * @param string string to match with
- * @param format format to match
- * @param ... parameter to format string
- *
- * @return Return an error code or 0.
- *
- *
- * @code
- * char *s;
- *
- * ret = krb5_acl_match_string(context, "foo", "s", "foo");
- * if (ret)
- * krb5_errx(context, 1, "acl didn't match");
- * ret = krb5_acl_match_string(context, "foo foo baz/kaka",
- * "ss", "foo", &s, "foo/\\*");
- * if (ret) {
- * // no need to free(s) on error
- * assert(s == NULL);
- * krb5_errx(context, 1, "acl didn't match");
- * }
- * free(s);
- * @endcode
- *
- * @sa krb5_acl_match_file
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_acl_match_string (
- krb5_context /*context*/,
- const char */*string*/,
- const char */*format*/,
- ...);
-
-/**
- * Add a specified list of error messages to the et list in context.
- * Call func (probably a comerr-generated function) with a pointer to
- * the current et_list.
- *
- * @param context A kerberos context.
- * @param func The generated com_err et function.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_add_et_list (
- krb5_context /*context*/,
- void (*/*func*/)(struct et_list **));
-
-/**
- * Add extra address to the address list that the library will add to
- * the client's address list when communicating with the KDC.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to add
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_add_extra_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-/**
- * Add extra addresses to ignore when fetching addresses from the
- * underlaying operating system.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to ignore
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_add_ignore_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_addlog_dest (
- krb5_context /*context*/,
- krb5_log_facility */*f*/,
- const char */*orig*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_addlog_func (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- int /*min*/,
- int /*max*/,
- krb5_log_log_func_t /*log_func*/,
- krb5_log_close_func_t /*close_func*/,
- void */*data*/);
-
-/**
- * krb5_addr2sockaddr sets the "struct sockaddr sockaddr" from addr
- * and port. The argument sa_size should initially contain the size of
- * the sa and after the call, it will contain the actual length of the
- * address. In case of the sa is too small to fit the whole address,
- * the up to *sa_size will be stored, and then *sa_size will be set to
- * the required length.
- *
- * @param context a Keberos context
- * @param addr the address to copy the from
- * @param sa the struct sockaddr that will be filled in
- * @param sa_size pointer to length of sa, and after the call, it will
- * contain the actual length of the address.
- * @param port set port in sa.
- *
- * @return Return an error code or 0. Will return
- * KRB5_PROG_ATYPE_NOSUPP in case address type is not supported.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_addr2sockaddr (
- krb5_context /*context*/,
- const krb5_address */*addr*/,
- struct sockaddr */*sa*/,
- krb5_socklen_t */*sa_size*/,
- int /*port*/);
-
-/**
- * krb5_address_compare compares the addresses addr1 and addr2.
- * Returns TRUE if the two addresses are the same.
- *
- * @param context a Keberos context
- * @param addr1 address to compare
- * @param addr2 address to compare
- *
- * @return Return an TRUE is the address are the same FALSE if not
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_address_compare (
- krb5_context /*context*/,
- const krb5_address */*addr1*/,
- const krb5_address */*addr2*/);
-
-/**
- * krb5_address_order compares the addresses addr1 and addr2 so that
- * it can be used for sorting addresses. If the addresses are the same
- * address krb5_address_order will return 0. Behavies like memcmp(2).
- *
- * @param context a Keberos context
- * @param addr1 krb5_address to compare
- * @param addr2 krb5_address to compare
- *
- * @return < 0 if address addr1 in "less" then addr2. 0 if addr1 and
- * addr2 is the same address, > 0 if addr2 is "less" then addr1.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_address_order (
- krb5_context /*context*/,
- const krb5_address */*addr1*/,
- const krb5_address */*addr2*/);
-
-/**
- * Calculate the boundary addresses of `inaddr'/`prefixlen' and store
- * them in `low' and `high'.
- *
- * @param context a Keberos context
- * @param inaddr address in prefixlen that the bondery searched
- * @param prefixlen width of boundery
- * @param low lowest address
- * @param high highest address
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_address_prefixlen_boundary (
- krb5_context /*context*/,
- const krb5_address */*inaddr*/,
- unsigned long /*prefixlen*/,
- krb5_address */*low*/,
- krb5_address */*high*/);
-
-/**
- * krb5_address_search checks if the address addr is a member of the
- * address set list addrlist .
- *
- * @param context a Keberos context.
- * @param addr address to search for.
- * @param addrlist list of addresses to look in for addr.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_address_search (
- krb5_context /*context*/,
- const krb5_address */*addr*/,
- const krb5_addresses */*addrlist*/);
-
-/**
- * Enable or disable all weak encryption types
- *
- * @param context Kerberos 5 context
- * @param enable true to enable, false to disable
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_allow_weak_crypto (
- krb5_context /*context*/,
- krb5_boolean /*enable*/);
-
-/**
- * Map a principal name to a local username.
- *
- * Returns 0 on success, KRB5_NO_LOCALNAME if no mapping was found, or
- * some Kerberos or system error.
- *
- * Inputs:
- *
- * @param context A krb5_context
- * @param aname A principal name
- * @param lnsize The size of the buffer into which the username will be written
- * @param lname The buffer into which the username will be written
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_aname_to_localname (
- krb5_context /*context*/,
- krb5_const_principal /*aname*/,
- size_t /*lnsize*/,
- char */*lname*/);
-
-/**
- * krb5_anyaddr fills in a "struct sockaddr sa" that can be used to
- * bind(2) to. The argument sa_size should initially contain the size
- * of the sa, and after the call, it will contain the actual length
- * of the address.
- *
- * @param context a Keberos context
- * @param af address family
- * @param sa sockaddr
- * @param sa_size lenght of sa.
- * @param port for to fill into sa.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_anyaddr (
- krb5_context /*context*/,
- int /*af*/,
- struct sockaddr */*sa*/,
- krb5_socklen_t */*sa_size*/,
- int /*port*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_appdefault_boolean (
- krb5_context /*context*/,
- const char */*appname*/,
- krb5_const_realm /*realm*/,
- const char */*option*/,
- krb5_boolean /*def_val*/,
- krb5_boolean */*ret_val*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_appdefault_string (
- krb5_context /*context*/,
- const char */*appname*/,
- krb5_const_realm /*realm*/,
- const char */*option*/,
- const char */*def_val*/,
- char **/*ret_val*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_appdefault_time (
- krb5_context /*context*/,
- const char */*appname*/,
- krb5_const_realm /*realm*/,
- const char */*option*/,
- time_t /*def_val*/,
- time_t */*ret_val*/);
-
-/**
- * krb5_append_addresses adds the set of addresses in source to
- * dest. While copying the addresses, duplicates are also sorted out.
- *
- * @param context a Keberos context
- * @param dest destination of copy operation
- * @param source adresses that are going to be added to dest
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_append_addresses (
- krb5_context /*context*/,
- krb5_addresses */*dest*/,
- const krb5_addresses */*source*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_add_AuthorizationData (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int /*type*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_addflags (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*addflags*/,
- int32_t */*flags*/);
-
-/**
- * Deallocate an authentication context previously initialized with
- * krb5_auth_con_init().
- *
- * @param context A kerberos context.
- * @param auth_context The authentication context to be deallocated.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_free (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/);
-
-/**
- * Update the authentication context \a auth_context with the local
- * and remote addresses from socket \a fd, according to \a flags.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_genaddrs (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_socket_t /*fd*/,
- int /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_generatelocalsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getaddrs (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_address **/*local_addr*/,
- krb5_address **/*remote_addr*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getauthenticator (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_authenticator */*authenticator*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getcksumtype (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_cksumtype */*cksumtype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getflags (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t */*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getkeytype (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keytype */*keytype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getlocalseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t */*seqnumber*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getlocalsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getrcache (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_rcache */*rcache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getrecvsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getremoteseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t */*seqnumber*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getremotesubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getsendsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-/**
- * Allocate and initialize an autentication context.
- *
- * @param context A kerberos context.
- * @param auth_context The authentication context to be initialized.
- *
- * Use krb5_auth_con_free() to release the memory when done using the context.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_init (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_removeflags (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*removeflags*/,
- int32_t */*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setaddrs (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_address */*local_addr*/,
- krb5_address */*remote_addr*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setaddrs_from_fd (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- void */*p_fd*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setcksumtype (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_cksumtype /*cksumtype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setflags (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setkeytype (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keytype /*keytype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setlocalseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*seqnumber*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setlocalsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setrcache (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_rcache /*rcache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setrecvsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setremoteseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*seqnumber*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setremotesubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setsendsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setuserkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-/**
- * Deprecated: use krb5_auth_con_getremoteseqnumber()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_getremoteseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t */*seqnumber*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_ap_req (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_creds */*cred*/,
- krb5_flags /*ap_options*/,
- krb5_data /*authenticator*/,
- krb5_data */*retdata*/);
-
-/**
- * Build a principal using vararg style building
- *
- * @param context A Kerberos context.
- * @param principal returned principal
- * @param rlen length of realm
- * @param realm realm name
- * @param ... a list of components ended with NULL.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_principal (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- int /*rlen*/,
- krb5_const_realm /*realm*/,
- ...);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_principal_ext (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- int /*rlen*/,
- krb5_const_realm /*realm*/,
- ...);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_principal_va (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- int /*rlen*/,
- krb5_const_realm /*realm*/,
- va_list /*ap*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_principal_va_ext (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- int /*rlen*/,
- krb5_const_realm /*realm*/,
- va_list /*ap*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_block_size (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- size_t */*blocksize*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_checksum_length (
- krb5_context /*context*/,
- krb5_cksumtype /*cksumtype*/,
- size_t */*length*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_decrypt (
- krb5_context /*context*/,
- const krb5_keyblock /*key*/,
- krb5_keyusage /*usage*/,
- const krb5_data */*ivec*/,
- krb5_enc_data */*input*/,
- krb5_data */*output*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_encrypt (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_keyusage /*usage*/,
- const krb5_data */*ivec*/,
- const krb5_data */*input*/,
- krb5_enc_data */*output*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_encrypt_length (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- size_t /*inputlen*/,
- size_t */*length*/);
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_enctype_compare (
- krb5_context /*context*/,
- krb5_enctype /*e1*/,
- krb5_enctype /*e2*/,
- krb5_boolean */*similar*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_get_checksum (
- krb5_context /*context*/,
- const krb5_checksum */*cksum*/,
- krb5_cksumtype */*type*/,
- krb5_data **/*data*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_c_is_coll_proof_cksum (krb5_cksumtype /*ctype*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_c_is_keyed_cksum (krb5_cksumtype /*ctype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_keylengths (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- size_t */*ilen*/,
- size_t */*keylen*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_make_checksum (
- krb5_context /*context*/,
- krb5_cksumtype /*cksumtype*/,
- const krb5_keyblock */*key*/,
- krb5_keyusage /*usage*/,
- const krb5_data */*input*/,
- krb5_checksum */*cksum*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_make_random_key (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_keyblock */*random_key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_prf (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- const krb5_data */*input*/,
- krb5_data */*output*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_prf_length (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- size_t */*length*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_random_make_octets (
- krb5_context /*context*/,
- krb5_data * /*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_set_checksum (
- krb5_context /*context*/,
- krb5_checksum */*cksum*/,
- krb5_cksumtype /*type*/,
- const krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_c_valid_cksumtype (krb5_cksumtype /*ctype*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_c_valid_enctype (krb5_enctype /*etype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_verify_checksum (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_keyusage /*usage*/,
- const krb5_data */*data*/,
- const krb5_checksum */*cksum*/,
- krb5_boolean */*valid*/);
-
-/**
- * Destroy the cursor `cursor'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_cache_end_seq_get (
- krb5_context /*context*/,
- krb5_cc_cache_cursor /*cursor*/);
-
-/**
- * Start iterating over all caches of specified type. See also
- * krb5_cccol_cursor_new().
-
- * @param context A Kerberos 5 context
- * @param type optional type to iterate over, if NULL, the default cache is used.
- * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_cache_get_first (
- krb5_context /*context*/,
- const char */*type*/,
- krb5_cc_cache_cursor */*cursor*/);
-
-/**
- * Search for a matching credential cache that have the
- * `principal' as the default principal. On success, `id' needs to be
- * freed with krb5_cc_close() or krb5_cc_destroy().
- *
- * @param context A Kerberos 5 context
- * @param client The principal to search for
- * @param id the returned credential cache
- *
- * @return On failure, error code is returned and `id' is set to NULL.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_cache_match (
- krb5_context /*context*/,
- krb5_principal /*client*/,
- krb5_ccache */*id*/);
-
-/**
- * Retrieve the next cache pointed to by (`cursor') in `id'
- * and advance `cursor'.
- *
- * @param context A Kerberos 5 context
- * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
- * @param id next ccache
- *
- * @return Return 0 or an error code. Returns KRB5_CC_END when the end
- * of caches is reached, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_cache_next (
- krb5_context /*context*/,
- krb5_cc_cache_cursor /*cursor*/,
- krb5_ccache */*id*/);
-
-/**
- * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_cc_clear_mcred (krb5_creds */*mcred*/);
-
-/**
- * Stop using the ccache `id' and free the related resources.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_close (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Just like krb5_cc_copy_match_f(), but copy everything.
- *
- * @ingroup @krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_copy_cache (
- krb5_context /*context*/,
- const krb5_ccache /*from*/,
- krb5_ccache /*to*/);
-
-/**
- * MIT compat glue
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_copy_creds (
- krb5_context /*context*/,
- const krb5_ccache /*from*/,
- krb5_ccache /*to*/);
-
-/**
- * Copy the contents of `from' to `to' if the given match function
- * return true.
- *
- * @param context A Kerberos 5 context.
- * @param from the cache to copy data from.
- * @param to the cache to copy data to.
- * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
- * @param matchctx context passed to match function.
- * @param matched set to true if there was a credential that matched, may be NULL.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_copy_match_f (
- krb5_context /*context*/,
- const krb5_ccache /*from*/,
- krb5_ccache /*to*/,
- krb5_boolean (*/*match*/)(krb5_context, void *, const krb5_creds *),
- void */*matchctx*/,
- unsigned int */*matched*/);
-
-/**
- * Open the default ccache in `id'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_default (
- krb5_context /*context*/,
- krb5_ccache */*id*/);
-
-/**
- * Return a pointer to a context static string containing the default
- * ccache name.
- *
- * @return String to the default credential cache name.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_cc_default_name (krb5_context /*context*/);
-
-/**
- * Remove the ccache `id'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_destroy (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Destroy the cursor `cursor'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_end_seq_get (
- krb5_context /*context*/,
- const krb5_ccache /*id*/,
- krb5_cc_cursor */*cursor*/);
-
-/**
- * Generate a new ccache of type `ops' in `id'.
- *
- * Deprecated: use krb5_cc_new_unique() instead.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_gen_new (
- krb5_context /*context*/,
- const krb5_cc_ops */*ops*/,
- krb5_ccache */*id*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Get some configuration for the credential cache in the cache.
- *
- * @param context a Keberos context
- * @param id the credential cache to store the data for
- * @param principal configuration for a specific principal, if
- * NULL, global for the whole cache.
- * @param name name under which the configuraion is stored.
- * @param data data to fetched, free with krb5_data_free()
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_config (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_const_principal /*principal*/,
- const char */*name*/,
- krb5_data */*data*/);
-
-/**
- * Get the flags of `id', store them in `flags'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_flags (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_flags */*flags*/);
-
-/**
- * Return a friendly name on credential cache. Free the result with krb5_xfree().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_friendly_name (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- char **/*name*/);
-
-/**
- * Return the complete resolvable name the cache
-
- * @param context a Keberos context
- * @param id return pointer to a found credential cache
- * @param str the returned name of a credential cache, free with krb5_xfree()
- *
- * @return Returns 0 or an error (and then *str is set to NULL).
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_full_name (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- char **/*str*/);
-
-/**
- * Get the time offset betwen the client and the KDC
- *
- * If the backend doesn't support KDC offset, use the context global setting.
- *
- * @param context A Kerberos 5 context.
- * @param id a credential cache
- * @param offset the offset in seconds
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_kdc_offset (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_deltat */*offset*/);
-
-/**
- * Get the lifetime of the initial ticket in the cache
- *
- * Get the lifetime of the initial ticket in the cache, if the initial
- * ticket was not found, the error code KRB5_CC_END is returned.
- *
- * @param context A Kerberos 5 context.
- * @param id a credential cache
- * @param t the relative lifetime of the initial ticket
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_lifetime (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- time_t */*t*/);
-
-/**
- * Return the name of the ccache `id'
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_cc_get_name (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Return krb5_cc_ops of a the ccache `id'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
-krb5_cc_get_ops (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Get the cc ops that is registered in `context' to handle the
- * prefix. prefix can be a complete credential cache name or a
- * prefix, the function will only use part up to the first colon (:)
- * if there is one. If prefix the argument is NULL, the default ccache
- * implemtation is returned.
- *
- * @return Returns NULL if ops not found.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
-krb5_cc_get_prefix_ops (
- krb5_context /*context*/,
- const char */*prefix*/);
-
-/**
- * Return the principal of `id' in `principal'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_principal (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_principal */*principal*/);
-
-/**
- * Return the type of the ccache `id'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_cc_get_type (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Return the version of `id'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_version (
- krb5_context /*context*/,
- const krb5_ccache /*id*/);
-
-/**
- * Create a new ccache in `id' for `primary_principal'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_initialize (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_principal /*primary_principal*/);
-
-/**
- * Return the last time the credential cache was modified.
- *
- * @param context A Kerberos 5 context
- * @param id The credential cache to probe
- * @param mtime the last modification time, set to 0 on error.
-
- * @return Return 0 or and error. See krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_last_change_time (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_timestamp */*mtime*/);
-
-/**
- * Move the content from one credential cache to another. The
- * operation is an atomic switch.
- *
- * @param context a Keberos context
- * @param from the credential cache to move the content from
- * @param to the credential cache to move the content to
-
- * @return On sucess, from is freed. On failure, error code is
- * returned and from and to are both still allocated, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_move (
- krb5_context /*context*/,
- krb5_ccache /*from*/,
- krb5_ccache /*to*/);
-
-/**
- * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
- * the library chooses the default credential cache type. The supplied
- * `hint' (that can be NULL) is a string that the credential cache
- * type can use to base the name of the credential on, this is to make
- * it easier for the user to differentiate the credentials.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_new_unique (
- krb5_context /*context*/,
- const char */*type*/,
- const char */*hint*/,
- krb5_ccache */*id*/);
-
-/**
- * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
- * and advance `cursor'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_next_cred (
- krb5_context /*context*/,
- const krb5_ccache /*id*/,
- krb5_cc_cursor */*cursor*/,
- krb5_creds */*creds*/);
-
-/**
- * Add a new ccache type with operations `ops', overwriting any
- * existing one if `override'.
- *
- * @param context a Keberos context
- * @param ops type of plugin symbol
- * @param override flag to select if the registration is to overide
- * an existing ops with the same name.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_register (
- krb5_context /*context*/,
- const krb5_cc_ops */*ops*/,
- krb5_boolean /*override*/);
-
-/**
- * Remove the credential identified by `cred', `which' from `id'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_remove_cred (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_flags /*which*/,
- krb5_creds */*cred*/);
-
-/**
- * Find and allocate a ccache in `id' from the specification in `residual'.
- * If the ccache name doesn't contain any colon, interpret it as a file name.
- *
- * @param context a Keberos context.
- * @param name string name of a credential cache.
- * @param id return pointer to a found credential cache.
- *
- * @return Return 0 or an error code. In case of an error, id is set
- * to NULL, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_resolve (
- krb5_context /*context*/,
- const char */*name*/,
- krb5_ccache */*id*/);
-
-/**
- * Retrieve the credential identified by `mcreds' (and `whichfields')
- * from `id' in `creds'. 'creds' must be free by the caller using
- * krb5_free_cred_contents.
- *
- * @param context A Kerberos 5 context
- * @param id a Kerberos 5 credential cache
- * @param whichfields what fields to use for matching credentials, same
- * flags as whichfields in krb5_compare_creds()
- * @param mcreds template credential to use for comparing
- * @param creds returned credential, free with krb5_free_cred_contents()
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_retrieve_cred (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_flags /*whichfields*/,
- const krb5_creds */*mcreds*/,
- krb5_creds */*creds*/);
-
-/**
- * Store some configuration for the credential cache in the cache.
- * Existing configuration under the same name is over-written.
- *
- * @param context a Keberos context
- * @param id the credential cache to store the data for
- * @param principal configuration for a specific principal, if
- * NULL, global for the whole cache.
- * @param name name under which the configuraion is stored.
- * @param data data to store, if NULL, configure is removed.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_config (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_const_principal /*principal*/,
- const char */*name*/,
- krb5_data */*data*/);
-
-/**
- * Set the default cc name for `context' to `name'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_default_name (
- krb5_context /*context*/,
- const char */*name*/);
-
-/**
- * Set the flags of `id' to `flags'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_flags (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_flags /*flags*/);
-
-/**
- * Set the friendly name on credential cache.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_friendly_name (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- const char */*name*/);
-
-/**
- * Set the time offset betwen the client and the KDC
- *
- * If the backend doesn't support KDC offset, use the context global setting.
- *
- * @param context A Kerberos 5 context.
- * @param id a credential cache
- * @param offset the offset in seconds
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_kdc_offset (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_deltat /*offset*/);
-
-/**
- * Start iterating over `id', `cursor' is initialized to the
- * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_start_seq_get (
- krb5_context /*context*/,
- const krb5_ccache /*id*/,
- krb5_cc_cursor */*cursor*/);
-
-/**
- * Store `creds' in the ccache `id'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_store_cred (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_creds */*creds*/);
-
-/**
- * Return true if the default credential cache support switch
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_cc_support_switch (
- krb5_context /*context*/,
- const char */*type*/);
-
-/**
- * Switch the default default credential cache for a specific
- * credcache type (and name for some implementations).
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_switch (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * End an iteration and free all resources, can be done before end is reached.
- *
- * @param context A Kerberos 5 context
- * @param cursor the iteration cursor to be freed.
- *
- * @return Return 0 or and error, KRB5_CC_END is returned at the end
- * of iteration. See krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cccol_cursor_free (
- krb5_context /*context*/,
- krb5_cccol_cursor */*cursor*/);
-
-/**
- * Get a new cache interation cursor that will interate over all
- * credentials caches independent of type.
- *
- * @param context a Keberos context
- * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
- *
- * @return Returns 0 or and error code, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cccol_cursor_new (
- krb5_context /*context*/,
- krb5_cccol_cursor */*cursor*/);
-
-/**
- * Get next credential cache from the iteration.
- *
- * @param context A Kerberos 5 context
- * @param cursor the iteration cursor
- * @param cache the returned cursor, pointer is set to NULL on failure
- * and a cache on success. The returned cache needs to be freed
- * with krb5_cc_close() or destroyed with krb5_cc_destroy().
- * MIT Kerberos behavies slightly diffrent and sets cache to NULL
- * when all caches are iterated over and return 0.
- *
- * @return Return 0 or and error, KRB5_CC_END is returned at the end
- * of iteration. See krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cccol_cursor_next (
- krb5_context /*context*/,
- krb5_cccol_cursor /*cursor*/,
- krb5_ccache */*cache*/);
-
-/**
- * Return the last modfication time for a cache collection. The query
- * can be limited to a specific cache type. If the function return 0
- * and mtime is 0, there was no credentials in the caches.
- *
- * @param context A Kerberos 5 context
- * @param type The credential cache to probe, if NULL, all type are traversed.
- * @param mtime the last modification time, set to 0 on error.
-
- * @return Return 0 or and error. See krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cccol_last_change_time (
- krb5_context /*context*/,
- const char */*type*/,
- krb5_timestamp */*mtime*/);
-
-/**
- * Deprecated: krb5_change_password() is deprecated, use krb5_set_password().
- *
- * @param context a Keberos context
- * @param creds
- * @param newpw
- * @param result_code
- * @param result_code_string
- * @param result_string
- *
- * @return On sucess password is changed.
-
- * @ingroup @krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_change_password (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- const char */*newpw*/,
- int */*result_code*/,
- krb5_data */*result_code_string*/,
- krb5_data */*result_string*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_check_transited (
- krb5_context /*context*/,
- krb5_const_realm /*client_realm*/,
- krb5_const_realm /*server_realm*/,
- krb5_realm */*realms*/,
- unsigned int /*num_realms*/,
- int */*bad_realm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_check_transited_realms (
- krb5_context /*context*/,
- const char *const */*realms*/,
- unsigned int /*num_realms*/,
- int */*bad_realm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_checksum_disable (
- krb5_context /*context*/,
- krb5_cksumtype /*type*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_checksum_free (
- krb5_context /*context*/,
- krb5_checksum */*cksum*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_checksum_is_collision_proof (
- krb5_context /*context*/,
- krb5_cksumtype /*type*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_checksum_is_keyed (
- krb5_context /*context*/,
- krb5_cksumtype /*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_checksumsize (
- krb5_context /*context*/,
- krb5_cksumtype /*type*/,
- size_t */*size*/);
-
-/**
- * Return the coresponding encryption type for a checksum type.
- *
- * @param context Kerberos context
- * @param ctype The checksum type to get the result enctype for
- * @param etype The returned encryption, when the matching etype is
- * not found, etype is set to ETYPE_NULL.
- *
- * @return Return an error code for an failure or 0 on success.
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cksumtype_to_enctype (
- krb5_context /*context*/,
- krb5_cksumtype /*ctype*/,
- krb5_enctype */*etype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cksumtype_valid (
- krb5_context /*context*/,
- krb5_cksumtype /*ctype*/);
-
-/**
- * Clears the error message from the Kerberos 5 context.
- *
- * @param context The Kerberos 5 context to clear
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_clear_error_message (krb5_context /*context*/);
-
-/**
- * Clear the error message returned by krb5_get_error_string().
- *
- * Deprecated: use krb5_clear_error_message()
- *
- * @param context Kerberos context
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_clear_error_string (krb5_context /*context*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_closelog (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/);
-
-/**
- * Return TRUE if `mcreds' and `creds' are equal (`whichfields'
- * determines what equal means).
- *
- *
- * The following flags, set in whichfields affects the comparison:
- * - KRB5_TC_MATCH_SRV_NAMEONLY Consider all realms equal when comparing the service principal.
- * - KRB5_TC_MATCH_KEYTYPE Compare enctypes.
- * - KRB5_TC_MATCH_FLAGS_EXACT Make sure that the ticket flags are identical.
- * - KRB5_TC_MATCH_FLAGS Make sure that all ticket flags set in mcreds are also present in creds .
- * - KRB5_TC_MATCH_TIMES_EXACT Compares the ticket times exactly.
- * - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
- * - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
- * - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
- * - KRB5_TC_MATCH_IS_SKEY Compares the existance of the second ticket.
- *
- * @param context Kerberos 5 context.
- * @param whichfields which fields to compare.
- * @param mcreds cred to compare with.
- * @param creds cred to compare with.
- *
- * @return return TRUE if mcred and creds are equal, FALSE if not.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_compare_creds (
- krb5_context /*context*/,
- krb5_flags /*whichfields*/,
- const krb5_creds * /*mcreds*/,
- const krb5_creds * /*creds*/);
-
-/**
- * Free configuration file section, the result of
- * krb5_config_parse_file() and krb5_config_parse_file_multi().
- *
- * @param context A Kerberos 5 context
- * @param s the configuration section to free
- *
- * @return returns 0 on successes, otherwise an error code, see
- * krb5_get_error_message()
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_file_free (
- krb5_context /*context*/,
- krb5_config_section */*s*/);
-
-/**
- * Free the resulting strings from krb5_config-get_strings() and
- * krb5_config_vget_strings().
- *
- * @param strings strings to free
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_config_free_strings (char **/*strings*/);
-
-/**
- * Like krb5_config_get_bool() but with a va_list list of
- * configuration selection.
- *
- * Configuration value to a boolean value, where yes/true and any
- * non-zero number means TRUE and other value is FALSE.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_get_bool (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * krb5_config_get_bool_default() will convert the configuration
- * option value to a boolean value, where yes/true and any non-zero
- * number means TRUE and other value is FALSE.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param ... a list of names, terminated with NULL.
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_get_bool_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- krb5_boolean /*def_value*/,
- ...);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_int (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_int_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*def_value*/,
- ...);
-
-/**
- * Get a list of configuration binding list for more processing
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return NULL if configuration list is not found, a list otherwise
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
-krb5_config_get_list (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * Returns a "const char *" to a string in the configuration database.
- * The string may not be valid after a reload of the configuration
- * database so a caller should make a local copy if it needs to keep
- * the string.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return NULL if configuration string not found, a string otherwise
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_get_string (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * Like krb5_config_get_string(), but instead of returning NULL,
- * instead return a default value.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param ... a list of names, terminated with NULL.
- *
- * @return a configuration string
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_get_string_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const char */*def_value*/,
- ...);
-
-/**
- * Get a list of configuration strings, free the result with
- * krb5_config_free_strings().
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION char** KRB5_LIB_CALL
-krb5_config_get_strings (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * Get the time from the configuration file using a relative time, for example: 1h30s
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return parsed the time or -1 on error
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_time (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * Get the time from the configuration file using a relative time, for example: 1h30s
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param ... a list of names, terminated with NULL.
- *
- * @return parsed the time (or def_value on parse error)
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_time_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*def_value*/,
- ...);
-
-/**
- * If the fname starts with "~/" parse configuration file in the
- * current users home directory. The behavior can be disabled and
- * enabled by calling krb5_set_home_dir_access().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_file (
- krb5_context /*context*/,
- const char */*fname*/,
- krb5_config_section **/*res*/);
-
-/**
- * Parse a configuration file and add the result into res. This
- * interface can be used to parse several configuration files into one
- * resulting krb5_config_section by calling it repeatably.
- *
- * @param context a Kerberos 5 context.
- * @param fname a file name to a Kerberos configuration file
- * @param res the returned result, must be free with krb5_free_config_files().
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_file_multi (
- krb5_context /*context*/,
- const char */*fname*/,
- krb5_config_section **/*res*/);
-
-/**
- * Deprecated: configuration files are not strings
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_string_multi (
- krb5_context /*context*/,
- const char */*string*/,
- krb5_config_section **/*res*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * krb5_config_get_bool() will convert the configuration
- * option value to a boolean value, where yes/true and any non-zero
- * number means TRUE and other value is FALSE.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_vget_bool (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Like krb5_config_get_bool_default() but with a va_list list of
- * configuration selection.
- *
- * Configuration value to a boolean value, where yes/true and any
- * non-zero number means TRUE and other value is FALSE.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param args a va_list of arguments
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_vget_bool_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- krb5_boolean /*def_value*/,
- va_list /*args*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_int (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_int_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*def_value*/,
- va_list /*args*/);
-
-/**
- * Get a list of configuration binding list for more processing
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return NULL if configuration list is not found, a list otherwise
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
-krb5_config_vget_list (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Like krb5_config_get_string(), but uses a va_list instead of ...
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return NULL if configuration string not found, a string otherwise
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_vget_string (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Like krb5_config_vget_string(), but instead of returning NULL,
- * instead return a default value.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param args a va_list of arguments
- *
- * @return a configuration string
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_vget_string_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const char */*def_value*/,
- va_list /*args*/);
-
-/**
- * Get a list of configuration strings, free the result with
- * krb5_config_free_strings().
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION char ** KRB5_LIB_CALL
-krb5_config_vget_strings (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Get the time from the configuration file using a relative time, for example: 1h30s
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return parsed the time or -1 on error
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_time (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Get the time from the configuration file using a relative time.
- *
- * Like krb5_config_get_time_default() but with a va_list list of
- * configuration selection.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param args a va_list of arguments
- *
- * @return parsed the time (or def_value on parse error)
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_time_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*def_value*/,
- va_list /*args*/);
-
-/**
- * krb5_copy_address copies the content of address
- * inaddr to outaddr.
- *
- * @param context a Keberos context
- * @param inaddr pointer to source address
- * @param outaddr pointer to destination address
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_address (
- krb5_context /*context*/,
- const krb5_address */*inaddr*/,
- krb5_address */*outaddr*/);
-
-/**
- * krb5_copy_addresses copies the content of addresses
- * inaddr to outaddr.
- *
- * @param context a Keberos context
- * @param inaddr pointer to source addresses
- * @param outaddr pointer to destination addresses
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_addresses (
- krb5_context /*context*/,
- const krb5_addresses */*inaddr*/,
- krb5_addresses */*outaddr*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_checksum (
- krb5_context /*context*/,
- const krb5_checksum */*old*/,
- krb5_checksum **/*new*/);
-
-/**
- * Make a copy for the Kerberos 5 context, the new krb5_context shoud
- * be freed with krb5_free_context().
- *
- * @param context the Kerberos context to copy
- * @param out the copy of the Kerberos, set to NULL error.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_context (
- krb5_context /*context*/,
- krb5_context */*out*/);
-
-/**
- * Copy krb5_creds.
- *
- * @param context Kerberos 5 context.
- * @param incred source credential
- * @param outcred destination credential, free with krb5_free_creds().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_creds (
- krb5_context /*context*/,
- const krb5_creds */*incred*/,
- krb5_creds **/*outcred*/);
-
-/**
- * Copy content of krb5_creds.
- *
- * @param context Kerberos 5 context.
- * @param incred source credential
- * @param c destination credential, free with krb5_free_cred_contents().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_creds_contents (
- krb5_context /*context*/,
- const krb5_creds */*incred*/,
- krb5_creds */*c*/);
-
-/**
- * Copy the data into a newly allocated krb5_data.
- *
- * @param context Kerberos 5 context.
- * @param indata the krb5_data data to copy
- * @param outdata new krb5_date to copy too. Free with krb5_free_data().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_data (
- krb5_context /*context*/,
- const krb5_data */*indata*/,
- krb5_data **/*outdata*/);
-
-/**
- * Copy the list of realms from `from' to `to'.
- *
- * @param context Kerberos 5 context.
- * @param from list of realms to copy from.
- * @param to list of realms to copy to, free list of krb5_free_host_realm().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_host_realm (
- krb5_context /*context*/,
- const krb5_realm */*from*/,
- krb5_realm **/*to*/);
-
-/**
- * Copy a keyblock, free the output keyblock with
- * krb5_free_keyblock().
- *
- * @param context a Kerberos 5 context
- * @param inblock the key to copy
- * @param to the output key.
- *
- * @return 0 on success or a Kerberos 5 error code
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_keyblock (
- krb5_context /*context*/,
- const krb5_keyblock */*inblock*/,
- krb5_keyblock **/*to*/);
-
-/**
- * Copy a keyblock, free the output keyblock with
- * krb5_free_keyblock_contents().
- *
- * @param context a Kerberos 5 context
- * @param inblock the key to copy
- * @param to the output key.
- *
- * @return 0 on success or a Kerberos 5 error code
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_keyblock_contents (
- krb5_context /*context*/,
- const krb5_keyblock */*inblock*/,
- krb5_keyblock */*to*/);
-
-/**
- * Copy a principal
- *
- * @param context A Kerberos context.
- * @param inprinc principal to copy
- * @param outprinc copied principal, free with krb5_free_principal()
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_principal (
- krb5_context /*context*/,
- krb5_const_principal /*inprinc*/,
- krb5_principal */*outprinc*/);
-
-/**
- * Copy ticket and content
- *
- * @param context a Kerberos 5 context
- * @param from ticket to copy
- * @param to new copy of ticket, free with krb5_free_ticket()
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_ticket (
- krb5_context /*context*/,
- const krb5_ticket */*from*/,
- krb5_ticket **/*to*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_create_checksum (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_key_usage /*usage*/,
- int /*type*/,
- void */*data*/,
- size_t /*len*/,
- Checksum */*result*/);
-
-/**
- * Create a Kerberos message checksum.
- *
- * @param context Kerberos context
- * @param crypto Kerberos crypto context
- * @param usage Key usage for this buffer
- * @param data array of buffers to process
- * @param num_data length of array
- * @param type output data
- *
- * @return Return an error code or 0.
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_create_checksum_iov (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- krb5_crypto_iov */*data*/,
- unsigned int /*num_data*/,
- krb5_cksumtype */*type*/);
-
-/**
- * Returns the ticket flags for the credentials in creds.
- * See also krb5_ticket_get_flags().
- *
- * @param creds credential to get ticket flags from
- *
- * @return ticket flags
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
-krb5_creds_get_ticket_flags (krb5_creds */*creds*/);
-
-/**
- * Free a crypto context created by krb5_crypto_init().
- *
- * @param context Kerberos context
- * @param crypto crypto context to free
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_destroy (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/);
-
-/**
- * The FX-CF2 key derivation function, used in FAST and preauth framework.
- *
- * @param context Kerberos 5 context
- * @param crypto1 first key to combine
- * @param crypto2 second key to combine
- * @param pepper1 factor to combine with first key to garante uniqueness
- * @param pepper2 factor to combine with second key to garante uniqueness
- * @param enctype the encryption type of the resulting key
- * @param res allocated key, free with krb5_free_keyblock_contents()
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_fx_cf2 (
- krb5_context /*context*/,
- const krb5_crypto /*crypto1*/,
- const krb5_crypto /*crypto2*/,
- krb5_data */*pepper1*/,
- krb5_data */*pepper2*/,
- krb5_enctype /*enctype*/,
- krb5_keyblock */*res*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_get_checksum_type (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_cksumtype */*type*/);
-
-/**
- * Return the blocksize used algorithm referenced by the crypto context
- *
- * @param context Kerberos context
- * @param crypto crypto context to query
- * @param blocksize the resulting blocksize
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_getblocksize (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- size_t */*blocksize*/);
-
-/**
- * Return the confounder size used by the crypto context
- *
- * @param context Kerberos context
- * @param crypto crypto context to query
- * @param confoundersize the returned confounder size
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_getconfoundersize (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- size_t */*confoundersize*/);
-
-/**
- * Return the encryption type used by the crypto context
- *
- * @param context Kerberos context
- * @param crypto crypto context to query
- * @param enctype the resulting encryption type
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_getenctype (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_enctype */*enctype*/);
-
-/**
- * Return the padding size used by the crypto context
- *
- * @param context Kerberos context
- * @param crypto crypto context to query
- * @param padsize the return padding size
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_getpadsize (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- size_t */*padsize*/);
-
-/**
- * Create a crypto context used for all encryption and signature
- * operation. The encryption type to use is taken from the key, but
- * can be overridden with the enctype parameter. This can be useful
- * for encryptions types which is compatiable (DES for example).
- *
- * To free the crypto context, use krb5_crypto_destroy().
- *
- * @param context Kerberos context
- * @param key the key block information with all key data
- * @param etype the encryption type
- * @param crypto the resulting crypto context
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_init (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_enctype /*etype*/,
- krb5_crypto */*crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_length (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- int /*type*/,
- size_t */*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_length_iov (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_crypto_iov */*data*/,
- unsigned int /*num_data*/);
-
-KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
-krb5_crypto_overhead (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_prf (
- krb5_context /*context*/,
- const krb5_crypto /*crypto*/,
- const krb5_data */*input*/,
- krb5_data */*output*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_prf_length (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- size_t */*length*/);
-
-/**
- * Allocate data of and krb5_data.
- *
- * @param p krb5_data to allocate.
- * @param len size to allocate.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_data_alloc (
- krb5_data */*p*/,
- int /*len*/);
-
-/**
- * Compare to data.
- *
- * @param data1 krb5_data to compare
- * @param data2 krb5_data to compare
- *
- * @return return the same way as memcmp(), useful when sorting.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_data_cmp (
- const krb5_data */*data1*/,
- const krb5_data */*data2*/);
-
-/**
- * Copy the data of len into the krb5_data.
- *
- * @param p krb5_data to copy into.
- * @param data data to copy..
- * @param len new size.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_data_copy (
- krb5_data */*p*/,
- const void */*data*/,
- size_t /*len*/);
-
-/**
- * Compare to data not exposing timing information from the checksum data
- *
- * @param data1 krb5_data to compare
- * @param data2 krb5_data to compare
- *
- * @return returns zero for same data, otherwise non zero.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_data_ct_cmp (
- const krb5_data */*data1*/,
- const krb5_data */*data2*/);
-
-/**
- * Free the content of krb5_data structure, its ok to free a zeroed
- * structure (with memset() or krb5_data_zero()). When done, the
- * structure will be zeroed. The same function is called
- * krb5_free_data_contents() in MIT Kerberos.
- *
- * @param p krb5_data to free.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_data_free (krb5_data */*p*/);
-
-/**
- * Grow (or shrink) the content of krb5_data to a new size.
- *
- * @param p krb5_data to free.
- * @param len new size.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_data_realloc (
- krb5_data */*p*/,
- int /*len*/);
-
-/**
- * Reset the (potentially uninitalized) krb5_data structure.
- *
- * @param p krb5_data to reset.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_data_zero (krb5_data */*p*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_Authenticator (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- Authenticator */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_ETYPE_INFO (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- ETYPE_INFO */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_ETYPE_INFO2 (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- ETYPE_INFO2 */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncAPRepPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncAPRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncASRepPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncASRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncKrbCredPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncKrbCredPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncTGSRepPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncTGSRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncTicketPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncTicketPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_ap_req (
- krb5_context /*context*/,
- const krb5_data */*inbuf*/,
- krb5_ap_req */*ap_req*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- void */*data*/,
- size_t /*len*/,
- krb5_data */*result*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt_EncryptedData (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- const EncryptedData */*e*/,
- krb5_data */*result*/);
-
-/**
- * Inline decrypt a Kerberos message.
- *
- * @param context Kerberos context
- * @param crypto Kerberos crypto context
- * @param usage Key usage for this buffer
- * @param data array of buffers to process
- * @param num_data length of array
- * @param ivec initial cbc/cts vector
- *
- * @return Return an error code or 0.
- * @ingroup krb5_crypto
- *
- * 1. KRB5_CRYPTO_TYPE_HEADER
- * 2. one KRB5_CRYPTO_TYPE_DATA and array [0,...] of KRB5_CRYPTO_TYPE_SIGN_ONLY in
- * any order, however the receiver have to aware of the
- * order. KRB5_CRYPTO_TYPE_SIGN_ONLY is commonly used unencrypoted
- * protocol headers and trailers. The output data will be of same
- * size as the input data or shorter.
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt_iov_ivec (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- krb5_crypto_iov */*data*/,
- unsigned int /*num_data*/,
- void */*ivec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt_ivec (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- void */*data*/,
- size_t /*len*/,
- krb5_data */*result*/,
- void */*ivec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt_ticket (
- krb5_context /*context*/,
- Ticket */*ticket*/,
- krb5_keyblock */*key*/,
- EncTicketPart */*out*/,
- krb5_flags /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_derive_key (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_enctype /*etype*/,
- const void */*constant*/,
- size_t /*constant_len*/,
- krb5_keyblock **/*derived_key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_alloc (
- krb5_context /*context*/,
- krb5_digest */*digest*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_digest_free (krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_get_client_binding (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- char **/*type*/,
- char **/*binding*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_digest_get_identifier (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_digest_get_opaque (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_digest_get_rsp (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_digest_get_server_nonce (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_get_session_key (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_get_tickets (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- Ticket **/*tickets*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_init_request (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/);
-
-/**
- * Get the supported/allowed mechanism for this principal.
- *
- * @param context A Keberos context.
- * @param realm The realm of the KDC.
- * @param ccache The credential cache to use when talking to the KDC.
- * @param flags The supported mechanism.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_digest
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_probe (
- krb5_context /*context*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/,
- unsigned */*flags*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_digest_rep_get_status (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_request (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_authentication_user (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- krb5_principal /*authentication_user*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_authid (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*authid*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_client_nonce (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*nonce*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_digest (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*dgst*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_hostname (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*hostname*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_identifier (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_method (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*method*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_nonceCount (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*nonce_count*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_opaque (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*opaque*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_qop (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*qop*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_realm (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*realm*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_digest_set_responseData (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*response*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_server_cb (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*type*/,
- const char */*binding*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_server_nonce (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*nonce*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_type (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_uri (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*uri*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_username (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*username*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_domain_x500_decode (
- krb5_context /*context*/,
- krb5_data /*tr*/,
- char ***/*realms*/,
- unsigned int */*num_realms*/,
- const char */*client_realm*/,
- const char */*server_realm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_domain_x500_encode (
- char **/*realms*/,
- unsigned int /*num_realms*/,
- krb5_data */*encoding*/);
-
-/**
- * Convert the getaddrinfo() error code to a Kerberos et error code.
- *
- * @param eai_errno contains the error code from getaddrinfo().
- * @param system_error should have the value of errno after the failed getaddrinfo().
- *
- * @return Kerberos error code representing the EAI errors.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_eai_to_heim_errno (
- int /*eai_errno*/,
- int /*system_error*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_Authenticator (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- Authenticator */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_ETYPE_INFO (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- ETYPE_INFO */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_ETYPE_INFO2 (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- ETYPE_INFO2 */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncAPRepPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncAPRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncASRepPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncASRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncKrbCredPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncKrbCredPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncTGSRepPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncTGSRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncTicketPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncTicketPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encrypt (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- const void */*data*/,
- size_t /*len*/,
- krb5_data */*result*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encrypt_EncryptedData (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- void */*data*/,
- size_t /*len*/,
- int /*kvno*/,
- EncryptedData */*result*/);
-
-/**
- * Inline encrypt a kerberos message
- *
- * @param context Kerberos context
- * @param crypto Kerberos crypto context
- * @param usage Key usage for this buffer
- * @param data array of buffers to process
- * @param num_data length of array
- * @param ivec initial cbc/cts vector
- *
- * @return Return an error code or 0.
- * @ingroup krb5_crypto
- *
- * Kerberos encrypted data look like this:
- *
- * 1. KRB5_CRYPTO_TYPE_HEADER
- * 2. array [1,...] KRB5_CRYPTO_TYPE_DATA and array [0,...]
- * KRB5_CRYPTO_TYPE_SIGN_ONLY in any order, however the receiver
- * have to aware of the order. KRB5_CRYPTO_TYPE_SIGN_ONLY is
- * commonly used headers and trailers.
- * 3. KRB5_CRYPTO_TYPE_PADDING, at least on padsize long if padsize > 1
- * 4. KRB5_CRYPTO_TYPE_TRAILER
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encrypt_iov_ivec (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- krb5_crypto_iov */*data*/,
- int /*num_data*/,
- void */*ivec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encrypt_ivec (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- const void */*data*/,
- size_t /*len*/,
- krb5_data */*result*/,
- void */*ivec*/);
-
-/**
- * Disable encryption type
- *
- * @param context Kerberos 5 context
- * @param enctype encryption type to disable
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_disable (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/);
-
-/**
- * Enable encryption type
- *
- * @param context Kerberos 5 context
- * @param enctype encryption type to enable
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_enable (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_keybits (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- size_t */*keybits*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_keysize (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- size_t */*keysize*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_to_keytype (
- krb5_context /*context*/,
- krb5_enctype /*etype*/,
- krb5_keytype */*keytype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_to_string (
- krb5_context /*context*/,
- krb5_enctype /*etype*/,
- char **/*string*/);
-
-/**
- * Check if a enctype is valid, return 0 if it is.
- *
- * @param context Kerberos context
- * @param etype enctype to check if its valid or not
- *
- * @return Return an error code for an failure or 0 on success (enctype valid).
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_valid (
- krb5_context /*context*/,
- krb5_enctype /*etype*/);
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_enctypes_compatible_keys (
- krb5_context /*context*/,
- krb5_enctype /*etype1*/,
- krb5_enctype /*etype2*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-krb5_error_code
-krb5_enomem (krb5_context /*context*/);
-
-/**
- * Log a warning to the log, default stderr, include bthe error from
- * the last failure and then exit.
- *
- * @param context A Kerberos 5 context
- * @param eval the exit code to exit with
- * @param code error code of the last error
- * @param fmt message to print
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_err (
- krb5_context /*context*/,
- int /*eval*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 4, 5)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_error_from_rd_error (
- krb5_context /*context*/,
- const krb5_error */*error*/,
- const krb5_creds */*creds*/);
-
-/**
- * Log a warning to the log, default stderr, and then exit.
- *
- * @param context A Kerberos 5 context
- * @param eval the exit code to exit with
- * @param fmt message to print
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_errx (
- krb5_context /*context*/,
- int /*eval*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 3, 4)));
-
-/**
- * krb5_expand_hostname() tries to make orig_hostname into a more
- * canonical one in the newly allocated space returned in
- * new_hostname.
-
- * @param context a Keberos context
- * @param orig_hostname hostname to canonicalise.
- * @param new_hostname output hostname, caller must free hostname with
- * krb5_xfree().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_expand_hostname (
- krb5_context /*context*/,
- const char */*orig_hostname*/,
- char **/*new_hostname*/);
-
-/**
- * krb5_expand_hostname_realms() expands orig_hostname to a name we
- * believe to be a hostname in newly allocated space in new_hostname
- * and return the realms new_hostname is believed to belong to in
- * realms.
- *
- * @param context a Keberos context
- * @param orig_hostname hostname to canonicalise.
- * @param new_hostname output hostname, caller must free hostname with
- * krb5_xfree().
- * @param realms output possible realms, is an array that is terminated
- * with NULL. Caller must free with krb5_free_host_realm().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_expand_hostname_realms (
- krb5_context /*context*/,
- const char */*orig_hostname*/,
- char **/*new_hostname*/,
- char ***/*realms*/);
-
-KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL
-krb5_find_padata (
- PA_DATA */*val*/,
- unsigned /*len*/,
- int /*type*/,
- int */*idx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_format_time (
- krb5_context /*context*/,
- time_t /*t*/,
- char */*s*/,
- size_t /*len*/,
- krb5_boolean /*include_time*/);
-
-/**
- * krb5_free_address frees the data stored in the address that is
- * alloced with any of the krb5_address functions.
- *
- * @param context a Keberos context
- * @param address addresss to be freed.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_address (
- krb5_context /*context*/,
- krb5_address */*address*/);
-
-/**
- * krb5_free_addresses frees the data stored in the address that is
- * alloced with any of the krb5_address functions.
- *
- * @param context a Keberos context
- * @param addresses addressses to be freed.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_ap_rep_enc_part (
- krb5_context /*context*/,
- krb5_ap_rep_enc_part */*val*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_authenticator (
- krb5_context /*context*/,
- krb5_authenticator */*authenticator*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_checksum (
- krb5_context /*context*/,
- krb5_checksum */*cksum*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_checksum_contents (
- krb5_context /*context*/,
- krb5_checksum */*cksum*/);
-
-/**
- * Free a list of configuration files.
- *
- * @param filenames list, terminated with a NULL pointer, to be
- * freed. NULL is an valid argument.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_config_files (char **/*filenames*/);
-
-/**
- * Frees the krb5_context allocated by krb5_init_context().
- *
- * @param context context to be freed.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_context (krb5_context /*context*/);
-
-/**
- * Free content of krb5_creds.
- *
- * @param context Kerberos 5 context.
- * @param c krb5_creds to free.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_cred_contents (
- krb5_context /*context*/,
- krb5_creds */*c*/);
-
-/**
- * Free krb5_creds.
- *
- * @param context Kerberos 5 context.
- * @param c krb5_creds to free.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_creds (
- krb5_context /*context*/,
- krb5_creds */*c*/);
-
-/**
- * Deprecated: use krb5_free_cred_contents()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_creds_contents (
- krb5_context /*context*/,
- krb5_creds */*c*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Free krb5_data (and its content).
- *
- * @param context Kerberos 5 context.
- * @param p krb5_data to free.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_data (
- krb5_context /*context*/,
- krb5_data */*p*/);
-
-/**
- * Same as krb5_data_free(). MIT compat.
- *
- * Deprecated: use krb5_data_free().
- *
- * @param context Kerberos 5 context.
- * @param data krb5_data to free.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_data_contents (
- krb5_context /*context*/,
- krb5_data */*data*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_default_realm (
- krb5_context /*context*/,
- krb5_realm /*realm*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_error (
- krb5_context /*context*/,
- krb5_error */*error*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_error_contents (
- krb5_context /*context*/,
- krb5_error */*error*/);
-
-/**
- * Free the error message returned by krb5_get_error_message().
- *
- * @param context Kerberos context
- * @param msg error message to free, returned byg
- * krb5_get_error_message().
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_error_message (
- krb5_context /*context*/,
- const char */*msg*/);
-
-/**
- * Free the error message returned by krb5_get_error_string().
- *
- * Deprecated: use krb5_free_error_message()
- *
- * @param context Kerberos context
- * @param str error message to free
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_error_string (
- krb5_context /*context*/,
- char */*str*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Free all memory allocated by `realmlist'
- *
- * @param context A Kerberos 5 context.
- * @param realmlist realmlist to free, NULL is ok
- *
- * @return a Kerberos error code, always 0.
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_host_realm (
- krb5_context /*context*/,
- krb5_realm */*realmlist*/);
-
-/**
- * Variable containing the FILE based credential cache implemention.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_kdc_rep (
- krb5_context /*context*/,
- krb5_kdc_rep */*rep*/);
-
-/**
- * Free a keyblock, also zero out the content of the keyblock, uses
- * krb5_free_keyblock_contents() to free the content.
- *
- * @param context a Kerberos 5 context
- * @param keyblock keyblock to free, NULL is valid argument
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_keyblock (
- krb5_context /*context*/,
- krb5_keyblock */*keyblock*/);
-
-/**
- * Free a keyblock's content, also zero out the content of the keyblock.
- *
- * @param context a Kerberos 5 context
- * @param keyblock keyblock content to free, NULL is valid argument
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_keyblock_contents (
- krb5_context /*context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_krbhst (
- krb5_context /*context*/,
- char **/*hostlist*/);
-
-/**
- * Free a name canonicalization rule iterator.
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_name_canon_iterator (
- krb5_context /*context*/,
- krb5_name_canon_iterator /*iter*/);
-
-/**
- * Frees a Kerberos principal allocated by the library with
- * krb5_parse_name(), krb5_make_principal() or any other related
- * principal functions.
- *
- * @param context A Kerberos context.
- * @param p a principal to free.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_principal (
- krb5_context /*context*/,
- krb5_principal /*p*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_salt (
- krb5_context /*context*/,
- krb5_salt /*salt*/);
-
-/**
- * Free ticket and content
- *
- * @param context a Kerberos 5 context
- * @param ticket ticket to free
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_ticket (
- krb5_context /*context*/,
- krb5_ticket */*ticket*/);
-
-/**
- * Deprecated: use krb5_xfree().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_unparsed_name (
- krb5_context /*context*/,
- char */*str*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Forward credentials for client to host hostname , making them
- * forwardable if forwardable, and returning the blob of data to sent
- * in out_data. If hostname == NULL, pick it from server.
- *
- * @param context A kerberos 5 context.
- * @param auth_context the auth context with the key to encrypt the out_data.
- * @param hostname the host to forward the tickets too.
- * @param client the client to delegate from.
- * @param server the server to delegate the credential too.
- * @param ccache credential cache to use.
- * @param forwardable make the forwarded ticket forwabledable.
- * @param out_data the resulting credential.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_fwd_tgt_creds (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const char */*hostname*/,
- krb5_principal /*client*/,
- krb5_principal /*server*/,
- krb5_ccache /*ccache*/,
- int /*forwardable*/,
- krb5_data */*out_data*/);
-
-/**
- * Fill buffer buf with len bytes of PRNG randomness that is ok to use
- * for key generation, padding and public diclosing the randomness w/o
- * disclosing the randomness source.
- *
- * This function can fail, and callers must check the return value.
- *
- * @param buf a buffer to fill with randomness
- * @param len length of memory that buf points to.
- *
- * @return return 0 on success or HEIM_ERR_RANDOM_OFFLINE if the
- * funcation failed to initialize the randomness source.
- *
- * @ingroup krb5_crypto
- */
-
-HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_random (
- void */*buf*/,
- size_t /*len*/);
-
-/**
- * Fill buffer buf with len bytes of PRNG randomness that is ok to use
- * for key generation, padding and public diclosing the randomness w/o
- * disclosing the randomness source.
- *
- * This function can NOT fail, instead it will abort() and program will crash.
- *
- * If this function is called after a successful krb5_init_context(),
- * the chance of it failing is low due to that krb5_init_context()
- * pulls out some random, and quite commonly the randomness sources
- * will not fail once it have started to produce good output,
- * /dev/urandom behavies that way.
- *
- * @param buf a buffer to fill with randomness
- * @param len length of memory that buf points to.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_generate_random_block (
- void */*buf*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_random_keyblock (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_seq_number (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- uint32_t */*seqno*/);
-
-/**
- * Deprecated: use krb5_generate_subkey_extended()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_subkey (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_keyblock **/*subkey*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Generate subkey, from keyblock
- *
- * @param context kerberos context
- * @param key session key
- * @param etype encryption type of subkey, if ETYPE_NULL, use key's enctype
- * @param subkey returned new, free with krb5_free_keyblock().
- *
- * @return 0 on success or a Kerberos 5 error code
- *
-* @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_subkey_extended (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_enctype /*etype*/,
- krb5_keyblock **/*subkey*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_all_client_addrs (
- krb5_context /*context*/,
- krb5_addresses */*res*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_all_server_addrs (
- krb5_context /*context*/,
- krb5_addresses */*res*/);
-
-/**
- * Deprecated: use krb5_get_credentials_with_flags().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_cred_from_kdc (
- krb5_context /*context*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_creds **/*out_creds*/,
- krb5_creds ***/*ret_tgts*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_credentials_with_flags().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_cred_from_kdc_opt (
- krb5_context /*context*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_creds **/*out_creds*/,
- krb5_creds ***/*ret_tgts*/,
- krb5_flags /*flags*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_credentials (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_creds **/*out_creds*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_credentials_with_flags (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_kdc_flags /*flags*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_creds **/*out_creds*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_creds (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_ccache /*ccache*/,
- krb5_const_principal /*inprinc*/,
- krb5_creds **/*out_creds*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_creds_opt_add_options (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_flags /*options*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_creds_opt_alloc (
- krb5_context /*context*/,
- krb5_get_creds_opt */*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_creds_opt_free (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_creds_opt_set_enctype (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_enctype /*enctype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_creds_opt_set_impersonate (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_const_principal /*self*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_creds_opt_set_options (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_flags /*options*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_creds_opt_set_ticket (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- const Ticket */*ticket*/);
-
-/**
- * Get the global configuration list.
- *
- * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_config_files (char ***/*pfilenames*/);
-
-/**
- * Get the default encryption types that will be use in communcation
- * with the KDC, clients and servers.
- *
- * @param context Kerberos 5 context.
- * @param pdu_type request type (AS, TGS or none)
- * @param etypes Encryption types, array terminated with
- * ETYPE_NULL(0), caller should free array with krb5_xfree():
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_in_tkt_etypes (
- krb5_context /*context*/,
- krb5_pdu /*pdu_type*/,
- krb5_enctype **/*etypes*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_principal (
- krb5_context /*context*/,
- krb5_principal */*princ*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_realm (
- krb5_context /*context*/,
- krb5_realm */*realm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_realms (
- krb5_context /*context*/,
- krb5_realm **/*realms*/);
-
-/**
- * Get if the library uses DNS to canonicalize hostnames.
- *
- * @param context Kerberos 5 context.
- *
- * @return return non zero if the library uses DNS to canonicalize hostnames.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_get_dns_canonicalize_hostname (krb5_context /*context*/);
-
-/**
- * Return the error string for the error code. The caller must not
- * free the string.
- *
- * This function is deprecated since its not threadsafe.
- *
- * @param context Kerberos 5 context.
- * @param code Kerberos error code.
- *
- * @return the error message matching code
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_get_err_text (
- krb5_context /*context*/,
- krb5_error_code /*code*/)
- KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead");
-
-/**
- * Return the error message for `code' in context. On memory
- * allocation error the function returns NULL.
- *
- * @param context Kerberos 5 context
- * @param code Error code related to the error
- *
- * @return an error string, needs to be freed with
- * krb5_free_error_message(). The functions return NULL on error.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_get_error_message (
- krb5_context /*context*/,
- krb5_error_code /*code*/);
-
-/**
- * Return the error message in context. On error or no error string,
- * the function returns NULL.
- *
- * @param context Kerberos 5 context
- *
- * @return an error string, needs to be freed with
- * krb5_free_error_message(). The functions return NULL on error.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-krb5_get_error_string (krb5_context /*context*/)
- KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead");
-
-/**
- * Get extra address to the address list that the library will add to
- * the client's address list when communicating with the KDC.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to set
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_extra_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-/**
- * Get version of fcache that the library should use.
- *
- * @param context Kerberos 5 context.
- * @param version version number.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_fcache_version (
- krb5_context /*context*/,
- int */*version*/);
-
-/**
- * Gets tickets forwarded to hostname. If the tickets that are
- * forwarded are address-less, the forwarded tickets will also be
- * address-less.
- *
- * If the ticket have any address, hostname will be used for figure
- * out the address to forward the ticket too. This since this might
- * use DNS, its insecure and also doesn't represent configured all
- * addresses of the host. For example, the host might have two
- * adresses, one IPv4 and one IPv6 address where the later is not
- * published in DNS. This IPv6 address might be used communications
- * and thus the resulting ticket useless.
- *
- * @param context A kerberos 5 context.
- * @param auth_context the auth context with the key to encrypt the out_data.
- * @param ccache credential cache to use
- * @param flags the flags to control the resulting ticket flags
- * @param hostname the host to forward the tickets too.
- * @param in_creds the in client and server ticket names. The client
- * and server components forwarded to the remote host.
- * @param out_data the resulting credential.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_forwarded_creds (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_ccache /*ccache*/,
- krb5_flags /*flags*/,
- const char */*hostname*/,
- krb5_creds */*in_creds*/,
- krb5_data */*out_data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_host_realm (
- krb5_context /*context*/,
- const char */*targethost*/,
- krb5_realm **/*realms*/);
-
-/**
- * Get extra addresses to ignore when fetching addresses from the
- * underlaying operating system.
- *
- * @param context Kerberos 5 context.
- * @param addresses list addreses ignored
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_ignore_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_cred (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- const krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*ptypes*/,
- const krb5_preauthdata */*preauth*/,
- krb5_key_proc /*key_proc*/,
- krb5_const_pointer /*keyseed*/,
- krb5_decrypt_proc /*decrypt_proc*/,
- krb5_const_pointer /*decryptarg*/,
- krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_tkt (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- const krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*ptypes*/,
- krb5_key_proc /*key_proc*/,
- krb5_const_pointer /*keyseed*/,
- krb5_decrypt_proc /*decrypt_proc*/,
- krb5_const_pointer /*decryptarg*/,
- krb5_creds */*creds*/,
- krb5_ccache /*ccache*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_tkt_with_keytab (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*pre_auth_types*/,
- krb5_keytab /*keytab*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_tkt_with_password (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*pre_auth_types*/,
- const char */*password*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_tkt_with_skey (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*pre_auth_types*/,
- const krb5_keyblock */*key*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Get new credentials using keyblock.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_keyblock (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- krb5_keyblock */*keyblock*/,
- krb5_deltat /*start_time*/,
- const char */*in_tkt_service*/,
- krb5_get_init_creds_opt */*options*/);
-
-/**
- * Get new credentials using keytab.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_keytab (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- krb5_keytab /*keytab*/,
- krb5_deltat /*start_time*/,
- const char */*in_tkt_service*/,
- krb5_get_init_creds_opt */*options*/);
-
-/**
- * Allocate a new krb5_get_init_creds_opt structure, free with
- * krb5_get_init_creds_opt_free().
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_alloc (
- krb5_context /*context*/,
- krb5_get_init_creds_opt **/*opt*/);
-
-/**
- * Free krb5_get_init_creds_opt structure.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_free (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/);
-
-/**
- * Deprecated: use the new krb5_init_creds_init() and
- * krb5_init_creds_get_error().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_get_error (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- KRB_ERROR **/*error*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_init_creds_opt_alloc().
- *
- * The reason krb5_get_init_creds_opt_init() is deprecated is that
- * krb5_get_init_creds_opt is a static structure and for ABI reason it
- * can't grow, ie can't add new functionality.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_address_list (
- krb5_get_init_creds_opt */*opt*/,
- krb5_addresses */*addresses*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_addressless (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_boolean /*addressless*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_anonymous (
- krb5_get_init_creds_opt */*opt*/,
- int /*anonymous*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_canonicalize (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_boolean /*req*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_change_password_prompt (
- krb5_get_init_creds_opt */*opt*/,
- int /*change_password_prompt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_default_flags (
- krb5_context /*context*/,
- const char */*appname*/,
- krb5_const_realm /*realm*/,
- krb5_get_init_creds_opt */*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_etype_list (
- krb5_get_init_creds_opt */*opt*/,
- krb5_enctype */*etype_list*/,
- int /*etype_list_length*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_forwardable (
- krb5_get_init_creds_opt */*opt*/,
- int /*forwardable*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_pa_password (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- const char */*password*/,
- krb5_s2k_proc /*key_proc*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_pac_request (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_boolean /*req_pac*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_pkinit (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_principal /*principal*/,
- const char */*user_id*/,
- const char */*x509_anchors*/,
- char * const * /*pool*/,
- char * const * /*pki_revoke*/,
- int /*flags*/,
- krb5_prompter_fct /*prompter*/,
- void */*prompter_data*/,
- char */*password*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_init_creds_opt_set_pkinit_user_certs (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- struct hx509_certs_data */*certs*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_preauth_list (
- krb5_get_init_creds_opt */*opt*/,
- krb5_preauthtype */*preauth_list*/,
- int /*preauth_list_length*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_process_last_req (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_gic_process_last_req /*func*/,
- void */*ctx*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_proxiable (
- krb5_get_init_creds_opt */*opt*/,
- int /*proxiable*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_renew_life (
- krb5_get_init_creds_opt */*opt*/,
- krb5_deltat /*renew_life*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_salt (
- krb5_get_init_creds_opt */*opt*/,
- krb5_data */*salt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_tkt_life (
- krb5_get_init_creds_opt */*opt*/,
- krb5_deltat /*tkt_life*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_win2k (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_boolean /*req*/);
-
-/**
- * Get new credentials using password.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_password (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- const char */*password*/,
- krb5_prompter_fct /*prompter*/,
- void */*data*/,
- krb5_deltat /*start_time*/,
- const char */*in_tkt_service*/,
- krb5_get_init_creds_opt */*options*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_kdc_cred (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_kdc_flags /*flags*/,
- krb5_addresses */*addresses*/,
- Ticket */*second_ticket*/,
- krb5_creds */*in_creds*/,
- krb5_creds **out_creds );
-
-/**
- * Get current offset in time to the KDC.
- *
- * @param context Kerberos 5 context.
- * @param sec seconds part of offset.
- * @param usec micro seconds part of offset.
- *
- * @return returns zero
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_kdc_sec_offset (
- krb5_context /*context*/,
- int32_t */*sec*/,
- int32_t */*usec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krb524hst (
- krb5_context /*context*/,
- const krb5_realm */*realm*/,
- char ***/*hostlist*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krb_admin_hst (
- krb5_context /*context*/,
- const krb5_realm */*realm*/,
- char ***/*hostlist*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krb_changepw_hst (
- krb5_context /*context*/,
- const krb5_realm */*realm*/,
- char ***/*hostlist*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krbhst (
- krb5_context /*context*/,
- const krb5_realm */*realm*/,
- char ***/*hostlist*/);
-
-/**
- * Get max time skew allowed.
- *
- * @param context Kerberos 5 context.
- *
- * @return timeskew in seconds.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
-krb5_get_max_time_skew (krb5_context /*context*/);
-
-/**
- * krb5_init_context() will get one random byte to make sure our
- * random is alive. Assumption is that once the non blocking
- * source allows us to pull bytes, its all seeded and allows us to
- * pull more bytes.
- *
- * Most Kerberos users calls krb5_init_context(), so this is
- * useful point where we can do the checking.
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_permitted_enctypes (
- krb5_context /*context*/,
- krb5_enctype **/*etypes*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_pw_salt (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- krb5_salt */*salt*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_renewed_creds (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_const_principal /*client*/,
- krb5_ccache /*ccache*/,
- const char */*in_tkt_service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_server_rcache (
- krb5_context /*context*/,
- const krb5_data */*piece*/,
- krb5_rcache */*id*/);
-
-/**
- * Make the kerberos library default to the admin KDC.
- *
- * @param context Kerberos 5 context.
- *
- * @return boolean flag to telling the context will use admin KDC as the default KDC.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_get_use_admin_kdc (krb5_context /*context*/);
-
-/**
- * Validate the newly fetch credential, see also krb5_verify_init_creds().
- *
- * @param context a Kerberos 5 context
- * @param creds the credentials to verify
- * @param client the client name to match up
- * @param ccache the credential cache to use
- * @param service a service name to use, used with
- * krb5_sname_to_principal() to build a hostname to use to
- * verify.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_validated_creds (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- krb5_ccache /*ccache*/,
- char */*service*/);
-
-/**
- * Get the default logging facility.
- *
- * @param context A Kerberos 5 context
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_log_facility * KRB5_LIB_CALL
-krb5_get_warn_dest (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
-krb5_get_wrapped_length (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- size_t /*data_len*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_getportbyname (
- krb5_context /*context*/,
- const char */*service*/,
- const char */*proto*/,
- int /*default_port*/);
-
-/**
- * krb5_h_addr2addr works like krb5_h_addr2sockaddr with the exception
- * that it operates on a krb5_address instead of a struct sockaddr.
- *
- * @param context a Keberos context
- * @param af address family
- * @param haddr host address from struct hostent.
- * @param addr returned krb5_address.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_h_addr2addr (
- krb5_context /*context*/,
- int /*af*/,
- const char */*haddr*/,
- krb5_address */*addr*/);
-
-/**
- * krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and
- * the "struct hostent" (see gethostbyname(3) ) h_addr_list
- * component. The argument sa_size should initially contain the size
- * of the sa, and after the call, it will contain the actual length of
- * the address.
- *
- * @param context a Keberos context
- * @param af addresses
- * @param addr address
- * @param sa returned struct sockaddr
- * @param sa_size size of sa
- * @param port port to set in sa.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_h_addr2sockaddr (
- krb5_context /*context*/,
- int /*af*/,
- const char */*addr*/,
- struct sockaddr */*sa*/,
- krb5_socklen_t */*sa_size*/,
- int /*port*/);
-
-/**
- * Convert the gethostname() error code (h_error) to a Kerberos et
- * error code.
- *
- * @param eai_errno contains the error code from gethostname().
- *
- * @return Kerberos error code representing the gethostname errors.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_h_errno_to_heim_errno (int /*eai_errno*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_have_error_string (krb5_context /*context*/)
- KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_hmac (
- krb5_context /*context*/,
- krb5_cksumtype /*cktype*/,
- const void */*data*/,
- size_t /*len*/,
- unsigned /*usage*/,
- krb5_keyblock */*key*/,
- Checksum */*result*/);
-
-/**
- * Initializes the context structure and reads the configuration file
- * /etc/krb5.conf. The structure should be freed by calling
- * krb5_free_context() when it is no longer being used.
- *
- * @param context pointer to returned context
- *
- * @return Returns 0 to indicate success. Otherwise an errno code is
- * returned. Failure means either that something bad happened during
- * initialization (typically ENOMEM) or that Kerberos should not be
- * used ENXIO. If the function returns HEIM_ERR_RANDOM_OFFLINE, the
- * random source is not available and later Kerberos calls might fail.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_context (krb5_context */*context*/);
-
-/**
- * Free the krb5_init_creds_context allocated by krb5_init_creds_init().
- *
- * @param context A Kerberos 5 context.
- * @param ctx The krb5_init_creds_context to free.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_init_creds_free (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/);
-
-/**
- * Get new credentials as setup by the krb5_init_creds_context.
- *
- * @param context A Kerberos 5 context.
- * @param ctx The krb5_init_creds_context to process.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_get (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/);
-
-/**
- * Extract the newly acquired credentials from krb5_init_creds_context
- * context.
- *
- * @param context A Kerberos 5 context.
- * @param ctx
- * @param cred credentials, free with krb5_free_cred_contents().
- *
- * @return 0 for sucess or An Kerberos error code, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_get_creds (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_creds */*cred*/);
-
-/**
- * Get the last error from the transaction.
- *
- * @return Returns 0 or an error code
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_get_error (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- KRB_ERROR */*error*/);
-
-/**
- * Start a new context to get a new initial credential.
- *
- * @param context A Kerberos 5 context.
- * @param client The Kerberos principal to get the credential for, if
- * NULL is given, the default principal is used as determined by
- * krb5_get_default_principal().
- * @param prompter
- * @param prompter_data
- * @param start_time the time the ticket should start to be valid or 0 for now.
- * @param options a options structure, can be NULL for default options.
- * @param rctx A new allocated free with krb5_init_creds_free().
- *
- * @return 0 for success or an Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_init (
- krb5_context /*context*/,
- krb5_principal /*client*/,
- krb5_prompter_fct /*prompter*/,
- void */*prompter_data*/,
- krb5_deltat /*start_time*/,
- krb5_get_init_creds_opt */*options*/,
- krb5_init_creds_context */*rctx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_fast_ap_armor_service (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_const_principal /*armor_service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_fast_ccache (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_ccache /*fast_ccache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_keyblock (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_keyblock */*keyblock*/);
-
-/**
- * Set the keytab to use for authentication.
- *
- * @param context a Kerberos 5 context.
- * @param ctx ctx krb5_init_creds_context context.
- * @param keytab the keytab to read the key from.
- *
- * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_keytab (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_keytab /*keytab*/);
-
-/**
- * Sets the password that will use for the request.
- *
- * @param context a Kerberos 5 context.
- * @param ctx ctx krb5_init_creds_context context.
- * @param password the password to use.
- *
- * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_password (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- const char */*password*/);
-
-/**
- * Sets the service that the is requested. This call is only neede for
- * special initial tickets, by default the a krbtgt is fetched in the default realm.
- *
- * @param context a Kerberos 5 context.
- * @param ctx a krb5_init_creds_context context.
- * @param service the service given as a string, for example
- * "kadmind/admin". If NULL, the default krbtgt in the clients
- * realm is set.
- *
- * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_service (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- const char */*service*/);
-
-/**
- * The core loop if krb5_get_init_creds() function family. Create the
- * packets and have the caller send them off to the KDC.
- *
- * If the caller want all work been done for them, use
- * krb5_init_creds_get() instead.
- *
- * @param context a Kerberos 5 context.
- * @param ctx ctx krb5_init_creds_context context.
- * @param in input data from KDC, first round it should be reset by krb5_data_zer().
- * @param out reply to KDC.
- * @param hostinfo KDC address info, first round it can be NULL.
- * @param flags status of the round, if
- * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
- *
- * @return 0 for success, or an Kerberos 5 error code, see
- * krb5_get_error_message().
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_step (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_data */*in*/,
- krb5_data */*out*/,
- krb5_krbhst_info */*hostinfo*/,
- unsigned int */*flags*/);
-
-/**
- *
- * @ingroup krb5_credential
- */
-
-krb5_error_code
-krb5_init_creds_store (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_ccache /*id*/);
-
-/**
- * Init the built-in ets in the Kerberos library.
- *
- * @param context kerberos context to add the ets too
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_init_ets (krb5_context /*context*/);
-
-/**
- @struct krb5plugin_kuserok_ftable_desc *
- * @brief Description of the krb5_kuserok(3) plugin facility.
- *
- * The krb5_kuserok(3) function is pluggable. The plugin is named
- * KRB5_PLUGIN_KUSEROK ("krb5_plugin_kuserok"), with a single minor
- * version, KRB5_PLUGIN_KUSEROK_VERSION_0 (0).
- *
- * The plugin for krb5_kuserok(3) consists of a data symbol referencing
- * a structure of type krb5plugin_kuserok_ftable, with four fields:
- *
- * @param init Plugin initialization function (see krb5-plugin(7))
- *
- * @param minor_version The plugin minor version number (0)
- *
- * @param fini Plugin finalization function
- *
- * @param kuserok Plugin kuserok function
- *
- * The kuserok field is the plugin entry point that performs the
- * traditional kuserok operation however the plugin desires. It is
- * invoked in no particular order relative to other kuserok plugins, but
- * it has a 'rule' argument that indicates which plugin is intended to
- * act on the rule. The plugin kuserok function must return
- * KRB5_PLUGIN_NO_HANDLE if the rule is not applicable to it.
- *
- * The plugin kuserok function has the following arguments, in this
- * order:
- *
- * -# plug_ctx, the context value output by the plugin's init function
- * -# context, a krb5_context
- * -# rule, the kuserok rule being evaluated (from krb5.conf(5))
- * -# flags
- * -# k5login_dir, configured location of k5login per-user files if any
- * -# luser, name of the local user account to which principal is attempting to access.
- * -# principal, the krb5_principal trying to access the luser account
- * -# result, a krb5_boolean pointer where the plugin will output its result
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_initlog (
- krb5_context /*context*/,
- const char */*program*/,
- krb5_log_facility **/*fac*/);
-
-/**
- * Return TRUE (non zero) if the principal is a configuration
- * principal (generated part of krb5_cc_set_config()). Returns FALSE
- * (zero) if not a configuration principal.
- *
- * @param context a Keberos context
- * @param principal principal to check if it a configuration principal
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_is_config_principal (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Returns is the encryption is strong or weak
- *
- * @param context Kerberos 5 context
- * @param enctype encryption type to probe
- *
- * @return Returns true if encryption type is weak or is not supported.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_is_enctype_weak (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/);
-
-/**
- * Runtime check if the Kerberos library was complied with thread support.
- *
- * @return TRUE if the library was compiled with thread support, FALSE if not.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_is_thread_safe (void);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kcm_call (
- krb5_context /*context*/,
- krb5_storage */*request*/,
- krb5_storage **/*response_p*/,
- krb5_data */*response_data_p*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kcm_storage_request (
- krb5_context /*context*/,
- uint16_t /*opcode*/,
- krb5_storage **/*storage_p*/);
-
-/**
- * Returns the list of Kerberos encryption types sorted in order of
- * most preferred to least preferred encryption type. Note that some
- * encryption types might be disabled, so you need to check with
- * krb5_enctype_valid() before using the encryption type.
- *
- * @return list of enctypes, terminated with ETYPE_NULL. Its a static
- * array completed into the Kerberos library so the content doesn't
- * need to be freed.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
-krb5_kerberos_enctypes (krb5_context /*context*/);
-
-/**
- * Get encryption type of a keyblock.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_enctype KRB5_LIB_CALL
-krb5_keyblock_get_enctype (const krb5_keyblock */*block*/);
-
-/**
- * Fill in `key' with key data of type `enctype' from `data' of length
- * `size'. Key should be freed using krb5_free_keyblock_contents().
- *
- * @return 0 on success or a Kerberos 5 error code
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keyblock_init (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- const void */*data*/,
- size_t /*size*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keyblock_key_proc (
- krb5_context /*context*/,
- krb5_keytype /*type*/,
- krb5_data */*salt*/,
- krb5_const_pointer /*keyseed*/,
- krb5_keyblock **/*key*/);
-
-/**
- * Zero out a keyblock
- *
- * @param keyblock keyblock to zero out
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_keyblock_zero (krb5_keyblock */*keyblock*/);
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
-krb5_keytab_key_proc (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_salt /*salt*/,
- krb5_const_pointer /*keyseed*/,
- krb5_keyblock **/*key*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keytype_to_enctypes (
- krb5_context /*context*/,
- krb5_keytype /*keytype*/,
- unsigned */*len*/,
- krb5_enctype **/*val*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keytype_to_enctypes_default (
- krb5_context /*context*/,
- krb5_keytype /*keytype*/,
- unsigned */*len*/,
- krb5_enctype **/*val*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes in
- * most cases, use krb5_enctype_to_string().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keytype_to_string (
- krb5_context /*context*/,
- krb5_keytype /*keytype*/,
- char **/*string*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_format_string (
- krb5_context /*context*/,
- const krb5_krbhst_info */*host*/,
- char */*hostname*/,
- size_t /*hostlen*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_krbhst_free (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/);
-
-/**
- * Return an `struct addrinfo *' for a KDC host.
- *
- * Returns an the struct addrinfo in in that corresponds to the
- * information in `host'. free:ing is handled by krb5_krbhst_free, so
- * the returned ai must not be released.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_get_addrinfo (
- krb5_context /*context*/,
- krb5_krbhst_info */*host*/,
- struct addrinfo **/*ai*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_init (
- krb5_context /*context*/,
- const char */*realm*/,
- unsigned int /*type*/,
- krb5_krbhst_handle */*handle*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_init_flags (
- krb5_context /*context*/,
- const char */*realm*/,
- unsigned int /*type*/,
- int /*flags*/,
- krb5_krbhst_handle */*handle*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_next (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/,
- krb5_krbhst_info **/*host*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_next_as_string (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/,
- char */*hostname*/,
- size_t /*hostlen*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_krbhst_reset (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_set_hostname (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/,
- const char */*hostname*/);
-
-/**
- * Add the entry in `entry' to the keytab `id'.
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param entry the entry to add
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_add_entry (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_keytab_entry */*entry*/);
-
-/**
- * Finish using the keytab in `id'. All resources will be released,
- * even on errors.
- *
- * @param context a Keberos context.
- * @param id keytab to close.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_close (
- krb5_context /*context*/,
- krb5_keytab /*id*/);
-
-/**
- * Compare `entry' against `principal, vno, enctype'.
- * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
- * Return TRUE if they compare the same, FALSE otherwise.
- *
- * @param context a Keberos context.
- * @param entry an entry to match with.
- * @param principal principal to match, NULL matches all principals.
- * @param vno key version to match, 0 matches all key version numbers.
- * @param enctype encryption type to match, 0 matches all encryption types.
- *
- * @return Return TRUE or match, FALSE if not matched.
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_kt_compare (
- krb5_context /*context*/,
- krb5_keytab_entry */*entry*/,
- krb5_const_principal /*principal*/,
- krb5_kvno /*vno*/,
- krb5_enctype /*enctype*/);
-
-/**
- * Copy the contents of `in' into `out'.
- *
- * @param context a Keberos context.
- * @param in the keytab entry to copy.
- * @param out the copy of the keytab entry, free with krb5_kt_free_entry().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_copy_entry_contents (
- krb5_context /*context*/,
- const krb5_keytab_entry */*in*/,
- krb5_keytab_entry */*out*/);
-
-/**
- * Set `id' to the default keytab.
- *
- * @param context a Keberos context.
- * @param id the new default keytab.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_default (
- krb5_context /*context*/,
- krb5_keytab */*id*/);
-
-/**
- * Copy the name of the default modify keytab into `name'.
- *
- * @param context a Keberos context.
- * @param name buffer where the name will be written
- * @param namesize length of name
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_default_modify_name (
- krb5_context /*context*/,
- char */*name*/,
- size_t /*namesize*/);
-
-/**
- * copy the name of the default keytab into `name'.
- *
- * @param context a Keberos context.
- * @param name buffer where the name will be written
- * @param namesize length of name
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_default_name (
- krb5_context /*context*/,
- char */*name*/,
- size_t /*namesize*/);
-
-/**
- * Destroy (remove) the keytab in `id'. All resources will be released,
- * even on errors, does the equvalment of krb5_kt_close() on the resources.
- *
- * @param context a Keberos context.
- * @param id keytab to destroy.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_destroy (
- krb5_context /*context*/,
- krb5_keytab /*id*/);
-
-/**
- * Release all resources associated with `cursor'.
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param cursor the cursor to free.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_end_seq_get (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_kt_cursor */*cursor*/);
-
-/**
- * Free the contents of `entry'.
- *
- * @param context a Keberos context.
- * @param entry the entry to free
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_free_entry (
- krb5_context /*context*/,
- krb5_keytab_entry */*entry*/);
-
-/**
- * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
- * from the keytab `id'. Matching is done like krb5_kt_compare().
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param principal principal to match, NULL matches all principals.
- * @param kvno key version to match, 0 matches all key version numbers.
- * @param enctype encryption type to match, 0 matches all encryption types.
- * @param entry the returned entry, free with krb5_kt_free_entry().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_get_entry (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_const_principal /*principal*/,
- krb5_kvno /*kvno*/,
- krb5_enctype /*enctype*/,
- krb5_keytab_entry */*entry*/);
-
-/**
- * Retrieve the full name of the keytab `keytab' and store the name in
- * `str'.
- *
- * @param context a Keberos context.
- * @param keytab keytab to get name for.
- * @param str the name of the keytab name, usee krb5_xfree() to free
- * the string. On error, *str is set to NULL.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_get_full_name (
- krb5_context /*context*/,
- krb5_keytab /*keytab*/,
- char **/*str*/);
-
-/**
- * Retrieve the name of the keytab `keytab' into `name', `namesize'
- *
- * @param context a Keberos context.
- * @param keytab the keytab to get the name for.
- * @param name name buffer.
- * @param namesize size of name buffer.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_get_name (
- krb5_context /*context*/,
- krb5_keytab /*keytab*/,
- char */*name*/,
- size_t /*namesize*/);
-
-/**
- * Return the type of the `keytab' in the string `prefix of length
- * `prefixsize'.
- *
- * @param context a Keberos context.
- * @param keytab the keytab to get the prefix for
- * @param prefix prefix buffer
- * @param prefixsize length of prefix buffer
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_get_type (
- krb5_context /*context*/,
- krb5_keytab /*keytab*/,
- char */*prefix*/,
- size_t /*prefixsize*/);
-
-/**
- * Return true if the keytab exists and have entries
- *
- * @param context a Keberos context.
- * @param id a keytab.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_have_content (
- krb5_context /*context*/,
- krb5_keytab /*id*/);
-
-/**
- * Get the next entry from keytab, advance the cursor. On last entry
- * the function will return KRB5_KT_END.
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param entry the returned entry, free with krb5_kt_free_entry().
- * @param cursor the cursor of the iteration.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_next_entry (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_keytab_entry */*entry*/,
- krb5_kt_cursor */*cursor*/);
-
-/**
- * Read the key identified by `(principal, vno, enctype)' from the
- * keytab in `keyprocarg' (the default if == NULL) into `*key'.
- *
- * @param context a Keberos context.
- * @param keyprocarg
- * @param principal
- * @param vno
- * @param enctype
- * @param key
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_read_service_key (
- krb5_context /*context*/,
- krb5_pointer /*keyprocarg*/,
- krb5_principal /*principal*/,
- krb5_kvno /*vno*/,
- krb5_enctype /*enctype*/,
- krb5_keyblock **/*key*/);
-
-/**
- * Register a new keytab backend.
- *
- * @param context a Keberos context.
- * @param ops a backend to register.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_register (
- krb5_context /*context*/,
- const krb5_kt_ops */*ops*/);
-
-/**
- * Remove an entry from the keytab, matching is done using
- * krb5_kt_compare().
-
- * @param context a Keberos context.
- * @param id a keytab.
- * @param entry the entry to remove
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_remove_entry (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_keytab_entry */*entry*/);
-
-/**
- * Resolve the keytab name (of the form `type:residual') in `name'
- * into a keytab in `id'.
- *
- * @param context a Keberos context.
- * @param name name to resolve
- * @param id resulting keytab, free with krb5_kt_close().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_resolve (
- krb5_context /*context*/,
- const char */*name*/,
- krb5_keytab */*id*/);
-
-/**
- * Set `cursor' to point at the beginning of `id'.
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param cursor a newly allocated cursor, free with krb5_kt_end_seq_get().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_start_seq_get (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_kt_cursor */*cursor*/);
-
-/**
- * This function takes the name of a local user and checks if
- * principal is allowed to log in as that user.
- *
- * The user may have a ~/.k5login file listing principals that are
- * allowed to login as that user. If that file does not exist, all
- * principals with a only one component that is identical to the
- * username, and a realm considered local, are allowed access.
- *
- * The .k5login file must contain one principal per line, be owned by
- * user and not be writable by group or other (but must be readable by
- * anyone).
- *
- * Note that if the file exists, no implicit access rights are given
- * to user@@LOCALREALM.
- *
- * Optionally, a set of files may be put in ~/.k5login.d (a
- * directory), in which case they will all be checked in the same
- * manner as .k5login. The files may be called anything, but files
- * starting with a hash (#) , or ending with a tilde (~) are
- * ignored. Subdirectories are not traversed. Note that this directory
- * may not be checked by other Kerberos implementations.
- *
- * If no configuration file exists, match user against local domains,
- * ie luser@@LOCAL-REALMS-IN-CONFIGURATION-FILES.
- *
- * @param context Kerberos 5 context.
- * @param principal principal to check if allowed to login
- * @param luser local user id
- *
- * @return returns TRUE if access should be granted, FALSE otherwise.
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_kuserok (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- const char */*luser*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_log (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- int /*level*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 4, 5)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_log_msg (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- int /*level*/,
- char **/*reply*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 5, 6)));
-
-/**
- * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port)
- *
- * @param context a Keberos context
- * @param res built address from addr/port
- * @param addr address to use
- * @param port port to use
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_make_addrport (
- krb5_context /*context*/,
- krb5_address **/*res*/,
- const krb5_address */*addr*/,
- int16_t /*port*/);
-
-/**
- * Build a principal using vararg style building
- *
- * @param context A Kerberos context.
- * @param principal returned principal
- * @param realm realm name
- * @param ... a list of components ended with NULL.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_make_principal (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- krb5_const_realm /*realm*/,
- ...);
-
-/**
- * krb5_max_sockaddr_size returns the max size of the .Li struct
- * sockaddr that the Kerberos library will return.
- *
- * @return Return an size_t of the maximum struct sockaddr.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
-krb5_max_sockaddr_size (void);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_error (
- krb5_context /*context*/,
- krb5_error_code /*error_code*/,
- const char */*e_text*/,
- const krb5_data */*e_data*/,
- const krb5_principal /*client*/,
- const krb5_principal /*server*/,
- time_t */*client_time*/,
- int */*client_usec*/,
- krb5_data */*reply*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_error_ext (
- krb5_context /*context*/,
- krb5_error_code /*error_code*/,
- const char */*e_text*/,
- const krb5_data */*e_data*/,
- const krb5_principal /*server*/,
- const PrincipalName */*client_name*/,
- const Realm */*client_realm*/,
- time_t */*client_time*/,
- int */*client_usec*/,
- krb5_data */*reply*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_priv (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*userdata*/,
- krb5_data */*outbuf*/,
- krb5_replay_data */*outdata*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_rep (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_data */*outbuf*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_req (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_flags /*ap_req_options*/,
- const char */*service*/,
- const char */*hostname*/,
- krb5_data */*in_data*/,
- krb5_ccache /*ccache*/,
- krb5_data */*outbuf*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_req_exact (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_flags /*ap_req_options*/,
- const krb5_principal /*server*/,
- krb5_data */*in_data*/,
- krb5_ccache /*ccache*/,
- krb5_data */*outbuf*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_req_extended (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_flags /*ap_req_options*/,
- krb5_data */*in_data*/,
- krb5_creds */*in_creds*/,
- krb5_data */*outbuf*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_safe (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*userdata*/,
- krb5_data */*outbuf*/,
- krb5_replay_data */*outdata*/);
-
-/**
- * Iteratively apply name canon rules, outputing a principal and rule
- * options each time. Iteration completes when the @iter is NULL on
- * return or when an error is returned. Callers must free the iterator
- * if they abandon it mid-way.
- *
- * @param context Kerberos context
- * @param iter name canon rule iterator (input/output)
- * @param try_princ output principal name
- * @param rule_opts output rule options
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_name_canon_iterate (
- krb5_context /*context*/,
- krb5_name_canon_iterator */*iter*/,
- krb5_const_principal */*try_princ*/,
- krb5_name_canon_rule_options */*rule_opts*/);
-
-/**
- * Initialize name canonicalization iterator.
- *
- * @param context Kerberos context
- * @param in_princ principal name to be canonicalized OR
- * @param iter output iterator object
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_name_canon_iterator_start (
- krb5_context /*context*/,
- krb5_const_principal /*in_princ*/,
- krb5_name_canon_iterator */*iter*/);
-
-/**
- * Read \a len bytes from socket \a p_fd into buffer \a buf.
- * Block until \a len bytes are read or until an error.
- *
- * @return If successful, the number of bytes read: \a len.
- * On end-of-file, 0.
- * On error, less than 0 (if single-threaded, the error can be found
- * in the errno global variable).
- */
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_net_read (
- krb5_context /*context*/,
- void */*p_fd*/,
- void */*buf*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_net_write (
- krb5_context /*context*/,
- void */*p_fd*/,
- const void */*buf*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_net_write_block (
- krb5_context /*context*/,
- void */*p_fd*/,
- const void */*buf*/,
- size_t /*len*/,
- time_t /*timeout*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_alloc (
- krb5_context /*context*/,
- krb5_ntlm */*ntlm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_free (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_challenge (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*challenge*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_flags (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- uint32_t */*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_opaque (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*opaque*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_targetinfo (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_targetname (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- char **/*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_request (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/,
- uint32_t /*flags*/,
- const char */*hostname*/,
- const char */*domainname*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_rep_get_sessionkey (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_ntlm_rep_get_status (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_flags (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- uint32_t /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_lm (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- void */*hash*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_ntlm (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- void */*hash*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_opaque (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*opaque*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_session (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- void */*sessionkey*/,
- size_t /*length*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_targetname (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- const char */*targetname*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_username (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- const char */*username*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_request (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_openlog (
- krb5_context /*context*/,
- const char */*program*/,
- krb5_log_facility **/*fac*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_add_buffer (
- krb5_context /*context*/,
- krb5_pac /*p*/,
- uint32_t /*type*/,
- const krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_pac_free (
- krb5_context /*context*/,
- krb5_pac /*pac*/);
-
-/**
- * Get the PAC buffer of specific type from the pac.
- *
- * @param context Kerberos 5 context.
- * @param p the pac structure returned by krb5_pac_parse().
- * @param type type of buffer to get
- * @param data return data, free with krb5_data_free().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5_pac
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_get_buffer (
- krb5_context /*context*/,
- krb5_pac /*p*/,
- uint32_t /*type*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_get_types (
- krb5_context /*context*/,
- krb5_pac /*p*/,
- size_t */*len*/,
- uint32_t **/*types*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_init (
- krb5_context /*context*/,
- krb5_pac */*pac*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_parse (
- krb5_context /*context*/,
- const void */*ptr*/,
- size_t /*len*/,
- krb5_pac */*pac*/);
-
-/**
- * Verify the PAC.
- *
- * @param context Kerberos 5 context.
- * @param pac the pac structure returned by krb5_pac_parse().
- * @param authtime The time of the ticket the PAC belongs to.
- * @param principal the principal to verify.
- * @param server The service key, most always be given.
- * @param privsvr The KDC key, may be given.
-
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5_pac
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_verify (
- krb5_context /*context*/,
- const krb5_pac /*pac*/,
- time_t /*authtime*/,
- krb5_const_principal /*principal*/,
- const krb5_keyblock */*server*/,
- const krb5_keyblock */*privsvr*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_padata_add (
- krb5_context /*context*/,
- METHOD_DATA */*md*/,
- int /*type*/,
- void */*buf*/,
- size_t /*len*/);
-
-/**
- * krb5_parse_address returns the resolved hostname in string to the
- * krb5_addresses addresses .
- *
- * @param context a Keberos context
- * @param string
- * @param addresses
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_parse_address (
- krb5_context /*context*/,
- const char */*string*/,
- krb5_addresses */*addresses*/);
-
-/**
- * Parse a name into a krb5_principal structure
- *
- * @param context Kerberos 5 context
- * @param name name to parse into a Kerberos principal
- * @param principal returned principal, free with krb5_free_principal().
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_parse_name (
- krb5_context /*context*/,
- const char */*name*/,
- krb5_principal */*principal*/);
-
-/**
- * Parse a name into a krb5_principal structure, flags controls the behavior.
- *
- * @param context Kerberos 5 context
- * @param name name to parse into a Kerberos principal
- * @param flags flags to control the behavior
- * @param principal returned principal, free with krb5_free_principal().
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_parse_name_flags (
- krb5_context /*context*/,
- const char */*name*/,
- int /*flags*/,
- krb5_principal */*principal*/);
-
-/**
- * Parse nametype string and return a nametype integer
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_parse_nametype (
- krb5_context /*context*/,
- const char */*str*/,
- int32_t */*nametype*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_passwd_result_to_string (
- krb5_context /*context*/,
- int /*result*/);
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
-krb5_password_key_proc (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- krb5_salt /*salt*/,
- krb5_const_pointer /*keyseed*/,
- krb5_keyblock **/*key*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pk_enterprise_cert (
- krb5_context /*context*/,
- const char */*user_id*/,
- krb5_const_realm /*realm*/,
- krb5_principal */*principal*/,
- struct hx509_certs_data **/*res*/);
-
-/**
- * Register a plugin symbol name of specific type.
- * @param context a Keberos context
- * @param type type of plugin symbol
- * @param name name of plugin symbol
- * @param symbol a pointer to the named symbol
- * @return In case of error a non zero error com_err error is returned
- * and the Kerberos error string is set.
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_plugin_register (
- krb5_context /*context*/,
- enum krb5_plugin_type /*type*/,
- const char */*name*/,
- void */*symbol*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_prepend_config_files (
- const char */*filelist*/,
- char **/*pq*/,
- char ***/*ret_pp*/);
-
-/**
- * Prepend the filename to the global configuration list.
- *
- * @param filelist a filename to add to the default list of filename
- * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_prepend_config_files_default (
- const char */*filelist*/,
- char ***/*pfilenames*/);
-
-/**
- * Prepend the context full error string for a specific error code.
- * The error that is stored should be internationalized.
- *
- * The if context is NULL, no error string is stored.
- *
- * @param context Kerberos 5 context
- * @param ret The error code
- * @param fmt Error string for the error code
- * @param ... printf(3) style parameters.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_prepend_error_message (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 3, 4)));
-
-/**
- * Deprecated: use krb5_principal_get_realm()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_realm * KRB5_LIB_CALL
-krb5_princ_realm (
- krb5_context /*context*/,
- krb5_principal /*principal*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_principal_set_realm()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_princ_set_realm (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- krb5_realm */*realm*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Compares the two principals, including realm of the principals and returns
- * TRUE if they are the same and FALSE if not.
- *
- * @param context Kerberos 5 context
- * @param princ1 first principal to compare
- * @param princ2 second principal to compare
- *
- * @ingroup krb5_principal
- * @see krb5_principal_compare_any_realm()
- * @see krb5_realm_compare()
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_compare (
- krb5_context /*context*/,
- krb5_const_principal /*princ1*/,
- krb5_const_principal /*princ2*/);
-
-/**
- * Return TRUE iff princ1 == princ2 (without considering the realm)
- *
- * @param context Kerberos 5 context
- * @param princ1 first principal to compare
- * @param princ2 second principal to compare
- *
- * @return non zero if equal, 0 if not
- *
- * @ingroup krb5_principal
- * @see krb5_principal_compare()
- * @see krb5_realm_compare()
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_compare_any_realm (
- krb5_context /*context*/,
- krb5_const_principal /*princ1*/,
- krb5_const_principal /*princ2*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_principal_get_comp_string (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- unsigned int /*component*/);
-
-/**
- * Get number of component is principal.
- *
- * @param context Kerberos 5 context
- * @param principal principal to query
- *
- * @return number of components in string
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION unsigned int KRB5_LIB_CALL
-krb5_principal_get_num_comp (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Get the realm of the principal
- *
- * @param context A Kerberos context.
- * @param principal principal to get the realm for
- *
- * @return realm of the principal, don't free or use after krb5_principal is freed
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_principal_get_realm (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Get the type of the principal
- *
- * @param context A Kerberos context.
- * @param principal principal to get the type for
- *
- * @return the type of principal
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_principal_get_type (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Returns true iff name is WELLKNOWN/ANONYMOUS
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_is_anonymous (
- krb5_context /*context*/,
- krb5_const_principal /*p*/,
- unsigned int /*flags*/);
-
-/**
- * Returns true iff name is an WELLKNOWN:ORG.H5L.HOSTBASED-SERVICE
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_gss_hostbased_service (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Check if the cname part of the principal is a krbtgt principal
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_is_krbtgt (
- krb5_context /*context*/,
- krb5_const_principal /*p*/);
-
-/**
- * Returns true if name is Kerberos an LKDC realm
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_lkdc (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Returns true if name is Kerberos NULL name
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_null (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Returns true if name is Kerberos an LKDC realm
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_pku2u (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Check if the cname part of the principal is a initial or renewed krbtgt principal
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_root_krbtgt (
- krb5_context /*context*/,
- krb5_const_principal /*p*/);
-
-/**
- * return TRUE iff princ matches pattern
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_match (
- krb5_context /*context*/,
- krb5_const_principal /*princ*/,
- krb5_const_principal /*pattern*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_principal_set_comp_string (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- unsigned int /*k*/,
- const char */*component*/);
-
-/**
- * Set a new realm for a principal, and as a side-effect free the
- * previous realm.
- *
- * @param context A Kerberos context.
- * @param principal principal set the realm for
- * @param realm the new realm to set
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_principal_set_realm (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- krb5_const_realm /*realm*/);
-
-/**
- * Set the type of the principal
- *
- * @param context A Kerberos context.
- * @param principal principal to set the type for
- * @param type the new type
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_principal_set_type (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- int /*type*/);
-
-/**
- * krb5_print_address prints the address in addr to the string string
- * that have the length len. If ret_len is not NULL, it will be filled
- * with the length of the string if size were unlimited (not including
- * the final NUL) .
- *
- * @param addr address to be printed
- * @param str pointer string to print the address into
- * @param len length that will fit into area pointed to by "str".
- * @param ret_len return length the str.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_print_address (
- const krb5_address */*addr*/,
- char */*str*/,
- size_t /*len*/,
- size_t */*ret_len*/);
-
-krb5_error_code
-krb5_process_last_request (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*options*/,
- krb5_init_creds_context /*ctx*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_program_setup (
- krb5_context */*context*/,
- int /*argc*/,
- char **/*argv*/,
- struct getargs */*args*/,
- int /*num_args*/,
- void (KRB5_LIB_CALL *usage)(int, struct getargs*, int));
-
-KRB5_LIB_FUNCTION int KRB5_CALLCONV
-krb5_prompter_posix (
- krb5_context /*context*/,
- void */*data*/,
- const char */*name*/,
- const char */*banner*/,
- int /*num_prompts*/,
- krb5_prompt prompts[]);
-
-/**
- * Converts the random bytestring to a protocol key according to
- * Kerberos crypto frame work. It may be assumed that all the bits of
- * the input string are equally random, even though the entropy
- * present in the random source may be limited.
- *
- * @param context Kerberos 5 context
- * @param type the enctype resulting key will be of
- * @param data input random data to convert to a key
- * @param size size of input random data, at least krb5_enctype_keysize() long
- * @param key key, output key, free with krb5_free_keyblock_contents()
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_random_to_key (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- const void */*data*/,
- size_t /*size*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_close (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_default (
- krb5_context /*context*/,
- krb5_rcache */*id*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_rc_default_name (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_rc_default_type (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_destroy (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_expunge (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_get_lifespan (
- krb5_context /*context*/,
- krb5_rcache /*id*/,
- krb5_deltat */*auth_lifespan*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_rc_get_name (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_rc_get_type (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_initialize (
- krb5_context /*context*/,
- krb5_rcache /*id*/,
- krb5_deltat /*auth_lifespan*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_recover (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_resolve (
- krb5_context /*context*/,
- krb5_rcache /*id*/,
- const char */*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_resolve_full (
- krb5_context /*context*/,
- krb5_rcache */*id*/,
- const char */*string_name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_resolve_type (
- krb5_context /*context*/,
- krb5_rcache */*id*/,
- const char */*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_store (
- krb5_context /*context*/,
- krb5_rcache /*id*/,
- krb5_donot_replay */*rep*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_cred (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_data */*in_data*/,
- krb5_creds ***/*ret_creds*/,
- krb5_replay_data */*outdata*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_cred2 (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_ccache /*ccache*/,
- krb5_data */*in_data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_error (
- krb5_context /*context*/,
- const krb5_data */*msg*/,
- KRB_ERROR */*result*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_priv (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_data */*outbuf*/,
- krb5_replay_data */*outdata*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_rep (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_ap_rep_enc_part **/*repl*/);
-
-/**
- * Process an AP_REQ message.
- *
- * @param context Kerberos 5 context.
- * @param auth_context authentication context of the peer.
- * @param inbuf the AP_REQ message, obtained for example with krb5_read_message().
- * @param server server principal.
- * @param keytab server keytab.
- * @param ap_req_options set to the AP_REQ options. See the AP_OPTS_* defines.
- * @param ticket on success, set to the authenticated client credentials.
- * Must be deallocated with krb5_free_ticket(). If not
- * interested, pass a NULL value.
- *
- * @return 0 to indicate success. Otherwise a Kerberos error code is
- * returned, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_const_principal /*server*/,
- krb5_keytab /*keytab*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/);
-
-/**
- * The core server function that verify application authentication
- * requests from clients.
- *
- * @param context Keberos 5 context.
- * @param auth_context the authentication context, can be NULL, then
- * default values for the authentication context will used.
- * @param inbuf the (AP-REQ) authentication buffer
- *
- * @param server the server to authenticate to. If NULL the function
- * will try to find any available credential in the keytab
- * that will verify the reply. The function will prefer the
- * server specified in the AP-REQ, but if
- * there is no mach, it will try all keytab entries for a
- * match. This has serious performance issues for large keytabs.
- *
- * @param inctx control the behavior of the function, if NULL, the
- * default behavior is used.
- * @param outctx the return outctx, free with krb5_rd_req_out_ctx_free().
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_ctx (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_const_principal /*server*/,
- krb5_rd_req_in_ctx /*inctx*/,
- krb5_rd_req_out_ctx */*outctx*/);
-
-/**
- * Allocate a krb5_rd_req_in_ctx as an input parameter to
- * krb5_rd_req_ctx(). The caller should free the context with
- * krb5_rd_req_in_ctx_free() when done with the context.
- *
- * @param context Keberos 5 context.
- * @param ctx in ctx to krb5_rd_req_ctx().
- *
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_in_ctx_alloc (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx */*ctx*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_rd_req_in_ctx_free (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx /*ctx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_in_set_keyblock (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx /*in*/,
- krb5_keyblock */*keyblock*/);
-
-/**
- * Set the keytab that krb5_rd_req_ctx() will use.
- *
- * @param context Keberos 5 context.
- * @param in in ctx to krb5_rd_req_ctx().
- * @param keytab keytab that krb5_rd_req_ctx() will use, only copy the
- * pointer, so the caller must free they keytab after
- * krb5_rd_req_in_ctx_free() is called.
- *
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_in_set_keytab (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx /*in*/,
- krb5_keytab /*keytab*/);
-
-/**
- * Set if krb5_rq_red() is going to check the Windows PAC or not
- *
- * @param context Keberos 5 context.
- * @param in krb5_rd_req_in_ctx to check the option on.
- * @param flag flag to select if to check the pac (TRUE) or not (FALSE).
- *
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_in_set_pac_check (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx /*in*/,
- krb5_boolean /*flag*/);
-
-/**
- * Free the krb5_rd_req_out_ctx.
- *
- * @param context Keberos 5 context.
- * @param ctx krb5_rd_req_out_ctx context to free.
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_rd_req_out_ctx_free (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*ctx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_out_get_ap_req_options (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*out*/,
- krb5_flags */*ap_req_options*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_out_get_keyblock (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*out*/,
- krb5_keyblock **/*keyblock*/);
-
-/**
- * Get the principal that was used in the request from the
- * client. Might not match whats in the ticket if krb5_rd_req_ctx()
- * searched in the keytab for a matching key.
- *
- * @param context a Kerberos 5 context.
- * @param out a krb5_rd_req_out_ctx from krb5_rd_req_ctx().
- * @param principal return principal, free with krb5_free_principal().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_out_get_server (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*out*/,
- krb5_principal */*principal*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_out_get_ticket (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*out*/,
- krb5_ticket **/*ticket*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_with_keyblock (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_const_principal /*server*/,
- krb5_keyblock */*keyblock*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_safe (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_data */*outbuf*/,
- krb5_replay_data */*outdata*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_read_message (
- krb5_context /*context*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_read_priv_message (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_read_safe_message (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-/**
- * return TRUE iff realm(princ1) == realm(princ2)
- *
- * @param context Kerberos 5 context
- * @param princ1 first principal to compare
- * @param princ2 second principal to compare
- *
- * @ingroup krb5_principal
- * @see krb5_principal_compare_any_realm()
- * @see krb5_principal_compare()
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_realm_compare (
- krb5_context /*context*/,
- krb5_const_principal /*princ1*/,
- krb5_const_principal /*princ2*/);
-
-/**
- * Returns true if name is Kerberos an LKDC realm
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_realm_is_lkdc (const char */*realm*/);
-
-/**
- * Perform the server side of the sendauth protocol.
- *
- * @param context Kerberos 5 context.
- * @param auth_context authentication context of the peer.
- * @param p_fd socket associated to the connection.
- * @param appl_version server-specific string.
- * @param server server principal.
- * @param flags if KRB5_RECVAUTH_IGNORE_VERSION is set, skip the sendauth version
- * part of the protocol.
- * @param keytab server keytab.
- * @param ticket on success, set to the authenticated client credentials.
- * Must be deallocated with krb5_free_ticket(). If not
- * interested, pass a NULL value.
- *
- * @return 0 to indicate success. Otherwise a Kerberos error code is
- * returned, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_recvauth (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_pointer /*p_fd*/,
- const char */*appl_version*/,
- krb5_principal /*server*/,
- int32_t /*flags*/,
- krb5_keytab /*keytab*/,
- krb5_ticket **/*ticket*/);
-
-/**
- * Perform the server side of the sendauth protocol like krb5_recvauth(), but support
- * a user-specified callback, \a match_appl_version, to perform the match of the application
- * version \a match_data.
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_recvauth_match_version (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_pointer /*p_fd*/,
- krb5_boolean (*/*match_appl_version*/)(const void *, const char*),
- const void */*match_data*/,
- krb5_principal /*server*/,
- int32_t /*flags*/,
- krb5_keytab /*keytab*/,
- krb5_ticket **/*ticket*/);
-
-/**
- * Read a address block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param adr the address block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_address (
- krb5_storage */*sp*/,
- krb5_address */*adr*/);
-
-/**
- * Read a addresses block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param adr the addresses block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_addrs (
- krb5_storage */*sp*/,
- krb5_addresses */*adr*/);
-
-/**
- * Read a auth data from the storage.
- *
- * @param sp the storage buffer to write to
- * @param auth the auth data block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_authdata (
- krb5_storage */*sp*/,
- krb5_authdata */*auth*/);
-
-/**
- * Read a credentials block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param creds the credentials block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_creds (
- krb5_storage */*sp*/,
- krb5_creds */*creds*/);
-
-/**
- * Read a tagged credentials block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param creds the credentials block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_creds_tag (
- krb5_storage */*sp*/,
- krb5_creds */*creds*/);
-
-/**
- * Parse a data from the storage.
- *
- * @param sp the storage buffer to read from
- * @param data the parsed data
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_data (
- krb5_storage */*sp*/,
- krb5_data */*data*/);
-
-/**
- * Read a int16 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_int16 (
- krb5_storage */*sp*/,
- int16_t */*value*/);
-
-/**
- * Read a int32 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_int32 (
- krb5_storage */*sp*/,
- int32_t */*value*/);
-
-/**
- * Read a int64 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_int64 (
- krb5_storage */*sp*/,
- int64_t */*value*/);
-
-/**
- * Read a int8 from storage
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_int8 (
- krb5_storage */*sp*/,
- int8_t */*value*/);
-
-/**
- * Read a keyblock from the storage.
- *
- * @param sp the storage buffer to write to
- * @param p the keyblock read from storage, free using krb5_free_keyblock()
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_keyblock (
- krb5_storage */*sp*/,
- krb5_keyblock */*p*/);
-
-/**
- * Parse principal from the storage.
- *
- * @param sp the storage buffer to read from
- * @param princ the parsed principal
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_principal (
- krb5_storage */*sp*/,
- krb5_principal */*princ*/);
-
-/**
- * Parse a string from the storage.
- *
- * @param sp the storage buffer to read from
- * @param string the parsed string
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_string (
- krb5_storage */*sp*/,
- char **/*string*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_stringnl (
- krb5_storage */*sp*/,
- char **/*string*/);
-
-/**
- * Parse zero terminated string from the storage.
- *
- * @param sp the storage buffer to read from
- * @param string the parsed string
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_stringz (
- krb5_storage */*sp*/,
- char **/*string*/);
-
-/**
- * Read a times block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param times the times block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_times (
- krb5_storage */*sp*/,
- krb5_times */*times*/);
-
-/**
- * Read a int16 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint16 (
- krb5_storage */*sp*/,
- uint16_t */*value*/);
-
-/**
- * Read a uint32 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint32 (
- krb5_storage */*sp*/,
- uint32_t */*value*/);
-
-/**
- * Read a uint64 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint64 (
- krb5_storage */*sp*/,
- uint64_t */*value*/);
-
-/**
- * Read a uint8 from storage
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint8 (
- krb5_storage */*sp*/,
- uint8_t */*value*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_salttype_to_string (
- krb5_context /*context*/,
- krb5_enctype /*etype*/,
- krb5_salttype /*stype*/,
- char **/*string*/);
-
-/**
- * Perform the client side of the sendauth protocol.
- *
- * @param context Kerberos 5 context.
- * @param auth_context Authentication context of the peer.
- * @param p_fd Socket associated to the connection.
- * @param appl_version Server-specific string.
- * @param client Client principal. If NULL, use the credentials in \a ccache.
- * @param server Server principal.
- * @param ap_req_options Options for the AP_REQ message. See the AP_OPTS_* defines in krb5.h.
- * @param in_data FIXME
- * @param in_creds FIXME
- * @param ccache Credentials cache. If NULL, use the default credentials cache.
- * @param ret_error If not NULL, will be set to the error reported by server, if any.
- * Must be deallocated with krb5_free_error_contents().
- * @param rep_result If not NULL, will be set to the EncApRepPart of the AP_REP message.
- * Must be deallocated with krb5_free_ap_rep_enc_part().
- * @param out_creds FIXME If not NULL, will be set to FIXME. Must be deallocated with
- * krb5_free_creds().
- *
- * @return 0 to indicate success. Otherwise a Kerberos error code is
- * returned, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendauth (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_pointer /*p_fd*/,
- const char */*appl_version*/,
- krb5_principal /*client*/,
- krb5_principal /*server*/,
- krb5_flags /*ap_req_options*/,
- krb5_data */*in_data*/,
- krb5_creds */*in_creds*/,
- krb5_ccache /*ccache*/,
- krb5_error **/*ret_error*/,
- krb5_ap_rep_enc_part **/*rep_result*/,
- krb5_creds **/*out_creds*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto (
- krb5_context /*context*/,
- const krb5_data */*send_data*/,
- krb5_krbhst_handle /*handle*/,
- krb5_data */*receive*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_context (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/,
- const krb5_data */*send_data*/,
- krb5_const_realm /*realm*/,
- krb5_data */*receive*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_sendto_ctx_add_flags (
- krb5_sendto_ctx /*ctx*/,
- int /*flags*/);
-
-/**
- * @section send_to_kdc Locating and sending packets to the KDC
- *
- * The send to kdc code is responsible to request the list of KDC from
- * the locate-kdc subsystem and then send requests to each of them.
- *
- * - Each second a new hostname is tried.
- * - If the hostname have several addresses, the first will be tried
- * directly then in turn the other will be tried every 3 seconds
- * (host_timeout).
- * - UDP requests are tried 3 times, and it tried with a individual timeout of kdc_timeout / 3.
- * - TCP and HTTP requests are tried 1 time.
- *
- * Total wait time shorter then (number of addresses * 3) + kdc_timeout seconds.
- *
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_ctx_alloc (
- krb5_context /*context*/,
- krb5_sendto_ctx */*ctx*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_sendto_ctx_free (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_sendto_ctx_get_flags (krb5_sendto_ctx /*ctx*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_sendto_ctx_set_func (
- krb5_sendto_ctx /*ctx*/,
- krb5_sendto_ctx_func /*func*/,
- void */*data*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_sendto_ctx_set_type (
- krb5_sendto_ctx /*ctx*/,
- int /*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_kdc (
- krb5_context /*context*/,
- const krb5_data */*send_data*/,
- const krb5_realm */*realm*/,
- krb5_data */*receive*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_kdc_flags (
- krb5_context /*context*/,
- const krb5_data */*send_data*/,
- const krb5_realm */*realm*/,
- krb5_data */*receive*/,
- int /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_set_hostname (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/,
- const char */*hostname*/);
-
-/**
- * Reinit the context from a new set of filenames.
- *
- * @param context context to add configuration too.
- * @param filenames array of filenames, end of list is indicated with a NULL filename.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_config_files (
- krb5_context /*context*/,
- char **/*filenames*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_debug_dest (
- krb5_context /*context*/,
- const char */*program*/,
- const char */*log_spec*/);
-
-/**
- * Set the default encryption types that will be use in communcation
- * with the KDC, clients and servers.
- *
- * @param context Kerberos 5 context.
- * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
- * A value of NULL resets the encryption types to the defaults set in the
- * configuration file.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_default_in_tkt_etypes (
- krb5_context /*context*/,
- const krb5_enctype */*etypes*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_default_realm (
- krb5_context /*context*/,
- const char */*realm*/);
-
-/**
- * Set if the library should use DNS to canonicalize hostnames.
- *
- * @param context Kerberos 5 context.
- * @param flag if its dns canonicalizion is used or not.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_set_dns_canonicalize_hostname (
- krb5_context /*context*/,
- krb5_boolean /*flag*/);
-
-/**
- * Set the context full error string for a specific error code.
- * The error that is stored should be internationalized.
- *
- * The if context is NULL, no error string is stored.
- *
- * @param context Kerberos 5 context
- * @param ret The error code
- * @param fmt Error string for the error code
- * @param ... printf(3) style parameters.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_set_error_message (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 3, 4)));
-
-/**
- * Set the error message returned by krb5_get_error_string().
- *
- * Deprecated: use krb5_get_error_message()
- *
- * @param context Kerberos context
- * @param fmt error message to free
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_error_string (
- krb5_context /*context*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 2, 3))) KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Set extra address to the address list that the library will add to
- * the client's address list when communicating with the KDC.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to set
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_extra_addresses (
- krb5_context /*context*/,
- const krb5_addresses */*addresses*/);
-
-/**
- * Set version of fcache that the library should use.
- *
- * @param context Kerberos 5 context.
- * @param version version number.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_fcache_version (
- krb5_context /*context*/,
- int /*version*/);
-
-/**
- * Enable and disable home directory access on either the global state
- * or the krb5_context state. By calling krb5_set_home_dir_access()
- * with context set to NULL, the global state is configured otherwise
- * the state for the krb5_context is modified.
- *
- * For home directory access to be allowed, both the global state and
- * the krb5_context state have to be allowed.
- *
- * @param context a Kerberos 5 context or NULL
- * @param allow allow if TRUE home directory
- * @return the old value
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_set_home_dir_access (
- krb5_context /*context*/,
- krb5_boolean /*allow*/);
-
-/**
- * Set extra addresses to ignore when fetching addresses from the
- * underlaying operating system.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to ignore
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_ignore_addresses (
- krb5_context /*context*/,
- const krb5_addresses */*addresses*/);
-
-/**
- * Set current offset in time to the KDC.
- *
- * @param context Kerberos 5 context.
- * @param sec seconds part of offset.
- * @param usec micro seconds part of offset.
- *
- * @return returns zero
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_kdc_sec_offset (
- krb5_context /*context*/,
- int32_t /*sec*/,
- int32_t /*usec*/);
-
-/**
- * Set max time skew allowed.
- *
- * @param context Kerberos 5 context.
- * @param t timeskew in seconds.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_set_max_time_skew (
- krb5_context /*context*/,
- time_t /*t*/);
-
-/**
- * Change password using creds.
- *
- * @param context a Keberos context
- * @param creds The initial kadmin/passwd for the principal or an admin principal
- * @param newpw The new password to set
- * @param targprinc if unset, the default principal is used.
- * @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
- * @param result_code_string binary message from the server, contains
- * at least the result_code.
- * @param result_string A message from the kpasswd service or the
- * library in human printable form. The string is NUL terminated.
- *
- * @return On sucess and *result_code is KRB5_KPASSWD_SUCCESS, the password is changed.
-
- * @ingroup @krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_password (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- const char */*newpw*/,
- krb5_principal /*targprinc*/,
- int */*result_code*/,
- krb5_data */*result_code_string*/,
- krb5_data */*result_string*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_password_using_ccache (
- krb5_context /*context*/,
- krb5_ccache /*ccache*/,
- const char */*newpw*/,
- krb5_principal /*targprinc*/,
- int */*result_code*/,
- krb5_data */*result_code_string*/,
- krb5_data */*result_string*/);
-
-/**
- * Set the absolute time that the caller knows the kdc has so the
- * kerberos library can calculate the relative diffrence beteen the
- * KDC time and local system time.
- *
- * @param context Keberos 5 context.
- * @param sec The applications new of "now" in seconds
- * @param usec The applications new of "now" in micro seconds
-
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_real_time (
- krb5_context /*context*/,
- krb5_timestamp /*sec*/,
- int32_t /*usec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_send_to_kdc_func (
- krb5_context /*context*/,
- krb5_send_to_kdc_func /*func*/,
- void */*data*/);
-
-/**
- * Make the kerberos library default to the admin KDC.
- *
- * @param context Kerberos 5 context.
- * @param flag boolean flag to select if the use the admin KDC or not.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_set_use_admin_kdc (
- krb5_context /*context*/,
- krb5_boolean /*flag*/);
-
-/**
- * Set the default logging facility.
- *
- * @param context A Kerberos 5 context
- * @param fac Facility to use for logging.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_warn_dest (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/);
-
-/**
- * Create a principal for the given service running on the given
- * hostname. If KRB5_NT_SRV_HST is used, the hostname is canonicalized
- * according the configured name canonicalization rules, with
- * canonicalization delayed in some cases. One rule involves DNS, which
- * is insecure unless DNSSEC is used, but we don't use DNSSEC-capable
- * resolver APIs here, so that if DNSSEC is used we wouldn't know it.
- *
- * Canonicalization is immediate (not delayed) only when there is only
- * one canonicalization rule and that rule indicates that we should do a
- * host lookup by name (i.e., DNS).
- *
- * @param context A Kerberos context.
- * @param hostname hostname to use
- * @param sname Service name to use
- * @param type name type of principal, use KRB5_NT_SRV_HST or KRB5_NT_UNKNOWN.
- * @param ret_princ return principal, free with krb5_free_principal().
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sname_to_principal (
- krb5_context /*context*/,
- const char */*hostname*/,
- const char */*sname*/,
- int32_t /*type*/,
- krb5_principal */*ret_princ*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sock_to_principal (
- krb5_context /*context*/,
- int /*sock*/,
- const char */*sname*/,
- int32_t /*type*/,
- krb5_principal */*ret_princ*/);
-
-/**
- * krb5_sockaddr2address stores a address a "struct sockaddr" sa in
- * the krb5_address addr.
- *
- * @param context a Keberos context
- * @param sa a struct sockaddr to extract the address from
- * @param addr an Kerberos 5 address to store the address in.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sockaddr2address (
- krb5_context /*context*/,
- const struct sockaddr */*sa*/,
- krb5_address */*addr*/);
-
-/**
- * krb5_sockaddr2port extracts a port (if possible) from a "struct
- * sockaddr.
- *
- * @param context a Keberos context
- * @param sa a struct sockaddr to extract the port from
- * @param port a pointer to an int16_t store the port in.
- *
- * @return Return an error code or 0. Will return
- * KRB5_PROG_ATYPE_NOSUPP in case address type is not supported.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sockaddr2port (
- krb5_context /*context*/,
- const struct sockaddr */*sa*/,
- int16_t */*port*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_sockaddr_is_loopback (const struct sockaddr */*sa*/);
-
-/**
- * krb5_sockaddr_uninteresting returns TRUE for all .Fa sa that the
- * kerberos library thinks are uninteresting. One example are link
- * local addresses.
- *
- * @param sa pointer to struct sockaddr that might be interesting.
- *
- * @return Return a non zero for uninteresting addresses.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_sockaddr_uninteresting (const struct sockaddr */*sa*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_std_usage (
- int /*code*/,
- struct getargs */*args*/,
- int /*num_args*/);
-
-/**
- * Clear the flags on a storage buffer
- *
- * @param sp the storage buffer to clear the flags on
- * @param flags the flags to clear
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_clear_flags (
- krb5_storage */*sp*/,
- krb5_flags /*flags*/);
-
-/**
- * Create a elastic (allocating) memory storage backend. Memory is
- * allocated on demand. Free returned krb5_storage with
- * krb5_storage_free().
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_fd()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_socket()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_emem (void);
-
-/**
- * Free a krb5 storage.
- *
- * @param sp the storage to free.
- *
- * @return An Kerberos 5 error code.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_storage_free (krb5_storage */*sp*/);
-
-/**
- * Create a fixed size memory storage block
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_mem()
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_fd()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_data (krb5_data */*data*/);
-
-/**
- *
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_emem()
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_socket()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_fd (int /*fd_in*/);
-
-/**
- * Create a fixed size memory storage block
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_fd()
- * @sa krb5_storage_from_socket()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_mem (
- void */*buf*/,
- size_t /*len*/);
-
-/**
- * Create a fixed size memory storage block that is read only
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_mem()
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_fd()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_readonly_mem (
- const void */*buf*/,
- size_t /*len*/);
-
-/**
- *
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_emem()
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_fd()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_socket (krb5_socket_t /*sock_in*/);
-
-/**
- * Sync the storage buffer to its backing store. If there is no
- * backing store this function will return success.
- *
- * @param sp the storage buffer to sync
- *
- * @return A Kerberos 5 error code
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_storage_fsync (krb5_storage */*sp*/);
-
-/**
- * Return the current byteorder for the buffer. See krb5_storage_set_byteorder() for the list or byte order contants.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_flags KRB5_LIB_CALL
-krb5_storage_get_byteorder (krb5_storage */*sp*/);
-
-/**
- * Get the return code that will be used when end of storage is reached.
- *
- * @param sp the storage
- *
- * @return storage error code
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_storage_get_eof_code (krb5_storage */*sp*/);
-
-/**
- * Return true or false depending on if the storage flags is set or
- * not. NB testing for the flag 0 always return true.
- *
- * @param sp the storage buffer to check flags on
- * @param flags The flags to test for
- *
- * @return true if all the flags are set, false if not.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_storage_is_flags (
- krb5_storage */*sp*/,
- krb5_flags /*flags*/);
-
-/**
- * Read to the storage buffer.
- *
- * @param sp the storage buffer to read from
- * @param buf the buffer to store the data in
- * @param len the length to read
- *
- * @return The length of data read (can be shorter then len), or negative on error.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_storage_read (
- krb5_storage */*sp*/,
- void */*buf*/,
- size_t /*len*/);
-
-/**
- * Seek to a new offset.
- *
- * @param sp the storage buffer to seek in.
- * @param offset the offset to seek
- * @param whence relateive searching, SEEK_CUR from the current
- * position, SEEK_END from the end, SEEK_SET absolute from the start.
- *
- * @return The new current offset
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION off_t KRB5_LIB_CALL
-krb5_storage_seek (
- krb5_storage */*sp*/,
- off_t /*offset*/,
- int /*whence*/);
-
-/**
- * Set the new byte order of the storage buffer.
- *
- * @param sp the storage buffer to set the byte order for.
- * @param byteorder the new byte order.
- *
- * The byte order are: KRB5_STORAGE_BYTEORDER_BE,
- * KRB5_STORAGE_BYTEORDER_LE and KRB5_STORAGE_BYTEORDER_HOST.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_set_byteorder (
- krb5_storage */*sp*/,
- krb5_flags /*byteorder*/);
-
-/**
- * Set the return code that will be used when end of storage is reached.
- *
- * @param sp the storage
- * @param code the error code to return on end of storage
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_set_eof_code (
- krb5_storage */*sp*/,
- int /*code*/);
-
-/**
- * Add the flags on a storage buffer by or-ing in the flags to the buffer.
- *
- * @param sp the storage buffer to set the flags on
- * @param flags the flags to set
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_set_flags (
- krb5_storage */*sp*/,
- krb5_flags /*flags*/);
-
-/**
- * Set the max alloc value
- *
- * @param sp the storage buffer set the max allow for
- * @param size maximum size to allocate, use 0 to remove limit
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_set_max_alloc (
- krb5_storage */*sp*/,
- size_t /*size*/);
-
-/**
- * Copy the contnent of storage
- *
- * @param sp the storage to copy to a data
- * @param data the copied data, free with krb5_data_free()
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_storage_to_data (
- krb5_storage */*sp*/,
- krb5_data */*data*/);
-
-/**
- * Truncate the storage buffer in sp to offset.
- *
- * @param sp the storage buffer to truncate.
- * @param offset the offset to truncate too.
- *
- * @return An Kerberos 5 error code.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_storage_truncate (
- krb5_storage */*sp*/,
- off_t /*offset*/);
-
-/**
- * Write to the storage buffer.
- *
- * @param sp the storage buffer to write to
- * @param buf the buffer to write to the storage buffer
- * @param len the length to write
- *
- * @return The length of data written (can be shorter then len), or negative on error.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_storage_write (
- krb5_storage */*sp*/,
- const void */*buf*/,
- size_t /*len*/);
-
-/**
- * Write a address block to storage.
- *
- * @param sp the storage buffer to write to
- * @param p the address block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_address (
- krb5_storage */*sp*/,
- krb5_address /*p*/);
-
-/**
- * Write a addresses block to storage.
- *
- * @param sp the storage buffer to write to
- * @param p the addresses block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_addrs (
- krb5_storage */*sp*/,
- krb5_addresses /*p*/);
-
-/**
- * Write a auth data block to storage.
- *
- * @param sp the storage buffer to write to
- * @param auth the auth data block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_authdata (
- krb5_storage */*sp*/,
- krb5_authdata /*auth*/);
-
-/**
- * Write a credentials block to storage.
- *
- * @param sp the storage buffer to write to
- * @param creds the creds block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_creds (
- krb5_storage */*sp*/,
- krb5_creds */*creds*/);
-
-/**
- * Write a tagged credentials block to storage.
- *
- * @param sp the storage buffer to write to
- * @param creds the creds block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_creds_tag (
- krb5_storage */*sp*/,
- krb5_creds */*creds*/);
-
-/**
- * Store a data to the storage. The data is stored with an int32 as
- * lenght plus the data (not padded).
- *
- * @param sp the storage buffer to write to
- * @param data the buffer to store.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_data (
- krb5_storage */*sp*/,
- krb5_data /*data*/);
-
-/**
- * Store a int16 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_int16 (
- krb5_storage */*sp*/,
- int16_t /*value*/);
-
-/**
- * Store a int32 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_int32 (
- krb5_storage */*sp*/,
- int32_t /*value*/);
-
-/**
- * Store a int64 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_int64 (
- krb5_storage */*sp*/,
- int64_t /*value*/);
-
-/**
- * Store a int8 to storage.
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_int8 (
- krb5_storage */*sp*/,
- int8_t /*value*/);
-
-/**
- * Store a keyblock to the storage.
- *
- * @param sp the storage buffer to write to
- * @param p the keyblock to write
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_keyblock (
- krb5_storage */*sp*/,
- krb5_keyblock /*p*/);
-
-/**
- * Write a principal block to storage.
- *
- * @param sp the storage buffer to write to
- * @param p the principal block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_principal (
- krb5_storage */*sp*/,
- krb5_const_principal /*p*/);
-
-/**
- * Store a string to the buffer. The data is formated as an len:uint32
- * plus the string itself (not padded).
- *
- * @param sp the storage buffer to write to
- * @param s the string to store.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_string (
- krb5_storage */*sp*/,
- const char */*s*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_stringnl (
- krb5_storage */*sp*/,
- const char */*s*/);
-
-/**
- * Store a zero terminated string to the buffer. The data is stored
- * one character at a time until a NUL is stored.
- *
- * @param sp the storage buffer to write to
- * @param s the string to store.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_stringz (
- krb5_storage */*sp*/,
- const char */*s*/);
-
-/**
- * Write a times block to storage.
- *
- * @param sp the storage buffer to write to
- * @param times the times block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_times (
- krb5_storage */*sp*/,
- krb5_times /*times*/);
-
-/**
- * Store a uint16 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_uint16 (
- krb5_storage */*sp*/,
- uint16_t /*value*/);
-
-/**
- * Store a uint32 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_uint32 (
- krb5_storage */*sp*/,
- uint32_t /*value*/);
-
-/**
- * Store a uint64 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_uint64 (
- krb5_storage */*sp*/,
- uint64_t /*value*/);
-
-/**
- * Store a uint8 to storage.
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_uint8 (
- krb5_storage */*sp*/,
- uint8_t /*value*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_deltat (
- const char */*string*/,
- krb5_deltat */*deltat*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_enctype (
- krb5_context /*context*/,
- const char */*string*/,
- krb5_enctype */*etype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- const char */*password*/,
- krb5_principal /*principal*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_data (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_data /*password*/,
- krb5_principal /*principal*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_data_salt (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_data /*password*/,
- krb5_salt /*salt*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_data_salt_opaque (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_data /*password*/,
- krb5_salt /*salt*/,
- krb5_data /*opaque*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_derived (
- krb5_context /*context*/,
- const void */*str*/,
- size_t /*len*/,
- krb5_enctype /*etype*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_salt (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- const char */*password*/,
- krb5_salt /*salt*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_salt_opaque (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- const char */*password*/,
- krb5_salt /*salt*/,
- krb5_data /*opaque*/,
- krb5_keyblock */*key*/);
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes in
- * most cases, use krb5_string_to_enctype().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_keytype (
- krb5_context /*context*/,
- const char */*string*/,
- krb5_keytype */*keytype*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_salttype (
- krb5_context /*context*/,
- krb5_enctype /*etype*/,
- const char */*string*/,
- krb5_salttype */*salttype*/);
-
-/**
- * Extract the authorization data type of type from the ticket. Store
- * the field in data. This function is to use for kerberos
- * applications.
- *
- * @param context a Kerberos 5 context
- * @param ticket Kerberos ticket
- * @param type type to fetch
- * @param data returned data, free with krb5_data_free()
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ticket_get_authorization_data_type (
- krb5_context /*context*/,
- krb5_ticket */*ticket*/,
- int /*type*/,
- krb5_data */*data*/);
-
-/**
- * Return client principal in ticket
- *
- * @param context a Kerberos 5 context
- * @param ticket ticket to copy
- * @param client client principal, free with krb5_free_principal()
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ticket_get_client (
- krb5_context /*context*/,
- const krb5_ticket */*ticket*/,
- krb5_principal */*client*/);
-
-/**
- * Return end time of ticket
- *
- * @param context a Kerberos 5 context
- * @param ticket ticket to copy
- *
- * @return end time of ticket
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
-krb5_ticket_get_endtime (
- krb5_context /*context*/,
- const krb5_ticket */*ticket*/);
-
-/**
- * Get the flags from the Kerberos ticket
- *
- * @param context Kerberos context
- * @param ticket Kerberos ticket
- *
- * @return ticket flags
- *
- * @ingroup krb5_ticket
- */
-
-KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
-krb5_ticket_get_flags (
- krb5_context /*context*/,
- const krb5_ticket */*ticket*/);
-
-/**
- * Return server principal in ticket
- *
- * @param context a Kerberos 5 context
- * @param ticket ticket to copy
- * @param server server principal, free with krb5_free_principal()
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ticket_get_server (
- krb5_context /*context*/,
- const krb5_ticket */*ticket*/,
- krb5_principal */*server*/);
-
-/**
- * If the caller passes in a negative usec, its assumed to be
- * unknown and the function will use the current time usec.
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_timeofday (
- krb5_context /*context*/,
- krb5_timestamp */*timeret*/);
-
-/**
- * Unparse the Kerberos name into a string
- *
- * @param context Kerberos 5 context
- * @param principal principal to query
- * @param name resulting string, free with krb5_xfree()
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- char **/*name*/);
-
-/**
- * Unparse the principal name to a fixed buffer
- *
- * @param context A Kerberos context.
- * @param principal principal to unparse
- * @param name buffer to write name to
- * @param len length of buffer
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_fixed (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- char */*name*/,
- size_t /*len*/);
-
-/**
- * Unparse the principal name with unparse flags to a fixed buffer.
- *
- * @param context A Kerberos context.
- * @param principal principal to unparse
- * @param flags unparse flags
- * @param name buffer to write name to
- * @param len length of buffer
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_fixed_flags (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- int /*flags*/,
- char */*name*/,
- size_t /*len*/);
-
-/**
- * Unparse the principal name to a fixed buffer. The realm is skipped
- * if its a default realm.
- *
- * @param context A Kerberos context.
- * @param principal principal to unparse
- * @param name buffer to write name to
- * @param len length of buffer
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_fixed_short (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- char */*name*/,
- size_t /*len*/);
-
-/**
- * Unparse the Kerberos name into a string
- *
- * @param context Kerberos 5 context
- * @param principal principal to query
- * @param flags flag to determine the behavior
- * @param name resulting string, free with krb5_xfree()
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_flags (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- int /*flags*/,
- char **/*name*/);
-
-/**
- * Unparse the principal name to a allocated buffer. The realm is
- * skipped if its a default realm.
- *
- * @param context A Kerberos context.
- * @param principal principal to unparse
- * @param name returned buffer, free with krb5_xfree()
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_short (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- char **/*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_us_timeofday (
- krb5_context /*context*/,
- krb5_timestamp */*sec*/,
- int32_t */*usec*/);
-
-/**
- * Log a warning to the log, default stderr, include bthe error from
- * the last failure and then abort.
- *
- * @param context A Kerberos 5 context
- * @param code error code of the last error
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vabort (
- krb5_context /*context*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__noreturn__, __format__ (__printf__, 3, 0)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vabortx (
- krb5_context /*context*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__noreturn__, __format__ (__printf__, 2, 0)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_ap_req (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_ap_req */*ap_req*/,
- krb5_const_principal /*server*/,
- krb5_keyblock */*keyblock*/,
- krb5_flags /*flags*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_ap_req2 (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_ap_req */*ap_req*/,
- krb5_const_principal /*server*/,
- krb5_keyblock */*keyblock*/,
- krb5_flags /*flags*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/,
- krb5_key_usage /*usage*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_authenticator_checksum (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- void */*data*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_checksum (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_key_usage /*usage*/,
- void */*data*/,
- size_t /*len*/,
- Checksum */*cksum*/);
-
-/**
- * Verify a Kerberos message checksum.
- *
- * @param context Kerberos context
- * @param crypto Kerberos crypto context
- * @param usage Key usage for this buffer
- * @param data array of buffers to process
- * @param num_data length of array
- * @param type return checksum type if not NULL
- *
- * @return Return an error code or 0.
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_checksum_iov (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- krb5_crypto_iov */*data*/,
- unsigned int /*num_data*/,
- krb5_cksumtype */*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_init_creds (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*ap_req_server*/,
- krb5_keytab /*ap_req_keytab*/,
- krb5_ccache */*ccache*/,
- krb5_verify_init_creds_opt */*options*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt */*options*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_init_creds_opt_set_ap_req_nofail (
- krb5_verify_init_creds_opt */*options*/,
- int /*ap_req_nofail*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_verify_opt_alloc (
- krb5_context /*context*/,
- krb5_verify_opt **/*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_free (krb5_verify_opt */*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_init (krb5_verify_opt */*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_ccache (
- krb5_verify_opt */*opt*/,
- krb5_ccache /*ccache*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_flags (
- krb5_verify_opt */*opt*/,
- unsigned int /*flags*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_keytab (
- krb5_verify_opt */*opt*/,
- krb5_keytab /*keytab*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_secure (
- krb5_verify_opt */*opt*/,
- krb5_boolean /*secure*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_service (
- krb5_verify_opt */*opt*/,
- const char */*service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_user (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- krb5_ccache /*ccache*/,
- const char */*password*/,
- krb5_boolean /*secure*/,
- const char */*service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_user_lrealm (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- krb5_ccache /*ccache*/,
- const char */*password*/,
- krb5_boolean /*secure*/,
- const char */*service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_user_opt (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- const char */*password*/,
- krb5_verify_opt */*opt*/);
-
-/**
- * Log a warning to the log, default stderr, include bthe error from
- * the last failure and then exit.
- *
- * @param context A Kerberos 5 context
- * @param eval the exit code to exit with
- * @param code error code of the last error
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verr (
- krb5_context /*context*/,
- int /*eval*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__noreturn__, __format__ (__printf__, 4, 0)));
-
-/**
- * Log a warning to the log, default stderr, and then exit.
- *
- * @param context A Kerberos 5 context
- * @param eval the exit code to exit with
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verrx (
- krb5_context /*context*/,
- int /*eval*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__noreturn__, __format__ (__printf__, 3, 0)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vlog (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- int /*level*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__format__ (__printf__, 4, 0)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vlog_msg (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- char **/*reply*/,
- int /*level*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__format__ (__printf__, 5, 0)));
-
-/**
- * Prepend the contexts's full error string for a specific error code.
- *
- * The if context is NULL, no error string is stored.
- *
- * @param context Kerberos 5 context
- * @param ret The error code
- * @param fmt Error string for the error code
- * @param args printf(3) style parameters.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_vprepend_error_message (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- const char */*fmt*/,
- va_list /*args*/)
- __attribute__ ((__format__ (__printf__, 3, 0)));
-
-/**
- * Set the context full error string for a specific error code.
- *
- * The if context is NULL, no error string is stored.
- *
- * @param context Kerberos 5 context
- * @param ret The error code
- * @param fmt Error string for the error code
- * @param args printf(3) style parameters.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_vset_error_message (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- const char */*fmt*/,
- va_list /*args*/)
- __attribute__ ((__format__ (__printf__, 3, 0)));
-
-/**
- * Set the error message returned by krb5_get_error_string(),
- * deprecated, use krb5_set_error_message().
- *
- * Deprecated: use krb5_vset_error_message()
- *
- * @param context Kerberos context
- * @param fmt error message to free
- * @param args variable argument list vector
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vset_error_string (
- krb5_context /*context*/,
- const char */*fmt*/,
- va_list /*args*/)
- __attribute__ ((__format__ (__printf__, 2, 0))) KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Log a warning to the log, default stderr, include the error from
- * the last failure.
- *
- * @param context A Kerberos 5 context.
- * @param code error code of the last error
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vwarn (
- krb5_context /*context*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__format__ (__printf__, 3, 0)));
-
-/**
- * Log a warning to the log, default stderr.
- *
- * @param context A Kerberos 5 context.
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vwarnx (
- krb5_context /*context*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__format__ (__printf__, 2, 0)));
-
-/**
- * Log a warning to the log, default stderr, include the error from
- * the last failure.
- *
- * @param context A Kerberos 5 context.
- * @param code error code of the last error
- * @param fmt message to print
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_warn (
- krb5_context /*context*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 3, 4)));
-
-/**
- * Log a warning to the log, default stderr.
- *
- * @param context A Kerberos 5 context.
- * @param fmt message to print
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_warnx (
- krb5_context /*context*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 2, 3)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_write_message (
- krb5_context /*context*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_write_priv_message (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_write_safe_message (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_xfree (void */*ptr*/);
-
-#ifdef __cplusplus
-}
-#endif
-
-#undef KRB5_DEPRECATED_FUNCTION
-
-#endif /* DOXY */
-#endif /* __krb5_protos_h__ */
diff --git a/lib/krb5/krb5-v4compat.h b/lib/krb5/krb5-v4compat.h
deleted file mode 100644
index 324c8c1d3c89..000000000000
--- a/lib/krb5/krb5-v4compat.h
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id$ */
-
-#ifndef __KRB5_V4COMPAT_H__
-#define __KRB5_V4COMPAT_H__
-
-#include "krb_err.h"
-
-/*
- * This file must only be included with v4 compat glue stuff in
- * heimdal sources.
- *
- * It MUST NOT be installed.
- */
-
-#define KRB_PROT_VERSION 4
-
-#define AUTH_MSG_KDC_REQUEST (1<<1)
-#define AUTH_MSG_KDC_REPLY (2<<1)
-#define AUTH_MSG_APPL_REQUEST (3<<1)
-#define AUTH_MSG_APPL_REQUEST_MUTUAL (4<<1)
-#define AUTH_MSG_ERR_REPLY (5<<1)
-#define AUTH_MSG_PRIVATE (6<<1)
-#define AUTH_MSG_SAFE (7<<1)
-#define AUTH_MSG_APPL_ERR (8<<1)
-#define AUTH_MSG_KDC_FORWARD (9<<1)
-#define AUTH_MSG_KDC_RENEW (10<<1)
-#define AUTH_MSG_DIE (63<<1)
-
-/* General definitions */
-#define KSUCCESS 0
-#define KFAILURE 255
-
-/* */
-
-#define MAX_KTXT_LEN 1250
-
-#define ANAME_SZ 40
-#define REALM_SZ 40
-#define SNAME_SZ 40
-#define INST_SZ 40
-
-struct ktext {
- unsigned int length; /* Length of the text */
- unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
- uint32_t mbz; /* zero to catch runaway strings */
-};
-
-struct credentials {
- char service[ANAME_SZ]; /* Service name */
- char instance[INST_SZ]; /* Instance */
- char realm[REALM_SZ]; /* Auth domain */
- char session[8]; /* Session key */
- int lifetime; /* Lifetime */
- int kvno; /* Key version number */
- struct ktext ticket_st; /* The ticket itself */
- int32_t issue_date; /* The issue time */
- char pname[ANAME_SZ]; /* Principal's name */
- char pinst[INST_SZ]; /* Principal's instance */
-};
-
-#define TKTLIFENUMFIXED 64
-#define TKTLIFEMINFIXED 0x80
-#define TKTLIFEMAXFIXED 0xBF
-#define TKTLIFENOEXPIRE 0xFF
-#define MAXTKTLIFETIME (30*24*3600) /* 30 days */
-#ifndef NEVERDATE
-#define NEVERDATE ((time_t)0x7fffffffL)
-#endif
-
-#define KERB_ERR_NULL_KEY 10
-
-#define CLOCK_SKEW 5*60
-
-#ifndef TKT_ROOT
-#ifdef KRB5_USE_PATH_TOKENS
-#define TKT_ROOT "%{TEMP}/tkt"
-#else
-#define TKT_ROOT "/tmp/tkt"
-#endif
-#endif
-
-struct _krb5_krb_auth_data {
- int8_t k_flags; /* Flags from ticket */
- char *pname; /* Principal's name */
- char *pinst; /* His Instance */
- char *prealm; /* His Realm */
- uint32_t checksum; /* Data checksum (opt) */
- krb5_keyblock session; /* Session Key */
- unsigned char life; /* Life of ticket */
- uint32_t time_sec; /* Time ticket issued */
- uint32_t address; /* Address in ticket */
-};
-
-KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
-_krb5_krb_life_to_time (int, int);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_krb_time_to_life (time_t, time_t);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_krb_tf_setup (krb5_context, struct credentials *,
- const char *, int);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_krb_dest_tkt(krb5_context, const char *);
-
-#define krb_time_to_life _krb5_krb_time_to_life
-#define krb_life_to_time _krb5_krb_life_to_time
-
-#endif /* __KRB5_V4COMPAT_H__ */
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 8a0f0847a487..41b2d3b40791 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -54,6 +54,7 @@ The grammar looks like:
file:
/* empty */
sections
+ includes
sections:
section sections
@@ -76,10 +77,23 @@ binding:
name:
STRING
+includes:
+ 'include' path
+ 'includedir' path
+
+path: STRING
+
.Ed
.Li STRINGs
consists of one or more non-whitespace characters.
.Pp
+Files and directories may be included by absolute path, with percent
+token expansion (see the TOKEN EXPANSION section). Including a
+directory causes all files in the directory to be included as if each
+file had been included separately, but only files whose names consist of
+alphanumeric, hyphen, and underscore are included, though they may also
+end in '.conf'.
+.Pp
STRINGs that are specified later in this man-page uses the following
notation.
.Bl -tag -width "xxx" -offset indent
@@ -91,8 +105,8 @@ Example: 1 month 2 days 30 min.
If no unit is given, seconds is assumed.
.It etypes
valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
-des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and
-aes256-cts-hmac-sha1-96 .
+des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96,
+aes128-cts-hmac-sha256-128, and aes256-cts-hmac-sha384-192.
.It address
an address can be either a IPv4 or a IPv6 address.
.El
@@ -148,6 +162,31 @@ If a principal argument is specified, it is used as an explicit realm name for
anonymous pkinit even without an
.Li @
prefix.
+.It Li delegate-destination-tgt = Va boolean
+When forwarding credentials to a remote host, forward a TGT for the
+realm of the destination host rather than a TGT for the user's realm.
+This is useful when hosts in the remote realm should not or cannot
+(e.g. firewalled from user realm's KDC) obtain tickets for services
+in the user's realm. When the user's realm and the host's realm are
+the same, this parameter has no effect. The setting can be applied
+to a single realm as follows:
+.Bd -literal -offset indent
+EXAMPLE.COM = {
+ delegate-destination-tgt = true
+}
+.Ed
+.It Li pkinit_pool = Va HX509-STORE
+This is a multi-valued parameter naming one or more stores of
+intermediate certification authority (CA) certificates for the
+client's end entity certificate.
+.It Li pkinit_anchors = Va HX509-STORE ...
+This is a multi-valued parameter naming one or more stores of
+anchors for PKINIT KDC certificates.
+.It Li pkinit_revoke = Va HX509-STORE ...
+This is a multi-valued parameter naming one or more stores of
+of CRLs for the issuers of PKINIT KDC certificates.
+If no CRLs are configured, then CRLs will not be checked.
+This is because hx509 currently lacks support.
.El
.It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent
@@ -180,10 +219,30 @@ sets the default credentials type.
the default credentials cache name.
If you want to change the type only use
.Li default_cc_type .
-The string can contain variables that are expanded on runtime.
-The Only supported variable currently is
-.Li %{uid}
-which expands to the current user id.
+The string can contain variables that are expanded at runtime. See the TOKEN
+EXPANSION section.
+.It Li default_file_cache_collections = Va FILE:/path/with/tokens ...
+This multi-valued parameter allows more than one path to be
+configured for the FILE credentials cache type to look in. The FILE
+credentials cache type will also consider file names whose prefixes
+match these and end in
+.Va +name
+as subsidiary caches in the collection. The values of this
+parameter are subject to token expansion. See the TOKEN EXPANSION
+section.
+.It Li enable_file_cache_iteration = Va boolean
+If enabled, the
+.Va FILE
+credential cache type will support iteration of all subsidiary
+caches in the default collection, meaning that
+.Xr kinit 1
+.Va -l
+option will list them. This does require scanning the directory
+containing a given
+.Va FILE
+ccache, which, if it is
+.Va /tmp
+may be a slow operation. Defaults to false.
.It Li default_etypes = Va etypes ...
A list of default encryption types to use. (Default: all enctypes if
allow_weak_crypto = TRUE, else all enctypes except single DES enctypes.)
@@ -198,10 +257,25 @@ A list of default encryption types to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if no other is specified, default is
.Dq FILE:/etc/krb5.keytab .
+.It Li default_client_keytab_name = Va keytab
+The keytab to use for client credential acquisition if no other is
+specified, default is
+.Dq FILE:%{LOCALSTATEDIR}/user/%{euid}/client.keytab .
+See the TOKEN EXPANSION section.
.It Li dns_lookup_kdc = Va boolean
Use DNS SRV records to lookup KDC services location.
.It Li dns_lookup_realm = Va boolean
Use DNS TXT records to lookup domain to realm mappings.
+.It Li enforce_ok_as_delegate = Va boolean
+If this flag to true, GSSAPI credential delegation will be
+disabled when the
+.Ar ok-as-delegate
+flag is not set in the service ticket.
+If this flag is false, the
+.Ar ok-as-delegate
+ticket flag is only enforced when an application specifically
+requests enforcement.
+The default value is false.
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for that when issuing requests.
@@ -264,7 +338,8 @@ this is very useful when the GSS-API server input the
wrong server name into the gss_accept_sec_context call.
.It Li k5login_directory = Va directory
Alternative location for user .k5login files. This option is provided
-for compatibility with MIT krb5 configuration files.
+for compatibility with MIT krb5 configuration files. This path is
+subject to percent token expansion (see TOKEN EXPANSION).
.It Li k5login_authoritative = Va boolean
If true then if a principal is not found in k5login files then
.Xr krb5_userok 3
@@ -324,6 +399,40 @@ be allowed to run.
.It Li fcache_strict_checking
strict checking in FILE credential caches that owner, no symlink and
permissions is correct.
+.It Li moduli = Va FILE
+Names a file that contains acceptable modular Diffie-Hellman
+groups for PKINIT.
+The given file should contain lines with whitespace-separated
+fields in this order:
+.Va name, nbits, p, g, q .
+Lines starting with a
+.Va #
+are comments.
+.It Li pkinit_dh_min_bits = Va NUMBER
+PKINIT client's minimum acceptable modular Diffie-Hellman public
+key size in bits.
+.It Li enable-kx509 = Va boolean
+Enable use of kx509 so that every TGT that can has a corresponding
+PKIX certificate. Default: false.
+.It Li kx509_gen_key_type = Va public-key-type
+Type of public key for kx509 private key generation. Defaults to
+.Va rsa
+and currently only
+.Va rsa
+is supported.
+.It Li kx509_gen_rsa_key_size = Va number-of-bits
+RSA key size for kx509. Defaults to 2048.
+.It Li kx509_store = path
+A file path into which to write a certificate obtained with
+kx509, and its private key, when attempting kx509 optimistically
+using credentials from a default ccache. Tokens will be
+expanded.
+.It Li kx509_hostname = Va hostname
+If set, then the kx509 client will use this hostname for the
+kx509 service. This can also be set in the
+.Li [realm]
+section on a per-realm basis. If not set then a TGS name will be
+used.
.It Li name_canon_rules = Va rules
One or more service principal name canonicalization rules. Each rule
consists of one or more tokens separated by colon (':'). Currently
@@ -416,9 +525,40 @@ Defaults to true.
Note, absent an explicit setting, hierarchical capaths are always used by
the KDC when generating a referral to a destination with which is no direct
trust.
+.It Li client_aware_channel_bindings = Va boolean
+If this flag is true, then all application protocol authentication
+requests will be flagged to indicate that the application supports
+channel bindings when operating over a secure channel.
+The default value is false.
+.It Li check_pac = Va boolean
+If this flag is true and a Windows Privilege Attribute Certificate (PAC)
+is present in the ticket authorization data, then
+.Xr krb5_rd_req 3
+will validate the PAC before returning success. The default value is true.
+.It Li report_canonical_client_name = Va boolean
+If this flag is true, then the canonical client name from the PAC will
+be used instead of the client name in the ticket. The default value is false.
+Note that setting it to true implicitly sets
+.Va check_pac
+to true.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm.
+.Pp
+It is used by the client and the TGS both to determine the realm
+of host-based service principal names based on the principal's
+hostname component.
+.Pp
+The client may try DNS to determine a host's realm; see the
+`dns_lookup_realm' parameter, and see below.
+.Pp
+The TGS will issue a referral when a host-based service does not
+exist in the requested realm but can be mapped with these rules
+to a different realm.
+The TGS will also issue a referral when a host-based service
+exists in the requested realm as an alias of a service in another
+realm.
+.Pp
Each binding in this section looks like:
.Pp
.Dl domain = realm
@@ -534,6 +674,39 @@ No additional principal to username mapping is done. Note that
and any preceding
.Va auth_to_local
rules have precedence.
+.It Li pkinit_require_eku = BOOL
+If
+.Va true
+then the KDC PKINIT Extended Key Usage (EKU) OID (1.3.6.5.2.3.5)
+must be present in KDCs' PKINIT certificates.
+Defaults to
+.Va true .
+.It Li pkinit_require_krbtgt_otherName = BOOL
+If
+.Va true
+then the PKINIT Subject Alternative Name (SAN) for the TGS must
+be present in KDCs' PKINIT certificates, and must match their
+realm.
+Defaults to
+.Va true .
+.It Li pkinit_require_hostname_match = BOOL
+If
+.Va true
+then KDCs' PKINIT certificates must match their hostnames.
+Defaults to
+.Va false .
+.It Li pkinit_trustedCertifiers = BOOL
+If
+.Va true
+then PKINIT client will tell KDCs which trust anchors it trusts.
+Defaults to
+.Va true .
+.It Li disable_pac = BOOL
+If
+.Va true
+then the KDC will not sign tickets with PAC, which disables S4U2Proxy support.
+Defaults to
+.Va false .
.El
.It Li }
.El
@@ -649,11 +822,180 @@ target service principal's hdb entry's current keyset. Defaults to TRUE.
.It Li check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in tgs requests.
.\" XXX
+.It Li warn_ticket_addresses = Va BOOL
+Warn about, but allow, usage of tickets from hosts that don't match the
+addresses in the tickets.
.It Li allow-null-ticket-addresses = Va BOOL
Allow address-less tickets.
.\" XXX
+.It Li disable_pac = Va BOOL
+Do not include a PAC in service tickets.
+However, if a service has the
+.Li auth-data-reqd
+attribute then the KDC will include a PAC anyways.
+.It Li enable_fast = Va BOOL
+Enable RFC 6113 FAST support, this is enabled by default.
+.It Li enable_armored_pa_enc_timestamp = Va BOOL
+Enable armored encrypted timestamp pre-authentication with key
+strengthening.
+RFC 6113 says not to use PA-ENC-TIMESTAMP in FAST armored tunnels
+as there is a newer replacement, PA-ENC-CHALLENGE, but for
+interoperability with earlier versions of Heimdal, this is
+enabled by default for now.
+.It Li enable_unarmored_pa_enc_timestamp = Va BOOL
+Enable unarmored encrypted timestamp pre-authentication.
+Enabled by default for now, but in a future release will be
+disabled.
+.It Li enable-pkinit = Va BOOL
+Enable PKINIT (disabled by default).
.It Li allow-anonymous = Va BOOL
If the kdc is allowed to hand out anonymous tickets.
+.It Li synthetic_clients = Va BOOL
+If enabled then the KDC will issue tickets for clients that don't
+exist in the HDB provided that they use PKINIT, that PKINIT is
+enabled, and that the client's have certificates with PKINIT
+subject alternative names (SANs).
+.It Li synthetic_clients_max_life = Va TIME
+Maximum ticket lifetime for synthetic clients.
+Default: 5 minutes.
+.It Li synthetic_clients_max_renew = Va TIME
+Maximum ticket renewable lifetime for synthetic clients.
+Default: 5 minutes.
+.It Li pkinit_identity = Va HX509-STORE
+This is an HX509 store containing the KDC's PKINIT credential
+(private key and end-entity certificate).
+This is single valued, though multiple stores can be specified by
+separating them with commas.
+An
+.Va HX509-STORE
+is of the form
+.Va TYPE:name
+where
+.Va TYPE
+is one of
+.Va FILE, Va PEM-FILE, Va DER-FILE, Va PKCS12, Va PKCS11,
+or on OX X,
+.Va KEYCHAIN .
+The form of the
+.Va name
+depends on the
+.Va TYPE .
+For
+.Va FILE, Va PEM-FILE, Va DER-FILE,
+and
+.Va PKCS12
+the
+.Va name
+is a file path.
+See the Heimdal hx509 documentation for more information.
+.It Li pkinit_pool = Va HX509-STORE
+This is a multi-valued parameter naming one or more stores of
+intermediate certification authority (CA) certificates for the
+KDC's end entity certificate.
+.It Li pkinit_anchors = Va HX509-STORE ...
+This is a multi-valued parameter naming one or more stores of
+anchors for PKINIT client certificates.
+Note that the
+.Va DIR
+type of
+.Va HX509-STORE
+is also supported here.
+.Va DIR
+type stores are OpenSSL-style CA certificate hash directories.
+.It Li pkinit_revoke = Va HX509-STORE ...
+This is a multi-valued parameter naming one or more stores of
+of CRLs for the issuers of PKINIT client certificates.
+If no CRLs are configured, then CRLs will not be checked.
+This is because the KDC will not dereference CRL distribution
+points nor request OCSP responses.
+.It Li pkinit_kdc_ocsp = Va PATH
+This names a file whose contents is the DER encoding of an
+OCSPResponse for the KDC's end entity certificate.
+.It Li pkinit_kdc_friendly_name = Va NAME
+This is an optional friendly name of the KDC's end entity
+certificate.
+This is only helpful when the
+.Li pkinit_identity
+store contains many credentials.
+.It Li pkinit_principal_in_certificate = Va BOOL
+If set to
+.Va true
+then the KDC will match AS-REQ client principal names to the
+PKINIT
+.Va subjectAlternativeName
+values from the clients' certificates.
+Defaults to
+.Va true .
+.It Li pkinit_dh_min_bits = Va NUMBER
+Minimum acceptable modular Diffie-Hellman public key size in
+bits.
+.It Li pkinit_max_life_from_cert_extension = Va BOOL
+If set to
+.Va true
+then the KDC will override the
+.Va max_life
+attribute of the client principal's HDB record with a maximum
+ticket life taken from a certificate extension with OID
+.Va { iso(1) member-body(2) se(752) su(43) heim-pkix(16) 4 }
+and the DER encoding of an
+.Va INTEGER
+number of seconds.
+Alternatively, if the extended key usage OID
+.Va { iso(1) member-body(2) se(752) su(43) heim-pkix(16) 3 }
+is included in the client's certificate, then the
+.Va notAfter
+minus the current time will be used.
+.It Li pkinit_max_life_bound = Va TIME
+If set, this will be a hard bound on the maximum ticket lifetime
+taken from the client's certificate.
+As usual,
+.Va TIME
+can be given as a number followed by a unit, such as
+.Dq 2d
+for
+.Dq two days .
+.It Li pkinit_max_life_from_cert = Va TIME
+If set, this will override the
+.Va max_life
+attribute of the client principal's HDB record with the
+.Va notAfter
+of the client's certificate minus the current time, bounded to
+the given relative
+.Va TIME
+unless the
+.Li pkinit_max_life_from_cert_extension
+parameter is set and the client's certificate has that extension.
+As usual,
+.Va TIME
+can be given as a number followed by a unit, such as
+.Dq 2d
+for
+.Dq two days .
+.It Li enable_gss_preauth = Va boolean
+Enables pre-authentication using a GSS-API mechanism supported by the client and KDC.
+The GSS-API initiator and AS request client names must match, unless the
+.Li WELLKNOWN/FEDERATED
+name was used in the AS request, in which case the AS reply will contain the
+GSS-API initiator name. Authorization and mapping behavior may be customized
+by plugins. If synthetic clients are enabled, then the GSS-API initiator need
+not exist in the local database. GSS-API pre-authentication is disabled by
+default.
+.It Li enable_gss_auth_data = Va boolean
+When using GSS-API pre-authentication, includes a Kerberos authorization data
+element containing naming attributes associated with the GSS-API initiator. This
+is disabled by default as it may significantly increase the size of returned
+tickets.
+.It Li gss_mechanisms_allowed = Va mechs ...
+A list of GSS-API mechanisms that may be used for GSS-API pre-authentication.
+.It Li gss_cross_realm_mechanisms_allowed = Va mechs ...
+A list of GSS-API mechanisms that, when using the default authorization
+mechanism, will be permitted to map Kerberos principals in foreign realms. The
+list is empty by default. Initiator names from mechanisms not on this list will
+be mapped to an enterprise principal in the AS-REQ realm. This option is
+intended to avoid conflating GSS-API pre-authentication and Kerberos
+cross-realm authentication. The behavior is provided by the default
+authorization mechanism and will be overridden by an authorization plugin.
+Mechanisms may be identified by dot-separated OID or a short name.
.It Li historical_anon_realm = Va boolean
Enables pre-7.0 non-RFC-comformant KDC behavior.
With this option set to
@@ -688,26 +1030,125 @@ Should the kdc answer digest requests. The default is FALSE.
.It Li digests_allowed = Va list of digests
Specifies the digests the kdc will reply to. The default is
.Li ntlm-v2 .
-.It Li kx509_ca = Va file
-Specifies the PEM credentials for the kx509 certification authority.
+.It Li enable-kx509 = Va boolean
+Enables kx509 service.
+.Pp
+The kx509 service is configurable for a number of cases:
+.Bl -tag -width "" -offset indent
+.It Li default certificates for user or service principals,
+.It Li non-default certificate requests including subject alternative names (SAN) and extended key usage (EKU) certificate extensions, for either client, server, or mixed usage.
+.El
+.Pp
+Distinct configurations are supported for all of these cases as
+shown below:
+.Bd -literal -offset indent
+[kdc]
+ enable-kx509 = yes | no
+ require_csr = yes | no
+ require_initial_kca_tickets = yes | no
+ realm = {
+ <REALM> = {
+ kx509 = {
+ <label> = {
+ <param> = <value>
+ }
+ hostbased_service = {
+ <service> = {
+ <param> = <value>
+ }
+ }
+ }
+ }
+ }
+.Ed
+where
+.Va label
+is one of:
+.Bl -tag -width "xxx" -offset indent
+.It Li user
+for default certificates for user principals,
+.It Li root_user
+for default certificates for root user principals,
+.It Li admin_user
+for default certificates for admin user principals,
+.It Li hostbased_service
+for default certificates for host-based service principals, in which case the
+service name is used as shown above,
+.It Li client
+for non-default client certificates,
+.It Li server
+for non-default server certificates,
+.It Li mixed
+for non-default client and server certificates.
+.El
+and where the parameters are as follows:
+.Bl -tag -width "xxx" -offset indent
+.It Li ca = Va file
+Specifies the PEM credentials for the kx509 / bx509d certification
+authority.
+If not specified for any specific use-case, then that use-case
+will be disabled.
+.It Li max_cert_lifetime = Va NUMunit
+Specifies the maximum certificate lifetime as a decimal number
+and an optional unit (the default unit is
+.Dq day
+).
+.It Li force_cert_lifetime = Va NUMunit
+Specifies a minimum certificate lifetime as a decimal number and
+an optional unit (the default unit is
+.Dq day
+).
+.It Li allow_extra_lifetime = Va boolean
+Indicates whether a client may request longer lifetimes than
+their authentication credentials.
+Defaults to false.
.It Li require_initial_kca_tickets = Va boolean
Specified whether to require that tickets for the
.Li kca_service
service principal be INITIAL.
This may be set on a per-realm basis as well as globally.
Defaults to true for the global setting.
-.It Li kx509_include_pkinit_san = Va boolean
+.It Li include_pkinit_san = Va boolean
If true then the kx509 client principal's name and realm will be
included in an
.Li id-pkinit-san
-certificate extension.
+subject alternative name certificate extension.
This can be set on a per-realm basis as well as globally.
Defaults to true for the global setting.
-.It Li kx509_template = Va file
-Specifies the PEM file with a template for the certificates to be
-issued.
-The following variables can be interpolated in the subject name using
-${variable} syntax:
+.It Li email_domain = Va domain
+If set then the kx509 client user principal's name at the given
+domain will be included in an
+.Li rfc822Name
+subject alternative name certificate extension.
+This can be set on a per-realm basis as well as globally.
+Defaults to false for the global setting.
+.It Li include_dnsname_san = Va boolean
+If true then a kx509 host-based or domain-based client
+principal's hostname will be included in an
+.Li dNSName
+subject alternative name certificate extension, with the
+downcased realm as the domainname. This can be set on a
+per-realm basis as well as
+globally. Defaults to false for the global setting.
+.It Li ekus = Va OID
+List of OIDs to include as EKUs.
+.It Li subject_name = Va DN
+Specifies a subject name that should either be empty or contain
+variable interpolation as described below for
+.Va template_cert .
+The subject may be the empty string, causing the issued
+certificates' subject names to be empty.
+.It Li template_cert = Va store
+Specifies the hx509 store (e.g.,
+.Va PEM-FILE:path )
+with a template
+for the certificates to be issued to kx509 clients whose
+principal names have one component (i.e., are user principals).
+A template is a certificate with variables to be interpolated in
+the subjectName. The following variables can be interpolated in
+the subject name using
+.Va ${variable}
+syntax:
.Bl -tag -width "xxx" -offset indent
.It principal-name
The full name of the kx509 client principal.
@@ -715,15 +1156,147 @@ The full name of the kx509 client principal.
The full name of the kx509 client principal, excluding the realm name.
.It principal-name-realm
The name of the client principal's realm.
+.It principal-component0
+The first component of the client principal.
+.It principal-component1
+The second component of the client principal.
+.It principal-component2
+The third component of the client principal.
+.It principal-service-name
+The name of the service.
+.It principal-host-name
+The name of the host.
.El
+.Pp
+If a template and subject name are not specified and no default
+SANs are configured, then no certificate will be issued.
+Otherwise if a template and subject name are not specified, then
+subject of the certificate will be empty.
.El
-The
-.Li kx509 ,
-.Li kx509_template ,
-.Li kx509_include_pkinit_san ,
-and
-.Li require_initial_kca_tickets
-parameters may be set on a per-realm basis as well.
+.El
+.Pp
+.It Li [hdb]
+.Bl -tag -width "xxx" -offset indent
+.It Li db-dir = Va path
+This parameter defines a directory that can contain:
+.Bl -tag -width "xxx" -offset indent
+.It Va kdc.conf
+A configuration file with the same format as krb5.conf that will
+be included.
+.It Va m-key
+The master key file.
+.It Va kdc.log
+The default logfile for the KDC when a logfile is not specified in
+.Li [logging]
+.It Va kadm5.acl
+The access controls for
+.Nm kadmind .
+.It Va log
+The (binary) log of transactions used for
+.Nm HDB
+replication via the
+.Nm iprop
+protocol.
+See
+.Nm iprop-log(1)
+for more detail.
+.It Va pki-mapping
+The default PKINIT mapping file if one is not specified in
+.Va [kdc] pkinit_mappings_file .
+.El
+and other files related to
+.Nm iprop
+operation.
+.It Li new_service_key_delay = Va time
+Sets a bias such that new keys are not taken into service until
+after the given time has passed since they were set.
+This is useful for key rotation on concrete principals shared by
+multiple instances of an application: set this time to twice or
+more the keytab fetch period used by applications.
+.It Li enable_virtual_hostbased_princs = Va boolean
+Heimdal supports a notion of virtual host-based service
+principals whose keys are derived from those of a base namespace
+principal of the form
+.Nm WELLKNOWN/HOSTBASED-NAMESPACE/svc/hostname .
+The service name can be wild-carded as
+.Va _ .
+Non-wildcarded services have to be listed in the
+.Li virtual_hostbased_princ_svcs
+parameter (see below).
+This parameter enables this feature, which is disabled by
+default.
+.It Li virtual_hostbased_princ_ndots = Va Integer
+Minimum number of label-separating periods in virtual host-based
+service principals' hostname component.
+.It Li virtual_hostbased_princ_maxdots = Va Integer
+Maximum number of label-separating periods in namespaces'
+hostname component.
+.It Li virtual_hostbased_princ_svcs = Va service-name
+This multi-valued parameter lists service names not to wildcard
+when searching for a namespace for a virtual host-based service
+principal.
+Other service names will have keys derived from a matching
+namespace with a wild-carded service name.
+This allows one to have different attributes for different
+services.
+For example, the
+.Nm "host"
+service can be configured to have the ok-as-delegate flag while
+all others do not.
+.El
+.Pp
+.It Li [bx509]
+This section contains online certification authority configuration, much
+like
+.Li kx509
+in the
+.Li [kdc]
+section, but with the
+.Li kx509
+layer removed.
+.Bd -literal -offset indent
+[kdc]
+ realm = {
+ <REALM> = {
+ ...
+ }
+ }
+.Ed
+.It Li [get-tgt]
+.Bl -tag -width "xxx" -offset indent
+.It Li no_addresses = Va BOOL
+If set to
+.Va true
+then the
+.Va /get-tgt
+end-point of the
+.Xr bx509d 8
+service will issue address-less TGTs.
+If set to
+.Va false
+then the
+.Va /get-tgt
+end-point of the
+.Xr bx509d 8
+service will include the client's IP address in the TGT it issues
+it.
+Defaults to
+.Va true .
+.It Li allow_addresses = Va BOOL
+If set to
+.Va true
+then the
+.Va /get-tgt
+end-point of the
+.Xr bx509d 8
+service will add arbitrary addresses requested by clients to the
+TGTs it issues them.
+Defaults to
+.Va false .
+.El
+.Pp
+Certification authority related parameters are as for
+.Va bx509 .
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
.It Li password_lifetime = Va time
@@ -784,6 +1357,60 @@ among other minimum-length, character-class, external-check.
.El
.El
.El
+.Sh TOKEN EXPANSION
+The values of some parameters are subject to percent token expansion.
+Expansions supported on all platforms:
+.Bl -tag -width "xxx" -offset indent
+.It %{LIBDIR}
+The install location of Heimdal libraries.
+.It %{BINDIR}
+The install location of Heimdal user programs.
+.It %{LIBEXEC}
+The install location of Heimdal services.
+.It %{SBINDIR}
+The install location of Heimdal admin programs.
+.It %{username}
+The current username.
+.It %{TEMP}
+A temporary directory.
+.It %{USERID}
+The current user's SID (Windows) or effective user ID (POSIX).
+.It %{uid}
+The current user's SID (Windows) or real user ID (POSIX). On POSIX it is best
+to use the
+.Va %{euid}
+token instead (see below).
+.It %{null}
+The empty string.
+.El
+.Pp
+Expansions supported on POSIX-like platforms:
+.Bl -tag -width "xxx" -offset indent
+.It %{euid}
+The current effective user ID.
+.It %{loginname}
+The username of the logged-in user for this terminal.
+.It %{LOCALSTATEDIR}
+The install location of Heimdal databases.
+.El
+.Pp
+On Windows, several additional tokens can also be expanded:
+.Bl -tag -width "xxx" -offset indent
+.It %{APPDATA}
+Roaming application data (for current user).
+.It %{COMMON_APPDATA}
+Application data (all users).
+.It %{LOCAL_APPDATA}
+Local application data (for current user).
+.It %{SYSTEM}
+Windows System folder.
+.It %{WINDOWS}
+Windows folder.
+.It %{USERCONFIG}
+Per user Heimdal configuration file path.
+.It %{COMMONCONFIG}
+Common Heimdal configuration file path.
+.El
.Sh ENVIRONMENT
.Ev KRB5_CONFIG
points to the configuration file to read.
diff --git a/lib/krb5/krb5.conf.cat5 b/lib/krb5/krb5.conf.cat5
deleted file mode 100644
index 03a2c0ce42a6..000000000000
--- a/lib/krb5/krb5.conf.cat5
+++ /dev/null
@@ -1,840 +0,0 @@
-KRB5.CONF(5) BSD File Formats Manual KRB5.CONF(5)
-
-NAME
- krb5.conf -- configuration file for Kerberos 5
-
-SYNOPSIS
- #include <krb5.h>
-
-DESCRIPTION
- The krb5.conf file specifies several configuration parameters for the
- Kerberos 5 library, as well as for some programs.
-
- The file consists of one or more sections, containing a number of bind-
- ings. The value of each binding can be either a string or a list of
- other bindings. The grammar looks like:
-
- file:
- /* empty */
- sections
-
- sections:
- section sections
- section
-
- section:
- '[' section_name ']' bindings
-
- section_name:
- STRING
-
- bindings:
- binding bindings
- binding
-
- binding:
- name '=' STRING
- name '=' '{' bindings '}'
-
- name:
- STRING
-
- STRINGs consists of one or more non-whitespace characters.
-
- STRINGs that are specified later in this man-page uses the following no-
- tation.
-
- boolean
- values can be either yes/true or no/false.
-
- time
- values can be a list of year, month, day, hour, min, second.
- Example: 1 month 2 days 30 min. If no unit is given, seconds
- is assumed.
-
- etypes
- valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-
- md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96,
- and aes256-cts-hmac-sha1-96 .
-
- address
- an address can be either a IPv4 or a IPv6 address.
-
- Currently recognised sections and bindings are:
-
- [appdefaults]
- Specifies the default values to be used for Kerberos applica-
- tions. You can specify defaults per application, realm, or a
- combination of these. The preference order is:
- 1. application realm option
- 2. application option
- 3. realm option
- 4. option
-
- The supported options are:
-
- forwardable = boolean
- When obtaining initial credentials, make the cre-
- dentials forwardable.
-
- proxiable = boolean
- When obtaining initial credentials, make the cre-
- dentials proxiable.
-
- no-addresses = boolean
- When obtaining initial credentials, request them
- for an empty set of addresses, making the tickets
- valid from any address.
-
- ticket_lifetime = time
- Default ticket lifetime.
-
- renew_lifetime = time
- Default renewable ticket lifetime.
-
- encrypt = boolean
- Use encryption, when available.
-
- forward = boolean
- Forward credentials to remote host (for rsh(1),
- telnet(1), etc).
-
- historical_anon_pkinit = boolean
- Enable legacy anonymous pkinit command-line syntax.
- With this option set to true, the kinit(1)
- --anonymous command with no principal argument
- specified will request an anonymous pkinit ticket
- from the default realm. If a principal argument is
- specified, it is used as an explicit realm name for
- anonymous pkinit even without an @ prefix.
-
- [libdefaults]
-
- default_realm = REALM
- Default realm to use, this is also known as your
- "local realm". The default is the result of
- krb5_get_host_realm(local hostname).
-
- allow_weak_crypto = boolean
- are weak crypto algorithms allowed to be used,
- among others, DES is considered weak.
-
- clockskew = time
- Maximum time differential (in seconds) allowed when
- comparing times. Default is 300 seconds (five min-
- utes).
-
- kdc_timeout = time
- Maximum time to wait for a reply from the kdc, de-
- fault is 3 seconds.
-
- capath = {
-
- destination-realm = next-hop-realm
-
- ...
-
- }
- This is deprecated, see the capaths section below.
-
- default_cc_type = cctype
- sets the default credentials type.
-
- default_cc_name = ccname
- the default credentials cache name. If you want to
- change the type only use default_cc_type. The
- string can contain variables that are expanded on
- runtime. The Only supported variable currently is
- %{uid} which expands to the current user id.
-
- default_etypes = etypes ...
- A list of default encryption types to use. (De-
- fault: all enctypes if allow_weak_crypto = TRUE,
- else all enctypes except single DES enctypes.)
-
- default_as_etypes = etypes ...
- A list of default encryption types to use in AS re-
- quests. (Default: the value of default_etypes.)
-
- default_tgs_etypes = etypes ...
- A list of default encryption types to use in TGS
- requests. (Default: the value of default_etypes.)
-
- default_etypes_des = etypes ...
- A list of default encryption types to use when re-
- questing a DES credential.
-
- default_keytab_name = keytab
- The keytab to use if no other is specified, default
- is "FILE:/etc/krb5.keytab".
-
- dns_lookup_kdc = boolean
- Use DNS SRV records to lookup KDC services loca-
- tion.
-
- dns_lookup_realm = boolean
- Use DNS TXT records to lookup domain to realm map-
- pings.
-
- kdc_timesync = boolean
- Try to keep track of the time differential between
- the local machine and the KDC, and then compensate
- for that when issuing requests.
-
- max_retries = number
- The max number of times to try to contact each KDC.
-
- large_msg_size = number
- The threshold where protocols with tiny maximum
- message sizes are not considered usable to send
- messages to the KDC.
-
- ticket_lifetime = time
- Default ticket lifetime.
-
- renew_lifetime = time
- Default renewable ticket lifetime.
-
- forwardable = boolean
- When obtaining initial credentials, make the cre-
- dentials forwardable. This option is also valid in
- the [realms] section.
-
- proxiable = boolean
- When obtaining initial credentials, make the cre-
- dentials proxiable. This option is also valid in
- the [realms] section.
-
- verify_ap_req_nofail = boolean
- If enabled, failure to verify credentials against a
- local key is a fatal error. The application has to
- be able to read the corresponding service key for
- this to work. Some applications, like su(1), en-
- able this option unconditionally.
-
- warn_pwexpire = time
- How soon to warn for expiring password. Default is
- seven days.
-
- http_proxy = proxy-spec
- A HTTP-proxy to use when talking to the KDC via
- HTTP.
-
- dns_proxy = proxy-spec
- Enable using DNS via HTTP.
-
- extra_addresses = address ...
- A list of addresses to get tickets for along with
- all local addresses.
-
- time_format = string
- How to print time strings in logs, this string is
- passed to strftime(3).
-
- date_format = string
- How to print date strings in logs, this string is
- passed to strftime(3).
-
- log_utc = boolean
- Write log-entries using UTC instead of your local
- time zone.
-
- scan_interfaces = boolean
- Scan all network interfaces for addresses, as op-
- posed to simply using the address associated with
- the system's host name.
-
- fcache_version = int
- Use file credential cache format version specified.
-
- fcc-mit-ticketflags = boolean
- Use MIT compatible format for file credential
- cache. It's the field ticketflags that is stored
- in reverse bit order for older than Heimdal 0.7.
- Setting this flag to TRUE makes it store the MIT
- way, this is default for Heimdal 0.7.
-
- check-rd-req-server
- If set to "ignore", the framework will ignore any
- of the server input to krb5_rd_req(3), this is very
- useful when the GSS-API server input the wrong
- server name into the gss_accept_sec_context call.
-
- k5login_directory = directory
- Alternative location for user .k5login files. This
- option is provided for compatibility with MIT krb5
- configuration files.
-
- k5login_authoritative = boolean
- If true then if a principal is not found in k5login
- files then krb5_userok(3) will not fallback on
- principal to username mapping. This option is pro-
- vided for compatibility with MIT krb5 configuration
- files.
-
- kuserok = rule ...
- Specifies krb5_userok(3) behavior. If multiple
- values are given, then krb5_userok(3) will evaluate
- them in order until one succeeds or all fail.
- Rules are implemented by plugins, with three built-
- in plugins described below. Default: USER-K5LOGIN
- SIMPLE DENY.
-
- kuserok = DENY
- If set and evaluated then krb5_userok(3) will deny
- access to the given username no matter what the
- principal name might be.
-
- kuserok = SIMPLE
- If set and evaluated then krb5_userok(3) will use
- principal to username mapping (see auth_to_local
- below). If the principal maps to the requested
- username then access is allowed.
-
- kuserok = SYSTEM-K5LOGIN[:directory]
- If set and evaluated then krb5_userok(3) will use
- k5login files named after the luser argument to
- krb5_userok(3) in the given directory or in
- /etc/k5login.d/. K5login files are text files,
- with each line containing just a principal name;
- principals apearing in a user's k5login file are
- permitted access to the user's account. Note: this
- rule performs no ownership nor permissions checks
- on k5login files; proper ownership and permis-
- sions/ACLs are expected due to the k5login location
- being a system location.
-
- kuserok = USER-K5LOGIN
- If set and evaluated then krb5_userok(3) will use
- ~luser/.k5login and ~luser/.k5login.d/*. User
- k5login files and directories must be owned by the
- user and must not have world nor group write per-
- missions.
-
- aname2lname-text-db = filename
- The named file must be a sorted (in increasing or-
- der) text file where every line consists of an un-
- parsed principal name optionally followed by white-
- space and a username. The aname2lname function
- will do a binary search on this file, if config-
- ured, looking for lines that match the given prin-
- cipal name, and if found the given username will be
- used, or, if the username is missing, an error will
- be returned. If the file doesn't exist, or if no
- matching line is found then other plugins will be
- allowed to run.
-
- fcache_strict_checking
- strict checking in FILE credential caches that
- owner, no symlink and permissions is correct.
-
- name_canon_rules = rules
- One or more service principal name canonicalization
- rules. Each rule consists of one or more tokens
- separated by colon (':'). Currently these rules
- are used only for hostname canonicalization (usu-
- ally when getting a service ticket, from a ccache
- or a TGS, but also when acquiring GSS initiator
- credentials from a keytab). These rules can be
- used to implement DNS resolver-like search lists
- without having to use DNS.
-
- NOTE: Name canonicalization rules are an experimen-
- tal feature.
-
- The first token is a rule type, one of: as-is,
- qualify, or nss.
-
- Any remaining tokens must be options tokens:
- use_fast (use FAST to protect TGS exchanges; cur-
- rently not supported), use_dnssec (use DNSSEC to
- protect hostname lookups; currently not supported),
- ccache_only , use_referrals, no_referrals,
- lookup_realm, mindots=N, maxdots=N, order=N, do-
- main= domain, realm= realm, match_domain= domain,
- and match_realm= realm.
-
- When trying to obtain a service ticket for a host-
- based service principal name, name canonicalization
- rules are applied to that name in the order given,
- one by one, until one succeds (a service ticket is
- obtained), or all fail. Similarly when acquiring
- GSS initiator credentials from a keytab, and when
- comparing a non-canonical GSS name to a canonical
- one.
-
- For each rule the system checks that the hostname
- has at least mindots periods (if given) in it, at
- most maxdots periods (if given), that the hostname
- ends in the given match_domain (if given), and that
- the realm of the principal matches the match_realm
- (if given).
-
- As-is rules leave the hostname unmodified but may
- set a realm. Qualify rules qualify the hostname
- with the given domain and also may set the realm.
- The nss rule uses the system resolver to lookup the
- host's canonical name and is usually not secure.
- Note that using the nss rule type implies having to
- have principal aliases in the HDB (though not nec-
- essarily in keytabs).
-
- The empty realm denotes "ask the client's realm's
- TGS". The empty realm may be set as well as
- matched.
-
- The order in which rules are applied is as follows:
- first all the rules with explicit order then all
- other rules in the order in which they appear. If
- any two rules have the same explicit order, their
- order of appearance in krb5.conf breaks the tie.
- Explicitly specifying order can be useful where
- tools read and write the configuration file without
- preserving parameter order.
-
- Malformed rules are ignored.
-
- allow_hierarchical_capaths = boolean
- When validating cross-realm transit paths, absent
- any explicit capath from the client realm to the
- server realm, allow a hierarchical transit path via
- the common ancestor domain of the two realms. De-
- faults to true. Note, absent an explicit setting,
- hierarchical capaths are always used by the KDC
- when generating a referral to a destination with
- which is no direct trust.
-
- [domain_realm]
- This is a list of mappings from DNS domain to Kerberos realm.
- Each binding in this section looks like:
-
- domain = realm
-
- The domain can be either a full name of a host or a trailing
- component, in the latter case the domain-string should start
- with a period. The trailing component only matches hosts that
- are in the same domain, ie ".example.com" matches
- "foo.example.com", but not "foo.test.example.com".
-
- The realm may be the token `dns_locate', in which case the ac-
- tual realm will be determined using DNS (independently of the
- setting of the `dns_lookup_realm' option).
-
- [realms]
-
- REALM = {
-
- kdc = [service/]host[:port]
- Specifies a list of kdcs for this realm.
- If the optional port is absent, the de-
- fault value for the "kerberos/udp"
- "kerberos/tcp", and "http/tcp" port (de-
- pending on service) will be used. The
- kdcs will be used in the order that they
- are specified.
-
- The optional service specifies over what
- medium the kdc should be contacted.
- Possible services are "udp", "tcp", and
- "http". Http can also be written as
- "http://". Default service is "udp" and
- "tcp".
-
- admin_server = host[:port]
- Specifies the admin server for this
- realm, where all the modifications to
- the database are performed.
-
- kpasswd_server = host[:port]
- Points to the server where all the pass-
- word changes are performed. If there is
- no such entry, the kpasswd port on the
- admin_server host will be tried.
-
- tgs_require_subkey
- a boolan variable that defaults to
- false. Old DCE secd (pre 1.1) might
- need this to be true.
-
- auth_to_local_names = {
-
- principal_name = username
- The given principal_name will
- be mapped to the given
- username if the REALM is a
- default realm.
-
- }
-
- auth_to_local = HEIMDAL_DEFAULT
- Use the Heimdal default principal to
- username mapping. Applies to principals
- from the REALM if and only if REALM is a
- default realm.
-
- auth_to_local = DEFAULT
- Use the MIT default principal to user-
- name mapping. Applies to principals
- from the REALM if and only if REALM is a
- default realm.
-
- auth_to_local = DB:/path/to/db.txt
- Use a binary search of the given DB.
- The DB must be a flat-text file sortedf
- in the "C" locale, with each record be-
- ing a line (separated by either LF or
- CRLF) consisting of a principal name
- followed by whitespace followed by a
- username. Applies to principals from
- the REALM if and only if REALM is a de-
- fault realm.
-
- auth_to_local = DB:/path/to/db
- Use the given DB, if there's a plugin
- for it. Applies to principals from the
- REALM if and only if REALM is a default
- realm.
-
- auth_to_local = RULE:...
- Use the given rule, if there's a plugin
- for it. Applies to principals from the
- REALM if and only if REALM is a default
- realm.
-
- auth_to_local = NONE
- No additional principal to username map-
- ping is done. Note that
- auth_to_local_names and any preceding
- auth_to_local rules have precedence.
-
- }
-
- [capaths]
-
- client-realm = {
-
- server-realm = hop-realm ...
- This serves two purposes. First the
- first listed hop-realm tells a client
- which realm it should contact in order
- to ultimately obtain credentials for a
- service in the server-realm. Secondly,
- it tells the KDC (and other servers)
- which realms are allowed in a multi-hop
- traversal from client-realm to
- server-realm. Except for the client
- case, the order of the realms are not
- important.
-
- }
-
- [logging]
-
- entity = destination
- Specifies that entity should use the specified
- destination for logging. See the krb5_openlog(3)
- manual page for a list of defined destinations.
-
- [kdc]
-
- database = {
-
- dbname = [DATBASETYPE:]DATABASENAME
- Use this database for this realm. The
- DATABASETYPE should be one of 'lmdb',
- 'db3', 'db1', 'db', 'sqlite', or 'ldap'.
- See the info documetation how to config-
- ure different database backends.
-
- realm = REALM
- Specifies the realm that will be stored
- in this database. It realm isn't set,
- it will used as the default database,
- there can only be one entry that doesn't
- have a realm stanza.
-
- mkey_file = FILENAME
- Use this keytab file for the master key
- of this database. If not specified
- DATABASENAME.mkey will be used.
-
- acl_file = PA FILENAME
- Use this file for the ACL list of this
- database.
-
- log_file = FILENAME
- Use this file as the log of changes per-
- formed to the database. This file is
- used by ipropd-master for propagating
- changes to slaves. It is also used by
- kadmind and kadmin (when used with the
- -l option), and by all applications us-
- ing libkadm5 with the local backend, for
- two-phase commit functionality. Slaves
- also use this. Setting this to
- /dev/null disables two-phase commit and
- incremental propagation. Use iprop-log
- to show the contents of this log file.
-
- log-max-size = number
- When the log reaches this size (in
- bytes), the log will be truncated, sav-
- ing some entries, and keeping the latest
- version number so as to not disrupt in-
- cremental propagation. If set to a neg-
- ative value then automatic log trunca-
- tion will be disabled. Defaults to
- 52428800 (50MB).
-
- }
-
- max-request = SIZE
- Maximum size of a kdc request.
-
- require-preauth = BOOL
- If set pre-authentication is required.
-
- ports = list of ports
- List of ports the kdc should listen to.
-
- addresses = list of interfaces
- List of addresses the kdc should bind to.
-
- enable-http = BOOL
- Should the kdc answer kdc-requests over http.
-
- tgt-use-strongest-session-key = BOOL
- If this is TRUE then the KDC will prefer the
- strongest key from the client's AS-REQ or TGS-REQ
- enctype list for the ticket session key that is
- supported by the KDC and the target principal when
- the target principal is a krbtgt principal. Else
- it will prefer the first key from the client's AS-
- REQ enctype list that is also supported by the KDC
- and the target principal. Defaults to FALSE.
-
- svc-use-strongest-session-key = BOOL
- Like tgt-use-strongest-session-key, but applies to
- the session key enctype of tickets for services
- other than krbtgt principals. Defaults to FALSE.
-
- preauth-use-strongest-session-key = BOOL
- If TRUE then select the strongest possible enctype
- from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
- for password-based pre-authentication). Else pick
- the first supported enctype from the client's AS-
- REQ. Defaults to FALSE.
-
- use-strongest-server-key = BOOL
- If TRUE then the KDC picks, for the ticket en-
- crypted part's key, the first supported enctype
- from the target service principal's hdb entry's
- current keyset. Else the KDC picks the first sup-
- ported enctype from the target service principal's
- hdb entry's current keyset. Defaults to TRUE.
-
- check-ticket-addresses = BOOL
- Verify the addresses in the tickets used in tgs re-
- quests.
-
- allow-null-ticket-addresses = BOOL
- Allow address-less tickets.
-
- allow-anonymous = BOOL
- If the kdc is allowed to hand out anonymous tick-
- ets.
-
- historical_anon_realm = boolean
- Enables pre-7.0 non-RFC-comformant KDC behavior.
- With this option set to true the client realm in
- anonymous pkinit AS replies will be the requested
- realm, rather than the RFC-conformant
- WELLKNOWN:ANONYMOUS realm. This can have a secu-
- rity impact on servers that expect to grant access
- to anonymous-but-authenticated to the KDC users of
- the realm in question: they would also grant access
- to unauthenticated anonymous users. As such, it is
- not recommend to set this option to true.
-
- encode_as_rep_as_tgs_rep = BOOL
- Encode as-rep as tgs-rep to be compatible with mis-
- takes older DCE secd did.
-
- kdc_warn_pwexpire = TIME
- The time before expiration that the user should be
- warned that her password is about to expire.
-
- logging = Logging
- What type of logging the kdc should use, see also
- [logging]/kdc.
-
- hdb-ldap-structural-object structural object
- If the LDAP backend is used for storing principals,
- this is the structural object that will be used
- when creating and when reading objects. The de-
- fault value is account .
-
- hdb-ldap-create-base creation dn
- is the dn that will be appended to the principal
- when creating entries. Default value is the search
- dn.
-
- enable-digest = BOOL
- Should the kdc answer digest requests. The default
- is FALSE.
-
- digests_allowed = list of digests
- Specifies the digests the kdc will reply to. The
- default is ntlm-v2.
-
- kx509_ca = file
- Specifies the PEM credentials for the kx509 certi-
- fication authority.
-
- require_initial_kca_tickets = boolean
- Specified whether to require that tickets for the
- kca_service service principal be INITIAL. This may
- be set on a per-realm basis as well as globally.
- Defaults to true for the global setting.
-
- kx509_include_pkinit_san = boolean
- If true then the kx509 client principal's name and
- realm will be included in an id-pkinit-san certifi-
- cate extension. This can be set on a per-realm ba-
- sis as well as globally. Defaults to true for the
- global setting.
-
- kx509_template = file
- Specifies the PEM file with a template for the cer-
- tificates to be issued. The following variables
- can be interpolated in the subject name using
- ${variable} syntax:
-
- principal-name
- The full name of the kx509 client prin-
- cipal.
-
- principal-name-without-realm
- The full name of the kx509 client prin-
- cipal, excluding the realm name.
-
- principal-name-realm
- The name of the client principal's
- realm.
- The kx509, kx509_template, kx509_include_pkinit_san, and
- require_initial_kca_tickets parameters may be set on a per-
- realm basis as well.
-
- [kadmin]
-
- password_lifetime = time
- If a principal already have its password set for
- expiration, this is the time it will be valid for
- after a change.
-
- default_keys = keytypes...
- For each entry in default_keys try to parse it as a
- sequence of etype:salttype:salt syntax of this if
- something like:
-
- [(des|des3|etype):](pw-salt|afs3-salt)[:string]
-
- If etype is omitted it means everything, and if
- string is omitted it means the default salt string
- (for that principal and encryption type). Addi-
- tional special values of keytypes are:
-
- v5 The Kerberos 5 salt pw-salt
-
- default_key_rules = {
-
- globing-rule = keytypes...
- a globbing rule to matching a principal,
- and when true, use the keytypes as spec-
- ified the same format as [kadmin]de-
- fault_keys .
-
- }
-
- prune-key-history = BOOL
- When adding keys to the key history, drop keys that
- are too old to match unexpired tickets (based on
- the principal's maximum ticket lifetime). If the
- KDC keystore is later compromised traffic protected
- with the discarded older keys may remain protected.
- This also keeps the HDB records for principals with
- key history from growing without bound. The de-
- fault (backwards compatible) value is "false".
-
- use_v4_salt = BOOL
- When true, this is the same as
-
- default_keys = des3:pw-salt v4
-
- and is only left for backwards compatibility.
-
- [password_quality]
- Check the Password quality assurance in the info
- documentation for more information.
-
- check_library = library-name
- Library name that contains the password
- check_function
-
- check_function = function-name
- Function name for checking passwords in
- check_library
-
- policy_libraries = library1 ... libraryN
- List of libraries that can do password
- policy checks
-
- policies = policy1 ... policyN
- List of policy names to apply to the
- password. Builtin policies are among
- other minimum-length, character-class,
- external-check.
-
-ENVIRONMENT
- KRB5_CONFIG points to the configuration file to read.
-
-FILES
- /etc/krb5.conf configuration file for Kerberos 5.
-
-EXAMPLES
- [libdefaults]
- default_realm = FOO.SE
- name_canon_rules = as-is:realm=FOO.SE
- name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
- name_canon_rules = qualify:domain=bar.se:realm=FOO.SE
- name_canon_rules = nss
- [domain_realm]
- .foo.se = FOO.SE
- .bar.se = FOO.SE
- [realms]
- FOO.SE = {
- kdc = kerberos.foo.se
- default_domain = foo.se
- }
- [logging]
- kdc = FILE:/var/heimdal/kdc.log
- kdc = SYSLOG:INFO
- default = SYSLOG:INFO:USER
- [kadmin]
- default_key_rules = {
- */ppp@* = arcfour-hmac-md5:pw-salt
- }
-
-DIAGNOSTICS
- Since krb5.conf is read and parsed by the krb5 library, there is not a
- lot of opportunities for programs to report parsing errors in any useful
- format. To help overcome this problem, there is a program
- verify_krb5_conf that reads krb5.conf and tries to emit useful diagnos-
- tics from parsing errors. Note that this program does not have any way
- of knowing what options are actually used and thus cannot warn about un-
- known or misspelled ones.
-
-SEE ALSO
- kinit(1), krb5_openlog(3), strftime(3), verify_krb5_conf(8)
-
-HEIMDAL May 4, 2005 HEIMDAL
diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h
index c37af35933b2..593d1a366c25 100644
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -45,8 +45,11 @@
#include <krb5_err.h>
#include <heim_err.h>
#include <k524_err.h>
+#include <k5e1_err.h>
#include <krb5_asn1.h>
+typedef Krb5Int32 krb5int32;
+typedef Krb5UInt32 krb5uint32;
/* name confusion with MIT */
#ifndef KRB5KDC_ERR_KEY_EXP
@@ -55,8 +58,10 @@
#ifdef _WIN32
#define KRB5_CALLCONV __stdcall
+#define KRB5_LIB_CALL __stdcall
#else
#define KRB5_CALLCONV
+#define KRB5_LIB_CALL
#endif
/* simple constants */
@@ -90,6 +95,7 @@ typedef struct krb5_ntlm_data *krb5_ntlm;
struct krb5_pac_data;
typedef struct krb5_pac_data *krb5_pac;
+typedef const struct krb5_pac_data *krb5_const_pac;
typedef struct krb5_rd_req_in_ctx_data *krb5_rd_req_in_ctx;
typedef struct krb5_rd_req_out_ctx_data *krb5_rd_req_out_ctx;
@@ -117,52 +123,53 @@ typedef struct krb5_enc_data {
} krb5_enc_data;
/* alternative names */
-#define ENCTYPE_NULL KRB5_ENCTYPE_NULL
-#define ENCTYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
-#define ENCTYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
-#define ENCTYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
-#define ENCTYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
-#define ENCTYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
-#define ENCTYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
-#define ENCTYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
-#define ENCTYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
-#define ENCTYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
+#define ENCTYPE_NULL KRB5_ENCTYPE_NULL
+#define ENCTYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
+#define ENCTYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
+#define ENCTYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
+#define ENCTYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
+#define ENCTYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
+#define ENCTYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
+#define ENCTYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
+#define ENCTYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
+#define ENCTYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-#define ENCTYPE_ARCFOUR_HMAC KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
-#define ENCTYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
-#define ENCTYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
-#define ENCTYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
-#define ENCTYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
-#define ENCTYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
-#define ENCTYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
-#define ENCTYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
-#define ETYPE_NULL KRB5_ENCTYPE_NULL
-#define ETYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
-#define ETYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
-#define ETYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
-#define ETYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
-#define ETYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
-#define ETYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
-#define ETYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
-#define ETYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
-#define ETYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
-#define ETYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-#define ETYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-#define ETYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128
-#define ETYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192
-#define ETYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
-#define ETYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
-#define ETYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
-#define ETYPE_ARCFOUR_MD4 KRB5_ENCTYPE_ARCFOUR_MD4
-#define ETYPE_ARCFOUR_HMAC_OLD KRB5_ENCTYPE_ARCFOUR_HMAC_OLD
-#define ETYPE_ARCFOUR_HMAC_OLD_EXP KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP
-#define ETYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
-#define ETYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
-#define ETYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
-#define ETYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
-#define ETYPE_DIGEST_MD5_NONE KRB5_ENCTYPE_DIGEST_MD5_NONE
-#define ETYPE_CRAM_MD5_NONE KRB5_ENCTYPE_CRAM_MD5_NONE
+#define ENCTYPE_ARCFOUR_HMAC KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ENCTYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ENCTYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
+#define ENCTYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
+#define ENCTYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
+#define ENCTYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
+#define ENCTYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
+#define ENCTYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
+#define ETYPE_NULL KRB5_ENCTYPE_NULL
+#define ETYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
+#define ETYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
+#define ETYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
+#define ETYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
+#define ETYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
+#define ETYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
+#define ETYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
+#define ETYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
+#define ETYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
+#define ETYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+#define ETYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+#define ETYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128
+#define ETYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192
+#define ETYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ETYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
+#define ETYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
+#define ETYPE_ARCFOUR_MD4 KRB5_ENCTYPE_ARCFOUR_MD4
+#define ETYPE_ARCFOUR_HMAC_OLD KRB5_ENCTYPE_ARCFOUR_HMAC_OLD
+#define ETYPE_ARCFOUR_HMAC_OLD_EXP KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP
+#define ETYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
+#define ETYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
+#define ETYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
+#define ETYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
+#define ETYPE_DIGEST_MD5_NONE KRB5_ENCTYPE_DIGEST_MD5_NONE
+#define ETYPE_CRAM_MD5_NONE KRB5_ENCTYPE_CRAM_MD5_NONE
+#define DOMAIN_X500_COMPRESS domain_X500_Compress
/* PDU types */
typedef enum krb5_pdu {
@@ -268,6 +275,10 @@ typedef enum krb5_key_usage {
KRB5_KU_PA_SERVER_REFERRAL = 26,
/* Keyusage for the server referral in a TGS req */
KRB5_KU_SAM_ENC_NONCE_SAD = 27,
+ /* Defined in [MS-SFU] */
+ KRB5_KU_PA_S4U_X509_USER_REQUEST = 26,
+ /* Defined in [MS-SFU] */
+ KRB5_KU_PA_S4U_X509_USER_REPLY = 27,
/* Encryption of the SAM-NONCE-OR-SAD field */
KRB5_KU_PA_PKINIT_KX = 44,
/* Encryption type of the kdc session contribution in pk-init */
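Review bot: The two added enumerators reuse the values 26 and 27 that `KRB5_KU_PA_SERVER_REFERRAL` and `KRB5_KU_SAM_ENC_NONCE_SAD` already hold just above. They are also inserted between `KRB5_KU_SAM_ENC_NONCE_SAD` and its trailing description `/* Encryption of the SAM-NONCE-OR-SAD field */`, which now reads as if it described `KRB5_KU_PA_S4U_X509_USER_REPLY`. Key usage numbers keep derived keys apart by purpose, so an intentional alias should say so where it is declared; I would move the new pair below the SAM comment and annotate it with something like `/* [MS-SFU] assigns 26/27 to S4U; these alias the two usages above */`. The surrounding entries appear to put the comment after the enumerator it describes, whereas the new ones put it before. The enum begins and ends outside this hunk.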
@@ -357,15 +368,7 @@ typedef AP_REQ krb5_ap_req;
struct krb5_cc_ops;
-#ifdef _WIN32
-#define KRB5_USE_PATH_TOKENS 1
-#endif
-
-#ifdef KRB5_USE_PATH_TOKENS
#define KRB5_DEFAULT_CCFILE_ROOT "%{TEMP}/krb5cc_"
-#else
-#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
-#endif
#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
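Review bot: `KRB5_DEFAULT_CCFILE_ROOT` is now `"%{TEMP}/krb5cc_"` on every platform, and nothing beside the define says what `%{TEMP}` resolves to outside Windows. The default credential cache location is security-sensitive, so a reader needs to know whether the token comes from a fixed directory or from the environment of the calling process; that cannot be determined from this hunk. Any caller that uses the macro as a literal path without token expansion would now get a file name containing `%{TEMP}`. A comment such as `/* %{TEMP} is expanded at run time; see expand_path.c for the per-platform source of the value */` would point reviewers at the place to check.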
@@ -380,7 +383,10 @@ typedef struct krb5_cccol_cursor_data *krb5_cccol_cursor;
typedef struct krb5_ccache_data {
const struct krb5_cc_ops *ops;
krb5_data data;
- int initialized; /* if non-zero: krb5_cc_initialize() called, now empty */
+ unsigned int cc_initialized:1; /* if 1: krb5_cc_initialize() called */
+ unsigned int cc_need_start_realm:1;
+ unsigned int cc_start_tgt_stored:1;
+ unsigned int cc_kx509_done:1;
}krb5_ccache_data;
typedef struct krb5_ccache_data *krb5_ccache;
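Review bot: Three of the four new bit-fields (`cc_need_start_realm`, `cc_start_tgt_stored`, `cc_kx509_done`) carry no comment, and the replacement for `initialized` drops the "now empty" half of the old description. Each flag should get a trailing comment naming the call that sets it and the one that clears it, in the same form as `/* if 1: krb5_cc_initialize() called */`. The struct is declared in the public header, so code outside the library that read or wrote `initialized` stops compiling after the rename to `cc_initialized`; that is worth a line in the commit description.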
@@ -436,6 +442,7 @@ typedef union {
/* flags for krb5_verify_ap_req */
#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0)
+#define KRB5_VERIFY_AP_REQ_IGNORE_ADDRS (1 << 1)
#define KRB5_GC_CACHED (1U << 0)
#define KRB5_GC_USER_USER (1U << 1)
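Review bot: `KRB5_VERIFY_AP_REQ_IGNORE_ADDRS` is added without a comment. Going by its name it relaxes an address check during AP-REQ verification, which callers should only opt into knowingly. I would add a line such as `/* skip the address check on the ticket; use only where the peer address cannot be known */`, with the wording confirmed against the implementation, which is outside this hunk. As a style point, the `KRB5_GC_*` flags directly below shift `1U`, so `(1U << 1)` would match them, although the existing `IGNORE_INVALID` line uses a signed shift as well.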
@@ -482,9 +489,15 @@ typedef struct krb5_creds {
typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor;
-#define KRB5_CC_OPS_VERSION 3
+#define KRB5_CC_OPS_VERSION_0 0
+#define KRB5_CC_OPS_VERSION_1 1
+#define KRB5_CC_OPS_VERSION_2 2
+#define KRB5_CC_OPS_VERSION_3 3
+#define KRB5_CC_OPS_VERSION_5 5
+/* Only extend the structure. Do not change signatures. */
typedef struct krb5_cc_ops {
+ /* Version 0 */
int version;
const char *prefix;
const char* (KRB5_CALLCONV * get_name)(krb5_context, krb5_ccache);
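Review bot: `KRB5_CC_OPS_VERSION` is removed with no replacement of the same name, so an out-of-tree ccache backend that initialises `version` with it will no longer compile. The new list also goes from `KRB5_CC_OPS_VERSION_3` straight to `KRB5_CC_OPS_VERSION_5` with no explanation. If version 4 was skipped on purpose, a one-line comment such as `/* 4 is intentionally unused */` would stop the next contributor from assigning it. The comment `/* Only extend the structure. Do not change signatures. */` could also state which constant a new backend should put in `version`. The struct body continues past this hunk.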
@@ -511,27 +524,43 @@ typedef struct krb5_cc_ops {
krb5_error_code (KRB5_CALLCONV * end_cache_get)(krb5_context, krb5_cc_cursor);
krb5_error_code (KRB5_CALLCONV * move)(krb5_context, krb5_ccache, krb5_ccache);
krb5_error_code (KRB5_CALLCONV * get_default_name)(krb5_context, char **);
+ /* Version 1 */
krb5_error_code (KRB5_CALLCONV * set_default)(krb5_context, krb5_ccache);
+ /* Version 2 */
krb5_error_code (KRB5_CALLCONV * lastchange)(krb5_context, krb5_ccache, krb5_timestamp *);
+ /* Version 3 */
krb5_error_code (KRB5_CALLCONV * set_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat);
krb5_error_code (KRB5_CALLCONV * get_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat *);
+ /* Version 5 */
+ krb5_error_code (KRB5_CALLCONV * get_name_2)(krb5_context, krb5_ccache,
+ const char **id, const char **res,
+ const char **sub);
+ krb5_error_code (KRB5_CALLCONV * resolve_2)(krb5_context, krb5_ccache *id, const char *res,
+ const char *sub);
+ /* Add new functions here for versions 6 and above */
} krb5_cc_ops;
-struct krb5_log_facility;
-
+/*
+ * krb5_config_binding is identical to struct heim_config_binding
+ * within heimbase.h. Its format is public and used by callers of
+ * krb5_config_get_list() and krb5_config_vget_list().
+ */
+enum krb5_config_type {
+ krb5_config_string,
+ krb5_config_list,
+};
struct krb5_config_binding {
- enum { krb5_config_string, krb5_config_list } type;
+ enum krb5_config_type type;
char *name;
struct krb5_config_binding *next;
union {
- char *string;
- struct krb5_config_binding *list;
- void *generic;
+ char *string;
+ struct krb5_config_binding *list;
+ void *generic;
} u;
};
typedef struct krb5_config_binding krb5_config_binding;
-
typedef krb5_config_binding krb5_config_section;
typedef struct krb5_ticket {
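Review bot: `get_name_2` and `resolve_2` are appended under `/* Version 5 */`, but nothing tells a consumer that these members may be read only when the table's `version` is at least `KRB5_CC_OPS_VERSION_5`. An ops table built by an older backend is a shorter object, so touching the new members on it reads past its end. I would extend the marker to `/* Version 5: valid only if version >= KRB5_CC_OPS_VERSION_5 */` and do the same for the version 1 to 3 markers. The `id`, `res` and `sub` parameters are named but not described, and the `/* Add new functions here ... */` line could repeat the rule that earlier members must not move. The struct definition starts in the previous hunk.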
@@ -552,8 +581,9 @@ typedef Authenticator krb5_donot_replay;
#define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS 0x02
#define KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE 0x04
#define KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE 0x08
-#define KRB5_STORAGE_BYTEORDER_MASK 0x60
+#define KRB5_STORAGE_BYTEORDER_MASK 0x70
#define KRB5_STORAGE_BYTEORDER_BE 0x00 /* default */
+#define KRB5_STORAGE_BYTEORDER_PACKED 0x10
#define KRB5_STORAGE_BYTEORDER_LE 0x20
#define KRB5_STORAGE_BYTEORDER_HOST 0x40
#define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 0x80
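Review bot: `KRB5_STORAGE_BYTEORDER_PACKED` is added without a comment, and "packed" is not a byte order, so the header should say what encoding it selects. The mask widens to `0x70` and the selectable values are `0x10`, `0x20` and `0x40`, so combinations such as `PACKED | LE` are representable; the comment should state whether they are valid or whether the values are mutually exclusive. Code compiled against the old `0x60` mask that masks flags itself would silently ignore the new bit. A trailing comment in the style of `/* default */` on the `BE` line is enough.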
@@ -667,16 +697,15 @@ typedef struct {
KRB_ERROR error;
} krb5_kdc_rep;
-extern const char *heimdal_version, *heimdal_long_version;
+extern const char *const heimdal_version, *const heimdal_long_version;
-typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(const char*, const char*, void*);
+typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(krb5_context,
+ const char*,
+ const char*,
+ void*);
typedef void (KRB5_CALLCONV * krb5_log_close_func_t)(void*);
-typedef struct krb5_log_facility {
- char *program;
- int len;
- struct facility *val;
-} krb5_log_facility;
+typedef struct heim_log_facility_s krb5_log_facility;
typedef EncAPRepPart krb5_ap_rep_enc_part;
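Review bot: `krb5_log_log_func_t` gains a leading `krb5_context` parameter with no comment marking the incompatibility. A callback written for the old three-argument form would receive its arguments shifted by one if it is cast or linked in without being updated; a rebuild only catches this when pointer-type diagnostics are enabled. I would put `/* context is the first argument as of this change; callbacks using the old three-argument form must be updated */` above the typedef. In the same hunk `krb5_log_facility` becomes an alias for the opaque `struct heim_log_facility_s`, so any caller that accessed `program`, `len` or `val` directly stops compiling; that also deserves a note next to the typedef.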
@@ -689,10 +718,11 @@ typedef EncAPRepPart krb5_ap_rep_enc_part;
#define KRB5_WELLKNOWN_NAME ("WELLKNOWN")
#define KRB5_ANON_NAME ("ANONYMOUS")
#define KRB5_ANON_REALM ("WELLKNOWN:ANONYMOUS")
+#define KRB5_FEDERATED_NAME ("FEDERATED")
+#define KRB5_FEDERATED_REALM ("WELLKNOWN:FEDERATED")
#define KRB5_WELLKNOWN_ORG_H5L_REALM ("WELLKNOWN:ORG.H5L")
#define KRB5_DIGEST_NAME ("digest")
-
#define KRB5_PKU2U_REALM_NAME ("WELLKNOWN:PKU2U")
#define KRB5_LKDC_REALM_NAME ("WELLKNOWN:COM.APPLE.LKDC")
@@ -811,11 +841,13 @@ typedef struct krb5_verify_opt {
struct krb5_krbhst_data;
typedef struct krb5_krbhst_data *krb5_krbhst_handle;
-#define KRB5_KRBHST_KDC 1
-#define KRB5_KRBHST_ADMIN 2
-#define KRB5_KRBHST_CHANGEPW 3
-#define KRB5_KRBHST_KRB524 4
-#define KRB5_KRBHST_KCA 5
+#define KRB5_KRBHST_KDC 1
+#define KRB5_KRBHST_ADMIN 2
+#define KRB5_KRBHST_CHANGEPW 3
+#define KRB5_KRBHST_KRB524 4
+#define KRB5_KRBHST_KCA 5
+#define KRB5_KRBHST_READONLY_ADMIN 6
+#define KRB5_KRBHST_TKTBRIDGEAP 7
typedef struct krb5_krbhst_info {
enum { KRB5_KRBHST_UDP,
@@ -870,14 +902,31 @@ typedef krb5_error_code
(KRB5_CALLCONV * krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *,
const krb5_data *, int *);
-struct krb5_plugin;
enum krb5_plugin_type {
PLUGIN_TYPE_DATA = 1,
- PLUGIN_TYPE_FUNC
+ PLUGIN_TYPE_FUNC /* no longer supported */
};
+/*
+ * Since <krb5/common_plugin.h> is new with Heimdal 8, users looking to write
+ * portable plugins across Heimdal 7 and 8 need a conditional compilation
+ * predicate from a header file that does exist in both major releases. This
+ * is as good a place as any to define a plugin source-compatibility version
+ * number.
+ *
+ * When this macro is defined and is equal to 1, the Heimdal 8 plugin source
+ * API, and <krb5/common_plugin.h> header are available and should be used.
+ *
+ * In Heimdal 7, this macro is not defined, and <krb5/common_plugin.h> may not
+ * be available.
+ */
+#define KRB5_PLUGIN_COMMON_SPI_VERSION 1
+
#define KRB5_PLUGIN_INVOKE_ALL 1
+typedef uintptr_t
+(KRB5_LIB_CALL *krb5_get_instance_func_t)(const char *);
+
struct credentials; /* this is to keep the compiler happy */
struct getargs;
struct sockaddr;
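Review bot: `PLUGIN_TYPE_FUNC` stays in the enum with only `/* no longer supported */`, so code that still passes it compiles and then misbehaves at run time in a way the header does not describe. The comment should say what a caller gets back, for example `/* no longer supported: registration with this type fails */` if that is the actual behaviour, which is not visible in this hunk. `krb5_get_instance_func_t` is introduced with no description of its string argument or of what the `uintptr_t` result represents. It also depends on `<stdint.h>` being in scope, which cannot be confirmed from the lines shown.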
@@ -963,13 +1012,14 @@ typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator;
*/
struct hx509_certs_data;
+typedef struct krb5_kx509_req_ctx_data *krb5_kx509_req_ctx;
#include <krb5-protos.h>
/* variables */
-extern KRB5_LIB_VARIABLE const char *krb5_config_file;
-extern KRB5_LIB_VARIABLE const char *krb5_defkeyname;
+extern KRB5_LIB_VARIABLE const char *const krb5_config_file;
+extern KRB5_LIB_VARIABLE const char *const krb5_defkeyname;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops;
@@ -979,6 +1029,7 @@ extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_krcc_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_fkt_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_wrfkt_ops;
@@ -987,12 +1038,13 @@ extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_mkt_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_akf_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_any_ops;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_api;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_file;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_api;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_file;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_memory;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_kcm;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_scc;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_dcc;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_keyring;
/* clang analyzer workarounds */
diff --git a/lib/krb5/krb524_convert_creds_kdc.cat3 b/lib/krb5/krb524_convert_creds_kdc.cat3
deleted file mode 100644
index b6992ec07f53..000000000000
--- a/lib/krb5/krb524_convert_creds_kdc.cat3
+++ /dev/null
@@ -1,42 +0,0 @@
-KRB524_CONVERT_CREDS_... BSD Library Functions Manual KRB524_CONVERT_CREDS_...
-
-NAME
- krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache -- converts
- Kerberos 5 credentials to Kerberos 4 credentials
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb524_convert_creds_kdc(krb5_context context, krb5_creds *in_cred,
- struct credentials *v4creds);
-
- krb5_error_code
- krb524_convert_creds_kdc_ccache(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, struct credentials *v4creds);
-
-DESCRIPTION
- Convert the Kerberos 5 credential to Kerberos 4 credential. This is done
- by sending them to the 524 service in the KDC.
-
- krb524_convert_creds_kdc() converts the Kerberos 5 credential in in_cred
- to Kerberos 4 credential that is stored in credentials.
-
- krb524_convert_creds_kdc_ccache() is different from
- krb524_convert_creds_kdc() in that way that if in_cred doesn't contain a
- DES session key, then a new one is fetched from the KDC and stored in the
- cred cache ccache, and then the KDC is queried to convert the credential.
-
- This interfaces are used to make the migration to Kerberos 5 from Ker-
- beros 4 easier. There are few services that still need Kerberos 4, and
- this is mainly for compatibility for those services. Some services, like
- AFS, really have Kerberos 5 supports, but still uses the 524 interface to
- make the migration easier.
-
-SEE ALSO
- krb5(3), krb5.conf(5)
-
-HEIMDAL March 20, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_425_conv_principal.cat3 b/lib/krb5/krb5_425_conv_principal.cat3
deleted file mode 100644
index 3845106ca656..000000000000
--- a/lib/krb5/krb5_425_conv_principal.cat3
+++ /dev/null
@@ -1,139 +0,0 @@
-KRB5_425_CONV_PRINCIP... BSD Library Functions Manual KRB5_425_CONV_PRINCIP...
-
-NAME
- krb5_425_conv_principal, krb5_425_conv_principal_ext,
- krb5_524_conv_principal -- converts to and from version 4 principals
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_425_conv_principal(krb5_context context, const char *name,
- const char *instance, const char *realm, krb5_principal *principal);
-
- krb5_error_code
- krb5_425_conv_principal_ext(krb5_context context, const char *name,
- const char *instance, const char *realm,
- krb5_boolean (*func)(krb5_context, krb5_principal),
- krb5_boolean resolve, krb5_principal *principal);
-
- krb5_error_code
- krb5_524_conv_principal(krb5_context context,
- const krb5_principal principal, char *name, char *instance,
- char *realm);
-
-DESCRIPTION
- Converting between version 4 and version 5 principals can at best be de-
- scribed as a mess.
-
- A version 4 principal consists of a name, an instance, and a realm. A
- version 5 principal consists of one or more components, and a realm. In
- some cases also the first component/name will differ between version 4
- and version 5. Furthermore the second component of a host principal will
- be the fully qualified domain name of the host in question, while the in-
- stance of a version 4 principal will only contain the first part (short
- hostname). Because of these problems the conversion between principals
- will have to be site customized.
-
- krb5_425_conv_principal_ext() will try to convert a version 4 principal,
- given by name, instance, and realm, to a version 5 principal. This can
- result in several possible principals, and if func is non-NULL, it will
- be called for each candidate principal. func should return true if the
- principal was "good". To accomplish this, krb5_425_conv_principal_ext()
- will look up the name in krb5.conf. It first looks in the
- v4_name_convert/host subsection, which should contain a list of version 4
- names whose instance should be treated as a hostname. This list can be
- specified for each realm (in the realms section), or in the libdefaults
- section. If the name is found the resulting name of the principal will
- be the value of this binding. The instance is then first looked up in
- v4_instance_convert for the specified realm. If found the resulting value
- will be used as instance (this can be used for special cases), no further
- attempts will be made to find a conversion if this fails (with func). If
- the resolve parameter is true, the instance will be looked up with
- gethostbyname(). This can be a time consuming, error prone, and unsafe
- operation. Next a list of hostnames will be created from the instance
- and the v4_domains variable, which should contain a list of possible do-
- mains for the specific realm.
-
- On the other hand, if the name is not found in a host section, it is
- looked up in a v4_name_convert/plain binding. If found here the name will
- be converted, but the instance will be untouched.
-
- This list of default host-type conversions is compiled-in:
-
- v4_name_convert = {
- host = {
- ftp = ftp
- hprop = hprop
- imap = imap
- pop = pop
- rcmd = host
- smtp = smtp
- }
- }
-
- It will only be used if there isn't an entry for these names in the con-
- fig file, so you can override these defaults.
-
- krb5_425_conv_principal() will call krb5_425_conv_principal_ext() with
- NULL as func, and the value of v4_instance_resolve (from the libdefaults
- section) as resolve.
-
- krb5_524_conv_principal() basically does the opposite of
- krb5_425_conv_principal(), it just doesn't have to look up any names, but
- will instead truncate instances found to belong to a host principal. The
- name, instance, and realm should be at least 40 characters long.
-
-EXAMPLES
- Since this is confusing an example is in place.
-
- Assume that we have the "foo.com", and "bar.com" domains that have shared
- a single version 4 realm, FOO.COM. The version 4 krb.realms file looked
- like:
-
- foo.com FOO.COM
- .foo.com FOO.COM
- .bar.com FOO.COM
-
- A krb5.conf file that covers this case might look like:
-
- [libdefaults]
- v4_instance_resolve = yes
- [realms]
- FOO.COM = {
- kdc = kerberos.foo.com
- v4_instance_convert = {
- foo = foo.com
- }
- v4_domains = foo.com
- }
-
- With this setup and the following host table:
-
- foo.com
- a-host.foo.com
- b-host.bar.com
- the following conversions will be made:
-
- rcmd.a-host -> host/a-host.foo.com
- ftp.b-host -> ftp/b-host.bar.com
- pop.foo -> pop/foo.com
- ftp.other -> ftp/other.foo.com
- other.a-host -> other/a-host
-
- The first three are what you expect. If you remove the "v4_domains", the
- fourth entry will result in an error (since the host "other" can't be
- found). Even if "a-host" is a valid host name, the last entry will not be
- converted, since the "other" name is not known to represent a host-type
- principal. If you turn off "v4_instance_resolve" the second example will
- result in "ftp/b-host.foo.com" (because of the default domain). And all
- of this is of course only valid if you have working name resolving.
-
-SEE ALSO
- krb5_build_principal(3), krb5_free_principal(3), krb5_parse_name(3),
- krb5_sname_to_principal(3), krb5_unparse_name(3), krb5.conf(5)
-
-HEIMDAL September 3, 2003 HEIMDAL
diff --git a/lib/krb5/krb5_acl_match_file.cat3 b/lib/krb5/krb5_acl_match_file.cat3
deleted file mode 100644
index 40b09c1f16f2..000000000000
--- a/lib/krb5/krb5_acl_match_file.cat3
+++ /dev/null
@@ -1,60 +0,0 @@
-KRB5_ACL_MATCH_FILE(3) BSD Library Functions Manual KRB5_ACL_MATCH_FILE(3)
-
-NAME
- krb5_acl_match_file, krb5_acl_match_string -- ACL matching functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- krb5_error_code
- krb5_acl_match_file(krb5_context context, const char *file,
- const char *format, ...);
-
- krb5_error_code
- krb5_acl_match_string(krb5_context context, const char *string,
- const char *format, ...);
-
-DESCRIPTION
- krb5_acl_match_file matches ACL format against each line in a file.
- Lines starting with # are treated like comments and ignored.
-
- krb5_acl_match_string matches ACL format against a string.
-
- The ACL format has three format specifiers: s, f, and r. Each specifier
- will retrieve one argument from the variable arguments for either match-
- ing or storing data. The input string is split up using " " and "\t" as
- a delimiter; multiple " " and "\t" in a row are considered to be the
- same.
-
- s Matches a string using strcmp(3) (case sensitive).
-
- f Matches the string with fnmatch(3). The flags argument (the
- last argument) passed to the fnmatch function is 0.
-
- r Returns a copy of the string in the char ** passed in; the
- copy must be freed with free(3). There is no need to free(3)
- the string on error: the function will clean up and set the
- pointer to NULL.
-
- All unknown format specifiers cause an error.
-
-EXAMPLES
- char *s;
-
- ret = krb5_acl_match_string(context, "foo", "s", "foo");
- if (ret)
- krb5_errx(context, 1, "acl didn't match");
- ret = krb5_acl_match_string(context, "foo foo baz/kaka",
- "ss", "foo", &s, "foo/*");
- if (ret) {
- /* no need to free(s) on error */
- assert(s == NULL);
- krb5_errx(context, 1, "acl didn't match");
- }
- free(s);
-
-SEE ALSO
- krb5(3)
-
-HEIMDAL May 12, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_aname_to_localname.cat3 b/lib/krb5/krb5_aname_to_localname.cat3
deleted file mode 100644
index 6c134bc3995e..000000000000
--- a/lib/krb5/krb5_aname_to_localname.cat3
+++ /dev/null
@@ -1,38 +0,0 @@
-KRB5_ANAME_TO_LOCALNA... BSD Library Functions Manual KRB5_ANAME_TO_LOCALNA...
-
-NAME
- krb5_aname_to_localname -- converts a principal to a system local name
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_boolean
- krb5_aname_to_localname(krb5_context context, krb5_const_principal name,
- size_t lnsize, char *lname);
-
-DESCRIPTION
- This function takes a principal name, verifies that it is in the local
- realm (using krb5_get_default_realms()) and then returns the local name
- of the principal.
-
- If name isn't in one of the local realms an error is returned.
-
- If the size (lnsize) of the local name (lname) is too small, an error is
- returned.
-
- krb5_aname_to_localname() should only be use by an application that im-
- plements protocols that don't transport the login name and thus needs to
- convert a principal to a local name.
-
- Protocols should be designed so that they authenticate using Kerberos,
- send over the login name and then verify the principal that is authenti-
- cated is allowed to login and the login name. A way to check if a user
- is allowed to login is using the function krb5_kuserok().
-
-SEE ALSO
- krb5_get_default_realms(3), krb5_kuserok(3)
-
-HEIMDAL February 18, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_appdefault.cat3 b/lib/krb5/krb5_appdefault.cat3
deleted file mode 100644
index 41674112d170..000000000000
--- a/lib/krb5/krb5_appdefault.cat3
+++ /dev/null
@@ -1,56 +0,0 @@
-KRB5_APPDEFAULT(3) BSD Library Functions Manual KRB5_APPDEFAULT(3)
-
-NAME
- krb5_appdefault_boolean, krb5_appdefault_string, krb5_appdefault_time --
- get application configuration value
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- void
- krb5_appdefault_boolean(krb5_context context, const char *appname,
- krb5_realm realm, const char *option, krb5_boolean def_val,
- krb5_boolean *ret_val);
-
- void
- krb5_appdefault_string(krb5_context context, const char *appname,
- krb5_realm realm, const char *option, const char *def_val,
- char **ret_val);
-
- void
- krb5_appdefault_time(krb5_context context, const char *appname,
- krb5_realm realm, const char *option, time_t def_val,
- time_t *ret_val);
-
-DESCRIPTION
- These functions get application defaults from the appdefaults section of
- the krb5.conf(5) configuration file. These defaults can be specified per
- application, and/or per realm.
-
- These values will be looked for in krb5.conf(5), in order of descending
- importance.
-
- [appdefaults]
- appname = {
- realm = {
- option = value
- }
- }
- appname = {
- option = value
- }
- realm = {
- option = value
- }
- option = value
- appname is the name of the application, and realm is the realm name. If
- the realm is omitted it will not be used for resolving values. def_val
- is the value to return if no value is found in krb5.conf(5).
-
-SEE ALSO
- krb5_config(3), krb5.conf(5)
-
-HEIMDAL July 25, 2000 HEIMDAL
diff --git a/lib/krb5/krb5_auth_context.cat3 b/lib/krb5/krb5_auth_context.cat3
deleted file mode 100644
index 7b0366e42777..000000000000
--- a/lib/krb5/krb5_auth_context.cat3
+++ /dev/null
@@ -1,220 +0,0 @@
-KRB5_AUTH_CONTEXT(3) BSD Library Functions Manual KRB5_AUTH_CONTEXT(3)
-
-NAME
- krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
- krb5_auth_con_generatelocalsubkey, krb5_auth_con_getaddrs,
- krb5_auth_con_getauthenticator, krb5_auth_con_getflags,
- krb5_auth_con_getkey, krb5_auth_con_getlocalsubkey,
- krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey,
- krb5_auth_con_getuserkey, krb5_auth_con_init, krb5_auth_con_initivector,
- krb5_auth_con_removeflags, krb5_auth_con_setaddrs,
- krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags,
- krb5_auth_con_setivector, krb5_auth_con_setkey,
- krb5_auth_con_setlocalsubkey, krb5_auth_con_setrcache,
- krb5_auth_con_setremotesubkey, krb5_auth_con_setuserkey,
- krb5_auth_context, krb5_auth_getcksumtype, krb5_auth_getkeytype,
- krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber,
- krb5_auth_setcksumtype, krb5_auth_setkeytype,
- krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,
- krb5_free_authenticator -- manage authentication on connection level
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_auth_con_init(krb5_context context,
- krb5_auth_context *auth_context);
-
- void
- krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
-
- krb5_error_code
- krb5_auth_con_setflags(krb5_context context,
- krb5_auth_context auth_context, int32_t flags);
-
- krb5_error_code
- krb5_auth_con_getflags(krb5_context context,
- krb5_auth_context auth_context, int32_t *flags);
-
- krb5_error_code
- krb5_auth_con_addflags(krb5_context context,
- krb5_auth_context auth_context, int32_t addflags, int32_t *flags);
-
- krb5_error_code
- krb5_auth_con_removeflags(krb5_context context,
- krb5_auth_context auth_context, int32_t removelags, int32_t *flags);
-
- krb5_error_code
- krb5_auth_con_setaddrs(krb5_context context,
- krb5_auth_context auth_context, krb5_address *local_addr,
- krb5_address *remote_addr);
-
- krb5_error_code
- krb5_auth_con_getaddrs(krb5_context context,
- krb5_auth_context auth_context, krb5_address **local_addr,
- krb5_address **remote_addr);
-
- krb5_error_code
- krb5_auth_con_genaddrs(krb5_context context,
- krb5_auth_context auth_context, int fd, int flags);
-
- krb5_error_code
- krb5_auth_con_setaddrs_from_fd(krb5_context context,
- krb5_auth_context auth_context, void *p_fd);
-
- krb5_error_code
- krb5_auth_con_getkey(krb5_context context,
- krb5_auth_context auth_context, krb5_keyblock **keyblock);
-
- krb5_error_code
- krb5_auth_con_getlocalsubkey(krb5_context context,
- krb5_auth_context auth_context, krb5_keyblock **keyblock);
-
- krb5_error_code
- krb5_auth_con_getremotesubkey(krb5_context context,
- krb5_auth_context auth_context, krb5_keyblock **keyblock);
-
- krb5_error_code
- krb5_auth_con_generatelocalsubkey(krb5_context context,
- krb5_auth_context auth_context, krb5_keyblock, *key");
-
- krb5_error_code
- krb5_auth_con_initivector(krb5_context context,
- krb5_auth_context auth_context);
-
- krb5_error_code
- krb5_auth_con_setivector(krb5_context context,
- krb5_auth_context *auth_context, krb5_pointer ivector);
-
- void
- krb5_free_authenticator(krb5_context context,
- krb5_authenticator *authenticator);
-
-DESCRIPTION
- The krb5_auth_context structure holds all context related to an authenti-
- cated connection, in a similar way to krb5_context that holds the context
- for the thread or process. krb5_auth_context is used by various func-
- tions that are directly related to authentication between the
- server/client. Example of data that this structure contains are various
- flags, addresses of client and server, port numbers, keyblocks (and sub-
- keys), sequence numbers, replay cache, and checksum-type.
-
- krb5_auth_con_init() allocates and initializes the krb5_auth_context
- structure. Default values can be changed with
- krb5_auth_con_setcksumtype() and krb5_auth_con_setflags(). The
- auth_context structure must be freed by krb5_auth_con_free().
-
- krb5_auth_con_getflags(), krb5_auth_con_setflags(),
- krb5_auth_con_addflags() and krb5_auth_con_removeflags() gets and modi-
- fies the flags for a krb5_auth_context structure. Possible flags to set
- are:
-
- KRB5_AUTH_CONTEXT_DO_SEQUENCE
- Generate and check sequence-number on each packet.
-
- KRB5_AUTH_CONTEXT_DO_TIME
- Check timestamp on incoming packets.
-
- KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
- Return sequence numbers and time stamps in the outdata parame-
- ters.
-
- KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
- will force krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to
- create unencrypted ) KRB5_ENCTYPE_NULL) credentials. This is for
- use with old MIT server and JAVA based servers as they can't han-
- dle encrypted KRB-CRED. Note that sending such KRB-CRED is clear
- exposes crypto keys and tickets and is insecure, make sure the
- packet is encrypted in the protocol. krb5_rd_cred(3),
- krb5_rd_priv(3), krb5_rd_safe(3), krb5_mk_priv(3) and
- krb5_mk_safe(3). Setting this flag requires that parameter to be
- passed to these functions.
-
- The flags KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior
- the function krb5_get_forwarded_creds() by removing the timestamp
- in the forward credential message, this have backward compatibil-
- ity problems since not all versions of the heimdal supports time-
- less credentional messages. Is very useful since it always the
- sender of the message to cache forward message and thus avoiding
- a round trip to the KDC for each time a credential is forwarded.
- The same functionality can be obtained by using address-less
- tickets.
-
- krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and
- krb5_auth_con_getaddrs() gets and sets the addresses that are checked
- when a packet is received. It is mandatory to set an address for the re-
- mote host. If the local address is not set, it iss deduced from the un-
- derlaying operating system. krb5_auth_con_getaddrs() will call
- krb5_free_address() on any address that is passed in local_addr or
- remote_addr. krb5_auth_con_setaddr() allows passing in a NULL pointer as
- local_addr and remote_addr, in that case it will just not set that ad-
- dress.
-
- krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file de-
- scriptor.
-
- krb5_auth_con_genaddrs() fetches the address information from the given
- file descriptor fd depending on the bitmap argument flags.
-
- Possible values on flags are:
-
- KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
- fetches the local address from fd.
-
- KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
- fetches the remote address from fd.
-
- krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and
- krb5_auth_con_getkey() gets and sets the key used for this auth context.
- The keyblock returned by krb5_auth_con_getkey() should be freed with
- krb5_free_keyblock(). The keyblock send into krb5_auth_con_setkey() is
- copied into the krb5_auth_context, and thus no special handling is
- needed. NULL is not a valid keyblock to krb5_auth_con_setkey().
-
- krb5_auth_con_setuserkey() is only useful when doing user to user authen-
- tication. krb5_auth_con_setkey() is equivalent to
- krb5_auth_con_setuserkey().
-
- krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
- krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() gets
- and sets the keyblock for the local and remote subkey. The keyblock re-
- turned by krb5_auth_con_getlocalsubkey() and
- krb5_auth_con_getremotesubkey() must be freed with krb5_free_keyblock().
-
- krb5_auth_setcksumtype() and krb5_auth_getcksumtype() sets and gets the
- checksum type that should be used for this connection.
-
- krb5_auth_con_generatelocalsubkey() generates a local subkey that have
- the same encryption type as key.
-
- krb5_auth_getremoteseqnumber() krb5_auth_setremoteseqnumber(),
- krb5_auth_getlocalseqnumber() and krb5_auth_setlocalseqnumber() gets and
- sets the sequence-number for the local and remote sequence-number
- counter.
-
- krb5_auth_setkeytype() and krb5_auth_getkeytype() gets and gets the key-
- type of the keyblock in krb5_auth_context.
-
- krb5_auth_con_getauthenticator() Retrieves the authenticator that was
- used during mutual authentication. The authenticator returned should be
- freed by calling krb5_free_authenticator().
-
- krb5_auth_con_getrcache() and krb5_auth_con_setrcache() gets and sets the
- replay-cache.
-
- krb5_auth_con_initivector() allocates memory for and zeros the initial
- vector in the auth_context keyblock.
-
- krb5_auth_con_setivector() sets the i_vector portion of auth_context to
- ivector.
-
- krb5_free_authenticator() free the content of authenticator and
- authenticator itself.
-
-SEE ALSO
- krb5_context(3), kerberos(8)
-
-HEIMDAL May 17, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_c_make_checksum.cat3 b/lib/krb5/krb5_c_make_checksum.cat3
deleted file mode 100644
index b83c0e29065a..000000000000
--- a/lib/krb5/krb5_c_make_checksum.cat3
+++ /dev/null
@@ -1,141 +0,0 @@
-KRB5_C_MAKE_CHECKSUM(3) BSD Library Functions Manual KRB5_C_MAKE_CHECKSUM(3)
-
-NAME
- krb5_c_block_size, krb5_c_decrypt, krb5_c_encrypt, krb5_c_encrypt_length,
- krb5_c_enctype_compare, krb5_c_get_checksum, krb5_c_is_coll_proof_cksum,
- krb5_c_is_keyed_cksum, krb5_c_keylength, krb5_c_make_checksum,
- krb5_c_make_random_key, krb5_c_set_checksum, krb5_c_valid_cksumtype,
- krb5_c_valid_enctype, krb5_c_verify_checksum, krb5_c_checksum_length --
- Kerberos 5 crypto API
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_c_block_size(krb5_context context, krb5_enctype enctype,
- size_t *blocksize);
-
- krb5_error_code
- krb5_c_decrypt(krb5_context context, const krb5_keyblock key,
- krb5_keyusage usage, const krb5_data *ivec, krb5_enc_data *input,
- krb5_data *output);
-
- krb5_error_code
- krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
- krb5_keyusage usage, const krb5_data *ivec, const krb5_data *input,
- krb5_enc_data *output);
-
- krb5_error_code
- krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype,
- size_t inputlen, size_t *length);
-
- krb5_error_code
- krb5_c_enctype_compare(krb5_context context, krb5_enctype e1,
- krb5_enctype e2, krb5_boolean *similar);
-
- krb5_error_code
- krb5_c_make_random_key(krb5_context context, krb5_enctype enctype,
- krb5_keyblock *random_key);
-
- krb5_error_code
- krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
- const krb5_keyblock *key, krb5_keyusage usage,
- const krb5_data *input, krb5_checksum *cksum);
-
- krb5_error_code
- krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
- krb5_keyusage usage, const krb5_data *data,
- const krb5_checksum *cksum, krb5_boolean *valid);
-
- krb5_error_code
- krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype,
- size_t *length);
-
- krb5_error_code
- krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum,
- krb5_cksumtype *type, krb5_data **data);
-
- krb5_error_code
- krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum,
- krb5_cksumtype type, const krb5_data *data);
-
- krb5_boolean
- krb5_c_valid_enctype(krb5_enctype, etype");
-
- krb5_boolean
- krb5_c_valid_cksumtype(krb5_cksumtype ctype);
-
- krb5_boolean
- krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype);
-
- krb5_boolean
- krb5_c_is_keyed_cksum(krb5_cksumtype ctype);
-
- krb5_error_code
- krb5_c_keylengths(krb5_context context, krb5_enctype enctype,
- size_t *inlength, size_t *keylength);
-
-DESCRIPTION
- The functions starting with krb5_c are compat functions with MIT ker-
- beros.
-
- The krb5_enc_data structure holds and encrypted data. There are two pub-
- lic accessible members of krb5_enc_data. enctype that holds the encryp-
- tion type of the data encrypted and ciphertext that is a krb5_data that
- might contain the encrypted data.
-
- krb5_c_block_size() returns the blocksize of the encryption type.
-
- krb5_c_decrypt() decrypts input and store the data in output. If ivec is
- NULL the default initialization vector for that encryption type will be
- used.
-
- krb5_c_encrypt() encrypts the plaintext in input and store the ciphertext
- in output.
-
- krb5_c_encrypt_length() returns the length the encrypted data given the
- plaintext length.
-
- krb5_c_enctype_compare() compares to encryption types and returns if they
- use compatible encryption key types.
-
- krb5_c_make_checksum() creates a checksum cksum with the checksum type
- cksumtype of the data in data. key and usage are used if the checksum is
- a keyed checksum type. Returns 0 or an error code.
-
- krb5_c_verify_checksum() verifies the checksum of data in cksum that was
- created with key using the key usage usage. verify is set to non-zero if
- the checksum verifies correctly and zero if not. Returns 0 or an error
- code.
-
- krb5_c_checksum_length() returns the length of the checksum.
-
- krb5_c_set_checksum() sets the krb5_checksum structure given type and
- data. The content of cksum should be freeed with
- krb5_c_free_checksum_contents().
-
- krb5_c_get_checksum() retrieves the components of the krb5_checksum.
- structure. data should be free with krb5_free_data(). If some either of
- data or checksum is not needed for the application, NULL can be passed
- in.
-
- krb5_c_valid_enctype() returns true if etype is a valid encryption type.
-
- krb5_c_valid_cksumtype() returns true if ctype is a valid checksum type.
-
- krb5_c_is_keyed_cksum() return true if ctype is a keyed checksum type.
-
- krb5_c_is_coll_proof_cksum() returns true if ctype is a collision proof
- checksum type.
-
- krb5_c_keylengths() return the minimum length (inlength) bytes needed to
- create a key and the length (keylength) of the resulting key for the
- enctype.
-
-SEE ALSO
- krb5(3), krb5_create_checksum(3), krb5_free_data(3), kerberos(8)
-
-HEIMDAL Nov 17, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_ccapi.h b/lib/krb5/krb5_ccapi.h
index 06d8886145af..ed7b848c6b97 100644
--- a/lib/krb5/krb5_ccapi.h
+++ b/lib/krb5/krb5_ccapi.h
@@ -38,7 +38,7 @@
#include <krb5-types.h>
-#ifdef __APPLE__
+#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
#pragma pack(push,2)
#endif
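Review bot: The architecture test that now guards `#pragma pack(push,2)` is repeated verbatim in the later hunk at `#pragma pack(pop)`, and nothing ties the two copies together. If one is edited without the other, the push and pop stop matching and every declaration included after this header is laid out with the wrong packing. These structures look like they are shared with an external credential-cache implementation (not confirmed from the hunk), so a layout mismatch would surface as misread function tables at run time rather than a build error. Consider evaluating the condition once, e.g. `#define KRB5_CCAPI_PACK2 1` under this `#if`, and guarding both pragmas with `#ifdef KRB5_CCAPI_PACK2`. A short comment would also help, for instance `/* 2-byte packing only on the Apple targets listed here; others use natural alignment */`, with the rationale confirmed against the CCAPI headers. Both hunks show only part of the header.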
@@ -231,7 +231,7 @@ struct cc_context_t {
typedef cc_int32
(*cc_initialize_func)(cc_context_t*, cc_int32, cc_int32 *, char const **);
-#if defined(__APPLE__)
+#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
#pragma pack(pop)
#endif
diff --git a/lib/krb5/krb5_check_transited.cat3 b/lib/krb5/krb5_check_transited.cat3
deleted file mode 100644
index 9907d6cc27c1..000000000000
--- a/lib/krb5/krb5_check_transited.cat3
+++ /dev/null
@@ -1,48 +0,0 @@
-KRB5_CHECK_TRANSITED(3) BSD Library Functions Manual KRB5_CHECK_TRANSITED(3)
-
-NAME
- krb5_check_transited, krb5_check_transited_realms,
- krb5_domain_x500_decode, krb5_domain_x500_encode -- realm transit verifi-
- cation and encoding/decoding functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_check_transited(krb5_context context, krb5_const_realm client_realm,
- krb5_const_realm server_realm, krb5_realm *realms, int num_realms,
- int *bad_realm);
-
- krb5_error_code
- krb5_check_transited_realms(krb5_context context,
- const char *const *realms, int num_realms, int *bad_realm);
-
- krb5_error_code
- krb5_domain_x500_decode(krb5_context context, krb5_data tr,
- char ***realms, int *num_realms, const char *client_realm,
- const char *server_realm);
-
- krb5_error_code
- krb5_domain_x500_encode(char **realms, int num_realms,
- krb5_data *encoding);
-
-DESCRIPTION
- krb5_check_transited() checks the path from client_realm to server_realm
- where realms and num_realms is the realms between them. If the function
- returns an error value, bad_realm will be set to the realm in the list
- causing the error. krb5_check_transited() is used internally by the KDC
- and libkrb5 and should not be called by client applications.
-
- krb5_check_transited_realms() is deprecated.
-
- krb5_domain_x500_encode() and krb5_domain_x500_decode() encodes and de-
- codes the realm names in the X500 format that Kerberos uses to describe
- the transited realms in krbtgts.
-
-SEE ALSO
- krb5(3), krb5.conf(5)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_create_checksum.cat3 b/lib/krb5/krb5_create_checksum.cat3
deleted file mode 100644
index 673f56d708b6..000000000000
--- a/lib/krb5/krb5_create_checksum.cat3
+++ /dev/null
@@ -1,112 +0,0 @@
-NAME(3) BSD Library Functions Manual NAME(3)
-
-NAME
- krb5_checksum, krb5_checksum_disable, krb5_checksum_is_collision_proof,
- krb5_checksum_is_keyed, krb5_checksumsize, krb5_cksumtype_valid,
- krb5_copy_checksum, krb5_create_checksum, krb5_crypto_get_checksum_type
- krb5_free_checksum, krb5_free_checksum_contents, krb5_hmac,
- krb5_verify_checksum -- creates, handles and verifies checksums
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- typedef Checksum krb5_checksum;
-
- void
- krb5_checksum_disable(krb5_context context, krb5_cksumtype type);
-
- krb5_boolean
- krb5_checksum_is_collision_proof(krb5_context context,
- krb5_cksumtype type);
-
- krb5_boolean
- krb5_checksum_is_keyed(krb5_context context, krb5_cksumtype type);
-
- krb5_error_code
- krb5_cksumtype_valid(krb5_context context, krb5_cksumtype ctype);
-
- krb5_error_code
- krb5_checksumsize(krb5_context context, krb5_cksumtype type,
- size_t *size);
-
- krb5_error_code
- krb5_create_checksum(krb5_context context, krb5_crypto crypto,
- krb5_key_usage usage, int type, void *data, size_t len,
- Checksum *result);
-
- krb5_error_code
- krb5_verify_checksum(krb5_context context, krb5_crypto crypto,
- krb5_key_usage usage, void *data, size_t len, Checksum *cksum);
-
- krb5_error_code
- krb5_crypto_get_checksum_type(krb5_context context, krb5_crypto crypto,
- krb5_cksumtype *type);
-
- void
- krb5_free_checksum(krb5_context context, krb5_checksum *cksum);
-
- void
- krb5_free_checksum_contents(krb5_context context, krb5_checksum *cksum);
-
- krb5_error_code
- krb5_hmac(krb5_context context, krb5_cksumtype cktype, const void *data,
- size_t len, unsigned usage, krb5_keyblock *key, Checksum *result);
-
- krb5_error_code
- krb5_copy_checksum(krb5_context context, const krb5_checksum *old,
- krb5_checksum **new);
-
-DESCRIPTION
- The krb5_checksum structure holds a Kerberos checksum. There is no com-
- ponent inside krb5_checksum that is directly referable.
-
- The functions are used to create and verify checksums.
- krb5_create_checksum() creates a checksum of the specified data, and puts
- it in result. If crypto is NULL, usage_or_type specifies the checksum
- type to use; it must not be keyed. Otherwise crypto is an encryption con-
- text created by krb5_crypto_init(), and usage_or_type specifies a key-us-
- age.
-
- krb5_verify_checksum() verifies the checksum against the provided data.
-
- krb5_checksum_is_collision_proof() returns true is the specified checksum
- is collision proof (that it's very unlikely that two strings has the same
- hash value, and that it's hard to find two strings that has the same
- hash). Examples of collision proof checksums are MD5, and SHA1, while
- CRC32 is not.
-
- krb5_checksum_is_keyed() returns true if the specified checksum type is
- keyed (that the hash value is a function of both the data, and a separate
- key). Examples of keyed hash algorithms are HMAC-SHA1-DES3, and RSA-
- MD5-DES. The "plain" hash functions MD5, and SHA1 are not keyed.
-
- krb5_crypto_get_checksum_type() returns the checksum type that will be
- used when creating a checksum for the given crypto context. This func-
- tion is useful in combination with krb5_checksumsize() when you want to
- know the size a checksum will use when you create it.
-
- krb5_cksumtype_valid() returns 0 or an error if the checksumtype is im-
- plemented and not currently disabled in this kerberos library.
-
- krb5_checksumsize() returns the size of the outdata of checksum function.
-
- krb5_copy_checksum() returns a copy of the checksum krb5_free_checksum()
- should use used to free the new checksum.
-
- krb5_free_checksum() free the checksum and the content of the checksum.
-
- krb5_free_checksum_contents() frees the content of checksum in cksum.
-
- krb5_hmac() calculates the HMAC over data (with length len) using the
- keyusage usage and keyblock key. Note that keyusage is not always used
- in checksums.
-
- krb5_checksum_disable globally disables the checksum type.
-
-SEE ALSO
- krb5_crypto_init(3), krb5_c_encrypt(3), krb5_encrypt(3)
-
-HEIMDAL August 12, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_creds.cat3 b/lib/krb5/krb5_creds.cat3
deleted file mode 100644
index a7254961e9af..000000000000
--- a/lib/krb5/krb5_creds.cat3
+++ /dev/null
@@ -1,57 +0,0 @@
-KRB5_CREDS(3) BSD Library Functions Manual KRB5_CREDS(3)
-
-NAME
- krb5_creds, krb5_copy_creds, krb5_copy_creds_contents, krb5_free_creds,
- krb5_free_cred_contents -- Kerberos 5 credential handling functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_copy_creds(krb5_context context, const krb5_creds *incred,
- krb5_creds **outcred);
-
- krb5_error_code
- krb5_copy_creds_contents(krb5_context context, const krb5_creds *incred,
- krb5_creds *outcred);
-
- krb5_error_code
- krb5_free_creds(krb5_context context, krb5_creds *outcred);
-
- krb5_error_code
- krb5_free_cred_contents(krb5_context context, krb5_creds *cred);
-
-DESCRIPTION
- krb5_creds holds Kerberos credentials:
-
- typedef struct krb5_creds {
- krb5_principal client;
- krb5_principal server;
- krb5_keyblock session;
- krb5_times times;
- krb5_data ticket;
- krb5_data second_ticket;
- krb5_authdata authdata;
- krb5_addresses addresses;
- krb5_ticket_flags flags;
- } krb5_creds;
-
- krb5_copy_creds() makes a copy of incred to outcred. outcred should be
- freed with krb5_free_creds() by the caller.
-
- krb5_copy_creds_contents() makes a copy of the content of incred to
- outcreds. outcreds should be freed by the called with
- krb5_free_creds_contents().
-
- krb5_free_creds() frees the content of the cred structure and the struc-
- ture itself.
-
- krb5_free_cred_contents() frees the content of the cred structure.
-
-SEE ALSO
- krb5(3), krb5_compare_creds(3), krb5_get_init_creds(3), kerberos(8)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_digest.cat3 b/lib/krb5/krb5_digest.cat3
deleted file mode 100644
index ac69a1305b86..000000000000
--- a/lib/krb5/krb5_digest.cat3
+++ /dev/null
@@ -1,145 +0,0 @@
-KRB5_DIGEST(3) BSD Library Functions Manual KRB5_DIGEST(3)
-
-NAME
- krb5_digest, krb5_digest_alloc, krb5_digest_free,
- krb5_digest_set_server_cb, krb5_digest_set_type,
- krb5_digest_set_hostname, krb5_digest_get_server_nonce,
- krb5_digest_set_server_nonce, krb5_digest_get_opaque,
- krb5_digest_set_opaque, krb5_digest_get_identifier,
- krb5_digest_set_identifier, krb5_digest_init_request,
- krb5_digest_set_client_nonce, krb5_digest_set_digest,
- krb5_digest_set_username, krb5_digest_set_authid,
- krb5_digest_set_authentication_user, krb5_digest_set_realm,
- krb5_digest_set_method, krb5_digest_set_uri, krb5_digest_set_nonceCount,
- krb5_digest_set_qop, krb5_digest_request, krb5_digest_get_responseData,
- krb5_digest_get_rsp, krb5_digest_get_tickets,
- krb5_digest_get_client_binding, krb5_digest_get_a1_hash -- remote digest
- (HTTP-DIGEST, SASL, CHAP) support
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- typedef struct krb5_digest *krb5_digest;
-
- krb5_error_code
- krb5_digest_alloc(krb5_context context, krb5_digest *digest);
-
- void
- krb5_digest_free(krb5_digest digest);
-
- krb5_error_code
- krb5_digest_set_type(krb5_context context, krb5_digest digest,
- const char *type);
-
- krb5_error_code
- krb5_digest_set_server_cb(krb5_context context, krb5_digest digest,
- const char *type, const char *binding);
-
- krb5_error_code
- krb5_digest_set_hostname(krb5_context context, krb5_digest digest,
- const char *hostname);
-
- const char *
- krb5_digest_get_server_nonce(krb5_context context, krb5_digest digest);
-
- krb5_error_code
- krb5_digest_set_server_nonce(krb5_context context, krb5_digest digest,
- const char *nonce);
-
- const char *
- krb5_digest_get_opaque(krb5_context context, krb5_digest digest);
-
- krb5_error_code
- krb5_digest_set_opaque(krb5_context context, krb5_digest digest,
- const char *opaque);
-
- const char *
- krb5_digest_get_identifier(krb5_context context, krb5_digest digest);
-
- krb5_error_code
- krb5_digest_set_identifier(krb5_context context, krb5_digest digest,
- const char *id);
-
- krb5_error_code
- krb5_digest_init_request(krb5_context context, krb5_digest digest,
- krb5_realm realm, krb5_ccache ccache);
-
- krb5_error_code
- krb5_digest_set_client_nonce(krb5_context context, krb5_digest digest,
- const char *nonce);
-
- krb5_error_code
- krb5_digest_set_digest(krb5_context context, krb5_digest digest,
- const char *dgst);
-
- krb5_error_code
- krb5_digest_set_username(krb5_context context, krb5_digest digest,
- const char *username);
-
- krb5_error_code
- krb5_digest_set_authid(krb5_context context, krb5_digest digest,
- const char *authid);
-
- krb5_error_code
- krb5_digest_set_authentication_user(krb5_context context,
- krb5_digest digest, krb5_principal authentication_user);
-
- krb5_error_code
- krb5_digest_set_realm(krb5_context context, krb5_digest digest,
- const char *realm);
-
- krb5_error_code
- krb5_digest_set_method(krb5_context context, krb5_digest digest,
- const char *method);
-
- krb5_error_code
- krb5_digest_set_uri(krb5_context context, krb5_digest digest,
- const char *uri);
-
- krb5_error_code
- krb5_digest_set_nonceCount(krb5_context context, krb5_digest digest,
- const char *nonce_count);
-
- krb5_error_code
- krb5_digest_set_qop(krb5_context context, krb5_digest digest,
- const char *qop);
-
- krb5_error_code
- krb5_digest_request(krb5_context context, krb5_digest digest,
- krb5_realm realm, krb5_ccache ccache);
-
- const char *
- krb5_digest_get_responseData(krb5_context context, krb5_digest digest);
-
- const char *
- krb5_digest_get_rsp(krb5_context context, krb5_digest digest);
-
- krb5_error_code
- krb5_digest_get_tickets(krb5_context context, krb5_digest digest,
- Ticket **tickets);
-
- krb5_error_code
- krb5_digest_get_client_binding(krb5_context context, krb5_digest digest,
- char **type, char **binding);
-
- krb5_error_code
- krb5_digest_get_a1_hash(krb5_context context, krb5_digest digest,
- krb5_data *data);
-
-DESCRIPTION
- The krb5_digest_alloc() function allocatates the digest structure. The
- structure should be freed with krb5_digest_free() when it is no longer
- being used.
-
- krb5_digest_alloc() returns 0 to indicate success. Otherwise an kerberos
- code is returned and the pointer that digest points to is set to NULL.
-
- krb5_digest_free() free the structure digest.
-
-SEE ALSO
- krb5(3), kerberos(8)
-
-HEIMDAL February 18, 2007 HEIMDAL
diff --git a/lib/krb5/krb5_eai_to_heim_errno.cat3 b/lib/krb5/krb5_eai_to_heim_errno.cat3
deleted file mode 100644
index 721914050761..000000000000
--- a/lib/krb5/krb5_eai_to_heim_errno.cat3
+++ /dev/null
@@ -1,28 +0,0 @@
-KRB5_EAI_TO_HEIM_ERRN... BSD Library Functions Manual KRB5_EAI_TO_HEIM_ERRN...
-
-NAME
- krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno -- convert resolver
- error code to com_err error codes
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_eai_to_heim_errno(int eai_errno, int system_error);
-
- krb5_error_code
- krb5_h_errno_to_heim_errno(int eai_errno);
-
-DESCRIPTION
- krb5_eai_to_heim_errno() and krb5_h_errno_to_heim_errno() convert
- getaddrinfo(3), getnameinfo(3), and h_errno(3) to com_err error code that
- are used by Heimdal, this is useful for for function returning kerberos
- errors and needs to communicate failures from resolver function.
-
-SEE ALSO
- krb5(3), kerberos(8)
-
-HEIMDAL April 13, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_encrypt.cat3 b/lib/krb5/krb5_encrypt.cat3
deleted file mode 100644
index dd0c0c04e002..000000000000
--- a/lib/krb5/krb5_encrypt.cat3
+++ /dev/null
@@ -1,137 +0,0 @@
-KRB5_ENCRYPT(3) BSD Library Functions Manual KRB5_ENCRYPT(3)
-
-NAME
- krb5_crypto_getblocksize, krb5_crypto_getconfoundersize
- krb5_crypto_getenctype, krb5_crypto_getpadsize, krb5_crypto_overhead,
- krb5_decrypt, krb5_decrypt_EncryptedData, krb5_decrypt_ivec,
- krb5_decrypt_ticket, krb5_encrypt, krb5_encrypt_EncryptedData,
- krb5_encrypt_ivec, krb5_enctype_disable, krb5_enctype_keysize,
- krb5_enctype_to_string, krb5_enctype_valid, krb5_get_wrapped_length,
- krb5_string_to_enctype -- encrypt and decrypt data, set and get encryp-
- tion type parameters
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_encrypt(krb5_context context, krb5_crypto crypto, unsigned usage,
- void *data, size_t len, krb5_data *result);
-
- krb5_error_code
- krb5_encrypt_EncryptedData(krb5_context context, krb5_crypto crypto,
- unsigned usage, void *data, size_t len, int kvno,
- EncryptedData *result);
-
- krb5_error_code
- krb5_encrypt_ivec(krb5_context context, krb5_crypto crypto,
- unsigned usage, void *data, size_t len, krb5_data *result,
- void *ivec);
-
- krb5_error_code
- krb5_decrypt(krb5_context context, krb5_crypto crypto, unsigned usage,
- void *data, size_t len, krb5_data *result);
-
- krb5_error_code
- krb5_decrypt_EncryptedData(krb5_context context, krb5_crypto crypto,
- unsigned usage, EncryptedData *e, krb5_data *result);
-
- krb5_error_code
- krb5_decrypt_ivec(krb5_context context, krb5_crypto crypto,
- unsigned usage, void *data, size_t len, krb5_data *result,
- void *ivec);
-
- krb5_error_code
- krb5_decrypt_ticket(krb5_context context, Ticket *ticket,
- krb5_keyblock *key, EncTicketPart *out, krb5_flags flags);
-
- krb5_error_code
- krb5_crypto_getblocksize(krb5_context context, size_t *blocksize);
-
- krb5_error_code
- krb5_crypto_getenctype(krb5_context context, krb5_crypto crypto,
- krb5_enctype *enctype);
-
- krb5_error_code
- krb5_crypto_getpadsize(krb5_context context, size_t, *padsize");
-
- krb5_error_code
- krb5_crypto_getconfoundersize(krb5_context context, krb5_crypto crypto,
- size_t, *confoundersize");
-
- krb5_error_code
- krb5_enctype_keysize(krb5_context context, krb5_enctype type,
- size_t *keysize);
-
- krb5_error_code
- krb5_crypto_overhead(krb5_context context, size_t, *padsize");
-
- krb5_error_code
- krb5_string_to_enctype(krb5_context context, const char *string,
- krb5_enctype *etype);
-
- krb5_error_code
- krb5_enctype_to_string(krb5_context context, krb5_enctype etype,
- char **string);
-
- krb5_error_code
- krb5_enctype_valid(krb5_context context, krb5_enctype etype);
-
- void
- krb5_enctype_disable(krb5_context context, krb5_enctype etype);
-
- size_t
- krb5_get_wrapped_length(krb5_context context, krb5_crypto crypto,
- size_t data_len);
-
-DESCRIPTION
- These functions are used to encrypt and decrypt data.
-
- krb5_encrypt_ivec() puts the encrypted version of data (of size len) in
- result. If the encryption type supports using derived keys, usage should
- be the appropriate key-usage. ivec is a pointer to a initial IV, it is
- modified to the end IV at the end of the round. Ivec should be the size
- of If NULL is passed in, the default IV is used. krb5_encrypt() does the
- same as krb5_encrypt_ivec() but with ivec being NULL.
- krb5_encrypt_EncryptedData() does the same as krb5_encrypt(), but it puts
- the encrypted data in a EncryptedData structure instead. If kvno is not
- zero, it will be put in the (optional) kvno field in the EncryptedData.
-
- krb5_decrypt_ivec(), krb5_decrypt(), and krb5_decrypt_EncryptedData()
- works similarly.
-
- krb5_decrypt_ticket() decrypts the encrypted part of ticket with key.
- krb5_decrypt_ticket() also verifies the timestamp in the ticket, invalid
- flag and if the KDC haven't verified the transited path, the transit
- path.
-
- krb5_enctype_keysize(), krb5_crypto_getconfoundersize(),
- krb5_crypto_getblocksize(), krb5_crypto_getenctype(),
- krb5_crypto_getpadsize(), krb5_crypto_overhead() all returns various
- (sometimes) useful information from a crypto context.
- krb5_crypto_overhead() is the combination of krb5_crypto_getconfounder-
- size, krb5_crypto_getblocksize and krb5_crypto_getpadsize and return the
- maximum overhead size.
-
- krb5_enctype_to_string() converts a encryption type number to a string
- that can be printable and stored. The strings returned should be freed
- with free(3).
-
- krb5_string_to_enctype() converts a encryption type strings to a encryp-
- tion type number that can use used for other Kerberos crypto functions.
-
- krb5_enctype_valid() returns 0 if the encrypt is supported and not dis-
- abled, otherwise and error code is returned.
-
- krb5_enctype_disable() (globally, for all contextes) disables the
- enctype.
-
- krb5_get_wrapped_length() returns the size of an encrypted packet by
- crypto of length data_len.
-
-SEE ALSO
- krb5_create_checksum(3), krb5_crypto_init(3)
-
-HEIMDAL March 20, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_err.et b/lib/krb5/krb5_err.et
index f660fbae7829..1a64c14a411d 100644
--- a/lib/krb5/krb5_err.et
+++ b/lib/krb5/krb5_err.et
@@ -3,6 +3,8 @@
#
# This might look like a com_err file, but is not
#
+# Do try to keep this in sync with MIT's.
+#
id "$Id$"
error_table krb5
@@ -92,7 +94,7 @@ error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
error_code INVALID_CERTIFICATE, "Certificate invalid"
error_code REVOKED_CERTIFICATE, "Certificate revoked"
error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown"
-error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unavaible"
+error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unavailable"
error_code CLIENT_NAME_MISMATCH, "Client name mismatch in certificate"
error_code INCONSISTENT_KEY_PURPOSE, "Inconsistent key purpose"
error_code DIGEST_IN_CERT_NOT_ACCEPTED, "Digest in certificate not accepted"
@@ -101,12 +103,16 @@ error_code DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, "Digest in signedData not accepte
error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not supported"
## these are never used
-#index 80
+#index 85
#prefix KRB5_IAKERB
#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC"
#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC"
-# 82-93 are reserved
+index 91
+error_code MORE_PREAUTH_DATA_REQUIRED, "More pre-authentication data required"
+
+index 93
+error_code UNKNOWN_CRITICAL_FAST_OPTIONS, "Unknown critical FAST options"
index 94
error_code INVALID_HASH_ALG, "Invalid OTP digest algorithm"
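Review bot: The removed `# 82-93 are reserved` comment has no replacement, so nothing on the new side says that the numbers skipped around the `index 91`, `index 93` and `index 94` anchors are still unassigned. An `error_code` line added directly after `MORE_PREAUTH_DATA_REQUIRED` would silently take 92. I would keep a comment above `index 93`, for example `# 92 is reserved; add new codes only behind an explicit index line`. The commented-out IAKERB block now reads `#index 85` but still sits under `## these are never used`, so a short remark on where 85 comes from would help the next reader.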
@@ -265,15 +271,44 @@ error_code KRB5_SAM_INVALID_ETYPE, "Invalid encryption type in SAM challenge"
error_code KRB5_SAM_NO_CHECKSUM, "Missing checksum in SAM challenge"
error_code KRB5_SAM_BAD_CHECKSUM, "Bad checksum in SAM challenge"
-index 238
+error_code KRB5_KT_NAME_TOOLONG, "Keytab name too long"
+error_code KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table is incorrect"
+error_code KRB5_APPL_EXPIRED, "This application has expired"
+error_code KRB5_LIB_EXPIRED, "This Krb5 library has expired"
+
+error_code KRB5_CHPW_PWDNULL, "New password cannot be zero length"
+error_code KRB5_CHPW_FAIL, "Password change failed"
+error_code KRB5_KT_FORMAT, "Bad format in keytab"
+
+error_code KRB5_NOPERM_ETYPE, "Encryption type not permitted"
+error_code KRB5_CONFIG_ETYPE_NOSUPP, "No supported encryption types (config file error?)"
+
error_code KRB5_OBSOLETE_FN, "Program called an obsolete, deleted function"
-index 245
+error_code KRB5_EAI_FAIL, "unknown getaddrinfo failure"
+error_code KRB5_EAI_NODATA, "no data available for host/domain name"
+error_code KRB5_EAI_NONAME, "host/domain name not found"
+error_code KRB5_EAI_SERVICE, "service name unknown"
+
+error_code KRB5_ERR_NUMERIC_REALM, "Cannot determine realm for numeric host address"
+
error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC"
+
error_code KRB5_ERR_NO_SERVICE, "Service not available"
+
+index 247
error_code KRB5_CC_NOSUPP, "Credential cache function not supported"
error_code KRB5_DELTAT_BADFORMAT, "Invalid format of Kerberos lifetime or clock skew string"
error_code KRB5_PLUGIN_NO_HANDLE, "Supplied data not handled by this plugin"
error_code KRB5_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton"
+error_code KRB5_ERR_INVALID_UTF8, "Invalid UTF-8 string"
+error_code KRB5_ERR_FAST_REQUIRED, "FAST protected pre-authentication required but not supported by KDC"
+
+error_code KRB5_LOCAL_ADDR_REQUIRED, "Auth context must contain local address"
+error_code KRB5_REMOTE_ADDR_REQUIRED, "Auth context must contain remote address"
+
+error_code KRB5_TRACE_NOSUPP, "Tracing unsupported"
+
+
end
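Review bot: Dropping the explicit `index 238` and `index 245` anchors makes the values of `KRB5_OBSOLETE_FN` through `KRB5_ERR_NO_SERVICE` depend on the exact number of `error_code` lines above them, so a later insertion in this run would silently renumber codes that callers compare against. The entries above the hunk are not visible here, but if `KRB5_OBSOLETE_FN` still lands on 238, then `KRB5_ERR_BAD_S2K_PARAMS` appears to move from 245 to 244 and `KRB5_ERR_NO_SERVICE` from 246 to 245. If that renumbering is the intended alignment with MIT, the commit message should say so, because already-compiled callers carry the old values. I would keep `index 238` in front of `KRB5_OBSOLETE_FN` so the table fails loudly, or at least stays pinned, when the run above it changes length.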
diff --git a/lib/krb5/krb5_find_padata.cat3 b/lib/krb5/krb5_find_padata.cat3
deleted file mode 100644
index 2b7f5f288d54..000000000000
--- a/lib/krb5/krb5_find_padata.cat3
+++ /dev/null
@@ -1,32 +0,0 @@
-KRB5_FIND_PADATA(3) BSD Library Functions Manual KRB5_FIND_PADATA(3)
-
-NAME
- krb5_find_padata, krb5_padata_add -- Kerberos 5 pre-authentication data
- handling functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- PA_DATA *
- krb5_find_padata(PA_DATA *val, unsigned len, int type, int *index);
-
- int
- krb5_padata_add(krb5_context context, METHOD_DATA *md, int type,
- void *buf, size_t len);
-
-DESCRIPTION
- krb5_find_padata() tries to find the pre-authentication data entry of
- type type in the array val of length len. The search is started at entry
- pointed out by *index (zero based indexing). If the type isn't found,
- NULL is returned.
-
- krb5_padata_add() adds a pre-authentication data entry of type type
- pointed out by buf and len to md.
-
-SEE ALSO
- krb5(3), kerberos(8)
-
-HEIMDAL March 21, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_generate_random_block.cat3 b/lib/krb5/krb5_generate_random_block.cat3
deleted file mode 100644
index ca4848d1d654..000000000000
--- a/lib/krb5/krb5_generate_random_block.cat3
+++ /dev/null
@@ -1,22 +0,0 @@
-KRB5_GENERATE_RANDOM_... BSD Library Functions Manual KRB5_GENERATE_RANDOM_...
-
-NAME
- krb5_generate_random_block -- Kerberos 5 random functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- void
- krb5_generate_random_block(void *buf, size_t len);
-
-DESCRIPTION
- krb5_generate_random_block() generates a cryptographically strong pseudo-
- random block into the buffer buf of length len.
-
-SEE ALSO
- krb5(3), krb5.conf(5)
-
-HEIMDAL March 21, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_get_all_client_addrs.cat3 b/lib/krb5/krb5_get_all_client_addrs.cat3
deleted file mode 100644
index 8538a6d6c619..000000000000
--- a/lib/krb5/krb5_get_all_client_addrs.cat3
+++ /dev/null
@@ -1,38 +0,0 @@
-KRB5_GET_ADDRS(3) BSD Library Functions Manual KRB5_GET_ADDRS(3)
-
-NAME
- krb5_get_all_client_addrs, krb5_get_all_server_addrs -- return local ad-
- dresses
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_all_client_addrs(krb5_context context, krb5_addresses *addrs);
-
- krb5_error_code
- krb5_get_all_server_addrs(krb5_context context, krb5_addresses *addrs);
-
-DESCRIPTION
- These functions return in addrs a list of addresses associated with the
- local host.
-
- The server variant returns all configured interface addresses (if possi-
- ble), including loop-back addresses. This is useful if you want to create
- sockets to listen to.
-
- The client version will also scan local interfaces (can be turned off by
- setting libdefaults/scan_interfaces to false in krb5.conf), but will not
- include loop-back addresses, unless there are no other addresses found.
- It will remove all addresses included in libdefaults/ignore_addresses but
- will unconditionally include addresses in libdefaults/extra_addresses.
-
- The returned addresses should be freed by calling krb5_free_addresses().
-
-SEE ALSO
- krb5_free_addresses(3)
-
-HEIMDAL July 1, 2001 HEIMDAL
diff --git a/lib/krb5/krb5_get_credentials.cat3 b/lib/krb5/krb5_get_credentials.cat3
deleted file mode 100644
index 595484d72397..000000000000
--- a/lib/krb5/krb5_get_credentials.cat3
+++ /dev/null
@@ -1,96 +0,0 @@
-KRB5_GET_CREDENTIALS(3) BSD Library Functions Manual KRB5_GET_CREDENTIALS(3)
-
-NAME
- krb5_get_credentials, krb5_get_credentials_with_flags, krb5_get_kdc_cred,
- krb5_get_renewed_creds -- get credentials from the KDC using krbtgt
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_credentials(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds);
-
- krb5_error_code
- krb5_get_credentials_with_flags(krb5_context context, krb5_flags options,
- krb5_kdc_flags flags, krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds);
-
- krb5_error_code
- krb5_get_kdc_cred(krb5_context context, krb5_ccache id,
- krb5_kdc_flags flags, krb5_addresses *addresses,
- Ticket *second_ticket, krb5_creds *in_creds, krb5_creds **out_creds);
-
- krb5_error_code
- krb5_get_renewed_creds(krb5_context context, krb5_creds *creds,
- krb5_const_principal client, krb5_ccache ccache,
- const char *in_tkt_service);
-
-DESCRIPTION
- krb5_get_credentials_with_flags() get credentials specified by
- in_creds->server and in_creds->client (the rest of the in_creds structure
- is ignored) by first looking in the ccache and if doesn't exists or is
- expired, fetch the credential from the KDC using the krbtgt in ccache.
- The credential is returned in out_creds and should be freed using the
- function krb5_free_creds().
-
- Valid flags to pass into options argument are:
-
- KRB5_GC_CACHED Only check the ccache, don't got out on network to
- fetch credential.
- KRB5_GC_USER_USER Request a user to user ticket. This option doesn't
- store the resulting user to user credential in the
- ccache.
- KRB5_GC_EXPIRED_OK returns the credential even if it is expired, default
- behavior is trying to refetch the credential from the
- KDC.
-
- Flags are KDCOptions, note the caller must fill in the bit-field and not
- use the integer associated structure.
-
- krb5_get_credentials() works the same way as
- krb5_get_credentials_with_flags() except that the flags field is missing.
-
- krb5_get_kdc_cred() does the same as the functions above, but the caller
- must fill in all the information andits closer to the wire protocol.
-
- krb5_get_renewed_creds() renews a credential given by in_tkt_service (if
- NULL the default krbtgt) using the credential cache ccache. The result
- is stored in creds and should be freed using krb5_free_creds.
-
-EXAMPLES
- Here is a example function that get a credential from a credential cache
- id or the KDC and returns it to the caller.
-
- #include <krb5.h>
-
- int
- getcred(krb5_context context, krb5_ccache id, krb5_creds **creds)
- {
- krb5_error_code ret;
- krb5_creds in;
-
- ret = krb5_parse_name(context, "client@EXAMPLE.COM",
- &in.client);
- if (ret)
- krb5_err(context, 1, ret, "krb5_parse_name");
-
- ret = krb5_parse_name(context, "host/server.example.com@EXAMPLE.COM",
- &in.server);
- if (ret)
- krb5_err(context, 1, ret, "krb5_parse_name");
-
- ret = krb5_get_credentials(context, 0, id, &in, creds);
- if (ret)
- krb5_err(context, 1, ret, "krb5_get_credentials");
-
- return 0;
- }
-
-SEE ALSO
- krb5(3), krb5_get_forwarded_creds(3), krb5.conf(5)
-
-HEIMDAL July 26, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_get_creds.cat3 b/lib/krb5/krb5_get_creds.cat3
deleted file mode 100644
index 88f4aa2d16ca..000000000000
--- a/lib/krb5/krb5_get_creds.cat3
+++ /dev/null
@@ -1,92 +0,0 @@
-KRB5_GET_CREDS(3) BSD Library Functions Manual KRB5_GET_CREDS(3)
-
-NAME
- krb5_get_creds, krb5_get_creds_opt_add_options, krb5_get_creds_opt_alloc,
- krb5_get_creds_opt_free, krb5_get_creds_opt_set_enctype,
- krb5_get_creds_opt_set_impersonate, krb5_get_creds_opt_set_options,
- krb5_get_creds_opt_set_ticket -- get credentials from the KDC
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_creds(krb5_context context, krb5_get_creds_opt opt,
- krb5_ccache ccache, krb5_const_principal inprinc,
- krb5_creds **out_creds);
-
- void
- krb5_get_creds_opt_add_options(krb5_context context,
- krb5_get_creds_opt opt, krb5_flags options);
-
- krb5_error_code
- krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt);
-
- void
- krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt);
-
- void
- krb5_get_creds_opt_set_enctype(krb5_context context,
- krb5_get_creds_opt opt, krb5_enctype enctype);
-
- krb5_error_code
- krb5_get_creds_opt_set_impersonate(krb5_context context,
- krb5_get_creds_opt opt, krb5_const_principal self);
-
- void
- krb5_get_creds_opt_set_options(krb5_context context,
- krb5_get_creds_opt opt, krb5_flags options);
-
- krb5_error_code
- krb5_get_creds_opt_set_ticket(krb5_context context,
- krb5_get_creds_opt opt, const Ticket *ticket);
-
-DESCRIPTION
- krb5_get_creds() fetches credentials specified by opt by first looking in
- the ccache, and then it doesn't exists, fetch the credential from the KDC
- using the krbtgts in ccache. The credential is returned in out_creds and
- should be freed using the function krb5_free_creds().
-
- The structure krb5_get_creds_opt controls the behavior of
- krb5_get_creds(). The structure is opaque to consumers that can set the
- content of the structure with accessors functions. All accessor functions
- make copies of the data that is passed into accessor functions, so exter-
- nal consumers free the memory before calling krb5_get_creds().
-
- The structure krb5_get_creds_opt is allocated with
- krb5_get_creds_opt_alloc() and freed with krb5_get_creds_opt_free(). The
- free function also frees the content of the structure set by the accessor
- functions.
-
- krb5_get_creds_opt_add_options() and krb5_get_creds_opt_set_options()
- adds and sets options to the krb5_get_creds_opt structure . The possible
- options to set are
- KRB5_GC_CACHED Only check the ccache, don't got out on network to
- fetch credential.
- KRB5_GC_USER_USER request a user to user ticket. This options doesn't
- store the resulting user to user credential in the
- ccache.
- KRB5_GC_EXPIRED_OK
- returns the credential even if it is expired, default
- behavior is trying to refetch the credential from the
- KDC.
- KRB5_GC_NO_STORE Do not store the resulting credentials in the ccache.
-
- krb5_get_creds_opt_set_enctype() sets the preferred encryption type of
- the application. Don't set this unless you have to since if there is no
- match in the KDC, the function call will fail.
-
- krb5_get_creds_opt_set_impersonate() sets the principal to impersonate.,
- Returns a ticket that have the impersonation principal as a client and
- the requestor as the service. Note that the requested principal have to
- be the same as the client principal in the krbtgt.
-
- krb5_get_creds_opt_set_ticket() sets the extra ticket used in user-to-
- user or contrained delegation use case.
-
-SEE ALSO
- krb5(3), krb5_get_credentials(3), krb5.conf(5)
-
-HEIMDAL June 15, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_get_forwarded_creds.cat3 b/lib/krb5/krb5_get_forwarded_creds.cat3
deleted file mode 100644
index 0cf9282437a7..000000000000
--- a/lib/krb5/krb5_get_forwarded_creds.cat3
+++ /dev/null
@@ -1,32 +0,0 @@
-KRB5_GET_FORWARDED_CR... BSD Library Functions Manual KRB5_GET_FORWARDED_CR...
-
-NAME
- krb5_get_forwarded_creds, krb5_fwd_tgt_creds -- get forwarded credentials
- from the KDC
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_forwarded_creds(krb5_context context,
- krb5_auth_context auth_context, krb5_ccache ccache, krb5_flags flags,
- const char *hostname, krb5_creds *in_creds, krb5_data *out_data);
-
- krb5_error_code
- krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
- const char *hostname, krb5_principal client, krb5_principal server,
- krb5_ccache ccache, int forwardable, krb5_data *out_data);
-
-DESCRIPTION
- krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() get tickets forwarded
- to hostname. If the tickets that are forwarded are address-less, the for-
- warded tickets will also be address-less, otherwise hostname will be used
- for figure out the address to forward the ticket too.
-
-SEE ALSO
- krb5(3), krb5_get_credentials(3), krb5.conf(5)
-
-HEIMDAL July 26, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_get_in_cred.cat3 b/lib/krb5/krb5_get_in_cred.cat3
deleted file mode 100644
index e0f0fcea0c93..000000000000
--- a/lib/krb5/krb5_get_in_cred.cat3
+++ /dev/null
@@ -1,131 +0,0 @@
-KRB5_GET_IN_TKT(3) BSD Library Functions Manual KRB5_GET_IN_TKT(3)
-
-NAME
- krb5_get_in_tkt, krb5_get_in_cred, krb5_get_in_tkt_with_password,
- krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_skey,
- krb5_free_kdc_rep, krb5_password_key_proc -- deprecated initial authenti-
- cation functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_in_tkt(krb5_context context, krb5_flags options,
- const krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *ptypes, krb5_key_proc key_proc,
- krb5_const_pointer keyseed, krb5_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg, krb5_creds *creds, krb5_ccache ccache,
- krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_get_in_cred(krb5_context context, krb5_flags options,
- const krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *ptypes, const krb5_preauthdata *preauth,
- krb5_key_proc key_proc, krb5_const_pointer keyseed,
- krb5_decrypt_proc decrypt_proc, krb5_const_pointer decryptarg,
- krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
- krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types, const char *password,
- krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
- krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types, krb5_keytab keytab,
- krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
- krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types, const krb5_keyblock *key,
- krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep);
-
- krb5_error_code
- krb5_password_key_proc(krb5_context context, krb5_enctype type,
- krb5_salt salt, krb5_const_pointer keyseed, krb5_keyblock **key);
-
-DESCRIPTION
- All the functions in this manual page are deprecated in the MIT implemen-
- tation, and will soon be deprecated in Heimdal too, don't use them.
-
- Getting initial credential ticket for a principal. krb5_get_in_cred is
- the function all other krb5_get_in function uses to fetch tickets. The
- other krb5_get_in function are more specialized and therefor somewhat
- easier to use.
-
- If your need is only to verify a user and password, consider using
- krb5_verify_user(3) instead, it have a much simpler interface.
-
- krb5_get_in_tkt and krb5_get_in_cred fetches initial credential, queries
- after key using the key_proc argument. The differences between the two
- function is that krb5_get_in_tkt stores the credential in a krb5_creds
- while krb5_get_in_cred stores the credential in a krb5_ccache.
-
- krb5_get_in_tkt_with_password, krb5_get_in_tkt_with_keytab, and
- krb5_get_in_tkt_with_skey does the same work as krb5_get_in_cred but are
- more specialized.
-
- krb5_get_in_tkt_with_password uses the clients password to authenticate.
- If the password argument is NULL the user user queried with the default
- password query function.
-
- krb5_get_in_tkt_with_keytab searches the given keytab for a service entry
- for the client principal. If the keytab is NULL the default keytab is
- used.
-
- krb5_get_in_tkt_with_skey uses a key to get the initial credential.
-
- There are some common arguments to the krb5_get_in functions, these are:
-
- options are the KDC_OPT flags.
-
- etypes is a NULL terminated array of encryption types that the client ap-
- proves.
-
- addrs a list of the addresses that the initial ticket. If it is NULL the
- list will be generated by the library.
-
- pre_auth_types a NULL terminated array of pre-authentication types. If
- pre_auth_types is NULL the function will try without pre-authentication
- and return those pre-authentication that the KDC returned.
-
- ret_as_reply will (if not NULL) be filled in with the response of the KDC
- and should be free with krb5_free_kdc_rep().
-
- key_proc is a pointer to a function that should return a key salted ap-
- propriately. Using NULL will use the default password query function.
-
- decrypt_proc Using NULL will use the default decryption function.
-
- decryptarg will be passed to the decryption function decrypt_proc.
-
- creds creds should be filled in with the template for a credential that
- should be requested. The client and server elements of the creds struc-
- ture must be filled in. Upon return of the function it will be contain
- the content of the requested credential (krb5_get_in_cred), or it will be
- freed with krb5_free_creds(3) (all the other krb5_get_in functions).
-
- ccache will store the credential in the credential cache ccache. The
- credential cache will not be initialized, thats up the the caller.
-
- krb5_password_key_proc is a library function that is suitable using as
- the krb5_key_proc argument to krb5_get_in_cred or krb5_get_in_tkt.
- keyseed should be a pointer to a NUL terminated string or NULL.
- krb5_password_key_proc will query the user for the pass on the console if
- the password isn't given as the argument keyseed.
-
- krb5_free_kdc_rep() frees the content of rep.
-
-SEE ALSO
- krb5(3), krb5_verify_user(3), krb5.conf(5), kerberos(8)
-
-HEIMDAL May 31, 2003 HEIMDAL
diff --git a/lib/krb5/krb5_get_init_creds.cat3 b/lib/krb5/krb5_get_init_creds.cat3
deleted file mode 100644
index c92749926ded..000000000000
--- a/lib/krb5/krb5_get_init_creds.cat3
+++ /dev/null
@@ -1,248 +0,0 @@
-KRB5_GET_INIT_CREDS(3) BSD Library Functions Manual KRB5_GET_INIT_CREDS(3)
-
-NAME
- krb5_get_init_creds, krb5_get_init_creds_keytab, krb5_get_init_creds_opt,
- krb5_get_init_creds_opt_alloc, krb5_get_init_creds_opt_free,
- krb5_get_init_creds_opt_init, krb5_get_init_creds_opt_set_address_list,
- krb5_get_init_creds_opt_set_addressless,
- krb5_get_init_creds_opt_set_anonymous,
- krb5_get_init_creds_opt_set_default_flags,
- krb5_get_init_creds_opt_set_etype_list,
- krb5_get_init_creds_opt_set_forwardable,
- krb5_get_init_creds_opt_set_pa_password,
- krb5_get_init_creds_opt_set_paq_request,
- krb5_get_init_creds_opt_set_preauth_list,
- krb5_get_init_creds_opt_set_proxiable,
- krb5_get_init_creds_opt_set_renew_life, krb5_get_init_creds_opt_set_salt,
- krb5_get_init_creds_opt_set_tkt_life,
- krb5_get_init_creds_opt_set_canonicalize,
- krb5_get_init_creds_opt_set_win2k, krb5_get_init_creds_password,
- krb5_prompt, krb5_prompter_posix -- Kerberos 5 initial authentication
- functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_get_init_creds_opt;
-
- krb5_error_code
- krb5_get_init_creds_opt_alloc(krb5_context context,
- krb5_get_init_creds_opt **opt);
-
- void
- krb5_get_init_creds_opt_free(krb5_context context,
- krb5_get_init_creds_opt *opt);
-
- void
- krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);
-
- void
- krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
- krb5_addresses *addresses);
-
- void
- krb5_get_init_creds_opt_set_addressless(krb5_get_init_creds_opt *opt,
- krb5_boolean addressless);
-
- void
- krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
- int anonymous);
-
- void
- krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
- int change_password_prompt);
-
- void
- krb5_get_init_creds_opt_set_default_flags(krb5_context context,
- const char *appname, krb5_const_realm realm,
- krb5_get_init_creds_opt *opt);
-
- void
- krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
- krb5_enctype *etype_list, int etype_list_length);
-
- void
- krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
- int forwardable);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_pa_password(krb5_context context,
- krb5_get_init_creds_opt *opt, const char *password,
- krb5_s2k_proc key_proc);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_paq_request(krb5_context context,
- krb5_get_init_creds_opt *opt, krb5_boolean req_pac);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_pkinit(krb5_context context,
- krb5_get_init_creds_opt *opt, const char *cert_file,
- const char *key_file, const char *x509_anchors, int flags,
- char *password);
-
- void
- krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
- krb5_preauthtype *preauth_list, int preauth_list_length);
-
- void
- krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
- int proxiable);
-
- void
- krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
- krb5_deltat renew_life);
-
- void
- krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
- krb5_data *salt);
-
- void
- krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
- krb5_deltat tkt_life);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
- krb5_get_init_creds_opt *opt, krb5_boolean req);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_win2k(krb5_context context,
- krb5_get_init_creds_opt *opt, krb5_boolean req);
-
- krb5_error_code
- krb5_get_init_creds(krb5_context context, krb5_creds *creds,
- krb5_principal client, krb5_prompter_fct prompter,
- void *prompter_data, krb5_deltat start_time,
- const char *in_tkt_service, krb5_get_init_creds_opt *options);
-
- krb5_error_code
- krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
- krb5_principal client, const char *password,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_deltat start_time, const char *in_tkt_service,
- krb5_get_init_creds_opt *in_options);
-
- krb5_error_code
- krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds,
- krb5_principal client, krb5_keytab keytab, krb5_deltat start_time,
- const char *in_tkt_service, krb5_get_init_creds_opt *options);
-
- int
- krb5_prompter_posix(krb5_context context, void *data, const char *name,
- const char *banner, int num_prompts, krb5_prompt prompts[]);
-
-DESCRIPTION
- Getting initial credential ticket for a principal. That may include
- changing an expired password, and doing preauthentication. This inter-
- face that replaces the deprecated krb5_in_tkt and krb5_in_cred functions.
-
- If you only want to verify a username and password, consider using
- krb5_verify_user(3) instead, since it also verifies that initial creden-
- tials with using a keytab to make sure the response was from the KDC.
-
- First a krb5_get_init_creds_opt structure is initialized with
- krb5_get_init_creds_opt_alloc() or krb5_get_init_creds_opt_init().
- krb5_get_init_creds_opt_alloc() allocates a extendible structures that
- needs to be freed with krb5_get_init_creds_opt_free(). The structure may
- be modified by any of the krb5_get_init_creds_opt_set() functions to
- change request parameters and authentication information.
-
- If the caller want to use the default options, NULL can be passed in-
- stead.
-
- The the actual request to the KDC is done by any of the
- krb5_get_init_creds(), krb5_get_init_creds_password(), or
- krb5_get_init_creds_keytab() functions. krb5_get_init_creds() is the
- least specialized function and can, with the right in data, behave like
- the latter two. The latter two are there for compatibility with older
- releases and they are slightly easier to use.
-
- krb5_prompt is a structure containing the following elements:
-
- typedef struct {
- const char *prompt;
- int hidden;
- krb5_data *reply;
- krb5_prompt_type type
- } krb5_prompt;
-
- prompt is the prompt that should shown to the user If hidden is set, the
- prompter function shouldn't echo the output to the display device. reply
- must be preallocated; it will not be allocated by the prompter function.
- Possible values for the type element are:
-
- KRB5_PROMPT_TYPE_PASSWORD
- KRB5_PROMPT_TYPE_NEW_PASSWORD
- KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
- KRB5_PROMPT_TYPE_PREAUTH
- KRB5_PROMPT_TYPE_INFO
-
- krb5_prompter_posix() is the default prompter function in a POSIX envi-
- ronment. It matches the krb5_prompter_fct and can be used in the
- krb5_get_init_creds functions. krb5_prompter_posix() doesn't require
- prompter_data.
-
- If the start_time is zero, then the requested ticket will be valid begin-
- ning immediately. Otherwise, the start_time indicates how far in the fu-
- ture the ticket should be postdated.
-
- If the in_tkt_service name is non-NULL, that principal name will be used
- as the server name for the initial ticket request. The realm of the name
- specified will be ignored and will be set to the realm of the client
- name. If no in_tkt_service name is specified, krbtgt/CLIENT-
- REALM@CLIENT-REALM will be used.
-
- For the rest of arguments, a configuration or library default will be
- used if no value is specified in the options structure.
-
- krb5_get_init_creds_opt_set_address_list() sets the list of addresses
- that is should be stored in the ticket.
-
- krb5_get_init_creds_opt_set_addressless() controls if the ticket is re-
- quested with addresses or not, krb5_get_init_creds_opt_set_address_list()
- overrides this option.
-
- krb5_get_init_creds_opt_set_anonymous() make the request anonymous if the
- anonymous parameter is non-zero.
-
- krb5_get_init_creds_opt_set_default_flags() sets the default flags using
- the configuration file.
-
- krb5_get_init_creds_opt_set_etype_list() set a list of enctypes that the
- client is willing to support in the request.
-
- krb5_get_init_creds_opt_set_forwardable() request a forwardable ticket.
-
- krb5_get_init_creds_opt_set_pa_password() set the password and key_proc
- that is going to be used to get a new ticket. password or key_proc can
- be NULL if the caller wants to use the default values. If the password
- is unset and needed, the user will be prompted for it.
-
- krb5_get_init_creds_opt_set_paq_request() sets the password that is going
- to be used to get a new ticket.
-
- krb5_get_init_creds_opt_set_preauth_list() sets the list of client-sup-
- ported preauth types.
-
- krb5_get_init_creds_opt_set_proxiable() makes the request proxiable.
-
- krb5_get_init_creds_opt_set_renew_life() sets the requested renewable
- lifetime.
-
- krb5_get_init_creds_opt_set_salt() sets the salt that is going to be used
- in the request.
-
- krb5_get_init_creds_opt_set_tkt_life() sets requested ticket lifetime.
-
- krb5_get_init_creds_opt_set_canonicalize() requests that the KDC canoni-
- calize the client principal if possible.
-
- krb5_get_init_creds_opt_set_win2k() turns on compatibility with Windows
- 2000.
-
-SEE ALSO
- krb5(3), krb5_creds(3), krb5_verify_user(3), krb5.conf(5), kerberos(8)
-
-HEIMDAL Sep 16, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_get_krbhst.cat3 b/lib/krb5/krb5_get_krbhst.cat3
deleted file mode 100644
index 27d544807e73..000000000000
--- a/lib/krb5/krb5_get_krbhst.cat3
+++ /dev/null
@@ -1,55 +0,0 @@
-KRB5_GET_KRBHST(3) BSD Library Functions Manual KRB5_GET_KRBHST(3)
-
-NAME
- krb5_get_krbhst, krb5_get_krb_admin_hst, krb5_get_krb_changepw_hst,
- krb5_get_krb524hst, krb5_free_krbhst -- lookup Kerberos KDC hosts
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_krbhst(krb5_context context, const krb5_realm *realm,
- char ***hostlist);
-
- krb5_error_code
- krb5_get_krb_admin_hst(krb5_context context, const krb5_realm *realm,
- char ***hostlist);
-
- krb5_error_code
- krb5_get_krb_changepw_hst(krb5_context context, const krb5_realm *realm,
- char ***hostlist);
-
- krb5_error_code
- krb5_get_krb524hst(krb5_context context, const krb5_realm *realm,
- char ***hostlist);
-
- krb5_error_code
- krb5_free_krbhst(krb5_context context, char **hostlist);
-
-DESCRIPTION
- These functions implement the old API to get a list of Kerberos hosts,
- and are thus similar to the krb5_krbhst_init() functions. However, since
- these functions returns all hosts in one go, they potentially have to do
- more lookups than necessary. These functions remain for compatibility
- reasons.
-
- After a call to one of these functions, hostlist is a NULL terminated
- list of strings, pointing to the requested Kerberos hosts. These should
- be freed with krb5_free_krbhst() when done with.
-
-EXAMPLES
- The following code will print the KDCs of the realm "MY.REALM".
-
- char **hosts, **p;
- krb5_get_krbhst(context, "MY.REALM", &hosts);
- for(p = hosts; *p; p++)
- printf("%s\n", *p);
- krb5_free_krbhst(context, hosts);
-
-SEE ALSO
- krb5_krbhst_init(3)
-
-HEIMDAL April 24, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_getportbyname.cat3 b/lib/krb5/krb5_getportbyname.cat3
deleted file mode 100644
index 106177186413..000000000000
--- a/lib/krb5/krb5_getportbyname.cat3
+++ /dev/null
@@ -1,28 +0,0 @@
-NAME(3) BSD Library Functions Manual NAME(3)
-
-NAME
- krb5_getportbyname -- get port number by name
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- int
- krb5_getportbyname(krb5_context context, const char *service,
- const char *proto, int default_port);
-
-DESCRIPTION
- krb5_getportbyname() gets the port number for service / proto pair from
- the global service table for and returns it in network order. If it
- isn't found in the global table, the default_port (given in host order)
- is returned.
-
-EXAMPLE
- int port = krb5_getportbyname(context, "kerberos", "tcp", 88);
-
-SEE ALSO
- krb5(3)
-
-HEIMDAL August 15, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_init_context.cat3 b/lib/krb5/krb5_init_context.cat3
deleted file mode 100644
index 6bc70e974423..000000000000
--- a/lib/krb5/krb5_init_context.cat3
+++ /dev/null
@@ -1,184 +0,0 @@
-KRB5_CONTEXT(3) BSD Library Functions Manual KRB5_CONTEXT(3)
-
-NAME
- krb5_add_et_list, krb5_add_extra_addresses, krb5_add_ignore_addresses,
- krb5_context, krb5_free_config_files, krb5_free_context,
- krb5_get_default_config_files, krb5_get_dns_canonize_hostname,
- krb5_get_extra_addresses, krb5_get_fcache_version,
- krb5_get_ignore_addresses, krb5_get_kdc_sec_offset,
- krb5_get_max_time_skew, krb5_get_use_admin_kdc krb5_init_context,
- krb5_init_ets, krb5_prepend_config_files,
- krb5_prepend_config_files_default, krb5_set_config_files,
- krb5_set_dns_canonize_hostname, krb5_set_extra_addresses,
- krb5_set_fcache_version, krb5_set_ignore_addresses,
- krb5_set_max_time_skew, krb5_set_use_admin_kdc, -- create, modify and
- delete krb5_context structures
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- struct krb5_context;
-
- krb5_error_code
- krb5_init_context(krb5_context *context);
-
- void
- krb5_free_context(krb5_context context);
-
- void
- krb5_init_ets(krb5_context context);
-
- krb5_error_code
- krb5_add_et_list(krb5_context context, void (*func)(struct et_list **));
-
- krb5_error_code
- krb5_add_extra_addresses(krb5_context context,
- krb5_addresses *addresses);
-
- krb5_error_code
- krb5_set_extra_addresses(krb5_context context,
- const krb5_addresses *addresses);
-
- krb5_error_code
- krb5_get_extra_addresses(krb5_context context,
- krb5_addresses *addresses);
-
- krb5_error_code
- krb5_add_ignore_addresses(krb5_context context,
- krb5_addresses *addresses);
-
- krb5_error_code
- krb5_set_ignore_addresses(krb5_context context,
- const krb5_addresses *addresses);
-
- krb5_error_code
- krb5_get_ignore_addresses(krb5_context context,
- krb5_addresses *addresses);
-
- krb5_error_code
- krb5_set_fcache_version(krb5_context context, int version);
-
- krb5_error_code
- krb5_get_fcache_version(krb5_context context, int *version);
-
- void
- krb5_set_dns_canonize_hostname(krb5_context context, krb5_boolean flag);
-
- krb5_boolean
- krb5_get_dns_canonize_hostname(krb5_context context);
-
- krb5_error_code
- krb5_get_kdc_sec_offset(krb5_context context, int32_t *sec,
- int32_t *usec);
-
- krb5_error_code
- krb5_set_config_files(krb5_context context, char **filenames);
-
- krb5_error_code
- krb5_prepend_config_files(const char *filelist, char **pq,
- char ***ret_pp);
-
- krb5_error_code
- krb5_prepend_config_files_default(const char *filelist,
- char ***pfilenames);
-
- krb5_error_code
- krb5_get_default_config_files(char ***pfilenames);
-
- void
- krb5_free_config_files(char **filenames);
-
- void
- krb5_set_use_admin_kdc(krb5_context context, krb5_boolean flag);
-
- krb5_boolean
- krb5_get_use_admin_kdc(krb5_context context);
-
- time_t
- krb5_get_max_time_skew(krb5_context context);
-
- krb5_error_code
- krb5_set_max_time_skew(krb5_context context, time_t time);
-
-DESCRIPTION
- The krb5_init_context() function initializes the context structure and
- reads the configuration file /etc/krb5.conf.
-
- The structure should be freed by calling krb5_free_context() when it is
- no longer being used.
-
- krb5_init_context() returns 0 to indicate success. Otherwise an errno
- code is returned. Failure means either that something bad happened dur-
- ing initialization (typically [ENOMEM]) or that Kerberos should not be
- used [ENXIO].
-
- krb5_init_ets() adds all com_err(3) libs to context. This is done by
- krb5_init_context().
-
- krb5_add_et_list() adds a com_err(3) error-code handler func to the spec-
- ified context. The error handler must generated by the the re-rentrant
- version of the compile_et(1) program. krb5_add_extra_addresses() add a
- list of addresses that should be added when requesting tickets.
-
- krb5_add_ignore_addresses() add a list of addresses that should be ig-
- nored when requesting tickets.
-
- krb5_get_extra_addresses() get the list of addresses that should be added
- when requesting tickets.
-
- krb5_get_ignore_addresses() get the list of addresses that should be ig-
- nored when requesting tickets.
-
- krb5_set_ignore_addresses() set the list of addresses that should be ig-
- nored when requesting tickets.
-
- krb5_set_extra_addresses() set the list of addresses that should be added
- when requesting tickets.
-
- krb5_set_fcache_version() sets the version of file credentials caches
- that should be used.
-
- krb5_get_fcache_version() gets the version of file credentials caches
- that should be used.
-
- krb5_set_dns_canonize_hostname() sets if the context is configured to
- canonicalize hostnames using DNS.
-
- krb5_get_dns_canonize_hostname() returns if the context is configured to
- canonicalize hostnames using DNS.
-
- krb5_get_kdc_sec_offset() returns the offset between the localtime and
- the KDC's time. sec and usec are both optional argument and NULL can be
- passed in.
-
- krb5_set_config_files() set the list of configuration files to use and
- re-initialize the configuration from the files.
-
- krb5_prepend_config_files() parse the filelist and prepend the result to
- the already existing list pq The result is returned in ret_pp and should
- be freed with krb5_free_config_files().
-
- krb5_prepend_config_files_default() parse the filelist and append that to
- the default list of configuration files.
-
- krb5_get_default_config_files() get a list of default configuration
- files.
-
- krb5_free_config_files() free a list of configuration files returned by
- krb5_get_default_config_files(), krb5_prepend_config_files_default(), or
- krb5_prepend_config_files().
-
- krb5_set_use_admin_kdc() sets if all KDC requests should go admin KDC.
-
- krb5_get_use_admin_kdc() gets if all KDC requests should go admin KDC.
-
- krb5_get_max_time_skew() and krb5_set_max_time_skew() get and sets the
- maximum allowed time skew between client and server.
-
-SEE ALSO
- errno(2), krb5(3), krb5_config(3), krb5_context(3), kerberos(8)
-
-HEIMDAL December 8, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_is_thread_safe.cat3 b/lib/krb5/krb5_is_thread_safe.cat3
deleted file mode 100644
index bd9b37940c9f..000000000000
--- a/lib/krb5/krb5_is_thread_safe.cat3
+++ /dev/null
@@ -1,25 +0,0 @@
-KRB5_IS_THREAD_SAFE(3) BSD Library Functions Manual KRB5_IS_THREAD_SAFE(3)
-
-NAME
- krb5_is_thread_safe -- is the Kerberos library compiled with multithread
- support
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_boolean
- krb5_is_thread_safe(void);
-
-DESCRIPTION
- krb5_is_thread_safe returns TRUE if the library was compiled with with
- multithread support. If the library isn't compiled, the consumer have to
- use a global lock to make sure Kerboros functions are not called at the
- same time by different threads.
-
-SEE ALSO
- krb5_create_checksum(3), krb5_encrypt(3)
-
-HEIMDAL May 5, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_krbhst_init.cat3 b/lib/krb5/krb5_krbhst_init.cat3
deleted file mode 100644
index 44ddb4d2c8f2..000000000000
--- a/lib/krb5/krb5_krbhst_init.cat3
+++ /dev/null
@@ -1,117 +0,0 @@
-KRB5_KRBHST_INIT(3) BSD Library Functions Manual KRB5_KRBHST_INIT(3)
-
-NAME
- krb5_krbhst_init, krb5_krbhst_init_flags, krb5_krbhst_next,
- krb5_krbhst_next_as_string, krb5_krbhst_reset, krb5_krbhst_free,
- krb5_krbhst_format_string, krb5_krbhst_get_addrinfo -- lookup Kerberos
- KDC hosts
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_krbhst_init(krb5_context context, const char *realm,
- unsigned int type, krb5_krbhst_handle *handle);
-
- krb5_error_code
- krb5_krbhst_init_flags(krb5_context context, const char *realm,
- unsigned int type, int flags, krb5_krbhst_handle *handle);
-
- krb5_error_code
- krb5_krbhst_next(krb5_context context, krb5_krbhst_handle handle,
- krb5_krbhst_info **host);
-
- krb5_error_code
- krb5_krbhst_next_as_string(krb5_context context,
- krb5_krbhst_handle handle, char *hostname, size_t hostlen);
-
- void
- krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle);
-
- void
- krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle);
-
- krb5_error_code
- krb5_krbhst_format_string(krb5_context context,
- const krb5_krbhst_info *host, char *hostname, size_t hostlen);
-
- krb5_error_code
- krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
- struct addrinfo **ai);
-
-DESCRIPTION
- These functions are used to sequence through all Kerberos hosts of a par-
- ticular realm and service. The service type can be the KDCs, the adminis-
- trative servers, the password changing servers, or the servers for Ker-
- beros 4 ticket conversion.
-
- First a handle to a particular service is obtained by calling
- krb5_krbhst_init() (or krb5_krbhst_init_flags()) with the realm of inter-
- est and the type of service to lookup. The type can be one of:
-
- KRB5_KRBHST_KDC
- KRB5_KRBHST_ADMIN
- KRB5_KRBHST_CHANGEPW
- KRB5_KRBHST_KRB524
-
- The handle is returned to the caller, and should be passed to the other
- functions.
-
- The flag argument to krb5_krbhst_init_flags is the same flags as
- krb5_send_to_kdc_flags() uses. Possible values are:
-
- KRB5_KRBHST_FLAGS_MASTER only talk to master (readwrite) KDC
- KRB5_KRBHST_FLAGS_LARGE_MSG this is a large message, so use trans-
- port that can handle that.
-
- For each call to krb5_krbhst_next() information on a new host is re-
- turned. The former function returns in host a pointer to a structure con-
- taining information about the host, such as protocol, hostname, and port:
-
- typedef struct krb5_krbhst_info {
- enum { KRB5_KRBHST_UDP,
- KRB5_KRBHST_TCP,
- KRB5_KRBHST_HTTP } proto;
- unsigned short port;
- struct addrinfo *ai;
- struct krb5_krbhst_info *next;
- char hostname[1];
- } krb5_krbhst_info;
-
- The related function, krb5_krbhst_next_as_string(), return the same in-
- formation as a URL-like string.
-
- When there are no more hosts, these functions return KRB5_KDC_UNREACH.
-
- To re-iterate over all hosts, call krb5_krbhst_reset() and the next call
- to krb5_krbhst_next() will return the first host.
-
- When done with the handle, krb5_krbhst_free() should be called.
-
- To use a krb5_krbhst_info, there are two functions:
- krb5_krbhst_format_string() that will return a printable representation
- of that struct and krb5_krbhst_get_addrinfo() that will return a struct
- addrinfo that can then be used for communicating with the server men-
- tioned.
-
-EXAMPLES
- The following code will print the KDCs of the realm "MY.REALM":
-
- krb5_krbhst_handle handle;
- char host[MAXHOSTNAMELEN];
- krb5_krbhst_init(context, "MY.REALM", KRB5_KRBHST_KDC, &handle);
- while(krb5_krbhst_next_as_string(context, handle,
- host, sizeof(host)) == 0)
- printf("%s\n", host);
- krb5_krbhst_free(context, handle);
-
-SEE ALSO
- getaddrinfo(3), krb5_get_krbhst(3), krb5_send_to_kdc_flags(3)
-
-HISTORY
- These functions first appeared in Heimdal 0.3g.
-
-HEIMDAL May 10, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
index b64f3a9fbd49..75ca24b66767 100644
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -82,6 +82,7 @@ struct mbuf;
#include <com_err.h>
#include <heimbase.h>
+#include "heimbase-atomics.h"
#define HEIMDAL_TEXTDOMAIN "heimdal_krb5"
@@ -122,6 +123,8 @@ struct mbuf;
#include <krb5_asn1.h>
+typedef Krb5Int32 krb5int32;
+typedef Krb5UInt32 krb5uint32;
#include <pkinit_asn1.h>
struct send_to_kdc;
@@ -134,14 +137,24 @@ struct ContentInfo;
struct AlgorithmIdentifier;
typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
struct krb5_dh_moduli;
+struct krb5_fast_state;
+struct krb5_gss_init_ctx_data;
/* v4 glue */
struct _krb5_krb_auth_data;
+struct krb5_gss_init_ctx_data;
+typedef struct krb5_gss_init_ctx_data *krb5_gss_init_ctx;
+
+struct gss_ctx_id_t_desc_struct;
+struct gss_cred_id_t_desc_struct;
+struct gss_OID_desc_struct;
+
#include <der.h>
#include <krb5.h>
#include <krb5_err.h>
+#include <k5e1_err.h>
#include <asn1_err.h>
#ifdef PKINIT
#include <hx509.h>
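Review bot: `struct krb5_gss_init_ctx_data;` is forward-declared twice in this hunk, once right after `struct krb5_fast_state;` and again directly above the `krb5_gss_init_ctx` typedef. The repeat compiles, but it reads like a merge leftover; drop the first and keep the one next to the typedef. The three `gss_*_desc_struct` forward declarations also have no explanation. If the intent is to keep GSS headers out of this file, a one-line comment such as `/* opaque GSS types, forward-declared to avoid including the GSS-API headers here */` would make that explicit.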
@@ -149,17 +162,47 @@ struct _krb5_krb_auth_data;
#include "crypto.h"
+typedef krb5_error_code (KRB5_LIB_CALL *krb5_gssic_step)(
+ krb5_context,
+ krb5_gss_init_ctx,
+ const krb5_creds *,
+ struct gss_ctx_id_t_desc_struct **,
+ KDCOptions options,
+ krb5_data *,
+ krb5_data *,
+ krb5_data *);
+
+typedef krb5_error_code (KRB5_LIB_CALL *krb5_gssic_finish)(
+ krb5_context,
+ krb5_gss_init_ctx,
+ const krb5_creds *,
+ struct gss_ctx_id_t_desc_struct *,
+ krb5int32,
+ krb5_enctype,
+ krb5_principal *,
+ krb5_keyblock **);
+
+typedef void (KRB5_LIB_CALL *krb5_gssic_release_cred)(
+ krb5_context,
+ krb5_gss_init_ctx,
+ struct gss_cred_id_t_desc_struct *);
+
+typedef void (KRB5_LIB_CALL *krb5_gssic_delete_sec_context)(
+ krb5_context,
+ krb5_gss_init_ctx,
+ struct gss_ctx_id_t_desc_struct *);
+
+#define KRB5_GSS_IC_FLAG_RELEASE_CRED 1
+
#include <krb5-private.h>
#include "heim_threads.h"
+extern const char _krb5_wellknown_lkdc[];
+
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
-#ifndef __func__
-#define __func__ "unknown-function"
-#endif
-
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
#ifndef PATH_SEP
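Review bot: The `krb5_gssic_step` typedef ends in three consecutive unnamed `krb5_data *` parameters, and only `KDCOptions options` is named, so nothing in the header says which buffer is input and which the callback fills. The same holds for `krb5_gssic_finish`, whose trailing `krb5_principal *` and `krb5_keyblock **` look like out-parameters carrying key material, with no statement of who frees them. Name every parameter in all four typedefs and add a short comment above each giving direction and ownership. The meaning of `KRB5_GSS_IC_FLAG_RELEASE_CRED` also deserves a comment, since it presumably decides whether the library or the caller releases the credential.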
@@ -170,6 +213,9 @@ struct _krb5_krb_auth_data;
#define KEYTAB_DEFAULT "FILE:" SYSCONFDIR "/krb5.keytab"
#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"
+#ifndef CLIENT_KEYTAB_DEFAULT
+#define CLIENT_KEYTAB_DEFAULT "FILE:" LOCALSTATEDIR "/user/%{euid}/client.keytab";
+#endif
#define MODULI_FILE SYSCONFDIR "/krb5.moduli"
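Review bot: The new `CLIENT_KEYTAB_DEFAULT` definition ends in a semicolon, so the macro expands to a string literal followed by `;`. That breaks any use inside an expression or argument list, and it differs from the neighbouring `KEYTAB_DEFAULT` definitions, which have none. The line should read `#define CLIENT_KEYTAB_DEFAULT "FILE:" LOCALSTATEDIR "/user/%{euid}/client.keytab"`. A short comment that the `%{euid}` directory is expected to be owned by and private to that user would also help packagers.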
@@ -205,10 +251,11 @@ struct _krb5_get_init_creds_opt_private {
krb5_pk_init_ctx pk_init_ctx;
krb5_get_init_creds_tristate addressless;
int flags;
-#define KRB5_INIT_CREDS_CANONICALIZE 1
-#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2
-#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4
-#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32
+#define KRB5_INIT_CREDS_DONE 1
+#define KRB5_INIT_CREDS_CANONICALIZE 2
+#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 4
+#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 8
+#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32
#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64
struct {
krb5_gic_process_last_req func;
@@ -218,7 +265,18 @@ struct _krb5_get_init_creds_opt_private {
typedef uint32_t krb5_enctype_set;
+/*
+ * Do not remove or reorder the fields of this structure.
+ * Fields that are no longer used should be marked "deprecated".
+ * New fields should always be appended to the end of the
+ * structure.
+ *
+ * Although this structure is internal it is shared with
+ * plugins and such changes will result in data corruption
+ * if plugins are not built with a matching version.
+ */
typedef struct krb5_context_data {
+ heim_context hcontext;
krb5_enctype *etypes;
krb5_enctype *cfg_etypes;
krb5_enctype *etypes_des;/* deprecated */
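Review bot: The comment added here says fields must never be removed or reordered and that new fields go at the end, yet this same hunk inserts `heim_context hcontext;` as the first member of `krb5_context_data`. The following hunks on this struct then remove `et_list`, `warn_dest`, `debug_dest`, `error_string` and `mutex`, and add `configured_default_cc_name` in the middle. Every member offset therefore shifts, and by the comment's own reasoning a plugin built against the previous header would read the wrong fields. Either state in the comment that the layout was deliberately broken in this revision and the rule applies from here on, for example `/* Layout changed incompatibly in this revision; plugins must be rebuilt. */`, or have plugin loading reject a mismatched build. The struct body continues outside this hunk.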
@@ -233,9 +291,6 @@ typedef struct krb5_context_data {
int32_t kdc_sec_offset;
int32_t kdc_usec_offset;
krb5_config_section *cf;
- struct et_list *et_list;
- struct krb5_log_facility *warn_dest;
- struct krb5_log_facility *debug_dest;
const krb5_cc_ops **cc_ops;
int num_cc_ops;
const char *http_proxy;
@@ -253,13 +308,12 @@ typedef struct krb5_context_data {
int num_kt_types; /* # of registered keytab types */
struct krb5_keytab_data *kt_types; /* registered keytab types */
const char *date_fmt;
- char *error_string;
krb5_error_code error_code;
krb5_addresses *ignore_addresses;
char *default_cc_name;
char *default_cc_name_env;
+ char *configured_default_cc_name;
int default_cc_name_set;
- HEIMDAL_MUTEX mutex; /* protects error_string */
int large_msg_size;
int max_msg_size;
int tgs_negative_timeout; /* timeout for TGS negative cache */
@@ -270,21 +324,20 @@ typedef struct krb5_context_data {
#define KRB5_CTX_F_SOCKETS_INITIALIZED 8
#define KRB5_CTX_F_RD_REQ_IGNORE 16
#define KRB5_CTX_F_FCACHE_STRICT_CHECKING 32
+#define KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE 64
+#define KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME 128
struct send_to_kdc *send_to_kdc;
#ifdef PKINIT
hx509_context hx509ctx;
#endif
unsigned int num_kdc_requests;
krb5_name_canon_rule name_canon_rules;
+ size_t config_include_depth;
+ krb5_boolean no_ticket_store; /* Don't store service tickets */
} krb5_context_data;
-#ifndef KRB5_USE_PATH_TOKENS
-#define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}"
-#define KRB5_DEFAULT_CCNAME_DIR "DIR:/tmp/krb5cc_%{uid}_dir/"
-#else
#define KRB5_DEFAULT_CCNAME_FILE "FILE:%{TEMP}/krb5cc_%{uid}"
#define KRB5_DEFAULT_CCNAME_DIR "DIR:%{TEMP}/krb5cc_%{uid}_dir/"
-#endif
#define KRB5_DEFAULT_CCNAME_API "API:"
#define KRB5_DEFAULT_CCNAME_KCM_KCM "KCM:%{uid}"
#define KRB5_DEFAULT_CCNAME_KCM_API "API:%{uid}"
@@ -343,6 +396,7 @@ struct krb5_pk_identity {
hx509_revoke_ctx revokectx;
int flags;
#define PKINIT_BTMM 1
+#define PKINIT_NO_KDC_ANCHOR 2
};
enum krb5_pk_type {
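Review bot: `PKINIT_NO_KDC_ANCHOR` is added next to `PKINIT_BTMM` with no comment, and the name alone does not say what it does. It could mean that KDC certificate anchor checking is switched off, or only that no anchor has been configured. For a flag that bears on certificate validation, that distinction belongs in the header, for example `/* NOTE(review): state whether this disables KDC anchor validation or merely records that none is configured, and who sets it */`. The enclosing `struct krb5_pk_identity` starts outside this hunk.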
@@ -369,10 +423,50 @@ struct krb5_pk_init_ctx_data {
unsigned int require_hostname_match:1;
unsigned int trustedCertifiers:1;
unsigned int anonymous:1;
+ unsigned int kdc_verified:1;
};
#endif /* PKINIT */
+struct krb5_fast_state {
+ enum PA_FX_FAST_REQUEST_enum type;
+ unsigned int flags;
+#define KRB5_FAST_REPLY_KEY_USE_TO_ENCRYPT_THE_REPLY 0x0001
+#define KRB5_FAST_REPLY_KEY_USE_IN_TRANSACTION 0x0002
+#define KRB5_FAST_KDC_REPLY_KEY_REPLACED 0x0004
+#define KRB5_FAST_REPLY_REPLY_VERIFIED 0x0008
+#define KRB5_FAST_STRONG 0x0010
+#define KRB5_FAST_EXPECTED 0x0020 /* in exchange with KDC, fast was discovered */
+#define KRB5_FAST_REQUIRED 0x0040 /* fast required by action of caller */
+#define KRB5_FAST_DISABLED 0x0080
+
+#define KRB5_FAST_AP_ARMOR_SERVICE 0x0100
+#define KRB5_FAST_OPTIMISTIC 0x0200 /* Optimistic try, like Anon + PKINIT or service fast bit */
+#define KRB5_FAST_REQUIRE_ENC_PA 0x0400
+
+#define KRB5_FAST_AS_REQ 0x1000
+#define KRB5_FAST_ANON_PKINIT_ARMOR 0x2000
+#define KRB5_FAST_KDC_VERIFIED 0x4000
+
+ krb5_keyblock *reply_key;
+ krb5_ccache armor_ccache;
+ krb5_auth_context armor_ac;
+ KrbFastArmor *armor_data;
+ krb5_principal armor_service;
+ krb5_crypto armor_crypto;
+ krb5_keyblock armor_key;
+ krb5_keyblock *strengthen_key;
+
+ /* KRB5_FAST_ANON_PKINIT_ARMOR */
+ krb5_get_init_creds_opt *anon_pkinit_opt;
+ krb5_init_creds_context anon_pkinit_ctx;
+};
+
+struct krb5_decrypt_tkt_with_subkey_state {
+ krb5_keyblock *subkey;
+ struct krb5_fast_state *fast_state;
+};
+
#define ISTILDE(x) (x == '~')
#ifdef _WIN32
# define ISPATHSEP(x) (x == '/' || x =='\\')
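Review bot: `struct krb5_fast_state` holds key material in three forms, the pointers `reply_key` and `strengthen_key` and the by-value `armor_key`, and nothing says which of them the state owns. The release routine is not in this hunk, so a reader cannot tell whether these keys are freed and wiped with the state or borrowed from the caller. A comment per member would settle that. Several flags that gate security decisions (`KRB5_FAST_STRONG`, `KRB5_FAST_DISABLED`, `KRB5_FAST_REQUIRE_ENC_PA`, `KRB5_FAST_KDC_VERIFIED`) have no comment, although `KRB5_FAST_EXPECTED` and `KRB5_FAST_REQUIRED` do. The new `kdc_verified:1` bit in `krb5_pk_init_ctx_data` likewise needs a note on what sets it and how it relates to `KRB5_FAST_KDC_VERIFIED`.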
@@ -380,4 +474,11 @@ struct krb5_pk_init_ctx_data {
# define ISPATHSEP(x) (x == '/')
#endif
+/* Flag in KRB5_AUTHDATA_AP_OPTIONS */
+#define KERB_AP_OPTIONS_CBT 0x00004000
+
+/* Flag in PAC_ATTRIBUTES_INFO */
+#define KRB5_PAC_WAS_REQUESTED 0x1
+#define KRB5_PAC_WAS_GIVEN_IMPLICITLY 0x2
+
#endif /* __KRB5_LOCL_H__ */
diff --git a/lib/krb5/krb5_mk_req.cat3 b/lib/krb5/krb5_mk_req.cat3
deleted file mode 100644
index 266f1a052e9a..000000000000
--- a/lib/krb5/krb5_mk_req.cat3
+++ /dev/null
@@ -1,88 +0,0 @@
-KRB5_MK_REQ(3) BSD Library Functions Manual KRB5_MK_REQ(3)
-
-NAME
- krb5_mk_req, krb5_mk_req_exact, krb5_mk_req_extended, krb5_rd_req,
- krb5_rd_req_with_keyblock, krb5_mk_rep, krb5_mk_rep_exact,
- krb5_mk_rep_extended, krb5_rd_rep, krb5_build_ap_req, krb5_verify_ap_req
- -- create and read application authentication request
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
- const krb5_flags ap_req_options, const char *service,
- const char *hostname, krb5_data *in_data, krb5_ccache ccache,
- krb5_data *outbuf);
-
- krb5_error_code
- krb5_mk_req_extended(krb5_context context,
- krb5_auth_context *auth_context, const krb5_flags ap_req_options,
- krb5_data *in_data, krb5_creds *in_creds, krb5_data *outbuf);
-
- krb5_error_code
- krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
- const krb5_data *inbuf, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket);
-
- krb5_error_code
- krb5_build_ap_req(krb5_context context, krb5_enctype enctype,
- krb5_creds *cred, krb5_flags ap_options, krb5_data authenticator,
- krb5_data *retdata);
-
- krb5_error_code
- krb5_verify_ap_req(krb5_context context, krb5_auth_context *auth_context,
- krb5_ap_req *ap_req, krb5_const_principal server,
- krb5_keyblock *keyblock, krb5_flags flags,
- krb5_flags *ap_req_options, krb5_ticket **ticket);
-
-DESCRIPTION
- The functions documented in this manual page document the functions that
- facilitates the exchange between a Kerberos client and server. They are
- the core functions used in the authentication exchange between the client
- and the server.
-
- The krb5_mk_req and krb5_mk_req_extended creates the Kerberos message
- KRB_AP_REQ that is sent from the client to the server as the first packet
- in a client/server exchange. The result that should be sent to server is
- stored in outbuf.
-
- auth_context should be allocated with krb5_auth_con_init() or NULL passed
- in, in that case, it will be allocated and freed internally.
-
- The input data in_data will have a checksum calculated over it and check-
- sum will be transported in the message to the server.
-
- ap_req_options can be set to one or more of the following flags:
-
- AP_OPTS_USE_SESSION_KEY
- Use the session key when creating the request, used for user to
- user authentication.
-
- AP_OPTS_MUTUAL_REQUIRED
- Mark the request as mutual authenticate required so that the re-
- ceiver returns a mutual authentication packet.
-
- The krb5_rd_req read the AP_REQ in inbuf and verify and extract the con-
- tent. If server is specified, that server will be fetched from the
- keytab and used unconditionally. If server is NULL, the keytab will be
- search for a matching principal.
-
- The keytab argument specifies what keytab to search for receiving princi-
- pals. The arguments ap_req_options and ticket returns the content.
-
- When the AS-REQ is a user to user request, neither of keytab or principal
- are used, instead krb5_rd_req() expects the session key to be set in
- auth_context.
-
- The krb5_verify_ap_req and krb5_build_ap_req both constructs and verify
- the AP_REQ message, should not be used by external code.
-
-SEE ALSO
- krb5(3), krb5.conf(5)
-
-HEIMDAL August 27, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_mk_safe.cat3 b/lib/krb5/krb5_mk_safe.cat3
deleted file mode 100644
index a517fefd8412..000000000000
--- a/lib/krb5/krb5_mk_safe.cat3
+++ /dev/null
@@ -1,35 +0,0 @@
-KRB5_MK_SAFE(3) BSD Library Functions Manual KRB5_MK_SAFE(3)
-
-NAME
- krb5_mk_safe, krb5_mk_priv -- generates integrity protected and/or en-
- crypted messages
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *userdata, krb5_data *outbuf,
- krb5_replay_data *outdata);
-
- krb5_error_code
- krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *userdata, krb5_data *outbuf,
- krb5_replay_data *outdata);
-
-DESCRIPTION
- krb5_mk_safe() and krb5_mk_priv() formats KRB-SAFE (integrity protected)
- and KRB-PRIV (also encrypted) messages into outbuf. The actual message
- data is taken from userdata. If the KRB5_AUTH_CONTEXT_DO_SEQUENCE or
- KRB5_AUTH_CONTEXT_DO_TIME flags are set in the auth_context, sequence
- numbers and time stamps are generated. If the
- KRB5_AUTH_CONTEXT_RET_SEQUENCE or KRB5_AUTH_CONTEXT_RET_TIME flags are
- set they are also returned in the outdata parameter.
-
-SEE ALSO
- krb5_auth_con_init(3), krb5_rd_priv(3), krb5_rd_safe(3)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_openlog.3 b/lib/krb5/krb5_openlog.3
index 28e9a1f4bc88..09de9d0c7ebf 100644
--- a/lib/krb5/krb5_openlog.3
+++ b/lib/krb5/krb5_openlog.3
@@ -161,13 +161,24 @@ follows:
.Bl -tag -width "xxx" -offset indent
.It Li STDERR
This logs to the program's stderr.
+.It Li EFILE: Ns Pa /file
+Log to the specified file if it exists, otherwise do nothing.
+All writes will be appended to the end of the file and the file
+will be re-opened for each new write.
+Non-existence of the file is cached for 1 second which reduces
+the potential performance impact significantly.
+This is useful for defining a trace file which can be enabled
+without restarting a server.
.It Li FILE: Ns Pa /file
+Log to the specified file.
+All writes will be appended to the end of the file and the file
+will be re-opened for each new write.
.It Li FILE= Ns Pa /file
-Log to the specified file. The form using a colon appends to the file, the
-form with an equal truncates the file. The truncating form keeps the file
-open, while the appending form closes it after each log message (which
-makes it possible to rotate logs). The truncating form is mainly for
-compatibility with the MIT libkrb5.
+On the first write, this form will
+.Xr truncate 2
+the file and then append all subsequent messages whilst keeping the
+file descriptor open.
+This form is mainly for compatibility with MIT libkrb5.
.It Li DEVICE= Ns Pa /device
This logs to the specified device, at present this is the same as
.Li FILE:/device .
@@ -203,9 +214,44 @@ parameter to
.Fn krb5_log
is within this range (inclusive) the message gets logged to this
destination, otherwise not. Either of the min and max valued may be
-omitted, in this case min is assumed to be zero, and max is assumed to be
-infinity. If you don't include a dash, both min and max gets set to the
-specified value. If no range is specified, all messages gets logged.
+omitted, in this case min is assumed to be 0, and max is assumed to
+be 3.
+If you don't include a dash, both min and max get set to the
+specified value.
+.Pp
+The paths specified are subject to token expansion.
+For the purposes of logging, the most interesting token
+expansion is
+.ar %{strftime:<string>}
+which calls
+.Xr strftime 3
+on
+.Ar <string>
+with the localised current time of day.
+.Ss Levels
+Each log message has a level as follows:
+.Bl -tag -width "xxx" -offset indent
+.It 0
+Critical conditions.
+This is a condition that should be corrected immediately, such as a
+corrupted Kerberos database.
+.It 1
+Errors.
+These are errors that occur in the normal processing of requests.
+.It 2
+Warning messages.
+On the KDC, this includes malformed requests and requests that
+are out of policy.
+.It 3
+Informational messages.
+.It 4-6
+Debugging messages with increasing obscurity as the level rises.
+.It 7
+Tracing messages.
+These messages may be high volume and are likely to impact
+performance significantly.
+Notably, tracing messages may be emitted whilst locks are held.
+.El
.Sh EXAMPLES
.Bd -literal -offset indent
[logging]
@@ -222,7 +268,24 @@ other messages will be logged to syslog with priority
.Li LOG_INFO ,
and facility
.Li LOG_USER .
-All other programs will log all messages to their stderr.
+.Bd -literal -offset indent
+[logging]
+ kdc = FILE:/var/log/kdc-%{strftime:%Y%m%d%H}
+ kdc = 4-/EFILE:/tmp/kdc-trace
+.Ed
+.Pp
+This will log all messages from the
+.Nm kdc
+program with level 0 to 3 (inclusively) to a file whose
+name is generated using
+.Xr strftime 3 .
+As the file is
+.Xr open 2 ed
+each time a log message is written, this can be used to write
+automatically rotating log files.
+All of the KDC debugging messages will be written into
+.Pa /tmp/kdc-trace
+but only if it exists.
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr krb5.conf 5
diff --git a/lib/krb5/krb5_openlog.cat3 b/lib/krb5/krb5_openlog.cat3
deleted file mode 100644
index e976a1174fa5..000000000000
--- a/lib/krb5/krb5_openlog.cat3
+++ /dev/null
@@ -1,158 +0,0 @@
-KRB5_OPENLOG(3) BSD Library Functions Manual KRB5_OPENLOG(3)
-
-NAME
- krb5_initlog, krb5_openlog, krb5_closelog, krb5_addlog_dest,
- krb5_addlog_func, krb5_log, krb5_vlog, krb5_log_msg, krb5_vlog_msg --
- Heimdal logging functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- typedef void
- (*krb5_log_log_func_t)(const char *time, const char *message,
- void *data);
-
- typedef void
- (*krb5_log_close_func_t)(void *data);
-
- krb5_error_code
- krb5_addlog_dest(krb5_context context, krb5_log_facility *facility,
- const char *destination);
-
- krb5_error_code
- krb5_addlog_func(krb5_context context, krb5_log_facility *facility,
- int min, int max, krb5_log_log_func_t log,
- krb5_log_close_func_t close, void *data);
-
- krb5_error_code
- krb5_closelog(krb5_context context, krb5_log_facility *facility);
-
- krb5_error_code
- krb5_initlog(krb5_context context, const char *program,
- krb5_log_facility **facility);
-
- krb5_error_code
- krb5_log(krb5_context context, krb5_log_facility *facility, int level,
- const char *format, ...);
-
- krb5_error_code
- krb5_log_msg(krb5_context context, krb5_log_facility *facility,
- char **reply, int level, const char *format, ...);
-
- krb5_error_code
- krb5_openlog(krb5_context context, const char *program,
- krb5_log_facility **facility);
-
- krb5_error_code
- krb5_vlog(krb5_context context, krb5_log_facility *facility, int level,
- const char *format, va_list arglist);
-
- krb5_error_code
- krb5_vlog_msg(krb5_context context, krb5_log_facility *facility,
- char **reply, int level, const char *format, va_list arglist);
-
-DESCRIPTION
- These functions logs messages to one or more destinations.
-
- The krb5_openlog() function creates a logging facility, that is used to
- log messages. A facility consists of one or more destinations (which can
- be files or syslog or some other device). The program parameter should be
- the generic name of the program that is doing the logging. This name is
- used to lookup which destinations to use. This information is contained
- in the logging section of the krb5.conf configuration file. If no entry
- is found for program, the entry for default is used, or if that is miss-
- ing too, SYSLOG will be used as destination.
-
- To close a logging facility, use the krb5_closelog() function.
-
- To log a message to a facility use one of the functions krb5_log(),
- krb5_log_msg(), krb5_vlog(), or krb5_vlog_msg(). The functions ending in
- _msg return in reply a pointer to the message that just got logged. This
- string is allocated, and should be freed with free(). The format is a
- standard printf() style format string (but see the BUGS section).
-
- If you want better control of where things gets logged, you can instead
- of using krb5_openlog() call krb5_initlog(), which just initializes a fa-
- cility, but doesn't define any actual logging destinations. You can then
- add destinations with the krb5_addlog_dest() and krb5_addlog_func() func-
- tions. The first of these takes a string specifying a logging destina-
- tion, and adds this to the facility. If you want to do some non-standard
- logging you can use the krb5_addlog_func() function, which takes a func-
- tion to use when logging. The log function is called for each message
- with time being a string specifying the current time, and message the
- message to log. close is called when the facility is closed. You can
- pass application specific data in the data parameter. The min and max pa-
- rameter are the same as in a destination (defined below). To specify a
- max of infinity, pass -1.
-
- krb5_openlog() calls krb5_initlog() and then calls krb5_addlog_dest() for
- each destination found.
-
- Destinations
- The defined destinations (as specified in krb5.conf) follows:
-
- STDERR
- This logs to the program's stderr.
-
- FILE:/file
-
- FILE=/file
- Log to the specified file. The form using a colon appends to
- the file, the form with an equal truncates the file. The trun-
- cating form keeps the file open, while the appending form
- closes it after each log message (which makes it possible to
- rotate logs). The truncating form is mainly for compatibility
- with the MIT libkrb5.
-
- DEVICE=/device
- This logs to the specified device, at present this is the same
- as FILE:/device.
-
- CONSOLE
- Log to the console, this is the same as DEVICE=/dev/console.
-
- SYSLOG[:priority[:facility]]
- Send messages to the syslog system, using priority, and facil-
- ity. To get the name for one of these, you take the name of
- the macro passed to syslog(3), and remove the leading LOG_
- (LOG_NOTICE becomes NOTICE). The default values (as well as
- the values used for unrecognised values), are ERR, and AUTH,
- respectively. See syslog(3) for a list of priorities and fa-
- cilities.
-
- Each destination may optionally be prepended with a range of logging lev-
- els, specified as min-max/. If the level parameter to krb5_log() is
- within this range (inclusive) the message gets logged to this destina-
- tion, otherwise not. Either of the min and max valued may be omitted, in
- this case min is assumed to be zero, and max is assumed to be infinity.
- If you don't include a dash, both min and max gets set to the specified
- value. If no range is specified, all messages gets logged.
-
-EXAMPLES
- [logging]
- kdc = 0/FILE:/var/log/kdc.log
- kdc = 1-/SYSLOG:INFO:USER
- default = STDERR
-
- This will log all messages from the kdc program with level 0 to
- /var/log/kdc.log, other messages will be logged to syslog with priority
- LOG_INFO, and facility LOG_USER. All other programs will log all mes-
- sages to their stderr.
-
-SEE ALSO
- syslog(3), krb5.conf(5)
-
-BUGS
- These functions use asprintf() to format the message. If your operating
- system does not have a working asprintf(), a replacement will be used. At
- present this replacement does not handle some correct conversion specifi-
- cations (like floating point numbers). Until this is fixed, the use of
- these conversions should be avoided.
-
- If logging is done to the syslog facility, these functions might not be
- thread-safe, depending on the implementation of openlog(), and syslog().
-
-HEIMDAL August 6, 1997 HEIMDAL
diff --git a/lib/krb5/krb5_parse_name.cat3 b/lib/krb5/krb5_parse_name.cat3
deleted file mode 100644
index 5799ef31bfee..000000000000
--- a/lib/krb5/krb5_parse_name.cat3
+++ /dev/null
@@ -1,30 +0,0 @@
-KRB5_PARSE_NAME(3) BSD Library Functions Manual KRB5_PARSE_NAME(3)
-
-NAME
- krb5_parse_name -- string to principal conversion
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_parse_name(krb5_context context, const char *name,
- krb5_principal *principal);
-
-DESCRIPTION
- krb5_parse_name() converts a string representation of a principal name to
- krb5_principal. The principal will point to allocated data that should
- be freed with krb5_free_principal().
-
- The string should consist of one or more name components separated with
- slashes ("/"), optionally followed with an "@" and a realm name. A slash
- or @ may be contained in a name component by quoting it with a backslash
- ("\"). A realm should not contain slashes or colons.
-
-SEE ALSO
- krb5_build_principal(3), krb5_free_principal(3),
- krb5_sname_to_principal(3), krb5_unparse_name(3)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_principal.cat3 b/lib/krb5/krb5_principal.cat3
deleted file mode 100644
index 5488ad9dfb83..000000000000
--- a/lib/krb5/krb5_principal.cat3
+++ /dev/null
@@ -1,259 +0,0 @@
-KRB5_PRINCIPAL(3) BSD Library Functions Manual KRB5_PRINCIPAL(3)
-
-NAME
- krb5_get_default_principal, krb5_principal, krb5_build_principal,
- krb5_build_principal_ext, krb5_build_principal_va,
- krb5_build_principal_va_ext, krb5_copy_principal, krb5_free_principal,
- krb5_make_principal, krb5_parse_name, krb5_parse_name_flags,
- krb5_parse_nametype, krb5_princ_set_realm, krb5_principal_compare,
- krb5_principal_compare_any_realm, krb5_principal_get_comp_string,
- krb5_principal_get_realm, krb5_principal_get_type, krb5_principal_match,
- krb5_principal_set_type, krb5_realm_compare, krb5_sname_to_principal,
- krb5_sock_to_principal, krb5_unparse_name, krb5_unparse_name_flags,
- krb5_unparse_name_fixed, krb5_unparse_name_fixed_flags,
- krb5_unparse_name_fixed_short, krb5_unparse_name_short -- Kerberos 5
- principal handling functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_principal;
-
- void
- krb5_free_principal(krb5_context context, krb5_principal principal);
-
- krb5_error_code
- krb5_parse_name(krb5_context context, const char *name,
- krb5_principal *principal);
-
- krb5_error_code
- krb5_parse_name_flags(krb5_context context, const char *name, int flags,
- krb5_principal *principal);
-
- krb5_error_code
- krb5_unparse_name(krb5_context context, krb5_const_principal principal,
- char **name);
-
- krb5_error_code
- krb5_unparse_name_flags(krb5_context context,
- krb5_const_principal principal, int flags, char **name);
-
- krb5_error_code
- krb5_unparse_name_fixed(krb5_context context,
- krb5_const_principal principal, char *name, size_t len);
-
- krb5_error_code
- krb5_unparse_name_fixed_flags(krb5_context context,
- krb5_const_principal principal, int flags, char *name, size_t len);
-
- krb5_error_code
- krb5_unparse_name_short(krb5_context context,
- krb5_const_principal principal, char **name);
-
- krb5_error_code
- krb5_unparse_name_fixed_short(krb5_context context,
- krb5_const_principal principal, char *name, size_t len);
-
- void
- krb5_princ_set_realm(krb5_context context, krb5_principal principal,
- krb5_realm *realm);
-
- krb5_error_code
- krb5_build_principal(krb5_context context, krb5_principal *principal,
- int rlen, krb5_const_realm realm, ...);
-
- krb5_error_code
- krb5_build_principal_va(krb5_context context, krb5_principal *principal,
- int rlen, krb5_const_realm realm, va_list ap);
-
- krb5_error_code
- krb5_build_principal_ext(krb5_context context, krb5_principal *principal,
- int rlen, krb5_const_realm realm, ...);
-
- krb5_error_code
- krb5_build_principal_va_ext(krb5_context context,
- krb5_principal *principal, int rlen, krb5_const_realm realm,
- va_list ap);
-
- krb5_error_code
- krb5_make_principal(krb5_context context, krb5_principal *principal,
- krb5_const_realm realm, ...);
-
- krb5_error_code
- krb5_copy_principal(krb5_context context, krb5_const_principal inprinc,
- krb5_principal *outprinc);
-
- krb5_boolean
- krb5_principal_compare(krb5_context context, krb5_const_principal princ1,
- krb5_const_principal princ2);
-
- krb5_boolean
- krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1, krb5_const_principal princ2);
-
- const char *
- krb5_principal_get_comp_string(krb5_context context,
- krb5_const_principal principal, unsigned int component);
-
- const char *
- krb5_principal_get_realm(krb5_context context,
- krb5_const_principal principal);
-
- int
- krb5_principal_get_type(krb5_context context,
- krb5_const_principal principal);
-
- krb5_boolean
- krb5_principal_match(krb5_context context,
- krb5_const_principal principal, krb5_const_principal pattern);
-
- void
- krb5_principal_set_type(krb5_context context, krb5_principal principal,
- int type);
-
- krb5_boolean
- krb5_realm_compare(krb5_context context, krb5_const_principal princ1,
- krb5_const_principal princ2);
-
- krb5_error_code
- krb5_sname_to_principal(krb5_context context, const char *hostname,
- const char *sname, int32_t type, krb5_principal *ret_princ);
-
- krb5_error_code
- krb5_sock_to_principal(krb5_context context, int socket,
- const char *sname, int32_t type, krb5_principal *principal);
-
- krb5_error_code
- krb5_get_default_principal(krb5_context context, krb5_principal *princ);
-
- krb5_error_code
- krb5_parse_nametype(krb5_context context, const char *str,
- int32_t *type);
-
-DESCRIPTION
- krb5_principal holds the name of a user or service in Kerberos.
-
- A principal has two parts, a PrincipalName and a realm. The Principal-
- Name consists of one or more components. In printed form, the components
- are separated by /. The PrincipalName also has a name-type.
-
- Examples of a principal are nisse/root@EXAMPLE.COM and
- host/datan.kth.se@KTH.SE. krb5_parse_name() and krb5_parse_name_flags()
- passes a principal name in name to the kerberos principal structure.
- krb5_parse_name_flags() takes an extra flags argument the following flags
- can be passed in
-
- KRB5_PRINCIPAL_PARSE_NO_REALM
- requires the input string to be without a realm, and no realm is
- stored in the principal return argument.
-
- KRB5_PRINCIPAL_PARSE_REQUIRE_REALM
- requires the input string to with a realm.
-
- krb5_unparse_name() and krb5_unparse_name_flags() prints the principal
- princ to the string name. name should be freed with free(3). To the
- flags argument the following flags can be passed in
-
- KRB5_PRINCIPAL_UNPARSE_SHORT
- no realm if the realm is one of the local realms.
-
- KRB5_PRINCIPAL_UNPARSE_NO_REALM
- never include any realm in the principal name.
-
- KRB5_PRINCIPAL_UNPARSE_DISPLAY
- don't quote
- On failure name is set to NULL. krb5_unparse_name_fixed() and
- krb5_unparse_name_fixed_flags() behaves just like krb5_unparse(), but in-
- stead unparses the principal into a fixed size buffer.
-
- krb5_unparse_name_short() just returns the principal without the realm if
- the principal is in the default realm. If the principal isn't, the full
- name is returned. krb5_unparse_name_fixed_short() works just like
- krb5_unparse_name_short() but on a fixed size buffer.
-
- krb5_build_principal() builds a principal from the realm realm that has
- the length rlen. The following arguments form the components of the
- principal. The list of components is terminated with NULL.
-
- krb5_build_principal_va() works like krb5_build_principal() using vargs.
-
- krb5_build_principal_ext() and krb5_build_principal_va_ext() take a list
- of length-value pairs, the list is terminated with a zero length.
-
- krb5_make_principal() works the same way as krb5_build_principal(), ex-
- cept it figures out the length of the realm itself.
-
- krb5_copy_principal() makes a copy of a principal. The copy needs to be
- freed with krb5_free_principal().
-
- krb5_principal_compare() compares the two principals, including realm of
- the principals and returns TRUE if they are the same and FALSE if not.
-
- krb5_principal_compare_any_realm() works the same way as
- krb5_principal_compare() but doesn't compare the realm component of the
- principal.
-
- krb5_realm_compare() compares the realms of the two principals and re-
- turns TRUE is they are the same, and FALSE if not.
-
- krb5_principal_match() matches a principal against a pattern. The pat-
- tern is a globbing expression, where each component (separated by /) is
- matched against the corresponding component of the principal.
-
- The krb5_principal_get_realm() and krb5_principal_get_comp_string() func-
- tions return parts of the principal, either the realm or a specific com-
- ponent. Both functions return string pointers to data inside the princi-
- pal, so they are valid only as long as the principal exists.
-
- The component argument to krb5_principal_get_comp_string() is the index
- of the component to return, from zero to the total number of components
- minus one. If the index is out of range NULL is returned.
-
- krb5_principal_get_realm() and krb5_principal_get_comp_string() are re-
- placements for krb5_princ_component() and related macros, described as
- internal in the MIT API specification. Unlike the macros, these func-
- tions return strings, not krb5_data. A reason to return krb5_data was
- that it was believed that principal components could contain binary data,
- but this belief was unfounded, and it has been decided that principal
- components are infact UTF8, so it's safe to use zero terminated strings.
-
- It's generally not necessary to look at the components of a principal.
-
- krb5_principal_get_type() and krb5_principal_set_type() get and sets the
- name type for a principal. Name type handling is tricky and not often
- needed, don't use this unless you know what you do.
-
- krb5_sname_to_principal() and krb5_sock_to_principal() are for easy cre-
- ation of "service" principals that can, for instance, be used to lookup a
- key in a keytab. For both functions the sname parameter will be used for
- the first component of the created principal. If sname is NULL, "host"
- will be used instead.
-
- krb5_sname_to_principal() will use the passed hostname for the second
- component. If type is KRB5_NT_SRV_HST this name will be looked up with
- gethostbyname(). If hostname is NULL, the local hostname will be used.
-
- krb5_sock_to_principal() will use the "sockname" of the passed socket,
- which should be a bound AF_INET or AF_INET6 socket. There must be a map-
- ping between the address and "sockname". The function may try to resolve
- the name in DNS.
-
- krb5_get_default_principal() tries to find out what's a reasonable de-
- fault principal by looking at the environment it is running in.
-
- krb5_parse_nametype() parses and returns the name type integer value in
- type. On failure the function returns an error code and set the error
- string.
-
-SEE ALSO
- krb5_config(3), krb5.conf(5)
-
-BUGS
- You can not have a NUL in a component in some of the variable argument
- functions above. Until someone can give a good example of where it would
- be a good idea to have NUL's in a component, this will not be fixed.
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_rcache.cat3 b/lib/krb5/krb5_rcache.cat3
deleted file mode 100644
index e16ad25e6b45..000000000000
--- a/lib/krb5/krb5_rcache.cat3
+++ /dev/null
@@ -1,83 +0,0 @@
-KRB5_RCACHE(3) BSD Library Functions Manual KRB5_RCACHE(3)
-
-NAME
- krb5_rcache, krb5_rc_close, krb5_rc_default, krb5_rc_default_name,
- krb5_rc_default_type, krb5_rc_destroy, krb5_rc_expunge,
- krb5_rc_get_lifespan, krb5_rc_get_name, krb5_rc_get_type,
- krb5_rc_initialize, krb5_rc_recover, krb5_rc_resolve,
- krb5_rc_resolve_full, krb5_rc_resolve_type, krb5_rc_store,
- krb5_get_server_rcache -- Kerberos 5 replay cache
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- struct krb5_rcache;
-
- krb5_error_code
- krb5_rc_close(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_default(krb5_context context, krb5_rcache *id);
-
- const char *
- krb5_rc_default_name(krb5_context context);
-
- const char *
- krb5_rc_default_type(krb5_context context);
-
- krb5_error_code
- krb5_rc_destroy(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_expunge(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_get_lifespan(krb5_context context, krb5_rcache id,
- krb5_deltat *auth_lifespan);
-
- const char*
- krb5_rc_get_name(krb5_context context, krb5_rcache id);
-
- const char*
- krb5_rc_get_type(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_initialize(krb5_context context, krb5_rcache id,
- krb5_deltat auth_lifespan);
-
- krb5_error_code
- krb5_rc_recover(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_resolve(krb5_context context, krb5_rcache id, const char *name);
-
- krb5_error_code
- krb5_rc_resolve_full(krb5_context context, krb5_rcache *id,
- const char *string_name);
-
- krb5_error_code
- krb5_rc_resolve_type(krb5_context context, krb5_rcache *id,
- const char *type);
-
- krb5_error_code
- krb5_rc_store(krb5_context context, krb5_rcache id,
- krb5_donot_replay *rep);
-
- krb5_error_code
- krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
- krb5_rcache *id);
-
-DESCRIPTION
- The krb5_rcache structure holds a storage element that is used for data
- manipulation. The structure contains no public accessible elements.
-
- krb5_rc_initialize() Creates the reply cache id and sets it lifespan to
- auth_lifespan. If the cache already exists, the content is destroyed.
-
-SEE ALSO
- krb5(3), krb5_data(3), kerberos(8)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_rd_error.cat3 b/lib/krb5/krb5_rd_error.cat3
deleted file mode 100644
index a64ad0a172ef..000000000000
--- a/lib/krb5/krb5_rd_error.cat3
+++ /dev/null
@@ -1,51 +0,0 @@
-KRB5_RD_ERROR(3) BSD Library Functions Manual KRB5_RD_ERROR(3)
-
-NAME
- krb5_rd_error, krb5_free_error, krb5_free_error_contents,
- krb5_error_from_rd_error -- parse, free and read error from KRB-ERROR
- message
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_rd_error(krb5_context context, const krb5_data *msg,
- KRB_ERROR *result);
-
- void
- krb5_free_error(krb5_context context, krb5_error *error);
-
- void
- krb5_free_error_contents(krb5_context context, krb5_error *error);
-
- krb5_error_code
- krb5_error_from_rd_error(krb5_context context, const krb5_error *error,
- const krb5_creds *creds);
-
-DESCRIPTION
- Usually applications never needs to parse and understand Kerberos error
- messages since higher level functions will parse and push up the error in
- the krb5_context. These functions are described for completeness.
-
- krb5_rd_error() parses and returns the kerboeros error message, the
- structure should be freed with krb5_free_error_contents() when the caller
- is done with the structure.
-
- krb5_free_error() frees the content and the memory region holding the
- structure iself.
-
- krb5_free_error_contents() free the content of the KRB-ERROR message.
-
- krb5_error_from_rd_error() will parse the error message and set the error
- buffer in krb5_context to the error string passed back or the matching
- error code in the KRB-ERROR message. Caller should pick up the message
- with krb5_get_error_string(3) (don't forget to free the returned string
- with krb5_free_error_string()).
-
-SEE ALSO
- krb5(3), krb5_set_error_string(3), krb5_get_error_string(3), krb5.conf(5)
-
-HEIMDAL July 26, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_rd_safe.cat3 b/lib/krb5/krb5_rd_safe.cat3
deleted file mode 100644
index 0f4fd9fe9ea5..000000000000
--- a/lib/krb5/krb5_rd_safe.cat3
+++ /dev/null
@@ -1,34 +0,0 @@
-KRB5_RD_SAFE(3) BSD Library Functions Manual KRB5_RD_SAFE(3)
-
-NAME
- krb5_rd_safe, krb5_rd_priv -- verifies authenticity of messages
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_data *outbuf,
- krb5_replay_data *outdata);
-
- krb5_error_code
- krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_data *outbuf,
- krb5_replay_data *outdata);
-
-DESCRIPTION
- krb5_rd_safe() and krb5_rd_priv() parses KRB-SAFE and KRB-PRIV messages
- (as generated by krb5_mk_safe(3) and krb5_mk_priv(3)) from inbuf and ver-
- ifies its integrity. The user data part of the message in put in outbuf.
- The encryption state, including keyblocks and addresses, is taken from
- auth_context. If the KRB5_AUTH_CONTEXT_RET_SEQUENCE or
- KRB5_AUTH_CONTEXT_RET_TIME flags are set in the auth_context the sequence
- number and time are returned in the outdata parameter.
-
-SEE ALSO
- krb5_auth_con_init(3), krb5_mk_priv(3), krb5_mk_safe(3)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_set_default_realm.cat3 b/lib/krb5/krb5_set_default_realm.cat3
deleted file mode 100644
index 2bf0a5b825b8..000000000000
--- a/lib/krb5/krb5_set_default_realm.cat3
+++ /dev/null
@@ -1,69 +0,0 @@
-KRB5_SET_DEFAULT_REAL... BSD Library Functions Manual KRB5_SET_DEFAULT_REAL...
-
-NAME
- krb5_copy_host_realm, krb5_free_host_realm, krb5_get_default_realm,
- krb5_get_default_realms, krb5_get_host_realm, krb5_set_default_realm --
- default and host realm read and manipulation routines
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_copy_host_realm(krb5_context context, const krb5_realm *from,
- krb5_realm **to);
-
- krb5_error_code
- krb5_free_host_realm(krb5_context context, krb5_realm *realmlist);
-
- krb5_error_code
- krb5_get_default_realm(krb5_context context, krb5_realm *realm);
-
- krb5_error_code
- krb5_get_default_realms(krb5_context context, krb5_realm **realm);
-
- krb5_error_code
- krb5_get_host_realm(krb5_context context, const char *host,
- krb5_realm **realms);
-
- krb5_error_code
- krb5_set_default_realm(krb5_context context, const char *realm);
-
-DESCRIPTION
- krb5_copy_host_realm() copies the list of realms from from to to. to
- should be freed by the caller using krb5_free_host_realm.
-
- krb5_free_host_realm() frees all memory allocated by realmlist.
-
- krb5_get_default_realm() returns the first default realm for this host.
- The realm returned should be freed with krb5_xfree().
-
- krb5_get_default_realms() returns a NULL terminated list of default
- realms for this context. Realms returned by krb5_get_default_realms()
- should be freed with krb5_free_host_realm().
-
- krb5_get_host_realm() returns a NULL terminated list of realms for host
- by looking up the information in the [domain_realm] in krb5.conf or in
- DNS. If the mapping in [domain_realm] results in the string dns_locate,
- DNS is used to lookup the realm.
-
- When using DNS to a resolve the domain for the host a.b.c,
- krb5_get_host_realm() looks for a TXT resource record named
- _kerberos.a.b.c, and if not found, it strips off the first component and
- tries a again (_kerberos.b.c) until it reaches the root.
-
- If there is no configuration or DNS information found,
- krb5_get_host_realm() assumes it can use the domain part of the host to
- form a realm. Caller must free realmlist with krb5_free_host_realm().
-
- krb5_set_default_realm() sets the default realm for the context. If NULL
- is used as a realm, the [libdefaults]default_realm stanza in krb5.conf is
- used. If there is no such stanza in the configuration file, the
- krb5_get_host_realm() function is used to form a default realm.
-
-SEE ALSO
- free(3), krb5.conf(5)
-
-HEIMDAL April 24, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_set_password.cat3 b/lib/krb5/krb5_set_password.cat3
deleted file mode 100644
index f6b7f387487f..000000000000
--- a/lib/krb5/krb5_set_password.cat3
+++ /dev/null
@@ -1,65 +0,0 @@
-KRB5_SET_PASSWORD(3) BSD Library Functions Manual KRB5_SET_PASSWORD(3)
-
-NAME
- krb5_change_password, krb5_set_password, krb5_set_password_using_ccache,
- krb5_passwd_result_to_string -- change password functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_change_password(krb5_context context, krb5_creds *creds,
- char *newpw, int *result_code, krb5_data *result_code_string,
- krb5_data *result_string);
-
- krb5_error_code
- krb5_set_password(krb5_context context, krb5_creds *creds, char *newpw,
- krb5_principal targprinc, int *result_code,
- krb5_data *result_code_string, krb5_data *result_string);
-
- krb5_error_code
- krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache,
- char *newpw, krb5_principal targprinc, int *result_code,
- krb5_data *result_code_string, krb5_data *result_string);
-
- const char *
- krb5_passwd_result_to_string(krb5_context context, int result);
-
-DESCRIPTION
- These functions change the password for a given principal.
-
- krb5_set_password() and krb5_set_password_using_ccache() are the newer of
- the three functions, and use a newer version of the protocol (and also
- fall back to the older set-password protocol if the newer protocol
- doesn't work).
-
- krb5_change_password() sets the password newpasswd for the client princi-
- pal in creds. The server principal of creds must be kadmin/changepw.
-
- krb5_set_password() and krb5_set_password_using_ccache() change the pass-
- word for the principal targprinc.
-
- krb5_set_password() requires that the credential for
- kadmin/changepw@REALM is in creds. If the user caller isn't an adminis-
- trator, this credential needs to be an initial credential, see
- krb5_get_init_creds(3) how to get such credentials.
-
- krb5_set_password_using_ccache() will get the credential from ccache.
-
- If targprinc is NULL, krb5_set_password_using_ccache() uses the the de-
- fault principal in ccache and krb5_set_password() uses the global the de-
- fault principal.
-
- All three functions return an error in result_code and maybe an error
- string to print in result_string.
-
- krb5_passwd_result_to_string() returns an human readable string describ-
- ing the error code in result_code from the krb5_set_password() functions.
-
-SEE ALSO
- krb5_ccache(3), krb5_init_context(3)
-
-HEIMDAL July 15, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_string_to_key.cat3 b/lib/krb5/krb5_string_to_key.cat3
deleted file mode 100644
index 3e3621880185..000000000000
--- a/lib/krb5/krb5_string_to_key.cat3
+++ /dev/null
@@ -1,73 +0,0 @@
-KRB5_STRING_TO_KEY(3) BSD Library Functions Manual KRB5_STRING_TO_KEY(3)
-
-NAME
- krb5_string_to_key, krb5_string_to_key_data,
- krb5_string_to_key_data_salt, krb5_string_to_key_data_salt_opaque,
- krb5_string_to_key_salt, krb5_string_to_key_salt_opaque,
- krb5_get_pw_salt, krb5_free_salt -- turns a string to a Kerberos key
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_string_to_key(krb5_context context, krb5_enctype enctype,
- const char *password, krb5_principal principal, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_data(krb5_context context, krb5_enctype enctype,
- krb5_data password, krb5_principal principal, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_data_salt(krb5_context context, krb5_enctype enctype,
- krb5_data password, krb5_salt salt, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_data_salt_opaque(krb5_context context,
- krb5_enctype enctype, krb5_data password, krb5_salt salt,
- krb5_data opaque, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_salt(krb5_context context, krb5_enctype enctype,
- const char *password, krb5_salt salt, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_salt_opaque(krb5_context context,
- krb5_enctype enctype, const char *password, krb5_salt salt,
- krb5_data opaque, krb5_keyblock *key);
-
- krb5_error_code
- krb5_get_pw_salt(krb5_context context, krb5_const_principal principal,
- krb5_salt *salt);
-
- krb5_error_code
- krb5_free_salt(krb5_context context, krb5_salt salt);
-
-DESCRIPTION
- The string to key functions convert a string to a kerberos key.
-
- krb5_string_to_key_data_salt_opaque() is the function that does all the
- work, the rest of the functions are just wrappers around
- krb5_string_to_key_data_salt_opaque() that calls it with default values.
-
- krb5_string_to_key_data_salt_opaque() transforms the password with the
- given salt-string salt and the opaque, encryption type specific parameter
- opaque to a encryption key key according to the string to key function
- associated with enctype.
-
- The key should be freed with krb5_free_keyblock_contents().
-
- If one of the functions that doesn't take a krb5_salt as it argument
- krb5_get_pw_salt() is used to get the salt value.
-
- krb5_get_pw_salt() get the default password salt for a principal, use
- krb5_free_salt() to free the salt when done.
-
- krb5_free_salt() frees the content of salt.
-
-SEE ALSO
- krb5(3), krb5_data(3), krb5_keyblock(3), kerberos(8)
-
-HEIMDAL July 10, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_timeofday.cat3 b/lib/krb5/krb5_timeofday.cat3
deleted file mode 100644
index bec02a410644..000000000000
--- a/lib/krb5/krb5_timeofday.cat3
+++ /dev/null
@@ -1,54 +0,0 @@
-KRB5_TIMEOFDAY(3) BSD Library Functions Manual KRB5_TIMEOFDAY(3)
-
-NAME
- krb5_timeofday, krb5_set_real_time, krb5_us_timeofday, krb5_format_time,
- krb5_string_to_deltat -- Kerberos 5 time handling functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_timestamp;
-
- krb5_deltat;
-
- krb5_error_code
- krb5_set_real_time(krb5_context context, krb5_timestamp sec,
- int32_t usec);
-
- krb5_error_code
- krb5_timeofday(krb5_context context, krb5_timestamp *timeret);
-
- krb5_error_code
- krb5_us_timeofday(krb5_context context, krb5_timestamp *sec,
- int32_t *usec);
-
- krb5_error_code
- krb5_format_time(krb5_context context, time_t t, char *s, size_t len,
- krb5_boolean include_time);
-
- krb5_error_code
- krb5_string_to_deltat(const char *string, krb5_deltat *deltat);
-
-DESCRIPTION
- krb5_set_real_time sets the absolute time that the caller knows the KDC
- has. With this the Kerberos library can calculate the relative differ-
- ence between the KDC time and the local system time and store it in the
- context. With this information the Kerberos library can adjust all time
- stamps in Kerberos packages.
-
- krb5_timeofday() returns the current time, but adjusted with the time
- difference between the local host and the KDC. krb5_us_timeofday() also
- returns microseconds.
-
- krb5_format_time formats the time t into the string s of length len. If
- include_time is set, the time is set include_time.
-
- krb5_string_to_deltat parses delta time string into deltat.
-
-SEE ALSO
- gettimeofday(2), krb5(3)
-
-HEIMDAL September 16, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_verify_init_creds.cat3 b/lib/krb5/krb5_verify_init_creds.cat3
deleted file mode 100644
index 05dcb76ce6e3..000000000000
--- a/lib/krb5/krb5_verify_init_creds.cat3
+++ /dev/null
@@ -1,51 +0,0 @@
-KRB5_VERIFY_INIT_CRED... BSD Library Functions Manual KRB5_VERIFY_INIT_CRED...
-
-NAME
- krb5_verify_init_creds_opt_init,
- krb5_verify_init_creds_opt_set_ap_req_nofail, krb5_verify_init_creds --
- verifies a credential cache is correct by using a local keytab
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- struct krb5_verify_init_creds_opt;
-
- void
- krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options);
-
- void
- krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options,
- int ap_req_nofail);
-
- krb5_error_code
- krb5_verify_init_creds(krb5_context context, krb5_creds *creds,
- krb5_principal ap_req_server, krb5_ccache *ccache,
- krb5_verify_init_creds_opt *options);
-
-DESCRIPTION
- The krb5_verify_init_creds function verifies the initial tickets with the
- local keytab to make sure the response of the KDC was spoof-ed.
-
- krb5_verify_init_creds will use principal ap_req_server from the local
- keytab, if NULL is passed in, the code will guess the local hostname and
- use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME. creds is the
- credential that krb5_verify_init_creds should verify. If ccache is given
- krb5_verify_init_creds() stores all credentials it fetched from the KDC
- there, otherwise it will use a memory credential cache that is destroyed
- when done.
-
- krb5_verify_init_creds_opt_init() cleans the the structure, must be used
- before trying to pass it in to krb5_verify_init_creds().
-
- krb5_verify_init_creds_opt_set_ap_req_nofail() controls controls the be-
- havior if ap_req_server doesn't exists in the local keytab or in the
- KDC's database, if it's true, the error will be ignored. Note that this
- use is possible insecure.
-
-SEE ALSO
- krb5(3), krb5_get_init_creds(3), krb5_verify_user(3), krb5.conf(5)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_verify_user.cat3 b/lib/krb5/krb5_verify_user.cat3
deleted file mode 100644
index df5d56d33427..000000000000
--- a/lib/krb5/krb5_verify_user.cat3
+++ /dev/null
@@ -1,140 +0,0 @@
-KRB5_VERIFY_USER(3) BSD Library Functions Manual KRB5_VERIFY_USER(3)
-
-NAME
- krb5_verify_user, krb5_verify_user_lrealm, krb5_verify_user_opt,
- krb5_verify_opt_init, krb5_verify_opt_alloc, krb5_verify_opt_free,
- krb5_verify_opt_set_ccache, krb5_verify_opt_set_flags,
- krb5_verify_opt_set_service, krb5_verify_opt_set_secure,
- krb5_verify_opt_set_keytab -- Heimdal password verifying functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_verify_user(krb5_context context, krb5_principal principal,
- krb5_ccache ccache, const char *password, krb5_boolean secure,
- const char *service);
-
- krb5_error_code
- krb5_verify_user_lrealm(krb5_context context, krb5_principal principal,
- krb5_ccache ccache, const char *password, krb5_boolean secure,
- const char *service);
-
- void
- krb5_verify_opt_init(krb5_verify_opt *opt);
-
- void
- krb5_verify_opt_alloc(krb5_verify_opt **opt);
-
- void
- krb5_verify_opt_free(krb5_verify_opt *opt);
-
- void
- krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache);
-
- void
- krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab);
-
- void
- krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure);
-
- void
- krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service);
-
- void
- krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags);
-
- krb5_error_code
- krb5_verify_user_opt(krb5_context context, krb5_principal principal,
- const char *password, krb5_verify_opt *opt);
-
-DESCRIPTION
- The krb5_verify_user function verifies the password supplied by a user.
- The principal whose password will be verified is specified in principal.
- New tickets will be obtained as a side-effect and stored in ccache (if
- NULL, the default ccache is used). krb5_verify_user() will call
- krb5_cc_initialize() on the given ccache, so ccache must only initialized
- with krb5_cc_resolve() or krb5_cc_gen_new(). If the password is not sup-
- plied in password (and is given as NULL) the user will be prompted for
- it. If secure the ticket will be verified against the locally stored
- service key service (by default `host' if given as NULL ).
-
- The krb5_verify_user_lrealm() function does the same, except that it ig-
- nores the realm in principal and tries all the local realms (see
- krb5.conf(5)). After a successful return, the principal is set to the
- authenticated realm. If the call fails, the principal will not be mean-
- ingful, and should only be freed with krb5_free_principal(3).
-
- krb5_verify_opt_alloc() and krb5_verify_opt_free() allocates and frees a
- krb5_verify_opt. You should use the the alloc and free function instead
- of allocation the structure yourself, this is because in a future release
- the structure wont be exported.
-
- krb5_verify_opt_init() resets all opt to default values.
-
- None of the krb5_verify_opt_set function makes a copy of the data struc-
- ture that they are called with. It's up the caller to free them after the
- krb5_verify_user_opt() is called.
-
- krb5_verify_opt_set_ccache() sets the ccache that user of opt will use.
- If not set, the default credential cache will be used.
-
- krb5_verify_opt_set_keytab() sets the keytab that user of opt will use.
- If not set, the default keytab will be used.
-
- krb5_verify_opt_set_secure() if secure if true, the password verification
- will require that the ticket will be verified against the locally stored
- service key. If not set, default value is true.
-
- krb5_verify_opt_set_service() sets the service principal that user of opt
- will use. If not set, the `host' service will be used.
-
- krb5_verify_opt_set_flags() sets flags that user of opt will use. If the
- flag KRB5_VERIFY_LREALMS is used, the principal will be modified like
- krb5_verify_user_lrealm() modifies it.
-
- krb5_verify_user_opt() function verifies the password supplied by a user.
- The principal whose password will be verified is specified in principal.
- Options the to the verification process is pass in in opt.
-
-EXAMPLES
- Here is a example program that verifies a password. it uses the
- `host/`hostname`' service principal in krb5.keytab.
-
- #include <krb5.h>
-
- int
- main(int argc, char **argv)
- {
- char *user;
- krb5_error_code error;
- krb5_principal princ;
- krb5_context context;
-
- if (argc != 2)
- errx(1, "usage: verify_passwd <principal-name>");
-
- user = argv[1];
-
- if (krb5_init_context(&context) < 0)
- errx(1, "krb5_init_context");
-
- if ((error = krb5_parse_name(context, user, &princ)) != 0)
- krb5_err(context, 1, error, "krb5_parse_name");
-
- error = krb5_verify_user(context, princ, NULL, NULL, TRUE, NULL);
- if (error)
- krb5_err(context, 1, error, "krb5_verify_user");
-
- return 0;
- }
-
-SEE ALSO
- krb5_cc_gen_new(3), krb5_cc_initialize(3), krb5_cc_resolve(3),
- krb5_err(3), krb5_free_principal(3), krb5_init_context(3),
- krb5_kt_default(3), krb5.conf(5)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krbhst-test.c b/lib/krb5/krbhst-test.c
index 873734fce77a..cd388ecfaaa0 100644
--- a/lib/krb5/krbhst-test.c
+++ b/lib/krb5/krbhst-test.c
@@ -59,6 +59,7 @@ usage (int ret)
int
main(int argc, char **argv)
{
+ krb5_error_code ret;
int i, j;
krb5_context context;
int types[] = {KRB5_KRBHST_KDC, KRB5_KRBHST_ADMIN, KRB5_KRBHST_CHANGEPW,
@@ -82,7 +83,9 @@ main(int argc, char **argv)
argc -= optidx;
argv += optidx;
- krb5_init_context (&context);
+ ret = krb5_init_context(&context);
+ if (ret)
+ krb5_err(NULL, 1, ret, "Failed to initialize context");
for(i = 0; i < argc; i++) {
krb5_krbhst_handle handle;
char host[MAXHOSTNAMELEN];
@@ -90,12 +93,16 @@ main(int argc, char **argv)
for (j = 0; j < sizeof(types)/sizeof(*types); ++j) {
printf ("%s for %s:\n", type_str[j], argv[i]);
- krb5_krbhst_init(context, argv[i], types[j], &handle);
- while(krb5_krbhst_next_as_string(context, handle,
- host, sizeof(host)) == 0)
+ ret = krb5_krbhst_init(context, argv[i], types[j], &handle);
+ if (ret)
+ krb5_err(context, 1, ret, "Could not init krbhst iterator");
+ while ((ret = krb5_krbhst_next_as_string(context, handle, host,
+ sizeof(host))) == 0)
printf("\thost: %s\n", host);
krb5_krbhst_reset(context, handle);
- printf ("\n");
+ printf("\n");
+ if (ret)
+ krb5_err(context, 1, ret, "Could not iterate all krbhst");
}
}
return 0;
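Review bot: The added `if (ret)` after the loop can never see `ret == 0`, because the `while` only exits once krb5_krbhst_next_as_string() returns non-zero, so the test appears to exit with an error after listing the first host type. Elsewhere in this diff kpasswd_get_next() ends with `return KRB5_KDC_UNREACH;` and gethostlist() treats any non-zero return as end of list, which suggests exhaustion is reported with that code. If so, the check should let it through, e.g. `if (ret && ret != KRB5_KDC_UNREACH)`. Within the lines shown, the handle from krb5_krbhst_init() is only reset and never released with krb5_krbhst_free().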
diff --git a/lib/krb5/krbhst.c b/lib/krb5/krbhst.c
index 36da64b0e469..99a96d298c1e 100644
--- a/lib/krb5/krbhst.c
+++ b/lib/krb5/krbhst.c
@@ -65,7 +65,7 @@ is_invalid_tld_srv_target(const char *target)
static krb5_error_code
srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
- const char *realm, const char *dns_type,
+ const char *realm, const char *dns_type, const char *sitename,
const char *proto, const char *service, int port)
{
char domain[1024];
@@ -93,7 +93,11 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
else
def_port = port;
- snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
+ if (sitename)
+ snprintf(domain, sizeof(domain), "_%s._%s.%s._sites.%s.",
+ service, proto, sitename, realm);
+ else
+ snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
r = rk_dns_lookup(domain, dns_type);
if(r == NULL) {
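Review bot: Neither snprintf() into `domain[1024]` has its return value checked, and the new branch adds a caller-supplied `sitename` to the name, so an over-long site or realm yields a silently truncated SRV query name that rk_dns_lookup() then resolves. Because the answer decides which hosts are treated as KDCs, the lookup should fail rather than query a different name: keep the result, `n = snprintf(...)`, and return the function's existing unreachable error on `if (n < 0 || (size_t)n >= sizeof(domain))`. The same unchecked pattern is in the krb5_krbhst_format_string() hunk further down, which returns 0 even when `hostname` was truncated. srv_find_realm() starts before and continues after this hunk.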
@@ -109,6 +113,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
if (num_srv == 0) {
_krb5_debug(context, 0,
"DNS SRV RR lookup domain nodata: %s", domain);
+ rk_dns_free_data(r);
return KRB5_KDC_UNREACH;
}
@@ -169,23 +174,29 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
struct krb5_krbhst_data {
+ const char *config_param;
+ const char *srv_label;
char *realm;
unsigned int flags;
int def_port;
int port; /* hardwired port number if != 0 */
-#define KD_CONFIG 1
-#define KD_SRV_UDP 2
-#define KD_SRV_TCP 4
-#define KD_SRV_HTTP 8
-#define KD_FALLBACK 16
-#define KD_CONFIG_EXISTS 32
-#define KD_LARGE_MSG 64
-#define KD_PLUGIN 128
-#define KD_HOSTNAMES 256
+#define KD_CONFIG 0x0001
+#define KD_SRV_UDP 0x0002
+#define KD_SRV_TCP 0x0004
+#define KD_SITE_SRV_UDP 0x0008
+#define KD_SITE_SRV_TCP 0x0010
+#define KD_SRV_HTTP 0x0020
+#define KD_SRV_KKDCP 0x0040
+#define KD_FALLBACK 0x0080
+#define KD_CONFIG_EXISTS 0x0100
+#define KD_LARGE_MSG 0x0200
+#define KD_PLUGIN 0x0400
+#define KD_HOSTNAMES 0x0800
krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *,
krb5_krbhst_info**);
char *hostname;
+ char *sitename;
unsigned int fallback_count;
struct krb5_krbhst_info *hosts, **index, **end;
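Review bot: The three new string members have different ownership and the struct does not say so. `config_param` and `srv_label` are stored by common_init() as the caller's pointer (string literals in krb5_krbhst_init_flags()) and are not freed in krbhost_dealloc(), while `sitename` is a strdup() copy that is freed there. I would add `/* borrowed: static string, not freed */` to the first two and `/* owned copy from krb5_krbhst_set_sitename(), may be NULL */` to `sitename`. `KD_SITE_SRV_UDP` and `KD_SRV_KKDCP` are defined here but not used in any hunk shown on this page, so a short comment on what they are reserved for would help. The struct definition continues past this hunk.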
@@ -332,7 +343,13 @@ append_host_hostinfo(struct krb5_krbhst_data *kd, struct krb5_krbhst_info *host)
_krb5_free_krbhst_info(host);
return;
}
- *kd->end = host;
+ /*
+ * We should always initialize kd->end in common_init(), but static
+ * analyzers may not see that we do, and the compiler might conclude
+ * there's UB here.
+ */
+ if (kd->end)
+ *kd->end = host;
kd->end = &host->next;
}
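Review bot: When `kd->end` is NULL the new guard skips the store but still runs `kd->end = &host->next;`, so `host` is never linked from the list head and later entries are chained onto a node nothing else points to. If the invariant from common_init() really can be broken, it is safer to drop the entry cleanly, `if (kd->end == NULL) { _krb5_free_krbhst_info(host); return; }`, as the branch just above does. If it cannot be broken, an assertion states that more directly than a silent skip. append_host_hostinfo() starts before this hunk.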
@@ -359,14 +376,14 @@ krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host,
char *hostname, size_t hostlen)
{
const char *proto = "";
- char portstr[7] = "";
if(host->proto == KRB5_KRBHST_TCP)
proto = "tcp/";
else if(host->proto == KRB5_KRBHST_HTTP)
proto = "http://";
- if(host->port != host->def_port)
- snprintf(portstr, sizeof(portstr), ":%d", host->port);
- snprintf(hostname, hostlen, "%s%s%s", proto, host->hostname, portstr);
+ if (host->port != host->def_port)
+ snprintf(hostname, hostlen, "%s%s:%d", proto, host->hostname, (int)host->port);
+ else
+ snprintf(hostname, hostlen, "%s%s", proto, host->hostname);
return 0;
}
@@ -427,7 +444,7 @@ krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
static krb5_boolean
get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host)
{
- struct krb5_krbhst_info *hi = *kd->index;
+ struct krb5_krbhst_info *hi = kd ? *kd->index : NULL;
if(hi != NULL) {
*host = hi;
kd->index = &(*kd->index)->next;
@@ -438,7 +455,7 @@ get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host)
static void
srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
- const char *proto, const char *service)
+ const char *sitename, const char *proto, const char *service)
{
krb5_error_code ret;
krb5_krbhst_info **res;
@@ -447,8 +464,8 @@ srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
if (krb5_realm_is_lkdc(kd->realm))
return;
- ret = srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
- kd->port);
+ ret = srv_find_realm(context, &res, &count, kd->realm, "SRV",
+ sitename, proto, service, kd->port);
_krb5_debug(context, 2, "searching DNS for realm %s %s.%s -> %d",
kd->realm, proto, service, ret);
if (ret)
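Review bot: The debug line after srv_find_realm() still prints only realm, proto and service, so a site-scoped query and the realm-wide one produce identical log lines. Including the site makes DNS-based KDC discovery easier to trace when a client ends up talking to an unexpected host: use the format `"searching DNS for realm %s site %s %s.%s -> %d"` with `sitename ? sitename : "-"` as the extra argument. srv_get_hosts() begins and ends outside this hunk.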
@@ -551,6 +568,8 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
"Realm %s needs immediate attention "
"see https://icann.org/namecollision",
kd->realm);
+ free(host);
+ freeaddrinfo(ai);
return KRB5_KDC_UNREACH;
}
}
@@ -559,6 +578,7 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
hi = calloc(1, sizeof(*hi) + hostlen);
if(hi == NULL) {
free(host);
+ freeaddrinfo(ai);
return krb5_enomem(context);
}
@@ -680,6 +700,17 @@ plcallback(krb5_context context,
return KRB5_PLUGIN_NO_HANDLE;
}
+static const char *const locate_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+locate_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_LOCATE,
+ KRB5_PLUGIN_LOCATE_VERSION_0,
+ locate_plugin_deps,
+ krb5_get_instance
+};
+
static void
plugin_get_hosts(krb5_context context,
struct krb5_krbhst_data *kd,
@@ -690,8 +721,7 @@ plugin_get_hosts(krb5_context context,
if (_krb5_homedir_access(context))
ctx.flags |= KRB5_PLF_ALLOW_HOMEDIR;
- _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_LOCATE,
- KRB5_PLUGIN_LOCATE_VERSION_0,
+ _krb5_plugin_run_f(context, &locate_plugin_data,
0, &ctx, plcallback);
}
@@ -735,7 +765,7 @@ kdc_get_next(krb5_context context,
}
if((kd->flags & KD_CONFIG) == 0) {
- config_get_hosts(context, kd, "kdc");
+ config_get_hosts(context, kd, kd->config_param);
kd->flags |= KD_CONFIG;
if(get_next(kd, host))
return 0;
@@ -749,21 +779,28 @@ kdc_get_next(krb5_context context,
}
if(context->srv_lookup) {
+ if(kd->sitename && (kd->flags & KD_SITE_SRV_TCP) == 0) {
+ srv_get_hosts(context, kd, kd->sitename, "tcp", "kerberos");
+ kd->flags |= KD_SITE_SRV_TCP;
+ if(get_next(kd, host))
+ return 0;
+ }
+
if((kd->flags & KD_SRV_UDP) == 0 && (kd->flags & KD_LARGE_MSG) == 0) {
- srv_get_hosts(context, kd, "udp", "kerberos");
+ srv_get_hosts(context, kd, NULL, "udp", kd->srv_label);
kd->flags |= KD_SRV_UDP;
if(get_next(kd, host))
return 0;
}
if((kd->flags & KD_SRV_TCP) == 0) {
- srv_get_hosts(context, kd, "tcp", "kerberos");
+ srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
kd->flags |= KD_SRV_TCP;
if(get_next(kd, host))
return 0;
}
if((kd->flags & KD_SRV_HTTP) == 0) {
- srv_get_hosts(context, kd, "http", "kerberos");
+ srv_get_hosts(context, kd, NULL, "http", kd->srv_label);
kd->flags |= KD_SRV_HTTP;
if(get_next(kd, host))
return 0;
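Review bot: The new site-scoped lookup passes the literal `"kerberos"` while the three lookups below it were switched to `kd->srv_label`. kdc_get_next() is also installed for KRB5_KRBHST_TKTBRIDGEAP (label `"kerberos-tkt-bridge"`) later in this diff, so with a sitename set that handle would first be offered ordinary KDCs from the `_kerberos._tcp` site record. Unless that is intended, use `srv_get_hosts(context, kd, kd->sitename, "tcp", kd->srv_label);`. `KD_SITE_SRV_UDP` is defined but there is no matching UDP site lookup here. kdc_get_next() extends beyond this hunk on both sides.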
@@ -800,7 +837,7 @@ admin_get_next(krb5_context context,
}
if((kd->flags & KD_CONFIG) == 0) {
- config_get_hosts(context, kd, "admin_server");
+ config_get_hosts(context, kd, kd->config_param);
kd->flags |= KD_CONFIG;
if(get_next(kd, host))
return 0;
@@ -815,7 +852,7 @@ admin_get_next(krb5_context context,
if(context->srv_lookup) {
if((kd->flags & KD_SRV_TCP) == 0) {
- srv_get_hosts(context, kd, "tcp", "kerberos-adm");
+ srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
kd->flags |= KD_SRV_TCP;
if(get_next(kd, host))
return 0;
@@ -854,7 +891,7 @@ kpasswd_get_next(krb5_context context,
}
if((kd->flags & KD_CONFIG) == 0) {
- config_get_hosts(context, kd, "kpasswd_server");
+ config_get_hosts(context, kd, kd->config_param);
kd->flags |= KD_CONFIG;
if(get_next(kd, host))
return 0;
@@ -869,13 +906,13 @@ kpasswd_get_next(krb5_context context,
if(context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0) {
- srv_get_hosts(context, kd, "udp", "kpasswd");
+ srv_get_hosts(context, kd, NULL, "udp", kd->srv_label);
kd->flags |= KD_SRV_UDP;
if(get_next(kd, host))
return 0;
}
if((kd->flags & KD_SRV_TCP) == 0) {
- srv_get_hosts(context, kd, "tcp", "kpasswd");
+ srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
kd->flags |= KD_SRV_TCP;
if(get_next(kd, host))
return 0;
@@ -899,7 +936,7 @@ kpasswd_get_next(krb5_context context,
return KRB5_KDC_UNREACH;
}
-static void
+static void KRB5_CALLCONV
krbhost_dealloc(void *ptr)
{
struct krb5_krbhst_data *handle = (struct krb5_krbhst_data *)ptr;
@@ -911,12 +948,16 @@ krbhost_dealloc(void *ptr)
}
if (handle->hostname)
free(handle->hostname);
+ if (handle->sitename)
+ free(handle->sitename);
free(handle->realm);
}
static struct krb5_krbhst_data*
common_init(krb5_context context,
+ const char *config_param,
+ const char *srv_label,
const char *service,
const char *realm,
int flags)
@@ -931,6 +972,9 @@ common_init(krb5_context context,
return NULL;
}
+ kd->config_param = config_param;
+ kd->srv_label = srv_label;
+
_krb5_debug(context, 2, "Trying to find service %s for realm %s flags %x",
service, realm, flags);
@@ -968,6 +1012,8 @@ krb5_krbhst_init_flags(krb5_context context,
krb5_error_code (*next)(krb5_context, struct krb5_krbhst_data *,
krb5_krbhst_info **);
int def_port;
+ const char *config_param;
+ const char *srv_label;
const char *service;
*handle = NULL;
@@ -975,27 +1021,49 @@ krb5_krbhst_init_flags(krb5_context context,
switch(type) {
case KRB5_KRBHST_KDC:
next = kdc_get_next;
- def_port = ntohs(krb5_getportbyname (context, "kerberos", "udp", 88));
+ def_port = ntohs(krb5_getportbyname(context, "kerberos", "udp", 88));
+ config_param = "kdc";
+ srv_label = "kerberos";
service = "kdc";
break;
case KRB5_KRBHST_ADMIN:
next = admin_get_next;
- def_port = ntohs(krb5_getportbyname (context, "kerberos-adm",
- "tcp", 749));
+ def_port = ntohs(krb5_getportbyname(context, "kerberos-adm",
+ "tcp", 749));
+ config_param = "admin_server";
+ srv_label = "kerberos-adm";
+ service = "admin";
+ break;
+ case KRB5_KRBHST_READONLY_ADMIN:
+ next = admin_get_next;
+ def_port = ntohs(krb5_getportbyname(context, "kerberos-adm",
+ "tcp", 749));
+ config_param = "readonly_admin_server";
+ srv_label = "kerberos-adm-readonly";
service = "admin";
break;
case KRB5_KRBHST_CHANGEPW:
next = kpasswd_get_next;
- def_port = ntohs(krb5_getportbyname (context, "kpasswd", "udp",
- KPASSWD_PORT));
+ def_port = ntohs(krb5_getportbyname(context, "kpasswd", "udp",
+ KPASSWD_PORT));
+ config_param = "kpasswd_server";
+ srv_label = "kpasswd";
service = "change_password";
break;
+ case KRB5_KRBHST_TKTBRIDGEAP:
+ next = kdc_get_next;
+ def_port = ntohs(krb5_getportbyname(context, "kerberos", "tcp", 88));
+ config_param = "tktbridgeap";
+ srv_label = "kerberos-tkt-bridge";
+ service = "kdc";
+ break;
default:
krb5_set_error_message(context, ENOTTY,
N_("unknown krbhst type (%u)", ""), type);
return ENOTTY;
}
- if((kd = common_init(context, service, realm, flags)) == NULL)
+ if((kd = common_init(context, config_param, srv_label, service, realm,
+ flags)) == NULL)
return ENOMEM;
kd->get_next = next;
kd->def_port = def_port;
@@ -1054,6 +1122,19 @@ krb5_krbhst_set_hostname(krb5_context context,
return 0;
}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_krbhst_set_sitename(krb5_context context,
+ krb5_krbhst_handle handle,
+ const char *sitename)
+{
+ if (handle->sitename)
+ free(handle->sitename);
+ handle->sitename = strdup(sitename);
+ if (handle->sitename == NULL)
+ return krb5_enomem(context);
+ return 0;
+}
+
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle)
{
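Review bot: krb5_krbhst_set_sitename() passes `sitename` straight to strdup(), so a NULL argument is undefined behaviour, and an empty string is stored and later produces an empty label in the `_sites` query name built by srv_find_realm(). It also frees the old value before the copy succeeds, so an allocation failure loses the previous site. I would copy first, then swap, and treat NULL or an empty string as clearing the site. The decoration `krb5_error_code KRB5_LIB_FUNCTION` also differs from the `KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL` form used by the neighbouring exported functions.

```c
/* … unchanged: krb5_krbhst_set_sitename() signature … */
{
    char *copy = NULL;

    /* NULL or "" clears the site; kdc_get_next() then skips the site lookup. */
    if (sitename != NULL && sitename[0] != '\0') {
        copy = strdup(sitename);
        if (copy == NULL)
            return krb5_enomem(context);
    }
    free(handle->sitename);
    handle->sitename = copy;
    return 0;
}
```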
@@ -1084,24 +1165,25 @@ gethostlist(krb5_context context, const char *realm,
if (ret)
return ret;
- while(krb5_krbhst_next(context, handle, &hostinfo) == 0)
+ while (krb5_krbhst_next(context, handle, &hostinfo) == 0)
nhost++;
- if(nhost == 0) {
+ if (nhost == 0) {
krb5_set_error_message(context, KRB5_KDC_UNREACH,
N_("No KDC found for realm %s", ""), realm);
+ krb5_krbhst_free(context, handle);
return KRB5_KDC_UNREACH;
}
*hostlist = calloc(nhost + 1, sizeof(**hostlist));
- if(*hostlist == NULL) {
+ if (*hostlist == NULL) {
krb5_krbhst_free(context, handle);
return krb5_enomem(context);
}
krb5_krbhst_reset(context, handle);
nhost = 0;
- while(krb5_krbhst_next_as_string(context, handle,
- host, sizeof(host)) == 0) {
- if(((*hostlist)[nhost++] = strdup(host)) == NULL) {
+ while (krb5_krbhst_next_as_string(context, handle,
+ host, sizeof(host)) == 0) {
+ if (((*hostlist)[nhost++] = strdup(host)) == NULL) {
krb5_free_krbhst(context, *hostlist);
krb5_krbhst_free(context, handle);
return krb5_enomem(context);
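Review bot: On the strdup() failure path `*hostlist` is handed to krb5_free_krbhst() but the caller's pointer is left as it was, so if that call frees the array as its name suggests, a caller that cleans up its list after an error would free it a second time. This commit already fixes the handle leak on the `nhost == 0` exit; adding `*hostlist = NULL;` after the krb5_free_krbhst() call closes this exit as well. gethostlist() starts before and ends after this hunk.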
@@ -1113,18 +1195,30 @@ gethostlist(krb5_context context, const char *realm,
}
/*
- * return an malloced list of kadmin-hosts for `realm' in `hostlist'
+ * Return a malloced list of kadmin-hosts for `realm' in `hostlist'
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krb_admin_hst (krb5_context context,
- const krb5_realm *realm,
- char ***hostlist)
+krb5_get_krb_admin_hst(krb5_context context,
+ const krb5_realm *realm,
+ char ***hostlist)
{
return gethostlist(context, *realm, KRB5_KRBHST_ADMIN, hostlist);
}
/*
+ * Return a malloced list of writable kadmin-hosts for `realm' in `hostlist'
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_krb_readonly_admin_hst(krb5_context context,
+ const krb5_realm *realm,
+ char ***hostlist)
+{
+ return gethostlist(context, *realm, KRB5_KRBHST_READONLY_ADMIN, hostlist);
+}
+
+/*
* return an malloced list of changepw-hosts for `realm' in `hostlist'
*/
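Review bot: The comment added above krb5_get_krb_readonly_admin_hst() says "writable kadmin-hosts", but the function asks gethostlist() for `KRB5_KRBHST_READONLY_ADMIN`. The word should be "read-only", otherwise a reader picking an admin server for a write operation is pointed at the wrong function. It is also worth stating in the same comment who frees the returned list, since none of the three neighbouring comments say.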
diff --git a/lib/krb5/krcache.c b/lib/krb5/krcache.c
new file mode 100644
index 000000000000..9e992216153d
--- /dev/null
+++ b/lib/krb5/krcache.c
@@ -0,0 +1,2075 @@
+/*
+ * Copyright (c) 2006 The Regents of the University of Michigan.
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2018, AuriStor, Inc.
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+/*
+ * Copyright 1990,1991,1992,1993,1994,2000,2004 Massachusetts Institute of
+ * Technology. All Rights Reserved.
+ *
+ * Original stdio support copyright 1995 by Cygnus Support.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * This file implements a collection-enabled credential cache type where the
+ * credentials are stored in the Linux keyring facility.
+ *
+ * A residual of this type can have three forms:
+ * anchor:collection:subsidiary
+ * anchor:collection
+ * collection
+ *
+ * The anchor name is "process", "thread", or "legacy" and determines where we
+ * search for keyring collections. In the third form, the anchor name is
+ * presumed to be "legacy". The anchor keyring for legacy caches is the
+ * session keyring.
+ *
+ * If the subsidiary name is present, the residual identifies a single cache
+ * within a collection. Otherwise, the residual identifies the collection
+ * itself. When a residual identifying a collection is resolved, the
+ * collection's primary key is looked up (or initialized, using the collection
+ * name as the subsidiary name), and the resulting cache's name will use the
+ * first name form and will identify the primary cache.
+ *
+ * Keyring collections are named "_krb_<collection>" and are linked from the
+ * anchor keyring. The keys within a keyring collection are links to cache
+ * keyrings, plus a link to one user key named "krb_ccache:primary" which
+ * contains a serialized representation of the collection version (currently 1)
+ * and the primary name of the collection.
+ *
+ * Cache keyrings contain one user key per credential which contains a
+ * serialized representation of the credential. There is also one user key
+ * named "__krb5_princ__" which contains a serialized representation of the
+ * cache's default principal.
+ *
+ * If the anchor name is "legacy", then the initial primary cache (the one
+ * named with the collection name) is also linked to the session keyring, and
+ * we look for a cache in that location when initializing the collection. This
+ * extra link allows that cache to be visible to old versions of the KEYRING
+ * cache type, and allows us to see caches created by that code.
+ */
+
+#include "krb5_locl.h"
+
+#ifdef HAVE_KEYUTILS_H
+
+#include <keyutils.h>
+
+/*
+ * We try to use the big_key key type for credentials except in legacy caches.
+ * We fall back to the user key type if the kernel does not support big_key.
+ * If the library doesn't support keyctl_get_persistent(), we don't even try
+ * big_key since the two features were added at the same time.
+ */
+#ifdef HAVE_KEYCTL_GET_PERSISTENT
+#define KRCC_CRED_KEY_TYPE "big_key"
+#else
+#define KRCC_CRED_KEY_TYPE "user"
+#endif
+
+/*
+ * We use the "user" key type for collection primary names, for cache principal
+ * names, and for credentials in legacy caches.
+ */
+#define KRCC_KEY_TYPE_USER "user"
+
+/*
+ * We create ccaches as separate keyrings
+ */
+#define KRCC_KEY_TYPE_KEYRING "keyring"
+
+/*
+ * Special name of the key within a ccache keyring
+ * holding principal information
+ */
+#define KRCC_SPEC_PRINC_KEYNAME "__krb5_princ__"
+
+/*
+ * Special name for the key to communicate the name(s)
+ * of credentials caches to be used for requests.
+ * This should currently contain a single name, but
+ * in the future may contain a list that may be
+ * intelligently chosen from.
+ */
+#define KRCC_SPEC_CCACHE_SET_KEYNAME "__krb5_cc_set__"
+
+/*
+ * This name identifies the key containing the name of the current primary
+ * cache within a collection.
+ */
+#define KRCC_COLLECTION_PRIMARY "krb_ccache:primary"
+
+/*
+ * If the library context does not specify a keyring collection, unique ccaches
+ * will be created within this collection.
+ */
+#define KRCC_DEFAULT_UNIQUE_COLLECTION "session:__krb5_unique__"
+
+/*
+ * Collection keyring names begin with this prefix. We use a prefix so that a
+ * cache keyring with the collection name itself can be linked directly into
+ * the anchor, for legacy session keyring compatibility.
+ */
+#define KRCC_CCCOL_PREFIX "_krb_"
+
+/*
+ * For the "persistent" anchor type, we look up or create this fixed keyring
+ * name within the per-UID persistent keyring.
+ */
+#define KRCC_PERSISTENT_KEYRING_NAME "_krb"
+
+/*
+ * Name of the key holding time offsets for the individual cache
+ */
+#define KRCC_TIME_OFFSETS "__krb5_time_offsets__"
+
+/*
+ * Keyring name prefix and length of random name part
+ */
+#define KRCC_NAME_PREFIX "krb_ccache_"
+#define KRCC_NAME_RAND_CHARS 8
+
+#define KRCC_COLLECTION_VERSION 1
+
+#define KRCC_PERSISTENT_ANCHOR "persistent"
+#define KRCC_PROCESS_ANCHOR "process"
+#define KRCC_THREAD_ANCHOR "thread"
+#define KRCC_SESSION_ANCHOR "session"
+#define KRCC_USER_ANCHOR "user"
+#define KRCC_LEGACY_ANCHOR "legacy"
+
+#if SIZEOF_KEY_SERIAL_T != 4
+/* lockless implementation assumes 32-bit key serials */
+#error only 32-bit key serial numbers supported by this version of keyring ccache
+#endif
+
+typedef heim_base_atomic(key_serial_t) atomic_key_serial_t;
+
+typedef union _krb5_krcache_and_princ_id {
+ heim_base_atomic(uint64_t) krcu_cache_and_princ_id;
+ struct {
+ atomic_key_serial_t cache_id; /* keyring ID representing ccache */
+ atomic_key_serial_t princ_id; /* key ID holding principal info */
+ } krcu_id;
+ #define krcu_cache_id krcu_id.cache_id
+ #define krcu_princ_id krcu_id.princ_id
+} krb5_krcache_and_princ_id;
+
+/*
+ * This represents a credentials cache "file" where cache_id is the keyring
+ * serial number for this credentials cache "file". Each key in the keyring
+ * contains a separate key.
+ *
+ * Thread-safe as long as caches are not destroyed whilst other threads are
+ * using them.
+ */
+typedef struct _krb5_krcache {
+ char *krc_name; /* Name for this credentials cache */
+ char *krc_collection;
+ char *krc_subsidiary;
+ heim_base_atomic(krb5_timestamp) krc_changetime; /* update time, does not decrease (mutable) */
+ krb5_krcache_and_princ_id krc_id; /* cache and principal IDs (mutable) */
+ #define krc_cache_and_principal_id krc_id.krcu_cache_and_princ_id
+ #define krc_cache_id krc_id.krcu_id.cache_id
+ #define krc_princ_id krc_id.krcu_id.princ_id
+ key_serial_t krc_coll_id; /* collection containing this cache keyring */
+ krb5_boolean krc_is_legacy; /* */
+} krb5_krcache;
+
+#define KRCACHE(X) ((krb5_krcache *)(X)->data.data)
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_first(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_next(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor,
+ krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV
+krcc_end_get(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV
+krcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor);
+
+static krb5_error_code
+clear_cache_keyring(krb5_context context, atomic_key_serial_t *pcache_id);
+
+static krb5_error_code
+alloc_cache(krb5_context context,
+ key_serial_t collection_id,
+ key_serial_t cache_id,
+ const char *anchor_name,
+ const char *collection_name,
+ const char *subsidiary_name,
+ krb5_krcache **data);
+
+static krb5_error_code
+save_principal(krb5_context context,
+ key_serial_t cache_id,
+ krb5_const_principal princ,
+ atomic_key_serial_t *pprinc_id);
+
+static krb5_error_code
+save_time_offsets(krb5_context context,
+ key_serial_t cache_id,
+ int32_t sec_offset,
+ int32_t usec_offset);
+
+static void
+update_change_time(krb5_context context,
+ krb5_timestamp now,
+ krb5_krcache *d);
+
+/*
+ * GET_PERSISTENT(uid) acquires the persistent keyring for uid, or falls back
+ * to the user keyring if uid matches the current effective uid.
+ */
+
+static key_serial_t
+get_persistent_fallback(uid_t uid)
+{
+ return (uid == geteuid()) ? KEY_SPEC_USER_KEYRING : -1;
+}
+
+#ifdef HAVE_KEYCTL_GET_PERSISTENT
+#define GET_PERSISTENT get_persistent_real
+static key_serial_t
+get_persistent_real(uid_t uid)
+{
+ key_serial_t key;
+
+ key = keyctl_get_persistent(uid, KEY_SPEC_PROCESS_KEYRING);
+
+ return (key == -1 && errno == ENOTSUP) ? get_persistent_fallback(uid) : key;
+}
+#else
+#define GET_PERSISTENT get_persistent_fallback
+#endif
+
+/*
+ * If a process has no explicitly set session keyring, KEY_SPEC_SESSION_KEYRING
+ * will resolve to the user session keyring for ID lookup and reading, but in
+ * some kernel versions, writing to that special keyring will instead create a
+ * new empty session keyring for the process. We do not want that; the keys we
+ * create would be invisible to other processes. We can work around that
+ * behavior by explicitly writing to the user session keyring when it matches
+ * the session keyring. This function returns the keyring we should write to
+ * for the session anchor.
+ */
+static key_serial_t
+session_write_anchor(void)
+{
+ key_serial_t s, u;
+
+ s = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
+ u = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
+
+ return (s == u) ? KEY_SPEC_USER_SESSION_KEYRING : KEY_SPEC_SESSION_KEYRING;
+}
+
+/*
+ * Find or create a keyring within parent with the given name. If possess is
+ * nonzero, also make sure the key is linked from possess. This is necessary
+ * to ensure that we have possession rights on the key when the parent is the
+ * user or persistent keyring.
+ */
+static krb5_error_code
+find_or_create_keyring(key_serial_t parent,
+ key_serial_t possess,
+ const char *name,
+ atomic_key_serial_t *pkey)
+{
+ key_serial_t key;
+
+ key = keyctl_search(parent, KRCC_KEY_TYPE_KEYRING, name, possess);
+ if (key == -1) {
+ if (possess != 0) {
+ key = add_key(KRCC_KEY_TYPE_KEYRING, name, NULL, 0, possess);
+ if (key == -1 || keyctl_link(key, parent) == -1)
+ return errno;
+ } else {
+ key = add_key(KRCC_KEY_TYPE_KEYRING, name, NULL, 0, parent);
+ if (key == -1)
+ return errno;
+ }
+ }
+
+ heim_base_atomic_store(pkey, key);
+
+ return 0;
+}
+
+/*
+ * Parse a residual name into an anchor name, a collection name, and possibly a
+ * subsidiary name.
+ */
+static krb5_error_code
+parse_residual(krb5_context context,
+ const char *residual,
+ char **panchor_name,
+ char **pcollection_name,
+ char **psubsidiary_name)
+{
+ char *anchor_name = NULL;
+ char *collection_name = NULL;
+ char *subsidiary_name = NULL;
+ const char *sep;
+
+ *panchor_name = NULL;
+ *pcollection_name = NULL;
+ *psubsidiary_name = NULL;
+
+ if (residual == NULL)
+ residual = "";
+
+ /* Parse out the anchor name. Use the legacy anchor if not present. */
+ sep = strchr(residual, ':');
+ if (sep == NULL) {
+ anchor_name = strdup(KRCC_LEGACY_ANCHOR);
+ if (anchor_name == NULL)
+ goto nomem;
+ } else {
+ anchor_name = strndup(residual, sep - residual);
+ if (anchor_name == NULL)
+ goto nomem;
+ residual = sep + 1;
+ }
+
+ /* Parse out the collection and subsidiary name. */
+ sep = strchr(residual, ':');
+ if (sep == NULL) {
+ collection_name = strdup(residual);
+ if (collection_name == NULL)
+ goto nomem;
+ } else {
+ collection_name = strndup(residual, sep - residual);
+ if (collection_name == NULL)
+ goto nomem;
+
+ subsidiary_name = strdup(sep + 1);
+ if (subsidiary_name == NULL)
+ goto nomem;
+ }
+
+ *panchor_name = anchor_name;
+ *pcollection_name = collection_name;
+ *psubsidiary_name = subsidiary_name;
+
+ return 0;
+
+nomem:
+ free(anchor_name);
+ free(collection_name);
+ free(subsidiary_name);
+
+ return krb5_enomem(context);
+}
+
+/*
+ * Return TRUE if residual identifies a subsidiary cache which should be linked
+ * into the anchor so it can be visible to old code. This is the case if the
+ * residual has the legacy anchor and the subsidiary name matches the
+ * collection name.
+ */
+static krb5_boolean
+is_legacy_cache_name_p(const char *residual)
+{
+ const char *sep, *aname, *cname, *sname;
+ size_t alen, clen, legacy_len = sizeof(KRCC_LEGACY_ANCHOR) - 1;
+
+ /* Get pointers to the anchor, collection, and subsidiary names. */
+ aname = residual;
+ sep = strchr(residual, ':');
+ if (sep == NULL)
+ return FALSE;
+
+ alen = sep - aname;
+ cname = sep + 1;
+ sep = strchr(cname, ':');
+ if (sep == NULL)
+ return FALSE;
+
+ clen = sep - cname;
+ sname = sep + 1;
+
+ return alen == legacy_len && clen == strlen(sname) &&
+ strncmp(aname, KRCC_LEGACY_ANCHOR, alen) == 0 &&
+ strncmp(cname, sname, clen) == 0;
+}
+
+/*
+ * If the default cache name for context is a KEYRING cache, parse its residual
+ * string. Otherwise set all outputs to NULL.
+ */
+static krb5_error_code
+get_default(krb5_context context,
+ char **panchor_name,
+ char **pcollection_name,
+ char **psubsidiary_name)
+{
+ const char *defname;
+
+ *panchor_name = *pcollection_name = *psubsidiary_name = NULL;
+
+ defname = krb5_cc_default_name(context);
+ if (defname == NULL || strncmp(defname, "KEYRING:", 8) != 0)
+ return 0;
+
+ return parse_residual(context, defname + 8,
+ panchor_name, pcollection_name, psubsidiary_name);
+}
+
+/* Create a residual identifying a subsidiary cache. */
+static krb5_error_code
+make_subsidiary_residual(krb5_context context,
+ const char *anchor_name,
+ const char *collection_name,
+ const char *subsidiary_name,
+ char **presidual)
+{
+ if (asprintf(presidual, "%s:%s:%s", anchor_name, collection_name,
+ subsidiary_name ? subsidiary_name : "tkt") < 0) {
+ *presidual = NULL;
+ return krb5_enomem(context);
+ }
+
+ return 0;
+}
+
+/*
+ * Retrieve or create a keyring for collection_name within the anchor, and set
+ * *collection_id to its serial number.
+ */
+static krb5_error_code
+get_collection(krb5_context context,
+ const char *anchor_name,
+ const char *collection_name,
+ atomic_key_serial_t *pcollection_id)
+{
+ krb5_error_code ret;
+ key_serial_t persistent_id, anchor_id, possess_id = 0;
+ char *ckname, *cnend;
+ uid_t uidnum;
+
+ heim_base_atomic_init(pcollection_id, 0);
+
+ if (!anchor_name || !collection_name)
+ return KRB5_KCC_INVALID_ANCHOR;
+
+ if (strcmp(anchor_name, KRCC_PERSISTENT_ANCHOR) == 0) {
+ /*
+ * The collection name is a uid (or empty for the current effective
+ * uid), and we look up a fixed keyring name within the persistent
+ * keyring for that uid. We link it to the process keyring to ensure
+ * that we have possession rights on the collection key.
+ */
+ if (*collection_name != '\0') {
+ errno = 0;
+ uidnum = (uid_t)strtol(collection_name, &cnend, 10);
+ if (errno || *cnend != '\0')
+ return KRB5_KCC_INVALID_UID;
+ } else {
+ uidnum = geteuid();
+ }
+
+ persistent_id = GET_PERSISTENT(uidnum);
+ if (persistent_id == -1)
+ return KRB5_KCC_INVALID_UID;
+
+ return find_or_create_keyring(persistent_id, KEY_SPEC_PROCESS_KEYRING,
+ KRCC_PERSISTENT_KEYRING_NAME,
+ pcollection_id);
+ }
+
+ if (strcmp(anchor_name, KRCC_PROCESS_ANCHOR) == 0) {
+ anchor_id = KEY_SPEC_PROCESS_KEYRING;
+ } else if (strcmp(anchor_name, KRCC_THREAD_ANCHOR) == 0) {
+ anchor_id = KEY_SPEC_THREAD_KEYRING;
+ } else if (strcmp(anchor_name, KRCC_SESSION_ANCHOR) == 0) {
+ anchor_id = session_write_anchor();
+ } else if (strcmp(anchor_name, KRCC_USER_ANCHOR) == 0) {
+ /*
+ * The user keyring does not confer possession, so we need to link the
+ * collection to the process keyring to maintain possession rights.
+ */
+ anchor_id = KEY_SPEC_USER_KEYRING;
+ possess_id = KEY_SPEC_PROCESS_KEYRING;
+ } else if (strcmp(anchor_name, KRCC_LEGACY_ANCHOR) == 0) {
+ anchor_id = session_write_anchor();
+ } else {
+ return KRB5_KCC_INVALID_ANCHOR;
+ }
+
+ /* Look up the collection keyring name within the anchor keyring. */
+ if (asprintf(&ckname, "%s%s", KRCC_CCCOL_PREFIX, collection_name) == -1)
+ return krb5_enomem(context);
+
+ ret = find_or_create_keyring(anchor_id, possess_id, ckname,
+ pcollection_id);
+ free(ckname);
+
+ return ret;
+}
+
+/* Store subsidiary_name into the primary index key for collection_id. */
+static krb5_error_code
+set_primary_name(krb5_context context,
+ key_serial_t collection_id,
+ const char *subsidiary_name)
+{
+ krb5_error_code ret;
+ krb5_storage *sp;
+ krb5_data payload;
+ key_serial_t key;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ ret = krb5_store_int32(sp, KRCC_COLLECTION_VERSION);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_store_string(sp, subsidiary_name);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_storage_to_data(sp, &payload);
+ if (ret)
+ goto cleanup;
+
+ key = add_key(KRCC_KEY_TYPE_USER, KRCC_COLLECTION_PRIMARY,
+ payload.data, payload.length, collection_id);
+ ret = (key == -1) ? errno : 0;
+ krb5_data_free(&payload);
+
+cleanup:
+ krb5_storage_free(sp);
+
+ return ret;
+}
+
+static krb5_error_code
+parse_index(krb5_context context,
+ int32_t *version,
+ char **primary,
+ const unsigned char *payload,
+ size_t psize)
+{
+ krb5_error_code ret;
+ krb5_data payload_data;
+ krb5_storage *sp;
+
+ payload_data.length = psize;
+ payload_data.data = rk_UNCONST(payload);
+
+ sp = krb5_storage_from_data(&payload_data);
+ if (sp == NULL)
+ return KRB5_CC_NOMEM;
+
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ ret = krb5_ret_int32(sp, version);
+ if (ret == 0)
+ ret = krb5_ret_string(sp, primary);
+
+ krb5_storage_free(sp);
+
+ return ret;
+}
+
+/*
+ * Get or initialize the primary name within collection_id and set
+ * *subsidiary to its value. If initializing a legacy collection, look
+ * for a legacy cache and add it to the collection.
+ */
+static krb5_error_code
+get_primary_name(krb5_context context,
+ const char *anchor_name,
+ const char *collection_name,
+ key_serial_t collection_id,
+ char **psubsidiary)
+{
+ krb5_error_code ret;
+ key_serial_t primary_id, legacy;
+ void *payload = NULL;
+ int payloadlen;
+ int32_t version;
+ char *subsidiary_name = NULL;
+
+ *psubsidiary = NULL;
+
+ primary_id = keyctl_search(collection_id, KRCC_KEY_TYPE_USER,
+ KRCC_COLLECTION_PRIMARY, 0);
+ if (primary_id == -1) {
+ /*
+ * Initialize the primary key using the collection name. We can't name
+ * a key with the empty string, so map that to an arbitrary string.
+ */
+ subsidiary_name = strdup((*collection_name == '\0') ? "tkt" :
+ collection_name);
+ if (subsidiary_name == NULL) {
+ ret = krb5_enomem(context);
+ goto cleanup;
+ }
+
+ ret = set_primary_name(context, collection_id, subsidiary_name);
+ if (ret)
+ goto cleanup;
+
+ if (strcmp(anchor_name, KRCC_LEGACY_ANCHOR) == 0) {
+ /*
+ * Look for a cache created by old code. If we find one, add it to
+ * the collection.
+ */
+ legacy = keyctl_search(KEY_SPEC_SESSION_KEYRING,
+ KRCC_KEY_TYPE_KEYRING, subsidiary_name, 0);
+ if (legacy != -1 && keyctl_link(legacy, collection_id) == -1) {
+ ret = errno;
+ goto cleanup;
+ }
+ }
+ } else {
+ /* Read, parse, and free the primary key's payload. */
+ payloadlen = keyctl_read_alloc(primary_id, &payload);
+ if (payloadlen == -1) {
+ ret = errno;
+ goto cleanup;
+ }
+ ret = parse_index(context, &version, &subsidiary_name, payload,
+ payloadlen);
+ if (ret)
+ goto cleanup;
+
+ if (version != KRCC_COLLECTION_VERSION) {
+ ret = KRB5_KCC_UNKNOWN_VERSION;
+ goto cleanup;
+ }
+ }
+
+ *psubsidiary = subsidiary_name;
+ subsidiary_name = NULL;
+
+cleanup:
+ free(payload);
+ free(subsidiary_name);
+
+ return ret;
+}
+
+/*
+ * Note: MIT keyring code uses krb5int_random_string() as if the second argument
+ * is a character count rather than a size. The function below takes a character
+ * count to match the usage in this file correctly.
+ */
+static krb5_error_code
+generate_random_string(krb5_context context, char *s, size_t slen)
+{
+ static char chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+ char *p;
+ size_t i;
+
+ p = malloc(slen);
+ if (p == NULL)
+ return krb5_enomem(context);
+
+ krb5_generate_random_block(p, slen);
+
+ for (i = 0; i < slen; i++)
+ s[i] = chars[p[i] % (sizeof(chars) - 1)];
+
+ s[i] = '\0';
+ free(p);
+
+ return 0;
+}
+
+/*
+ * Create a keyring with a unique random name within collection_id. Set
+ * *subsidiary to its name and *cache_id to its key serial number.
+ */
+static krb5_error_code
+add_unique_keyring(krb5_context context,
+ key_serial_t collection_id,
+ char **psubsidiary,
+ key_serial_t *pcache_id)
+{
+ key_serial_t key;
+ krb5_error_code ret;
+ char uniquename[sizeof(KRCC_NAME_PREFIX) + KRCC_NAME_RAND_CHARS];
+ int prefixlen = sizeof(KRCC_NAME_PREFIX) - 1;
+ int tries;
+
+ *psubsidiary = NULL;
+ *pcache_id = 0;
+
+ memcpy(uniquename, KRCC_NAME_PREFIX, sizeof(KRCC_NAME_PREFIX));
+
+ for (key = -1, tries = 0; tries < 5; tries++) {
+ ret = generate_random_string(context, uniquename + prefixlen,
+ KRCC_NAME_RAND_CHARS);
+ if (ret)
+ return ret;
+
+ key = keyctl_search(collection_id, KRCC_KEY_TYPE_KEYRING, uniquename, 0);
+ if (key == -1) {
+ /* Name does not already exist. Create it to reserve the name. */
+ key = add_key(KRCC_KEY_TYPE_KEYRING, uniquename, NULL, 0, collection_id);
+ if (key == -1)
+ return errno;
+ break;
+ }
+ }
+
+ *psubsidiary = strdup(uniquename);
+ if (*psubsidiary == NULL)
+ return krb5_enomem(context);
+
+ *pcache_id = key;
+
+ return 0;
+}
+
+static krb5_error_code
+add_cred_key(const char *name,
+ const void *payload,
+ size_t plen,
+ key_serial_t cache_id,
+ krb5_boolean legacy_type,
+ key_serial_t *pkey)
+{
+ key_serial_t key;
+
+ *pkey = -1;
+
+ if (!legacy_type) {
+ /* Try the preferred cred key type; fall back if no kernel support. */
+ key = add_key(KRCC_CRED_KEY_TYPE, name, payload, plen, cache_id);
+ if (key != -1) {
+ *pkey = key;
+ return 0;
+ } else if (errno != EINVAL && errno != ENODEV)
+ return errno;
+ }
+
+ /* Use the user key type. */
+ key = add_key(KRCC_KEY_TYPE_USER, name, payload, plen, cache_id);
+ if (key == -1)
+ return errno;
+
+ *pkey = key;
+
+ return 0;
+}
+
+static void
+update_keyring_expiration(krb5_context context,
+ krb5_ccache id,
+ key_serial_t cache_id,
+ krb5_timestamp now)
+{
+ krb5_cc_cursor cursor;
+ krb5_creds creds;
+ krb5_timestamp endtime = 0;
+ unsigned int timeout;
+
+ /*
+ * We have no way to know what is the actual timeout set on the keyring.
+ * We also cannot keep track of it in a local variable as another process
+ * can always modify the keyring independently, so just always enumerate
+ * all start TGT keys and find out the highest endtime time.
+ */
+ if (krcc_get_first(context, id, &cursor) != 0)
+ return;
+
+ for (;;) {
+ if (krcc_get_next(context, id, &cursor, &creds) != 0)
+ break;
+ if (creds.times.endtime > endtime)
+ endtime = creds.times.endtime;
+ krb5_free_cred_contents(context, &creds);
+ }
+ (void) krcc_end_get(context, id, &cursor);
+
+ if (endtime == 0) /* No creds with end times */
+ return;
+
+ /*
+ * Setting the timeout to zero would reset the timeout, so we set it to one
+ * second instead if creds are already expired.
+ */
+ timeout = endtime > now ? endtime - now : 1;
+ (void) keyctl_set_timeout(cache_id, timeout);
+}
+
+/*
+ * Create or overwrite the cache keyring, and set the default principal.
+ */
+static krb5_error_code
+initialize_internal(krb5_context context,
+ krb5_ccache id,
+ krb5_const_principal princ)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret;
+ const char *cache_name, *p;
+ krb5_krcache_and_princ_id ids;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ memset(&ids, 0, sizeof(ids));
+ ids.krcu_cache_and_princ_id = heim_base_atomic_load(&data->krc_cache_and_principal_id);
+
+ ret = clear_cache_keyring(context, &ids.krcu_cache_id);
+ if (ret)
+ return ret;
+
+ if (ids.krcu_cache_id == 0) {
+ /*
+ * The key didn't exist at resolve time, or was destroyed after resolving.
+ * Check again and create the key if it still isn't there.
+ */
+ p = strrchr(data->krc_name, ':');
+ cache_name = (p != NULL) ? p + 1 : data->krc_name;
+ ret = find_or_create_keyring(data->krc_coll_id, 0, cache_name, &ids.krcu_cache_id);
+ if (ret)
+ return ret;
+ }
+
+ /*
+ * If this is the legacy cache in a legacy session collection, link it
+ * directly to the session keyring so that old code can see it.
+ */
+ if (is_legacy_cache_name_p(data->krc_name))
+ (void) keyctl_link(ids.krcu_cache_id, session_write_anchor());
+
+ if (princ != NULL) {
+ ret = save_principal(context, ids.krcu_cache_id, princ, &ids.krcu_princ_id);
+ if (ret)
+ return ret;
+ } else
+ ids.krcu_princ_id = 0;
+
+ /*
+ * Save time offset if it is valid and this is not a legacy cache. Legacy
+ * applications would fail to parse the new key in the cache keyring.
+ */
+ if (context->kdc_sec_offset && !is_legacy_cache_name_p(data->krc_name)) {
+ ret = save_time_offsets(context,
+ ids.krcu_cache_id,
+ context->kdc_sec_offset,
+ context->kdc_usec_offset);
+ if (ret)
+ return ret;
+ }
+
+ /* update cache and principal IDs atomically */
+ heim_base_atomic_store(&data->krc_cache_and_principal_id, ids.krcu_cache_and_princ_id);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ if (princ == NULL)
+ return KRB5_CC_BADNAME;
+
+ ret = initialize_internal(context, id, princ);
+ if (ret == 0)
+ update_change_time(context, 0, data);
+
+ return ret;
+}
+
+/* Release the ccache handle. */
+static krb5_error_code KRB5_CALLCONV
+krcc_close(krb5_context context, krb5_ccache id)
+{
+ krb5_krcache *data = KRCACHE(id);
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ free(data->krc_subsidiary);
+ free(data->krc_collection);
+ free(data->krc_name);
+ krb5_data_free(&id->data);
+
+ return 0;
+}
+
+/*
+ * Clear out a ccache keyring, unlinking all keys within it.
+ */
+static krb5_error_code
+clear_cache_keyring(krb5_context context,
+ atomic_key_serial_t *pcache_id)
+{
+ int res;
+ key_serial_t cache_id = heim_base_atomic_load(pcache_id);
+
+ _krb5_debug(context, 10, "clear_cache_keyring: cache_id %d\n", cache_id);
+
+ if (cache_id != 0) {
+ res = keyctl_clear(cache_id);
+ if (res == -1 && (errno == EACCES || errno == ENOKEY)) {
+ /*
+ * Possibly the keyring was destroyed between krcc_resolve() and now;
+ * if we really don't have permission, we will fail later.
+ */
+ res = 0;
+ heim_base_atomic_store(pcache_id, 0);
+ }
+ if (res == -1)
+ return errno;
+ }
+
+ return 0;
+}
+
+/* Destroy the cache keyring */
+static krb5_error_code KRB5_CALLCONV
+krcc_destroy(krb5_context context, krb5_ccache id)
+{
+ krb5_error_code ret = 0;
+ krb5_krcache *data = KRCACHE(id);
+ int res;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ /* no atomics, destroy is not thread-safe */
+ (void) clear_cache_keyring(context, &data->krc_cache_id);
+
+ if (data->krc_cache_id != 0) {
+ res = keyctl_unlink(data->krc_cache_id, data->krc_coll_id);
+ if (res < 0) {
+ ret = errno;
+ _krb5_debug(context, 10, "unlinking key %d from ring %d: %s",
+ data->krc_cache_id, data->krc_coll_id, error_message(errno));
+ }
+ /* If this is a legacy cache, unlink it from the session anchor. */
+ if (is_legacy_cache_name_p(data->krc_name))
+ (void) keyctl_unlink(data->krc_cache_id, session_write_anchor());
+ }
+
+ heim_base_atomic_store(&data->krc_princ_id, 0);
+
+ /* krcc_close is called by libkrb5, do not double-free */
+ return ret;
+}
+
+/* Create a cache handle for a cache ID. */
+static krb5_error_code
+make_cache(krb5_context context,
+ key_serial_t collection_id,
+ key_serial_t cache_id,
+ const char *anchor_name,
+ const char *collection_name,
+ const char *subsidiary_name,
+ krb5_ccache *cache)
+{
+ krb5_error_code ret;
+ krb5_krcache *data;
+ key_serial_t princ_id = 0;
+
+ /* Determine the key containing principal information, if present. */
+ princ_id = keyctl_search(cache_id, KRCC_KEY_TYPE_USER, KRCC_SPEC_PRINC_KEYNAME, 0);
+ if (princ_id == -1)
+ princ_id = 0;
+
+ ret = alloc_cache(context, collection_id, cache_id,
+ anchor_name, collection_name, subsidiary_name, &data);
+ if (ret)
+ return ret;
+
+ if (*cache == NULL) {
+ ret = _krb5_cc_allocate(context, &krb5_krcc_ops, cache);
+ if (ret) {
+ free(data->krc_name);
+ free(data);
+ return ret;
+ }
+ }
+
+ data->krc_princ_id = princ_id;
+
+ (*cache)->data.data = data;
+ (*cache)->data.length = sizeof(*data);
+
+ return 0;
+}
+
+/* Create a keyring ccache handle for the given residual string. */
+static krb5_error_code KRB5_CALLCONV
+krcc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *residual,
+ const char *sub)
+{
+ krb5_error_code ret;
+ atomic_key_serial_t collection_id;
+ key_serial_t cache_id;
+ char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
+
+ ret = parse_residual(context, residual, &anchor_name, &collection_name,
+ &subsidiary_name);
+ if (ret)
+ goto cleanup;
+ if (sub) {
+ free(subsidiary_name);
+ if ((subsidiary_name = strdup(sub)) == NULL) {
+ ret = krb5_enomem(context);
+ goto cleanup;
+ }
+ }
+
+ ret = get_collection(context, anchor_name, collection_name, &collection_id);
+ if (ret)
+ goto cleanup;
+
+ if (subsidiary_name == NULL) {
+ /* Retrieve or initialize the primary name for the collection. */
+ ret = get_primary_name(context, anchor_name, collection_name,
+ collection_id, &subsidiary_name);
+ if (ret)
+ goto cleanup;
+ }
+
+ /* Look up the cache keyring ID, if the cache is already initialized. */
+ cache_id = keyctl_search(collection_id, KRCC_KEY_TYPE_KEYRING,
+ subsidiary_name, 0);
+ if (cache_id < 0)
+ cache_id = 0;
+
+ ret = make_cache(context, collection_id, cache_id, anchor_name,
+ collection_name, subsidiary_name, id);
+ if (ret)
+ goto cleanup;
+
+cleanup:
+ free(anchor_name);
+ free(collection_name);
+ free(subsidiary_name);
+
+ return ret;
+}
+
+struct krcc_cursor {
+ size_t numkeys;
+ size_t currkey;
+ key_serial_t princ_id;
+ key_serial_t offsets_id;
+ key_serial_t *keys;
+};
+
+/* Prepare for a sequential iteration over the cache keyring. */
+static krb5_error_code
+krcc_get_first(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor)
+{
+ struct krcc_cursor *krcursor;
+ krb5_krcache *data = KRCACHE(id);
+ key_serial_t cache_id;
+ void *keys;
+ long size;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ cache_id = heim_base_atomic_load(&data->krc_cache_id);
+ if (cache_id == 0)
+ return KRB5_FCC_NOFILE;
+
+ size = keyctl_read_alloc(cache_id, &keys);
+ if (size == -1) {
+ _krb5_debug(context, 10, "Error getting from keyring: %s\n",
+ strerror(errno));
+ return KRB5_CC_IO;
+ }
+
+ krcursor = calloc(1, sizeof(*krcursor));
+ if (krcursor == NULL) {
+ free(keys);
+ return KRB5_CC_NOMEM;
+ }
+
+ krcursor->princ_id = heim_base_atomic_load(&data->krc_princ_id);
+ krcursor->offsets_id = keyctl_search(cache_id, KRCC_KEY_TYPE_USER,
+ KRCC_TIME_OFFSETS, 0);
+ krcursor->numkeys = size / sizeof(key_serial_t);
+ krcursor->keys = keys;
+
+ *cursor = krcursor;
+
+ return 0;
+}
+
+static krb5_error_code
+keyctl_read_krb5_data(key_serial_t keyid, krb5_data *payload)
+{
+ krb5_data_zero(payload);
+
+ payload->length = keyctl_read_alloc(keyid, &payload->data);
+
+ return (payload->length == -1) ? KRB5_FCC_NOFILE : 0;
+}
+
+/* Get the next credential from the cache keyring. */
+static krb5_error_code KRB5_CALLCONV
+krcc_get_next(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor,
+ krb5_creds *creds)
+{
+ struct krcc_cursor *krcursor;
+ krb5_error_code ret;
+ krb5_data payload;
+ krb5_storage *sp;
+
+ memset(creds, 0, sizeof(krb5_creds));
+
+ krcursor = *cursor;
+ if (krcursor == NULL)
+ return KRB5_CC_END;
+
+ if (krcursor->currkey >= krcursor->numkeys)
+ return KRB5_CC_END;
+
+ /*
+ * If we're pointing at the entry with the principal, or at the key
+ * with the time offsets, skip it.
+ */
+ while (krcursor->keys[krcursor->currkey] == krcursor->princ_id ||
+ krcursor->keys[krcursor->currkey] == krcursor->offsets_id) {
+ krcursor->currkey++;
+ if (krcursor->currkey >= krcursor->numkeys)
+ return KRB5_CC_END;
+ }
+
+ ret = keyctl_read_krb5_data(krcursor->keys[krcursor->currkey], &payload);
+ if (ret) {
+ _krb5_debug(context, 10, "Error reading key %d: %s\n",
+ krcursor->keys[krcursor->currkey],
+ strerror(errno));
+ return ret;
+ }
+ krcursor->currkey++;
+
+ sp = krb5_storage_from_data(&payload);
+ if (sp == NULL) {
+ ret = KRB5_CC_IO;
+ } else {
+ ret = krb5_ret_creds(sp, creds);
+ krb5_storage_free(sp);
+ }
+
+ krb5_data_free(&payload);
+
+ return ret;
+}
+
+/* Release an iteration cursor. */
+static krb5_error_code KRB5_CALLCONV
+krcc_end_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
+{
+ struct krcc_cursor *krcursor = *cursor;
+
+ if (krcursor != NULL) {
+ free(krcursor->keys);
+ free(krcursor);
+ }
+
+ *cursor = NULL;
+
+ return 0;
+}
+
+/* Create keyring data for a credential cache. */
+static krb5_error_code
+alloc_cache(krb5_context context,
+ key_serial_t collection_id,
+ key_serial_t cache_id,
+ const char *anchor_name,
+ const char *collection_name,
+ const char *subsidiary_name,
+ krb5_krcache **pdata)
+{
+ krb5_error_code ret;
+ krb5_krcache *data;
+
+ *pdata = NULL;
+
+ data = calloc(1, sizeof(*data));
+ if (data == NULL)
+ return KRB5_CC_NOMEM;
+
+ ret = make_subsidiary_residual(context, anchor_name, collection_name,
+ subsidiary_name, &data->krc_name);
+ if (ret ||
+ (data->krc_collection = strdup(collection_name)) == NULL ||
+ (data->krc_subsidiary = strdup(subsidiary_name ? subsidiary_name : "tkt")) == NULL) {
+ if (data) {
+ free(data->krc_collection);
+ free(data->krc_name);
+ }
+ free(data);
+ if (ret == 0)
+ ret = krb5_enomem(context);
+ return ret;
+ }
+
+ heim_base_atomic_init(&data->krc_princ_id, 0);
+ heim_base_atomic_init(&data->krc_cache_id, cache_id);
+ data->krc_coll_id = collection_id;
+ data->krc_changetime = 0;
+ data->krc_is_legacy = (strcmp(anchor_name, KRCC_LEGACY_ANCHOR) == 0);
+
+ update_change_time(context, 0, data);
+
+ *pdata = data;
+
+ return 0;
+}
+
+/* Create a new keyring cache with a unique name. */
+static krb5_error_code KRB5_CALLCONV
+krcc_gen_new(krb5_context context, krb5_ccache *id)
+{
+ krb5_error_code ret;
+ char *anchor_name, *collection_name, *subsidiary_name;
+ char *new_subsidiary_name = NULL, *new_residual = NULL;
+ krb5_krcache *data;
+ atomic_key_serial_t collection_id;
+ key_serial_t cache_id = 0;
+
+ /* Determine the collection in which we will create the cache.*/
+ ret = get_default(context, &anchor_name, &collection_name,
+ &subsidiary_name);
+ if (ret)
+ return ret;
+
+ if (anchor_name == NULL) {
+ ret = parse_residual(context, KRCC_DEFAULT_UNIQUE_COLLECTION, &anchor_name,
+ &collection_name, &subsidiary_name);
+ if (ret)
+ return ret;
+ }
+ if (subsidiary_name != NULL) {
+ krb5_set_error_message(context, KRB5_DCC_CANNOT_CREATE,
+ N_("Can't create new subsidiary cache because default cache "
+ "is already a subsidiary", ""));
+ ret = KRB5_DCC_CANNOT_CREATE;
+ goto cleanup;
+ }
+
+ /* Make a unique keyring within the chosen collection. */
+ ret = get_collection(context, anchor_name, collection_name, &collection_id);
+ if (ret)
+ goto cleanup;
+
+ ret = add_unique_keyring(context, collection_id, &new_subsidiary_name, &cache_id);
+ if (ret)
+ goto cleanup;
+
+ ret = alloc_cache(context, collection_id, cache_id,
+ anchor_name, collection_name, new_subsidiary_name,
+ &data);
+ if (ret)
+ goto cleanup;
+
+ (*id)->data.data = data;
+ (*id)->data.length = sizeof(*data);
+
+cleanup:
+ free(anchor_name);
+ free(collection_name);
+ free(subsidiary_name);
+ free(new_subsidiary_name);
+ free(new_residual);
+
+ return ret;
+}
+
+/* Return an alias to the residual string of the cache. */
+static krb5_error_code KRB5_CALLCONV
+krcc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **collection_name,
+ const char **subsidiary_name)
+{
+ krb5_krcache *data = KRCACHE(id);
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ if (name)
+ *name = data->krc_name;
+ if (collection_name)
+ *collection_name = data->krc_collection;
+ if (subsidiary_name)
+ *subsidiary_name = data->krc_subsidiary;
+ return 0;
+}
+
+/* Retrieve a copy of the default principal, if the cache is initialized. */
+static krb5_error_code KRB5_CALLCONV
+krcc_get_principal(krb5_context context,
+ krb5_ccache id,
+ krb5_principal *princ)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ krb5_data payload;
+ krb5_krcache_and_princ_id ids;
+
+ krb5_data_zero(&payload);
+ *princ = NULL;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ memset(&ids, 0, sizeof(ids));
+ ids.krcu_cache_and_princ_id = heim_base_atomic_load(&data->krc_cache_and_principal_id);
+ if (ids.krcu_cache_id == 0 || ids.krcu_princ_id == 0) {
+ ret = KRB5_FCC_NOFILE;
+ krb5_set_error_message(context, ret,
+ N_("Credentials cache keyring '%s' not found", ""),
+ data->krc_name);
+ goto cleanup;
+ }
+
+ ret = keyctl_read_krb5_data(ids.krcu_princ_id, &payload);
+ if (ret) {
+ _krb5_debug(context, 10, "Reading principal key %d: %s\n",
+ ids.krcu_princ_id, strerror(errno));
+ goto cleanup;
+ }
+
+ sp = krb5_storage_from_data(&payload);
+ if (sp == NULL) {
+ ret = KRB5_CC_IO;
+ goto cleanup;
+ }
+
+ ret = krb5_ret_principal(sp, princ);
+ if (ret)
+ goto cleanup;
+
+cleanup:
+ krb5_storage_free(sp);
+ krb5_data_free(&payload);
+
+ return ret;
+}
+
+/* Remove a cred from the cache keyring */
+static krb5_error_code KRB5_CALLCONV
+krcc_remove_cred(krb5_context context, krb5_ccache id,
+ krb5_flags which, krb5_creds *mcred)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret, ret2;
+ krb5_cc_cursor cursor;
+ krb5_creds found_cred;
+ krb5_krcache_and_princ_id ids;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ ret = krcc_get_first(context, id, &cursor);
+ if (ret)
+ return ret;
+
+ memset(&ids, 0, sizeof(ids));
+ ids.krcu_cache_and_princ_id = heim_base_atomic_load(&data->krc_cache_and_principal_id);
+
+ while ((ret = krcc_get_next(context, id, &cursor, &found_cred)) == 0) {
+ struct krcc_cursor *krcursor = cursor;
+
+ if (!krb5_compare_creds(context, which, mcred, &found_cred)) {
+ krb5_free_cred_contents(context, &found_cred);
+ continue;
+ }
+
+ _krb5_debug(context, 10, "Removing cred %d from cache_id %d, princ_id %d\n",
+ krcursor->keys[krcursor->currkey - 1],
+ ids.krcu_cache_id, ids.krcu_princ_id);
+
+ keyctl_invalidate(krcursor->keys[krcursor->currkey - 1]);
+ krcursor->keys[krcursor->currkey - 1] = 0;
+ krb5_free_cred_contents(context, &found_cred);
+ }
+
+ ret2 = krcc_end_get(context, id, &cursor);
+ if (ret == KRB5_CC_END)
+ ret = ret2;
+
+ return ret;
+}
+
+/* Set flags on the cache. (We don't care about any flags.) */
+static krb5_error_code KRB5_CALLCONV
+krcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags)
+{
+ return 0;
+}
+
+static int KRB5_CALLCONV
+krcc_get_version(krb5_context context, krb5_ccache id)
+{
+ return 0;
+}
+
+/* Store a credential in the cache keyring. */
+static krb5_error_code KRB5_CALLCONV
+krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
+{
+ krb5_error_code ret;
+ krb5_krcache *data = KRCACHE(id);
+ krb5_storage *sp = NULL;
+ char *keyname = NULL;
+ key_serial_t cred_key, cache_id;
+ krb5_timestamp now;
+ krb5_data payload;
+
+ krb5_data_zero(&payload);
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ cache_id = heim_base_atomic_load(&data->krc_cache_id);
+ if (cache_id == 0)
+ return KRB5_FCC_NOFILE;
+
+ ret = krb5_unparse_name(context, creds->server, &keyname);
+ if (ret)
+ goto cleanup;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
+ ret = KRB5_CC_NOMEM;
+ goto cleanup;
+ }
+
+ ret = krb5_store_creds(sp, creds);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_storage_to_data(sp, &payload);
+ if (ret)
+ goto cleanup;
+
+ _krb5_debug(context, 10, "krcc_store: adding new key '%s' to keyring %d\n",
+ keyname, cache_id);
+ ret = add_cred_key(keyname, payload.data, payload.length, cache_id,
+ data->krc_is_legacy, &cred_key);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_timeofday(context, &now);
+ if (ret)
+ goto cleanup;
+
+ update_change_time(context, now, data);
+
+ /* Set timeout on credential key */
+ if (creds->times.endtime > now)
+ (void) keyctl_set_timeout(cred_key, creds->times.endtime - now);
+
+ /* Set timeout on credential cache keyring */
+ update_keyring_expiration(context, id, cache_id, now);
+
+cleanup:
+ krb5_data_free(&payload);
+ krb5_storage_free(sp);
+ krb5_xfree(keyname);
+
+ return ret;
+}
+
+/*
+ * Get the cache's last modification time. (This is currently broken; it
+ * returns only the last change made using this handle.)
+ */
+static krb5_error_code KRB5_CALLCONV
+krcc_lastchange(krb5_context context,
+ krb5_ccache id,
+ krb5_timestamp *change_time)
+{
+ krb5_krcache *data = KRCACHE(id);
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ *change_time = heim_base_atomic_load(&data->krc_changetime);
+
+ return 0;
+}
+
+static krb5_error_code
+save_principal(krb5_context context,
+ key_serial_t cache_id,
+ krb5_const_principal princ,
+ atomic_key_serial_t *pprinc_id)
+{
+ krb5_error_code ret;
+ krb5_storage *sp;
+ key_serial_t newkey;
+ krb5_data payload;
+
+ krb5_data_zero(&payload);
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+
+ ret = krb5_store_principal(sp, princ);
+ if (ret) {
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ ret = krb5_storage_to_data(sp, &payload);
+ if (ret) {
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ krb5_storage_free(sp);
+ {
+ krb5_error_code tmp;
+ char *princname = NULL;
+
+ tmp = krb5_unparse_name(context, princ, &princname);
+ _krb5_debug(context, 10, "save_principal: adding new key '%s' "
+ "to keyring %d for principal '%s'\n",
+ KRCC_SPEC_PRINC_KEYNAME, cache_id,
+ tmp ? "<unknown>" : princname);
+ if (tmp == 0)
+ krb5_xfree(princname);
+ }
+
+ /* Add new key into keyring */
+ newkey = add_key(KRCC_KEY_TYPE_USER, KRCC_SPEC_PRINC_KEYNAME,
+ payload.data, payload.length, cache_id);
+ if (newkey == -1) {
+ ret = errno;
+ _krb5_debug(context, 10, "Error adding principal key: %s\n", strerror(ret));
+ } else {
+ ret = 0;
+ heim_base_atomic_store(pprinc_id, newkey);
+ }
+
+ krb5_data_free(&payload);
+
+ return ret;
+}
+
+/* Add a key to the cache keyring containing the given time offsets. */
+static krb5_error_code
+save_time_offsets(krb5_context context,
+ key_serial_t cache_id,
+ int32_t sec_offset,
+ int32_t usec_offset)
+{
+ krb5_error_code ret;
+ key_serial_t newkey;
+ krb5_storage *sp;
+ krb5_data payload;
+
+ krb5_data_zero(&payload);
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ ret = krb5_store_int32(sp, sec_offset);
+ if (ret == 0)
+ ret = krb5_store_int32(sp, usec_offset);
+ if (ret) {
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ ret = krb5_storage_to_data(sp, &payload);
+ if (ret) {
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ krb5_storage_free(sp);
+
+ newkey = add_key(KRCC_KEY_TYPE_USER, KRCC_TIME_OFFSETS, payload.data,
+ payload.length, cache_id);
+ ret = newkey == -1 ? errno : 0;
+
+ krb5_data_free(&payload);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
+{
+ krb5_krcache *data = KRCACHE(id);
+ key_serial_t cache_id;
+ krb5_error_code ret;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ cache_id = heim_base_atomic_load(&data->krc_cache_id);
+
+ ret = save_time_offsets(context, cache_id, (int32_t)offset, 0);
+ if (ret == 0)
+ update_change_time(context, 0, data);
+
+ return ret;
+}
+
+/* Retrieve and parse the key in the cache keyring containing time offsets. */
+static krb5_error_code KRB5_CALLCONV
+krcc_get_kdc_offset(krb5_context context,
+ krb5_ccache id,
+ krb5_deltat *offset)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret = 0;
+ key_serial_t key, cache_id;
+ krb5_storage *sp = NULL;
+ krb5_data payload;
+ int32_t sec_offset = 0;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ krb5_data_zero(&payload);
+
+ cache_id = heim_base_atomic_load(&data->krc_cache_id);
+ if (cache_id == 0) {
+ ret = KRB5_FCC_NOFILE;
+ goto cleanup;
+ }
+
+ key = keyctl_search(cache_id, KRCC_KEY_TYPE_USER, KRCC_TIME_OFFSETS, 0);
+ if (key == -1) {
+ ret = ENOENT;
+ goto cleanup;
+ }
+
+ ret = keyctl_read_krb5_data(key, &payload);
+ if (ret) {
+ _krb5_debug(context, 10, "Reading time offsets key %d: %s\n",
+ key, strerror(errno));
+ goto cleanup;
+ }
+
+ sp = krb5_storage_from_data(&payload);
+ if (sp == NULL) {
+ ret = krb5_enomem(context);;
+ goto cleanup;
+ }
+
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ ret = krb5_ret_int32(sp, &sec_offset);
+ /*
+ * We can't output nor use the usec_offset here, so we don't bother to read
+ * it, though we do write it.
+ */
+
+cleanup:
+ *offset = sec_offset;
+ krb5_storage_free(sp);
+ krb5_data_free(&payload);
+ return ret;
+}
+
+struct krcc_iter {
+ atomic_key_serial_t collection_id;
+ char *anchor_name;
+ char *collection_name;
+ char *subsidiary_name;
+ char *primary_name;
+ krb5_boolean first;
+ long num_keys;
+ long next_key;
+ key_serial_t *keys;
+};
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
+ struct krcc_iter *iter;
+ krb5_error_code ret;
+ void *keys;
+ long size;
+
+ *cursor = NULL;
+
+ iter = calloc(1, sizeof(*iter));
+ if (iter == NULL) {
+ ret = krb5_enomem(context);
+ goto error;
+ }
+ iter->first = TRUE;
+
+ ret = get_default(context, &iter->anchor_name, &iter->collection_name,
+ &iter->subsidiary_name);
+ if (ret)
+ goto error;
+
+ /* If there is no default collection, return an empty cursor. */
+ if (iter->anchor_name == NULL) {
+ *cursor = iter;
+ return 0;
+ }
+
+ ret = get_collection(context, iter->anchor_name, iter->collection_name,
+ &iter->collection_id);
+ if (ret)
+ goto error;
+
+ if (iter->subsidiary_name == NULL) {
+ ret = get_primary_name(context, iter->anchor_name,
+ iter->collection_name, iter->collection_id,
+ &iter->primary_name);
+ if (ret)
+ goto error;
+
+ size = keyctl_read_alloc(iter->collection_id, &keys);
+ if (size == -1) {
+ ret = errno;
+ goto error;
+ }
+ iter->keys = keys;
+ iter->num_keys = size / sizeof(key_serial_t);
+ }
+
+ *cursor = iter;
+
+ return 0;
+
+error:
+ krcc_end_cache_get(context, iter);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_cache_next(krb5_context context,
+ krb5_cc_cursor cursor,
+ krb5_ccache *cache)
+{
+ krb5_error_code ret;
+ struct krcc_iter *iter = cursor;
+ key_serial_t key, cache_id = 0;
+ const char *first_name, *keytype, *sep, *subsidiary_name;
+ size_t keytypelen;
+ char *description = NULL;
+
+ *cache = NULL;
+
+ /* No keyring available */
+ if (iter->collection_id == 0)
+ return KRB5_CC_END;
+
+ if (iter->first) {
+ /*
+ * Look for the primary cache for a collection cursor, or the
+ * subsidiary cache for a subsidiary cursor.
+ */
+ iter->first = FALSE;
+ first_name = (iter->primary_name != NULL) ? iter->primary_name :
+ iter->subsidiary_name;
+ cache_id = keyctl_search(iter->collection_id, KRCC_KEY_TYPE_KEYRING,
+ first_name, 0);
+ if (cache_id != -1) {
+ return make_cache(context, iter->collection_id, cache_id,
+ iter->anchor_name, iter->collection_name,
+ first_name, cache);
+ }
+ }
+
+ /* A subsidiary cursor yields at most the first cache. */
+ if (iter->subsidiary_name != NULL)
+ return KRB5_CC_END;
+
+ keytype = KRCC_KEY_TYPE_KEYRING ";";
+ keytypelen = strlen(keytype);
+
+ for (ret = KRB5_CC_END; iter->next_key < iter->num_keys; iter->next_key++) {
+ free(description);
+ description = NULL;
+
+ /*
+ * Get the key description, which should have the form:
+ * typename;UID;GID;permissions;description
+ */
+ key = iter->keys[iter->next_key];
+ if (keyctl_describe_alloc(key, &description) < 0)
+ continue;
+ sep = strrchr(description, ';');
+ if (sep == NULL)
+ continue;
+ subsidiary_name = sep + 1;
+
+ /* Skip this key if it isn't a keyring. */
+ if (strncmp(description, keytype, keytypelen) != 0)
+ continue;
+
+ /* Don't repeat the primary cache. */
+ if (iter->primary_name &&
+ strcmp(subsidiary_name, iter->primary_name) == 0)
+ continue;
+
+ /* We found a valid key */
+ iter->next_key++;
+ ret = make_cache(context, iter->collection_id, key, iter->anchor_name,
+ iter->collection_name, subsidiary_name, cache);
+ break;
+ }
+
+ free(description);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
+ struct krcc_iter *iter = cursor;
+
+ if (iter != NULL) {
+ free(iter->anchor_name);
+ free(iter->collection_name);
+ free(iter->subsidiary_name);
+ free(iter->primary_name);
+ free(iter->keys);
+
+ memset(iter, 0, sizeof(*iter));
+ free(iter);
+ }
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_set_default(krb5_context context, krb5_ccache id)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret;
+ char *anchor_name, *collection_name, *subsidiary_name;
+ atomic_key_serial_t collection_id;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ ret = parse_residual(context, data->krc_name,
+ &anchor_name, &collection_name, &subsidiary_name);
+ if (ret)
+ goto cleanup;
+
+ ret = get_collection(context, anchor_name, collection_name, &collection_id);
+ if (ret)
+ goto cleanup;
+
+ ret = set_primary_name(context, collection_id, subsidiary_name);
+ if (ret)
+ goto cleanup;
+
+cleanup:
+ free(anchor_name);
+ free(collection_name);
+ free(subsidiary_name);
+
+ return ret;
+}
+
+/*
+ * Utility routine: called by krcc_* functions to keep
+ * result of krcc_last_change_time up to date.
+ */
+static void
+update_change_time(krb5_context context, krb5_timestamp now, krb5_krcache *data)
+{
+ krb5_timestamp old;
+
+ if (now == 0)
+ krb5_timeofday(context, &now);
+
+ old = heim_base_exchange_time_t(&data->krc_changetime, now);
+ if (old > now) /* don't go backwards */
+ heim_base_atomic_store(&data->krc_changetime, old + 1);
+}
+
+static int
+move_key_to_new_keyring(key_serial_t parent, key_serial_t key,
+ char *desc, int desc_len, void *data)
+{
+ key_serial_t cache_id = *(key_serial_t *)data;
+
+ if (parent) {
+ if (keyctl_link(key, cache_id) == -1 ||
+ keyctl_unlink(key, parent) == -1)
+ return -1;
+ }
+
+ return 0;
+}
+
+/* Move contents of one ccache to another; destroys from cache */
+static krb5_error_code KRB5_CALLCONV
+krcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
+ krb5_krcache *krfrom = KRCACHE(from);
+ krb5_krcache *krto = KRCACHE(to);
+ krb5_error_code ret;
+ krb5_timestamp now;
+ key_serial_t to_cache_id;
+
+ if (krfrom == NULL || krto == NULL)
+ return krb5_einval(context, 2);
+
+ ret = initialize_internal(context, to, NULL);
+ if (ret)
+ return ret;
+
+ krb5_timeofday(context, &now);
+ to_cache_id = heim_base_atomic_load(&krto->krc_cache_id);
+
+ if (krfrom->krc_cache_id != 0) {
+ ret = recursive_key_scan(krfrom->krc_cache_id,
+ move_key_to_new_keyring, &to_cache_id);
+ if (ret)
+ return KRB5_CC_IO;
+
+ if (keyctl_unlink(krfrom->krc_cache_id, krfrom->krc_coll_id) == -1)
+ return errno;
+
+ heim_base_exchange_32(&krto->krc_princ_id, krfrom->krc_princ_id);
+ }
+
+ update_change_time(context, now, krto);
+ krb5_cc_destroy(context, from);
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_default_name(krb5_context context, char **str)
+{
+ *str = strdup("KEYRING:");
+ if (*str == NULL)
+ return krb5_enomem(context);
+
+ return 0;
+}
+
+/*
+ * ccache implementation storing credentials in the Linux keyring facility
+ * The default is to put them at the session keyring level.
+ * If "KEYRING:process:" or "KEYRING:thread:" is specified, then they will
+ * be stored at the process or thread level respectively.
+ */
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_krcc_ops = {
+ KRB5_CC_OPS_VERSION_5,
+ "KEYRING",
+ NULL,
+ NULL,
+ krcc_gen_new,
+ krcc_initialize,
+ krcc_destroy,
+ krcc_close,
+ krcc_store,
+ NULL, /* retrieve */
+ krcc_get_principal,
+ krcc_get_first,
+ krcc_get_next,
+ krcc_end_get,
+ krcc_remove_cred,
+ krcc_set_flags,
+ krcc_get_version,
+ krcc_get_cache_first,
+ krcc_get_cache_next,
+ krcc_end_cache_get,
+ krcc_move,
+ krcc_get_default_name,
+ krcc_set_default,
+ krcc_lastchange,
+ krcc_set_kdc_offset,
+ krcc_get_kdc_offset,
+ krcc_get_name_2,
+ krcc_resolve_2
+};
+
+#endif /* HAVE_KEYUTILS_H */
diff --git a/lib/krb5/kuserok.c b/lib/krb5/kuserok.c
index 492d0c6b858e..7a7de452ae6f 100644
--- a/lib/krb5/kuserok.c
+++ b/lib/krb5/kuserok.c
@@ -67,10 +67,10 @@ plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
}
static krb5_error_code plugin_reg_ret;
-static krb5plugin_kuserok_ftable kuserok_simple_plug;
-static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
-static krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
-static krb5plugin_kuserok_ftable kuserok_deny_plug;
+static const krb5plugin_kuserok_ftable kuserok_simple_plug;
+static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
+static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
+static const krb5plugin_kuserok_ftable kuserok_deny_plug;
static void
reg_def_plugins_once(void *ctx)
@@ -144,7 +144,7 @@ check_owner_dir(krb5_context context,
heim_assert(owner != NULL, "no directory owner ?");
- if (rk_getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
+ if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
krb5_set_error_message(context, errno,
"User unknown %s (getpwnam_r())", owner);
return EACCES;
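Review bot: The error path after `getpwnam_r()` in check_owner_dir still passes `errno` to `krb5_set_error_message()`, but POSIX `getpwnam_r()` reports failure through its return value and is not required to set `errno`, so the recorded code may be stale or zero unless the project's compatibility layer guarantees otherwise. Keep the return value and use it, e.g. `int e = getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd);` followed by `if (e != 0) { krb5_set_error_message(context, e, ...`. The identical call in the check_owner_file hunk has the same issue. An unknown user is reported as a return of 0 with `pwd == NULL`, so this ownership check also relies on a `pwd == NULL` test which, if present, is below the hunk. check_owner_dir starts and ends outside the hunk.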
@@ -219,7 +219,7 @@ check_owner_file(krb5_context context,
if (owner == NULL)
return 0;
- if (rk_getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
+ if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
krb5_set_error_message(context, errno,
"User unknown %s (getpwnam_r())", owner);
return EACCES;
@@ -455,6 +455,17 @@ krb5_kuserok(krb5_context context,
}
+static const char *const kuserok_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+kuserok_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_KUSEROK,
+ KRB5_PLUGIN_KUSEROK_VERSION_0,
+ kuserok_plugin_deps,
+ krb5_get_instance
+};
+
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_kuserok(krb5_context context,
krb5_principal principal,
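Review bot: `kuserok_plugin_data` is initialized positionally and has no comment, so a reader cannot tell what each of the five values means without opening the definition of `struct heim_plugin_data`, which is not part of this hunk. A one-line comment above it would help, for example `/* Descriptor handed to _krb5_plugin_run_f() when running kuserok plugins; see _krb5_kuserok(). */`. If the file's C dialect allows designated initializers, they would also keep the values tied to their members if the struct is ever reordered. `_krb5_kuserok()` continues outside the hunk.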
@@ -515,9 +526,8 @@ _krb5_kuserok(krb5_context context,
for (n = 0; rules[n]; n++) {
ctx.rule = rules[n];
- ret = _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_KUSEROK,
- KRB5_PLUGIN_KUSEROK_VERSION_0, 0,
- &ctx, plcallback);
+ ret = _krb5_plugin_run_f(context, &kuserok_plugin_data,
+ 0, &ctx, plcallback);
if (ret != KRB5_PLUGIN_NO_HANDLE)
goto out;
}
@@ -713,28 +723,28 @@ kuser_ok_null_plugin_fini(void *ctx)
return;
}
-static krb5plugin_kuserok_ftable kuserok_simple_plug = {
+static const krb5plugin_kuserok_ftable kuserok_simple_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_simple_plug_f,
};
-static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
+static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_sys_k5login_plug_f,
};
-static krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
+static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_user_k5login_plug_f,
};
-static krb5plugin_kuserok_ftable kuserok_deny_plug = {
+static const krb5plugin_kuserok_ftable kuserok_deny_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
diff --git a/lib/krb5/kuserok_plugin.h b/lib/krb5/kuserok_plugin.h
index b45071d18e73..7c3f3b4c8dcc 100644
--- a/lib/krb5/kuserok_plugin.h
+++ b/lib/krb5/kuserok_plugin.h
@@ -32,6 +32,8 @@
#ifndef HEIMDAL_KRB5_KUSEROK_PLUGIN_H
#define HEIMDAL_KRB5_KUSEROK_PLUGIN_H 1
+#include <heimbase-svc.h>
+
#define KRB5_PLUGIN_KUSEROK "krb5_plugin_kuserok"
#define KRB5_PLUGIN_KUSEROK_VERSION_0 0
@@ -76,9 +78,7 @@
* @ingroup krb5_support
*/
typedef struct krb5plugin_kuserok_ftable_desc {
- int minor_version;
- krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
- void (KRB5_LIB_CALL *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
krb5_error_code (KRB5_LIB_CALL *kuserok)(void *, krb5_context, const char *,
unsigned int, const char *, const char *,
krb5_const_principal,
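Review bot: Replacing the three explicit members with `HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);` hides the head of a plugin ABI struct behind a macro whose definition is not visible here. The positional initializers in kuserok.c still supply a version, an init function and a fini function in that order, so the expansion has to keep exactly that layout, and out-of-tree plugins presumably depend on it too. A comment on the line would make the contract explicit, e.g. `/* common plugin header: minor_version, init, fini, in this order */`, once confirmed against the macro in heimbase-svc.h. If the macro already ends in a semicolon, the trailing `;` adds an empty declaration that pedantic compilers warn about. The struct and its doc comment extend outside the hunk, so check whether that comment still describes the members it no longer shows.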
diff --git a/lib/krb5/kx509.c b/lib/krb5/kx509.c
new file mode 100644
index 000000000000..7525739f66ca
--- /dev/null
+++ b/lib/krb5/kx509.c
@@ -0,0 +1,1323 @@
+/*
+ * Copyright (c) 2019 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include <kx509_asn1.h>
+#include <kx509_err.h>
+#include "../hx509/hx_locl.h" /* XXX find a better way */
+#include "hx509-private.h"
+
+/*
+ * This file implements a client for the kx509 protocol -- a Kerberized online
+ * CA that can issue a Certificate to a client that authenticates using
+ * Kerberos.
+ *
+ * The kx509 protocol is the inverse of PKINIT. Whereas PKINIT allows users
+ * with PKIX credentials to acquire Kerberos credentials, the kx509 protocol
+ * allows users with Kerberos credentials to acquire PKIX credentials.
+ *
+ * I.e., kx509 is a bridge, just like PKINIT.
+ *
+ * The kx509 protocol is very simple, and very limited.
+ *
+ * A request consists of a DER-encoded Kx509Request message prefixed with four
+ * bytes identifying the protocol (see `version_2_0' below).
+ *
+ * A Kx509Request message contains an AP-REQ, a public key, and an HMAC of the
+ * public key made with the session key of the AP-REQ's ticket.
+ *
+ * The service principal can be either kca_service/hostname.fqdn or
+ * krbtgt/REALM (a Heimdal innovation).
+ *
+ * If a request is missing a public key, then the request is a probe intended
+ * to discover whether the service is enabled, thus helping the client avoid
+ * a possibly-slow private key generation operation.
+ *
+ * The response is a DER-encoded Kx509Response also prefixed with
+ * `version_2_0', and contains: an optional error code and error text, an
+ * optional certificate (for the success case), and an optional HMAC of those
+ * fields that is present when the service was able to verify the AP-REQ.
+ *
+ * Limitations:
+ *
+ * - no proof of possession for the public key
+ * - only RSA keys are supported
+ * - no way to express options (e.g., what KUs, EKUs, or SANs are desired)
+ * - no sub-session key usage
+ * - no reflection protection other than the HMAC's forgery protection and the
+ * fact that the client could tell that a reflected attack isn't success
+ *
+ * Future directions:
+ *
+ * - Since the public key field of the request is an OCTET STRING, we could
+ * send a CSR, or even an expired certificate (possibly self-signed,
+ * possibly one issued earlier) that can serve as a template.
+ *
+ * This solves the first three limitations, as it allows the client to
+ * demonstrate proof of possession, allows arbitrary public key types, and
+ * allows the client to express desires about the to-be-issued certificate.
+ *
+ * - Use the AP-REQ's Authenticator's sub-session key for the HMAC, and derive
+ * per-direction sub-sub-keys.
+ *
+ * - We might design a new protocol that better fits the RFC4120 KDC message
+ * framework.
+ */
+
+static const unsigned char version_2_0[4] = {0 , 0, 2, 0};
+
+struct krb5_kx509_req_ctx_data {
+ krb5_auth_context ac;
+ krb5_data given_csr;
+ hx509_request csr;
+ Kx509CSRPlus csr_plus;
+ char *realm; /* Realm to which to send request */
+ krb5_keyblock *hmac_key; /* For HMAC validation */
+ hx509_private_key *keys;
+ hx509_private_key priv_key;
+ unsigned int expect_chain;
+};
+
+/**
+ * Create a kx509 request context.
+ *
+ * @param context The Kerberos library context
+ * @param out Where to place the kx509 request context
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_init(krb5_context context, krb5_kx509_req_ctx *out)
+{
+ krb5_kx509_req_ctx ctx;
+ krb5_error_code ret;
+ hx509_name name = NULL;
+
+ ALLOC(ctx, 1);
+ if (ctx == NULL)
+ return krb5_enomem(context);
+ ctx->given_csr.data = NULL;
+ ctx->priv_key = NULL;
+ ctx->hmac_key = NULL;
+ ctx->realm = NULL;
+ ctx->keys = NULL;
+ ctx->csr = NULL;
+ ret = hx509_request_init(context->hx509ctx, &ctx->csr);
+ if (ret == 0)
+ ret = hx509_parse_name(context->hx509ctx, "", &name);
+ if (ret == 0)
+ ret = hx509_request_set_name(context->hx509ctx, ctx->csr, name);
+ if (ret == 0)
+ ret = krb5_auth_con_init(context, &ctx->ac);
+ if (name)
+ hx509_name_free(&name);
+ if (ret == 0)
+ *out = ctx;
+ else
+ krb5_kx509_ctx_free(context, &ctx);
+ return ret;
+}
+
+/**
+ * Free a kx509 request context.
+ *
+ * @param context The Kerberos library context
+ * @param ctxp Pointer to krb5 request context to free
+ *
+ * @return A krb5 error code.
+ */
+void
+krb5_kx509_ctx_free(krb5_context context, krb5_kx509_req_ctx *ctxp)
+{
+ krb5_kx509_req_ctx ctx = *ctxp;
+
+ *ctxp = NULL;
+ if (ctx == NULL)
+ return;
+ krb5_free_keyblock(context, ctx->hmac_key);
+ krb5_auth_con_free(context, ctx->ac);
+ free_Kx509CSRPlus(&ctx->csr_plus);
+ free(ctx->realm);
+ hx509_request_free(&ctx->csr);
+ krb5_data_free(&ctx->given_csr);
+ hx509_private_key_free(&ctx->priv_key);
+ _hx509_certs_keys_free(context->hx509ctx, ctx->keys);
+ free(ctx);
+}
+
+/**
+ * Set a realm to send kx509 request to, if different from the client's.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param realm Realm name
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_set_realm(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *realm)
+{
+ return ((kx509_ctx->realm = strdup(realm)) == NULL) ?
+ krb5_enomem(context) : 0;
+}
+
+/**
+ * Sets a CSR for a kx509 request.
+ *
+ * Normally kx509 will generate a CSR (and even a private key for it)
+ * automatically. If a CSR is given then kx509 will use it instead of
+ * generating one.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param csr_der A DER-encoded PKCS#10 CSR
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_set_csr_der(krb5_context context,
+ krb5_kx509_req_ctx ctx,
+ krb5_data *csr_der)
+{
+ krb5_data_free(&ctx->given_csr);
+ return krb5_data_copy(&ctx->given_csr, csr_der->data, csr_der->length);
+}
+
+/**
+ * Adds an EKU as an additional desired Certificate Extension or in the CSR if
+ * the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param oids A string representation of an OID
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_eku(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *oids)
+{
+ krb5_error_code ret;
+ heim_oid oid;
+
+ ret = der_parse_heim_oid(oids, NULL, &oid);
+ if (ret == 0)
+ hx509_request_add_eku(context->hx509ctx, kx509_ctx->csr, &oid);
+ der_free_oid(&oid);
+ return ret;
+}
+
+/**
+ * Adds a dNSName SAN (domainname, hostname) as an additional desired
+ * Certificate Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param dname A string containing a DNS domainname
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_dns_name(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *dname)
+{
+ return hx509_request_add_dns_name(context->hx509ctx, kx509_ctx->csr,
+ dname);
+}
+
+/**
+ * Adds an xmppAddr SAN (jabber address) as an additional desired Certificate
+ * Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param jid A string containing a Jabber address
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_xmpp(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *jid)
+{
+ return hx509_request_add_xmpp_name(context->hx509ctx, kx509_ctx->csr, jid);
+}
+
+/**
+ * Adds an rfc822Name SAN (e-mail address) as an additional desired Certificate
+ * Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param email A string containing an e-mail address
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_rfc822Name(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *email)
+{
+ return hx509_request_add_email(context->hx509ctx, kx509_ctx->csr, email);
+}
+
+/**
+ * Adds an pkinit SAN (Kerberos principal name) as an additional desired
+ * Certificate Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param pname A string containing a representation of a Kerberos principal
+ * name
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_pkinit(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *pname)
+{
+ return hx509_request_add_pkinit(context->hx509ctx, kx509_ctx->csr, pname);
+}
+
+/**
+ * Adds a Microsoft-style UPN (user principal name) as an additional desired
+ * Certificate Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param upn A string containing a representation of a UPN
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_ms_upn(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *upn)
+{
+ return hx509_request_add_ms_upn_name(context->hx509ctx, kx509_ctx->csr,
+ upn);
+}
+
+/**
+ * Adds an registeredID SAN (OID) as an additional desired Certificate
+ * Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param oids A string representation of an OID
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_registeredID(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *oids)
+{
+ krb5_error_code ret;
+ heim_oid oid;
+
+ ret = der_parse_heim_oid(oids, NULL, &oid);
+ if (ret == 0)
+ hx509_request_add_registered(context->hx509ctx, kx509_ctx->csr, &oid);
+ der_free_oid(&oid);
+ return ret;
+}
+
+static krb5_error_code
+load_priv_key(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *fn)
+{
+ hx509_private_key *keys = NULL;
+ hx509_certs certs = NULL;
+ krb5_error_code ret;
+
+ ret = hx509_certs_init(context->hx509ctx, fn, 0, NULL, &certs);
+ if (ret == ENOENT)
+ return 0;
+ if (ret == 0)
+ ret = _hx509_certs_keys_get(context->hx509ctx, certs, &keys);
+ if (ret == 0 && keys[0] == NULL)
+ ret = ENOENT;
+ if (ret == 0)
+ kx509_ctx->priv_key = _hx509_private_key_ref(keys[0]);
+ if (ret) {
+ char *emsg = hx509_get_error_string(context->hx509ctx, ret);
+
+ krb5_set_error_message(context, ret, "Could not load private key "
+ "from %s for kx509: %s", fn, emsg);
+ hx509_free_error_string(emsg);
+ }
+ hx509_certs_free(&certs);
+ return ret;
+}
+
+/**
+ * Set a private key.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param store The name of a PKIX credential store
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_set_key(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *store)
+{
+ SubjectPublicKeyInfo key;
+ krb5_error_code ret;
+
+ memset(&key, 0, sizeof(key));
+ hx509_private_key_free(&kx509_ctx->priv_key);
+ _hx509_certs_keys_free(context->hx509ctx, kx509_ctx->keys);
+ kx509_ctx->keys = NULL;
+ ret = load_priv_key(context, kx509_ctx, store);
+ if (ret == 0)
+ ret = hx509_private_key2SPKI(context->hx509ctx, kx509_ctx->priv_key,
+ &key);
+ if (ret == 0)
+ ret = hx509_request_set_SubjectPublicKeyInfo(context->hx509ctx,
+ kx509_ctx->csr, &key);
+ free_SubjectPublicKeyInfo(&key);
+ return ret;
+}
+
+static krb5_error_code
+gen_priv_key(krb5_context context,
+ const char *gen_type,
+ unsigned long gen_bits,
+ hx509_private_key *key)
+{
+ struct hx509_generate_private_context *key_gen_ctx = NULL;
+ krb5_error_code ret;
+
+ _krb5_debug(context, 1, "kx509: gen priv key");
+ if (strcmp(gen_type, "rsa") != 0) {
+ krb5_set_error_message(context, ENOTSUP, "Key type %s is not "
+ "supported for kx509; only \"rsa\" is "
+ "supported for kx509 at this time",
+ gen_type);
+ return ENOTSUP;
+ }
+
+ ret = _hx509_generate_private_key_init(context->hx509ctx,
+ ASN1_OID_ID_PKCS1_RSAENCRYPTION,
+ &key_gen_ctx);
+ if (ret == 0)
+ ret = _hx509_generate_private_key_bits(context->hx509ctx, key_gen_ctx, gen_bits);
+
+ if (ret == 0)
+ ret = _hx509_generate_private_key(context->hx509ctx, key_gen_ctx, key);
+ _hx509_generate_private_key_free(&key_gen_ctx);
+ if (ret) {
+ char *emsg = hx509_get_error_string(context->hx509ctx, ret);
+
+ krb5_set_error_message(context, ret,
+ "Could not generate a private key: %s", emsg);
+ hx509_free_error_string(emsg);
+ }
+ return ret;
+}
+
+/**
+ * Generate a private key.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param gen_type The type of key (default: rsa)
+ * @param gen_bits The size of the key (for non-ECC, really, for RSA)
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_gen_key(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *gen_type,
+ int gen_bits)
+{
+ SubjectPublicKeyInfo key;
+ krb5_error_code ret;
+
+ memset(&key, 0, sizeof(key));
+
+ if (gen_type == NULL) {
+ gen_type = krb5_config_get_string_default(context, NULL, "rsa",
+ "libdefaults",
+ "kx509_gen_key_type", NULL);
+ }
+ if (gen_bits == 0) {
+ /*
+ * The key size is really only for non-ECC, of which we'll only support
+ * RSA. For ECC key sizes will either be implied by the `key_type' or
+ * will have to be a magic value that allows us to pick from some small
+ * set of curves (e.g., 255 == Curve25519).
+ */
+ gen_bits = krb5_config_get_int_default(context, NULL, 2048,
+ "libdefaults",
+ "kx509_gen_rsa_key_size", NULL);
+ }
+ hx509_private_key_free(&kx509_ctx->priv_key);
+ _hx509_certs_keys_free(context->hx509ctx, kx509_ctx->keys);
+ kx509_ctx->keys = NULL;
+
+ ret = gen_priv_key(context, gen_type, gen_bits, &kx509_ctx->priv_key);
+ if (ret == 0)
+ ret = hx509_private_key2SPKI(context->hx509ctx, kx509_ctx->priv_key,
+ &key);
+ if (ret == 0)
+ ret = hx509_request_set_SubjectPublicKeyInfo(context->hx509ctx,
+ kx509_ctx->csr, &key);
+ free_SubjectPublicKeyInfo(&key);
+ return ret;
+}
+
+/* Set a cc config entry indicating that the kx509 service is not available */
+static void
+store_kx509_disabled(krb5_context context, const char *realm, krb5_ccache cc)
+{
+ krb5_data data;
+
+ if (!cc)
+ return;
+
+ data.data = (void *)(uintptr_t)realm;
+ data.length = strlen(realm);
+ krb5_cc_set_config(context, cc, NULL, "kx509_service_realm", &data);
+ data.data = "disabled";
+ data.length = strlen(data.data);
+ krb5_cc_set_config(context, cc, NULL, "kx509_service_status", &data);
+}
+
+static int KRB5_CALLCONV
+certs_export_func(hx509_context context, void *d, hx509_cert c)
+{
+ heim_octet_string os;
+ Certificates *cs = d;
+ Certificate c2;
+ int ret;
+
+ ret = hx509_cert_binary(context, c, &os);
+ if (ret)
+ return ret;
+ ret = decode_Certificate(os.data, os.length, &c2, NULL);
+ der_free_octet_string(&os);
+ if (ret)
+ return ret;
+ ret = add_Certificates(cs, &c2);
+ free_Certificate(&c2);
+ return ret;
+}
+
+static krb5_error_code
+certs_export(hx509_context context, hx509_certs certs, heim_octet_string *out)
+{
+ Certificates cs;
+ size_t len;
+ int ret;
+
+ cs.len = 0;
+ cs.val = 0;
+ ret = hx509_certs_iter_f(context, certs, certs_export_func, &cs);
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Certificates, out->data, out->length, &cs, &len, ret);
+ free_Certificates(&cs);
+ return ret;
+}
+
+/* Store the private key and certificate where requested */
+static krb5_error_code
+store(krb5_context context,
+ const char *hx509_store,
+ const char *realm,
+ krb5_ccache cc,
+ hx509_private_key key,
+ hx509_cert cert,
+ hx509_certs chain)
+{
+ heim_octet_string hdata;
+ krb5_error_code ret = 0;
+ krb5_data data;
+
+ krb5_clear_error_message(context);
+
+ if (cc) {
+ /* Record the realm we used */
+ data.data = (void *)(uintptr_t)realm;
+ data.length = strlen(realm);
+ krb5_cc_set_config(context, cc, NULL, "kx509_service_realm", &data);
+
+ /* Serialize and store the certificate in the ccache */
+ ret = hx509_cert_binary(context->hx509ctx, cert, &hdata);
+ if (ret == 0)
+ ret = krb5_cc_set_config(context, cc, NULL, "kx509cert", &hdata);
+ der_free_octet_string(&hdata);
+
+ if (ret == 0 && key) {
+ /*
+ * Serialized and store the key in the ccache. Use PKCS#8 so that we
+ * store the algorithm OID too, which is needed in order to be able to
+ * read the private key back.
+ */
+ if (ret == 0)
+ ret = _hx509_private_key_export(context->hx509ctx, key,
+ HX509_KEY_FORMAT_PKCS8, &hdata);
+ if (ret == 0)
+ ret = krb5_cc_set_config(context, cc, NULL, "kx509key", &hdata);
+ der_free_octet_string(&hdata);
+ if (ret)
+ krb5_set_error_message(context, ret, "Could not store kx509 "
+ "private key and certificate in ccache %s",
+ krb5_cc_get_name(context, cc));
+ }
+
+ if (ret == 0 && chain) {
+ ret = certs_export(context->hx509ctx, chain, &hdata);
+ if (ret == 0)
+ ret = krb5_cc_set_config(context, cc, NULL, "kx509cert-chain",
+ &hdata);
+ der_free_octet_string(&hdata);
+ }
+ }
+
+ /* Store the private key and cert in an hx509 store */
+ if (hx509_store != NULL) {
+ hx509_certs certs;
+
+ if (key)
+ _hx509_cert_assign_key(cert, key); /* store both in the same store */
+
+ ret = hx509_certs_init(context->hx509ctx, hx509_store,
+ HX509_CERTS_CREATE, NULL, &certs);
+ if (ret == 0)
+ ret = hx509_certs_add(context->hx509ctx, certs, cert);
+ if (ret == 0 && chain != NULL)
+ ret = hx509_certs_merge(context->hx509ctx, certs, chain);
+ if (ret == 0)
+ ret = hx509_certs_store(context->hx509ctx, certs, 0, NULL);
+ hx509_certs_free(&certs);
+ if (ret)
+ krb5_prepend_error_message(context, ret, "Could not store kx509 "
+ "private key and certificate in key "
+ "store %s", hx509_store);
+ }
+
+ /* Store the name of the hx509 store in the ccache too */
+ if (cc && hx509_store) {
+ data.data = (void *)(uintptr_t)hx509_store;
+ data.length = strlen(hx509_store);
+ (void) krb5_cc_set_config(context, cc, NULL, "kx509store", &data);
+ }
+ return ret;
+}
+
+/* Make a Kx509CSRPlus or a raw SPKI */
+static krb5_error_code
+mk_kx509_req_body(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_data *out)
+{
+ krb5_error_code ret;
+ size_t len;
+
+ if (krb5_config_get_bool_default(context, NULL, FALSE,
+ "realms", kx509_ctx->realm,
+ "kx509_req_use_raw_spki", NULL)) {
+ SubjectPublicKeyInfo spki;
+
+ /* Interop with old kx509 servers, send a raw SPKI, not a CSR */
+ out->data = NULL;
+ out->length = 0;
+ memset(&spki, 0, sizeof(spki));
+ ret = hx509_private_key2SPKI(context->hx509ctx,
+ kx509_ctx->priv_key, &spki);
+ if (ret == 0) {
+ out->length = spki.subjectPublicKey.length >> 3;
+ out->data = spki.subjectPublicKey.data;
+ }
+ kx509_ctx->expect_chain = 0;
+ return ret;
+ }
+
+ /*
+ * New kx509 servers use a CSR for proof of possession, and send back a
+ * chain of certificates, with the issued certificate first.
+ */
+ kx509_ctx->expect_chain = 1;
+
+ if (kx509_ctx->given_csr.length) {
+ krb5_data exts_der;
+
+ exts_der.data = NULL;
+ exts_der.length = 0;
+
+ /* Use the given CSR */
+ ret = der_copy_octet_string(&kx509_ctx->given_csr,
+ &kx509_ctx->csr_plus.csr);
+
+ /*
+ * Extract the desired Certificate Extensions from our internal
+ * as-yet-unsigned CSR, then decode them into place in the
+ * Kx509CSRPlus.
+ */
+ if (ret == 0)
+ ret = hx509_request_get_exts(context->hx509ctx,
+ kx509_ctx->csr,
+ &exts_der);
+ if (ret == 0 && exts_der.data && exts_der.length &&
+ (kx509_ctx->csr_plus.exts =
+ calloc(1, sizeof (kx509_ctx->csr_plus.exts[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0 && exts_der.data && exts_der.length)
+ ret = decode_Extensions(exts_der.data, exts_der.length,
+ kx509_ctx->csr_plus.exts, NULL);
+ krb5_data_free(&exts_der);
+ } else {
+ /*
+ * Sign and use our internal CSR, which will carry all our desired
+ * Certificate Extensions as an extReq CSR Attribute.
+ */
+ ret = hx509_request_to_pkcs10(context->hx509ctx,
+ kx509_ctx->csr,
+ kx509_ctx->priv_key,
+ &kx509_ctx->csr_plus.csr);
+ }
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Kx509CSRPlus, out->data, out->length,
+ &kx509_ctx->csr_plus, &len, ret);
+ return ret;
+}
+
+static krb5_error_code
+get_start_realm(krb5_context context,
+ krb5_ccache cc,
+ krb5_const_principal princ,
+ char **out)
+{
+ krb5_error_code ret;
+ krb5_data d;
+
+ ret = krb5_cc_get_config(context, cc, NULL, "start_realm", &d);
+ if (ret == 0) {
+ *out = strndup(d.data, d.length);
+ krb5_data_free(&d);
+ } else if (princ) {
+ *out = strdup(krb5_principal_get_realm(context, princ));
+ } else {
+ krb5_principal ccprinc = NULL;
+
+ ret = krb5_cc_get_principal(context, cc, &ccprinc);
+ if (ret)
+ return ret;
+ *out = strdup(krb5_principal_get_realm(context, ccprinc));
+ krb5_free_principal(context, ccprinc);
+ }
+ return (*out) ? 0 : krb5_enomem(context);
+}
+
+/*
+ * Make a request, which is a DER-encoded Kx509Request with version_2_0
+ * prefixed to it.
+ *
+ * If no private key is given, then a probe request will be made.
+ */
+static krb5_error_code
+mk_kx509_req(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_ccache incc,
+ hx509_private_key private_key,
+ krb5_data *req)
+{
+ unsigned char digest[SHA_DIGEST_LENGTH];
+ SubjectPublicKeyInfo spki;
+ struct Kx509Request kx509_req;
+ krb5_data pre_req;
+ krb5_error_code ret = 0;
+ krb5_creds this_cred;
+ krb5_creds *cred = NULL;
+ HMAC_CTX ctx;
+ const char *hostname;
+ char *start_realm = NULL;
+ size_t len = 0;
+
+ krb5_data_zero(&pre_req);
+ memset(&spki, 0, sizeof(spki));
+ memset(&this_cred, 0, sizeof(this_cred));
+ memset(&kx509_req, 0, sizeof(kx509_req));
+ kx509_req.pk_hash.data = digest;
+ kx509_req.pk_hash.length = SHA_DIGEST_LENGTH;
+
+ if (private_key || kx509_ctx->given_csr.data) {
+ /* Encode the CSR or public key for use in the request */
+ ret = mk_kx509_req_body(context, kx509_ctx, &kx509_req.pk_key);
+ } else {
+ /* Probe */
+ kx509_req.pk_key.data = NULL;
+ kx509_req.pk_key.length = 0;
+ }
+
+ if (ret == 0)
+ ret = krb5_cc_get_principal(context, incc, &this_cred.client);
+ if (ret == 0)
+ ret = get_start_realm(context, incc, this_cred.client, &start_realm);
+ if (ret == 0 && kx509_ctx->realm == NULL)
+ ret = krb5_kx509_ctx_set_realm(context, kx509_ctx, start_realm);
+ if (ret == 0) {
+ /*
+ * The kx509 protocol as deployed uses kca_service/kdc_hostname, but
+ * this is inconvenient in libkrb5: we want to be able to use the
+ * send_to_kdc machinery, and since the Heimdal KDC is also the kx509
+ * service, we want not to have to specify kx509 hosts separately from
+ * KDCs.
+ *
+ * We'd much rather use krbtgt/CLIENT_REALM@REQUESTED_REALM. What
+ * we do is assume all KDCs for `realm' support the kx509 service and
+ * then sendto the KDCs for that realm while using a hostbased service
+ * if still desired.
+ *
+ * Note that upstairs we try to get the start_realm cc config, so if
+ * realm wasn't given to krb5_kx509_ext(), then it should be set to
+ * that already unless there's no start_realm cc config, in which case
+ * we'll use the ccache's default client principal's realm.
+ */
+ hostname = krb5_config_get_string(context, NULL, "realms",
+ kx509_ctx->realm, "kx509_hostname",
+ NULL);
+ if (hostname == NULL)
+ hostname = krb5_config_get_string(context, NULL, "libdefaults",
+ "kx509_hostname", NULL);
+ if (hostname) {
+ ret = krb5_sname_to_principal(context, hostname, "kca_service",
+ KRB5_NT_SRV_HST, &this_cred.server);
+ if (ret == 0)
+ ret = krb5_principal_set_realm(context, this_cred.server,
+ kx509_ctx->realm);
+ } else {
+ ret = krb5_make_principal(context, &this_cred.server,
+ start_realm,
+ KRB5_TGS_NAME,
+ kx509_ctx->realm,
+ NULL);
+ }
+ }
+
+ /* Make the AP-REQ and extract the HMAC key */
+ if (ret == 0)
+ ret = krb5_get_credentials(context, 0, incc, &this_cred, &cred);
+ if (ret == 0)
+ ret = krb5_mk_req_extended(context, &kx509_ctx->ac, AP_OPTS_USE_SUBKEY,
+ NULL, cred, &kx509_req.authenticator);
+ krb5_free_keyblock(context, kx509_ctx->hmac_key);
+ kx509_ctx->hmac_key = NULL;
+ if (ret == 0)
+ ret = krb5_auth_con_getkey(context, kx509_ctx->ac,
+ &kx509_ctx->hmac_key);
+
+ if (ret)
+ goto out;
+
+ /* Add the the key and HMAC to the message */
+ HMAC_CTX_init(&ctx);
+ if (HMAC_Init_ex(&ctx, kx509_ctx->hmac_key->keyvalue.data,
+ kx509_ctx->hmac_key->keyvalue.length,
+ EVP_sha1(), NULL) == 0) {
+ HMAC_CTX_cleanup(&ctx);
+ ret = krb5_enomem(context);
+ } else {
+ HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+ if (private_key || kx509_ctx->given_csr.data) {
+ HMAC_Update(&ctx, kx509_req.pk_key.data, kx509_req.pk_key.length);
+ } else {
+ /* Probe */
+ HMAC_Update(&ctx, kx509_req.authenticator.data, kx509_req.authenticator.length);
+ }
+ HMAC_Final(&ctx, kx509_req.pk_hash.data, 0);
+ HMAC_CTX_cleanup(&ctx);
+ }
+
+ /* Encode the message, prefix `version_2_0', output the result */
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Kx509Request, pre_req.data, pre_req.length, &kx509_req, &len, ret);
+ if (ret == 0)
+ ret = krb5_data_alloc(req, pre_req.length + sizeof(version_2_0));
+ if (ret == 0) {
+ memcpy(req->data, version_2_0, sizeof(version_2_0));
+ memcpy(((unsigned char *)req->data) + sizeof(version_2_0),
+ pre_req.data, pre_req.length);
+ }
+
+out:
+ free(start_realm);
+ free(pre_req.data);
+ krb5_free_creds(context, cred);
+ kx509_req.pk_hash.data = NULL;
+ kx509_req.pk_hash.length = 0;
+ free_Kx509Request(&kx509_req);
+ free_SubjectPublicKeyInfo(&spki);
+ krb5_free_cred_contents(context, &this_cred);
+ if (ret == 0 && req->length != len + sizeof(version_2_0)) {
+ krb5_data_free(req);
+ krb5_set_error_message(context, ret = ERANGE,
+ "Could not make a kx509 request");
+ }
+ return ret;
+}
+
+static krb5_error_code
+rd_chain(krb5_context context,
+ heim_octet_string *d,
+ hx509_cert *cert,
+ hx509_certs *chain,
+ heim_error_t *herr)
+{
+ krb5_error_code ret;
+ Certificates certs;
+ size_t i, len;
+
+ *cert = NULL;
+ *chain = NULL;
+
+ if ((ret = decode_Certificates(d->data, d->length, &certs, &len)))
+ return ret;
+ if (certs.len == 0) {
+ *herr = heim_error_create(EINVAL, "Server sent empty Certificate list");
+ return EINVAL;
+ }
+ *cert = hx509_cert_init(context->hx509ctx, &certs.val[0], herr);
+ if (*cert == NULL) {
+ free_Certificates(&certs);
+ return errno;
+ }
+ if (certs.len == 1)
+ _krb5_debug(context, 1, "kx509 server sent certificate but no chain");
+ else
+ _krb5_debug(context, 1, "kx509 server sent %llu certificates",
+ (unsigned long long)certs.len);
+
+ ret = hx509_certs_init(context->hx509ctx, "MEMORY:anonymous",
+ HX509_CERTS_CREATE, NULL, chain);
+ if (ret) {
+ hx509_cert_free(*cert);
+ *cert = NULL;
+ free_Certificates(&certs);
+ return ret;
+ }
+
+ for (i = 1; ret == 0 && i < certs.len; i++) {
+ hx509_cert c = hx509_cert_init(context->hx509ctx, &certs.val[i], herr);
+
+ if (c == NULL)
+ ret = errno;
+ else
+ ret = hx509_certs_add(context->hx509ctx, *chain, c);
+ hx509_cert_free(c);
+ }
+ free_Certificates(&certs);
+ if (ret) {
+ hx509_certs_free(chain);
+ hx509_cert_free(*cert);
+ *cert = NULL;
+ }
+ return ret;
+}
+
+/* Parse and validate a kx509 reply */
+static krb5_error_code
+rd_kx509_resp(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_data *rep,
+ hx509_cert *cert,
+ hx509_certs *chain)
+{
+ unsigned char digest[SHA_DIGEST_LENGTH];
+ Kx509Response r;
+ krb5_error_code code = 0;
+ krb5_error_code ret = 0;
+ heim_string_t hestr;
+ heim_error_t herr = NULL;
+ const char *estr;
+ HMAC_CTX ctx;
+ size_t hdr_len = sizeof(version_2_0);
+ size_t len;
+
+ *cert = NULL;
+ *chain = NULL;
+
+ /* Strip `version_2_0' prefix */
+ if (rep->length < hdr_len || memcmp(rep->data, version_2_0, hdr_len) != 0) {
+ krb5_set_error_message(context, ENOTSUP,
+ "KDC does not support kx509 protocol");
+ return ENOTSUP; /* XXX */
+ }
+
+ /* Decode */
+ ret = decode_Kx509Response(((unsigned char *)rep->data) + 4,
+ rep->length - 4, &r, &len);
+ if (ret == 0 && len + hdr_len != rep->length)
+ ret = EINVAL; /* XXX */
+ if (ret) {
+ krb5_set_error_message(context, ret, "kx509 response is not valid");
+ return ret;
+ }
+
+ HMAC_CTX_init(&ctx);
+ if (HMAC_Init_ex(&ctx, kx509_ctx->hmac_key->keyvalue.data,
+ kx509_ctx->hmac_key->keyvalue.length, EVP_sha1(), NULL) == 0) {
+ free_Kx509Response(&r);
+ HMAC_CTX_cleanup(&ctx);
+ return krb5_enomem(context);
+ }
+
+ HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+
+ {
+ int32_t t = r.error_code;
+ unsigned char encint[sizeof(t) + 1];
+ size_t k;
+
+ /*
+ * RFC6717 says this about how the error-code is included in the HMAC:
+ *
+ * o DER representation of the error-code exclusive of the tag and
+ * length, if it is present.
+ *
+ * So we use der_put_integer(), which encodes from the right.
+ *
+ * RFC6717 does not constrain the error-code's range. We assume it to
+ * be a 32-bit, signed integer, for which we'll need no more than 5
+ * bytes.
+ */
+ ret = der_put_integer(&encint[sizeof(encint) - 1],
+ sizeof(encint), &t, &k);
+ if (ret == 0)
+ HMAC_Update(&ctx, &encint[sizeof(encint)] - k, k);
+
+ /* Normalize error code */
+ if (r.error_code == 0) {
+ code = 0; /* No error */
+ } else if (r.error_code < 0) {
+ code = KRB5KRB_ERR_GENERIC; /* ??? */
+ } else if (r.error_code <= KX509_ERR_SRV_OVERLOADED) {
+ /*
+ * RFC6717 (kx509) error code. These are actually not used on the
+ * wire in any existing implementations that we are aware of. Just
+ * in case, however, we'll map these.
+ */
+ code = KX509_ERR_CLNT_FATAL + r.error_code;
+ } else if (r.error_code < kx509_krb5_error_base) {
+ /* Unknown error codes */
+ code = KRB5KRB_ERR_GENERIC;
+ } else {
+ /*
+ * Heimdal-specific enhancement to RFC6171: Kerberos wire protocol
+ * error codes.
+ */
+ code = KRB5KDC_ERR_NONE + r.error_code - kx509_krb5_error_base;
+ if (code >= KRB5_ERR_RCSID)
+ code = KRB5KRB_ERR_GENERIC;
+ if (code == KRB5KDC_ERR_NONE)
+ code = 0;
+ }
+ }
+ if (r.certificate)
+ HMAC_Update(&ctx, r.certificate->data, r.certificate->length);
+ if (r.e_text)
+ HMAC_Update(&ctx, *r.e_text, strlen(*r.e_text));
+ HMAC_Final(&ctx, &digest, 0);
+ HMAC_CTX_cleanup(&ctx);
+
+ if (r.hash == NULL) {
+ /*
+ * No HMAC -> unauthenticated [error] response.
+ *
+ * Do not output any certificate.
+ */
+ free_Kx509Response(&r);
+ return code;
+ }
+
+ /*
+ * WARNING: We do not validate that `r.certificate' is a DER-encoded
+ * Certificate, not here, and we don't use a different HMAC key
+ * for the response than for the request.
+ *
+ * If ever we start sending a Certificate as the Kx509Request
+ * pk-key field, then we'll have a reflection attack. As the
+ * Certificate we'd send in that case will be expired, the
+ * reflection attack would be just a DoS.
+ */
+ if (r.hash->length != sizeof(digest) ||
+ ct_memcmp(r.hash->data, digest, sizeof(digest)) != 0) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "kx509 response MAC mismatch");
+ free_Kx509Response(&r);
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+
+ if (r.certificate == NULL) {
+ /* Authenticated response, either an error or probe success */
+ free_Kx509Response(&r);
+ if (code != KRB5KDC_ERR_POLICY && kx509_ctx->priv_key == NULL)
+ return 0; /* Probe success */
+ return code ? code : KRB5KDC_ERR_POLICY; /* Not a probe -> must fail */
+ }
+
+ /* Import the certificate payload */
+ if (kx509_ctx->expect_chain) {
+ ret = rd_chain(context, r.certificate, cert, chain, &herr);
+ } else {
+ *cert = hx509_cert_init_data(context->hx509ctx, r.certificate->data,
+ r.certificate->length, &herr);
+ if (!*cert)
+ ret = errno;
+ }
+ free_Kx509Response(&r);
+ if (*cert) {
+ heim_release(herr);
+ return 0;
+ }
+
+ hestr = herr ? heim_error_copy_string(herr) : NULL;
+ estr = hestr ? heim_string_get_utf8(hestr) : "(no error message)";
+ krb5_set_error_message(context, ret, "Could not parse certificate "
+ "produced by kx509 KDC: %s (%ld)",
+ estr,
+ herr ? (long)heim_error_get_code(herr) : 0L);
+
+ heim_release(hestr);
+ heim_release(herr);
+ return HEIM_PKINIT_CERTIFICATE_INVALID; /* XXX */
+}
+
+/*
+ * Make a request, send it, get the response, parse it, and store the
+ * private key and certificate.
+ */
+static krb5_error_code
+kx509_core(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_ccache incc,
+ const char *hx509_store,
+ krb5_ccache outcc)
+{
+ krb5_error_code ret;
+ hx509_certs chain = NULL;
+ hx509_cert cert = NULL;
+ krb5_data req, resp;
+
+ krb5_data_zero(&req);
+ krb5_data_zero(&resp);
+
+ /* Make the kx509 request */
+ ret = mk_kx509_req(context, kx509_ctx, incc, kx509_ctx->priv_key, &req);
+
+ /* Send the kx509 request and get the response */
+ if (ret == 0)
+ ret = krb5_sendto_context(context, NULL, &req,
+ kx509_ctx->realm, &resp);
+ if (ret == 0)
+ ret = rd_kx509_resp(context, kx509_ctx, &resp, &cert, &chain);
+
+ /* Store the key and cert! */
+ if (ret == 0 && cert && (kx509_ctx->priv_key || kx509_ctx->given_csr.data))
+ ret = store(context, hx509_store, kx509_ctx->realm, outcc,
+ kx509_ctx->priv_key, cert, chain);
+ else if (ret == KRB5KDC_ERR_POLICY)
+ /* Probe failed -> record that the realm does not support kx509 */
+ store_kx509_disabled(context, kx509_ctx->realm, outcc);
+
+ hx509_certs_free(&chain);
+ hx509_cert_free(cert);
+ krb5_data_free(&resp);
+ krb5_data_free(&req);
+ return ret;
+}
+
+/**
+ * Use the kx509 v2 protocol to get a certificate for the client principal.
+ *
+ * Given a private key this function will get a certificate. If no private key
+ * is given, one will be generated.
+ *
+ * The private key and certificate will be stored in the given PKIX credential
+ * store (e.g, "PEM-FILE:/path/to/file.pem") and/or given output ccache. When
+ * stored in a ccache, the DER-encoded Certificate will be stored as the data
+ * payload of a "cc config" named "kx509cert", while the key will be stored as
+ * a DER-encoded PKCS#8 PrivateKeyInfo in a cc config named "kx509key".
+ *
+ * @param context The Kerberos library context
+ * @param kx509_ctx A kx509 request context
+ * @param incc A credential cache (if NULL use default ccache)
+ * @param hx509_store An PKIX credential store into which to store the private
+ * key and certificate (e.g, "PEM-FILE:/path/to/file.pem")
+ * @param outcc A ccache into which to store the private key and certificate
+ * (mandatory)
+ *
+ * @return A krb5 error code.
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kx509_ext(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_ccache incc,
+ const char *hx509_store,
+ krb5_ccache outcc)
+{
+ krb5_ccache def_cc = NULL;
+ krb5_error_code ret;
+
+ if (incc == NULL) {
+ if ((ret = krb5_cc_default(context, &def_cc)))
+ return ret;
+ incc = def_cc;
+ }
+
+ if (kx509_ctx->realm == NULL &&
+ (ret = get_start_realm(context, incc, NULL, &kx509_ctx->realm))) {
+ if (def_cc)
+ krb5_cc_close(context, def_cc);
+ return ret;
+ }
+
+ if (kx509_ctx->priv_key || kx509_ctx->given_csr.data) {
+ /* If given a private key, use it */
+ ret = kx509_core(context, kx509_ctx, incc, hx509_store, outcc);
+ if (def_cc)
+ krb5_cc_close(context, def_cc);
+ return ret;
+ }
+
+ /*
+ * No private key given, so we generate one.
+ *
+ * However, before taking the hit for generating a keypair we probe to see
+ * if we're likely to succeeed.
+ */
+
+ /* Probe == call kx509_core() w/o a private key */
+ ret = kx509_core(context, kx509_ctx, incc, NULL, outcc);
+ if (ret == 0 && kx509_ctx->given_csr.data == NULL)
+ ret = krb5_kx509_ctx_gen_key(context, kx509_ctx, NULL, 0);
+ if (ret == 0)
+ ret = kx509_core(context, kx509_ctx, incc, hx509_store, outcc);
+
+ if (def_cc)
+ krb5_cc_close(context, def_cc);
+ return ret;
+}
+
+/**
+ * Generates a public key and uses the kx509 v2 protocol to get a certificate
+ * for that key and the client principal's subject name.
+ *
+ * The private key and certificate will be stored in the given ccache, and also
+ * in a corresponding PKIX credential store if one is configured via
+ * [libdefaults] kx509_store.
+ *
+ * XXX NOTE: Dicey feature here... Review carefully!
+ *
+ * @param context The Kerberos library context
+ * @param cc A credential cache
+ * @param realm A realm from which to get the certificate (uses the client
+ * principal's realm if NULL)
+ *
+ * @return A krb5 error code.
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kx509(krb5_context context, krb5_ccache cc, const char *realm)
+{
+ krb5_kx509_req_ctx kx509_ctx;
+ krb5_error_code ret;
+ const char *defcc;
+ char *ccache_full_name = NULL;
+ char *store_exp = NULL;
+
+ ret = krb5_kx509_ctx_init(context, &kx509_ctx);
+ if (ret)
+ return ret;
+ if (realm)
+ ret = krb5_kx509_ctx_set_realm(context, kx509_ctx, realm);
+
+ /*
+ * The idea is that IF we are asked to do kx509 w/ creds from a default
+ * ccache THEN we should store the kx509 certificate (if we get one) and
+ * private key in the default hx509 store for kx509.
+ *
+ * Ideally we could have HTTP user-agents and/or TLS libraries look for
+ * client certificates and private keys in that default hx509 store.
+ *
+ * Of course, those user-agents / libraries should be configured to use
+ * those credentials with specific hostnames/domainnames, not the entire
+ * Internet, as the latter leaks the user's identity to the world.
+ *
+ * So we check if the full name for `cc' is the same as that of the default
+ * ccache name, and if so we get the [libdefaults] kx509_store string and
+ * expand it, then use it.
+ */
+ if (ret == 0 &&
+ (defcc = krb5_cc_configured_default_name(context)) &&
+ krb5_cc_get_full_name(context, cc, &ccache_full_name) == 0 &&
+ strcmp(defcc, ccache_full_name) == 0) {
+
+ /* Find an hx509 store */
+ const char *store = krb5_config_get_string(context, NULL,
+ "libdefaults",
+ "kx509_store", NULL);
+ if (store)
+ ret = _krb5_expand_path_tokens(context, store, 1, &store_exp);
+
+ /*
+ * If there's a private key in the store already, we'll use it, else
+ * we'll let krb5_kx509_ext() generate one, so we ignore this return
+ * value:
+ */
+ (void) krb5_kx509_ctx_set_key(context, kx509_ctx, store);
+ }
+
+ /*
+ * If we did settle on a default hx509 store, we'll use it for reading the
+ * private key from (if it exists) as well as for storing the certificate
+ * (and private key) into, which may save us some key generation cycles.
+ */
+ if (ret == 0)
+ ret = krb5_kx509_ext(context, kx509_ctx, cc, store_exp, cc);
+ krb5_kx509_ctx_free(context, &kx509_ctx);
+ free(ccache_full_name);
+ free(store_exp);
+ return ret;
+}
diff --git a/lib/krb5/kx509_err.et b/lib/krb5/kx509_err.et
new file mode 100644
index 000000000000..0be3907f15e0
--- /dev/null
+++ b/lib/krb5/kx509_err.et
@@ -0,0 +1,39 @@
+#
+# Error messages for the krb5 library
+#
+# This might look like a com_err file, but is not
+#
+
+# RFC6171 says:
+#
+# +------------+-----------------------------+------------------------+
+# | error-code | Condition | Example |
+# +------------+-----------------------------+------------------------+
+# | 1 | Permanent problem with | Incompatible version |
+# | | client request | |
+# | 2 | Solvable problem with | Expired Kerberos |
+# | | client request | credentials |
+# | 3 | Temporary problem with | Packet loss |
+# | | client request | |
+# | 4 | Permanent problem with the | Internal |
+# | | server | misconfiguration |
+# | 5 | Temporary problem with the | Server overloaded |
+# | | server | |
+# +------------+-----------------------------+------------------------+
+#
+# Error 3 makes no sense on the wire, and in the library it only makes sense as
+# a timeout, so we'll name it KX509_ERR_TIMEOUT.
+
+# Error table names must be no more than four characters...
+error_table kx59
+
+prefix KX509_ERR
+
+error_code NONE, "Kx509 success"
+error_code CLNT_FATAL, "Kx509 request error, possibly unsupported version"
+error_code CLNT_SOLVABLE, "Kx509 request error such as expired credentials"
+error_code TIMEOUT, "Kx509 request timed out"
+error_code SRV_FATAL, "Permanent server problem"
+error_code SRV_OVERLOADED, "Kx509 server is overloaded"
+
+end
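Review bot: The header comment cites RFC6171, but the kx509 protocol is RFC6717 (the number kx509.c uses when it describes the HMAC input), so the line above the table should read `# RFC6717 says:`. It would also help to state in a comment that the entry order is load-bearing: with `NONE` first, wire error-code N corresponds to `KX509_ERR_NONE + N`. The mapping in rd_kx509_resp adds the wire value to `KX509_ERR_CLNT_FATAL` instead, which appears to shift every code by one, so wire 1 would surface as CLNT_SOLVABLE and wire 5 would fall past the end of this table. Assuming compile_et numbers the entries sequentially from the table base, `code = KX509_ERR_NONE + r.error_code;` looks like the intended form.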
diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in
index 47aaa8fe4f37..191a0c48c861 100644
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -23,6 +23,8 @@ EXPORTS
krb5_appdefault_time
krb5_append_addresses
krb5_auth_con_addflags
+ krb5_auth_con_add_AuthorizationData
+ krb5_auth_con_add_AuthorizationDataIfRelevant
krb5_auth_con_free
krb5_auth_con_genaddrs
krb5_auth_con_generatelocalsubkey
@@ -82,10 +84,13 @@ EXPORTS
krb5_cc_cache_next
krb5_cc_clear_mcred
krb5_cc_close
+ krb5_cc_configured_default_name
krb5_cc_copy_cache
krb5_cc_copy_creds ;!
krb5_cc_copy_match_f
krb5_cc_default
+ krb5_cc_default_sub
+ krb5_cc_default_for
krb5_cc_default_name
krb5_cc_destroy
krb5_cc_end_seq_get
@@ -110,6 +115,8 @@ EXPORTS
krb5_cc_register
krb5_cc_remove_cred
krb5_cc_resolve
+ krb5_cc_resolve_sub
+ krb5_cc_resolve_for
krb5_cc_retrieve_cred
krb5_cc_set_config
krb5_cc_set_default_name
@@ -187,6 +194,7 @@ EXPORTS
krb5_crypto_init
krb5_crypto_overhead
krb5_crypto_prf
+ krb5_crypto_prfplus
krb5_crypto_prf_length
krb5_crypto_length
krb5_crypto_length_iov
@@ -199,6 +207,7 @@ EXPORTS
krb5_data_free
krb5_data_realloc
krb5_data_zero
+ krb5_debug
krb5_decode_Authenticator
krb5_decode_ETYPE_INFO2
krb5_decode_ETYPE_INFO
@@ -366,11 +375,13 @@ EXPORTS
krb5_get_init_creds_opt_set_tkt_life
krb5_get_init_creds_opt_set_win2k
krb5_get_init_creds_password
+ krb5_get_instance
krb5_get_kdc_cred
krb5_get_kdc_sec_offset
krb5_get_krb524hst
krb5_get_krb_admin_hst
krb5_get_krb_changepw_hst
+ krb5_get_krb_readonly_admin_hst
krb5_get_krbhst
krb5_get_max_time_skew
krb5_get_pw_salt
@@ -385,11 +396,13 @@ EXPORTS
krb5_h_addr2sockaddr
krb5_h_errno_to_heim_errno
krb5_have_error_string
+ krb5_have_debug
krb5_hmac
krb5_init_context
krb5_init_ets
krb5_initlog
krb5_is_config_principal
+ krb5_is_enctype_old
krb5_is_enctype_weak
krb5_is_thread_safe
#ifdef HAVE_KCM
@@ -435,13 +448,29 @@ EXPORTS
krb5_kt_resolve
krb5_kt_start_seq_get
krb5_kuserok
+ krb5_kx509
+ krb5_kx509_ctx_add_eku
+ krb5_kx509_ctx_add_san_dns_name
+ krb5_kx509_ctx_add_san_ms_upn
+ krb5_kx509_ctx_add_san_pkinit
+ krb5_kx509_ctx_add_san_registeredID
+ krb5_kx509_ctx_add_san_rfc822Name
+ krb5_kx509_ctx_add_san_xmpp
+ krb5_kx509_ctx_free
+ krb5_kx509_ctx_init
+ krb5_kx509_ctx_set_csr_der
+ krb5_kx509_ctx_set_key
+ krb5_kx509_ctx_set_realm
+ krb5_kx509_ext
krb5_log
krb5_log_msg
krb5_make_addrport
krb5_make_principal
krb5_max_sockaddr_size
+ krb5_mk_1cred
krb5_mk_error
krb5_mk_error_ext
+ krb5_mk_ncred
krb5_mk_priv
krb5_mk_rep
krb5_mk_req
@@ -473,11 +502,14 @@ EXPORTS
krb5_pac_add_buffer
krb5_pac_free
krb5_pac_get_buffer
+ _krb5_pac_get_buffer_by_name
+ krb5_pac_get_kdc_checksum_info
krb5_pac_get_types
krb5_pac_init
krb5_pac_parse
krb5_pac_verify
krb5_padata_add
+ _krb5_parse_address_no_lookup
krb5_parse_address
krb5_parse_name
krb5_parse_name_flags
@@ -498,7 +530,9 @@ EXPORTS
krb5_principal_get_realm
krb5_principal_get_type
krb5_principal_is_anonymous
+ krb5_principal_is_federated
krb5_principal_is_krbtgt
+ krb5_principal_is_root_krbtgt
krb5_principal_match
krb5_principal_set_comp_string
krb5_principal_set_realm
@@ -578,6 +612,9 @@ EXPORTS
krb5_sendto_ctx_set_type
krb5_sendto_kdc
krb5_sendto_kdc_flags
+ krb5_sendto_set_hostname
+ krb5_sendto_set_sitename
+ krb5_set_config
krb5_set_config_files
krb5_set_debug_dest
krb5_set_default_in_tkt_etypes
@@ -590,6 +627,7 @@ EXPORTS
krb5_set_home_dir_access
krb5_set_ignore_addresses
krb5_set_kdc_sec_offset
+ krb5_set_log_dest
krb5_set_max_time_skew
krb5_set_password
krb5_set_password_using_ccache
@@ -616,6 +654,7 @@ EXPORTS
krb5_storage_get_eof_code
krb5_storage_is_flags
krb5_storage_read
+ krb5_storage_stdio_from_fd
krb5_storage_seek
krb5_storage_set_byteorder
krb5_storage_set_eof_code
@@ -627,9 +666,11 @@ EXPORTS
krb5_store_address
krb5_store_addrs
krb5_store_authdata
+ krb5_store_bytes
krb5_store_creds
krb5_store_creds_tag
krb5_store_data
+ krb5_store_datalen
krb5_store_int16
krb5_store_int32
krb5_store_int64
@@ -653,11 +694,13 @@ EXPORTS
krb5_string_to_key_derived
krb5_string_to_key_salt
krb5_string_to_key_salt_opaque
+ krb5_string_to_keysalts2
krb5_string_to_keytype
krb5_string_to_salttype
krb5_ticket_get_authorization_data_type
krb5_ticket_get_client
krb5_ticket_get_endtime
+ krb5_ticket_get_times
krb5_ticket_get_server
krb5_timeofday
krb5_unparse_name
@@ -707,6 +750,7 @@ EXPORTS
krb5_cccol_cursor_new
krb5_cccol_cursor_next
krb5_cccol_cursor_free
+ krb5_cccol_get_default_ccname
; com_err error tables
initialize_krb5_error_table_r
@@ -717,6 +761,8 @@ EXPORTS
initialize_heim_error_table
initialize_k524_error_table_r
initialize_k524_error_table
+ initialize_k5e1_error_table_r
+ initialize_k5e1_error_table
; variables
krb5_mcc_ops DATA
@@ -728,6 +774,9 @@ EXPORTS
#ifdef HAVE_KCM
krb5_kcm_ops DATA
#endif
+#ifdef HAVE_KEYUTILS
+ krb5_krcc_ops DATA
+#endif
krb5_wrfkt_ops DATA
krb5_mkt_ops DATA
krb5_akf_ops DATA
@@ -740,6 +789,7 @@ EXPORTS
krb5_cc_type_file DATA
krb5_cc_type_memory DATA
krb5_cc_type_kcm DATA
+ krb5_cc_type_keyring DATA
krb5_cc_type_scc DATA
; Shared with GSSAPI krb5
@@ -747,6 +797,26 @@ EXPORTS
_krb5_crc_update
_krb5_get_krbtgt
_krb5_build_authenticator
+ _krb5_kt_client_default_name
+ _krb5_have_debug
+ _krb5_SP800_108_HMAC_KDF
+ _krb5_get_ad
+
+ ; Shared with GSSAPI preauth wrapper
+ _krb5_init_creds_set_gss_mechanism
+ _krb5_init_creds_get_gss_mechanism
+ _krb5_init_creds_set_gss_cred
+ _krb5_init_creds_get_gss_cred
+ _krb5_init_creds_init_gss
+
+ ; Private init_creds API
+ _krb5_init_creds_get_cred_starttime
+ _krb5_init_creds_get_cred_endtime
+ _krb5_init_creds_get_cred_client
+
+ ; Shared with libkadm5
+ _krb5_load_plugins
+ _krb5_unload_plugins
; Shared with libkdc
_krb5_AES_SHA1_string_to_default_iterator
@@ -756,6 +826,12 @@ EXPORTS
_krb5_get_int
_krb5_get_int64
_krb5_pac_sign
+ _krb5_pac_get_attributes_info
+ _krb5_pac_get_canon_principal
+ _krb5_kdc_pac_sign_ticket
+ _krb5_kdc_pac_ticket_parse
+ _kdc_tkt_insert_pac
+ _kdc_tkt_add_if_relevant_ad
_krb5_parse_moduli
_krb5_pk_kdf
_krb5_pk_load_id
@@ -765,10 +841,15 @@ EXPORTS
_krb5_enctype_requires_random_salt
_krb5_principal2principalname
_krb5_principalname2krb5_principal
+ _krb5_kdcrep2krb5_principal
+ _krb5_ticket2krb5_principal
_krb5_put_int
_krb5_s4u2self_to_checksumdata
_krb5_HMAC_MD5_checksum
+ _krb5_crypto_set_flags
_krb5_expand_path_tokens ;!
+ _krb5_make_pa_enc_challenge
+ _krb5_validate_pa_enc_challenge
; kinit helper
krb5_get_init_creds_opt_set_pkinit_user_certs
@@ -777,30 +858,38 @@ EXPORTS
krb5_auth_con_getsendsubkey
krb5_init_creds_free
krb5_init_creds_get
+ krb5_init_creds_get_as_reply_key
krb5_init_creds_get_creds
krb5_init_creds_get_error
krb5_init_creds_init
+ krb5_init_creds_set_fast_anon_pkinit
+ _krb5_init_creds_set_fast_anon_pkinit_optimistic
krb5_init_creds_set_fast_ccache
krb5_init_creds_set_keytab
+ krb5_init_creds_set_kdc_hostname
krb5_init_creds_set_password
krb5_init_creds_set_service
+ krb5_init_creds_set_sitename
+ krb5_init_creds_step
krb5_init_creds_store
+ krb5_init_creds_store_config
+ krb5_init_creds_warn_user
krb5_process_last_request
; testing
;! _krb5_aes_cts_encrypt
+ krb5_time_abs;
_krb5_n_fold
_krb5_expand_default_cc_name
; FAST
_krb5_fast_cf2
_krb5_fast_armor_key
+ _krb5_fast_explicit_armor_key
; Recent additions
krb5_cc_type_dcc;
krb5_dcc_ops;
- _krb5_plugin_find;
- _krb5_plugin_free;
_krb5_expand_path_tokensv;
_krb5_find_capath;
_krb5_free_capath;
diff --git a/lib/krb5/locate_plugin.h b/lib/krb5/locate_plugin.h
index 52ef0f380ee4..7fcb5ec6f5a0 100644
--- a/lib/krb5/locate_plugin.h
+++ b/lib/krb5/locate_plugin.h
@@ -38,6 +38,8 @@
#ifndef HEIMDAL_KRB5_LOCATE_PLUGIN_H
#define HEIMDAL_KRB5_LOCATE_PLUGIN_H 1
+#include <heimbase-svc.h>
+
#define KRB5_PLUGIN_LOCATE "service_locator"
#define KRB5_PLUGIN_LOCATE_VERSION 1
#define KRB5_PLUGIN_LOCATE_VERSION_0 0
@@ -70,9 +72,7 @@ typedef krb5_error_code
typedef struct krb5plugin_service_locate_ftable {
- int minor_version;
- krb5_error_code (KRB5_CALLCONV *init)(krb5_context, void **);
- void (KRB5_CALLCONV *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
krb5plugin_service_locate_lookup_old old_lookup;
krb5plugin_service_locate_lookup lookup; /* version 2 */
} krb5plugin_service_locate_ftable;
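Review bot: The `HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);` line replaces the explicit `minor_version`, `init` and `fini` members, and nothing here records that the struct's binary layout has to stay the same. Service-locator plugins built against the old header lay this table out by member position, so if the macro (defined in heimbase-svc.h, outside this diff) expands to different members or a different order, the library would read a loaded plugin's `init` and `lookup` pointers from the wrong slots. After confirming the expansion, I would add a comment above the macro line such as `/* Expands to minor_version, init, fini; this layout is plugin ABI, do not reorder */`. It is also worth checking that the calling convention the macro gives init/fini still matches the removed `KRB5_CALLCONV` declarations.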
diff --git a/lib/krb5/log.c b/lib/krb5/log.c
index 2d66ae4c9090..306431a5ca7e 100644
--- a/lib/krb5/log.c
+++ b/lib/krb5/log.c
@@ -34,330 +34,77 @@
*/
#include "krb5_locl.h"
+#include <assert.h>
#include <vis.h>
-struct facility {
- int min;
- int max;
- krb5_log_log_func_t log_func;
- krb5_log_close_func_t close_func;
- void *data;
-};
-
-static struct facility*
-log_realloc(krb5_log_facility *f)
-{
- struct facility *fp;
- fp = realloc(f->val, (f->len + 1) * sizeof(*f->val));
- if(fp == NULL)
- return NULL;
- f->len++;
- f->val = fp;
- fp += f->len - 1;
- return fp;
-}
-
-struct s2i {
- const char *s;
- int val;
-};
-
-#define L(X) { #X, LOG_ ## X }
-
-static struct s2i syslogvals[] = {
- L(EMERG),
- L(ALERT),
- L(CRIT),
- L(ERR),
- L(WARNING),
- L(NOTICE),
- L(INFO),
- L(DEBUG),
-
- L(AUTH),
-#ifdef LOG_AUTHPRIV
- L(AUTHPRIV),
-#endif
-#ifdef LOG_CRON
- L(CRON),
-#endif
- L(DAEMON),
-#ifdef LOG_FTP
- L(FTP),
-#endif
- L(KERN),
- L(LPR),
- L(MAIL),
-#ifdef LOG_NEWS
- L(NEWS),
-#endif
- L(SYSLOG),
- L(USER),
-#ifdef LOG_UUCP
- L(UUCP),
-#endif
- L(LOCAL0),
- L(LOCAL1),
- L(LOCAL2),
- L(LOCAL3),
- L(LOCAL4),
- L(LOCAL5),
- L(LOCAL6),
- L(LOCAL7),
- { NULL, -1 }
-};
-
-static int
-find_value(const char *s, struct s2i *table)
-{
- while(table->s && strcasecmp(table->s, s))
- table++;
- return table->val;
-}
-
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_initlog(krb5_context context,
const char *program,
krb5_log_facility **fac)
{
- krb5_log_facility *f = calloc(1, sizeof(*f));
- if (f == NULL)
- return krb5_enomem(context);
- f->program = strdup(program);
- if(f->program == NULL){
- free(f);
- return krb5_enomem(context);
- }
- *fac = f;
- return 0;
+ return heim_initlog(context->hcontext, program, fac);
}
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_addlog_func(krb5_context context,
- krb5_log_facility *fac,
- int min,
- int max,
- krb5_log_log_func_t log_func,
- krb5_log_close_func_t close_func,
- void *data)
-{
- struct facility *fp = log_realloc(fac);
- if (fp == NULL)
- return krb5_enomem(context);
- fp->min = min;
- fp->max = max;
- fp->log_func = log_func;
- fp->close_func = close_func;
- fp->data = data;
- return 0;
-}
-
-
-struct _heimdal_syslog_data{
- int priority;
+struct krb5_addlog_func_wrapper {
+ krb5_context context;
+ krb5_log_log_func_t log_func;
+ krb5_log_close_func_t close_func;
+ void *data;
};
-static void KRB5_CALLCONV
-log_syslog(const char *timestr,
- const char *msg,
- void *data)
-
+static void HEIM_CALLCONV
+krb5_addlog_func_wrapper_log(heim_context hcontext,
+ const char *prefix,
+ const char *msg,
+ void *data)
{
- struct _heimdal_syslog_data *s = data;
- syslog(s->priority, "%s", msg);
-}
+ struct krb5_addlog_func_wrapper *w = data;
-static void KRB5_CALLCONV
-close_syslog(void *data)
-{
- free(data);
- closelog();
+ w->log_func(w->context,
+ prefix,
+ msg,
+ w->data);
}
-static krb5_error_code
-open_syslog(krb5_context context,
- krb5_log_facility *facility, int min, int max,
- const char *sev, const char *fac)
+static void HEIM_CALLCONV
+krb5_addlog_func_wrapper_close(void *data)
{
- struct _heimdal_syslog_data *sd = malloc(sizeof(*sd));
- int i;
+ struct krb5_addlog_func_wrapper *w = data;
- if (sd == NULL)
- return krb5_enomem(context);
- i = find_value(sev, syslogvals);
- if(i == -1)
- i = LOG_ERR;
- sd->priority = i;
- i = find_value(fac, syslogvals);
- if(i == -1)
- i = LOG_AUTH;
- sd->priority |= i;
- roken_openlog(facility->program, LOG_PID | LOG_NDELAY, i);
- return krb5_addlog_func(context, facility, min, max,
- log_syslog, close_syslog, sd);
+ w->close_func(w->data);
+ free(w);
}
-struct file_data{
- const char *filename;
- const char *mode;
- FILE *fd;
- int keep_open;
- int freefilename;
-};
-
-static void KRB5_CALLCONV
-log_file(const char *timestr,
- const char *msg,
- void *data)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_addlog_func(krb5_context context,
+ krb5_log_facility *fac,
+ int min,
+ int max,
+ krb5_log_log_func_t log_func,
+ krb5_log_close_func_t close_func,
+ void *data)
{
- struct file_data *f = data;
- char *msgclean;
- size_t len = strlen(msg);
- if(f->keep_open == 0)
- f->fd = fopen(f->filename, f->mode);
- if(f->fd == NULL)
- return;
- /* make sure the log doesn't contain special chars */
- msgclean = malloc((len + 1) * 4);
- if (msgclean == NULL)
- goto out;
- strvisx(msgclean, rk_UNCONST(msg), len, VIS_OCTAL);
- fprintf(f->fd, "%s %s\n", timestr, msgclean);
- free(msgclean);
- out:
- if(f->keep_open == 0) {
- fclose(f->fd);
- f->fd = NULL;
- }
-}
+ struct krb5_addlog_func_wrapper *w = NULL;
-static void KRB5_CALLCONV
-close_file(void *data)
-{
- struct file_data *f = data;
- if(f->keep_open && f->filename)
- fclose(f->fd);
- if (f->filename && f->freefilename)
- free((char *)f->filename);
- free(data);
-}
-
-static krb5_error_code
-open_file(krb5_context context, krb5_log_facility *fac, int min, int max,
- const char *filename, const char *mode, FILE *f, int keep_open,
- int freefilename)
-{
- struct file_data *fd = malloc(sizeof(*fd));
- if (fd == NULL) {
- if (freefilename && filename)
- free((char *)filename);
+ w = calloc(1, sizeof(*w));
+ if (w == NULL)
return krb5_enomem(context);
- }
- fd->filename = filename;
- fd->mode = mode;
- fd->fd = f;
- fd->keep_open = keep_open;
- fd->freefilename = freefilename;
-
- return krb5_addlog_func(context, fac, min, max, log_file, close_file, fd);
-}
+ w->context = context;
+ w->log_func = log_func;
+ w->close_func = close_func;
+ w->data = data;
+ return heim_addlog_func(context->hcontext, fac, min, max,
+ krb5_addlog_func_wrapper_log,
+ krb5_addlog_func_wrapper_close,
+ w);
+}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
{
- krb5_error_code ret = 0;
- int min = 0, max = -1, n;
- char c;
- const char *p = orig;
-#ifdef _WIN32
- const char *q;
-#endif
-
- n = sscanf(p, "%d%c%d/", &min, &c, &max);
- if(n == 2){
- if(ISPATHSEP(c)) {
- if(min < 0){
- max = -min;
- min = 0;
- }else{
- max = min;
- }
- }
- }
- if(n){
-#ifdef _WIN32
- q = strrchr(p, '\\');
- if (q != NULL)
- p = q;
- else
-#endif
- p = strchr(p, '/');
- if(p == NULL) {
- krb5_set_error_message(context, HEIM_ERR_LOG_PARSE,
- N_("failed to parse \"%s\"", ""), orig);
- return HEIM_ERR_LOG_PARSE;
- }
- p++;
- }
- if(strcmp(p, "STDERR") == 0){
- ret = open_file(context, f, min, max, NULL, NULL, stderr, 1, 0);
- }else if(strcmp(p, "CONSOLE") == 0){
- ret = open_file(context, f, min, max, "/dev/console", "w", NULL, 0, 0);
- }else if(strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '=')){
- char *fn;
- FILE *file = NULL;
- int keep_open = 0;
- fn = strdup(p + 5);
- if (fn == NULL)
- return krb5_enomem(context);
- if(p[4] == '='){
- int i = open(fn, O_WRONLY | O_CREAT |
- O_TRUNC | O_APPEND, 0666);
- if(i < 0) {
- ret = errno;
- krb5_set_error_message(context, ret,
- N_("open(%s) logfile: %s", ""), fn,
- strerror(ret));
- free(fn);
- return ret;
- }
- rk_cloexec(i);
- file = fdopen(i, "a");
- if(file == NULL){
- ret = errno;
- close(i);
- krb5_set_error_message(context, ret,
- N_("fdopen(%s) logfile: %s", ""),
- fn, strerror(ret));
- free(fn);
- return ret;
- }
- keep_open = 1;
- }
- ret = open_file(context, f, min, max, fn, "a", file, keep_open, 1);
- }else if(strncmp(p, "DEVICE", 6) == 0 && (p[6] == ':' || p[6] == '=')){
- ret = open_file(context, f, min, max, strdup(p + 7), "w", NULL, 0, 1);
- }else if(strncmp(p, "SYSLOG", 6) == 0 && (p[6] == '\0' || p[6] == ':')){
- char severity[128] = "";
- char facility[128] = "";
- p += 6;
- if(*p != '\0')
- p++;
- if(strsep_copy(&p, ":", severity, sizeof(severity)) != -1)
- strsep_copy(&p, ":", facility, sizeof(facility));
- if(*severity == '\0')
- strlcpy(severity, "ERR", sizeof(severity));
- if(*facility == '\0')
- strlcpy(facility, "AUTH", sizeof(facility));
- ret = open_syslog(context, f, min, max, severity, facility);
- }else{
- ret = HEIM_ERR_LOG_PARSE; /* XXX */
- krb5_set_error_message (context, ret,
- N_("unknown log type: %s", ""), p);
- }
- return ret;
+ return heim_addlog_dest(context->hcontext, f, orig);
}
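Review bot: In the new krb5_addlog_func the wrapper `w` is handed straight to heim_addlog_func in the return statement, so if that call fails the allocation leaks, unless heim_addlog_func runs the close callback on its error path, which this diff does not show. Capturing the result would cover it: declare `krb5_error_code ret;`, assign `ret = heim_addlog_func(context->hcontext, fac, min, max, krb5_addlog_func_wrapper_log, krb5_addlog_func_wrapper_close, w);`, then `if (ret) free(w);` before returning `ret`. Separately, the removed log_file() passed every message through `strvisx(..., VIS_OCTAL)` before writing it ("make sure the log doesn't contain special chars"), which stops control characters in logged values from forging or splitting log lines. That escaping is no longer visible in this file although `#include <vis.h>` remains, so it should be confirmed that heim_addlog_dest's file backend keeps it.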
@@ -367,37 +114,21 @@ krb5_openlog(krb5_context context,
krb5_log_facility **fac)
{
krb5_error_code ret;
- char **p, **q;
-
- ret = krb5_initlog(context, program, fac);
- if(ret)
- return ret;
+ char **p;
p = krb5_config_get_strings(context, NULL, "logging", program, NULL);
- if(p == NULL)
+ if (p == NULL)
p = krb5_config_get_strings(context, NULL, "logging", "default", NULL);
- if(p){
- for(q = p; *q && ret == 0; q++)
- ret = krb5_addlog_dest(context, *fac, *q);
- krb5_config_free_strings(p);
- }else
- ret = krb5_addlog_dest(context, *fac, "SYSLOG");
+ ret = heim_openlog(context->hcontext, program, (const char **)p, fac);
+ krb5_config_free_strings(p);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_closelog(krb5_context context,
- krb5_log_facility *fac)
+ krb5_log_facility *fac)
{
- int i;
- for(i = 0; i < fac->len; i++)
- (*fac->val[i].close_func)(fac->val[i].data);
- free(fac->val);
- free(fac->program);
- fac->val = NULL;
- fac->len = 0;
- fac->program = NULL;
- free(fac);
+ heim_closelog(context->hcontext, fac);
return 0;
}
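Review bot: krb5_closelog now dereferences `context` (`context->hcontext`), which the removed body never touched, so a caller that closed a facility with a NULL context would crash after this change. Either document in the function's comment that `context` must be valid, or guard the dereference if heim_closelog tolerates a NULL first argument (not visible here). In krb5_openlog the explicit `"SYSLOG"` fallback and the NULL test before `krb5_config_free_strings(p)` are both gone. Presumably heim_openlog and krb5_config_free_strings accept a NULL `p`, but a comment such as `/* p may be NULL: heim_openlog then applies the default destination */` would record that assumption.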
@@ -413,34 +144,7 @@ krb5_vlog_msg(krb5_context context,
va_list ap)
__attribute__ ((__format__ (__printf__, 5, 0)))
{
-
- char *msg = NULL;
- const char *actual = NULL;
- char buf[64];
- time_t t = 0;
- int i;
-
- for(i = 0; fac && i < fac->len; i++)
- if(fac->val[i].min <= level &&
- (fac->val[i].max < 0 || fac->val[i].max >= level)) {
- if(t == 0) {
- t = time(NULL);
- krb5_format_time(context, t, buf, sizeof(buf), TRUE);
- }
- if(actual == NULL) {
- int ret = vasprintf(&msg, fmt, ap);
- if(ret < 0 || msg == NULL)
- actual = fmt;
- else
- actual = msg;
- }
- (*fac->val[i].log_func)(buf, actual, fac->val[i].data);
- }
- if(reply == NULL)
- free(msg);
- else
- *reply = msg;
- return 0;
+ return heim_vlog_msg(context->hcontext, fac, reply, level, fmt, ap);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
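Review bot: The removed loop in krb5_vlog_msg tolerated a NULL facility (`fac && i < fac->len`) and returned 0 without formatting anything, whereas the new body forwards `fac` and `context->hcontext` unchecked to `heim_vlog_msg`. Whether heim_vlog_msg keeps that tolerance is not visible in this diff, so it should be confirmed, or restored with `if (fac == NULL) { if (reply) *reply = NULL; return 0; }` ahead of the call. The same question applies to the krb5_vlog, krb5_log_msg and krb5_log hunks that follow, which now reach the heim_* functions directly.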
@@ -451,7 +155,7 @@ krb5_vlog(krb5_context context,
va_list ap)
__attribute__ ((__format__ (__printf__, 4, 0)))
{
- return krb5_vlog_msg(context, fac, NULL, level, fmt, ap);
+ return heim_vlog_msg(context->hcontext, fac, NULL, level, fmt, ap);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
@@ -467,7 +171,7 @@ krb5_log_msg(krb5_context context,
krb5_error_code ret;
va_start(ap, fmt);
- ret = krb5_vlog_msg(context, fac, reply, level, fmt, ap);
+ ret = heim_vlog_msg(context->hcontext, fac, reply, level, fmt, ap);
va_end(ap);
return ret;
}
@@ -485,7 +189,7 @@ krb5_log(krb5_context context,
krb5_error_code ret;
va_start(ap, fmt);
- ret = krb5_vlog(context, fac, level, fmt, ap);
+ ret = heim_vlog(context->hcontext, fac, level, fmt, ap);
va_end(ap);
return ret;
}
@@ -499,36 +203,50 @@ _krb5_debug(krb5_context context,
{
va_list ap;
- if (context == NULL || context->debug_dest == NULL)
- return;
+ va_start(ap, fmt);
+ if (context && context->hcontext)
+ heim_vdebug(context->hcontext, level, fmt, ap);
+ va_end(ap);
+}
+
+void KRB5_LIB_FUNCTION
+krb5_debug(krb5_context context,
+ int level,
+ const char *fmt,
+ ...)
+ __attribute__ ((__format__ (__printf__, 3, 4)))
+{
+ va_list ap;
va_start(ap, fmt);
- krb5_vlog(context, context->debug_dest, level, fmt, ap);
+ if (context && context->hcontext)
+ heim_vdebug(context->hcontext, level, fmt, ap);
va_end(ap);
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_have_debug(krb5_context context, int level)
{
- if (context == NULL || context->debug_dest == NULL)
- return 0 ;
- return 1;
+ if (context == NULL || context->hcontext == NULL)
+ return 0;
+ return heim_have_debug(context->hcontext, level);
+}
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_have_debug(krb5_context context, int level)
+{
+ return _krb5_have_debug(context, level);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_debug_dest(krb5_context context, const char *program,
const char *log_spec)
{
- krb5_error_code ret;
-
- if (context->debug_dest == NULL) {
- ret = krb5_initlog(context, program, &context->debug_dest);
- if (ret)
- return ret;
- }
+ return heim_add_debug_dest(context->hcontext, program, log_spec);
+}
- ret = krb5_addlog_dest(context, context->debug_dest, log_spec);
- if (ret)
- return ret;
- return 0;
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_log_dest(krb5_context context, krb5_log_facility *fac)
+{
+ return heim_set_log_dest(context->hcontext, fac);
}
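Review bot: krb5_set_debug_dest and krb5_set_log_dest dereference `context->hcontext` without the `context && context->hcontext` test that _krb5_debug, krb5_debug and _krb5_have_debug apply in this same hunk. If a context without an hcontext can exist, these two need the same guard or a documented precondition. krb5_debug also repeats _krb5_debug's body line for line while krb5_have_debug forwards to _krb5_have_debug; a comment such as `/* Public alias of _krb5_debug(); variadic, so the body is repeated rather than forwarded */` would explain why. Its declaration is written `void KRB5_LIB_FUNCTION` with no `KRB5_LIB_CALL`, unlike the other exported functions here, which looks unintentional. The signature of _krb5_debug lies outside the hunk.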
diff --git a/lib/krb5/mcache.c b/lib/krb5/mcache.c
index e45bc1b0a77f..b381cae8008d 100644
--- a/lib/krb5/mcache.c
+++ b/lib/krb5/mcache.c
@@ -38,7 +38,8 @@
typedef struct krb5_mcache {
char *name;
unsigned int refcnt;
- int dead;
+ unsigned int anonymous:1;
+ unsigned int dead:1;
krb5_principal primary_principal;
struct link {
krb5_creds cred;
@@ -57,42 +58,90 @@ static struct krb5_mcache *mcc_head;
#define MISDEAD(X) ((X)->dead)
-static const char* KRB5_CALLCONV
-mcc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+mcc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **col,
+ const char **sub)
{
- return MCACHE(id)->name;
+ if (name)
+ *name = MCACHE(id)->name;
+ if (col)
+ *col = NULL;
+ if (sub)
+ *sub = MCACHE(id)->name;
+ return 0;
}
-static krb5_mcache * KRB5_CALLCONV
-mcc_alloc(const char *name)
+static krb5_error_code
+mcc_alloc(krb5_context context, const char *name, krb5_mcache **out)
{
krb5_mcache *m, *m_c;
+ size_t counter = 0;
int ret = 0;
+ *out = NULL;
ALLOC(m, 1);
if(m == NULL)
- return NULL;
+ return krb5_enomem(context);
+
+again:
+ if (counter > 3) {
+ free(m->name);
+ free(m);
+ return EAGAIN; /* XXX */
+ }
if(name == NULL)
- ret = asprintf(&m->name, "%p", m);
+ ret = asprintf(&m->name, "u%p-%llu", m, (unsigned long long)counter);
else
m->name = strdup(name);
if(ret < 0 || m->name == NULL) {
free(m);
- return NULL;
+ return krb5_enomem(context);
}
+ if (strcmp(m->name, "anonymous") == 0) {
+ HEIMDAL_MUTEX_init(&(m->mutex));
+ m->anonymous = 1;
+ m->dead = 0;
+ m->refcnt = 1;
+ m->primary_principal = NULL;
+ m->creds = NULL;
+ m->mtime = time(NULL);
+ m->kdc_offset = 0;
+ m->next = NULL;
+ *out = m;
+ return 0;
+ }
+
/* check for dups first */
HEIMDAL_MUTEX_lock(&mcc_mutex);
for (m_c = mcc_head; m_c != NULL; m_c = m_c->next)
- if (strcmp(m->name, m_c->name) == 0)
- break;
+ if (strcmp(m->name, m_c->name) == 0)
+ break;
if (m_c) {
- free(m->name);
- free(m);
- HEIMDAL_MUTEX_unlock(&mcc_mutex);
- return NULL;
+ if (name) {
+ /* We raced with another thread to create this cache */
+ free(m->name);
+ free(m);
+ m = m_c;
+ HEIMDAL_MUTEX_lock(&(m->mutex));
+ m->refcnt++;
+ HEIMDAL_MUTEX_unlock(&(m->mutex));
+ } else {
+ /* How likely are we to conflict on new_unique anyways?? */
+ counter++;
+ free(m->name);
+ m->name = NULL;
+ HEIMDAL_MUTEX_unlock(&mcc_mutex);
+ goto again;
+ }
+ HEIMDAL_MUTEX_unlock(&mcc_mutex);
+ *out = m;
+ return 0;
}
+ m->anonymous = 0;
m->dead = 0;
m->refcnt = 1;
m->primary_principal = NULL;
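Review bot: The `counter > 3` exit returns a bare `EAGAIN` without setting an error message, while the other failure paths in mcc_alloc go through `krb5_enomem(context)`, so mcc_gen_new hands its caller an errno with no explanation. Set a message before returning, e.g. `krb5_set_error_message(context, EAGAIN, N_("could not generate a unique MEMORY ccache name", ""));`. The special-cased name `"anonymous"` also deserves a comment above that branch, saying that such a cache returns before it is linked into `mcc_head` and is therefore private to the handle that created it. The function body continues past the end of this hunk.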
@@ -103,35 +152,21 @@ mcc_alloc(const char *name)
HEIMDAL_MUTEX_init(&(m->mutex));
mcc_head = m;
HEIMDAL_MUTEX_unlock(&mcc_mutex);
- return m;
+ *out = m;
+ return 0;
}
static krb5_error_code KRB5_CALLCONV
-mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+mcc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
{
+ krb5_error_code ret;
krb5_mcache *m;
- HEIMDAL_MUTEX_lock(&mcc_mutex);
- for (m = mcc_head; m != NULL; m = m->next)
- if (strcmp(m->name, res) == 0)
- break;
- HEIMDAL_MUTEX_unlock(&mcc_mutex);
-
- if (m != NULL) {
- HEIMDAL_MUTEX_lock(&(m->mutex));
- m->refcnt++;
- HEIMDAL_MUTEX_unlock(&(m->mutex));
- (*id)->data.data = m;
- (*id)->data.length = sizeof(*m);
- return 0;
- }
-
- m = mcc_alloc(res);
- if (m == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
- }
+ if ((ret = mcc_alloc(context, sub && *sub ? sub : res, &m)))
+ return ret;
(*id)->data.data = m;
(*id)->data.length = sizeof(*m);
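Review bot: mcc_resolve_2 has no comment explaining how `res` and `sub` combine. A non-empty `sub` replaces `res` entirely, and if both are NULL the call falls into mcc_alloc's `name == NULL` path and creates a fresh uniquely named cache instead of failing. I would add above the function `/* Resolve a MEMORY cache by name; a non-empty sub overrides res. An existing cache of that name is shared (refcnt is bumped in mcc_alloc). */` and decide explicitly whether a NULL `res` should be rejected. The first lines of this hunk are the tail of mcc_alloc, and mcc_resolve_2 ends outside it.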
@@ -143,15 +178,11 @@ mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
static krb5_error_code KRB5_CALLCONV
mcc_gen_new(krb5_context context, krb5_ccache *id)
{
+ krb5_error_code ret;
krb5_mcache *m;
- m = mcc_alloc(NULL);
-
- if (m == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
- }
+ if ((ret = mcc_alloc(context, NULL, &m)))
+ return ret;
(*id)->data.data = m;
(*id)->data.length = sizeof(*m);
@@ -221,7 +252,7 @@ mcc_close_internal(krb5_mcache *m)
return 0;
}
if (MISDEAD(m)) {
- free (m->name);
+ free(m->name);
HEIMDAL_MUTEX_unlock(&(m->mutex));
return 1;
}
@@ -248,6 +279,18 @@ mcc_destroy(krb5_context context,
{
krb5_mcache **n, *m = MCACHE(id);
+ if (m->anonymous) {
+ HEIMDAL_MUTEX_lock(&(m->mutex));
+ if (m->refcnt == 0) {
+ HEIMDAL_MUTEX_unlock(&(m->mutex));
+ krb5_abortx(context, "mcc_destroy: refcnt already 0");
+ }
+ if (!MISDEAD(m))
+ mcc_destroy_internal(context, m);
+ HEIMDAL_MUTEX_unlock(&(m->mutex));
+ return 0;
+ }
+
HEIMDAL_MUTEX_lock(&mcc_mutex);
HEIMDAL_MUTEX_lock(&(m->mutex));
if (m->refcnt == 0)
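Review bot: The new anonymous branch in mcc_destroy takes only `m->mutex` and skips `mcc_mutex` and the list handling, but nothing in the code says why. The reason is in mcc_alloc, where an `anonymous` cache returns before it is linked into `mcc_head`. A comment such as `/* anonymous caches are never on mcc_head: nothing to unlink, mcc_mutex not needed */` would keep the two functions in step. The rest of mcc_destroy lies outside this hunk.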
@@ -290,12 +333,8 @@ mcc_store_cred(krb5_context context,
}
l = malloc (sizeof(*l));
- if (l == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- HEIMDAL_MUTEX_unlock(&(m->mutex));
- return KRB5_CC_NOMEM;
- }
+ if (l == NULL)
+ return krb5_enomem(context);
l->next = m->creds;
m->creds = l;
memset (&l->cred, 0, sizeof(l->cred));
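Review bot: The shortened allocation-failure path returns with `m->mutex` still held. The removed branch called `HEIMDAL_MUTEX_unlock(&(m->mutex))` before returning, and the lock appears to be taken earlier in mcc_store_cred, outside this hunk (inferred from that removed unlock). After an out-of-memory error, any later operation on the same cache would then block on the mutex. Keep the unlock: `if (l == NULL) { HEIMDAL_MUTEX_unlock(&(m->mutex)); return krb5_enomem(context); }`.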
@@ -519,8 +558,8 @@ mcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
HEIMDAL_MUTEX_unlock(&(mfrom->mutex));
HEIMDAL_MUTEX_unlock(&(mto->mutex));
HEIMDAL_MUTEX_unlock(&mcc_mutex);
- mcc_destroy(context, from);
+ krb5_cc_destroy(context, from);
return 0;
}
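Review bot: Switching from `mcc_destroy` to the public `krb5_cc_destroy` may change who owns `from` after a move, and the hunk does not document it. If krb5_cc_destroy also releases the handle (its definition is not in this hunk), `from` is invalid on return and a caller that closes it afterwards would free it twice. A comment such as `/* krb5_cc_destroy() consumes from; callers must not use it again */` should state the contract. The call's return value is also discarded, as mcc_destroy's was.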
@@ -571,10 +610,10 @@ mcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"MEMORY",
- mcc_get_name,
- mcc_resolve,
+ NULL,
+ NULL,
mcc_gen_new,
mcc_initialize,
mcc_destroy,
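Review bot: The two `NULL` entries that replace `mcc_get_name` and `mcc_resolve` are positional, so nothing in the table says which operations are now absent. Annotate them, e.g. `NULL, /* get_name: replaced by get_name_2 */` and `NULL, /* resolve: replaced by resolve_2 */`, and label the two entries appended in the next hunk the same way. Code that calls these slots without a NULL check would crash on a MEMORY cache. That code is outside this section, so it is worth confirming that every user tests the ops version first.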
@@ -596,5 +635,7 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops = {
NULL,
mcc_lastchange,
mcc_set_kdc_offset,
- mcc_get_kdc_offset
+ mcc_get_kdc_offset,
+ mcc_get_name_2,
+ mcc_resolve_2
};
diff --git a/lib/krb5/mit_glue.c b/lib/krb5/mit_glue.c
index deee242c1e8c..44725f1ad29a 100644
--- a/lib/krb5/mit_glue.c
+++ b/lib/krb5/mit_glue.c
@@ -67,22 +67,23 @@ krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
const krb5_checksum *cksum, krb5_boolean *valid)
{
krb5_error_code ret;
- krb5_checksum data_cksum;
+ krb5_crypto crypto;
*valid = 0;
- ret = krb5_c_make_checksum(context, cksum->cksumtype,
- key, usage, data, &data_cksum);
+ ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
return ret;
- if (data_cksum.cksumtype == cksum->cksumtype
- && krb5_data_ct_cmp(&data_cksum.checksum, &cksum->checksum) == 0)
- *valid = 1;
+ ret = krb5_verify_checksum(context, crypto, usage,
+ data->data, data->length, rk_UNCONST(cksum));
+ krb5_crypto_destroy(context, crypto);
- krb5_free_checksum_contents(context, &data_cksum);
+ if (ret == 0) {
+ *valid = 1;
+ }
- return 0;
+ return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
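Review bot: A checksum mismatch is now reported through the return value rather than through `*valid`, because the result of `krb5_verify_checksum` is returned as is. The removed code returned 0 with `*valid == 0` in that case. The new behaviour fails closed, but callers written against the old contract will now see a verification failure as an operational error. Either document the new contract in the function comment, or translate the integrity failure (presumably `KRB5KRB_AP_ERR_BAD_INTEGRITY`) back to `ret = 0` before returning. The start of krb5_c_verify_checksum is outside this hunk.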
diff --git a/lib/krb5/mk_cred.c b/lib/krb5/mk_cred.c
new file mode 100644
index 000000000000..41e858f80588
--- /dev/null
+++ b/lib/krb5/mk_cred.c
@@ -0,0 +1,324 @@
+/*
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#define CHECKED_ALLOC(dst) do { \
+ if ((ALLOC(dst, 1)) == NULL) { \
+ ret = krb5_enomem(context); \
+ goto out; \
+ } \
+ } while (0)
+
+#define CHECKED_COPY(cp_func, dst, src) do { \
+ if (cp_func(src, dst)) { \
+ ret = krb5_enomem(context); \
+ goto out; \
+ } \
+ } while (0)
+#define CHECKED_COPY_PPC2KCI(cp_func, dst, src) \
+ CHECKED_COPY(cp_func, krb_cred_info->dst, &ppcreds[i]->src)
+
+#define CHECKED_ALLOC_ASSIGN(dst, src) do { \
+ if ((ALLOC(dst, 1)) == NULL) { \
+ ret = krb5_enomem(context); \
+ goto out; \
+ } else \
+ *dst = src; \
+ } while (0)
+#define CHECKED_ALLOC_ASSIGN_PPC2KCI(dst, src) \
+ CHECKED_ALLOC_ASSIGN(krb_cred_info->dst, ppcreds[i]->src)
+
+#define CHECKED_ALLOC_COPY(cp_func, dst, src) do { \
+ if ((ALLOC(dst, 1)) == NULL || cp_func(src, dst)) { \
+ ret = krb5_enomem(context); \
+ goto out; \
+ } \
+ } while (0)
+#define CHECKED_ALLOC_COPY_PPC2KCI(cp_func, dst, src) \
+ CHECKED_ALLOC_COPY(cp_func, krb_cred_info->dst, &ppcreds[i]->src)
+
+/**
+ * Make a KRB-CRED PDU with N credentials.
+ *
+ * @param context A kerberos 5 context.
+ * @param auth_context The auth context with the key to encrypt the out_data.
+ * @param ppcreds A null-terminated array of credentials to forward.
+ * @param ppdata The output KRB-CRED (to be freed by caller).
+ * @param replay_data (unused).
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_credential
+ */
+
+/* ARGSUSED */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds **ppcreds, krb5_data **ppdata,
+ krb5_replay_data *replay_data)
+{
+ krb5_error_code ret;
+ krb5_data out_data;
+
+ ret = _krb5_mk_ncred(context, auth_context, ppcreds, &out_data,
+ replay_data);
+ if (ret == 0) {
+ /*
+ * MIT allocates the return structure for no good reason. We do
+ * likewise as, in this case, incompatibility is the greater evil.
+ */
+ *ppdata = calloc(1, sizeof(**ppdata));
+ if (*ppdata) {
+ **ppdata = out_data;
+ } else {
+ krb5_data_free(&out_data);
+ ret = krb5_enomem(context);
+ }
+ }
+
+ return ret;
+}
+
+/* ARGSUSED */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_mk_ncred(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_creds **ppcreds,
+ krb5_data *out_data,
+ krb5_replay_data *replay_data)
+{
+ krb5_error_code ret;
+ EncKrbCredPart enc_krb_cred_part;
+ KrbCredInfo *krb_cred_info;
+ krb5_crypto crypto;
+ KRB_CRED cred;
+ unsigned char *buf = NULL;
+ size_t ncreds, i;
+ size_t buf_size;
+ size_t len;
+
+ /*
+ * The ownership of 'buf' is re-assigned to a containing structure
+ * multiple times. We enforce an invariant, either buf is non-zero
+ * and we own it, or buf is zero and it is freed or some structure
+ * owns any storage previously allocated as 'buf'.
+ */
+#define CHOWN_BUF(x, buf) do { (x) = (buf); (buf) = 0; } while (0)
+#define DISOWN_BUF(buf) do { free(buf); (buf) = 0; } while (0)
+
+ for (ncreds = 0; ppcreds[ncreds]; ncreds++)
+ ;
+
+ memset (&cred, 0, sizeof(cred));
+ memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
+ cred.pvno = 5;
+ cred.msg_type = krb_cred;
+ ALLOC_SEQ(&cred.tickets, ncreds);
+ if (cred.tickets.val == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ ALLOC_SEQ(&enc_krb_cred_part.ticket_info, ncreds);
+ if (enc_krb_cred_part.ticket_info.val == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ for (i = 0; i < ncreds; i++) {
+ ret = decode_Ticket(ppcreds[i]->ticket.data,
+ ppcreds[i]->ticket.length,
+ &cred.tickets.val[i],
+ &len);/* don't care about len */
+ if (ret)
+ goto out;
+
+ /* fill ticket_info.val[i] */
+ krb_cred_info = &enc_krb_cred_part.ticket_info.val[i];
+
+ CHECKED_COPY(copy_EncryptionKey,
+ &krb_cred_info->key, &ppcreds[i]->session);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_Realm, prealm, client->realm);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_PrincipalName, pname, client->name);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(flags, flags.b);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(authtime, times.authtime);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(starttime, times.starttime);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(endtime, times.endtime);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(renew_till, times.renew_till);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_Realm, srealm, server->realm);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_PrincipalName, sname, server->name);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_HostAddresses, caddr, addresses);
+ }
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+ krb5_timestamp sec;
+ int32_t usec;
+
+ krb5_us_timeofday (context, &sec, &usec);
+
+ CHECKED_ALLOC_ASSIGN(enc_krb_cred_part.timestamp, sec);
+ CHECKED_ALLOC_ASSIGN(enc_krb_cred_part.usec, usec);
+ } else {
+ enc_krb_cred_part.timestamp = NULL;
+ enc_krb_cred_part.usec = NULL;
+ /* XXX Er, shouldn't we set the seq nums?? */
+ }
+
+ /* XXX: Is this needed? */
+ if (auth_context->local_address && auth_context->local_port) {
+ ret = krb5_make_addrport(context,
+ &enc_krb_cred_part.s_address,
+ auth_context->local_address,
+ auth_context->local_port);
+ if (ret)
+ goto out;
+ }
+
+ /* XXX: Is this needed? */
+ if (auth_context->remote_address) {
+ if (auth_context->remote_port) {
+ /*
+ * XXX: Should we be checking "no-addresses" for
+ * the receiving realm?
+ */
+ ret = krb5_make_addrport(context,
+ &enc_krb_cred_part.r_address,
+ auth_context->remote_address,
+ auth_context->remote_port);
+ if (ret)
+ goto out;
+ } else {
+ /*
+ * XXX Ugly, make krb5_make_addrport() handle missing port
+ * number (i.e., port == 0), then remove this else.
+ */
+ CHECKED_ALLOC(enc_krb_cred_part.r_address);
+ ret = krb5_copy_address(context, auth_context->remote_address,
+ enc_krb_cred_part.r_address);
+ if (ret)
+ goto out;
+ }
+ }
+
+ /* encode EncKrbCredPart */
+ ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
+ &enc_krb_cred_part, &len, ret);
+ if (ret)
+ goto out;
+
+ /**
+ * Some older of the MIT gssapi library used clear-text tickets
+ * (warped inside AP-REQ encryption), use the krb5_auth_context
+ * flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those
+ * tickets. The session key is used otherwise to encrypt the
+ * forwarded ticket.
+ */
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
+ cred.enc_part.etype = KRB5_ENCTYPE_NULL;
+ cred.enc_part.kvno = NULL;
+ CHOWN_BUF(cred.enc_part.cipher.data, buf);
+ cred.enc_part.cipher.length = buf_size;
+ } else {
+ /*
+ * Here older versions then 0.7.2 of Heimdal used the local or
+ * remote subkey. That is wrong, the session key should be
+ * used. Heimdal 0.7.2 and newer have code to try both in the
+ * receiving end.
+ */
+
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+ if (ret == 0)
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_KRB_CRED,
+ buf,
+ len,
+ 0,
+ &cred.enc_part);
+ if (ret)
+ goto out;
+ DISOWN_BUF(buf);
+ krb5_crypto_destroy(context, crypto);
+ }
+
+ ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
+ if (ret)
+ goto out;
+
+ CHOWN_BUF(out_data->data, buf);
+ out_data->length = len;
+ ret = 0;
+
+ out:
+ free_EncKrbCredPart(&enc_krb_cred_part);
+ free_KRB_CRED(&cred);
+ free(buf);
+ return ret;
+}
+
+/**
+ * Make a KRB-CRED PDU with 1 credential.
+ *
+ * @param context A kerberos 5 context.
+ * @param auth_context The auth context with the key to encrypt the out_data.
+ * @param ppcred A credential to forward.
+ * @param ppdata The output KRB-CRED (to be freed by caller).
+ * @param replay_data (unused).
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_credential
+ */
+
+/* ARGSUSED */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds *ppcred, krb5_data **ppdata,
+ krb5_replay_data *replay_data)
+{
+ krb5_creds *ppcreds[2] = { ppcred, NULL };
+
+ return krb5_mk_ncred(context, auth_context, ppcreds, ppdata, replay_data);
+}
+
+/* ARGSUSED */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds *ppcred, krb5_data *ppdata,
+ krb5_replay_data *replay_data)
+{
+ krb5_creds *ppcreds[2] = { ppcred, NULL };
+
+ return _krb5_mk_ncred(context, auth_context, ppcreds, ppdata, replay_data);
+}
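Review bot: In `_krb5_mk_ncred` the crypto handle leaks when `krb5_encrypt_EncryptedData` fails: `goto out` is taken before `krb5_crypto_destroy(context, crypto)` and the `out:` label does not release it. Destroy the handle before testing `ret`, and test `krb5_crypto_init` separately so that an uninitialised `crypto` is never destroyed. Separately, `buf` holds the plaintext EncKrbCredPart, session keys included, and is released with plain `free()` in `DISOWN_BUF` and at `out:`. Clearing it first would be prudent if the project has a zeroising helper (none is visible here).

```c
        ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
        if (ret)
            goto out;
        ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_KRB_CRED,
                                         buf, len, 0, &cred.enc_part);
        /* Release the handle on both outcomes before looking at ret. */
        krb5_crypto_destroy(context, crypto);
        if (ret)
            goto out;
        DISOWN_BUF(buf);
```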
diff --git a/lib/krb5/mk_error.c b/lib/krb5/mk_error.c
index 7f0be713e04f..3791fe75a289 100644
--- a/lib/krb5/mk_error.c
+++ b/lib/krb5/mk_error.c
@@ -76,8 +76,8 @@ krb5_mk_error_ext(krb5_context context,
msg.realm = server->realm;
msg.sname = server->name;
}else{
- static char unspec[] = "<unspecified realm>";
- msg.realm = unspec;
+ static const char unspec[] = "<unspecified realm>";
+ msg.realm = rk_UNCONST(unspec);
}
msg.crealm = rk_UNCONST(client_realm);
msg.cname = rk_UNCONST(client_name);
diff --git a/lib/krb5/mk_req_ext.c b/lib/krb5/mk_req_ext.c
index 18b16a9bf2b0..a8a07f1c718f 100644
--- a/lib/krb5/mk_req_ext.c
+++ b/lib/krb5/mk_req_ext.c
@@ -73,48 +73,37 @@ _krb5_mk_req_internal(krb5_context context,
if (ret)
goto out;
- /* it's unclear what type of checksum we can use. try the best one, except:
- * a) if it's configured differently for the current realm, or
- * b) if the session key is des-cbc-crc
+ /*
+ * Use the default checksum type except for some interoperability cases
+ * with older MIT, DCE and Windows KDCs.
*/
-
if (in_data) {
- if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
- /* this is to make DCE secd (and older MIT kdcs?) happy */
- ret = krb5_create_checksum(context,
- NULL,
- 0,
- CKSUMTYPE_RSA_MD4,
- in_data->data,
- in_data->length,
- &c);
- } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
- ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
- ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
- ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
- /* this is to make MS kdc happy */
- ret = krb5_create_checksum(context,
- NULL,
- 0,
- CKSUMTYPE_RSA_MD5,
- in_data->data,
- in_data->length,
- &c);
- } else {
- krb5_crypto crypto;
+ krb5_crypto crypto;
+ krb5_cksumtype checksum_type = CKSUMTYPE_NONE;
+
+ if (ac->keyblock->keytype == ETYPE_DES_CBC_CRC)
+ checksum_type = CKSUMTYPE_RSA_MD4;
+ else if (ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
+ ac->keyblock->keytype == ETYPE_DES_CBC_MD5 ||
+ ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
+ ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56)
+ checksum_type = CKSUMTYPE_RSA_MD5;
+ else
+ checksum_type = CKSUMTYPE_NONE;
+
+ ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
+ if (ret)
+ goto out;
- ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
- if (ret)
- goto out;
- ret = krb5_create_checksum(context,
- crypto,
- checksum_usage,
- 0,
- in_data->data,
- in_data->length,
- &c);
- krb5_crypto_destroy(context, crypto);
- }
+ _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);
+ ret = krb5_create_checksum(context,
+ crypto,
+ checksum_usage,
+ checksum_type,
+ in_data->data,
+ in_data->length,
+ &c);
+ krb5_crypto_destroy(context, crypto);
c_opt = &c;
} else {
c_opt = NULL;
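Review bot: `KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM` is set on every request, including the default case where `checksum_type` stays `CKSUMTYPE_NONE` and the key's own checksum type is presumably selected. Limit the relaxation to the legacy branches that need it: `if (checksum_type != CKSUMTYPE_NONE) _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);`. The final `else checksum_type = CKSUMTYPE_NONE;` repeats the initialiser and can be dropped. `_krb5_mk_req_internal` starts and ends outside this hunk.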
diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c
index 240845f72e38..e5b133f233d3 100644
--- a/lib/krb5/pac.c
+++ b/lib/krb5/pac.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,27 +32,58 @@
*/
#include "krb5_locl.h"
+
+#include <heimbasepriv.h>
#include <wind.h>
+#include <assert.h>
+/*
+ * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/3341cfa2-6ef5-42e0-b7bc-4544884bf399
+ */
struct PAC_INFO_BUFFER {
- uint32_t type;
- uint32_t buffersize;
- uint32_t offset_hi;
- uint32_t offset_lo;
+ uint32_t type; /* ULONG ulType in the original */
+ uint32_t buffersize; /* ULONG cbBufferSize in the original */
+ uint64_t offset; /* ULONG64 Offset in the original
+ * this being the offset from the beginning of the
+ * struct PACTYPE to the beginning of the buffer
+ * containing data of type ulType
+ */
};
+/*
+ * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/6655b92f-ab06-490b-845d-037e6987275f
+ */
struct PACTYPE {
- uint32_t numbuffers;
- uint32_t version;
- struct PAC_INFO_BUFFER buffers[1];
+ uint32_t numbuffers; /* named cBuffers of type ULONG in the original */
+ uint32_t version; /* Named Version of type ULONG in the original */
+ struct PAC_INFO_BUFFER buffers[1]; /* an ellipsis (...) in the original */
};
+/*
+ * A PAC starts with a PACTYPE header structure that is followed by an array of
+ * numbuffers PAC_INFO_BUFFER structures, each of which points to a buffer
+ * beyond the last PAC_INFO_BUFFER structures.
+ */
+
struct krb5_pac_data {
struct PACTYPE *pac;
krb5_data data;
struct PAC_INFO_BUFFER *server_checksum;
struct PAC_INFO_BUFFER *privsvr_checksum;
struct PAC_INFO_BUFFER *logon_name;
+ struct PAC_INFO_BUFFER *upn_dns_info;
+ struct PAC_INFO_BUFFER *ticket_checksum;
+ struct PAC_INFO_BUFFER *attributes_info;
+ krb5_data ticket_sign_data;
+
+ /* PAC_UPN_DNS_INFO */
+ krb5_principal upn_princ;
+ uint32_t upn_flags;
+ krb5_principal canon_princ;
+ krb5_data sid;
+
+ /* PAC_ATTRIBUTES_INFO */
+ uint64_t pac_attributes;
};
#define PAC_ALIGNMENT 8
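Review bot: With `offset` now a single `uint64_t`, the in-memory `struct PAC_INFO_BUFFER` matches the 16-byte wire entry only if the compiler adds no padding. The header allocation (outside this hunk) appears to size the array with `PAC_INFO_BUFFER_SIZE` rather than `sizeof`. Since `<assert.h>` is now included, and if the build allows C11, pin the assumption after the size macros: `static_assert(sizeof(struct PAC_INFO_BUFFER) == PAC_INFO_BUFFER_SIZE, "PAC_INFO_BUFFER layout");`. The new `upn_princ`, `canon_princ` and `sid` members would also benefit from a short comment saying the PAC object owns them.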
@@ -60,10 +91,20 @@ struct krb5_pac_data {
#define PACTYPE_SIZE 8
#define PAC_INFO_BUFFER_SIZE 16
+#define PAC_LOGON_INFO 1
+#define PAC_CREDENTIALS_INFO 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_LOGON_NAME 10
#define PAC_CONSTRAINED_DELEGATION 11
+#define PAC_UPN_DNS_INFO 12
+#define PAC_TICKET_CHECKSUM 16
+#define PAC_ATTRIBUTES_INFO 17
+#define PAC_REQUESTOR_SID 18
+
+/* Flag in PAC_UPN_DNS_INFO */
+#define PAC_EXTRA_LOGON_INFO_FLAGS_UPN_DEFAULTED 0x1
+#define PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID 0x2
#define CHECK(r,f,l) \
do { \
@@ -73,63 +114,62 @@ struct krb5_pac_data {
} \
} while(0)
-static const char zeros[PAC_ALIGNMENT] = { 0 };
+static const char zeros[PAC_ALIGNMENT];
-/*
- * HMAC-MD5 checksum over any key (needed for the PAC routines)
- */
-
-static krb5_error_code
-HMAC_MD5_any_checksum(krb5_context context,
- const krb5_keyblock *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
+static void HEIM_CALLCONV
+pac_dealloc(void *ctx)
{
- struct _krb5_key_data local_key;
- krb5_error_code ret;
-
- memset(&local_key, 0, sizeof(local_key));
+ krb5_pac pac = (krb5_pac)ctx;
- ret = krb5_copy_keyblock(context, key, &local_key.key);
- if (ret)
- return ret;
+ krb5_data_free(&pac->data);
+ krb5_data_free(&pac->ticket_sign_data);
- ret = krb5_data_alloc (&result->checksum, 16);
- if (ret) {
- krb5_free_keyblock(context, local_key.key);
- return ret;
+ if (pac->upn_princ) {
+ free_Principal(pac->upn_princ);
+ free(pac->upn_princ);
}
+ if (pac->canon_princ) {
+ free_Principal(pac->canon_princ);
+ free(pac->canon_princ);
+ }
+ krb5_data_free(&pac->sid);
- result->cksumtype = CKSUMTYPE_HMAC_MD5;
- ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result);
- if (ret)
- krb5_data_free(&result->checksum);
-
- krb5_free_keyblock(context, local_key.key);
- return ret;
+ free(pac->pac);
}
+static const struct heim_type_data pac_object = {
+ HEIM_TID_PAC,
+ "heim-pac",
+ NULL,
+ pac_dealloc,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+};
-static krb5_error_code pac_header_size(krb5_context context,
- uint32_t num_buffers,
- uint32_t *result)
+/*
+ * Returns the size of the PACTYPE header + the PAC_INFO_BUFFER array. This is
+ * also the end of the whole thing, and any offsets to buffers from
+ * thePAC_INFO_BUFFER[] entries have to be beyond it.
+ */
+static krb5_error_code
+pac_header_size(krb5_context context, uint32_t num_buffers, uint32_t *result)
{
krb5_error_code ret;
uint32_t header_size;
- /* Guard against integer overflow on 32-bit systems. */
+ /* Guard against integer overflow */
if (num_buffers > UINT32_MAX / PAC_INFO_BUFFER_SIZE) {
- ret = EINVAL;
+ ret = EOVERFLOW;
krb5_set_error_message(context, ret, "PAC has too many buffers");
return ret;
}
header_size = PAC_INFO_BUFFER_SIZE * num_buffers;
- /* Guard against integer overflow on 32-bit systems. */
+ /* Guard against integer overflow */
if (header_size > UINT32_MAX - PACTYPE_SIZE) {
- ret = EINVAL;
+ ret = EOVERFLOW;
krb5_set_error_message(context, ret, "PAC has too many buffers");
return ret;
}
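Review bot: The new comment on pac_header_size says the result "is also the end of the whole thing", which reads as the end of the PAC, while the function computes the end of the header plus descriptor array. The comment also contains the typo `thePAC_INFO_BUFFER[]`. Suggested wording: `/* Size of the PACTYPE header plus the PAC_INFO_BUFFER array, i.e. the end of the header; buffer offsets in the array entries must point past it. */`. pac_dealloc frees `upn_princ`, `canon_princ`, `sid` and both data blobs unconditionally, which is safe only if `_heim_alloc_object` zero-fills the object. That is not visible here and is worth a one-line comment. pac_header_size ends outside this hunk.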
@@ -140,28 +180,71 @@ static krb5_error_code pac_header_size(krb5_context context,
return 0;
}
-static krb5_error_code pac_aligned_size(krb5_context context,
- uint32_t size,
- uint32_t *aligned_size)
+/* Output `size' + `addend' + padding for alignment if it doesn't overflow */
+static krb5_error_code
+pac_aligned_size(krb5_context context,
+ uint32_t size,
+ uint32_t addend,
+ uint32_t *aligned_size)
{
krb5_error_code ret;
- /* Guard against integer overflow on 32-bit systems. */
- if (size > UINT32_MAX - (PAC_ALIGNMENT - 1)) {
- ret = EINVAL;
+ if (size > UINT32_MAX - addend ||
+ (size + addend) > UINT32_MAX - (PAC_ALIGNMENT - 1)) {
+ ret = EOVERFLOW;
krb5_set_error_message(context, ret, "integer overrun");
return ret;
}
+ size += addend;
size += PAC_ALIGNMENT - 1;
+ size &= ~(PAC_ALIGNMENT - 1);
+ *aligned_size = size;
+ return 0;
+}
- /* align to PAC_ALIGNMENT */
- size = (size / PAC_ALIGNMENT) * PAC_ALIGNMENT;
+/*
+ * HMAC-MD5 checksum over any key (needed for the PAC routines)
+ */
- *aligned_size = size;
+static krb5_error_code
+HMAC_MD5_any_checksum(krb5_context context,
+ const krb5_keyblock *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *result)
+{
+ struct _krb5_key_data local_key;
+ struct krb5_crypto_iov iov;
+ krb5_error_code ret;
- return 0;
+ memset(&local_key, 0, sizeof(local_key));
+
+ ret = krb5_copy_keyblock(context, key, &local_key.key);
+ if (ret)
+ return ret;
+
+ ret = krb5_data_alloc (&result->checksum, 16);
+ if (ret) {
+ krb5_free_keyblock(context, local_key.key);
+ return ret;
+ }
+
+ result->cksumtype = CKSUMTYPE_HMAC_MD5;
+ iov.data.data = (void *)data;
+ iov.data.length = len;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+
+ ret = _krb5_HMAC_MD5_checksum(context, NULL, &local_key, usage, &iov, 1,
+ result);
+ if (ret)
+ krb5_data_free(&result->checksum);
+
+ krb5_free_keyblock(context, local_key.key);
+ return ret;
}
+
/*
*
*/
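Review bot: The rounding in pac_aligned_size changed from divide-and-multiply to `size &= ~(PAC_ALIGNMENT - 1)`, which is correct only while `PAC_ALIGNMENT` is a power of two; the old form had no such requirement. Record that next to the mask, e.g. `/* PAC_ALIGNMENT must be a power of two */`. In HMAC_MD5_any_checksum the cast `(void *)data` drops `const` by hand where other files in this commit use `rk_UNCONST`. `iov.data.data = rk_UNCONST(data);` would be consistent with them.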
@@ -170,144 +253,164 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
krb5_pac *pac)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
krb5_pac p;
krb5_storage *sp = NULL;
- uint32_t i, tmp, tmp2, header_end;
-
- p = calloc(1, sizeof(*p));
- if (p == NULL) {
- ret = krb5_enomem(context);
- goto out;
- }
+ uint32_t i, num_buffers, version, header_size = 0;
+ uint32_t prev_start = 0;
+ uint32_t prev_end = 0;
- sp = krb5_storage_from_readonly_mem(ptr, len);
- if (sp == NULL) {
+ *pac = NULL;
+ p = _heim_alloc_object(&pac_object, sizeof(*p));
+ if (p)
+ sp = krb5_storage_from_readonly_mem(ptr, len);
+ if (sp == NULL)
ret = krb5_enomem(context);
- goto out;
- }
- krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
-
- CHECK(ret, krb5_ret_uint32(sp, &tmp), out);
- CHECK(ret, krb5_ret_uint32(sp, &tmp2), out);
- if (tmp < 1) {
- ret = EINVAL; /* Too few buffers */
- krb5_set_error_message(context, ret, N_("PAC have too few buffer", ""));
- goto out;
- }
- if (tmp2 != 0) {
- ret = EINVAL; /* Wrong version */
- krb5_set_error_message(context, ret,
- N_("PAC have wrong version %d", ""),
- (int)tmp2);
- goto out;
- }
-
- ret = pac_header_size(context, tmp, &header_end);
- if (ret) {
- return ret;
+ if (ret == 0) {
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+ ret = krb5_ret_uint32(sp, &num_buffers);
}
-
- p->pac = calloc(1, header_end);
- if (p->pac == NULL) {
+ if (ret == 0)
+ ret = krb5_ret_uint32(sp, &version);
+ if (ret == 0 && num_buffers < 1)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has too few buffers", ""));
+ if (ret == 0 && num_buffers > 1000)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has too many buffers", ""));
+ if (ret == 0 && version != 0)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has wrong version %d", ""),
+ (int)version);
+ if (ret == 0)
+ ret = pac_header_size(context, num_buffers, &header_size);
+ if (ret == 0 && header_size > len)
+ krb5_set_error_message(context, ret = EOVERFLOW,
+ N_("PAC encoding invalid, would overflow buffers", ""));
+ if (ret == 0)
+ p->pac = calloc(1, header_size);
+ if (ret == 0 && p->pac == NULL)
ret = krb5_enomem(context);
- goto out;
- }
-
- p->pac->numbuffers = tmp;
- p->pac->version = tmp2;
- if (header_end > len) {
- ret = EINVAL;
- goto out;
+ if (ret == 0) {
+ p->pac->numbuffers = num_buffers;
+ p->pac->version = version;
}
- for (i = 0; i < p->pac->numbuffers; i++) {
- CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].type), out);
- CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize), out);
- CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_lo), out);
- CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_hi), out);
+ for (i = 0; ret == 0 && i < p->pac->numbuffers; i++) {
+ ret = krb5_ret_uint32(sp, &p->pac->buffers[i].type);
+ if (ret == 0)
+ ret = krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize);
+ if (ret == 0)
+ ret = krb5_ret_uint64(sp, &p->pac->buffers[i].offset);
+ if (ret)
+ break;
- /* consistency checks */
- if (p->pac->buffers[i].offset_lo & (PAC_ALIGNMENT - 1)) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC out of allignment", ""));
- goto out;
- }
- if (p->pac->buffers[i].offset_hi) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC high offset set", ""));
- goto out;
+ /* Consistency checks (we don't check for wasted space) */
+ if (p->pac->buffers[i].offset & (PAC_ALIGNMENT - 1)) {
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC out of alignment", ""));
+ break;
}
- if (p->pac->buffers[i].offset_lo > len) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC offset off end", ""));
- goto out;
+ if (p->pac->buffers[i].offset > len ||
+ p->pac->buffers[i].buffersize > len ||
+ len - p->pac->buffers[i].offset < p->pac->buffers[i].buffersize) {
+ krb5_set_error_message(context, ret = EOVERFLOW,
+ N_("PAC buffer overflow", ""));
+ break;
}
- if (p->pac->buffers[i].offset_lo < header_end) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
+ if (p->pac->buffers[i].offset < header_size) {
+ krb5_set_error_message(context, ret = EINVAL,
N_("PAC offset inside header: %lu %lu", ""),
- (unsigned long)p->pac->buffers[i].offset_lo,
- (unsigned long)header_end);
- goto out;
- }
- if (p->pac->buffers[i].buffersize > len - p->pac->buffers[i].offset_lo){
- ret = EINVAL;
- krb5_set_error_message(context, ret, N_("PAC length off end", ""));
- goto out;
+ (unsigned long)p->pac->buffers[i].offset,
+ (unsigned long)header_size);
+ break;
}
- /* let save pointer to data we need later */
- if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
- if (p->server_checksum) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC have two server checksums", ""));
- goto out;
- }
- p->server_checksum = &p->pac->buffers[i];
- } else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
- if (p->privsvr_checksum) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC have two KDC checksums", ""));
- goto out;
- }
- p->privsvr_checksum = &p->pac->buffers[i];
- } else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
- if (p->logon_name) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC have two logon names", ""));
- goto out;
- }
- p->logon_name = &p->pac->buffers[i];
- }
+ /*
+ * We'd like to check for non-overlapping of buffers, but the buffers
+ * need not be in the same order as the PAC_INFO_BUFFER[] entries
+ * pointing to them! To fully check for overlap we'd have to have an
+ * O(N^2) loop after we parse all the PAC_INFO_BUFFER[].
+ *
+ * But we can check that each buffer does not overlap the previous
+ * buffer.
+ */
+ if (prev_start) {
+ if (p->pac->buffers[i].offset >= prev_start &&
+ p->pac->buffers[i].offset < prev_end) {
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC overlap", ""));
+ break;
+ }
+ if (p->pac->buffers[i].offset < prev_start &&
+ p->pac->buffers[i].offset +
+ p->pac->buffers[i].buffersize > prev_start) {
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC overlap", ""));
+ break;
+ }
+ }
+ prev_start = p->pac->buffers[i].offset;
+ prev_end = p->pac->buffers[i].offset + p->pac->buffers[i].buffersize;
+
+ /* Let's save pointers to buffers we'll need later */
+ switch (p->pac->buffers[i].type) {
+ case PAC_SERVER_CHECKSUM:
+ if (p->server_checksum)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple server checksums", ""));
+ else
+ p->server_checksum = &p->pac->buffers[i];
+ break;
+ case PAC_PRIVSVR_CHECKSUM:
+ if (p->privsvr_checksum)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple KDC checksums", ""));
+ else
+ p->privsvr_checksum = &p->pac->buffers[i];
+ break;
+ case PAC_LOGON_NAME:
+ if (p->logon_name)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple logon names", ""));
+ else
+ p->logon_name = &p->pac->buffers[i];
+ break;
+ case PAC_UPN_DNS_INFO:
+ if (p->upn_dns_info)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple UPN DNS info buffers", ""));
+ else
+ p->upn_dns_info = &p->pac->buffers[i];
+ break;
+ case PAC_TICKET_CHECKSUM:
+ if (p->ticket_checksum)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple ticket checksums", ""));
+ else
+ p->ticket_checksum = &p->pac->buffers[i];
+ break;
+ case PAC_ATTRIBUTES_INFO:
+ if (p->attributes_info)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple attributes info buffers", ""));
+ else
+ p->attributes_info = &p->pac->buffers[i];
+ break;
+ default: break;
+ }
}
- ret = krb5_data_copy(&p->data, ptr, len);
- if (ret)
- goto out;
-
- krb5_storage_free(sp);
-
- *pac = p;
- return 0;
-
-out:
- if (sp)
- krb5_storage_free(sp);
- if (p) {
- if (p->pac)
- free(p->pac);
- free(p);
+ if (ret == 0)
+ ret = krb5_data_copy(&p->data, ptr, len);
+ if (ret == 0) {
+ *pac = p;
+ p = NULL;
}
- *pac = NULL;
-
+ if (sp)
+ krb5_storage_free(sp);
+ krb5_pac_free(context, p);
return ret;
}
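Review bot: `prev_start` and `prev_end` in krb5_pac_parse are declared `uint32_t` but are assigned from the `offset` field, which this commit reads with `krb5_ret_uint64`. The adjacent-buffer overlap test therefore works on truncated values whenever `len` (a `size_t`) is large enough for an offset, or `offset + buffersize`, to exceed 32 bits. Declaring them as `uint64_t prev_start = 0, prev_end = 0;` keeps the comparison in the width of the field being checked; rejecting `len > UINT32_MAX` at the top of the function would work as well. The `1000` limit on `num_buffers` would also read better as a named constant with a comment on where the bound comes from.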
@@ -317,120 +420,128 @@ krb5_pac_init(krb5_context context, krb5_pac *pac)
krb5_error_code ret;
krb5_pac p;
- p = calloc(1, sizeof(*p));
+ p = _heim_alloc_object(&pac_object, sizeof(*p));
if (p == NULL) {
return krb5_enomem(context);
}
p->pac = calloc(1, sizeof(*p->pac));
if (p->pac == NULL) {
- free(p);
+ krb5_pac_free(context, p);
return krb5_enomem(context);
}
ret = krb5_data_alloc(&p->data, PACTYPE_SIZE);
if (ret) {
free (p->pac);
- free(p);
+ krb5_pac_free(context, p);
return krb5_enomem(context);
}
+ memset(p->data.data, 0, p->data.length);
*pac = p;
return 0;
}
+/**
+ * Add a PAC buffer `nd' of type `type' to the pac `p'.
+ *
+ * @param context
+ * @param p
+ * @param type
+ * @param nd
+ *
+ * @return 0 on success or a Kerberos or system error.
+ */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_add_buffer(krb5_context context, krb5_pac p,
- uint32_t type, const krb5_data *data)
+ uint32_t type, const krb5_data *nd)
{
krb5_error_code ret;
void *ptr;
- uint32_t unaligned_len, num_buffers, len, offset, header_end, old_end;
+ size_t old_len = p->data.length;
+ uint32_t len, offset, header_size;
uint32_t i;
+ uint32_t num_buffers;
- if (data->length > UINT32_MAX) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- return ret;
- }
+ assert(nd->data != NULL);
num_buffers = p->pac->numbuffers;
-
- if (num_buffers >= UINT32_MAX) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- return ret;
- }
- ret = pac_header_size(context, num_buffers + 1, &header_end);
- if (ret) {
+ ret = pac_header_size(context, num_buffers + 1, &header_size);
+ if (ret)
return ret;
- }
- ptr = realloc(p->pac, header_end);
+ ptr = realloc(p->pac, header_size);
if (ptr == NULL)
return krb5_enomem(context);
p->pac = ptr;
+ p->pac->buffers[num_buffers].type = 0;
+ p->pac->buffers[num_buffers].buffersize = 0;
+ p->pac->buffers[num_buffers].offset = 0;
+ /*
+ * Check that we can adjust all the buffer offsets in the existing
+ * PAC_INFO_BUFFERs, since changing the size of PAC_INFO_BUFFER[] means
+ * changing the offsets of buffers following that array.
+ *
+ * We don't adjust them until we can't fail.
+ */
for (i = 0; i < num_buffers; i++) {
- if (p->pac->buffers[i].offset_lo > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
+ if (p->pac->buffers[i].offset > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
+ krb5_set_error_message(context, ret = EOVERFLOW,
+ "too many / too large PAC buffers");
return ret;
}
-
- p->pac->buffers[i].offset_lo += PAC_INFO_BUFFER_SIZE;
- }
-
- if (p->data.length > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- return ret;
}
- offset = p->data.length + PAC_INFO_BUFFER_SIZE;
- p->pac->buffers[num_buffers].type = type;
- p->pac->buffers[num_buffers].buffersize = data->length;
- p->pac->buffers[num_buffers].offset_lo = offset;
- p->pac->buffers[num_buffers].offset_hi = 0;
+ /*
+ * The new buffer's offset must be past the end of the buffers we have
+ * (p->data), which is the sum of the header and p->data.length.
+ */
- old_end = p->data.length;
- if (offset > UINT32_MAX - data->length) {
- krb5_set_error_message(context, EINVAL, "integer overrun");
- return EINVAL;
+ /* Set offset = p->data.length + PAC_INFO_BUFFER_SIZE + alignment */
+ ret = pac_aligned_size(context, p->data.length, PAC_INFO_BUFFER_SIZE, &offset);
+ if (ret == 0)
+ /* Set the new length = offset + nd->length + alignment */
+ ret = pac_aligned_size(context, offset, nd->length, &len);
+ if (ret) {
+ krb5_set_error_message(context, ret, "PAC buffer too large");
+ return ret;
}
- unaligned_len = offset + data->length;
-
- ret = pac_aligned_size(context, unaligned_len, &len);
- if (ret)
- return ret;
-
ret = krb5_data_realloc(&p->data, len);
if (ret) {
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
return ret;
}
+ /* Zero out the new allocation to zero out any padding */
+ memset((char *)p->data.data + old_len, 0, len - old_len);
+
+ p->pac->buffers[num_buffers].type = type;
+ p->pac->buffers[num_buffers].buffersize = nd->length;
+ p->pac->buffers[num_buffers].offset = offset;
+
+ /* Adjust all the buffer offsets in the existing PAC_INFO_BUFFERs now */
+ for (i = 0; i < num_buffers; i++)
+ p->pac->buffers[i].offset += PAC_INFO_BUFFER_SIZE;
+
/*
- * make place for new PAC INFO BUFFER header
+ * Make place for new PAC INFO BUFFER header
*/
- header_end -= PAC_INFO_BUFFER_SIZE;
- memmove((unsigned char *)p->data.data + header_end + PAC_INFO_BUFFER_SIZE,
- (unsigned char *)p->data.data + header_end ,
- old_end - header_end);
- memset((unsigned char *)p->data.data + header_end, 0, PAC_INFO_BUFFER_SIZE);
+ header_size -= PAC_INFO_BUFFER_SIZE;
+ memmove((unsigned char *)p->data.data + header_size + PAC_INFO_BUFFER_SIZE,
+ (unsigned char *)p->data.data + header_size ,
+ old_len - header_size);
+ /* Clear the space where we would put the new PAC_INFO_BUFFER[] element */
+ memset((unsigned char *)p->data.data + header_size, 0,
+ PAC_INFO_BUFFER_SIZE);
/*
- * copy in new data part
+ * Copy in new data part
*/
-
- memcpy((unsigned char *)p->data.data + offset,
- data->data, data->length);
- memset((unsigned char *)p->data.data + offset + data->length,
- 0, p->data.length - unaligned_len);
-
+ memcpy((unsigned char *)p->data.data + offset, nd->data, nd->length);
p->pac->numbuffers += 1;
-
return 0;
}
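Review bot: The removed `data->length > UINT32_MAX` guard in krb5_pac_add_buffer has no replacement. `nd->length` and `p->data.length` are `size_t` but are passed to the `uint32_t` parameters of pac_aligned_size, so where `size_t` is wider than 32 bits an oversized length is truncated before the overflow check, while `memcpy(..., nd->data, nd->length)` still copies the full length into a buffer sized from the truncated value. Restore the range check before the first pac_aligned_size call, e.g. `if (nd->length > UINT32_MAX || p->data.length > UINT32_MAX)` returning `EOVERFLOW` with an error message. Separately, in krb5_pac_init the `free (p->pac);` that precedes `krb5_pac_free(context, p);` looks like a double free if the object's release path also frees `p->pac`. krb5_pac_parse in this commit relies on it doing so, though the destructor is outside this hunk; if that is right, the explicit `free` should go.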
@@ -442,45 +553,85 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
* @param type type of buffer to get
* @param data return data, free with krb5_data_free().
*
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
+ * @return Returns 0 to indicate success, ENOENT to indicate that a buffer of
+ * the given type was not found, or a Kerberos or system error code.
*
* @ingroup krb5_pac
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_get_buffer(krb5_context context, krb5_pac p,
+krb5_pac_get_buffer(krb5_context context, krb5_const_pac p,
uint32_t type, krb5_data *data)
{
krb5_error_code ret;
uint32_t i;
for (i = 0; i < p->pac->numbuffers; i++) {
- const uint32_t len = p->pac->buffers[i].buffersize;
- const uint32_t offset = p->pac->buffers[i].offset_lo;
+ size_t len = p->pac->buffers[i].buffersize;
+ size_t offset = p->pac->buffers[i].offset;
if (p->pac->buffers[i].type != type)
continue;
- ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
- if (ret) {
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
- return ret;
- }
- return 0;
+ if (!data)
+ return 0;
+
+ ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
+ if (ret)
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ return ret;
}
krb5_set_error_message(context, ENOENT, "No PAC buffer of type %lu was found",
(unsigned long)type);
return ENOENT;
}
+static const struct {
+ uint32_t type;
+ krb5_data name;
+} pac_buffer_name_map[] = {
+#define PAC_MAP_ENTRY(type, name) { PAC_##type, { sizeof(name) - 1, name } }
+ PAC_MAP_ENTRY(LOGON_INFO, "logon-info" ),
+ PAC_MAP_ENTRY(CREDENTIALS_INFO, "credentials-info" ),
+ PAC_MAP_ENTRY(SERVER_CHECKSUM, "server-checksum" ),
+ PAC_MAP_ENTRY(PRIVSVR_CHECKSUM, "privsvr-checksum" ),
+ PAC_MAP_ENTRY(LOGON_NAME, "client-info" ),
+ PAC_MAP_ENTRY(CONSTRAINED_DELEGATION, "delegation-info" ),
+ PAC_MAP_ENTRY(UPN_DNS_INFO, "upn-dns-info" ),
+ PAC_MAP_ENTRY(TICKET_CHECKSUM, "ticket-checksum" ),
+ PAC_MAP_ENTRY(ATTRIBUTES_INFO, "attributes-info" ),
+ PAC_MAP_ENTRY(REQUESTOR_SID, "requestor-sid" )
+};
+
+/*
+ *
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_pac_get_buffer_by_name(krb5_context context, krb5_const_pac p,
+ const krb5_data *name, krb5_data *data)
+{
+ size_t i;
+
+ for (i = 0;
+ i < sizeof(pac_buffer_name_map) / sizeof(pac_buffer_name_map[0]);
+ i++) {
+ if (krb5_data_cmp(name, &pac_buffer_name_map[i].name) == 0)
+ return krb5_pac_get_buffer(context, p, pac_buffer_name_map[i].type, data);
+ }
+
+ krb5_set_error_message(context, ENOENT, "No PAC buffer with name %.*s was found",
+ (int)name->length, (char *)name->data);
+ return ENOENT;
+}
+
/*
*
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_types(krb5_context context,
- krb5_pac p,
+ krb5_const_pac p,
size_t *len,
uint32_t **types)
{
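Review bot: krb5_pac_get_buffer now accepts `data == NULL` and returns 0 when a buffer of the type exists, but the doc comment still describes `data` only as "return data, free with krb5_data_free()". Callers need to know that NULL is a supported existence probe, so the `@param data` line should say so, e.g. `@param data return data, free with krb5_data_free(); may be NULL to only test for presence`. `_krb5_pac_get_buffer_by_name` is added under an empty `/* */` comment; it deserves a sentence on the accepted names (the `pac_buffer_name_map` strings) and on `ENOENT` being returned both for an unknown name and for a known name with no buffer. The `PAC_MAP_ENTRY` helper macro is never `#undef`'d after the table, which leaves it visible for the rest of the file.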
@@ -505,9 +656,7 @@ krb5_pac_get_types(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_pac_free(krb5_context context, krb5_pac pac)
{
- krb5_data_free(&pac->data);
- free(pac->pac);
- free(pac);
+ heim_release(pac);
}
/*
@@ -525,10 +674,11 @@ verify_checksum(krb5_context context,
uint32_t type;
krb5_error_code ret;
Checksum cksum;
+ size_t cksumsize;
memset(&cksum, 0, sizeof(cksum));
- sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo,
+ sp = krb5_storage_from_mem((char *)data->data + sig->offset,
sig->buffersize);
if (sp == NULL)
return krb5_enomem(context);
@@ -537,8 +687,17 @@ verify_checksum(krb5_context context,
CHECK(ret, krb5_ret_uint32(sp, &type), out);
cksum.cksumtype = type;
- cksum.checksum.length =
- sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR);
+
+ ret = krb5_checksumsize(context, type, &cksumsize);
+ if (ret)
+ goto out;
+
+ /* Allow for RODCIdentifier trailer, see MS-PAC 2.8 */
+ if (cksumsize > (sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR))) {
+ ret = EINVAL;
+ goto out;
+ }
+ cksum.checksum.length = cksumsize;
cksum.checksum.data = malloc(cksum.checksum.length);
if (cksum.checksum.data == NULL) {
ret = krb5_enomem(context);
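Review bot: The new `cksumsize > (sig->buffersize - ...)` rejection in verify_checksum returns a bare `EINVAL` without calling `krb5_set_error_message`. The short-read and unkeyed-checksum paths just below set a message, and this commit moves them to `KRB5KRB_AP_ERR_INAPP_CKSUM`. For a consistent failure report, use the same code and add a message, e.g. `ret = KRB5KRB_AP_ERR_INAPP_CKSUM;` followed by `krb5_set_error_message(context, ret, "PAC checksum buffer too short for checksum type %d", (int)type);`. The "Allow for RODCIdentifier trailer" comment should also say that any bytes after `cksumsize` are not examined here, since the length is no longer derived from the buffer size. The function body starts and ends outside this hunk.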
@@ -546,13 +705,13 @@ verify_checksum(krb5_context context,
}
ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
if (ret != (int)cksum.checksum.length) {
- ret = EINVAL;
+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
krb5_set_error_message(context, ret, "PAC checksum missing checksum");
goto out;
}
if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
- ret = EINVAL;
+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
krb5_set_error_message(context, ret, "Checksum type %d not keyed",
cksum.cksumtype);
goto out;
@@ -655,6 +814,202 @@ create_checksum(krb5_context context,
return 0;
}
+static krb5_error_code
+parse_upn_dns_info(krb5_context context,
+ const struct PAC_INFO_BUFFER *upndnsinfo,
+ const krb5_data *data,
+ krb5_principal *upn_princ,
+ uint32_t *flags,
+ krb5_principal *canon_princ,
+ krb5_data *sid)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ uint16_t upn_length, upn_offset;
+ uint16_t dns_domain_name_length, dns_domain_name_offset;
+ uint16_t canon_princ_length, canon_princ_offset;
+ uint16_t sid_length, sid_offset;
+ char *upn = NULL;
+ char *dns_domain_name = NULL;
+ char *sam_name = NULL;
+
+ *upn_princ = NULL;
+ *flags = 0;
+ *canon_princ = NULL;
+ krb5_data_zero(sid);
+
+ sp = krb5_storage_from_readonly_mem((const char *)data->data + upndnsinfo->offset,
+ upndnsinfo->buffersize);
+ if (sp == NULL)
+ return krb5_enomem(context);
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ CHECK(ret, krb5_ret_uint16(sp, &upn_length), out);
+ CHECK(ret, krb5_ret_uint16(sp, &upn_offset), out);
+ CHECK(ret, krb5_ret_uint16(sp, &dns_domain_name_length), out);
+ CHECK(ret, krb5_ret_uint16(sp, &dns_domain_name_offset), out);
+ CHECK(ret, krb5_ret_uint32(sp, flags), out);
+
+ if (*flags & PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID) {
+ CHECK(ret, krb5_ret_uint16(sp, &canon_princ_length), out);
+ CHECK(ret, krb5_ret_uint16(sp, &canon_princ_offset), out);
+ CHECK(ret, krb5_ret_uint16(sp, &sid_length), out);
+ CHECK(ret, krb5_ret_uint16(sp, &sid_offset), out);
+ } else {
+ canon_princ_length = canon_princ_offset = 0;
+ sid_length = sid_offset = 0;
+ }
+
+ if (upn_offset) {
+ CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, upn_offset,
+ upn_length, &upn), out);
+ }
+ CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, dns_domain_name_offset,
+ dns_domain_name_length, &dns_domain_name), out);
+ if ((*flags & PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID) && canon_princ_offset) {
+ CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, canon_princ_offset,
+ canon_princ_length, &sam_name), out);
+ }
+
+ if (upn_offset) {
+ ret = krb5_parse_name_flags(context,
+ upn,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE |
+ KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
+ upn_princ);
+ if (ret)
+ goto out;
+
+ ret = krb5_principal_set_realm(context, *upn_princ, dns_domain_name);
+ if (ret)
+ goto out;
+ }
+
+ if (canon_princ_offset) {
+ ret = krb5_parse_name_flags(context,
+ sam_name,
+ KRB5_PRINCIPAL_PARSE_NO_REALM |
+ KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
+ canon_princ);
+ if (ret)
+ goto out;
+
+ ret = krb5_principal_set_realm(context, *canon_princ, dns_domain_name);
+ if (ret)
+ goto out;
+ }
+
+ if (sid_offset)
+ CHECK(ret, _krb5_ret_data_at_offset(sp, sid_offset, sid_length, sid), out);
+
+out:
+ free(upn);
+ free(dns_domain_name);
+ free(sam_name);
+
+ krb5_storage_free(sp);
+
+ return ret;
+}
+
+#define UPN_DNS_INFO_EX_LENGTH 20
+
+static krb5_error_code
+build_upn_dns_info(krb5_context context,
+ krb5_const_principal upn_princ,
+ krb5_boolean upn_defaulted,
+ krb5_const_principal canon_princ,
+ const krb5_data *sid,
+ krb5_data *upn_dns_info)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ char *upn_princ_name = NULL;
+ char *canon_princ_name = NULL;
+ uint32_t flags;
+ krb5_const_realm realm;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ if (upn_princ) {
+ ret = krb5_unparse_name_flags(context, upn_princ,
+ KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+ &upn_princ_name);
+ if (ret)
+ goto out;
+ }
+
+ ret = krb5_storage_truncate(sp, UPN_DNS_INFO_EX_LENGTH);
+ if (ret)
+ goto out;
+
+ ret = _krb5_store_utf8_as_ucs2le_at_offset(sp, (off_t)-1, upn_princ_name);
+ if (ret)
+ goto out;
+
+ if (canon_princ) {
+ ret = krb5_unparse_name_flags(context, canon_princ,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &canon_princ_name);
+ if (ret)
+ goto out;
+ }
+
+ if (canon_princ)
+ realm = canon_princ->realm;
+ else if (upn_princ)
+ realm = upn_princ->realm;
+ else {
+ ret = EINVAL;
+ goto out;
+ }
+
+ ret = _krb5_store_utf8_as_ucs2le_at_offset(sp, (off_t)-1, realm);
+ if (ret)
+ goto out;
+
+ flags = 0;
+ if (upn_princ && upn_defaulted)
+ flags |= PAC_EXTRA_LOGON_INFO_FLAGS_UPN_DEFAULTED;
+ if (canon_princ || sid)
+ flags |= PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID;
+
+ ret = krb5_store_uint32(sp, flags);
+ if (ret)
+ goto out;
+
+ if (flags & PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID) {
+ ret = _krb5_store_utf8_as_ucs2le_at_offset(sp, (off_t)-1,
+ canon_princ_name);
+ if (ret)
+ goto out;
+
+ ret = _krb5_store_data_at_offset(sp, (off_t)-1, sid);
+ if (ret)
+ goto out;
+ }
+
+ ret = krb5_storage_to_data(sp, upn_dns_info);
+ if (ret)
+ goto out;
+
+out:
+ if (ret)
+ krb5_data_free(upn_dns_info);
+
+ krb5_xfree(canon_princ_name);
+ krb5_xfree(upn_princ_name);
+ krb5_storage_free(sp);
+
+ return ret;
+}
/*
*
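Review bot: parse_upn_dns_info can return an error with `*upn_princ`, `*canon_princ` or `sid` already populated, for example when `krb5_parse_name_flags` succeeds and the following `krb5_principal_set_realm` fails. The `out:` label frees only the temporary strings and the storage. The caller in krb5_pac_verify stores these outputs directly in the `krb5_pac` and skips re-parsing once any of them is non-NULL, so a failed parse leaves half-built state that a later call would treat as already parsed. Release and reset the outputs on the error path, as in the excerpt below. build_upn_dns_info has the mirror-image problem: it calls `krb5_data_free(upn_dns_info)` on failure without first zeroing the output the way build_attributes_info does, so a `krb5_data_zero(upn_dns_info);` at the top would remove the dependency on the caller.

```c
out:
    if (ret) {
        /* Do not hand partially built results back to the caller */
        krb5_free_principal(context, *upn_princ);
        *upn_princ = NULL;
        krb5_free_principal(context, *canon_princ);
        *canon_princ = NULL;
        krb5_data_free(sid);
    }
    /* … unchanged: free(upn), free(dns_domain_name), free(sam_name), krb5_storage_free(sp), return ret … */
```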
@@ -679,13 +1034,13 @@ verify_logonname(krb5_context context,
{
krb5_error_code ret;
uint32_t time1, time2;
- krb5_storage *sp;
+ krb5_storage *sp = NULL;
uint16_t len;
char *s = NULL;
char *principal_string = NULL;
char *logon_string = NULL;
- sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
+ sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset,
logon_name->buffersize);
if (sp == NULL)
return krb5_enomem(context);
@@ -725,6 +1080,7 @@ verify_logonname(krb5_context context,
}
ret = krb5_storage_read(sp, s, len);
if (ret != len) {
+ free(s);
krb5_storage_free(sp);
krb5_set_error_message(context, EINVAL, "Failed to read PAC logon name");
return EINVAL;
@@ -737,8 +1093,10 @@ verify_logonname(krb5_context context,
unsigned int flags = WIND_RW_LE;
ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
- if (ucs2 == NULL)
+ if (ucs2 == NULL) {
+ free(s);
return krb5_enomem(context);
+ }
ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
free(s);
@@ -776,8 +1134,7 @@ verify_logonname(krb5_context context,
return ret;
}
- ret = strcmp(logon_string, principal_string);
- if (ret != 0) {
+ if (strcmp(logon_string, principal_string) != 0) {
ret = EINVAL;
krb5_set_error_message(context, ret, "PAC logon name [%s] mismatch principal name [%s]",
logon_string, principal_string);
@@ -786,6 +1143,7 @@ verify_logonname(krb5_context context,
free(principal_string);
return ret;
out:
+ krb5_storage_free(sp);
return ret;
}
@@ -802,7 +1160,7 @@ build_logon_name(krb5_context context,
krb5_error_code ret;
krb5_storage *sp;
uint64_t t;
- char *s, *s2;
+ char *s, *s2 = NULL;
size_t s2_len;
t = unix2nttime(authtime);
@@ -849,7 +1207,7 @@ build_logon_name(krb5_context context,
krb5_set_error_message(context, ret, "Principal %s is not valid UTF-8", s);
free(s);
return ret;
- } else
+ } else
free(s);
s2_len = (ucs2_len + 1) * 2;
@@ -878,22 +1236,91 @@ build_logon_name(krb5_context context,
CHECK(ret, krb5_store_uint16(sp, s2_len), out);
ret = krb5_storage_write(sp, s2, s2_len);
- free(s2);
if (ret != (int)s2_len) {
ret = krb5_enomem(context);
goto out;
}
ret = krb5_storage_to_data(sp, logon);
- if (ret)
- goto out;
+
+ out:
+ free(s2);
krb5_storage_free(sp);
+ return ret;
+}
+
+static krb5_error_code
+parse_attributes_info(krb5_context context,
+ const struct PAC_INFO_BUFFER *attributes_info,
+ const krb5_data *data,
+ uint64_t *pac_attributes)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ uint32_t flags_length;
+
+ *pac_attributes = 0;
+
+ sp = krb5_storage_from_readonly_mem((const char *)data->data + attributes_info->offset,
+ attributes_info->buffersize);
+ if (sp == NULL)
+ return krb5_enomem(context);
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ ret = krb5_ret_uint32(sp, &flags_length);
+ if (ret == 0) {
+ if (flags_length > 32)
+ ret = krb5_ret_uint64(sp, pac_attributes);
+ else {
+ uint32_t pac_attributes32 = 0;
+ ret = krb5_ret_uint32(sp, &pac_attributes32);
+ *pac_attributes = pac_attributes32;
+ }
+ }
- return 0;
-out:
krb5_storage_free(sp);
+
return ret;
}
+static krb5_error_code
+build_attributes_info(krb5_context context,
+ uint64_t pac_attributes,
+ krb5_data *attributes_info)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ uint32_t flags_length;
+
+ krb5_data_zero(attributes_info);
+
+ sp = krb5_storage_emem();
+ if (sp == NULL)
+ return krb5_enomem(context);
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ if (pac_attributes == 0)
+ flags_length = 0;
+ else
+ flags_length = 64 - rk_clzll(pac_attributes);
+ if (flags_length < KRB5_PAC_WAS_GIVEN_IMPLICITLY)
+ flags_length = KRB5_PAC_WAS_GIVEN_IMPLICITLY;
+
+ ret = krb5_store_uint32(sp, flags_length);
+ if (ret == 0) {
+ if (flags_length > 32)
+ ret = krb5_store_uint64(sp, pac_attributes);
+ else
+ ret = krb5_store_uint32(sp, (uint32_t)pac_attributes);
+ }
+ if (ret == 0)
+ ret = krb5_storage_to_data(sp, attributes_info);
+
+ krb5_storage_free(sp);
+
+ return ret;
+}
/**
* Verify the PAC.
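Review bot: build_attributes_info clamps `flags_length`, a bit count, against `KRB5_PAC_WAS_GIVEN_IMPLICITLY`, which by its name is a flag value rather than a length. That is only correct if the constant's numeric value happens to equal the intended minimum number of flag bits. Either introduce a separate named minimum or add a comment such as `/* minimum FlagsLength; relies on the flag's value matching the bit count */`. On the parsing side, parse_attributes_info accepts any `flags_length` from the buffer: values above 64 are not rejected and bits above the declared length are not masked off. A bounds check and a mask would make the parsed `pac_attributes` match what the encoder claims to have sent.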
@@ -934,34 +1361,34 @@ krb5_pac_verify(krb5_context context,
return EINVAL;
}
- ret = verify_logonname(context,
- pac->logon_name,
- &pac->data,
- authtime,
- principal);
- if (ret)
- return ret;
+ if (principal != NULL) {
+ ret = verify_logonname(context, pac->logon_name, &pac->data, authtime,
+ principal);
+ if (ret)
+ return ret;
+ }
+
+ if (pac->server_checksum->buffersize < 4 ||
+ pac->privsvr_checksum->buffersize < 4)
+ return EINVAL;
/*
* in the service case, clean out data option of the privsvr and
* server checksum before checking the checksum.
*/
+ if (server != NULL)
{
krb5_data *copy;
- if (pac->server_checksum->buffersize < 4 ||
- pac->privsvr_checksum->buffersize < 4)
- return EINVAL;
-
ret = krb5_copy_data(context, &pac->data, &copy);
if (ret)
return ret;
- memset((char *)copy->data + pac->server_checksum->offset_lo + 4,
+ memset((char *)copy->data + pac->server_checksum->offset + 4,
0,
pac->server_checksum->buffersize - 4);
- memset((char *)copy->data + pac->privsvr_checksum->offset_lo + 4,
+ memset((char *)copy->data + pac->privsvr_checksum->offset + 4,
0,
pac->privsvr_checksum->buffersize - 4);
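Review bot: krb5_pac_verify now skips the logon-name check when `principal` is NULL and skips the server-checksum block when `server` is NULL, but nothing in the hunk documents these as supported inputs. A caller that passes NULL gets a success return for a PAC whose name binding or server signature was never checked. The function's doc comment, which starts outside this hunk, should state that explicitly for each parameter. The relocated `buffersize < 4` test also returns `EINVAL` without `krb5_set_error_message`, unlike the other rejections in this file.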
@@ -981,11 +1408,46 @@ krb5_pac_verify(krb5_context context,
pac->privsvr_checksum,
&pac->data,
(char *)pac->data.data
- + pac->server_checksum->offset_lo + 4,
+ + pac->server_checksum->offset + 4,
pac->server_checksum->buffersize - 4,
privsvr);
if (ret)
return ret;
+
+ if (pac->ticket_sign_data.length != 0) {
+ if (pac->ticket_checksum == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ "PAC missing ticket checksum");
+ return EINVAL;
+ }
+
+ ret = verify_checksum(context, pac->ticket_checksum, &pac->data,
+ pac->ticket_sign_data.data,
+ pac->ticket_sign_data.length, privsvr);
+ if (ret)
+ return ret;
+ }
+ }
+
+ if (pac->upn_dns_info &&
+ pac->upn_princ == NULL && pac->canon_princ == NULL && pac->sid.data == NULL) {
+ ret = parse_upn_dns_info(context, pac->upn_dns_info, &pac->data,
+ &pac->upn_princ, &pac->upn_flags,
+ &pac->canon_princ, &pac->sid);
+ if (ret)
+ return ret;
+
+ if (principal && pac->canon_princ &&
+ !krb5_realm_compare(context, principal, pac->canon_princ)) {
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+ }
+
+ if (pac->attributes_info) {
+ ret = parse_attributes_info(context, pac->attributes_info, &pac->data,
+ &pac->pac_attributes);
+ if (ret)
+ return ret;
}
return 0;
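Review bot: The realm comparison between `principal` and `pac->canon_princ` is nested inside the block that runs only while `pac->upn_princ`, `pac->canon_princ` and `pac->sid.data` are all still unset. It is therefore evaluated only on the call that first parses the UPN_DNS_INFO buffer. If krb5_pac_verify is called again on the same `krb5_pac`, for instance first with a NULL `principal` and later with a real one, the cached fields make the whole block, including the check, a no-op; whether any caller does this is not visible here. Moving the test after the parse block keeps parsing lazy but applies the check on every call: `if (principal && pac->canon_princ && !krb5_realm_compare(context, principal, pac->canon_princ)) return KRB5KRB_AP_ERR_MODIFIED;`. A `krb5_set_error_message` on that return would also help, since `KRB5KRB_AP_ERR_MODIFIED` alone does not say which field mismatched.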
@@ -1006,7 +1468,7 @@ fill_zeros(krb5_context context, krb5_storage *sp, size_t len)
if (l > sizeof(zeros))
l = sizeof(zeros);
sret = krb5_storage_write(sp, zeros, l);
- if (sret <= 0)
+ if (sret != l)
return krb5_enomem(context);
len -= sret;
@@ -1051,32 +1513,48 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pac_sign(krb5_context context,
krb5_pac p,
time_t authtime,
- krb5_principal principal,
+ krb5_const_principal principal,
const krb5_keyblock *server_key,
const krb5_keyblock *priv_key,
+ uint16_t rodc_id,
+ krb5_const_principal upn_princ,
+ krb5_const_principal canon_princ,
+ uint64_t *pac_attributes, /* optional */
krb5_data *data)
{
krb5_error_code ret;
krb5_storage *sp = NULL, *spdata = NULL;
uint32_t end;
size_t server_size, priv_size;
- uint32_t server_offset = 0, priv_offset = 0;
+ uint32_t server_offset = 0, priv_offset = 0, ticket_offset = 0;
uint32_t server_cksumtype = 0, priv_cksumtype = 0;
uint32_t num = 0;
- uint32_t i;
+ uint32_t i, sz;
krb5_data logon, d;
+ krb5_data upn_dns_info;
+ krb5_data attributes_info;
+ krb5_data_zero(&d);
krb5_data_zero(&logon);
+ krb5_data_zero(&upn_dns_info);
+ krb5_data_zero(&attributes_info);
+ /*
+ * Set convenience buffer pointers.
+ *
+ * This could really stand to be moved to krb5_pac_add_buffer() and/or
+ * utility function, so that when this function gets called they must
+ * already have been set.
+ */
for (i = 0; i < p->pac->numbuffers; i++) {
if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
if (p->server_checksum == NULL) {
p->server_checksum = &p->pac->buffers[i];
}
if (p->server_checksum != &p->pac->buffers[i]) {
- ret = EINVAL;
+ ret = KRB5KDC_ERR_BADOPTION;
krb5_set_error_message(context, ret,
- N_("PAC have two server checksums", ""));
+ N_("PAC has multiple server checksums", ""));
goto out;
}
} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
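Review bot: _krb5_pac_sign grows to eleven parameters here and only `pac_attributes` is annotated as optional, although the counting code further down in this commit also tests `upn_princ` and `canon_princ` for NULL. Each new parameter should get a line in the function's comment saying whether NULL (or `rodc_id == 0`) is allowed and what it means. If `pac_attributes` is never written through, it could be declared `const uint64_t *`, but the rest of the body is outside this hunk, so that needs confirming. With this many arguments a small options struct would be easier for callers to get right. The convenience-pointer loop also repeats the duplicate-buffer detection krb5_pac_parse performs in its `switch`, but with `KRB5KDC_ERR_BADOPTION` instead of `EINVAL`; a shared helper, as the added comment itself suggests, would keep the two in step.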
@@ -1084,9 +1562,9 @@ _krb5_pac_sign(krb5_context context,
p->privsvr_checksum = &p->pac->buffers[i];
}
if (p->privsvr_checksum != &p->pac->buffers[i]) {
- ret = EINVAL;
+ ret = KRB5KDC_ERR_BADOPTION;
krb5_set_error_message(context, ret,
- N_("PAC have two KDC checksums", ""));
+ N_("PAC has multiple KDC checksums", ""));
goto out;
}
} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
@@ -1094,84 +1572,150 @@ _krb5_pac_sign(krb5_context context,
p->logon_name = &p->pac->buffers[i];
}
if (p->logon_name != &p->pac->buffers[i]) {
- ret = EINVAL;
+ ret = KRB5KDC_ERR_BADOPTION;
+ krb5_set_error_message(context, ret,
+ N_("PAC has multiple logon names", ""));
+ goto out;
+ }
+ } else if (p->pac->buffers[i].type == PAC_UPN_DNS_INFO) {
+ if (p->upn_dns_info == NULL) {
+ p->upn_dns_info = &p->pac->buffers[i];
+ }
+ if (p->upn_dns_info != &p->pac->buffers[i]) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ krb5_set_error_message(context, ret,
+ N_("PAC has multiple UPN DNS info buffers", ""));
+ goto out;
+ }
+ } else if (p->pac->buffers[i].type == PAC_TICKET_CHECKSUM) {
+ if (p->ticket_checksum == NULL) {
+ p->ticket_checksum = &p->pac->buffers[i];
+ }
+ if (p->ticket_checksum != &p->pac->buffers[i]) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ krb5_set_error_message(context, ret,
+ N_("PAC has multiple ticket checksums", ""));
+ goto out;
+ }
+ } else if (p->pac->buffers[i].type == PAC_ATTRIBUTES_INFO) {
+ if (p->attributes_info == NULL) {
+ p->attributes_info = &p->pac->buffers[i];
+ }
+ if (p->attributes_info != &p->pac->buffers[i]) {
+ ret = KRB5KDC_ERR_BADOPTION;
krb5_set_error_message(context, ret,
- N_("PAC have two logon names", ""));
+ N_("PAC has multiple attributes info buffers", ""));
goto out;
}
}
}
+ /* Count missing-but-necessary buffers */
if (p->logon_name == NULL)
num++;
if (p->server_checksum == NULL)
num++;
if (p->privsvr_checksum == NULL)
num++;
+ if ((upn_princ || canon_princ) && p->upn_dns_info == NULL)
+ num++;
+ if (p->ticket_sign_data.length != 0 && p->ticket_checksum == NULL)
+ num++;
+ if (pac_attributes && p->attributes_info == NULL)
+ num++;
+ /* Allocate any missing-but-necessary buffers */
if (num) {
void *ptr;
- uint32_t len;
-
- if (p->pac->numbuffers > UINT32_MAX - num) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- goto out;
- }
- ret = pac_header_size(context, p->pac->numbuffers + num, &len);
- if (ret)
- goto out;
-
- ptr = realloc(p->pac, len);
- if (ptr == NULL)
- return krb5_enomem(context);
+ uint32_t old_len, len;
+ if (p->pac->numbuffers > UINT32_MAX - num) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ ret = pac_header_size(context, p->pac->numbuffers, &old_len);
+ if (ret == 0)
+ ret = pac_header_size(context, p->pac->numbuffers + num, &len);
+ if (ret)
+ goto out;
+
+ ptr = realloc(p->pac, len);
+ if (ptr == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ memset((char *)ptr + old_len, 0, len - old_len);
p->pac = ptr;
+
if (p->logon_name == NULL) {
p->logon_name = &p->pac->buffers[p->pac->numbuffers++];
- memset(p->logon_name, 0, sizeof(*p->logon_name));
p->logon_name->type = PAC_LOGON_NAME;
}
if (p->server_checksum == NULL) {
p->server_checksum = &p->pac->buffers[p->pac->numbuffers++];
- memset(p->server_checksum, 0, sizeof(*p->server_checksum));
p->server_checksum->type = PAC_SERVER_CHECKSUM;
}
if (p->privsvr_checksum == NULL) {
p->privsvr_checksum = &p->pac->buffers[p->pac->numbuffers++];
- memset(p->privsvr_checksum, 0, sizeof(*p->privsvr_checksum));
p->privsvr_checksum->type = PAC_PRIVSVR_CHECKSUM;
}
+ if ((upn_princ || canon_princ) && p->upn_dns_info == NULL) {
+ p->upn_dns_info = &p->pac->buffers[p->pac->numbuffers++];
+ p->upn_dns_info->type = PAC_UPN_DNS_INFO;
+ }
+ if (p->ticket_sign_data.length != 0 && p->ticket_checksum == NULL) {
+ p->ticket_checksum = &p->pac->buffers[p->pac->numbuffers++];
+ p->ticket_checksum->type = PAC_TICKET_CHECKSUM;
+ }
+ if (pac_attributes && p->attributes_info == NULL) {
+ p->attributes_info = &p->pac->buffers[p->pac->numbuffers++];
+ p->attributes_info->type = PAC_ATTRIBUTES_INFO;
+ }
}
/* Calculate LOGON NAME */
ret = build_logon_name(context, authtime, principal, &logon);
- if (ret)
- goto out;
/* Set lengths for checksum */
- ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);
- if (ret)
- goto out;
- ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);
- if (ret)
- goto out;
+ if (ret == 0)
+ ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);
- /* Encode PAC */
- sp = krb5_storage_emem();
- if (sp == NULL)
- return krb5_enomem(context);
+ if (ret == 0)
+ ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);
- krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+ if (ret == 0 && (upn_princ || canon_princ)) {
+ krb5_boolean upn_defaulted =
+ upn_princ && krb5_principal_compare(context, principal, upn_princ);
- spdata = krb5_storage_emem();
- if (spdata == NULL) {
- krb5_storage_free(sp);
- return krb5_enomem(context);
+ ret = build_upn_dns_info(context, upn_princ, upn_defaulted,
+ canon_princ, NULL, &upn_dns_info);
+ }
+
+ if (ret == 0 && pac_attributes)
+ ret = build_attributes_info(context, *pac_attributes, &attributes_info);
+
+ /* Encode PAC */
+ if (ret == 0) {
+ sp = krb5_storage_emem();
+ if (sp == NULL)
+ ret = krb5_enomem(context);
+ }
+
+ if (ret == 0) {
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+ spdata = krb5_storage_emem();
+ if (spdata == NULL)
+ ret = krb5_enomem(context);
}
+
+ if (ret)
+ goto out;
+
krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);
+ /* `sp' has the header, `spdata' has the buffers */
CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out);
CHECK(ret, krb5_store_uint32(sp, p->pac->version), out);
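Review bot: The cached pointers this hunk adds (`p->upn_dns_info`, `p->ticket_checksum`, `p->attributes_info`) are taken from `&p->pac->buffers[i]` in the scan loop, but `realloc(p->pac, len)` may move that array, leaving them and the older `logon_name`/`server_checksum`/`privsvr_checksum` caches dangling. Inside `_krb5_pac_sign` they are only compared against NULL afterwards, but they stay in the `krb5_pac`, and `krb5_pac_get_kdc_checksum_info()` later in this diff dereferences `pac->privsvr_checksum`. Whether any caller reuses the handle after signing is not visible here. Re-pointing the caches right after `p->pac = ptr;` removes the hazard, and any cached pointer not shown in this hunk would need the same treatment. The function body continues in the following hunks.

```c
p->pac = ptr;
/* The header may have moved: re-point every cached buffer at the new array. */
for (i = 0; i < p->pac->numbuffers; i++) {
    struct PAC_INFO_BUFFER *b = &p->pac->buffers[i];

    if (b->type == PAC_LOGON_NAME)
        p->logon_name = b;
    else if (b->type == PAC_SERVER_CHECKSUM)
        p->server_checksum = b;
    else if (b->type == PAC_PRIVSVR_CHECKSUM)
        p->privsvr_checksum = b;
    else if (b->type == PAC_UPN_DNS_INFO)
        p->upn_dns_info = b;
    else if (b->type == PAC_TICKET_CHECKSUM)
        p->ticket_checksum = b;
    else if (b->type == PAC_ATTRIBUTES_INFO)
        p->attributes_info = b;
}
/* … unchanged: append the missing-but-necessary buffers … */
```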
@@ -1179,6 +1723,28 @@ _krb5_pac_sign(krb5_context context,
if (ret)
goto out;
+ /*
+ * For each buffer we write its contents to `spdata' and then append the
+ * PAC_INFO_BUFFER for that buffer into the header in `sp'. The logical
+ * end of the whole thing is kept in `end', which functions as the offset
+ * to write in the buffer's PAC_INFO_BUFFER, then we update it at the
+ * bottom so that the next buffer can be written there.
+ *
+ * TODO? Maybe rewrite all of this so that:
+ *
+ * - we use krb5_pac_add_buffer() to add the buffers we produce
+ * - we use the krb5_data of the concatenated buffers that's maintained by
+ * krb5_pac_add_buffer() so we don't need `spdata' here
+ *
+ * We do way too much here, and that makes this code hard to read. Plus we
+ * throw away all the work done in krb5_pac_add_buffer(). On the other
+ * hand, krb5_pac_add_buffer() has to loop over all the buffers, so if we
+ * call krb5_pac_add_buffer() here in a loop, we'll be accidentally
+ * quadratic, but we only need to loop over adding the buffers we add,
+ * which is very few, so not quite quadratic. We should also cap the
+ * number of buffers we're willing to accept in a PAC we parse to something
+ * reasonable, like a few tens.
+ */
for (i = 0; i < p->pac->numbuffers; i++) {
uint32_t len;
size_t sret;
@@ -1192,12 +1758,12 @@ _krb5_pac_sign(krb5_context context,
krb5_set_error_message(context, ret, "integer overrun");
goto out;
}
+ len = server_size + 4;
if (end > UINT32_MAX - 4) {
ret = EINVAL;
krb5_set_error_message(context, ret, "integer overrun");
goto out;
}
- len = server_size + 4;
server_offset = end + 4;
CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out);
CHECK(ret, fill_zeros(context, spdata, server_size), out);
@@ -1207,24 +1773,72 @@ _krb5_pac_sign(krb5_context context,
krb5_set_error_message(context, ret, "integer overrun");
goto out;
}
+ len = priv_size + 4;
if (end > UINT32_MAX - 4) {
ret = EINVAL;
krb5_set_error_message(context, ret, "integer overrun");
goto out;
}
- len = priv_size + 4;
priv_offset = end + 4;
CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
CHECK(ret, fill_zeros(context, spdata, priv_size), out);
+ if (rodc_id != 0) {
+ if (len > UINT32_MAX - sizeof(rodc_id)) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ len += sizeof(rodc_id);
+ CHECK(ret, fill_zeros(context, spdata, sizeof(rodc_id)), out);
+ }
+ } else if (p->ticket_sign_data.length != 0 &&
+ p->pac->buffers[i].type == PAC_TICKET_CHECKSUM) {
+ if (priv_size > UINT32_MAX - 4) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ len = priv_size + 4;
+ if (end > UINT32_MAX - 4) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ ticket_offset = end + 4;
+ CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
+ CHECK(ret, fill_zeros(context, spdata, priv_size), out);
+ if (rodc_id != 0) {
+ if (len > UINT32_MAX - sizeof(rodc_id)) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ len += sizeof(rodc_id);
+ CHECK(ret, krb5_store_uint16(spdata, rodc_id), out);
+ }
} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
len = krb5_storage_write(spdata, logon.data, logon.length);
if (logon.length != len) {
- ret = EINVAL;
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+ } else if (upn_dns_info.length != 0 &&
+ p->pac->buffers[i].type == PAC_UPN_DNS_INFO) {
+ len = krb5_storage_write(spdata, upn_dns_info.data, upn_dns_info.length);
+ if (upn_dns_info.length != len) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+ } else if (attributes_info.length != 0 &&
+ p->pac->buffers[i].type == PAC_ATTRIBUTES_INFO) {
+ len = krb5_storage_write(spdata, attributes_info.data, attributes_info.length);
+ if (attributes_info.length != len) {
+ ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
} else {
len = p->pac->buffers[i].buffersize;
- ptr = (char *)p->data.data + p->pac->buffers[i].offset_lo;
+ ptr = (char *)p->data.data + p->pac->buffers[i].offset;
sret = krb5_storage_write(spdata, ptr, len);
if (sret != len) {
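Review bot: The `p->ticket_sign_data.length != 0 &&` guard on the PAC_TICKET_CHECKSUM branch means that when no ticket data was supplied, a ticket-checksum buffer already present in the PAC falls through to the final `else` and is copied byte-for-byte from `p->data`. The re-signed PAC would then carry a signature computed over an earlier ticket. `_krb5_kdc_pac_sign_ticket()` clears `ticket_sign_data` whenever `add_ticket_sig` is false, so this path looks reachable, though which PACs callers pass is not visible here. If the carry-over is intended, a comment above the branch such as `/* no ticket_sign_data: an existing ticket checksum is carried over unchanged */` would make that explicit; otherwise the buffer should be dropped or the call rejected. The enclosing loop starts and ends outside this hunk.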
@@ -1237,27 +1851,17 @@ _krb5_pac_sign(krb5_context context,
/* write header */
CHECK(ret, krb5_store_uint32(sp, p->pac->buffers[i].type), out);
CHECK(ret, krb5_store_uint32(sp, len), out);
- CHECK(ret, krb5_store_uint32(sp, end), out);
- CHECK(ret, krb5_store_uint32(sp, 0), out);
+ CHECK(ret, krb5_store_uint64(sp, end), out); /* offset */
/* advance data endpointer and align */
{
uint32_t e;
- if (end > UINT32_MAX - len) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- goto out;
- }
- end += len;
-
- ret = pac_aligned_size(context, end, &e);
+ ret = pac_aligned_size(context, end, len, &e);
+ if (ret == 0 && end + len != e)
+ ret = fill_zeros(context, spdata, e - (end + len));
if (ret)
goto out;
-
- if (end != e) {
- CHECK(ret, fill_zeros(context, spdata, e - end), out);
- }
end = e;
}
@@ -1266,54 +1870,338 @@ _krb5_pac_sign(krb5_context context,
/* assert (server_offset != 0 && priv_offset != 0); */
/* export PAC */
- ret = krb5_storage_to_data(spdata, &d);
- if (ret) {
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
- goto out;
- }
- ret = krb5_storage_write(sp, d.data, d.length);
- if (ret != (int)d.length) {
- krb5_data_free(&d);
- ret = krb5_enomem(context);
- goto out;
+ if (ret == 0)
+ ret = krb5_storage_to_data(spdata, &d);
+ if (ret == 0) {
+ sz = krb5_storage_write(sp, d.data, d.length);
+ if (sz != d.length) {
+ krb5_data_free(&d);
+ ret = krb5_enomem(context);
+ goto out;
+ }
}
krb5_data_free(&d);
- ret = krb5_storage_to_data(sp, &d);
- if (ret) {
- ret = krb5_enomem(context);
- goto out;
- }
+ if (ret == 0)
+ ret = krb5_storage_to_data(sp, &d);
/* sign */
- ret = create_checksum(context, server_key, server_cksumtype,
- d.data, d.length,
- (char *)d.data + server_offset, server_size);
- if (ret) {
- krb5_data_free(&d);
- goto out;
- }
- ret = create_checksum(context, priv_key, priv_cksumtype,
- (char *)d.data + server_offset, server_size,
- (char *)d.data + priv_offset, priv_size);
- if (ret) {
- krb5_data_free(&d);
- goto out;
+ if (ret == 0 && p->ticket_sign_data.length)
+ ret = create_checksum(context, priv_key, priv_cksumtype,
+ p->ticket_sign_data.data,
+ p->ticket_sign_data.length,
+ (char *)d.data + ticket_offset, priv_size);
+ if (ret == 0)
+ ret = create_checksum(context, server_key, server_cksumtype,
+ d.data, d.length,
+ (char *)d.data + server_offset, server_size);
+ if (ret == 0)
+ ret = create_checksum(context, priv_key, priv_cksumtype,
+ (char *)d.data + server_offset, server_size,
+ (char *)d.data + priv_offset, priv_size);
+ if (ret == 0 && rodc_id != 0) {
+ krb5_data rd;
+ krb5_storage *rs = krb5_storage_emem();
+ if (rs == NULL)
+ ret = krb5_enomem(context);
+ else
+ krb5_storage_set_flags(rs, KRB5_STORAGE_BYTEORDER_LE);
+ if (ret == 0)
+ ret = krb5_store_uint16(rs, rodc_id);
+ if (ret == 0)
+ ret = krb5_storage_to_data(rs, &rd);
+ krb5_storage_free(rs);
+ if (ret)
+ goto out;
+ heim_assert(rd.length == sizeof(rodc_id), "invalid length");
+ memcpy((char *)d.data + priv_offset + priv_size, rd.data, rd.length);
+ krb5_data_free(&rd);
}
+ if (ret)
+ goto out;
+
/* done */
*data = d;
krb5_data_free(&logon);
+ krb5_data_free(&upn_dns_info);
+ krb5_data_free(&attributes_info);
krb5_storage_free(sp);
krb5_storage_free(spdata);
return 0;
out:
+ krb5_data_free(&d);
krb5_data_free(&logon);
+ krb5_data_free(&upn_dns_info);
+ krb5_data_free(&attributes_info);
if (sp)
krb5_storage_free(sp);
if (spdata)
krb5_storage_free(spdata);
return ret;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_pac_get_kdc_checksum_info(krb5_context context,
+ krb5_const_pac pac,
+ krb5_cksumtype *cstype,
+ uint16_t *rodc_id)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ const struct PAC_INFO_BUFFER *sig;
+ size_t cksumsize, prefix;
+ uint32_t type = 0;
+
+ *cstype = 0;
+ *rodc_id = 0;
+
+ sig = pac->privsvr_checksum;
+ if (sig == NULL) {
+ krb5_set_error_message(context, KRB5KDC_ERR_BADOPTION,
+ "PAC missing kdc checksum");
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+ sp = krb5_storage_from_mem((char *)pac->data.data + sig->offset,
+ sig->buffersize);
+ if (sp == NULL)
+ return krb5_enomem(context);
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ ret = krb5_ret_uint32(sp, &type);
+ if (ret)
+ goto out;
+
+ ret = krb5_checksumsize(context, type, &cksumsize);
+ if (ret)
+ goto out;
+
+ prefix = krb5_storage_seek(sp, 0, SEEK_CUR);
+
+ if ((sig->buffersize - prefix) >= cksumsize + 2) {
+ krb5_storage_seek(sp, cksumsize, SEEK_CUR);
+ ret = krb5_ret_uint16(sp, rodc_id);
+ if (ret)
+ goto out;
+ }
+
+ *cstype = type;
+
+out:
+ krb5_storage_free(sp);
+
+ return ret;
+}
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_pac_get_canon_principal(krb5_context context,
+ krb5_const_pac pac,
+ krb5_principal *canon_princ)
+{
+ *canon_princ = NULL;
+
+ if (pac->canon_princ == NULL) {
+ krb5_set_error_message(context, ENOENT,
+ "PAC missing UPN DNS info buffer");
+ return ENOENT;
+ }
+
+ return krb5_copy_principal(context, pac->canon_princ, canon_princ);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_pac_get_attributes_info(krb5_context context,
+ krb5_const_pac pac,
+ uint64_t *pac_attributes)
+{
+ *pac_attributes = 0;
+
+ if (pac->attributes_info == NULL) {
+ krb5_set_error_message(context, ENOENT,
+ "PAC missing attributes info buffer");
+ return ENOENT;
+ }
+
+ *pac_attributes = pac->pac_attributes;
+
+ return 0;
+}
+
+static const unsigned char single_zero = '\0';
+static const krb5_data single_zero_pac = { 1, rk_UNCONST(&single_zero) };
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kdc_pac_ticket_parse(krb5_context context,
+ EncTicketPart *tkt,
+ krb5_boolean *signedticket,
+ krb5_pac *ppac)
+{
+ AuthorizationData *ad = tkt->authorization_data;
+ krb5_pac pac = NULL;
+ unsigned i, j;
+ size_t len = 0;
+ krb5_error_code ret = 0;
+
+ *signedticket = FALSE;
+ *ppac = NULL;
+
+ if (ad == NULL || ad->len == 0)
+ return 0;
+
+ for (i = 0; i < ad->len; i++) {
+ AuthorizationData child;
+
+ if (ad->val[i].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+
+ if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
+ continue;
+
+ ret = decode_AuthorizationData(ad->val[i].ad_data.data,
+ ad->val[i].ad_data.length,
+ &child,
+ NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret, "Failed to decode "
+ "AD-IF-RELEVANT with %d", ret);
+ goto out;
+ }
+
+ for (j = 0; j < child.len; j++) {
+ krb5_data adifr_data = ad->val[i].ad_data;
+ krb5_data pac_data = child.val[j].ad_data;
+ krb5_data recoded_adifr;
+
+ if (child.val[j].ad_type != KRB5_AUTHDATA_WIN2K_PAC)
+ continue;
+
+ if (pac != NULL) {
+ free_AuthorizationData(&child);
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+
+ ret = krb5_pac_parse(context,
+ pac_data.data,
+ pac_data.length,
+ &pac);
+ if (ret) {
+ free_AuthorizationData(&child);
+ goto out;
+ }
+
+ if (pac->ticket_checksum == NULL)
+ continue;
+
+ /*
+ * Encode the ticket with the PAC replaced with a single zero
+ * byte, to be used as input data to the ticket signature.
+ */
+
+ child.val[j].ad_data = single_zero_pac;
+
+ ASN1_MALLOC_ENCODE(AuthorizationData, recoded_adifr.data,
+ recoded_adifr.length, &child, &len, ret);
+ if (recoded_adifr.length != len)
+ krb5_abortx(context, "Internal error in ASN.1 encoder");
+
+ child.val[j].ad_data = pac_data;
+
+ if (ret) {
+ free_AuthorizationData(&child);
+ goto out;
+ }
+
+ ad->val[i].ad_data = recoded_adifr;
+
+ ASN1_MALLOC_ENCODE(EncTicketPart,
+ pac->ticket_sign_data.data,
+ pac->ticket_sign_data.length, tkt, &len,
+ ret);
+ if (pac->ticket_sign_data.length != len)
+ krb5_abortx(context, "Internal error in ASN.1 encoder");
+
+ ad->val[i].ad_data = adifr_data;
+ krb5_data_free(&recoded_adifr);
+
+ if (ret) {
+ free_AuthorizationData(&child);
+ goto out;
+ }
+
+ *signedticket = TRUE;
+ }
+ free_AuthorizationData(&child);
+ }
+
+out:
+ if (ret) {
+ krb5_pac_free(context, pac);
+ return ret;
+ }
+
+ *ppac = pac;
+
+ return 0;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kdc_pac_sign_ticket(krb5_context context,
+ const krb5_pac pac,
+ krb5_const_principal client,
+ const krb5_keyblock *server_key,
+ const krb5_keyblock *kdc_key,
+ uint16_t rodc_id,
+ krb5_const_principal upn,
+ krb5_const_principal canon_name,
+ krb5_boolean add_ticket_sig,
+ EncTicketPart *tkt,
+ uint64_t *pac_attributes) /* optional */
+{
+ krb5_error_code ret;
+ krb5_data tkt_data;
+ krb5_data rspac;
+
+ krb5_data_zero(&rspac);
+ krb5_data_zero(&tkt_data);
+
+ krb5_data_free(&pac->ticket_sign_data);
+
+ if (add_ticket_sig) {
+ size_t len = 0;
+
+ ret = _kdc_tkt_insert_pac(context, tkt, &single_zero_pac);
+ if (ret)
+ return ret;
+
+ ASN1_MALLOC_ENCODE(EncTicketPart, tkt_data.data, tkt_data.length,
+ tkt, &len, ret);
+ if(tkt_data.length != len)
+ krb5_abortx(context, "Internal error in ASN.1 encoder");
+ if (ret)
+ return ret;
+
+ ret = remove_AuthorizationData(tkt->authorization_data, 0);
+ if (ret) {
+ krb5_data_free(&tkt_data);
+ return ret;
+ }
+
+ pac->ticket_sign_data = tkt_data;
+ }
+
+ ret = _krb5_pac_sign(context, pac, tkt->authtime, client, server_key,
+ kdc_key, rodc_id, upn, canon_name,
+ pac_attributes, &rspac);
+ if (ret == 0)
+ ret = _kdc_tkt_insert_pac(context, tkt, &rspac);
+ krb5_data_free(&rspac);
+ return ret;
+}
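Review bot: The length checks after `ASN1_MALLOC_ENCODE` run before `ret` is examined, in `_krb5_kdc_pac_ticket_parse` (both the AuthorizationData and the EncTicketPart encode) and in `_krb5_kdc_pac_sign_ticket`. If the macro reports an allocation or encoding failure through `ret` while leaving the computed length and `len` unequal, which the visible code cannot rule out, `krb5_abortx()` ends the process on a condition that should be returned as an error. Testing `ret` first keeps the abort for genuine encoder inconsistencies, e.g. `if (ret == 0 && recoded_adifr.length != len)`, and likewise for `pac->ticket_sign_data.length` and `tkt_data.length`. In `_krb5_kdc_pac_sign_ticket` the early `return ret` after a failed encode also leaves the `single_zero_pac` placeholder inserted in `tkt`, so that path should call `remove_AuthorizationData(tkt->authorization_data, 0)` before returning.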
diff --git a/lib/krb5/pcache.c b/lib/krb5/pcache.c
index 3a9949dc2777..980449027330 100644
--- a/lib/krb5/pcache.c
+++ b/lib/krb5/pcache.c
@@ -48,7 +48,7 @@ cc_plugin_register_to_context(krb5_context context, const void *plug, void *plug
krb5_cc_ops *ccops = (krb5_cc_ops *)plugctx;
krb5_error_code ret;
- if (ccops == NULL || ccops->version < KRB5_CC_OPS_VERSION)
+ if (ccops == NULL)
return KRB5_PLUGIN_NO_HANDLE;
ret = krb5_cc_register(context, ccops, TRUE);
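Review bot: Dropping the `ccops->version < KRB5_CC_OPS_VERSION` test means a plugin built against an older `krb5_cc_ops` layout now reaches `krb5_cc_register()`. Unless that function performs its own version check (not visible in this hunk), later calls through members the older struct lacks would read past it. If the check moved there, a one-line comment such as `/* ops version is validated by krb5_cc_register() */` would record that; otherwise the comparison should stay. The function body continues outside this hunk.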
@@ -58,13 +58,24 @@ cc_plugin_register_to_context(krb5_context context, const void *plug, void *plug
return KRB5_PLUGIN_NO_HANDLE;
}
+static const char *const ccache_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+ccache_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_CCACHE,
+ 0,
+ ccache_plugin_deps,
+ krb5_get_instance
+};
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_load_ccache_plugins(krb5_context context)
{
krb5_error_code userctx = 0;
- (void)_krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_CCACHE,
- 0, 0, &userctx, cc_plugin_register_to_context);
+ (void)_krb5_plugin_run_f(context, &ccache_plugin_data, 0,
+ &userctx, cc_plugin_register_to_context);
return userctx;
}
diff --git a/lib/krb5/pkinit-ec.c b/lib/krb5/pkinit-ec.c
index 33bc62c8dcef..34cefd506fe3 100644
--- a/lib/krb5/pkinit-ec.c
+++ b/lib/krb5/pkinit-ec.c
@@ -56,6 +56,7 @@
#include <openssl/ecdh.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
#define HEIM_NO_CRYPTO_HDRS
#endif
@@ -125,6 +126,9 @@ _krb5_build_authpack_subjectPK_EC(krb5_context context,
if (ret)
return ret;
+#ifdef HAVE_OPENSSL_30
+ ctx->u.eckey = EVP_EC_gen(OSSL_EC_curve_nid2name(NID_X9_62_prime256v1));
+#else
ctx->u.eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ctx->u.eckey == NULL)
return krb5_enomem(context);
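Review bot: The OpenSSL 3 branch never checks the result of `EVP_EC_gen()`; the `ctx->u.eckey == NULL` test sits in the `#else` arm, so a failed key generation flows on to `i2d_PublicKey(ctx->u.eckey, NULL)` in the next hunk. Add `if (ctx->u.eckey == NULL) return krb5_enomem(context);` directly after the `EVP_EC_gen` line. The `#endif` that closes this conditional is in the following hunk.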
@@ -132,8 +136,13 @@ _krb5_build_authpack_subjectPK_EC(krb5_context context,
ret = EC_KEY_generate_key(ctx->u.eckey);
if (ret != 1)
return EINVAL;
+#endif
+#ifdef HAVE_OPENSSL_30
+ xlen = i2d_PublicKey(ctx->u.eckey, NULL);
+#else
xlen = i2o_ECPublicKey(ctx->u.eckey, NULL);
+#endif
if (xlen <= 0)
return EINVAL;
@@ -143,7 +152,11 @@ _krb5_build_authpack_subjectPK_EC(krb5_context context,
a->clientPublicValue->subjectPublicKey.data = p;
+#ifdef HAVE_OPENSSL_30
+ xlen = i2d_PublicKey(ctx->u.eckey, &p);
+#else
xlen = i2o_ECPublicKey(ctx->u.eckey, &p);
+#endif
if (xlen <= 0) {
a->clientPublicValue->subjectPublicKey.data = NULL;
free(p);
@@ -171,6 +184,61 @@ _krb5_pk_rd_pa_reply_ecdh_compute_key(krb5_context context,
int *out_sz)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
+#ifdef HAVE_OPENSSL_30
+ krb5_error_code ret = 0;
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_PKEY *template = NULL;
+ EVP_PKEY *public = NULL;
+ size_t shared_len = 0;
+
+ if ((template = EVP_PKEY_new()) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0 &&
+ EVP_PKEY_copy_parameters(template, ctx->u.eckey) != 1)
+ ret = krb5_enomem(context);
+ if (ret == 0 && (pctx = EVP_PKEY_CTX_new(ctx->u.eckey, NULL)) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0 && EVP_PKEY_derive_init(pctx) != 1)
+ ret = krb5_enomem(context);
+ if (ret == 0 &&
+ EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_NONE) != 1)
+ ret = krb5_enomem(context);
+ if (ret == 0 &&
+ (public = d2i_PublicKey(EVP_PKEY_EC, &template, &in, in_sz)) == NULL)
+ krb5_set_error_message(context,
+ ret = HX509_PARSING_KEY_FAILED,
+ "PKINIT: Can't parse the KDC's ECDH public key");
+ if (ret == 0 &&
+ EVP_PKEY_derive_set_peer_ex(pctx, public, 1) != 1)
+ krb5_set_error_message(context,
+ ret = KRB5KRB_ERR_GENERIC,
+ "Could not derive ECDH shared secret for PKINIT key exchange "
+ "(EVP_PKEY_derive_set_peer_ex)");
+ if (ret == 0 &&
+ (EVP_PKEY_derive(pctx, NULL, &shared_len) != 1 || shared_len == 0))
+ krb5_set_error_message(context,
+ ret = KRB5KRB_ERR_GENERIC,
+ "Could not derive ECDH shared secret for PKINIT key exchange "
+ "(EVP_PKEY_derive to get length)");
+ if (ret == 0 && shared_len > INT_MAX)
+ krb5_set_error_message(context,
+ ret = KRB5KRB_ERR_GENERIC,
+ "Could not derive ECDH shared secret for PKINIT key exchange "
+ "(shared key too large)");
+ if (ret == 0 && (*out = malloc(shared_len)) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0 && EVP_PKEY_derive(pctx, *out, &shared_len) != 1)
+ krb5_set_error_message(context,
+ ret = KRB5KRB_ERR_GENERIC,
+ "Could not derive ECDH shared secret for PKINIT key exchange "
+ "(EVP_PKEY_derive)");
+ if (ret == 0)
+ *out_sz = shared_len;
+ EVP_PKEY_CTX_free(pctx); // move
+ EVP_PKEY_free(template);
+
+ return ret;
+#else
krb5_error_code ret = 0;
int dh_gen_keylen;
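Review bot: When the final `EVP_PKEY_derive(pctx, *out, &shared_len)` fails, the buffer from `malloc(shared_len)` stays in `*out` while an error is returned, so it leaks unless every caller frees `*out` on failure (callers are outside this hunk). Setting `*out = NULL;` on entry and adding `if (ret) { free(*out); *out = NULL; }` before the two `EVP_PKEY_*_free` calls would keep ownership clear. Separately, failures of `EVP_PKEY_copy_parameters`, `EVP_PKEY_derive_init` and `EVP_PKEY_CTX_set_ecdh_kdf_type` are reported through `krb5_enomem()`, which hides the real cause, and the `// move` remark on the `EVP_PKEY_CTX_free` line should be resolved or removed. The function's signature begins before this hunk.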
@@ -219,6 +287,7 @@ _krb5_pk_rd_pa_reply_ecdh_compute_key(krb5_context context,
*out_sz = dh_gen_keylen;
return ret;
+#endif
#else
krb5_set_error_message(context, ENOTSUP,
N_("PKINIT: ECDH not supported", ""));
@@ -230,8 +299,12 @@ void
_krb5_pk_eckey_free(void *eckey)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
+#ifdef HAVE_OPENSSL_30
+ EVP_PKEY_free(eckey);
+#else
EC_KEY_free(eckey);
#endif
+#endif
}
#else
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 7ede91c3fa9a..2a0979b7e127 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -109,26 +109,34 @@ integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
}
static krb5_error_code
-select_dh_group(krb5_context context, DH *dh, unsigned long bits,
+select_dh_group(krb5_context context, DH *dh, unsigned long min_bits,
struct krb5_dh_moduli **moduli)
{
const struct krb5_dh_moduli *m;
- if (bits == 0) {
+ if (moduli[0] == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ N_("Did not find a DH group parameter "
+ "matching requirement of %lu bits", ""),
+ min_bits);
+ return EINVAL;
+ }
+
+ if (min_bits == 0) {
m = moduli[1]; /* XXX */
if (m == NULL)
m = moduli[0]; /* XXX */
} else {
int i;
for (i = 0; moduli[i] != NULL; i++) {
- if (bits < moduli[i]->bits)
+ if (moduli[i]->bits >= min_bits)
break;
}
if (moduli[i] == NULL) {
krb5_set_error_message(context, EINVAL,
N_("Did not find a DH group parameter "
"matching requirement of %lu bits", ""),
- bits);
+ min_bits);
return EINVAL;
}
m = moduli[i];
@@ -232,7 +240,7 @@ create_signature(krb5_context context,
return 0;
}
-static int
+static int KRB5_LIB_CALL
cert2epi(hx509_context context, void *ctx, hx509_cert c)
{
ExternalPrincipalIdentifiers *ids = ctx;
@@ -473,16 +481,29 @@ build_auth_pack(krb5_context context,
free_DomainParameters(&dp);
return ret;
}
- dp.q = calloc(1, sizeof(*dp.q));
- if (dp.q == NULL) {
- free_DomainParameters(&dp);
- return ENOMEM;
- }
- ret = BN_to_integer(context, dh->q, dp.q);
- if (ret) {
- free_DomainParameters(&dp);
- return ret;
- }
+ if (dh->q && BN_num_bits(dh->q)) {
+ /*
+ * The q parameter is required, but MSFT made it optional.
+ * It's only required in order to verify the domain parameters
+ * -- the security of the DH group --, but we validate groups
+ * against known groups rather than accepting arbitrary groups
+ * chosen by the peer, so we really don't need to have put it
+ * on the wire. Because these are Oakley groups, and the
+ * primes are Sophie Germain primes, q is p>>1 and we can
+ * compute it on the fly like MIT Kerberos does, but we'd have
+ * to implement BN_rshift1().
+ */
+ dp.q = calloc(1, sizeof(*dp.q));
+ if (dp.q == NULL) {
+ free_DomainParameters(&dp);
+ return ENOMEM;
+ }
+ ret = BN_to_integer(context, dh->q, dp.q);
+ if (ret) {
+ free_DomainParameters(&dp);
+ return ret;
+ }
+ }
dp.j = NULL;
dp.validationParms = NULL;
@@ -719,7 +740,7 @@ pk_mk_padata(krb5_context context,
free(buf.data);
if (ret == 0)
- krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
+ ret = krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
out:
free_ContentInfo(&content_info);
@@ -774,7 +795,7 @@ _krb5_pk_mk_padata(krb5_context context,
NULL);
if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK)
ctx->require_eku = 0;
- if (ctx->id->flags & PKINIT_BTMM)
+ if (ctx->id->flags & (PKINIT_BTMM | PKINIT_NO_KDC_ANCHOR))
ctx->require_eku = 0;
ctx->require_krbtgt_otherName =
@@ -816,33 +837,43 @@ pk_verify_sign(krb5_context context,
struct krb5_pk_cert **signer)
{
hx509_certs signer_certs;
- int ret, flags = 0;
+ int ret;
+ unsigned flags = 0, verify_flags = 0;
+
+ *signer = NULL;
- /* BTMM is broken in Leo and SnowLeo */
if (id->flags & PKINIT_BTMM) {
flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
flags |= HX509_CMS_VS_NO_KU_CHECK;
flags |= HX509_CMS_VS_NO_VALIDATE;
}
+ if (id->flags & PKINIT_NO_KDC_ANCHOR)
+ flags |= HX509_CMS_VS_NO_VALIDATE;
- *signer = NULL;
-
- ret = hx509_cms_verify_signed(context->hx509ctx,
- id->verify_ctx,
- flags,
- data,
- length,
- NULL,
- id->certpool,
- contentType,
- content,
- &signer_certs);
+ ret = hx509_cms_verify_signed_ext(context->hx509ctx,
+ id->verify_ctx,
+ flags,
+ data,
+ length,
+ NULL,
+ id->certpool,
+ contentType,
+ content,
+ &signer_certs,
+ &verify_flags);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"CMS verify signed failed");
return ret;
}
+ heim_assert((verify_flags & HX509_CMS_VSE_VALIDATED) ||
+ (id->flags & PKINIT_NO_KDC_ANCHOR),
+ "Either PKINIT signer must be validated, or NO_KDC_ANCHOR must be set");
+
+ if ((verify_flags & HX509_CMS_VSE_VALIDATED) == 0)
+ goto out;
+
*signer = calloc(1, sizeof(**signer));
if (*signer == NULL) {
krb5_clear_error_message(context);
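Review bot: The `PKINIT_BTMM` branch still sets `HX509_CMS_VS_NO_VALIDATE`, but the new `heim_assert` excuses an unvalidated signer only when `PKINIT_NO_KDC_ANCHOR` is set, so a BTMM identity whose signer does not validate would abort the process rather than proceed or fail cleanly. This assumes `hx509_cms_verify_signed_ext()` leaves `HX509_CMS_VSE_VALIDATED` clear in that case, which is not visible here. A condition that depends on the peer's certificate is better returned than asserted, e.g. `if (!(verify_flags & HX509_CMS_VSE_VALIDATED) && !(id->flags & (PKINIT_BTMM | PKINIT_NO_KDC_ANCHOR))) { ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; goto out; }`. The `heim_assert(host || ...)` checks added in `pk_rd_pa_reply_enckey` and `pk_rd_pa_reply_dh` have the same gap. The early `goto out` now returns success with `*signer == NULL`, which deserves a comment above `pk_verify_sign`; its body continues past this hunk.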
@@ -983,7 +1014,6 @@ get_reply_key(krb5_context context,
static krb5_error_code
pk_verify_host(krb5_context context,
const char *realm,
- const krb5_krbhst_info *hi,
struct krb5_pk_init_ctx_data *ctx,
struct krb5_pk_cert *host)
{
@@ -1048,7 +1078,9 @@ pk_verify_host(krb5_context context,
free_KRB5PrincipalName(&r);
}
hx509_free_octet_string_list(&list);
- if (matched == 0) {
+
+ if (matched == 0 &&
+ (ctx->id->flags & PKINIT_NO_KDC_ANCHOR) == 0) {
ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
/* XXX: Lost in translation... */
krb5_set_error_message(context, ret,
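Review bot: With `PKINIT_NO_KDC_ANCHOR` set, `pk_verify_host()` now returns success even when `matched` stays 0, and both callers (`pk_rd_pa_reply_enckey`, `pk_rd_pa_reply_dh`) then set `ctx->kdc_verified = 1`. If `kdc_verified` is meant to record that the KDC's identity was checked (its consumers are not visible here), it should be set only when the name check actually matched. One option is to keep returning `KRB5_KDC_ERR_INVALID_CERTIFICATE` here and let the callers decide: `if (ret == 0) ctx->kdc_verified = 1; else if ((ctx->id->flags & PKINIT_NO_KDC_ANCHOR) == 0) goto out; else ret = 0;`. This hunk ends inside the `krb5_set_error_message` call, and the function starts before it.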
@@ -1059,18 +1091,6 @@ pk_verify_host(krb5_context context,
if (ret)
return ret;
- if (hi) {
- ret = hx509_verify_hostname(context->hx509ctx, host->cert,
- ctx->require_hostname_match,
- HX509_HN_HOSTNAME,
- hi->hostname,
- hi->ai->ai_addr, hi->ai->ai_addrlen);
-
- if (ret)
- krb5_set_error_message(context, ret,
- N_("Address mismatch in "
- "the KDC certificate", ""));
- }
return ret;
}
@@ -1082,7 +1102,6 @@ pk_rd_pa_reply_enckey(krb5_context context,
const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
- const krb5_krbhst_info *hi,
unsigned nonce,
const krb5_data *req_buffer,
PA_DATA *pa,
@@ -1091,6 +1110,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
krb5_error_code ret;
struct krb5_pk_cert *host = NULL;
krb5_data content;
+ heim_octet_string unwrapped;
heim_oid contentType = { 0, NULL };
int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;
@@ -1122,9 +1142,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
/* win2k uses ContentInfo */
if (type == PKINIT_WIN2K) {
heim_oid type2;
- heim_octet_string out;
- ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+ ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret) {
/* windows LH with interesting CMS packets */
size_t ph = 1 + der_length_len(content.length);
@@ -1143,7 +1162,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
content.data = ptr;
content.length += ph;
- ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+ ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret)
goto out;
}
@@ -1152,13 +1171,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
krb5_set_error_message(context, ret,
N_("PKINIT: Invalid content type", ""));
der_free_oid(&type2);
- der_free_octet_string(&out);
+ der_free_octet_string(&unwrapped);
goto out;
}
der_free_oid(&type2);
krb5_data_free(&content);
- ret = krb5_data_copy(&content, out.data, out.length);
- der_free_octet_string(&out);
+ ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
+ der_free_octet_string(&unwrapped);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
@@ -1171,15 +1190,26 @@ pk_rd_pa_reply_enckey(krb5_context context,
content.length,
ctx->id,
&contentType,
- &content,
+ &unwrapped,
&host);
+ if (ret == 0) {
+ krb5_data_free(&content);
+ ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
+ der_free_octet_string(&unwrapped);
+ }
if (ret)
goto out;
- /* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, realm, hi, ctx, host);
- if (ret) {
- goto out;
+ heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR),
+ "KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set");
+
+ if (host) {
+ /* make sure that it is the kdc's certificate */
+ ret = pk_verify_host(context, realm, ctx, host);
+ if (ret)
+ goto out;
+
+ ctx->kdc_verified = 1;
}
#if 0
@@ -1321,7 +1351,6 @@ pk_rd_pa_reply_dh(krb5_context context,
const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
- const krb5_krbhst_info *hi,
const DHNonce *c_n,
const DHNonce *k_n,
unsigned nonce,
@@ -1358,10 +1387,17 @@ pk_rd_pa_reply_dh(krb5_context context,
if (ret)
goto out;
- /* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, realm, hi, ctx, host);
- if (ret)
- goto out;
+ heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR),
+ "KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set");
+
+ if (host) {
+ /* make sure that it is the kdc's certificate */
+ ret = pk_verify_host(context, realm, ctx, host);
+ if (ret)
+ goto out;
+
+ ctx->kdc_verified = 1;
+ }
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkdhkeydata)) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
@@ -1516,7 +1552,6 @@ _krb5_pk_rd_pa_reply(krb5_context context,
const char *realm,
void *c,
krb5_enctype etype,
- const krb5_krbhst_info *hi,
unsigned nonce,
const krb5_data *req_buffer,
PA_DATA *pa,
@@ -1607,14 +1642,14 @@ _krb5_pk_rd_pa_reply(krb5_context context,
switch (rep.element) {
case choice_PA_PK_AS_REP_dhInfo:
- ret = pk_rd_pa_reply_dh(context, &data, &oid, realm, ctx, etype, hi,
+ ret = pk_rd_pa_reply_dh(context, &data, &oid, realm, ctx, etype,
ctx->clientDHNonce,
rep.u.dhInfo.serverDHNonce,
nonce, pa, key);
break;
case choice_PA_PK_AS_REP_encKeyPack:
ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm,
- ctx, etype, hi, nonce, req_buffer, pa, key);
+ ctx, etype, nonce, req_buffer, pa, key);
break;
default:
krb5_abortx(context, "pk-init as-rep case not possible to happen");
@@ -1666,7 +1701,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
}
ret = pk_rd_pa_reply_enckey(context, PKINIT_WIN2K, &data, &oid, realm,
- ctx, etype, hi, nonce, req_buffer, pa, key);
+ ctx, etype, nonce, req_buffer, pa, key);
der_free_octet_string(&data);
der_free_oid(&oid);
@@ -1790,7 +1825,7 @@ _krb5_pk_set_user_id(krb5_context context,
ret = der_print_hex_heim_integer(&i, &sn);
der_free_heim_integer(&i);
if (ret) {
- free(name);
+ free(str);
goto out;
}
@@ -1816,16 +1851,10 @@ _krb5_pk_load_id(krb5_context context,
{
struct krb5_pk_identity *id = NULL;
struct prompter p;
- int ret;
+ krb5_error_code ret;
*ret_id = NULL;
- if (anchor_id == NULL) {
- krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
- N_("PKINIT: No anchor given", ""));
- return HEIM_PKINIT_NO_VALID_CA;
- }
-
/* load cert */
id = calloc(1, sizeof(*id));
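Review bot: With the `anchor_id == NULL` rejection removed here, _krb5_pk_load_id accepts a missing trust anchor from every caller, and the only replacement visible in this diff is the check added to krb5_get_init_creds_opt_set_pkinit. Any other caller that relied on this function to refuse an anchor-less identity now loads one without error; callers outside this file are not visible here, so that needs checking. I would at least document the new contract at the top of the function, e.g. `/* anchor_id may be NULL; the caller is then responsible for deciding whether an unanchored identity is acceptable */`. The function body continues outside the hunk.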
@@ -1887,7 +1916,7 @@ _krb5_pk_load_id(krb5_context context,
NULL, *chain_list);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
- "Failed to laod chain %s",
+ "Failed to load chain %s",
*chain_list);
goto out;
}
@@ -2060,8 +2089,12 @@ _krb5_parse_moduli_line(krb5_context context,
if (ret)
goto out;
ret = parse_integer(context, &p, file, lineno, "q", &m1->q);
- if (ret)
- goto out;
+ if (ret) {
+ m1->q.negative = 0;
+ m1->q.length = 0;
+ m1->q.data = 0;
+ krb5_clear_error_message(context);
+ }
*m = m1;
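Review bot: Any failure of `parse_integer` for "q" is now treated as "no q given", so a moduli line whose q field is present but malformed is accepted with an empty q instead of being rejected. Combined with the `moduli[i]->q.length == 0` clause added to _krb5_dh_group_ok later in this diff, such an entry then matches whatever q the peer offers. If parse_integer can fail after allocating (not visible here), overwriting `m1->q.data` also drops that allocation. I would tolerate only a genuinely absent field, for example by testing for end of line before parsing q and keeping `goto out` for a real parse error, and write `m1->q.data = NULL;` rather than `0`. The function starts outside the hunk.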
@@ -2075,17 +2108,22 @@ _krb5_parse_moduli_line(krb5_context context,
return ret;
}
+static void
+free_moduli_element(struct krb5_dh_moduli *element)
+{
+ free(element->name);
+ der_free_heim_integer(&element->p);
+ der_free_heim_integer(&element->g);
+ der_free_heim_integer(&element->q);
+ free(element);
+}
+
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_free_moduli(struct krb5_dh_moduli **moduli)
{
int i;
- for (i = 0; moduli[i] != NULL; i++) {
- free(moduli[i]->name);
- der_free_heim_integer(&moduli[i]->p);
- der_free_heim_integer(&moduli[i]->g);
- der_free_heim_integer(&moduli[i]->q);
- free(moduli[i]);
- }
+ for (i = 0; moduli[i] != NULL; i++)
+ free_moduli_element(moduli[i]);
free(moduli);
}
@@ -2115,7 +2153,7 @@ static const char *default_moduli_rfc3526_MODP_group14 =
/* name */
"rfc3526-MODP-group14 "
/* bits */
- "1760 "
+ "2048 "
/* p */
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
@@ -2180,9 +2218,8 @@ _krb5_parse_moduli(krb5_context context, const char *file,
if (file == NULL)
file = MODULI_FILE;
-#ifdef KRB5_USE_PATH_TOKENS
{
- char * exp_file;
+ char *exp_file;
if (_krb5_expand_path_tokens(context, file, 1, &exp_file) == 0) {
f = fopen(exp_file, "r");
@@ -2191,9 +2228,6 @@ _krb5_parse_moduli(krb5_context context, const char *file,
f = NULL;
}
}
-#else
- f = fopen(file, "r");
-#endif
if (f == NULL) {
*moduli = m;
@@ -2207,29 +2241,33 @@ _krb5_parse_moduli(krb5_context context, const char *file,
buf[strcspn(buf, "\n")] = '\0';
lineno++;
+ ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
+ if (ret)
+ break;
+ if (element == NULL)
+ continue;
+
m2 = realloc(m, (n + 2) * sizeof(m[0]));
if (m2 == NULL) {
- _krb5_free_moduli(m);
- return krb5_enomem(context);
+ free_moduli_element(element);
+ ret = krb5_enomem(context);
+ break;
}
m = m2;
- m[n] = NULL;
-
- ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
- if (ret) {
- _krb5_free_moduli(m);
- return ret;
- }
- if (element == NULL)
- continue;
-
m[n] = element;
m[n + 1] = NULL;
n++;
}
+ if (ret) {
+ _krb5_free_moduli(m);
+ m = NULL;
+ }
+
*moduli = m;
- return 0;
+
+ (void) fclose(f);
+ return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
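Review bot: On a parse or allocation failure the function now stores NULL in `*moduli`, but the two consumers visible in this diff, `_krb5_free_moduli` and `_krb5_dh_group_ok`, both begin with `moduli[i] != NULL` and would dereference that NULL. A caller that ignores the return value, or frees unconditionally in its cleanup path, will crash; the callers are not visible here. A guard in the free routine makes the cleanup path safe: `if (moduli == NULL) return;` as the first statement of `_krb5_free_moduli`. The start of _krb5_parse_moduli, including where `ret` is first assigned, is outside the hunk.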
@@ -2246,7 +2284,8 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
for (i = 0; moduli[i] != NULL; i++) {
if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 &&
der_heim_integer_cmp(&moduli[i]->p, p) == 0 &&
- (q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0))
+ (q == NULL || moduli[i]->q.length == 0 ||
+ der_heim_integer_cmp(&moduli[i]->q, q) == 0))
{
if (bits && bits > moduli[i]->bits) {
krb5_set_error_message(context,
@@ -2326,6 +2365,8 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
{
#ifdef PKINIT
krb5_error_code ret;
+ char **freeme1 = NULL;
+ char **freeme2 = NULL;
char *anchors = NULL;
if (opt->opt_private == NULL) {
@@ -2345,16 +2386,13 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
/* XXX implement krb5_appdefault_strings */
if (pool == NULL)
- pool = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_pool",
- NULL);
+ pool = freeme1 = krb5_config_get_strings(context, NULL, "appdefaults",
+ "pkinit_pool", NULL);
if (pki_revoke == NULL)
- pki_revoke = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_revoke",
- NULL);
+ pki_revoke = freeme2 = krb5_config_get_strings(context, NULL,
+ "appdefaults",
+ "pkinit_revoke", NULL);
if (x509_anchors == NULL) {
krb5_appdefault_string(context, "kinit",
@@ -2366,6 +2404,13 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
if (flags & KRB5_GIC_OPT_PKINIT_ANONYMOUS)
opt->opt_private->pk_init_ctx->anonymous = 1;
+ if ((flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR) == 0 &&
+ x509_anchors == NULL) {
+ krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
+ N_("PKINIT: No anchor given", ""));
+ return HEIM_PKINIT_NO_VALID_CA;
+ }
+
ret = _krb5_pk_load_id(context,
&opt->opt_private->pk_init_ctx->id,
user_id,
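Review bot: The early `return HEIM_PKINIT_NO_VALID_CA;` added before the `_krb5_pk_load_id` call leaves without releasing `freeme1`, `freeme2` and `anchors`, which this same commit frees only after the call. It also leaves `opt->opt_private->pk_init_ctx` allocated, whereas the later error path frees it and sets it to NULL. A rejected option setup therefore leaks the config strings and leaves a half-initialised PKINIT context attached to `opt`. I would give the branch the same cleanup as the failure path after `_krb5_pk_load_id`. The function starts and ends outside the hunk.

```c
    if ((flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR) == 0 &&
        x509_anchors == NULL) {
        /* … unchanged: krb5_set_error_message call … */
        krb5_config_free_strings(freeme2);
        krb5_config_free_strings(freeme1);
        free(anchors);
        free(opt->opt_private->pk_init_ctx);
        opt->opt_private->pk_init_ctx = NULL;
        return HEIM_PKINIT_NO_VALID_CA;
    }
```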
@@ -2375,6 +2420,9 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
prompter,
prompter_data,
password);
+ krb5_config_free_strings(freeme2);
+ krb5_config_free_strings(freeme1);
+ free(anchors);
if (ret) {
free(opt->opt_private->pk_init_ctx);
opt->opt_private->pk_init_ctx = NULL;
@@ -2382,15 +2430,21 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
}
if (flags & KRB5_GIC_OPT_PKINIT_BTMM)
opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM;
-
if (principal && krb5_principal_is_lkdc(context, principal))
opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM;
+ if (flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR)
+ opt->opt_private->pk_init_ctx->id->flags |= PKINIT_NO_KDC_ANCHOR;
if (opt->opt_private->pk_init_ctx->id->certs) {
- _krb5_pk_set_user_id(context,
- principal,
- opt->opt_private->pk_init_ctx,
- opt->opt_private->pk_init_ctx->id->certs);
+ ret = _krb5_pk_set_user_id(context,
+ principal,
+ opt->opt_private->pk_init_ctx,
+ opt->opt_private->pk_init_ctx->id->certs);
+ if (ret) {
+ free(opt->opt_private->pk_init_ctx);
+ opt->opt_private->pk_init_ctx = NULL;
+ return ret;
+ }
} else
opt->opt_private->pk_init_ctx->id->cert = NULL;
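Review bot: When `_krb5_pk_set_user_id` fails, the new error branch frees only `pk_init_ctx`, but by then `_krb5_pk_load_id` has succeeded and `pk_init_ctx->id` is populated, as the `id->certs` test just above shows. The bare `free()` copied from the earlier load-failure path therefore leaks the loaded identity, which may hold certificate and key handles. I would tear the context down through the file's PKINIT free routine instead of `free(opt->opt_private->pk_init_ctx)`; I believe that is `_krb5_get_init_creds_opt_free_pkinit(opt)`, but it is not visible in this diff. The function starts and ends outside the hunk.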
@@ -2449,9 +2503,7 @@ krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context,
return EINVAL;
}
- _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
-
- return 0;
+ return _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
#else
krb5_set_error_message(context, EINVAL,
N_("no support for PKINIT compiled in", ""));
@@ -2601,3 +2653,15 @@ krb5_pk_enterprise_cert(krb5_context context,
return EINVAL;
#endif
}
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+_krb5_pk_is_kdc_verified(krb5_context context,
+ krb5_get_init_creds_opt *opt)
+{
+ if (opt == NULL ||
+ opt->opt_private == NULL ||
+ opt->opt_private->pk_init_ctx == NULL)
+ return FALSE;
+
+ return opt->opt_private->pk_init_ctx->kdc_verified;
+}
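Review bot: `_krb5_pk_is_kdc_verified` has no doc comment, and the flag it reports is only ever set to 1 in the hunks visible here (pk_rd_pa_reply_enckey and pk_rd_pa_reply_dh); nothing in this diff clears it. If a `pk_init_ctx` can be reused for a second AS exchange, a stale 1 from the first reply would be reported for the second, so it may be worth setting `ctx->kdc_verified = 0;` at the top of `_krb5_pk_rd_pa_reply`. I would also add a header such as `/* Returns TRUE only if the KDC's signing certificate was verified while processing the PKINIT reply; with KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR this can be FALSE after a successful reply. */`. The `context` parameter is unused.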
diff --git a/lib/krb5/plugin.c b/lib/krb5/plugin.c
index f4bf99953ebb..b4035d39d58a 100644
--- a/lib/krb5/plugin.c
+++ b/lib/krb5/plugin.c
@@ -3,6 +3,8 @@
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
+ * Portions Copyright (c) 2018 AuriStor, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -32,35 +34,30 @@
*/
#include "krb5_locl.h"
+#include "common_plugin.h"
-#ifdef HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-#include <dirent.h>
-
-struct krb5_plugin {
- void *symbol;
- struct krb5_plugin *next;
-};
-
-struct plugin {
- enum { DSO, SYMBOL } type;
- union {
- struct {
- char *path;
- void *dsohandle;
- } dso;
- struct {
- enum krb5_plugin_type type;
- char *name;
- char *symbol;
- } symbol;
- } u;
- struct plugin *next;
-};
-
-static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER;
-static struct plugin *registered = NULL;
+/*
+ * Definitions:
+ *
+ * module - a category of plugin module, identified by subsystem
+ * (typically "krb5")
+ * dso - a library for a module containing a map of plugin
+ * types to plugins (e.g. "service_locator")
+ * plugin - a set of callbacks and state that follows the
+ * common plugin module definition (version, init, fini)
+ *
+ * Obviously it would have been clearer to use the term "module" rather than
+ * "DSO" given there is an internal "DSO", but "module" was already taken...
+ *
+ * modules := { module: dsos }
+ * dsos := { path, dsohandle, plugins-by-name }
+ * plugins-by-name := { plugin-name: [plug] }
+ * plug := { ftable, ctx }
+ *
+ * Some existing plugin consumers outside libkrb5 use the "krb5" module
+ * namespace, but going forward the module should match the consumer library
+ * name (e.g. libhdb should use the "hdb" module rather than "krb5").
+ */
/**
* Register a plugin symbol name of specific type.
@@ -78,187 +75,22 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_plugin_register(krb5_context context,
enum krb5_plugin_type type,
const char *name,
- void *symbol)
-{
- struct plugin *e;
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- /* check for duplicates */
- for (e = registered; e != NULL; e = e->next) {
- if (e->type == SYMBOL &&
- strcmp(e->u.symbol.name, name) == 0 &&
- e->u.symbol.type == type && e->u.symbol.symbol == symbol) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- return 0;
- }
- }
-
- e = calloc(1, sizeof(*e));
- if (e == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
- e->type = SYMBOL;
- e->u.symbol.type = type;
- e->u.symbol.name = strdup(name);
- if (e->u.symbol.name == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- free(e);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
- e->u.symbol.symbol = symbol;
-
- e->next = registered;
- registered = e;
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
-
- return 0;
-}
-
-static krb5_error_code
-add_symbol(krb5_context context, struct krb5_plugin **list, void *symbol)
-{
- struct krb5_plugin *e;
-
- e = calloc(1, sizeof(*e));
- if (e == NULL) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
- e->symbol = symbol;
- e->next = *list;
- *list = e;
- return 0;
-}
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_plugin_find(krb5_context context,
- enum krb5_plugin_type type,
- const char *name,
- struct krb5_plugin **list)
-{
- struct plugin *e;
- krb5_error_code ret;
-
- *list = NULL;
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- for (ret = 0, e = registered; e != NULL; e = e->next) {
- switch(e->type) {
- case DSO: {
- void *sym;
- if (e->u.dso.dsohandle == NULL)
- continue;
- sym = dlsym(e->u.dso.dsohandle, name);
- if (sym)
- ret = add_symbol(context, list, sym);
- break;
- }
- case SYMBOL:
- if (strcmp(e->u.symbol.name, name) == 0 && e->u.symbol.type == type)
- ret = add_symbol(context, list, e->u.symbol.symbol);
- break;
- }
- if (ret) {
- _krb5_plugin_free(*list);
- *list = NULL;
- }
- }
-
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- if (ret)
- return ret;
-
- if (*list == NULL) {
- krb5_set_error_message(context, ENOENT, "Did not find a plugin for %s", name);
- return ENOENT;
- }
-
- return 0;
-}
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_plugin_free(struct krb5_plugin *list)
-{
- struct krb5_plugin *next;
- while (list) {
- next = list->next;
- free(list);
- list = next;
- }
-}
-/*
- * module - dict of {
- * ModuleName = [
- * plugin = object{
- * array = { ptr, ctx }
- * }
- * ]
- * }
- */
-
-static heim_dict_t modules;
-
-struct plugin2 {
- heim_string_t path;
- void *dsohandle;
- heim_dict_t names;
-};
-
-static void
-plug_dealloc(void *ptr)
-{
- struct plugin2 *p = ptr;
- heim_release(p->path);
- heim_release(p->names);
- if (p->dsohandle)
- dlclose(p->dsohandle);
-}
-
-static char *
-resolve_origin(const char *di)
+ const void *symbol)
{
-#ifdef HAVE_DLADDR
- Dl_info dl_info;
- const char *dname;
- char *path, *p;
-#endif
-
- if (strncmp(di, "$ORIGIN/", sizeof("$ORIGIN/") - 1) &&
- strcmp(di, "$ORIGIN"))
- return strdup(di);
-
-#ifndef HAVE_DLADDR
- return strdup(LIBDIR "/plugin/krb5");
-#else /* !HAVE_DLADDR */
- di += sizeof("$ORIGIN") - 1;
-
- if (dladdr(_krb5_load_plugins, &dl_info) == 0)
- return strdup(LIBDIR "/plugin/krb5");
-
- dname = dl_info.dli_fname;
-#ifdef _WIN32
- p = strrchr(dname, '\\');
- if (p == NULL)
-#endif
- p = strrchr(dname, '/');
- if (p) {
- if (asprintf(&path, "%.*s%s", (int) (p - dname), dname, di) == -1)
- return NULL;
- } else {
- if (asprintf(&path, "%s%s", dname, di) == -1)
- return NULL;
+ /*
+ * It's not clear that PLUGIN_TYPE_FUNC was ever used or supported. It likely
+ * would have caused _krb5_plugin_run_f() to crash as the previous implementation
+ * assumed PLUGIN_TYPE_DATA.
+ */
+ if (type != PLUGIN_TYPE_DATA) {
+ krb5_warnx(context, "krb5_plugin_register: PLUGIN_TYPE_DATA no longer supported");
+ return EINVAL;
}
- return path;
-#endif /* !HAVE_DLADDR */
+ return heim_plugin_register(context->hcontext, (heim_pcontext)context,
+ "krb5", name, symbol);
}
-
/**
* Load plugins (new system) for the given module @name (typically
* "krb5") from the given directory @paths.
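Review bot: The warning in the new `type != PLUGIN_TYPE_DATA` branch names the wrong type: the branch rejects everything except PLUGIN_TYPE_DATA, yet it logs "PLUGIN_TYPE_DATA no longer supported". Going by the comment just above it, the call should read `krb5_warnx(context, "krb5_plugin_register: PLUGIN_TYPE_FUNC no longer supported");`. The `(heim_pcontext)context` cast also deserves a one-line comment saying what guarantees the two context types are interchangeable, since that is not visible here.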
@@ -272,132 +104,7 @@ resolve_origin(const char *di)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_load_plugins(krb5_context context, const char *name, const char **paths)
{
-#ifdef HAVE_DLOPEN
- heim_string_t s = heim_string_create(name);
- heim_dict_t module;
- struct dirent *entry;
- krb5_error_code ret;
- const char **di;
- char *dirname = NULL;
- DIR *d;
-#ifdef _WIN32
- const char * plugin_prefix;
- size_t plugin_prefix_len;
-
- if (asprintf(&plugin_prefix, "plugin_%s_", name) == -1)
- return;
- plugin_prefix_len = (plugin_prefix ? strlen(plugin_prefix) : 0);
-#endif
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- if (modules == NULL) {
- modules = heim_dict_create(11);
- if (modules == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- return;
- }
- }
-
- module = heim_dict_copy_value(modules, s);
- if (module == NULL) {
- module = heim_dict_create(11);
- if (module == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- heim_release(s);
- return;
- }
- heim_dict_set_value(modules, s, module);
- }
- heim_release(s);
-
- for (di = paths; *di != NULL; di++) {
- free(dirname);
- dirname = resolve_origin(*di);
- if (dirname == NULL)
- continue;
- d = opendir(dirname);
- if (d == NULL)
- continue;
- rk_cloexec_dir(d);
-
- while ((entry = readdir(d)) != NULL) {
- char *n = entry->d_name;
- char *path = NULL;
- heim_string_t spath;
- struct plugin2 *p;
-
- /* skip . and .. */
- if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
- continue;
-
- ret = 0;
-#ifdef _WIN32
- /*
- * On Windows, plugins must be loaded from the same directory as
- * heimdal.dll (typically the assembly directory) and must have
- * the name form "plugin_<module>_<name>.dll".
- */
- {
- char *ext;
-
- if (strnicmp(n, plugin_prefix, plugin_prefix_len))
- continue;
- ext = strrchr(n, '.');
- if (ext == NULL || stricmp(ext, ".dll"))
- continue;
-
- ret = asprintf(&path, "%s\\%s", dirname, n);
- if (ret < 0 || path == NULL)
- continue;
- }
-#endif
-#ifdef __APPLE__
- { /* support loading bundles on MacOS */
- size_t len = strlen(n);
- if (len > 7 && strcmp(&n[len - 7], ".bundle") == 0)
- ret = asprintf(&path, "%s/%s/Contents/MacOS/%.*s", dirname, n, (int)(len - 7), n);
- }
-#endif
- if (ret < 0 || path == NULL)
- ret = asprintf(&path, "%s/%s", dirname, n);
-
- if (ret < 0 || path == NULL)
- continue;
-
- spath = heim_string_create(n);
- if (spath == NULL) {
- free(path);
- continue;
- }
-
- /* check if already cached */
- p = heim_dict_copy_value(module, spath);
- if (p == NULL) {
- p = heim_alloc(sizeof(*p), "krb5-plugin", plug_dealloc);
- if (p)
- p->dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY);
-
- if (p && p->dsohandle) {
- p->path = heim_retain(spath);
- p->names = heim_dict_create(11);
- heim_dict_set_value(module, spath, p);
- }
- }
- heim_release(p);
- heim_release(spath);
- free(path);
- }
- closedir(d);
- }
- free(dirname);
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- heim_release(module);
-#ifdef _WIN32
- if (plugin_prefix)
- free(plugin_prefix);
-#endif
-#endif /* HAVE_DLOPEN */
+ heim_load_plugins(context->hcontext, name, paths);
}
/**
@@ -406,101 +113,14 @@ _krb5_load_plugins(krb5_context context, const char *name, const char **paths)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_unload_plugins(krb5_context context, const char *name)
{
- HEIMDAL_MUTEX_lock(&plugin_mutex);
- heim_release(modules);
- modules = NULL;
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
-}
-
-/*
- *
- */
-
-struct common_plugin_method {
- int version;
- krb5_error_code (*init)(krb5_context, void **);
- void (*fini)(void *);
-};
-
-struct plug {
- void *dataptr;
- void *ctx;
-};
-
-static void
-plug_free(void *ptr)
-{
- struct plug *pl = ptr;
- if (pl->dataptr) {
- struct common_plugin_method *cpm = pl->dataptr;
- cpm->fini(pl->ctx);
- }
-}
-
-struct iter_ctx {
- krb5_context context;
- heim_string_t n;
- const char *name;
- int min_version;
- int flags;
- heim_array_t result;
- krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *);
- void *userctx;
- krb5_error_code ret;
-};
-
-static void
-search_modules(heim_object_t key, heim_object_t value, void *ctx)
-{
- struct iter_ctx *s = ctx;
- struct plugin2 *p = value;
- struct plug *pl = heim_dict_copy_value(p->names, s->n);
- struct common_plugin_method *cpm;
-
- if (pl == NULL) {
- if (p->dsohandle == NULL)
- return;
-
- pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free);
-
- cpm = pl->dataptr = dlsym(p->dsohandle, s->name);
- if (cpm) {
- int ret;
-
- ret = cpm->init(s->context, &pl->ctx);
- if (ret)
- cpm = pl->dataptr = NULL;
- }
- heim_dict_set_value(p->names, s->n, pl);
- } else {
- cpm = pl->dataptr;
- }
-
- if (cpm && cpm->version >= s->min_version)
- heim_array_append_value(s->result, pl);
- heim_release(pl);
-}
-
-static void
-eval_results(heim_object_t value, void *ctx, int *stop)
-{
- struct plug *pl = value;
- struct iter_ctx *s = ctx;
-
- if (s->ret != KRB5_PLUGIN_NO_HANDLE)
- return;
-
- s->ret = s->func(s->context, pl->dataptr, pl->ctx, s->userctx);
- if (s->ret != KRB5_PLUGIN_NO_HANDLE
- && !(s->flags & KRB5_PLUGIN_INVOKE_ALL))
- *stop = 1;
+ heim_unload_plugins(context->hcontext, name);
}
/**
* Run plugins for the given @module (e.g., "krb5") and @name (e.g.,
* "kuserok"). Specifically, the @func is invoked once per-plugin with
* four arguments: the @context, the plugin symbol value (a pointer to a
- * struct whose first three fields are the same as struct common_plugin_method),
+ * struct whose first three fields are the same as common_plugin_ftable),
* a context value produced by the plugin's init method, and @userctx.
*
* @func should unpack arguments for a plugin function and invoke it
@@ -527,80 +147,62 @@ eval_results(heim_object_t value, void *ctx, int *stop)
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_plugin_run_f(krb5_context context,
- const char *module,
- const char *name,
- int min_version,
+ const struct heim_plugin_data *caller,
int flags,
void *userctx,
krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *))
{
- heim_string_t m = heim_string_create(module);
- heim_dict_t dict;
- void *plug_ctx;
- struct common_plugin_method *cpm;
- struct iter_ctx s;
- struct krb5_plugin *registered_plugins = NULL;
- struct krb5_plugin *p;
-
- /* Get registered plugins */
- (void) _krb5_plugin_find(context, PLUGIN_TYPE_DATA, name, &registered_plugins);
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- s.context = context;
- s.name = name;
- s.n = heim_string_create(name);
- s.flags = flags;
- s.min_version = min_version;
- s.result = heim_array_create();
- s.func = func;
- s.userctx = userctx;
- s.ret = KRB5_PLUGIN_NO_HANDLE;
-
- /* Get loaded plugins */
- dict = heim_dict_copy_value(modules, m);
- heim_release(m);
-
- /* Add loaded plugins to s.result array */
- if (dict)
- heim_dict_iterate_f(dict, &s, search_modules);
+ int32_t (HEIM_LIB_CALL *func2)(void *, const void *, void *, void *) = (void *)func;
+ return heim_plugin_run_f(context->hcontext, (heim_pcontext)context, caller,
+ flags, KRB5_PLUGIN_NO_HANDLE, userctx, func2);
+}
- /* We don't need to hold plugin_mutex during plugin invocation */
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
+/**
+ * Return a cookie identifying this instance of a library.
+ *
+ * Inputs:
+ *
+ * @context A krb5_context
+ * @module Our library name or a library we depend on
+ *
+ * Outputs: The instance cookie
+ *
+ * @ingroup krb5_support
+ */
- /* Invoke registered plugins (old system) */
- for (p = registered_plugins; p; p = p->next) {
- /*
- * XXX This is the wrong way to handle registered plugins, as we
- * call init/fini on each invocation! We do this because we
- * have nowhere in the struct plugin registered list to store
- * the context allocated by the plugin's init function. (But at
- * least we do call init/fini!)
- *
- * What we should do is adapt the old plugin system to the new
- * one and change how we register plugins so that we use the new
- * struct plug to keep track of their context structures, that
- * way we can init once, invoke many times, then fini.
- */
- cpm = (struct common_plugin_method *)p->symbol;
- s.ret = cpm->init(context, &plug_ctx);
- if (s.ret)
- continue;
- s.ret = s.func(s.context, p->symbol, plug_ctx, s.userctx);
- cpm->fini(plug_ctx);
- if (s.ret != KRB5_PLUGIN_NO_HANDLE &&
- !(flags & KRB5_PLUGIN_INVOKE_ALL))
- break;
- }
- _krb5_plugin_free(registered_plugins);
+#ifdef WIN32
+static uintptr_t
+djb2(uintptr_t hash, unsigned char *str)
+{
+ int c;
- /* Invoke loaded plugins (new system) */
- if (s.ret == KRB5_PLUGIN_NO_HANDLE)
- heim_array_iterate_f(s.result, &s, eval_results);
+ while (c = *str++)
+ hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
- heim_release(s.result);
- heim_release(s.n);
- heim_release(dict);
+ return hash;
+}
+#endif
- return s.ret;
+KRB5_LIB_FUNCTION uintptr_t KRB5_LIB_CALL
+krb5_get_instance(const char *libname)
+{
+#ifdef WIN32
+ char *version;
+ char *name;
+ uintptr_t instance;
+
+ if (win32_getLibraryVersion("heimdal", &name, &version))
+ return 0;
+ instance = djb2(5381, name);
+ instance = djb2(instance, version);
+ free(name);
+ free(version);
+ return instance;
+#else
+ static const char *instance = "libkrb5";
+
+ if (strcmp(libname, "krb5") == 0)
+ return (uintptr_t)instance;
+ return 0;
+#endif
}
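Review bot: `_krb5_plugin_run_f` converts `func` to a different function-pointer type through `(void *)`, so heim_plugin_run_f will call a `krb5_error_code (*)(krb5_context, ...)` function as `int32_t (*)(void *, ...)`. Calling through an incompatible function type is undefined behaviour in C and is rejected at run time by indirect-call checks such as Clang's CFI or `-fsanitize=function`, so this works only while the ABI happens to agree. I would either declare the callback with the heim types end to end or, at minimum, record the assumption next to the cast: `/* relies on krb5_error_code being int32_t and krb5_context being passed like void *; breaks under indirect-call type checking */`. Separately, the doc comment added for krb5_get_instance documents `@context` and `@module` although the function takes only `libname`, and it sits above `djb2` rather than above the function it describes.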
diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c
index 937a9a7d59e4..690a725fbde6 100644
--- a/lib/krb5/principal.c
+++ b/lib/krb5/principal.c
@@ -103,6 +103,8 @@ krb5_free_principal(krb5_context context,
krb5_principal p)
{
if(p){
+ if (p->nameattrs && p->nameattrs->pac)
+ heim_release(p->nameattrs->pac);
free_Principal(p);
free(p);
}
@@ -234,10 +236,10 @@ krb5_parse_name_flags(krb5_context context,
*principal = NULL;
if (no_realm && require_realm) {
- krb5_set_error_message(context, KRB5_ERR_NO_SERVICE,
+ krb5_set_error_message(context, EINVAL,
N_("Can't require both realm and "
"no realm at the same time", ""));
- return KRB5_ERR_NO_SERVICE;
+ return EINVAL;
}
/* count number of component,
@@ -279,9 +281,24 @@ krb5_parse_name_flags(krb5_context context,
c = '\t';
else if (c == 'b')
c = '\b';
- else if (c == '0')
- c = '\0';
- else if (c == '\0') {
+ else if (c == '0') {
+ /*
+ * We'll ignore trailing embedded NULs in components and
+ * realms, but can't support any other embedded NULs.
+ */
+ while (*p) {
+ if ((*p == '/' || *p == '@') && !got_realm)
+ break;
+ if (*(p++) != '\\' || *(p++) != '0') {
+ ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret,
+ N_("embedded NULs in principal "
+ "name not supported", ""));
+ goto exit;
+ }
+ }
+ continue;
+ } else if (c == '\0') {
ret = KRB5_PARSE_MALFORMED;
krb5_set_error_message(context, ret,
N_("trailing \\ in principal name", ""));
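Review bot: The trailing-NUL scan advances `p` inside its own condition, `*(p++) != '\\' || *(p++) != '0'`, which makes it hard to confirm by inspection that the loop never steps past the string terminator. When `p[0]` is a backslash, `p[1]` is at worst the terminating NUL, so an indexed form reads the same bytes and is easier to audit: `if (p[0] != '\\' || p[1] != '0') { ... goto exit; }` followed by `p += 2;`. The added comment could also state that trailing `\0` escapes are dropped, so two different input strings can parse to the same principal. The loop and the function begin outside the hunk.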
@@ -442,6 +459,22 @@ unparse_name_fixed(krb5_context context,
int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0;
int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0;
+ if (name == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ N_("Invalid name buffer, "
+ "can't unparse", ""));
+ return EINVAL;
+ }
+
+ if (len == 0) {
+ krb5_set_error_message(context, ERANGE,
+ N_("Invalid name buffer length, "
+ "can't unparse", ""));
+ return ERANGE;
+ }
+
+ name[0] = '\0';
+
if (!no_realm && princ_realm(principal) == NULL) {
krb5_set_error_message(context, ERANGE,
N_("Realm missing from principal, "
@@ -756,6 +789,9 @@ krb5_make_principal(krb5_context context,
krb5_error_code ret;
krb5_realm r = NULL;
va_list ap;
+
+ *principal = NULL;
+
if(realm == NULL) {
ret = krb5_get_default_realm(context, &r);
if(ret)
@@ -910,13 +946,20 @@ krb5_copy_principal(krb5_context context,
krb5_const_principal inprinc,
krb5_principal *outprinc)
{
- krb5_principal p = malloc(sizeof(*p));
+ krb5_principal p;
+
+ *outprinc = NULL;
+
+ p = malloc(sizeof(*p));
if (p == NULL)
return krb5_enomem(context);
if(copy_Principal(inprinc, p)) {
free(p);
return krb5_enomem(context);
}
+ if (inprinc->nameattrs && inprinc->nameattrs->pac)
+ p->nameattrs->pac = heim_retain(inprinc->nameattrs->pac);
+
*outprinc = p;
return 0;
}
@@ -1297,10 +1340,32 @@ krb5_principal_is_anonymous(krb5_context context,
return strcmp(p->realm, KRB5_ANON_REALM) != 0;
}
+/**
+ * Returns true iff name is WELLKNOWN/FEDERATED
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_principal_is_federated(krb5_context context,
+ krb5_const_principal p)
+{
+ if (p->name.name_type != KRB5_NT_WELLKNOWN &&
+ p->name.name_type != KRB5_NT_UNKNOWN)
+ return FALSE;
+
+ if (p->name.name_string.len != 2 ||
+ strcmp(p->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
+ strcmp(p->name.name_string.val[1], KRB5_FEDERATED_NAME) != 0)
+ return FALSE;
+
+ return TRUE;
+}
+
static int
tolower_ascii(int c)
{
- if (c >= 'A' || c <= 'Z')
+ if (c >= 'A' && c <= 'Z')
return 'a' + (c - 'A');
return c;
}
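Review bot: The doc comment on krb5_principal_is_federated says it returns true "iff name is WELLKNOWN/FEDERATED", but the code also requires the name type to be KRB5_NT_WELLKNOWN or KRB5_NT_UNKNOWN, and it dereferences `p` without a NULL check. I would spell the contract out: `* Returns TRUE if the principal has exactly the two components WELLKNOWN/FEDERATED and name type KRB5_NT_WELLKNOWN or KRB5_NT_UNKNOWN. @p must not be NULL.` The `context` parameter is unused.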
@@ -1398,8 +1463,8 @@ krb5_sname_to_principal(krb5_context context,
/* Lower-case the hostname, because that's the convention */
for (cp = remote_host; *cp; cp++)
- if (isupper((int) (*cp)))
- *cp = tolower((int) (*cp));
+ if (isupper((unsigned char) (*cp)))
+ *cp = tolower((unsigned char) (*cp));
/*
* If there is only one name canon rule and it says to
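Review bot: The hostname is still lower-cased with the locale-dependent `isupper`/`tolower`, while this file has `tolower_ascii` (corrected earlier in this diff) for exactly this purpose. Host names are compared as ASCII, and under some locales `tolower` maps bytes outside A–Z, which can yield a service principal that does not match the one the KDC knows. I would write the loop body as `*cp = tolower_ascii((unsigned char)*cp);`, and the `isupper` guard in `tolower_str` (the hunk at -1465) can go the same way. The function starts and ends outside the hunk.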
@@ -1465,7 +1530,7 @@ static void
tolower_str(char *s)
{
for (; *s != '\0'; s++) {
- if (isupper(*s))
+ if (isupper((unsigned char)*s))
*s = tolower_ascii(*s);
}
}
@@ -1720,12 +1785,14 @@ _krb5_get_name_canon_rules(krb5_context context, krb5_name_canon_rule *rules)
krb5_config_free_strings(values);
if (ret)
return ret;
+ if (*rules == NULL)
+ return krb5_enomem(context);
if (krb5_config_get_bool_default(context, NULL, FALSE,
"libdefaults", "safe_name_canon", NULL))
make_rules_safe(context, *rules);
- heim_assert(rules != NULL && (*rules)[0].type != KRB5_NCRT_BOGUS,
+ heim_assert((*rules)[0].type != KRB5_NCRT_BOGUS,
"internal error in parsing principal name "
"canonicalization rules");
@@ -1788,7 +1855,7 @@ apply_name_canon_rule(krb5_context context, krb5_name_canon_rule rules,
krb5_name_canon_rule_options *rule_opts)
{
krb5_name_canon_rule rule = &rules[rule_idx];
- krb5_error_code ret;
+ krb5_error_code ret = 0;
unsigned int ndots = 0;
krb5_principal nss = NULL;
const char *sname = NULL;
@@ -1833,17 +1900,17 @@ apply_name_canon_rule(krb5_context context, krb5_name_canon_rule rules,
ndots++;
}
if (rule->mindots > 0 && ndots < rule->mindots)
- return 0;
+ goto out;
if (ndots > rule->maxdots)
- return 0;
+ goto out;
if (rule->match_domain != NULL &&
!is_domain_suffix(orig_hostname, rule->match_domain))
- return 0;
+ goto out;
if (rule->match_realm != NULL &&
strcmp(rule->match_realm, in_princ->realm) != 0)
- return 0;
+ goto out;
new_realm = rule->realm;
switch (rule->type) {
@@ -1927,10 +1994,12 @@ apply_name_canon_rule(krb5_context context, krb5_name_canon_rule rules,
new_hostname = hostname_with_port;
}
- if (new_realm != NULL)
- krb5_principal_set_realm(context, *out_princ, new_realm);
- if (new_hostname != NULL)
- krb5_principal_set_comp_string(context, *out_princ, 1, new_hostname);
+ if (new_realm != NULL &&
+ (ret = krb5_principal_set_realm(context, *out_princ, new_realm)))
+ goto out;
+ if (new_hostname != NULL &&
+ (ret = krb5_principal_set_comp_string(context, *out_princ, 1, new_hostname)))
+ goto out;
if (princ_type(*out_princ) == KRB5_NT_SRV_HST_NEEDS_CANON)
princ_type(*out_princ) = KRB5_NT_SRV_HST;
diff --git a/lib/krb5/rd_cred.c b/lib/krb5/rd_cred.c
index e38882525ab4..f8d57362310b 100644
--- a/lib/krb5/rd_cred.c
+++ b/lib/krb5/rd_cred.c
@@ -96,7 +96,7 @@ krb5_rd_cred(krb5_context context,
goto out;
}
- if (cred.enc_part.etype == (krb5_enctype)ETYPE_NULL) {
+ if (cred.enc_part.etype == ETYPE_NULL) {
/* DK: MIT GSS-API Compatibility */
enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
enc_krb_cred_part_data.data = cred.enc_part.cipher.data;
@@ -222,7 +222,7 @@ krb5_rd_cred(krb5_context context,
if (enc_krb_cred_part.timestamp == NULL ||
enc_krb_cred_part.usec == NULL ||
- labs(*enc_krb_cred_part.timestamp - sec)
+ krb5_time_abs(*enc_krb_cred_part.timestamp, sec)
> context->max_skew) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_SKEW;
diff --git a/lib/krb5/rd_priv.c b/lib/krb5/rd_priv.c
index 3e49dd8b4634..ab1a165d5165 100644
--- a/lib/krb5/rd_priv.c
+++ b/lib/krb5/rd_priv.c
@@ -136,7 +136,7 @@ krb5_rd_priv(krb5_context context,
krb5_timeofday (context, &sec);
if (part.timestamp == NULL ||
part.usec == NULL ||
- labs(*part.timestamp - sec) > context->max_skew) {
+ krb5_time_abs(*part.timestamp, sec) > context->max_skew) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_SKEW;
goto failure_part;
diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c
index 3937dc5ab3ac..012cfefc2d80 100644
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -146,7 +146,7 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0)
return 0;
- if(enc->transited.tr_type != DOMAIN_X500_COMPRESS)
+ if(enc->transited.tr_type != domain_X500_Compress)
return KRB5KDC_ERR_TRTYPE_NOSUPP;
if(enc->transited.contents.length == 0)
@@ -260,6 +260,8 @@ krb5_verify_authenticator_checksum(krb5_context context,
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
goto out;
+
+ _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);
ret = krb5_verify_checksum(context, crypto,
KRB5_KU_AP_REQ_AUTH_CKSUM,
data, len, authenticator->cksum);
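Review bot: The added `_krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM)` call in krb5_verify_authenticator_checksum relaxes checksum verification without a comment saying why that is acceptable here. From the hunk alone a reader cannot tell what still protects the checksum once unkeyed types are accepted. Presumably it is that the authenticator carrying the checksum was itself decrypted with the session key, but that should be confirmed and written down. I would add a comment above the call along the lines of `/* Unkeyed checksum types are accepted here because the checksum is carried inside the encrypted authenticator (confirm) */`. The function body starts and ends outside the hunk.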
@@ -307,6 +309,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_auth_context ac;
krb5_error_code ret;
EtypeList etypes;
+ int badaddr = 0;
memset(&etypes, 0, sizeof(etypes));
@@ -348,11 +351,6 @@ krb5_verify_ap_req2(krb5_context context,
ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
- ret = _krb5_principalname2krb5_principal(context,
- &t->client,
- t->ticket.cname,
- t->ticket.crealm);
- if (ret) goto out;
ret = decrypt_authenticator (context,
&t->ticket.key,
@@ -384,6 +382,27 @@ krb5_verify_ap_req2(krb5_context context,
}
}
+ /*
+ * The ticket authenticates the client, and conveys naming attributes that
+ * we want to expose in GSS using RFC6680 APIs.
+ *
+ * So we same the ticket enc-part in the client's krb5_principal object
+ * (note though that the session key will be absent in that copy of the
+ * ticket enc-part).
+ */
+ ret = _krb5_ticket2krb5_principal(context, &t->client, &t->ticket,
+ ac->authenticator->authorization_data);
+ if (ret) goto out;
+
+ t->client->nameattrs->peer_realm =
+ calloc(1, sizeof(t->client->nameattrs->peer_realm[0]));
+ if (t->client->nameattrs->peer_realm == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ ret = copy_Realm(&ap_req->ticket.realm, t->client->nameattrs->peer_realm);
+ if (ret) goto out;
+
/* check addresses */
if (t->ticket.caddr
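Review bot: `t->client->nameattrs` is dereferenced immediately after `_krb5_ticket2krb5_principal()` returns 0, with no check that the helper allocated it. If the helper can succeed while leaving `nameattrs` NULL (its body is not in this diff), the `peer_realm` assignment is a NULL dereference on the path that processes a peer-supplied AP-REQ. A guard such as `if (t->client->nameattrs == NULL) { ret = EINVAL; goto out; }`, or a comment stating the helper's guarantee, would settle it. The same unchecked dereference recurs in the krb5_rd_req_ctx hunks at -1002,6 and -1023,17. The comment above also reads "we same the ticket enc-part", which should be "we save".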
@@ -391,9 +410,19 @@ krb5_verify_ap_req2(krb5_context context,
&& !krb5_address_search (context,
ac->remote_address,
t->ticket.caddr)) {
- ret = KRB5KRB_AP_ERR_BADADDR;
- krb5_clear_error_message (context);
- goto out;
+ /*
+ * Hack alert. If KRB5_VERIFY_AP_REQ_IGNORE_ADDRS and the client's
+ * address didn't check out then we'll return KRB5KRB_AP_ERR_BADADDR
+ * even on success, and we'll let the caller figure it out because
+ * `*ticket != NULL' or `*auth_context != NULL'.
+ */
+ if ((flags & KRB5_VERIFY_AP_REQ_IGNORE_ADDRS)) {
+ badaddr = 1;
+ } else {
+ ret = KRB5KRB_AP_ERR_BADADDR;
+ krb5_clear_error_message(context);
+ goto out;
+ }
}
/* check timestamp in authenticator */
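Review bot: With KRB5_VERIFY_AP_REQ_IGNORE_ADDRS set, the function now completes normally and still returns KRB5KRB_AP_ERR_BADADDR (the return is in the later hunk at -463,6), so the error code alone no longer tells a caller whether it owns `*ticket` and `*auth_context`. A caller that treats any non-zero return as failure will leak both objects. The `*ticket != NULL` test the comment suggests is reliable only if the outputs are cleared on every real failure path, which is not visible in these hunks. The contract is described only in the in-body "Hack alert" comment; it belongs in the function's API documentation, and existing callers that pass the flag should be audited. A separate output indicator would be less fragile than overloading the return value.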
@@ -402,7 +431,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_timeofday (context, &now);
- if (labs(ac->authenticator->ctime - now) > context->max_skew) {
+ if (krb5_time_abs(ac->authenticator->ctime, now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_clear_error_message (context);
goto out;
@@ -445,7 +474,7 @@ krb5_verify_ap_req2(krb5_context context,
if (ap_req_options) {
*ap_req_options = 0;
- if (ac->keytype != (krb5_enctype)ETYPE_NULL)
+ if (ac->keytype != ETYPE_NULL)
*ap_req_options |= AP_OPTS_USE_SUBKEY;
if (ap_req->ap_options.use_session_key)
*ap_req_options |= AP_OPTS_USE_SESSION_KEY;
@@ -463,6 +492,11 @@ krb5_verify_ap_req2(krb5_context context,
} else
krb5_auth_con_free (context, ac);
free_EtypeList(&etypes);
+
+ if (badaddr) {
+ krb5_clear_error_message(context);
+ return KRB5KRB_AP_ERR_BADADDR;
+ }
return 0;
out:
free_EtypeList(&etypes);
@@ -821,7 +855,8 @@ krb5_rd_req_ctx(krb5_context context,
krb5_keytab id = NULL, keytab = NULL;
krb5_principal service = NULL;
- *outctx = NULL;
+ if (outctx)
+ *outctx = NULL;
o = calloc(1, sizeof(*o));
if (o == NULL)
@@ -1002,6 +1037,11 @@ krb5_rd_req_ctx(krb5_context context,
goto out;
}
+ if (krb5_ticket_get_authorization_data_type(context, o->ticket,
+ KRB5_AUTHDATA_KDC_ISSUED,
+ NULL) == 0)
+ o->ticket->client->nameattrs->kdc_issued_verified = 1;
+
/* If there is a PAC, verify its server signature */
if (inctx == NULL || inctx->check_pac) {
krb5_pac pac;
@@ -1023,17 +1063,36 @@ krb5_rd_req_ctx(krb5_context context,
o->ticket->client,
o->keyblock,
NULL);
- krb5_pac_free(context, pac);
- if (ret)
+ if (ret == 0)
+ o->ticket->client->nameattrs->pac_verified = 1;
+ if (ret == 0 && (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)) {
+ krb5_error_code ret2;
+ krb5_principal canon_name;
+
+ ret2 = _krb5_pac_get_canon_principal(context, pac, &canon_name);
+ if (ret2 == 0) {
+ free_Realm(&o->ticket->client->realm);
+ free_PrincipalName(&o->ticket->client->name);
+ ret = copy_Realm(&canon_name->realm, &o->ticket->client->realm);
+ if (ret == 0)
+ ret = copy_PrincipalName(&canon_name->name, &o->ticket->client->name);
+ krb5_free_principal(context, canon_name);
+ } else if (ret2 != ENOENT)
+ ret = ret2;
+ }
+ if (ret) {
+ krb5_pac_free(context, pac);
goto out;
+ }
+ o->ticket->client->nameattrs->pac = pac;
} else
ret = 0;
}
out:
- if (ret || outctx == NULL) {
+ if (ret || outctx == NULL)
krb5_rd_req_out_ctx_free(context, o);
- } else
+ else
*outctx = o;
free_AP_REQ(&ap_req);
diff --git a/lib/krb5/rd_safe.c b/lib/krb5/rd_safe.c
index cfe1e9829c9c..24ed636d4059 100644
--- a/lib/krb5/rd_safe.c
+++ b/lib/krb5/rd_safe.c
@@ -159,7 +159,7 @@ krb5_rd_safe(krb5_context context,
if (safe.safe_body.timestamp == NULL ||
safe.safe_body.usec == NULL ||
- labs(*safe.safe_body.timestamp - sec) > context->max_skew) {
+ krb5_time_abs(*safe.safe_body.timestamp, sec) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_clear_error_message (context);
goto failure;
diff --git a/lib/krb5/recvauth.c b/lib/krb5/recvauth.c
index 785c4c9c5f1b..656378309db7 100644
--- a/lib/krb5/recvauth.c
+++ b/lib/krb5/recvauth.c
@@ -138,7 +138,7 @@ krb5_recvauth_match_version(krb5_context context,
len = ntohl(len);
if (len != sizeof(her_version)
|| krb5_net_read (context, p_fd, her_version, len) != len
- || strncmp (version, her_version, len)) {
+ || strncmp (version, her_version, len) != 0) {
repl = 1;
krb5_net_write (context, p_fd, &repl, 1);
krb5_clear_error_message (context);
@@ -160,6 +160,11 @@ krb5_recvauth_match_version(krb5_context context,
return KRB5_SENDAUTH_BADAPPLVERS;
}
len = ntohl(len);
+ if (len > 1024 * 1024) {
+ krb5_set_error_message(context, ret = KRB5_SENDAUTH_REJECTED,
+ "AP-REQ too long");
+ return ret;
+ }
her_appl_version = malloc (len);
if (her_appl_version == NULL) {
repl = 2;
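Review bot: The new 1 MiB bound is applied to the length of `her_appl_version`, yet the error text says "AP-REQ too long", and unlike the neighbouring failure paths no `repl` byte is written to the peer before returning. I would name the field actually being rejected and wrap the text like the other messages, e.g. `N_("sendauth application version too long", "")`, and decide explicitly whether the peer should be notified, as the malloc-failure path just below does with `repl = 2`. `1024 * 1024` would read better as a named constant, and a much smaller cap looks sufficient for a version string. `len == 0` still reaches `malloc(len)`, which may return NULL and be reported as out of memory.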
diff --git a/lib/krb5/replay.c b/lib/krb5/replay.c
index 6257311676f6..2fec8afd1043 100644
--- a/lib/krb5/replay.c
+++ b/lib/krb5/replay.c
@@ -58,7 +58,7 @@ krb5_rc_resolve_type(krb5_context context,
const char *type)
{
*id = NULL;
- if(strcmp(type, "FILE")) {
+ if (strcmp(type, "FILE") != 0) {
krb5_set_error_message (context, KRB5_RC_TYPE_NOTFOUND,
N_("replay cache type %s not supported", ""),
type);
@@ -82,7 +82,7 @@ krb5_rc_resolve_full(krb5_context context,
*id = NULL;
- if(strncmp(string_name, "FILE:", 5)) {
+ if (strncmp(string_name, "FILE:", 5) != 0) {
krb5_set_error_message(context, KRB5_RC_TYPE_NOTFOUND,
N_("replay cache type %s not supported", ""),
string_name);
@@ -220,8 +220,10 @@ krb5_rc_store(krb5_context context,
}
rk_cloexec_file(f);
count = fread(&tmp, sizeof(ent), 1, f);
- if(count != 1)
+ if (count != 1) {
+ fclose(f);
return KRB5_RC_IO_UNKNOWN;
+ }
t = ent.stamp - tmp.stamp;
while(fread(&tmp, sizeof(ent), 1, f)){
if(tmp.stamp < t)
diff --git a/lib/krb5/salt-aes-sha1.c b/lib/krb5/salt-aes-sha1.c
index edd066df404c..2c556f1cbefa 100644
--- a/lib/krb5/salt-aes-sha1.c
+++ b/lib/krb5/salt-aes-sha1.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-int _krb5_AES_SHA1_string_to_default_iterator = 4096;
+const int _krb5_AES_SHA1_string_to_default_iterator = 4096;
static krb5_error_code
AES_SHA1_string_to_key(krb5_context context,
diff --git a/lib/krb5/salt-aes-sha2.c b/lib/krb5/salt-aes-sha2.c
index bc674bd2dab7..9de1c280f77d 100644
--- a/lib/krb5/salt-aes-sha2.c
+++ b/lib/krb5/salt-aes-sha2.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-int _krb5_AES_SHA2_string_to_default_iterator = 32768;
+const int _krb5_AES_SHA2_string_to_default_iterator = 32768;
static krb5_error_code
AES_SHA2_string_to_key(krb5_context context,
diff --git a/lib/krb5/salt-arcfour.c b/lib/krb5/salt-arcfour.c
index 38aaa25024e6..033128ed803d 100644
--- a/lib/krb5/salt-arcfour.c
+++ b/lib/krb5/salt-arcfour.c
@@ -47,10 +47,8 @@ ARCFOUR_string_to_key(krb5_context context,
EVP_MD_CTX *m;
m = EVP_MD_CTX_create();
- if (m == NULL) {
- ret = krb5_enomem(context);
- goto out;
- }
+ if (m == NULL)
+ return krb5_enomem(context);
EVP_DigestInit_ex(m, EVP_md4(), NULL);
diff --git a/lib/krb5/salt.c b/lib/krb5/salt.c
index a3e850fcb8cf..fa926f3d6c60 100644
--- a/lib/krb5/salt.c
+++ b/lib/krb5/salt.c
@@ -91,6 +91,69 @@ krb5_string_to_salttype (krb5_context context,
return HEIM_ERR_SALTTYPE_NOSUPP;
}
+/*
+ * Like MIT's krb5_string_to_keysalts(), but simpler and with a context
+ * argument.
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_keysalts2(krb5_context context, const char *string,
+ size_t *nksaltp, krb5_key_salt_tuple **ksaltp)
+{
+ /* deleted: tupleseps, ksaltseps, dups */
+ krb5_key_salt_tuple *tmp = NULL;
+ krb5_error_code ret = 0;
+ char *copy, *token, *stype_str;
+ char *lasts = NULL;
+ krb5_enctype etype;
+ krb5_salttype stype;
+ size_t i;
+
+ *ksaltp = NULL;
+ *nksaltp = 0;
+ if ((copy = strdup(string)) == NULL)
+ return krb5_enomem(context);
+ for (token = strtok_r(copy, ", \t", &lasts), ret = 0;
+ token != NULL;
+ token = strtok_r(NULL, ", \t", &lasts)) {
+ if ((stype_str = strchr(token, ':')) != NULL)
+ *(stype_str++) = '\0';
+ if ((ret = krb5_string_to_enctype(context, token, &etype)))
+ continue;
+ if (stype_str == NULL)
+ stype = KRB5_PW_SALT;
+ else if ((ret = krb5_string_to_salttype(context, etype, stype_str, &stype)))
+ continue;
+ for (i = 0; i < *nksaltp; i++) {
+ if ((*ksaltp)[i].ks_enctype == etype &&
+ (*ksaltp)[i].ks_salttype == stype)
+ goto skip;
+ }
+ tmp = realloc(*ksaltp, ((*nksaltp) + 1) * sizeof(**ksaltp));
+ if (tmp == NULL) {
+ ret = krb5_enomem(context);
+ break;
+ }
+ *ksaltp = tmp;
+ (*ksaltp)[*nksaltp].ks_enctype = etype;
+ (*ksaltp)[*nksaltp].ks_salttype = stype;
+ (*nksaltp)++;
+skip:
+ (void)1;
+ }
+ free(copy);
+ if (ret == ENOMEM) {
+ free(*ksaltp);
+ *nksaltp = 0;
+ *ksaltp = NULL;
+ } else if (*nksaltp) {
+ return 0;
+ } else if (ret == 0) {
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ return ret;
+}
+
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_pw_salt(krb5_context context,
krb5_const_principal principal,
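Review bot: `krb5_string_to_keysalts2()` silently skips every token whose enctype or salt type it cannot parse and returns 0 as long as one tuple survives, but the header comment does not say so. For a caller feeding it configuration, a misspelled entry disappears without any error, which can leave a key set narrower than the administrator intended. The comment should state that unknown tokens are ignored, and that when nothing parses the last parse error is returned (or `KRB5_PROG_ETYPE_NOSUPP` for a string with no tokens). It should also say that `*ksaltp` comes from realloc() and is released by the caller with free(), and that `string` must not be NULL since it goes straight to `strdup`. The leftover `/* deleted: tupleseps, ksaltseps, dups */` line can be removed.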
@@ -132,7 +195,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_data (krb5_context context,
krb5_enctype enctype,
krb5_data password,
- krb5_principal principal,
+ krb5_const_principal principal,
krb5_keyblock *key)
{
krb5_error_code ret;
@@ -150,7 +213,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key (krb5_context context,
krb5_enctype enctype,
const char *password,
- krb5_principal principal,
+ krb5_const_principal principal,
krb5_keyblock *key)
{
krb5_data pw;
diff --git a/lib/krb5/scache.c b/lib/krb5/scache.c
index 61a9b4fa1445..479c58b8ff11 100644
--- a/lib/krb5/scache.c
+++ b/lib/krb5/scache.c
@@ -40,6 +40,7 @@
typedef struct krb5_scache {
char *name;
char *file;
+ char *sub;
sqlite3 *db;
sqlite_uint64 cid;
@@ -60,13 +61,19 @@ typedef struct krb5_scache {
#define SCACHE(X) ((krb5_scache *)(X)->data.data)
+/*
+ * Because we can't control what permissions SQLite3 (if not in-tree) will use,
+ * and we're a library and can't set the umask. We can't even determine the
+ * current umask in a thread-safe way (not easily), and we can't tell if some
+ * other thread might change it. So what we'll do is put the SQLite3-based
+ * ccache file in its own directory so we can create that directory with
+ * mkdir(2) and the correct permissions.
+ */
+
#define SCACHE_DEF_NAME "Default-cache"
-#ifdef KRB5_USE_PATH_TOKENS
-#define KRB5_SCACHE_DB "%{TEMP}/krb5scc_%{uid}"
-#else
-#define KRB5_SCACHE_DB "/tmp/krb5scc_%{uid}"
-#endif
-#define KRB5_SCACHE_NAME "SCC:" SCACHE_DEF_NAME ":" KRB5_SCACHE_DB
+#define KRB5_SCACHE_DIR "%{TEMP}/krb5scc_%{uid}"
+#define KRB5_SCACHE_DB KRB5_SCACHE_DIR "scc"
+#define KRB5_SCACHE_NAME "SCC:" KRB5_SCACHE_DB ":" SCACHE_DEF_NAME
#define SCACHE_INVALID_CID ((sqlite_uint64)-1)
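Review bot: `KRB5_SCACHE_DB` is built as `KRB5_SCACHE_DIR "scc"` with no path separator, so it expands to `%{TEMP}/krb5scc_%{uid}scc`, a file directly in the temporary directory rather than inside a per-user directory. The block comment added above relies on the cache living in a directory created with mkdir(2) and correct permissions. With this spelling, the make_dir() helper added later in this file strips the path back to `%{TEMP}` itself, so no private directory is created for the default location. If the intent matches the comment, the define should be `#define KRB5_SCACHE_DB KRB5_SCACHE_DIR "/scc"`. The block comment's first sentence is also a fragment and would read better joined to the one that follows.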
@@ -103,7 +110,8 @@ typedef struct krb5_scache {
#define SQL_UCACHE_PRINCIPAL "UPDATE caches SET principal=? WHERE OID=?"
#define SQL_DCACHE "DELETE FROM caches WHERE OID=?"
#define SQL_SCACHE "SELECT principal,name FROM caches WHERE OID=?"
-#define SQL_SCACHE_NAME "SELECT oid FROM caches WHERE NAME=?"
+#define SQL_SCACHE_NAME "SELECT oid FROM caches WHERE NAME=? OR " \
+ "(PRINCIPAL IS NOT NULL AND PRINCIPAL=?)"
#define SQL_CCREDS "" \
"CREATE TABLE credentials (" \
@@ -153,8 +161,12 @@ free_krb5(void *str)
static void
scc_free(krb5_scache *s)
{
+ if (!s)
+ return;
if (s->file)
free(s->file);
+ if (s->sub)
+ free(s->sub);
if (s->name)
free(s->name);
@@ -224,39 +236,134 @@ exec_stmt(krb5_context context, sqlite3 *db, const char *str,
return 0;
}
+/* See block comment at the top of this file */
static krb5_error_code
-default_db(krb5_context context, sqlite3 **db)
+make_dir(krb5_context context, const char *name)
{
- char *name;
- int ret;
+ krb5_error_code ret = 0;
+ char *s, *p;
+
+ /* We really need a dirname() in roken; lib/krb5/fcache.c has one */
+ if ((s = strdup(name)) == NULL)
+ return krb5_enomem(context);
+ for (p = s + strlen(s); p > s; p--) {
+#ifdef WIN32
+ if (*p != '/' && *p != '\\')
+ continue;
+#else
+ if (*p != '/')
+ continue;
+#endif
+ *p = '\0';
+ break;
+ }
+
+ /* If p == s then DB in current directory -- nothing we can do */
+ if (p > s && mkdir(s, 0700) == -1)
+ ret = errno;
+ free(s);
- ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &name);
+ /* If we created it, we're good, else there's nothing we can do */
+ if (ret == EEXIST)
+ return 0;
if (ret)
- return ret;
+ krb5_set_error_message(context, ret,
+ N_("Error making directory for scache file %s", ""),
+ name);
+ return ret;
+}
- ret = sqlite3_open_v2(name, db, SQLITE_OPEN_READWRITE, NULL);
- free(name);
- if (ret != SQLITE_OK) {
- krb5_clear_error_message(context);
- return ENOENT;
+static krb5_error_code
+default_db(krb5_context context, const char *name, sqlite3 **db, char **file)
+{
+ krb5_error_code ret = 0;
+ char *s = NULL;
+ char *f = NULL;
+
+ if (file)
+ *file = NULL;
+
+ if (name == NULL) {
+ if ((name = krb5_cc_default_name(context))) {
+ if (strncmp(name, "SCC:", sizeof("SCC:") - 1) == 0)
+ name += sizeof("SCC:") - 1;
+ }
+ if (name == NULL) {
+ ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &s);
+ if (ret)
+ return ret;
+ name = s;
+ }
+ }
+
+ if (strncmp(name, "SCC:", sizeof("SCC:") - 1) == 0)
+ name += sizeof("SCC:") - 1;
+
+ if ((f = strdup(name)) == NULL) {
+ free(s);
+ return krb5_enomem(context);
}
+ free(s);
+
+ /* Strip off any residue from default name */
+#ifdef WIN32
+ if (f[0] && f[1] == ':' && (s = strrchr(f, ':')) != &f[1])
+ *s = '\0';
+#else
+ if ((s = strrchr(f, ':')))
+ *s = '\0';
+#endif
+
+ ret = make_dir(context, f);
+ if (ret == 0) {
+ int sret;
+
+ sret = sqlite3_open_v2(f, db, SQLITE_OPEN_READWRITE, NULL);
+ if (sret != SQLITE_OK) {
+ if (*db) {
+ krb5_set_error_message(context, ENOENT,
+ N_("Error opening scache file %s: %s (%d)", ""),
+ f, sqlite3_errmsg(*db), sret);
+ sqlite3_close(*db);
+ *db = NULL;
+ } else
+ krb5_set_error_message(context, ENOENT,
+ N_("Error opening scache file %s: %s (%d)", ""),
+ f, sqlite3_errstr(sret), sret);
+ free(f);
+ return ENOENT;
+ }
+ }
+
+#ifndef WIN32
+ /*
+ * Just in case we're using an out-of-tree SQLite3. See block comment at
+ * the top of this file, near KRB5_SCACHE_DIR's definition.
+ */
+ (void) chmod(f, 0600);
+#endif
+
+ if (file)
+ *file = f;
+ else
+ free(f);
#ifdef TRACEME
sqlite3_trace(*db, trace, NULL);
#endif
- return 0;
+ return ret;
}
static krb5_error_code
-get_def_name(krb5_context context, char **str)
+get_def_name(krb5_context context, char *filein, char **str, char **file)
{
krb5_error_code ret;
sqlite3_stmt *stmt;
const char *name;
sqlite3 *db;
- ret = default_db(context, &db);
+ ret = default_db(context, filein, &db, file);
if (ret)
return ret;
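Review bot: make_dir() treats `EEXIST` from `mkdir(s, 0700)` as success without inspecting what already exists, so the 0700 guarantee in the file's block comment holds only when this call created the directory. Under a shared temporary directory the existing entry may belong to another user or not be a directory at all. On non-Windows builds a type and owner check such as `if (lstat(s, &st) == -1 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) ret = EACCES;` would cover the default location, though a mode check may be too strict for user-chosen paths. Separately, when make_dir() fails, default_db() still falls through to `chmod(f, 0600)`, stores `f` in `*file`, and under TRACEME passes an unset `*db` to sqlite3_trace while returning the error; `if (ret) { free(f); return ret; }` right after the make_dir() call avoids all three. The result of the by-path `chmod` is discarded, so a failure to tighten the mode goes unnoticed.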
@@ -294,10 +401,15 @@ out:
static krb5_scache * KRB5_CALLCONV
-scc_alloc(krb5_context context, const char *name)
+scc_alloc(krb5_context context,
+ const char *name,
+ const char *sub,
+ int new_unique)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
krb5_scache *s;
+ char *freeme = NULL;
+ char *subsidiary;
ALLOC(s, 1);
if(s == NULL)
@@ -305,52 +417,105 @@ scc_alloc(krb5_context context, const char *name)
s->cid = SCACHE_INVALID_CID;
- if (name) {
- char *file;
-
- if (*name == '\0') {
- ret = get_def_name(context, &s->name);
- if (ret)
- s->name = strdup(SCACHE_DEF_NAME);
- } else
- s->name = strdup(name);
-
- file = strrchr(s->name, ':');
- if (file) {
- *file++ = '\0';
- s->file = strdup(file);
- ret = 0;
- } else {
- ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &s->file);
- }
+ if (name && *name && sub && *sub) {
+ if ((s->sub = strdup(sub)) == NULL ||
+ (s->file = strdup(name)) == NULL) {
+ free(s->file);
+ free(s);
+ (void) krb5_enomem(context);
+ return NULL;
+ }
} else {
- _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &s->file);
- ret = asprintf(&s->name, "unique-%p", s);
+ s->sub = NULL;
+ s->file = NULL;
+ s->name = NULL;
+
+ if (name == NULL)
+ name = krb5_cc_default_name(context);
+ if (name == NULL) {
+ ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB,
+ &freeme);
+ if (ret) {
+ free(s);
+ return NULL;
+ }
+ name = freeme;
+ }
+
+ if (strncmp(name, "SCC:", sizeof("SCC:") - 1) == 0)
+ name += sizeof("SCC:") - 1;
+
+ if ((s->file = strdup(name)) == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ if ((subsidiary = strrchr(s->file, ':'))) {
+#ifdef WIN32
+ if (subsidiary == s->file + 1)
+ subsidiary = NULL;
+ else
+#endif
+ *(subsidiary++) = '\0';
+ }
+
+ if (new_unique) {
+ ret = asprintf(&s->sub, "unique-%p", s) < 0 || s->sub == NULL ?
+ krb5_enomem(context) : 0;
+ } else if (subsidiary == NULL || *subsidiary == '\0') {
+ ret = get_def_name(context, s->file, &s->sub, NULL);
+ if (ret) {
+ if ((s->sub = strdup(SCACHE_DEF_NAME)) == NULL)
+ ret = krb5_enomem(context);
+ else
+ ret = 0;
+ }
+ } else if ((s->sub = strdup(subsidiary)) == NULL) {
+ ret = krb5_enomem(context);
+ }
}
- if (ret < 0 || s->file == NULL || s->name == NULL) {
+
+ if (ret == 0 && s->file && s->sub &&
+ (asprintf(&s->name, "%s:%s", s->file, s->sub) < 0 || s->name == NULL))
+ ret = krb5_enomem(context);
+
+ out:
+ if (ret || s->file == NULL || s->sub == NULL || s->name == NULL) {
scc_free(s);
- return NULL;
+ s = NULL;
}
+ free(freeme);
return s;
}
static krb5_error_code
open_database(krb5_context context, krb5_scache *s, int flags)
{
- int ret;
+ krb5_error_code ret;
+ struct stat st;
+ int sret;
- ret = sqlite3_open_v2(s->file, &s->db, SQLITE_OPEN_READWRITE|flags, NULL);
- if (ret) {
+
+ if (!(flags & SQLITE_OPEN_CREATE) && stat(s->file, &st) == 0 &&
+ st.st_size == 0)
+ return ENOENT;
+
+ ret = make_dir(context, s->file);
+ if (ret)
+ return ret;
+ sret = sqlite3_open_v2(s->file, &s->db, SQLITE_OPEN_READWRITE|flags, NULL);
+ if (sret != SQLITE_OK) {
if (s->db) {
krb5_set_error_message(context, ENOENT,
- N_("Error opening scache file %s: %s", ""),
- s->file, sqlite3_errmsg(s->db));
+ N_("Error opening scache file %s: %s (%d)", ""),
+ s->file, sqlite3_errmsg(s->db), sret);
sqlite3_close(s->db);
s->db = NULL;
} else
krb5_set_error_message(context, ENOENT,
- N_("malloc: out of memory", ""));
+ N_("Error opening scache file %s: %s (%d)", ""),
+ s->file, sqlite3_errstr(sret), sret);
return ENOENT;
}
return 0;
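Review bot: In the first branch of scc_alloc(), when `strdup(sub)` succeeds and `strdup(name)` fails, the cleanup calls `free(s->file)`, which is NULL at that point, and never releases `s->sub`. The line should be `free(s->sub);` so the subsidiary name is not leaked on that path. In open_database(), the `stat()`-then-open test for a zero-length file is inherently racy; that is probably fine as a heuristic, but it deserves a comment saying which case it is meant to catch. scc_alloc() begins in the previous hunk.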
@@ -361,7 +526,7 @@ create_cache(krb5_context context, krb5_scache *s)
{
int ret;
- sqlite3_bind_text(s->icache, 1, s->name, -1, NULL);
+ sqlite3_bind_text(s->icache, 1, s->sub, -1, NULL);
do {
ret = sqlite3_step(s->icache);
} while (ret == SQLITE_ROW);
@@ -388,9 +553,7 @@ make_database(krb5_context context, krb5_scache *s)
ret = open_database(context, s, 0);
if (ret) {
- mode_t oldumask = umask(077);
ret = open_database(context, s, SQLITE_OPEN_CREATE);
- umask(oldumask);
if (ret) goto out;
created_file = 1;
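Review bot: Removing the `umask(077)` bracket around the `SQLITE_OPEN_CREATE` call means the database file is now created with whatever mode the process umask allows. It is tightened only by the `chmod(s->file, 0600)` added at the end of make_database() in the hunk at -437,6. Until that chmod runs, the file's protection rests entirely on the containing directory being private, which in turn requires that make_dir() really produced a 0700 directory for this path. A comment at this call stating that the creation mode is deliberately delegated to the directory would make that dependency explicit for the next maintainer. The function body continues outside the hunk.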
@@ -437,6 +600,14 @@ make_database(krb5_context context, krb5_scache *s)
ret = prepare_stmt(context, s->db, &s->umaster, SQL_UMASTER);
if (ret) goto out;
+#ifndef WIN32
+ /*
+ * Just in case we're using an out-of-tree SQLite3. See block comment at
+ * the top of this file, near KRB5_SCACHE_DIR's definition.
+ */
+ (void) chmod(s->file, 0600);
+#endif
+
return 0;
out:
@@ -477,20 +648,32 @@ bind_principal(krb5_context context,
*
*/
-static const char* KRB5_CALLCONV
-scc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+scc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **file,
+ const char **sub)
{
- return SCACHE(id)->name;
+ if (name)
+ *name = SCACHE(id)->name;
+ if (file)
+ *file = SCACHE(id)->file;
+ if (sub)
+ *sub = SCACHE(id)->sub;
+ return 0;
}
static krb5_error_code KRB5_CALLCONV
-scc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+scc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
{
+ krb5_error_code ret;
krb5_scache *s;
- int ret;
- s = scc_alloc(context, res);
+ s = scc_alloc(context, res, sub, 0);
if (s == NULL) {
krb5_set_error_message(context, KRB5_CC_NOMEM,
N_("malloc: out of memory", ""));
@@ -503,12 +686,12 @@ scc_resolve(krb5_context context, krb5_ccache *id, const char *res)
return ret;
}
- ret = sqlite3_bind_text(s->scache_name, 1, s->name, -1, NULL);
+ ret = sqlite3_bind_text(s->scache_name, 1, s->sub, -1, NULL);
if (ret != SQLITE_OK) {
- krb5_set_error_message(context, ENOMEM,
- "bind name: %s", sqlite3_errmsg(s->db));
- scc_free(s);
- return ENOMEM;
+ krb5_set_error_message(context, ENOMEM,
+ "bind principal: %s", sqlite3_errmsg(s->db));
+ scc_free(s);
+ return ENOMEM;
}
if (sqlite3_step(s->scache_name) == SQLITE_ROW) {
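Review bot: The error text here was changed to "bind principal" although the value bound is still `s->sub` at index 1, which corresponds to `NAME=?` in SQL_SCACHE_NAME. That statement gained a second placeholder (`PRINCIPAL=?`) in this commit, and no bind for index 2 appears in this hunk. If none exists elsewhere in scc_resolve_2(), SQLite leaves the parameter NULL and the new `OR` branch can never match. Either add the second bind, e.g. `sqlite3_bind_text(s->scache_name, 2, s->sub, -1, NULL);` if matching the subsidiary name against the principal is the intent, or keep the message as "bind name". The function starts and ends outside the hunk.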
@@ -540,7 +723,7 @@ scc_gen_new(krb5_context context, krb5_ccache *id)
{
krb5_scache *s;
- s = scc_alloc(context, NULL);
+ s = scc_alloc(context, NULL, NULL, 1);
if (s == NULL) {
krb5_set_error_message(context, KRB5_CC_NOMEM,
@@ -557,7 +740,7 @@ scc_gen_new(krb5_context context, krb5_ccache *id)
static krb5_error_code KRB5_CALLCONV
scc_initialize(krb5_context context,
krb5_ccache id,
- krb5_principal primary_principal)
+ krb5_principal principal)
{
krb5_scache *s = SCACHE(id);
krb5_error_code ret;
@@ -589,7 +772,7 @@ scc_initialize(krb5_context context,
}
}
- ret = bind_principal(context, s->db, s->ucachep, 1, primary_principal);
+ ret = bind_principal(context, s->db, s->ucachep, 1, principal);
if (ret)
goto rollback;
sqlite3_bind_int(s->ucachep, 2, s->cid);
@@ -827,8 +1010,8 @@ scc_get_principal(krb5_context context,
if (sqlite3_step(s->scache) != SQLITE_ROW) {
sqlite3_reset(s->scache);
krb5_set_error_message(context, KRB5_CC_END,
- N_("No principal for cache SCC:%s:%s", ""),
- s->name, s->file);
+ N_("No principal for cache SCC:%s", ""),
+ s->name);
return KRB5_CC_END;
}
@@ -836,8 +1019,8 @@ scc_get_principal(krb5_context context,
sqlite3_reset(s->scache);
krb5_set_error_message(context, KRB5_CC_END,
N_("Principal data of wrong type "
- "for SCC:%s:%s", ""),
- s->name, s->file);
+ "for SCC:%s", ""),
+ s->name);
return KRB5_CC_END;
}
@@ -845,8 +1028,8 @@ scc_get_principal(krb5_context context,
if (str == NULL) {
sqlite3_reset(s->scache);
krb5_set_error_message(context, KRB5_CC_END,
- N_("Principal not set for SCC:%s:%s", ""),
- s->name, s->file);
+ N_("Principal not set for SCC:%s", ""),
+ s->name);
return KRB5_CC_END;
}
@@ -1001,8 +1184,8 @@ next:
if (sqlite3_column_type(ctx->credstmt, 0) != SQLITE_BLOB) {
krb5_set_error_message(context, KRB5_CC_END,
- N_("credential of wrong type for SCC:%s:%s", ""),
- s->name, s->file);
+ N_("credential of wrong type for SCC:%s", ""),
+ s->name);
sqlite3_reset(ctx->credstmt);
return KRB5_CC_END;
}
@@ -1079,8 +1262,8 @@ scc_remove_cred(krb5_context context,
ret = KRB5_CC_END;
krb5_set_error_message(context, ret,
N_("Credential of wrong type "
- "for SCC:%s:%s", ""),
- s->name, s->file);
+ "for SCC:%s", ""),
+ s->name);
break;
}
@@ -1102,24 +1285,25 @@ scc_remove_cred(krb5_context context,
sqlite3_finalize(stmt);
- if (id) {
- ret = prepare_stmt(context, s->db, &stmt,
- "DELETE FROM credentials WHERE oid=?");
- if (ret)
- return ret;
- sqlite3_bind_int(stmt, 1, credid);
+ if (ret)
+ return ret;
- do {
- ret = sqlite3_step(stmt);
- } while (ret == SQLITE_ROW);
- sqlite3_finalize(stmt);
- if (ret != SQLITE_DONE) {
- ret = KRB5_CC_IO;
- krb5_set_error_message(context, ret,
- N_("failed to delete scache credental", ""));
- } else
- ret = 0;
- }
+ ret = prepare_stmt(context, s->db, &stmt,
+ "DELETE FROM credentials WHERE oid=?");
+ if (ret)
+ return ret;
+ sqlite3_bind_int(stmt, 1, credid);
+
+ do {
+ ret = sqlite3_step(stmt);
+ } while (ret == SQLITE_ROW);
+ sqlite3_finalize(stmt);
+ if (ret != SQLITE_DONE) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("failed to delete scache credental", ""));
+ } else
+ ret = 0;
return ret;
}
@@ -1134,6 +1318,7 @@ scc_set_flags(krb5_context context,
struct cache_iter {
char *drop;
+ char *file;
sqlite3 *db;
sqlite3_stmt *stmt;
};
@@ -1151,8 +1336,8 @@ scc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
if (ctx == NULL)
return krb5_enomem(context);
- ret = default_db(context, &ctx->db);
- if (ctx->db == NULL) {
+ ret = default_db(context, NULL, &ctx->db, &ctx->file);
+ if (ret) {
free(ctx);
return ret;
}
@@ -1160,48 +1345,48 @@ scc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
ret = asprintf(&name, "cacheIteration%pPid%d",
ctx, (int)getpid());
if (ret < 0 || name == NULL) {
- sqlite3_close(ctx->db);
- free(ctx);
- return krb5_enomem(context);
+ sqlite3_close(ctx->db);
+ free(ctx);
+ return krb5_enomem(context);
}
ret = asprintf(&ctx->drop, "DROP TABLE %s", name);
if (ret < 0 || ctx->drop == NULL) {
- sqlite3_close(ctx->db);
- free(name);
- free(ctx);
- return krb5_enomem(context);
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx);
+ return krb5_enomem(context);
}
ret = asprintf(&str, "CREATE TEMPORARY TABLE %s AS SELECT name FROM caches",
- name);
+ name);
if (ret < 0 || str == NULL) {
- sqlite3_close(ctx->db);
- free(name);
- free(ctx->drop);
- free(ctx);
- return krb5_enomem(context);
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return krb5_enomem(context);
}
ret = exec_stmt(context, ctx->db, str, KRB5_CC_IO);
free(str);
str = NULL;
if (ret) {
- sqlite3_close(ctx->db);
- free(name);
- free(ctx->drop);
- free(ctx);
- return ret;
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return ret;
}
ret = asprintf(&str, "SELECT name FROM %s", name);
if (ret < 0 || str == NULL) {
- exec_stmt(context, ctx->db, ctx->drop, 0);
- sqlite3_close(ctx->db);
- free(name);
- free(ctx->drop);
- free(ctx);
- return krb5_enomem(context);
+ exec_stmt(context, ctx->db, ctx->drop, 0);
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return krb5_enomem(context);
}
free(name);
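Review bot: Every error return in this hunk frees `ctx` without freeing `ctx->file`, which this commit starts filling in through `default_db(context, NULL, &ctx->db, &ctx->file)` in the preceding hunk. Each cleanup block needs `free(ctx->file);` before `free(ctx);`, matching what scc_end_cache_get() now does. The five near-identical blocks would be easier to keep correct as a single `goto` cleanup label. The function starts before and continues past the hunk.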
@@ -1249,10 +1434,13 @@ again:
goto again;
ret = _krb5_cc_allocate(context, &krb5_scc_ops, id);
- if (ret)
- return ret;
-
- return scc_resolve(context, id, name);
+ if (ret == 0)
+ ret = scc_resolve_2(context, id, ctx->file, name);
+ if (ret) {
+ free(*id);
+ *id = NULL;
+ }
+ return ret;
}
static krb5_error_code KRB5_CALLCONV
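Review bot: The new failure path calls `free(*id)` whether the error came from `_krb5_cc_allocate()` or from `scc_resolve_2()`. That is safe only if `_krb5_cc_allocate()` leaves `*id` either NULL or pointing at a live allocation when it fails, which is not visible in this diff. Setting `*id = NULL;` before the `_krb5_cc_allocate()` call would remove the assumption. The enclosing function starts outside the hunk.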
@@ -1263,6 +1451,7 @@ scc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
exec_stmt(context, ctx->db, ctx->drop, 0);
sqlite3_finalize(ctx->stmt);
sqlite3_close(ctx->db);
+ free(ctx->file);
free(ctx->drop);
free(ctx);
return 0;
@@ -1276,11 +1465,8 @@ scc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
krb5_error_code ret;
if (strcmp(sfrom->file, sto->file) != 0) {
- krb5_set_error_message(context, KRB5_CC_BADNAME,
- N_("Can't handle cross database "
- "credential move: %s -> %s", ""),
- sfrom->file, sto->file);
- return KRB5_CC_BADNAME;
+ /* Let upstairs handle the move */
+ return EXDEV;
}
ret = make_database(context, sfrom);
@@ -1307,7 +1493,7 @@ scc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
}
}
- sqlite3_bind_text(sfrom->ucachen, 1, sto->name, -1, NULL);
+ sqlite3_bind_text(sfrom->ucachen, 1, sto->sub, -1, NULL);
sqlite3_bind_int(sfrom->ucachen, 2, sfrom->cid);
do {
@@ -1326,34 +1512,19 @@ scc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
ret = exec_stmt(context, sfrom->db, "COMMIT", KRB5_CC_IO);
if (ret) return ret;
- scc_free(sfrom);
-
+ krb5_cc_close(context, from);
return 0;
rollback:
exec_stmt(context, sfrom->db, "ROLLBACK", 0);
- scc_free(sfrom);
-
return KRB5_CC_IO;
}
static krb5_error_code KRB5_CALLCONV
scc_get_default_name(krb5_context context, char **str)
{
- krb5_error_code ret;
- char *name;
-
*str = NULL;
-
- ret = get_def_name(context, &name);
- if (ret)
- return _krb5_expand_default_cc_name(context, KRB5_SCACHE_NAME, str);
-
- ret = asprintf(str, "SCC:%s", name);
- free(name);
- if (ret < 0 || *str == NULL)
- return krb5_enomem(context);
- return 0;
+ return _krb5_expand_default_cc_name(context, KRB5_SCACHE_NAME, str);
}
static krb5_error_code KRB5_CALLCONV
@@ -1370,7 +1541,7 @@ scc_set_default(krb5_context context, krb5_ccache id)
return KRB5_CC_IO;
}
- ret = sqlite3_bind_text(s->umaster, 1, s->name, -1, NULL);
+ ret = sqlite3_bind_text(s->umaster, 1, s->sub, -1, NULL);
if (ret) {
sqlite3_reset(s->umaster);
krb5_set_error_message(context, KRB5_CC_IO,
@@ -1398,10 +1569,10 @@ scc_set_default(krb5_context context, krb5_ccache id)
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"SCC",
- scc_get_name,
- scc_resolve,
+ NULL,
+ NULL,
scc_gen_new,
scc_initialize,
scc_destroy,
@@ -1423,7 +1594,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops = {
scc_set_default,
NULL,
NULL,
- NULL
+ NULL,
+ scc_get_name_2,
+ scc_resolve_2
};
#endif
diff --git a/lib/krb5/send_to_kdc.c b/lib/krb5/send_to_kdc.c
index 104db9e26ee3..bcabdd4a1ceb 100644
--- a/lib/krb5/send_to_kdc.c
+++ b/lib/krb5/send_to_kdc.c
@@ -96,6 +96,17 @@ realmcallback(krb5_context context, const void *plug, void *plugctx, void *userc
ctx->send_data, ctx->receive);
}
+static const char *const send_to_kdc_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+send_to_kdc_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_SEND_TO_KDC,
+ KRB5_PLUGIN_SEND_TO_KDC_VERSION_0,
+ send_to_kdc_plugin_deps,
+ krb5_get_instance
+};
+
static krb5_error_code
kdc_via_plugin(krb5_context context,
krb5_krbhst_info *hi,
@@ -111,8 +122,7 @@ kdc_via_plugin(krb5_context context,
userctx.send_data = send_data;
userctx.receive = receive;
- return _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_SEND_TO_KDC,
- KRB5_PLUGIN_SEND_TO_KDC_VERSION_0, 0,
+ return _krb5_plugin_run_f(context, &send_to_kdc_plugin_data, 0,
&userctx, kdccallback);
}
@@ -131,8 +141,7 @@ realm_via_plugin(krb5_context context,
userctx.send_data = send_data;
userctx.receive = receive;
- return _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_SEND_TO_KDC,
- KRB5_PLUGIN_SEND_TO_KDC_VERSION_2, 0,
+ return _krb5_plugin_run_f(context, &send_to_kdc_plugin_data, 0,
&userctx, realmcallback);
}
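Review bot: realm_via_plugin() used to request KRB5_PLUGIN_SEND_TO_KDC_VERSION_2 and now shares `send_to_kdc_plugin_data`, whose version field is KRB5_PLUGIN_SEND_TO_KDC_VERSION_0. If that field is the minimum version the loader enforces, plugins older than version 2 can now reach realmcallback(). The callback would then have to check the plugin's reported version before touching any member that version 0 did not define. Only the tail of realmcallback() is visible here, so this needs confirming. A comment on `send_to_kdc_plugin_data` saying that per-callback version checks are required would record the constraint.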
@@ -142,6 +151,7 @@ struct krb5_sendto_ctx_data {
krb5_sendto_ctx_func func;
void *data;
char *hostname;
+ char *sitename;
krb5_krbhst_handle krbhst;
/* context2 */
@@ -166,12 +176,14 @@ struct krb5_sendto_ctx_data {
unsigned int stid;
};
-static void
+static void KRB5_CALLCONV
dealloc_sendto_ctx(void *ptr)
{
krb5_sendto_ctx ctx = (krb5_sendto_ctx)ptr;
if (ctx->hostname)
free(ctx->hostname);
+ if (ctx->sitename)
+ free(ctx->sitename);
heim_release(ctx->hosts);
heim_release(ctx->krbhst);
}
@@ -228,13 +240,32 @@ krb5_sendto_set_hostname(krb5_context context,
krb5_sendto_ctx ctx,
const char *hostname)
{
- if (ctx->hostname == NULL)
- free(ctx->hostname);
- ctx->hostname = strdup(hostname);
- if (ctx->hostname == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ char *newname;
+
+ /*
+ * Handle the case where hostname == ctx->hostname by copying it first, and
+ * disposing of any previous value after.
+ */
+ newname = strdup(hostname);
+ if (newname == NULL)
+ return krb5_enomem(context);
+ free(ctx->hostname);
+ ctx->hostname = newname;
+ return 0;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_sendto_set_sitename(krb5_context context,
+ krb5_sendto_ctx ctx,
+ const char *sitename)
+{
+ char *newname;
+
+ newname = strdup(sitename);
+ if (newname == NULL)
+ return krb5_enomem(context);
+ free(ctx->sitename);
+ ctx->sitename = newname;
return 0;
}
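Review bot: `krb5_sendto_set_sitename`, like the rewritten `krb5_sendto_set_hostname` above it, hands its argument to `strdup()` without a NULL check, which is undefined for a NULL pointer. The string setters changed in store.c by this same commit now return `EINVAL` for NULL, and the same guard fits here: `if (sitename == NULL) return EINVAL;`. The new public function also has no doc comment; one stating that the string is copied and the previous value freed would tell callers who owns what.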
@@ -275,7 +306,7 @@ _krb5_kdc_retry(krb5_context context, krb5_sendto_ctx ctx, void *data,
break;
}
case KRB5KDC_ERR_SVC_UNAVAILABLE:
- *action = KRB5_SENDTO_CONTINUE;
+ *action = KRB5_SENDTO_RESET;
break;
}
return 0;
@@ -299,7 +330,7 @@ struct host {
krb5_krbhst_info *hi;
struct addrinfo *ai;
rk_socket_t fd;
- struct host_fun *fun;
+ const struct host_fun *fun;
unsigned int tries;
time_t timeout;
krb5_data data;
@@ -355,7 +386,7 @@ debug_host(krb5_context context, int level, struct host *host, const char *fmt,
}
-static void
+static void HEIM_CALLCONV
deallocate_host(void *ptr)
{
struct host *host = ptr;
@@ -684,19 +715,19 @@ recv_udp(krb5_context context, struct host *host, krb5_data *data)
return 0;
}
-static struct host_fun http_fun = {
+static const struct host_fun http_fun = {
prepare_http,
send_stream,
recv_http,
1
};
-static struct host_fun tcp_fun = {
+static const struct host_fun tcp_fun = {
prepare_tcp,
send_stream,
recv_tcp,
1
};
-static struct host_fun udp_fun = {
+static const struct host_fun udp_fun = {
prepare_udp,
send_udp,
recv_udp,
@@ -1149,7 +1180,7 @@ krb5_sendto_context(krb5_context context,
action = KRB5_SENDTO_INITIAL;
- while (action != KRB5_SENDTO_DONE && action != KRB5_SENDTO_FAILED) {
+ while (1) {
krb5_krbhst_info *hi;
switch (action) {
@@ -1161,7 +1192,7 @@ krb5_sendto_context(krb5_context context,
break;
}
action = KRB5_SENDTO_KRBHST;
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case KRB5_SENDTO_KRBHST:
if (ctx->krbhst == NULL) {
ret = krb5_krbhst_init_flags(context, realm, type,
@@ -1174,12 +1205,16 @@ krb5_sendto_context(krb5_context context,
if (ret)
goto out;
}
-
+ if (ctx->sitename) {
+ ret = krb5_krbhst_set_sitename(context, handle, ctx->sitename);
+ if (ret)
+ goto out;
+ }
} else {
handle = heim_retain(ctx->krbhst);
}
action = KRB5_SENDTO_TIMEOUT;
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case KRB5_SENDTO_TIMEOUT:
/*
@@ -1251,14 +1286,32 @@ krb5_sendto_context(krb5_context context,
&ctx->response, &action);
if (ret)
goto out;
+
+ /*
+ * If we are not done, ask to continue/reset
+ */
+ switch (action) {
+ case KRB5_SENDTO_DONE:
+ break;
+ case KRB5_SENDTO_RESET:
+ case KRB5_SENDTO_CONTINUE:
+ /* free response to clear it out so we don't loop */
+ krb5_data_free(&ctx->response);
+ break;
+ default:
+ ret = KRB5_KDC_UNREACH;
+ krb5_set_error_message(context, ret,
+ "sendto filter funcation return unsupported state: %d", (int)action);
+ goto out;
+ }
}
break;
case KRB5_SENDTO_FAILED:
ret = KRB5_KDC_UNREACH;
- break;
+ goto out;
case KRB5_SENDTO_DONE:
ret = 0;
- break;
+ goto out;
default:
heim_abort("invalid krb5_sendto_context state");
}
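Review bot: The error text added in the `default:` case is misspelled ("funcation return"); it should read `"sendto filter function returned unsupported state: %d"`. It is also passed as a bare literal, whereas the message removed from `krb5_sendto_set_hostname` in this file was wrapped in `N_()`. The enclosing loop and switch start outside this hunk.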
diff --git a/lib/krb5/send_to_kdc_plugin.h b/lib/krb5/send_to_kdc_plugin.h
index 0fa43d3aba90..30d6892e536d 100644
--- a/lib/krb5/send_to_kdc_plugin.h
+++ b/lib/krb5/send_to_kdc_plugin.h
@@ -37,6 +37,7 @@
#define HEIMDAL_KRB5_SEND_TO_KDC_PLUGIN_H 1
#include <krb5.h>
+#include <heimbase-svc.h>
#define KRB5_PLUGIN_SEND_TO_KDC "send_to_kdc"
@@ -61,9 +62,7 @@ typedef krb5_error_code
typedef struct krb5plugin_send_to_kdc_ftable {
- int minor_version;
- krb5_error_code (KRB5_CALLCONV *init)(krb5_context, void **);
- void (KRB5_CALLCONV *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
krb5plugin_send_to_kdc_func send_to_kdc;
krb5plugin_send_to_realm_func send_to_realm; /* added in version 2 */
} krb5plugin_send_to_kdc_ftable;
diff --git a/lib/krb5/sendauth.c b/lib/krb5/sendauth.c
index 5011c2680892..a2c8aedb8ea7 100644
--- a/lib/krb5/sendauth.c
+++ b/lib/krb5/sendauth.c
@@ -109,6 +109,7 @@ krb5_sendauth(krb5_context context,
ssize_t sret;
krb5_boolean my_ccache = FALSE;
+ memset(&this_cred, 0, sizeof(this_cred));
len = strlen(version) + 1;
net_len = htonl(len);
if (krb5_net_write (context, p_fd, &net_len, 4) != 4
@@ -159,7 +160,6 @@ krb5_sendauth(krb5_context context,
}
client = this_client;
}
- memset(&this_cred, 0, sizeof(this_cred));
this_cred.client = client;
this_cred.server = server;
this_cred.times.endtime = 0;
@@ -185,13 +185,6 @@ krb5_sendauth(krb5_context context,
creds,
&ap_req);
- if (out_creds)
- *out_creds = creds;
- else
- krb5_free_creds(context, creds);
- if(this_client)
- krb5_free_principal(context, this_client);
-
if (ret)
return ret;
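Review bot: With the cleanup removed here, the `if (ret) return ret;` that follows returns without releasing `creds` or `this_client`, which the removed lines freed on both the success and the failure path. The last hunk adds cleanup only at the normal end of the function and never calls `krb5_free_principal` for `this_client`, so that principal appears to leak unless it is released through `this_cred.client`. Routing the error returns to a single `out:` label placed before the new cleanup block would cover both cases. The code between the hunks is not visible, so other early returns may need the same treatment.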
@@ -251,5 +244,14 @@ krb5_sendauth(krb5_context context,
if (rep_result == NULL)
krb5_free_ap_rep_enc_part (context, ignore);
}
- return 0;
+
+ if (out_creds)
+ ret = krb5_copy_creds(context, creds, out_creds);
+
+ this_cred.server = NULL;
+ if (creds == &this_cred)
+ krb5_free_cred_contents(context, creds);
+ else if (creds)
+ krb5_free_creds(context, creds);
+ return ret;
}
diff --git a/lib/krb5/sp800-108-kdf.c b/lib/krb5/sp800-108-kdf.c
index 37e06dec3e84..4a12067c68bd 100755
--- a/lib/krb5/sp800-108-kdf.c
+++ b/lib/krb5/sp800-108-kdf.c
@@ -73,7 +73,10 @@ _krb5_SP800_108_HMAC_KDF(krb5_context context,
unsigned char tmp[4];
size_t len;
- HMAC_Init_ex(&c, kdf_K1->data, kdf_K1->length, md, NULL);
+ if (HMAC_Init_ex(&c, kdf_K1->data, kdf_K1->length, md, NULL) == 0) {
+ HMAC_CTX_cleanup(&c);
+ return krb5_enomem(context);
+ }
_krb5_put_int(tmp, i + 1, 4);
HMAC_Update(&c, tmp, 4);
diff --git a/lib/krb5/store-int.c b/lib/krb5/store-int.c
index 542b99abc089..6fe7eb37fc69 100644
--- a/lib/krb5/store-int.c
+++ b/lib/krb5/store-int.c
@@ -49,7 +49,7 @@ KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
_krb5_get_int64(void *buffer, uint64_t *value, size_t size)
{
unsigned char *p = buffer;
- unsigned long v = 0;
+ uint64_t v = 0;
size_t i;
for (i = 0; i < size; i++)
v = (v << 8) + p[i];
diff --git a/lib/krb5/store.c b/lib/krb5/store.c
index c7355f6861bc..f95fd83aa952 100644
--- a/lib/krb5/store.c
+++ b/lib/krb5/store.c
@@ -39,6 +39,7 @@
#define BYTEORDER_IS_BE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_BE)
#define BYTEORDER_IS_HOST(SP) (BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_HOST) || \
krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER))
+#define BYTEORDER_IS_PACKED(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_PACKED)
/**
* Add the flags on a storage buffer by or-ing in the flags to the buffer.
@@ -299,7 +300,7 @@ krb5_storage_free(krb5_storage *sp)
}
/**
- * Copy the contnent of storage
+ * Copy the content of storage to a krb5_data.
*
* @param sp the storage to copy to a data
* @param data the copied data, free with krb5_data_free()
@@ -328,9 +329,82 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
return ret;
}
if (size) {
+ ssize_t bytes;
+
sp->seek(sp, 0, SEEK_SET);
- sp->fetch(sp, data->data, data->length);
+ bytes = sp->fetch(sp, data->data, data->length);
sp->seek(sp, pos, SEEK_SET);
+
+ /* sp->fetch() really shouldn't fail */
+ if (bytes < 0)
+ return sp->eof_code;
+
+ /* Maybe the underlying file (or whatever) got truncated? */
+ data->length = bytes;
+ }
+ return 0;
+}
+
+static size_t
+pack_int(uint8_t *p, uint64_t val)
+{
+ size_t l = 0;
+
+ if (val < 128) {
+ *p = val;
+ } else {
+ while (val > 0) {
+ *p-- = val % 256;
+ val /= 256;
+ l++;
+ }
+ *p = 0x80 | l;
+ }
+ return l + 1;
+}
+
+static size_t
+unpack_int_length(uint8_t *v)
+{
+ size_t size;
+
+ if (*v < 128)
+ size = 0;
+ else
+ size = *v & 0x7f;
+
+ return size + 1;
+}
+
+static int
+unpack_int(uint8_t *p, size_t len, uint64_t *val, size_t *size)
+{
+ size_t v;
+
+ if (len == 0)
+ return EINVAL;
+ --len;
+ v = *p++;
+ if (v < 128) {
+ *val = v;
+ *size = 1;
+ } else {
+ int e;
+ size_t l;
+ uint64_t tmp;
+
+ if (v == 0x80) {
+ *size = 1;
+ return EINVAL;
+ }
+ v &= 0x7F;
+ if (len < v)
+ return ERANGE;
+ e = der_get_unsigned64(p, v, &tmp, &l);
+ if (e)
+ return ERANGE;
+ *val = tmp;
+ *size = l + 1;
}
return 0;
}
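Review bot: The new `if (bytes < 0) return sp->eof_code;` in `krb5_storage_to_data` returns while `data` still holds the buffer that `sp->fetch` was filling. The allocation is above this hunk, but if it is the usual `krb5_data_alloc`, callers that do not free on error will leak it, so `krb5_data_free(data);` belongs before the return. The three new helpers also lack comments: `pack_int` writes backwards from `p`, so `p` must point at the last byte of a buffer of at least nine bytes, and `unpack_int_length` can return up to 128.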
@@ -341,12 +415,20 @@ krb5_store_int(krb5_storage *sp,
size_t len)
{
int ret;
- unsigned char v[8];
+ uint8_t v[9], *p = v;
- if (len > sizeof(v))
+ if (len > sizeof(value))
return EINVAL;
- _krb5_put_int(v, value, len);
- ret = sp->store(sp, v, len);
+
+ if (BYTEORDER_IS_PACKED(sp)) {
+ uint64_t mask = ~0ULL >> (64 - len * 8);
+ value &= mask;
+ p += sizeof(v) - 1;
+ len = pack_int(p, value);
+ p = v + sizeof(v) - len;
+ } else
+ _krb5_put_int(v, value, len);
+ ret = sp->store(sp, p, len);
if (ret < 0)
return errno;
if ((size_t)ret != len)
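Review bot: In the packed branch, `~0ULL >> (64 - len * 8)` shifts by 64 when `len` is 0, which is undefined for a 64-bit operand. The guard above rejects only `len > sizeof(value)`; `if (len == 0 || len > sizeof(value)) return EINVAL;` closes the gap, assuming no caller relies on a zero-length store. The function's signature and tail are outside this hunk.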
@@ -448,9 +530,32 @@ krb5_ret_int(krb5_storage *sp,
size_t len)
{
int ret;
- unsigned char v[8];
- uint64_t w;
+ unsigned char v[9];
+ uint64_t w = 0;
*value = 0; /* quiets warnings */
+ if (BYTEORDER_IS_PACKED(sp)) {
+ ret = sp->fetch(sp, v, 1);
+ if (ret < 0)
+ return errno;
+ if (ret != 1)
+ return sp->eof_code;
+
+ len = unpack_int_length(v);
+ if (len < 1)
+ return ERANGE;
+ else if (len > 1) {
+ ret = sp->fetch(sp, v + 1, len - 1);
+ if (ret < 0)
+ return errno;
+ if (ret != len - 1)
+ return sp->eof_code;
+ }
+ ret = unpack_int(v, len, &w, &len);
+ if (ret)
+ return ret;
+ *value = w;
+ return 0;
+ }
ret = sp->fetch(sp, v, len);
if (ret < 0)
return errno;
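Review bot: The packed path does not bound `len` before the second fetch. `unpack_int_length` returns `(v[0] & 0x7f) + 1`, which can be as large as 128, while `v` holds 9 bytes, so `sp->fetch(sp, v + 1, len - 1)` can write past the end of the stack buffer when the length byte comes from untrusted storage. Reject oversized encodings before fetching: `if (len < 1 || len > sizeof(v)) return ERANGE;`. The comparison `ret != len - 1` also mixes `int` and `size_t`; `(size_t)ret != len - 1` after the `ret < 0` test makes the intent explicit.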
@@ -724,10 +829,10 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_int8(krb5_storage *sp,
int8_t *value)
{
- int ret;
+ ssize_t ret;
ret = sp->fetch(sp, value, sizeof(*value));
- if (ret != sizeof(*value))
+ if (ret < 0 || (size_t)ret != sizeof(*value))
return (ret<0)?errno:sp->eof_code;
return 0;
}
@@ -786,6 +891,51 @@ krb5_store_data(krb5_storage *sp,
}
/**
+ * Store a data blob to the storage. The data is stored with an int32 as
+ * length plus the data (not padded). This function only differs from
+ * krb5_store_data() insofar as it takes a void * and a length as parameters.
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ * @param len length of the string to be stored.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_store_datalen(krb5_storage *sp, const void *d, size_t len)
+{
+ krb5_data data;
+ data.length = len;
+ data.data = (void *)d;
+ return krb5_store_data(sp, data);
+}
+
+/**
+ * Store a data blob to the storage. The data is stored without a length.
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ * @param len length of the string to be stored.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_store_bytes(krb5_storage *sp, const void *d, size_t len)
+{
+ ssize_t ssize;
+
+ ssize = krb5_storage_write(sp, d, len);
+ if (ssize != len)
+ return ENOMEM;
+
+ return 0;
+}
+
+/**
* Parse a data from the storage.
*
* @param sp the storage buffer to read from
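Review bot: Both new doc comments document a parameter `s` ("the string to store"), but the functions take `const void *d`; the tags should read `@param d the data to store` and `@param len length of the data`. `krb5_store_bytes` also reports every short or failed write as `ENOMEM` and compares `ssize_t ssize` with `size_t len` directly. Other writers in this file return `errno` for a negative result and `sp->eof_code` for a short one, which here would be `if (ssize < 0) return errno;` followed by `if ((size_t)ssize != len) return sp->eof_code;`.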
@@ -800,7 +950,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_data(krb5_storage *sp,
krb5_data *data)
{
- int ret;
+ krb5_error_code ret;
int32_t size;
ret = krb5_ret_int32(sp, &size);
@@ -813,8 +963,10 @@ krb5_ret_data(krb5_storage *sp,
if (ret)
return ret;
if (size) {
- ret = sp->fetch(sp, data->data, size);
- if(ret != size) {
+ ssize_t bytes;
+
+ bytes = sp->fetch(sp, data->data, size);
+ if (bytes < 0 || bytes != size) {
krb5_data_free(data);
return (ret < 0)? errno : sp->eof_code;
}
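Review bot: The error return still tests `ret`, which is now the `krb5_error_code` from the earlier calls and is 0 at this point, so a failed fetch is always reported as `sp->eof_code` and `errno` is never returned. It should test the new variable: `return (bytes < 0) ? errno : sp->eof_code;`. Because `krb5_data_free(data)` runs before `errno` is read, saving the error code into a local first is safer.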
@@ -838,6 +990,10 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_string(krb5_storage *sp, const char *s)
{
krb5_data data;
+
+ if (s == NULL)
+ return EINVAL;
+
data.length = strlen(s);
data.data = rk_UNCONST(s);
return krb5_store_data(sp, data);
@@ -861,6 +1017,8 @@ krb5_ret_string(krb5_storage *sp,
{
int ret;
krb5_data data;
+
+ *string = NULL;
ret = krb5_ret_data(sp, &data);
if(ret)
return ret;
@@ -888,9 +1046,13 @@ krb5_ret_string(krb5_storage *sp,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_stringz(krb5_storage *sp, const char *s)
{
- size_t len = strlen(s) + 1;
+ size_t len;
ssize_t ret;
+ if (s == NULL)
+ return EINVAL;
+
+ len = strlen(s) + 1;
ret = sp->store(sp, s, len);
if(ret < 0)
return ret;
@@ -952,9 +1114,13 @@ krb5_ret_stringz(krb5_storage *sp,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_stringnl(krb5_storage *sp, const char *s)
{
- size_t len = strlen(s);
+ size_t len;
ssize_t ret;
+ if (s == NULL)
+ return EINVAL;
+
+ len = strlen(s);
ret = sp->store(sp, s, len);
if(ret < 0)
return ret;
@@ -1233,16 +1399,18 @@ krb5_ret_times(krb5_storage *sp, krb5_times *times)
{
int ret;
int32_t tmp;
+
ret = krb5_ret_int32(sp, &tmp);
+ if (ret) return ret;
times->authtime = tmp;
- if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
+ if (ret) return ret;
times->starttime = tmp;
- if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
+ if (ret) return ret;
times->endtime = tmp;
- if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
+ if (ret) return ret;
times->renew_till = tmp;
return ret;
}
@@ -1686,3 +1854,205 @@ cleanup:
}
return ret;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_ret_data_at_offset(krb5_storage *sp,
+ size_t offset,
+ size_t length,
+ krb5_data *data)
+{
+ krb5_error_code ret;
+ off_t cur, size;
+
+ krb5_data_zero(data);
+
+ cur = sp->seek(sp, 0, SEEK_CUR);
+ if (cur < 0)
+ return HEIM_ERR_NOT_SEEKABLE;
+
+ size = sp->seek(sp, 0, SEEK_END);
+ if (offset + length > size) {
+ ret = ERANGE;
+ goto cleanup;
+ }
+
+ ret = krb5_data_alloc(data, length);
+ if (ret)
+ goto cleanup;
+
+ if (length) {
+ sp->seek(sp, offset, SEEK_SET);
+
+ size = sp->fetch(sp, data->data, length);
+ if (size < 0 || (size_t)size != length)
+ return sp->eof_code;
+ }
+
+cleanup:
+ sp->seek(sp, cur, SEEK_SET);
+
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_ret_utf8_from_ucs2le_at_offset(krb5_storage *sp,
+ off_t offset,
+ size_t length,
+ char **utf8)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ size_t ucs2len = length / 2;
+ uint16_t *ucs2 = NULL;
+ size_t u8len;
+ unsigned int flags = WIND_RW_LE;
+
+ *utf8 = NULL;
+
+ krb5_data_zero(&data);
+
+ ret = _krb5_ret_data_at_offset(sp, offset, length, &data);
+ if (ret)
+ goto out;
+
+ ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
+ if (ucs2 == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = wind_ucs2read(data.data, data.length, &flags, ucs2, &ucs2len);
+ if (ret)
+ goto out;
+
+ ret = wind_ucs2utf8_length(ucs2, ucs2len, &u8len);
+ if (ret)
+ goto out;
+
+ u8len += 1; /* Add space for NUL */
+
+ *utf8 = malloc(u8len);
+ if (*utf8 == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = wind_ucs2utf8(ucs2, ucs2len, *utf8, &u8len);
+ if (ret)
+ goto out;
+
+out:
+ if (ret && *utf8) {
+ free(*utf8);
+ *utf8 = NULL;
+ }
+ free(ucs2);
+ krb5_data_free(&data);
+
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_store_data_at_offset(krb5_storage *sp,
+ size_t offset,
+ const krb5_data *data)
+{
+ krb5_error_code ret;
+ krb5_ssize_t nbytes;
+ off_t pos;
+
+ if (offset == (size_t)-1) {
+ if (data == NULL || data->data == NULL) {
+ offset = 0;
+ } else {
+ pos = sp->seek(sp, 0, SEEK_CUR);
+ offset = sp->seek(sp, 0, SEEK_END);
+ sp->seek(sp, pos, SEEK_SET);
+
+ if (offset == (size_t)-1)
+ return HEIM_ERR_NOT_SEEKABLE;
+ }
+ }
+
+ if (offset > 0xFFFF)
+ return ERANGE;
+ else if ((offset != 0) != (data && data->data))
+ return EINVAL;
+ else if (data && data->length > 0xFFFF)
+ return ERANGE;
+
+ ret = krb5_store_uint16(sp, data ? (uint16_t)data->length : 0);
+ if (ret == 0)
+ ret = krb5_store_uint16(sp, (uint16_t)offset);
+ if (ret == 0 && offset) {
+ pos = sp->seek(sp, 0, SEEK_CUR);
+ sp->seek(sp, offset, SEEK_SET);
+ nbytes = krb5_storage_write(sp, data->data, data->length);
+ if ((size_t)nbytes != data->length)
+ ret = sp->eof_code;
+ sp->seek(sp, pos, SEEK_SET);
+ }
+
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_store_utf8_as_ucs2le_at_offset(krb5_storage *sp,
+ off_t offset,
+ const char *utf8)
+{
+ krb5_error_code ret;
+ size_t ucs2_len, ucs2le_size;
+ uint16_t *ucs2, *ucs2le;
+ unsigned int flags;
+
+ if (utf8) {
+ ret = wind_utf8ucs2_length(utf8, &ucs2_len);
+ if (ret)
+ return ret;
+
+ ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len);
+ if (ucs2 == NULL)
+ return ENOMEM;
+
+ ret = wind_utf8ucs2(utf8, ucs2, &ucs2_len);
+ if (ret) {
+ free(ucs2);
+ return ret;
+ }
+
+ ucs2le_size = (ucs2_len + 1) * 2;
+ ucs2le = malloc(ucs2le_size);
+ if (ucs2le == NULL) {
+ free(ucs2);
+ return ENOMEM;
+ }
+
+ flags = WIND_RW_LE;
+ ret = wind_ucs2write(ucs2, ucs2_len, &flags, ucs2le, &ucs2le_size);
+ free(ucs2);
+ if (ret) {
+ free(ucs2le);
+ return ret;
+ }
+
+ ucs2le_size = ucs2_len * 2;
+ } else {
+ ucs2le = NULL;
+ ucs2le_size = 0;
+ offset = 0;
+ }
+
+ {
+ krb5_data data;
+
+ data.data = ucs2le;
+ data.length = ucs2le_size;
+
+ ret = _krb5_store_data_at_offset(sp, offset, &data);
+ }
+
+ free(ucs2le);
+
+ return ret;
+}
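Review bot: In `_krb5_ret_data_at_offset` the short-read branch returns `sp->eof_code` directly, bypassing `cleanup:`, so the storage position is not restored and `data` stays allocated. The range check `offset + length > size` can also wrap in `size_t` and does not handle a negative `size` from a failed seek. The rewrite below keeps the same flow but checks the range without an addition and lets the read error fall through to `cleanup:`.

```c
    size = sp->seek(sp, 0, SEEK_END);
    if (size < 0 || offset > (size_t)size ||
        length > (size_t)size - offset) {
        ret = ERANGE;
        goto cleanup;
    }

    /* … unchanged: krb5_data_alloc(data, length) … */

    if (length) {
        sp->seek(sp, offset, SEEK_SET);

        size = sp->fetch(sp, data->data, length);
        if (size < 0 || (size_t)size != length) {
            krb5_data_free(data);
            ret = sp->eof_code;
        }
    }
    /* … unchanged: cleanup label restores the position … */
```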
diff --git a/lib/krb5/store_emem.c b/lib/krb5/store_emem.c
index 985aba9d1272..daef4d793e03 100644
--- a/lib/krb5/store_emem.c
+++ b/lib/krb5/store_emem.c
@@ -33,6 +33,7 @@
#include "krb5_locl.h"
#include "store-int.h"
+#include <assert.h>
typedef struct emem_storage{
unsigned char *base;
@@ -45,6 +46,9 @@ static ssize_t
emem_fetch(krb5_storage *sp, void *data, size_t size)
{
emem_storage *s = (emem_storage*)sp->data;
+
+ assert(data != NULL && s->ptr != NULL);
+
if((size_t)(s->base + s->len - s->ptr) < size)
size = s->base + s->len - s->ptr;
memmove(data, s->ptr, size);
@@ -55,7 +59,17 @@ emem_fetch(krb5_storage *sp, void *data, size_t size)
static ssize_t
emem_store(krb5_storage *sp, const void *data, size_t size)
{
- emem_storage *s = (emem_storage*)sp->data;
+ emem_storage *s;
+
+ if (size == 0) {
+ sp->seek(sp, 0, SEEK_CUR);
+ return 0;
+ }
+
+ s = (emem_storage*)sp->data;
+
+ assert(data != NULL);
+
if(size > (size_t)(s->base + s->size - s->ptr)){
void *base;
size_t sz, off;
@@ -112,10 +126,17 @@ emem_trunc(krb5_storage *sp, off_t offset)
* shrunk more then half of the current size, adjust buffer.
*/
if (offset == 0) {
- free(s->base);
- s->size = 0;
- s->base = NULL;
- s->ptr = NULL;
+ if (s->size > 1024) {
+ void *base;
+
+ base = realloc(s->base, 1024);
+ if (base) {
+ s->base = base;
+ s->size = 1024;
+ }
+ }
+ s->len = 0;
+ s->ptr = s->base;
} else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) {
void *base;
size_t off;
@@ -140,7 +161,10 @@ static void
emem_free(krb5_storage *sp)
{
emem_storage *s = sp->data;
- memset(s->base, 0, s->len);
+
+ assert(s->base != NULL);
+
+ memset_s(s->base, s->len, 0, s->len);
free(s->base);
}
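Review bot: `memset_s(s->base, s->len, 0, s->len)` wipes only the bytes currently counted in `s->len`, but the `emem_trunc` hunk above now sets `s->len = 0` and keeps the buffer, so anything written before a truncation is freed without being cleared. Wiping the whole allocation covers that: `memset_s(s->base, s->size, 0, s->size);`. The `realloc` to 1024 bytes in `emem_trunc` likewise releases the tail of the old buffer unwiped. The added `assert(s->base != NULL)` disappears under `NDEBUG`; an `if (s->base == NULL) return;` would also hold in release builds.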
@@ -179,7 +203,7 @@ krb5_storage_emem(void)
sp->flags = 0;
sp->eof_code = HEIM_ERR_EOF;
s->size = 1024;
- s->base = malloc(s->size);
+ s->base = calloc(1, s->size);
if (s->base == NULL) {
free(sp);
free(s);
@@ -193,6 +217,6 @@ krb5_storage_emem(void)
sp->trunc = emem_trunc;
sp->fsync = NULL;
sp->free = emem_free;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
diff --git a/lib/krb5/store_fd.c b/lib/krb5/store_fd.c
index ead18be67aa2..9184e593ab68 100644
--- a/lib/krb5/store_fd.c
+++ b/lib/krb5/store_fd.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -53,8 +53,10 @@ fd_fetch(krb5_storage * sp, void *data, size_t size)
if (count < 0) {
if (errno == EINTR)
continue;
- else
+ else if (rem == size)
return count;
+ else
+ return size - rem;
} else if (count == 0) {
return count;
}
@@ -78,7 +80,7 @@ fd_store(krb5_storage * sp, const void *data, size_t size)
if (errno == EINTR)
continue;
else
- return count;
+ return size - rem;
}
cbuf += count;
rem -= count;
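Review bot: `fd_store` now returns `size - rem` for every write error, so a failure on the first write yields 0 instead of a negative value. The `fd_fetch` hunk above keeps `return count;` when nothing was transferred, and callers such as `krb5_store_int` map only a negative result to `errno`. Mirroring `fd_fetch` keeps the error visible: `else if (rem == size) return count; else return size - rem;`. The loop header is outside this hunk.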
@@ -95,8 +97,21 @@ fd_seek(krb5_storage * sp, off_t offset, int whence)
static int
fd_trunc(krb5_storage * sp, off_t offset)
{
+ off_t tmpoff;
+
if (ftruncate(FD(sp), offset) == -1)
return errno;
+
+ tmpoff = lseek(FD(sp), 0, SEEK_CUR);
+ if (tmpoff == -1)
+ return errno;
+
+ if (tmpoff > offset) {
+ tmpoff = lseek(FD(sp), offset, SEEK_SET);
+ if (tmpoff == -1)
+ return errno;
+ }
+
return 0;
}
@@ -180,6 +195,6 @@ krb5_storage_from_fd(int fd_in)
sp->trunc = fd_trunc;
sp->fsync = fd_sync;
sp->free = fd_free;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
diff --git a/lib/krb5/store_mem.c b/lib/krb5/store_mem.c
index ff2a570ca62c..638c341a64ff 100644
--- a/lib/krb5/store_mem.c
+++ b/lib/krb5/store_mem.c
@@ -147,7 +147,7 @@ krb5_storage_from_mem(void *buf, size_t len)
sp->trunc = mem_trunc;
sp->fsync = NULL;
sp->free = NULL;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
@@ -207,6 +207,6 @@ krb5_storage_from_readonly_mem(const void *buf, size_t len)
sp->trunc = mem_no_trunc;
sp->fsync = NULL;
sp->free = NULL;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
diff --git a/lib/krb5/store_sock.c b/lib/krb5/store_sock.c
index f7dc2256d729..72d3e9d22bd2 100644
--- a/lib/krb5/store_sock.c
+++ b/lib/krb5/store_sock.c
@@ -82,10 +82,13 @@ static void
socket_free(krb5_storage * sp)
{
int save_errno = errno;
- if (rk_IS_SOCKET_ERROR(rk_closesocket(SOCK(sp))))
+ if (rk_IS_SOCKET_ERROR(rk_closesocket(SOCK(sp)))) {
+#ifdef WIN32
errno = rk_SOCK_ERRNO;
- else
+#endif
+ } else {
errno = save_errno;
+ }
}
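Review bot: The new guard uses `#ifdef WIN32`, while `krb5_storage_from_socket` in the next hunk of this file uses `#ifdef _WIN32`. `_WIN32` is the macro compilers predefine for Windows targets; `WIN32` depends on SDK headers or build flags, so the `errno = rk_SOCK_ERRNO;` assignment may be compiled out on some Windows builds. Use `#ifdef _WIN32` here to match the rest of the file.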
/**
@@ -112,6 +115,7 @@ krb5_storage_from_socket(krb5_socket_t sock_in)
#ifdef _WIN32
WSAPROTOCOL_INFO info;
+ sock = rk_INVALID_SOCKET;
if (WSADuplicateSocket(sock_in, GetCurrentProcessId(), &info) == 0)
{
@@ -154,6 +158,6 @@ krb5_storage_from_socket(krb5_socket_t sock_in)
sp->trunc = socket_trunc;
sp->fsync = socket_sync;
sp->free = socket_free;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
diff --git a/lib/krb5/store_stdio.c b/lib/krb5/store_stdio.c
new file mode 100644
index 000000000000..9244b9e7f5fa
--- /dev/null
+++ b/lib/krb5/store_stdio.c
@@ -0,0 +1,271 @@
+/*
+ * Copyright (c) 2017 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include "store-int.h"
+
+#ifndef HAVE_FSEEKO
+#define fseeko fseek
+#define ftello ftell
+#endif
+
+typedef struct stdio_storage {
+ FILE *f;
+ off_t pos;
+} stdio_storage;
+
+#define F(S) (((stdio_storage*)(S)->data)->f)
+#define POS(S) (((stdio_storage*)(S)->data)->pos)
+
+static ssize_t
+stdio_fetch(krb5_storage * sp, void *data, size_t size)
+{
+ char *cbuf = (char *)data;
+ ssize_t count;
+ size_t rem = size;
+
+ /* similar pattern to net_read() to support pipes */
+ while (rem > 0) {
+ count = fread(cbuf, 1, rem, F(sp));
+ if (count < 0) {
+ POS(sp) = -1;
+ if (errno == EINTR)
+ continue;
+ else
+ return count;
+ } else if (count == 0) {
+ if (POS(sp) >= 0)
+ POS(sp) += size - rem;
+ return size - rem;
+ }
+ cbuf += count;
+ rem -= count;
+ }
+ if (POS(sp) >= 0)
+ POS(sp) += size;
+ return size;
+}
+
+static ssize_t
+stdio_store(krb5_storage * sp, const void *data, size_t size)
+{
+ const char *cbuf = (const char *)data;
+ ssize_t count;
+ size_t rem = size;
+
+ /*
+ * It's possible we just went from reading to writing if the file was open
+ * for both. Per C99 (N869 final draft) section 7.18.5.3, point 6, when
+ * going from reading to writing [a file opened for both] one must seek.
+ */
+ (void) fseeko(F(sp), 0, SEEK_CUR);
+
+ /* similar pattern to net_write() to support pipes */
+ while (rem > 0) {
+ count = fwrite(cbuf, 1, rem, F(sp));
+ if (count < 0) {
+ if (errno == EINTR)
+ continue;
+ /*
+ * What does it mean to have a short write when using stdio?
+ *
+ * It can't mean much. After all stdio is buffering, so
+ * earlier writes that appeared complete may have failed,
+ * and so we don't know how much we really failed to write.
+ */
+ POS(sp) = -1;
+ return -1;
+ }
+ if (count == 0) {
+ POS(sp) = -1;
+ return -1;
+ }
+ cbuf += count;
+ rem -= count;
+ }
+ if (POS(sp) >= 0)
+ POS(sp) += size;
+ return size;
+}
+
+static off_t
+stdio_seek(krb5_storage * sp, off_t offset, int whence)
+{
+ int save_errno = errno;
+
+ if (whence == SEEK_SET && POS(sp) == offset)
+ return POS(sp);
+
+ if (whence == SEEK_CUR && POS(sp) >= 0 && offset == 0)
+ return POS(sp);
+
+ if (fseeko(F(sp), offset, whence) != 0)
+ return -1;
+ errno = save_errno;
+ return POS(sp) = ftello(F(sp));
+}
+
+static int
+stdio_trunc(krb5_storage * sp, off_t offset)
+{
+ off_t tmpoff;
+ int save_errno = errno;
+
+ if (fflush(F(sp)) == EOF)
+ return errno;
+ tmpoff = ftello(F(sp));
+ if (tmpoff < 0)
+ return errno;
+ if (tmpoff > offset)
+ tmpoff = offset;
+ if (ftruncate(fileno(F(sp)), offset) == -1)
+ return errno;
+ if (fseeko(F(sp), 0, SEEK_END) == -1)
+ return errno;
+ if (fseeko(F(sp), tmpoff, SEEK_SET) == -1)
+ return errno;
+ errno = save_errno;
+ POS(sp) = tmpoff;
+ return 0;
+}
+
+static int
+stdio_sync(krb5_storage * sp)
+{
+ if (fflush(F(sp)) == EOF)
+ return errno;
+ if (fsync(fileno(F(sp))) == -1)
+ return errno;
+ return 0;
+}
+
+static void
+stdio_free(krb5_storage * sp)
+{
+ int save_errno = errno;
+
+ if (F(sp) != NULL && fclose(F(sp)) == 0)
+ errno = save_errno;
+ F(sp) = NULL;
+}
+
+/**
+ * Open a krb5_storage using stdio for buffering.
+ *
+ * @return A krb5_storage on success, or NULL on out of memory error.
+ *
+ * @ingroup krb5_storage
+ *
+ * @sa krb5_storage_emem()
+ * @sa krb5_storage_from_fd()
+ * @sa krb5_storage_from_mem()
+ * @sa krb5_storage_from_readonly_mem()
+ * @sa krb5_storage_from_data()
+ * @sa krb5_storage_from_socket()
+ */
+
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
+krb5_storage_stdio_from_fd(int fd_in, const char *mode)
+{
+ krb5_storage *sp;
+ off_t off;
+ FILE *f;
+ int saved_errno = errno;
+ int fd;
+
+ off = lseek(fd_in, 0, SEEK_CUR);
+ if (off == -1)
+ return NULL;
+
+#ifdef _MSC_VER
+ /*
+ * This function used to try to pass the input to
+ * _get_osfhandle() to test if the value is a HANDLE
+ * but this doesn't work because doing so throws an
+ * exception that will result in Watson being triggered
+ * to file a Windows Error Report.
+ */
+ fd = _dup(fd_in);
+#else
+ fd = dup(fd_in);
+#endif
+
+ if (fd < 0)
+ return NULL;
+
+ f = fdopen(fd, mode);
+ if (f == NULL) {
+ (void) close(fd);
+ return NULL;
+ }
+
+ errno = saved_errno;
+
+ if (fseeko(f, off, SEEK_SET) == -1) {
+ saved_errno = errno;
+ (void) fclose(f);
+ errno = saved_errno;
+ return NULL;
+ }
+
+ errno = ENOMEM;
+ sp = malloc(sizeof(krb5_storage));
+ if (sp == NULL) {
+ saved_errno = errno;
+ (void) fclose(f);
+ errno = saved_errno;
+ return NULL;
+ }
+
+ errno = ENOMEM;
+ sp->data = malloc(sizeof(stdio_storage));
+ if (sp->data == NULL) {
+ saved_errno = errno;
+ (void) fclose(f);
+ free(sp);
+ errno = saved_errno;
+ return NULL;
+ }
+ sp->flags = 0;
+ sp->eof_code = HEIM_ERR_EOF;
+ F(sp) = f;
+ POS(sp) = off;
+ sp->fetch = stdio_fetch;
+ sp->store = stdio_store;
+ sp->seek = stdio_seek;
+ sp->trunc = stdio_trunc;
+ sp->fsync = stdio_sync;
+ sp->free = stdio_free;
+ sp->max_alloc = UINT32_MAX/64;
+ return sp;
+}
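Review bot: In `stdio_fetch` and `stdio_store`, `fread()` and `fwrite()` return `size_t`, so the `count < 0` branches (including the `EINTR` retry) can never run, and in `stdio_fetch` a read error is reported as a short read indistinguishable from end of file. Checking the stream state when the count is 0 restores the distinction: `if (count == 0 && ferror(F(sp))) { POS(sp) = -1; return -1; }`. The doc comment on `krb5_storage_stdio_from_fd` should also describe `mode` and say that NULL is returned when `lseek`, `dup` or `fdopen` fails, not only on out of memory. Since `lseek` fails on pipes, the "to support pipes" comments do not match what the constructor accepts.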
diff --git a/lib/krb5/test_acl.c b/lib/krb5/test_acl.c
index 9e27c0408643..a11ff3f8a97c 100644
--- a/lib/krb5/test_acl.c
+++ b/lib/krb5/test_acl.c
@@ -37,7 +37,7 @@
do { if (r != e) krb5_errx(c, 1, "%s", s); } while (0)
#define STRINGMATCH(c, s, _s1, _s2) \
do { \
- if (_s1 == NULL || _s2 == NULL) \
+ if (_s1 == NULL) \
krb5_errx(c, 1, "s1 or s2 is NULL"); \
if (strcmp(_s1,_s2) != 0) \
krb5_errx(c, 1, "%s", s); \
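Review bot: The check now tests only `_s1`, but the message still says "s1 or s2 is NULL" and `strcmp(_s1,_s2)` is still reached with an unchecked `_s2`. If the `_s2` test was dropped to silence a warning about comparing a string literal with NULL, update the text to `"s1 is NULL"` and add a comment that `_s2` must be a non-NULL literal.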
diff --git a/lib/krb5/test_alname.c b/lib/krb5/test_alname.c
index 120143e51e7b..36775adef1b4 100644
--- a/lib/krb5/test_alname.c
+++ b/lib/krb5/test_alname.c
@@ -81,8 +81,8 @@ test_alname(krb5_context context, krb5_const_realm realm,
}
krb5_err(context, 1, ret, "krb5_aname_to_localname: %s -> %s",
princ, localuser);
- free(princ);
}
+ free(princ);
if (strcmp(localname, localuser) != 0) {
if (ok)
diff --git a/lib/krb5/test_ap-req.c b/lib/krb5/test_ap-req.c
index dcdddb814981..0fd107833976 100644
--- a/lib/krb5/test_ap-req.c
+++ b/lib/krb5/test_ap-req.c
@@ -39,7 +39,7 @@
#include <getarg.h>
#include <roken.h>
-static int verify_pac = 0;
+static int verify_pac = 1;
static int server_any = 0;
static int version_flag = 0;
static int help_flag = 0;
@@ -153,6 +153,7 @@ test_ap(krb5_context context,
krb5_err(context, 1, ret, "pac parse");
krb5_pac_free(context, pac);
+ krb5_data_free(&data);
}
krb5_free_ticket(context, ticket);
diff --git a/lib/krb5/test_cc.c b/lib/krb5/test_cc.c
index fa7ee37dde6b..0ca582eaaca6 100644
--- a/lib/krb5/test_cc.c
+++ b/lib/krb5/test_cc.c
@@ -30,26 +30,132 @@
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/*
+ * If this test fails with
+ *
+ * krb5_cc_gen_new: KEYRING: Key has been revoked
+ *
+ * then run
+ *
+ * keyctl new_session
+ */
+
#include "krb5_locl.h"
#include <getarg.h>
#include <err.h>
+#ifdef HAVE_KEYUTILS_H
+#include <keyutils.h>
+#endif
+
+static const char *unlink_this;
+static const char *unlink_this2;
+static char *tmpdir;
static int debug_flag = 0;
static int version_flag = 0;
static int help_flag = 0;
-#ifdef KRB5_USE_PATH_TOKENS
-#define TEST_CC_NAME "%{TEMP}/krb5-cc-test-foo"
-#else
-#define TEST_CC_NAME "/tmp/krb5-cc-test-foo"
-#endif
+#define TEST_CC_TEMPLATE "%{TEMP}/krb5-cc-test-XXXXXX"
+
+static void
+cleanup(void)
+{
+ char *s = NULL;
+
+ if (asprintf(&s, "%s/cc", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/scc", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/cccol/foobar+lha@H5L.SE", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/cccol/foobar+lha@SU.SE", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/cccol/foobar", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/cccol", tmpdir) > -1 && s != NULL)
+ rmdir(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc/tkt.lha@H5L.SE", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc/tkt.lha@SU.SE", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc/tkt", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc/primary", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc", tmpdir) > -1 && s != NULL)
+ rmdir(s);
+ free(s);
+
+ if (unlink_this)
+ unlink(unlink_this);
+ unlink_this = NULL;
+ if (unlink_this2)
+ unlink(unlink_this2);
+ unlink_this2 = NULL;
+
+ rmdir(tmpdir);
+}
+
+static void
+make_dir(krb5_context context)
+{
+ krb5_error_code ret;
+ char *template = NULL;
+ char *dcc = NULL;
+
+ ret = _krb5_expand_path_tokens(context, TEST_CC_TEMPLATE, 1, &template);
+ if (ret)
+ krb5_err(context, 1, ret, "_krb5_expand_path_tokens(%s) failed",
+ TEST_CC_TEMPLATE);
+ if ((tmpdir = mkdtemp(template)) == NULL)
+ krb5_err(context, 1, errno, "mkdtemp(%s) failed", template);
+ if (asprintf(&dcc, "%s/dcc", tmpdir) == -1 || dcc == NULL)
+ krb5_err(context, 1, errno, "asprintf failed");
+ free(dcc);
+ atexit(cleanup);
+}
static void
test_default_name(krb5_context context)
{
krb5_error_code ret;
- const char *p, *test_cc_name = TEST_CC_NAME;
- char *p1, *p2, *p3;
+ const char *p;
+ char *test_cc_name = NULL;
+ const char *p3;
+ char *p1, *p2;
+ char *exp_test_cc_name;
+
+ if (asprintf(&test_cc_name, "%s/cc", tmpdir) == -1 || test_cc_name == NULL)
+ krb5_err(context, 1, errno, "out of memory");
+
+ /* Convert slashes to backslashes */
+ ret = _krb5_expand_path_tokens(context, test_cc_name, 1,
+ &exp_test_cc_name);
+ if (ret)
+ krb5_err(context, 1, ret, "_krb5_expand_path_tokens(%s) failed",
+ test_cc_name);
+ free(test_cc_name);
+ test_cc_name = NULL;
p = krb5_cc_default_name(context);
if (p == NULL)
@@ -58,7 +164,7 @@ test_default_name(krb5_context context)
ret = krb5_cc_set_default_name(context, NULL);
if (ret)
- krb5_errx (context, 1, "krb5_cc_set_default_name failed");
+ krb5_err(context, 1, ret, "krb5_cc_set_default_name(NULL) failed");
p = krb5_cc_default_name(context);
if (p == NULL)
@@ -68,26 +174,35 @@ test_default_name(krb5_context context)
if (strcmp(p1, p2) != 0)
krb5_errx (context, 1, "krb5_cc_default_name no longer same");
- ret = krb5_cc_set_default_name(context, test_cc_name);
+ ret = krb5_cc_set_default_name(context, exp_test_cc_name);
if (ret)
- krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
+ krb5_err(context, 1, ret, "krb5_cc_set_default_name(%s) failed",
+ exp_test_cc_name);
p = krb5_cc_default_name(context);
if (p == NULL)
krb5_errx (context, 1, "krb5_cc_default_name 2 failed");
- p3 = estrdup(p);
-
-#ifndef KRB5_USE_PATH_TOKENS
- /* If we are using path tokens, we don't expect the p3 and
- test_cc_name to match since p3 is going to have expanded
- tokens. */
- if (strcmp(p3, test_cc_name) != 0)
- krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
+
+ if (strncmp(p, "FILE:", sizeof("FILE:") - 1) == 0)
+ p3 = p + sizeof("FILE:") - 1;
+ else
+ p3 = p;
+
+ if (strcmp(exp_test_cc_name, p3) != 0) {
+#ifdef WIN32
+ krb5_warnx(context, 1,
+ "krb5_cc_default_name() returned %s; expected %s",
+ p, exp_test_cc_name);
+#else
+ krb5_errx(context, 1,
+ "krb5_cc_default_name() returned %s; expected %s",
+ p, exp_test_cc_name);
#endif
+ }
+ free(exp_test_cc_name);
free(p1);
free(p2);
- free(p3);
}
/*
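Review bot: In the `#ifdef WIN32` branch, `krb5_warnx(context, 1, ...)` passes the exit status `1` in the position where krb5_warnx() expects its format string. Unlike krb5_errx(), it takes no eval argument, so on Windows builds this either fails to compile cleanly or hands an invalid pointer to the formatter. The call should read `krb5_warnx(context, "krb5_cc_default_name() returned %s; expected %s", p, exp_test_cc_name);`. test_default_name() starts outside this hunk.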
@@ -181,6 +296,8 @@ test_init_vs_destroy(krb5_context context, const char *type)
krb5_cc_get_name(context, id)) < 0 || n == NULL)
errx(1, "malloc");
+ if (strcmp(krb5_cc_get_type(context, id), "FILE") == 0)
+ unlink_this = krb5_cc_get_name(context, id);
ret = krb5_cc_resolve(context, n, &id2);
free(n);
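Review bot: `unlink_this` keeps the pointer returned by `krb5_cc_get_name(context, id)` rather than a copy, so the atexit cleanup() handler added earlier in this diff can call unlink() on storage whose lifetime is tied to the cache handle. In test_cache_remove the reset `unlink_this = NULL;` comes after the krb5_cc_destroy() error check, so a failing destroy exits through krb5_err() with the pointer still set; whether the name is still valid at that point is not visible here. Copying the name, e.g. `unlink_this = estrdup(krb5_cc_get_name(context, id));` with a matching free() in cleanup(), would remove that dependency, assuming the declaration of unlink_this (outside this view) allows it. test_copy uses the same pattern for `unlink_this2`. test_init_vs_destroy() starts and ends outside this hunk.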
@@ -198,6 +315,7 @@ test_init_vs_destroy(krb5_context context, const char *type)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
+ unlink_this = NULL;
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
}
@@ -208,7 +326,7 @@ test_cache_remove(krb5_context context, const char *type)
krb5_error_code ret;
krb5_ccache id;
krb5_principal p;
- krb5_creds cred;
+ krb5_creds cred, found;
ret = krb5_parse_name(context, "lha@SU.SE", &p);
if (ret)
@@ -218,6 +336,9 @@ test_cache_remove(krb5_context context, const char *type)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new: %s", type);
+ if (strcmp(krb5_cc_get_type(context, id), "FILE") == 0)
+ unlink_this = krb5_cc_get_name(context, id);
+
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
@@ -230,6 +351,7 @@ test_cache_remove(krb5_context context, const char *type)
ret = krb5_parse_name(context, "lha@SU.SE", &cred.client);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
+ cred.times.endtime = time(NULL) + 300;
ret = krb5_cc_store_cred(context, id, &cred);
if (ret)
@@ -239,9 +361,16 @@ test_cache_remove(krb5_context context, const char *type)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_remove_cred");
+ memset(&found, 0, sizeof(found));
+ ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_MATCH_TIMES,
+ &cred, &found);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_cc_remove_cred didn't");
+
ret = krb5_cc_destroy(context, id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_destroy");
+ unlink_this = NULL;
krb5_free_principal(context, p);
krb5_free_principal(context, cred.server);
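Review bot: The new post-removal check reports its failure with `krb5_err(context, 1, ret, ...)` on the branch where `ret == 0`, so the message is suffixed with the error text for code 0 instead of describing a real error. Since the failure is that the lookup succeeded, there is no code to report: `krb5_errx(context, 1, "krb5_cc_remove_cred didn't");`. The rest of test_cache_remove() lies outside this hunk.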
@@ -294,6 +423,8 @@ struct {
{ "foo", 0, "foo" },
{ "foo%}", 0, "foo%}" },
{ "%{uid}", 0, NULL },
+ { "%{euid}", 0, NULL },
+ { "%{username}", 0, NULL },
{ "foo%{null}", 0, "foo" },
{ "foo%{null}bar", 0, "foobar" },
{ "%{", 1, NULL },
@@ -303,7 +434,7 @@ struct {
{ "%{nulll}", 1, NULL },
{ "%{does not exist}", 1, NULL },
{ "%{}", 1, NULL },
-#ifdef KRB5_USE_PATH_TOKENS
+#ifdef WIN32
{ "%{APPDATA}", 0, NULL },
{ "%{COMMON_APPDATA}", 0, NULL},
{ "%{LOCAL_APPDATA}", 0, NULL},
@@ -389,6 +520,7 @@ test_cache_iter(krb5_context context, const char *type, int destroy)
krb5_principal principal;
char *name;
+ heim_assert(id != NULL, "credentials cache is non-NULL");
if (debug_flag)
printf("name: %s\n", krb5_cc_get_name(context, id));
ret = krb5_cc_get_principal(context, id, &principal);
@@ -460,6 +592,9 @@ test_copy(krb5_context context, const char *from, const char *to)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique: %s", from);
+ if (strcmp(krb5_cc_get_type(context, fromid), "FILE") == 0)
+ unlink_this = krb5_cc_get_name(context, fromid);
+
ret = krb5_cc_initialize(context, fromid, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
@@ -468,6 +603,9 @@ test_copy(krb5_context context, const char *from, const char *to)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new: %s", to);
+ if (strcmp(krb5_cc_get_type(context, toid), "FILE") == 0)
+ unlink_this2 = krb5_cc_get_name(context, toid);
+
ret = krb5_cc_copy_cache(context, fromid, toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_copy_cache");
@@ -484,6 +622,7 @@ test_copy(krb5_context context, const char *from, const char *to)
krb5_cc_destroy(context, fromid);
krb5_cc_destroy(context, toid);
+ unlink_this = unlink_this2 = NULL;
}
static void
@@ -493,6 +632,7 @@ test_move(krb5_context context, const char *type)
krb5_ccache fromid, toid;
krb5_error_code ret;
krb5_principal p, p2;
+ krb5_creds cred, tocred;
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL)
@@ -512,13 +652,26 @@ test_move(krb5_context context, const char *type)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
+ memset(&cred, 0, sizeof(cred));
+ ret = krb5_parse_name(context, "krbtgt/SU.SE@SU.SE", &cred.server);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+ ret = krb5_parse_name(context, "lha@SU.SE", &cred.client);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+
+ ret = krb5_cc_store_cred(context, fromid, &cred);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_store_cred");
+
+
ret = krb5_cc_new_unique(context, type, NULL, &toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
- ret = krb5_cc_initialize(context, toid, p);
+ ret = krb5_cc_move(context, fromid, toid);
if (ret)
- krb5_err(context, 1, ret, "krb5_cc_initialize");
+ krb5_err(context, 1, ret, "krb5_cc_move");
ret = krb5_cc_get_principal(context, toid, &p2);
if (ret)
@@ -527,11 +680,15 @@ test_move(krb5_context context, const char *type)
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
+ ret = krb5_cc_retrieve_cred(context, toid, 0, &cred, &tocred);
+ if (ret)
+ krb5_errx(context, 1, "move failed");
+ krb5_free_cred_contents(context, &cred);
+ krb5_free_cred_contents(context, &tocred);
+
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
-
krb5_cc_destroy(context, toid);
- krb5_cc_destroy(context, fromid);
}
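Review bot: The check after `krb5_cc_retrieve_cred(context, toid, 0, &cred, &tocred)` discards `ret` and prints only "move failed", unlike every other check in this function, which reports the code through krb5_err(). Keeping the code makes a failing backend diagnosable: `krb5_err(context, 1, ret, "krb5_cc_retrieve_cred after krb5_cc_move");`. test_move() starts outside this hunk.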
@@ -631,6 +788,160 @@ test_cc_config(krb5_context context, const char *cc_type,
krb5_free_principal(context, p);
}
+static krb5_error_code
+test_cccol(krb5_context context, const char *def_cccol, const char **what)
+{
+ krb5_cc_cache_cursor cursor;
+ krb5_error_code ret;
+ krb5_principal p1, p2;
+ krb5_ccache id, id1, id2;
+ krb5_creds cred1, cred2;
+ size_t match1 = 0;
+ size_t match2 = 0;
+
+ memset(&cred1, 0, sizeof(cred1));
+ memset(&cred2, 0, sizeof(cred2));
+
+ *what = "krb5_parse_name";
+ ret = krb5_parse_name(context, "krbtgt/SU.SE@SU.SE", &cred1.server);
+ if (ret) return ret;
+ ret = krb5_parse_name(context, "lha@SU.SE", &cred1.client);
+ if (ret) return ret;
+ ret = krb5_parse_name(context, "krbtgt/H5L.SE@H5L.SE", &cred2.server);
+ if (ret) return ret;
+ ret = krb5_parse_name(context, "lha@H5L.SE", &cred2.client);
+ if (ret) return ret;
+ *what = "krb5_cc_set_default_name";
+ ret = krb5_cc_set_default_name(context, def_cccol);
+ if (ret) return ret;
+ *what = "krb5_cc_default";
+ ret = krb5_cc_default(context, &id1);
+ if (ret) return ret;
+ *what = "krb5_cc_initialize";
+ ret = krb5_cc_initialize(context, id1, cred1.client);
+ if (ret) return ret;
+ *what = "krb5_cc_store_cred";
+ ret = krb5_cc_store_cred(context, id1, &cred1);
+ if (ret) return ret;
+ *what = "krb5_cc_resolve";
+ ret = krb5_cc_resolve_for(context, NULL, def_cccol, cred2.client, &id2);
+ if (ret) return ret;
+ *what = "krb5_cc_initialize";
+ ret = krb5_cc_initialize(context, id2, cred2.client);
+ if (ret) return ret;
+ *what = "krb5_cc_store_cred";
+ ret = krb5_cc_store_cred(context, id2, &cred2);
+ if (ret) return ret;
+
+ krb5_cc_close(context, id1);
+ krb5_cc_close(context, id2);
+ id1 = id2 = NULL;
+
+ *what = "krb5_cc_default";
+ ret = krb5_cc_default(context, &id1);
+ if (ret) return ret;
+ *what = "krb5_cc_resolve";
+ ret = krb5_cc_resolve_for(context, NULL, def_cccol, cred2.client, &id2);
+ if (ret) return ret;
+
+ *what = "krb5_cc_get_principal";
+ ret = krb5_cc_get_principal(context, id1, &p1);
+ if (ret) return ret;
+ ret = krb5_cc_get_principal(context, id2, &p2);
+ if (ret) return ret;
+
+ if (!krb5_principal_compare(context, p1, cred1.client)) {
+ char *u1 = NULL;
+ char *u2 = NULL;
+
+ (void) krb5_unparse_name(context, p1, &u1);
+ (void) krb5_unparse_name(context, cred1.client, &u2);
+ warnx("Inconsistent principals for ccaches in %s: %s vs %s "
+ "(expected lha@SU.SE)", def_cccol, u1, u2);
+ return EINVAL;
+ }
+ if (!krb5_principal_compare(context, p2, cred2.client)) {
+ char *u1 = NULL;
+ char *u2 = NULL;
+
+ (void) krb5_unparse_name(context, p2, &u1);
+ (void) krb5_unparse_name(context, cred2.client, &u2);
+ warnx("Inconsistent principals for ccaches in %s: %s and %s "
+ "(expected lha@H5L.SE)", def_cccol, u1, u2);
+ return EINVAL;
+ }
+ krb5_free_principal(context, p1);
+ krb5_free_principal(context, p2);
+
+ *what = "krb5_cc_cache_get_first";
+ ret = krb5_cc_cache_get_first(context, NULL, &cursor);
+ if (ret) return ret;
+ *what = "krb5_cc_cache_next";
+ while (krb5_cc_cache_next(context, cursor, &id) == 0) {
+ krb5_principal p;
+
+ *what = "krb5_cc_get_principal";
+ ret = krb5_cc_get_principal(context, id, &p);
+ if (ret) return ret;
+ if (krb5_principal_compare(context, p, cred1.client))
+ match1++;
+ else if (krb5_principal_compare(context, p, cred2.client))
+ match2++;
+ krb5_free_principal(context, p);
+ krb5_cc_close(context, id);
+ }
+ (void) krb5_cc_cache_end_seq_get(context, cursor);
+
+ *what = "cccol iteration inconsistency";
+ if (match1 != 1 || match2 != 1)
+ return EINVAL;
+
+ krb5_cc_close(context, id1);
+ krb5_cc_close(context, id2);
+
+ krb5_free_cred_contents(context, &cred1);
+ krb5_free_cred_contents(context, &cred2);
+
+ return 0;
+}
+
+static void
+test_cccol_dcache(krb5_context context)
+{
+ krb5_error_code ret;
+ char *dcc = NULL;
+ const char *what;
+
+ if (asprintf(&dcc, "DIR:%s/dcc", tmpdir) == -1 || dcc == NULL)
+ krb5_err(context, 1, errno, "asprintf");
+
+ ret = test_cccol(context, dcc, &what);
+ free(dcc);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+}
+
+static void
+test_cccol_scache(krb5_context context)
+{
+ krb5_error_code ret;
+ char *scache = NULL;
+ const char *what;
+ int fd;
+
+ if (asprintf(&scache, "SCC:%s/scache", tmpdir) == -1 || scache == NULL)
+ krb5_err(context, 1, errno, "asprintf");
+ if ((fd = open(scache + sizeof("SCC:") - 1, O_CREAT | O_RDWR, 0600)) == -1)
+ krb5_err(context, 1, errno, "open(%s)", scache + sizeof("SCC:") - 1);
+ (void) close(fd);
+
+ ret = test_cccol(context, scache, &what);
+ (void) unlink(scache + sizeof("SCC:") - 1);
+ free(scache);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+}
+
static struct getargs args[] = {
{"debug", 'd', arg_flag, &debug_flag,
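Review bot: In test_cccol(), both mismatch branches ignore the result of krb5_unparse_name() and then pass `u1` and `u2` to `warnx("... %s vs %s ...")`, so a failed unparse hands a NULL pointer to `%s`, which is undefined behaviour. Guarding the arguments, e.g. `u1 ? u1 : "<unparse failed>"` and likewise for `u2`, keeps the diagnostic safe. The same branches return without freeing u1, u2, p1 and p2, and the earlier `if (ret) return ret;` exits leave the parsed principals and open caches behind. That is tolerable in a test that exits on failure, but a single cleanup label would make the function reusable.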
@@ -676,21 +987,52 @@ main(int argc, char **argv)
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
+ make_dir(context);
+
test_cache_remove(context, krb5_cc_type_file);
test_cache_remove(context, krb5_cc_type_memory);
#ifdef USE_SQLITE
test_cache_remove(context, krb5_cc_type_scc);
#endif
+#ifdef HAVE_KEYUTILS_H
+ keyctl_join_session_keyring(NULL);
+ test_cache_remove(context, krb5_cc_type_keyring);
+#endif
test_default_name(context);
test_mcache(context);
+ /*
+ * XXX Make sure to set default ccache names for each cc type!
+ * Otherwise we clobber the user's ccaches.
+ */
test_init_vs_destroy(context, krb5_cc_type_memory);
test_init_vs_destroy(context, krb5_cc_type_file);
#if 0
test_init_vs_destroy(context, krb5_cc_type_api);
#endif
+ /*
+ * Cleanup so we can check that the permissions on the directory created by
+ * scc are correct.
+ */
+ cleanup();
test_init_vs_destroy(context, krb5_cc_type_scc);
+
+#if defined(S_IRWXG) && defined(S_IRWXO)
+ {
+ struct stat st;
+
+ if (stat(tmpdir, &st) == 0) {
+ if ((st.st_mode & S_IRWXG) ||
+ (st.st_mode & S_IRWXO))
+ krb5_errx(context, 1,
+ "SQLite3 ccache dir perms wrong: %d", st.st_mode);
+ }
+ }
+#endif
test_init_vs_destroy(context, krb5_cc_type_dcc);
+#ifdef HAVE_KEYUTILS_H
+ test_init_vs_destroy(context, krb5_cc_type_keyring);
+#endif
test_mcc_default();
test_def_cc_name(context);
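Review bot: The directory-permission assertion after `test_init_vs_destroy(context, krb5_cc_type_scc)` is skipped silently when `stat(tmpdir, &st)` fails, so the test passes without checking anything if the SCC backend did not recreate the directory that cleanup() has just removed. An explicit failure arm closes that gap: `else krb5_err(context, 1, errno, "stat(%s)", tmpdir);`. The message would also be easier to read with the mode in octal and masked, `"SQLite3 ccache dir perms wrong: %o", (unsigned)(st.st_mode & 07777)`. main() starts and ends outside this hunk.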
@@ -709,6 +1051,14 @@ main(int argc, char **argv)
test_cache_find(context, "lha@SU.SE", 1);
test_cache_find(context, "hulabundulahotentot@SU.SE", 0);
+ /*
+ * XXX We should compose and krb5_cc_set_default_name() a default ccache
+ * for each cc type that we test with test_cache_iter(), and we should do
+ * that inside test_cache_iter().
+ *
+ * Alternatively we should remove test_cache_iter() in favor of
+ * test_cccol(), which is a much more complete test.
+ */
test_cache_iter(context, krb5_cc_type_memory, 0);
test_cache_iter(context, krb5_cc_type_memory, 1);
test_cache_iter(context, krb5_cc_type_memory, 0);
@@ -720,6 +1070,10 @@ main(int argc, char **argv)
test_cache_iter(context, krb5_cc_type_dcc, 0);
test_cache_iter(context, krb5_cc_type_dcc, 1);
#endif
+#ifdef HAVE_KEYUTILS_H
+ test_cache_iter(context, krb5_cc_type_keyring, 0);
+ test_cache_iter(context, krb5_cc_type_keyring, 1);
+#endif
test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
test_copy(context, krb5_cc_type_memory, krb5_cc_type_memory);
@@ -734,16 +1088,56 @@ main(int argc, char **argv)
test_copy(context, krb5_cc_type_dcc, krb5_cc_type_file);
test_copy(context, krb5_cc_type_dcc, krb5_cc_type_scc);
#endif
+#ifdef HAVE_KEYUTILS_H
+ test_copy(context, krb5_cc_type_keyring, krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
+ test_copy(context, "KEYRING:", "KEYRING:bar");
+ test_copy(context, "KEYRING:bar", "KEYRING:baz");
+# ifdef HAVE_KEYCTL_GET_PERSISTENT
+ test_copy(context, krb5_cc_type_file, "KEYRING:persistent");
+ test_copy(context, "KEYRING:persistent:", krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_file, "KEYRING:persistent:foo");
+ test_copy(context, "KEYRING:persistent:foo", krb5_cc_type_file);
+# endif
+ test_copy(context, krb5_cc_type_memory, "KEYRING:process:");
+ test_copy(context, "KEYRING:process:", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:process:foo");
+ test_copy(context, "KEYRING:process:foo", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:thread:");
+ test_copy(context, "KEYRING:thread:", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:thread:foo");
+ test_copy(context, "KEYRING:thread:foo", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:session:");
+ test_copy(context, "KEYRING:session:", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:session:foo");
+ test_copy(context, "KEYRING:session:foo", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_file, "KEYRING:user:");
+ test_copy(context, "KEYRING:user:", krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_file, "KEYRING:user:foo");
+ test_copy(context, "KEYRING:user:foo", krb5_cc_type_memory);
+#endif /* HAVE_KEYUTILS_H */
test_move(context, krb5_cc_type_file);
test_move(context, krb5_cc_type_memory);
-#ifdef HAVE_KCM
- test_move(context, krb5_cc_type_kcm);
-#endif
test_move(context, krb5_cc_type_scc);
#if 0
test_move(context, krb5_cc_type_dcc);
#endif
+#ifdef HAVE_KEYUTILS_H
+ test_move(context, krb5_cc_type_keyring);
+# ifdef HAVE_KEYCTL_GET_PERSISTENT
+ test_move(context, "KEYRING:persistent:");
+ test_move(context, "KEYRING:persistent:foo");
+# endif
+ test_move(context, "KEYRING:process:");
+ test_move(context, "KEYRING:process:foo");
+ test_move(context, "KEYRING:thread:");
+ test_move(context, "KEYRING:thread:foo");
+ test_move(context, "KEYRING:session:");
+ test_move(context, "KEYRING:session:foo");
+ test_move(context, "KEYRING:user:");
+ test_move(context, "KEYRING:user:foo");
+#endif /* HAVE_KEYUTILS_H */
test_prefix_ops(context, "FILE:/tmp/foo", &krb5_fcc_ops);
test_prefix_ops(context, "FILE", &krb5_fcc_ops);
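Review bot: The second line of the new HAVE_KEYUTILS_H block, `test_copy(context, krb5_cc_type_file, krb5_cc_type_file);`, repeats the file-to-file copy already run just above the block and exercises no keyring code. It looks like the counterpart of the preceding keyring-to-file line was intended, i.e. `test_copy(context, krb5_cc_type_file, krb5_cc_type_keyring);`, which would otherwise leave the file-to-default-keyring direction untested. This should be confirmed against the author's intent.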
@@ -758,6 +1152,10 @@ main(int argc, char **argv)
test_prefix_ops(context, "DIR:", &krb5_dcc_ops);
test_prefix_ops(context, "DIR:tkt1", &krb5_dcc_ops);
#endif
+#ifdef HAVE_KEYUTILS_H
+ test_prefix_ops(context, "KEYRING:", &krb5_krcc_ops);
+ test_prefix_ops(context, "KEYRING:foo", &krb5_krcc_ops);
+#endif /* HAVE_KEYUTILS_H */
krb5_cc_destroy(context, id1);
krb5_cc_destroy(context, id2);
@@ -765,6 +1163,51 @@ main(int argc, char **argv)
test_cc_config(context, "MEMORY", "bar", 1000); /* 1000 because fast */
test_cc_config(context, "FILE", "/tmp/foocc", 30); /* 30 because slower */
+ test_cccol_dcache(context);
+ test_cccol_scache(context);
+#ifdef HAVE_KEYUTILS_H
+ {
+ const char *what;
+
+ ret = test_cccol(context, "KEYRING:legacy:fooccol", &what);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+
+ ret = test_cccol(context, "MEMORY:fooccol", &what);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+ }
+#endif /* HAVE_KEYUTILS_H */
+
+ {
+ const char *what;
+ char *config = NULL;
+ char *fname = NULL;
+ char *d = NULL;
+
+ if (asprintf(&d, "%s/cccol", tmpdir) == -1 || d == NULL)
+ krb5_err(context, 1, errno, "asprintf");
+ if (mkdir(d, 0700) == -1)
+ krb5_err(context, 1, errno, "mkdir(%s)", d);
+ if (asprintf(&fname, "%s/foobar", d) == -1 || fname == NULL ||
+ asprintf(&config,
+ "[libdefaults]\n"
+ "\tdefault_file_cache_collections = FILE:%1$s/cccol/foobar\n"
+ "\tenable_file_cache_iteration = true\n",
+ tmpdir) == -1 || config == NULL)
+ krb5_err(context, 1, errno, "asprintf");
+ ret = krb5_set_config(context, config);
+ if (ret)
+ krb5_err(context, 1, ret,
+ "Could not configure context from string:\n%s\n", config);
+ ret = test_cccol(context, fname, &what);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+ free(config);
+ free(fname);
+ free(d);
+ }
+
krb5_free_context(context);
#if 0
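Review bot: The `test_cccol(context, "MEMORY:fooccol", &what)` call sits inside the `#ifdef HAVE_KEYUTILS_H` block, so the memory-collection test only runs on builds that have keyutils, although nothing in it depends on the keyring backend. Moving that call and its `if (ret) krb5_err(context, 1, ret, "%s", what);` check out of the conditional, next to test_cccol_dcache() and test_cccol_scache(), gives every platform that coverage. main() starts outside this hunk.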
diff --git a/lib/krb5/test_expand_toks.c b/lib/krb5/test_expand_toks.c
index 7f3d79f0d112..9b105fbc39fb 100644
--- a/lib/krb5/test_expand_toks.c
+++ b/lib/krb5/test_expand_toks.c
@@ -95,7 +95,7 @@ main(int argc, char **argv)
#define EXPANDED_SHOULD_BE "/tmp/abc/dcefgh/x"
#endif
- if (strcmp(expanded, EXPANDED_SHOULD_BE))
+ if (strcmp(expanded, EXPANDED_SHOULD_BE) != 0)
krb5_errx(context, 1, "Token expansion incorrect");
krb5_free_context(context);
diff --git a/lib/krb5/test_gic.c b/lib/krb5/test_gic.c
index f22a6930fcff..f11777e466bb 100644
--- a/lib/krb5/test_gic.c
+++ b/lib/krb5/test_gic.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
diff --git a/lib/krb5/test_hostname.c b/lib/krb5/test_hostname.c
index fbdb5c9c322a..f722353f664a 100644
--- a/lib/krb5/test_hostname.c
+++ b/lib/krb5/test_hostname.c
@@ -48,11 +48,11 @@ expand_hostname(krb5_context context, const char *host)
if (ret)
krb5_err(context, 1, ret, "krb5_expand_hostname(%s)", host);
- free(h);
-
if (debug_flag)
printf("hostname: %s -> %s\n", host, h);
+ free(h);
+
ret = krb5_expand_hostname_realms(context, host, &h, &r);
if (ret)
krb5_err(context, 1, ret, "krb5_expand_hostname_realms(%s)", host);
diff --git a/lib/krb5/test_mkforwardable.c b/lib/krb5/test_mkforwardable.c
new file mode 100644
index 000000000000..3f25f13549d2
--- /dev/null
+++ b/lib/krb5/test_mkforwardable.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 1997-2021 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 2021 Isaac Boukris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+/*
+ * Usage: mkforwardable server out_ccache
+ *
+ * The default cache contains a ticket to server and the default keytab
+ * contains a key to decrypt it, the ticket is decrypted and the forwardable
+ * flag is added, the ticket is then re-encrypted and stored in out_cache.
+ *
+ */
+
+static krb5_context context;
+
+static void
+check(krb5_error_code code)
+{
+ const char *errmsg;
+
+ if (code == 0)
+ return;
+
+ errmsg = krb5_get_error_message(context, code);
+ fprintf(stderr, "%s\n", errmsg);
+ krb5_free_error_message(context, errmsg);
+
+ abort();
+}
+
+static void
+decrypt_ticket_enc_part(EncryptionKey *key,
+ krb5_enctype etype,
+ Ticket *ticket,
+ EncTicketPart *et)
+{
+ krb5_error_code ret;
+ krb5_data plain;
+ size_t len;
+ krb5_crypto crypto;
+
+ check(krb5_crypto_init(context, key, etype, &crypto));
+
+ ret = krb5_decrypt_EncryptedData (context,
+ crypto,
+ KRB5_KU_TICKET,
+ &ticket->enc_part,
+ &plain);
+ check(ret);
+
+ check(decode_EncTicketPart(plain.data, plain.length, et, &len));
+
+ krb5_data_free (&plain);
+ krb5_crypto_destroy(context, crypto);
+}
+
+static void
+encrypt_ticket_enc_part(EncryptionKey *key,
+ krb5_enctype etype,
+ krb5_kvno skvno,
+ EncTicketPart *et,
+ Ticket *ticket)
+{
+ size_t len, size;
+ char *buf;
+ krb5_error_code ret;
+ krb5_crypto crypto;
+
+ ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, et, &size, ret);
+ check(ret);
+
+ check(krb5_crypto_init(context, key, etype, &crypto));
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_TICKET,
+ buf,
+ len,
+ skvno,
+ &ticket->enc_part);
+ check(ret);
+
+ free(buf);
+ krb5_crypto_destroy(context, crypto);
+}
+
+
+int
+main(int argc, char **argv)
+{
+ krb5_error_code ret;
+ krb5_keytab kt;
+ krb5_keytab_entry entry;
+ krb5_enctype etype;
+ krb5_creds mc, cred;
+ krb5_ccache ccache;
+ EncTicketPart et;
+ Ticket ticket;
+ size_t size;
+ krb5_kvno kvno = 0;
+
+ memset(&cred, 0, sizeof(cred));
+
+ if (argc != 3)
+ errx(1, "Usage: mkforwardable server out_ccache");
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx(1, "krb5_init_context failed: %u", ret);
+
+ check(krb5_cc_default(context, &ccache));
+
+ krb5_cc_clear_mcred(&mc);
+
+ check(krb5_parse_name(context, argv[1], &mc.server));
+
+ check(krb5_cc_retrieve_cred(context, ccache, 0, &mc, &cred));
+
+ check(decode_Ticket(cred.ticket.data, cred.ticket.length, &ticket, NULL));
+
+ etype = ticket.enc_part.etype;
+
+ if (ticket.enc_part.kvno != NULL)
+ kvno = *ticket.enc_part.kvno;
+
+ check(krb5_kt_default(context, &kt));
+
+ check(krb5_kt_get_entry(context, kt, mc.server, kvno, etype, &entry));
+
+ decrypt_ticket_enc_part(&entry.keyblock, etype, &ticket, &et);
+
+ et.flags.forwardable = 1;
+ cred.flags.b = et.flags;
+
+ free_EncryptedData(&ticket.enc_part);
+
+ encrypt_ticket_enc_part(&entry.keyblock, etype, kvno, &et, &ticket);
+
+ krb5_data_free(&cred.ticket);
+ ASN1_MALLOC_ENCODE(Ticket, cred.ticket.data, cred.ticket.length, &ticket,
+ &size, ret);
+ check(ret);
+
+ krb5_cc_close(context, ccache);
+
+ check(krb5_cc_resolve(context, argv[2], &ccache));
+ check(krb5_cc_initialize(context, ccache, cred.client));
+
+ check(krb5_cc_store_cred(context, ccache, &cred));
+
+ free_Ticket(&ticket);
+ free_EncTicketPart(&et);
+ krb5_cc_close(context, ccache);
+ krb5_free_principal(context, mc.server);
+ krb5_free_cred_contents(context, &cred);
+ krb5_kt_free_entry(context, &entry);
+ krb5_kt_close(context, kt);
+
+ return 0;
+}
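Review bot: Neither `ASN1_MALLOC_ENCODE` call (in encrypt_ticket_enc_part() and in main()) compares the allocated length with the encoded size afterwards; only `ret` is checked. Elsewhere in this library the macro is conventionally followed by a consistency check, so a short or over-long encoding would otherwise be encrypted or stored unnoticed. After `check(ret);` in the helper, add something like `if (len != size) krb5_abortx(context, "internal ASN.1 encoder error");` (message text is a suggestion). Add the equivalent `cred.ticket.length != size` test in main().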
diff --git a/lib/krb5/test_pac.c b/lib/krb5/test_pac.c
index 983294ecf90c..70da1cb62665 100644
--- a/lib/krb5/test_pac.c
+++ b/lib/krb5/test_pac.c
@@ -157,6 +157,803 @@ static time_t authtime2 = 1225304188;
static const char *user2 = "openmsp";
+/* PAC ticket-signature test data. */
+
+static const krb5_keyblock rwdc_tgt_key = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ { 32, "\x27\x86\x34\x1d\xd3\x15\x06\x0d\x6f\xd6\x40\xfa\x03\xb1\x95\x32"
+ "\x91\x22\xe8\x6b\x0f\x47\xe0\xb5\xfe\xda\xef\x54\x98\xdc\x07\x5a" }
+};
+
+static const krb5_keyblock rwdc_tgt_pac_key = {
+ ENCTYPE_ARCFOUR_HMAC,
+ { 16, "\xb9\xf0\x39\x8d\xe9\x60\xb8\x40\x8c\x54\x0b\x61\xf9\xd2\xf1\x16" }
+};
+
+static const krb5_keyblock rodc_tgt_key = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ { 32, "\x0c\x7e\x63\x47\xc8\x70\x7f\x58\x7c\x91\x59\xba\xc9\xbf\x50\xb4"
+ "\xe2\xd6\x49\xb6\x85\xd3\xd9\xf3\x80\xba\xe9\x02\x46\x51\xab\x23" }
+};
+
+static const krb5_keyblock rodc_tgt_pac_key = {
+ ENCTYPE_ARCFOUR_HMAC,
+ { 16, "\x80\x5d\x66\xb9\x5f\x66\xd6\x80\xc3\x5a\x07\x41\xe8\x97\xcc\x66" }
+};
+
+static const krb5_keyblock server_key = {
+ ENCTYPE_ARCFOUR_HMAC,
+ { 16, "\xed\x23\x11\x20\x7a\x21\x44\x20\xbf\xc0\x8d\x36\xf7\xf6\xb2\x3e" }
+};
+
+
+static const unsigned char tgt_ticket[] =
+ "\x61\x82\x03\xe1\x30\x82\x03\xdd\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x1d\x30\x1b\xa0\x03\x02"
+ "\x01\x02\xa1\x14\x30\x12\x1b\x06\x6b\x72\x62\x74\x67\x74\x1b\x08"
+ "\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa3\x82\x03\xa9\x30\x82\x03\xa5"
+ "\xa0\x03\x02\x01\x12\xa1\x03\x02\x01\x02\xa2\x82\x03\x97\x04\x82"
+ "\x03\x93\xfb\x16\x6b\x43\xca\x54\x6a\xed\xc8\xa4\x1f\x9e\xde\x88"
+ "\xa0\xa2\xc8\x86\x50\x17\x67\xbc\x0b\x13\xb8\x00\x80\x48\x54\x77"
+ "\xb2\x4c\x5f\xff\x34\xb6\x05\xc4\xff\xdb\x68\x00\x7c\xf4\x4f\x65"
+ "\x56\x69\x1a\x2f\x32\x24\x19\xef\x0a\xf8\xcd\x22\x4a\xe9\xcc\x2b"
+ "\x65\xfb\x3a\xff\x3d\xb3\xdc\xea\x5a\x9b\xb0\x14\xd0\xa6\x1d\x7c"
+ "\x82\xa7\x18\x23\xad\xd3\x43\x6c\x23\x41\x6e\x7c\x84\x01\xc7\xd6"
+ "\x60\xdf\xbb\x19\xac\xf3\x5b\x52\xea\xd1\xdb\xa5\x49\xc6\xf1\x44"
+ "\x59\x41\x15\x78\x13\xbc\x85\x73\xba\xd7\xde\x55\xe9\x84\x30\x11"
+ "\x5e\x00\x47\xff\x01\x87\x46\xda\xe3\xb4\xe3\xef\xac\x67\xa8\x8d"
+ "\x06\xf4\x04\xa3\x15\x5f\x51\x59\xe9\xb4\x65\x00\x1f\x45\x7c\x2a"
+ "\xcf\x17\x78\x75\xad\xc8\x65\x92\xe7\x20\x89\x41\x43\x5e\x08\x1d"
+ "\xc9\x4b\xa1\x57\x26\x7f\x9a\x64\xc7\xe3\x90\xbf\xa8\x9f\x86\x89"
+ "\xbf\x37\xd0\x1a\x9c\xe7\x32\xbb\x9f\x8d\x38\xfd\xe8\xf4\x88\x54"
+ "\x3d\xe7\xd0\xfb\x73\x1a\x97\xee\xa5\x32\x67\x62\x4d\x1c\x28\x85"
+ "\x01\x4f\x76\x4c\xf6\xe5\x73\x93\x0e\xd8\x0a\xf1\x6f\xf0\x8c\xbf"
+ "\x65\x80\x87\xd1\xe8\xbc\xc5\x8f\x03\xb8\xfe\x7e\xd6\xde\x80\xa5"
+ "\x27\x8c\x26\x14\x66\xf3\xd2\x4d\x51\x51\xe7\x47\xac\xa5\x93\xd7"
+ "\x01\x5b\x6b\xca\x6c\xd5\x19\x7b\xad\x97\xf2\xa6\x18\x0e\xe3\xea"
+ "\x5e\x81\xe4\xd7\xf5\xb0\xca\x0f\x04\x13\xc4\xed\x5b\x0c\xb2\xc4"
+ "\x5e\xd3\xc2\xb6\x0f\x0a\x76\x8a\x7d\x1c\x79\x62\xb5\x68\x47\x33"
+ "\x5e\x28\x3a\xd6\x78\x89\xb3\xbd\x34\x72\x7f\xe1\x8e\x5e\xa9\x89"
+ "\xfe\xc5\xba\x5f\x76\x00\x27\x29\x88\x79\xb4\x42\x33\xe7\x4c\xce"
+ "\x47\x39\xac\xfa\x8e\x93\x7a\x92\x7f\xbd\x91\xc8\xff\xe4\x7b\x04"
+ "\xe8\xf7\x29\x3b\xb4\x41\xb9\xe0\x61\x14\x2a\xc9\x5b\x02\xc2\x01"
+ "\x6f\x61\xa8\x1a\x5e\x2d\x0b\x3f\xc3\x1d\x6a\xb0\x9e\xf1\x41\xaf"
+ "\xc6\xe0\x11\xb3\x47\xb2\x43\x42\xb4\x6e\xdb\x16\x41\x6a\x7b\x53"
+ "\x97\x01\x7f\x3e\x9d\x47\x27\x14\x29\x7d\xc7\xa5\x40\xaf\x77\xcb"
+ "\xc9\x3e\x2e\x1f\xa3\xc8\x69\x98\xf7\xb2\x18\xa7\xcf\x45\x87\xba"
+ "\x48\x0b\xb8\x03\x10\x46\x2d\x95\x59\x5b\x9e\xe3\xe4\x20\x08\x80"
+ "\x97\x39\x16\x0c\x34\x27\x35\xd3\xd9\x71\x7b\xc2\x7d\x16\x36\xad"
+ "\xa0\x95\x12\x49\x5a\x3b\xea\xcf\x85\x75\x9e\xa4\x96\x51\x6c\x34"
+ "\x60\xd5\x3a\x9d\x60\x80\x53\x71\xac\x21\xfe\xea\xb3\xc5\x74\x65"
+ "\x7b\x98\xb6\x63\x58\xb7\xc9\x0c\x80\xad\x54\x9b\x1c\xdf\x84\xf9"
+ "\x97\xac\x73\x72\x4f\xbe\x10\x72\x6a\xec\x36\xfc\x7c\x98\xc6\x98"
+ "\x81\xde\xab\x2b\x8a\x68\x17\xd6\xb0\xac\xfd\xed\x5d\x67\xd3\x5a"
+ "\xbe\x7e\x88\x63\x5f\xc3\x1f\xf7\x04\xd9\xcd\x0a\xc7\x70\x83\x93"
+ "\x60\x86\x0c\x08\x21\xbb\x2f\x29\x28\xaf\x3f\x93\x24\x5f\x3a\x1d"
+ "\xf3\x81\x95\xb4\xef\xd6\x8c\x79\xdf\xf7\x9d\x4a\x0a\x49\xa7\x46"
+ "\xcd\x05\x30\x6e\x92\xa2\x26\x23\x8e\xf3\xe1\x38\x41\x63\x2f\xe6"
+ "\xd1\x59\x99\x8d\x7a\x8c\x4d\x57\x19\x5c\xee\x75\x7a\xd8\x0a\x53"
+ "\x43\xb0\x92\x01\x4a\xf7\xc4\x54\x8e\xe8\xc6\x43\x0b\x43\x9a\xa3"
+ "\xfd\x5c\x0c\x47\x52\xdf\xc6\x47\xa0\x14\xef\x45\xcf\xdf\xb7\x04"
+ "\xca\x3e\x5d\x8b\x32\x9b\x81\xa3\x8b\x9d\x7c\x0f\x11\x13\xf1\x0d"
+ "\xc0\xd0\xe2\xc1\xf7\x65\x03\xe0\x50\x6c\xbb\x3c\xd2\xc1\xad\x15"
+ "\xa3\xcd\x24\x85\xc0\x94\x54\x12\x2d\x63\x01\x47\x8b\x51\xee\xd1"
+ "\x46\xc0\x47\xcf\xce\xa1\x81\x5a\x5c\xe6\x59\x99\xb1\xaf\x80\x05"
+ "\xc3\x22\x69\xb3\x19\xec\x0e\xdd\x72\x0a\xcb\xf5\x4e\x90\x65\x41"
+ "\x68\x46\x8e\xab\xb3\xcc\xb6\xe2\xbd\xbf\xc0\x04\x12\x35\x84\xe5"
+ "\xef\xa5\x7f\x98\x8e\x0d\xac\x92\xae\x8f\x9c\x41\xce\x41\xb5\xcc"
+ "\x59\x00\xa5\x2c\x71\xe3\xdd\x25\x29\xd2\xac\x0f\x9b\x23\xbd\x1e"
+ "\x25\xe5\x06\xbd\x43\x46\x46\x4f\x81\x08\x1f\x57\xa9\x93\x24\xe4"
+ "\x83\x42\x13\x00\xce\x95\xdb\xde\x95\xc5\x8c\xd8\x29\x4e\x43\xb2"
+ "\x64\xe6\x6c\x0e\x40\x86\x35\xef\xac\x5b\x15\x92\xfb\x3c\xf0\x94"
+ "\xd8\x1f\xf9\x90\x8a\xd2\xa8\x4a\x1d\x77\x57\x4c\x65\xb3\x4f\xe4"
+ "\x03\x13\x3d\x52\x8b\xe4\x9e\x98\x53\xf1\xad\xc1\x2a\x3c\xda\x4f"
+ "\x24\xbf\x24\xb2\xb7\x34\xc7\xde\xfb\xe6\xe9\x82\x05\x07\x25\xd9"
+ "\x8e\xea\xd8\xb7\x0d\x1d\x0d\xf1\x0c\x99\x1a\x6a\xa7\xe7\x27\x49"
+ "\x26\x2a\x75\xd5\x84";
+
+static const unsigned char service_ticket[] =
+ "\x61\x82\x03\xf3\x30\x82\x03\xef\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x13\x30\x11\xa0\x03\x02"
+ "\x01\x01\xa1\x0a\x30\x08\x1b\x06\x61\x70\x61\x63\x68\x65\xa3\x82"
+ "\x03\xc5\x30\x82\x03\xc1\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02"
+ "\xa2\x82\x03\xb3\x04\x82\x03\xaf\x7e\x88\x85\x77\x22\x5e\x30\x7a"
+ "\xaf\x63\xc4\x2b\xc1\xae\x88\x87\x27\x65\x0e\x1e\xa7\x94\x67\xf9"
+ "\x9d\x49\x5b\x6b\xba\xfb\x51\x04\xc4\xe8\x44\xc9\xdf\x8d\x8d\x58"
+ "\x61\xdb\x1e\x82\x98\xc7\x68\x9e\x81\xf0\xc4\x88\x87\xd6\xf5\x7b"
+ "\x44\x8e\x4a\x65\x4f\x37\x49\x8a\x81\x67\x00\x7e\xf3\x7e\x75\x9d"
+ "\x61\x18\x6d\x6f\x21\x73\xe3\xab\xe2\x86\xc0\xf1\x8b\x9f\x25\xc2"
+ "\xdc\xc4\x65\xeb\xba\x24\x3d\x2d\x5a\x9b\xbe\xc1\x24\x8c\xf1\x78"
+ "\xfc\xf9\xca\x14\x8e\xd4\xe3\xb3\x54\x87\xce\x97\x0c\x7b\x11\x2e"
+ "\x38\x30\xed\x8c\x41\x28\x90\x5b\xc6\x3d\xba\x29\x7b\x11\xfa\x85"
+ "\x54\x13\xab\x22\xe9\x52\xdd\xad\x5a\xdc\xa7\xca\x4f\x19\x49\x81"
+ "\x53\x09\x10\xca\x6b\x1a\x44\x13\xe6\x88\xec\x14\xd2\x15\x5a\x65"
+ "\x8a\xef\x55\x6a\xb1\xda\xc4\xe6\x0d\xc8\x2d\x8b\x0c\x00\x71\x6a"
+ "\x7b\x06\x34\xe0\x93\xa4\x5d\x5b\xa9\x43\x65\x42\xc5\x13\x64\xee"
+ "\x51\xd3\xd9\xc8\x3d\x52\xe2\xba\xb2\x81\xe6\x86\x25\x6f\xa6\x22"
+ "\x25\x97\xbb\xf1\xe4\x6e\xe1\x9a\xfa\xa4\xa0\x8b\xd6\x7b\x4a\x8a"
+ "\x62\x3d\x21\x1c\x08\x16\x8d\x29\x58\x7e\xfd\x43\x48\xba\xd7\x19"
+ "\x7c\xdd\x57\xe4\x8f\x94\x6e\x97\xed\x8d\xf2\x68\xe4\x89\xde\xc3"
+ "\xed\xa6\x7b\xcd\xff\x0c\xcf\xac\xad\xfa\x54\x89\xfc\xd0\x94\xd9"
+ "\x48\x25\x61\x71\x89\x32\xb8\xdb\xf9\xfb\xb9\xf4\x8b\x7e\x9c\x95"
+ "\x5d\xa3\x03\x13\xaa\x50\x28\xfa\x0b\x54\x5e\x0a\x3a\xb6\x4e\x58"
+ "\xee\x3f\xbc\xd2\x23\x81\x82\x82\xab\xef\x6a\xf8\x10\x56\x0e\x43"
+ "\xc2\x4a\x30\xa9\x17\x1a\x46\xb2\xdd\xcf\x7d\x20\x46\x0e\xc8\xff"
+ "\x54\xf5\xa1\xa1\x43\x8b\x02\x00\x0c\x31\xbb\x66\xcd\x17\xf0\x12"
+ "\x83\x39\x6c\xcf\x9c\xe9\x68\x26\x68\x86\xd4\xa4\xe6\x33\xa1\xdb"
+ "\x74\x1d\x56\x1c\x2b\xff\x5e\xdd\xe7\xdd\x3a\x3e\x3a\x13\xbf\x36"
+ "\x5a\x3f\x0d\x21\x9d\x9c\xd5\x20\x13\x1d\x86\xb4\xb2\xa5\x34\xa2"
+ "\x0b\x9a\x0c\xa0\xac\x92\x9b\x02\xf2\x68\x19\x9e\x1c\x66\x40\x29"
+ "\x81\x13\xf3\x06\x49\xa4\xf5\xd9\xe9\xd1\x2f\x89\xac\x1d\x20\x9e"
+ "\xb1\x2e\xf3\xde\x09\x7c\xf4\xe6\x2b\x61\x3f\x35\x0f\x83\xa9\x24"
+ "\xd3\xbd\x14\x0f\x48\xcb\xe4\x98\x02\x7c\x83\x1b\x61\x59\x34\x7d"
+ "\x32\x59\xbc\xb8\xe2\xb3\x99\x80\x75\x4b\x4b\xb5\x2b\x6d\x07\x66"
+ "\x3c\x8a\xbc\x6d\x61\x6e\xcb\x12\x53\xe2\x07\x38\x4e\x2f\xdb\xe0"
+ "\x15\x4c\x8b\xdb\x7e\xeb\x61\x96\xfb\x4f\x3d\x5f\xbe\xdb\x34\xb0"
+ "\x73\x7a\xe6\x10\x8a\xe7\x37\xa3\x15\x68\x44\x85\xc2\xc1\x4f\x3e"
+ "\x4c\xc8\x51\x54\x2c\x7d\x50\x86\xf2\xbd\x19\x63\x51\x4c\xb4\xd4"
+ "\x29\x6a\x03\xae\x38\x77\x25\xbc\x15\xba\xa8\x65\x29\x29\xdd\xb1"
+ "\xaa\xe8\x9a\xbf\x4c\x15\xcf\x13\x11\x0b\x86\x5c\x44\xca\x82\x49"
+ "\x8c\x1b\x77\x28\x36\x87\xf9\xad\x6d\xe0\x05\x0f\x93\x00\x1f\xaf"
+ "\xe4\xe9\x5a\x8f\x61\x41\x46\x2f\x52\x4d\x16\x4f\x9c\xca\x94\xff"
+ "\x19\x2e\xa5\x65\x09\x4f\x58\xfb\x4b\xbe\x89\xb3\x1a\x3b\x9b\xe4"
+ "\xb9\x7b\x58\xcd\xa3\x73\x41\xe0\xcb\xbd\xce\x97\x87\x1f\x60\xc8"
+ "\xbb\x8c\xe9\xd7\x4f\x9a\x2d\xb5\xd4\x73\x4e\x25\xf3\x36\xbc\x3f"
+ "\x81\x23\x82\x1e\xde\xbe\x9b\x35\x67\x99\x9f\x9c\x02\x9c\x75\x0c"
+ "\xed\xb1\xcb\x82\x7f\xf5\x31\x66\x76\x01\x5a\x61\x3c\xa4\xe9\xae"
+ "\x1a\xc1\x3f\x35\x7d\xd4\x41\xdb\x7f\xd2\xc5\x5f\xbe\x8c\x13\xa6"
+ "\x1a\xd3\x2e\xf6\x0f\x91\xd5\x20\xd5\x36\x57\xa8\x40\x17\x3b\x49"
+ "\xf6\xe5\x55\x04\xcf\xf3\x72\x3d\xa6\x99\x3a\x40\x49\xdf\x5a\x69"
+ "\xfb\x35\x43\x3a\x49\x8e\xb9\x6d\x1b\xd3\xb9\x6a\xcb\xcd\x6c\xda"
+ "\x68\x3f\xc1\xd4\x0e\xdb\x7a\xd5\x05\x77\xac\xc2\x95\xf4\x7c\x83"
+ "\x3c\xaf\x55\x9f\x29\x52\xee\xe4\x34\x2d\x4c\x5f\xfa\x76\x0a\xe2"
+ "\x8e\xe3\xb7\x12\x37\x79\x9e\xfb\xe2\xaf\x3f\xbc\x2a\x2e\x35\x79"
+ "\xd4\x65\x05\x88\xb7\x1d\xc6\xf8\x89\xe7\xe9\xa1\xe0\xf0\x18\x3a"
+ "\xd4\x06\x47\x22\xf2\xb7\xbf\x67\x41\x24\xaf\x19\x85\x32\xf5\x91"
+ "\x8a\x16\xd8\x99\xd5\x27\x0e\x08\xfd\x07\x42\xdd\xd9\x41\xd7\x1c"
+ "\x7e\x64\x09\x9b\xe7\x51\xff\x02\x37\x32\x12\x6d\x60\x3f\x36\x25"
+ "\xd0\x53\xd8\xbd\x22\x6f\x2c\xec\x7c\xe4\x65\x7b\xd4\xcc\xce\xc4"
+ "\x8d\xee\x53\x48\x26\x8c\x97\x18\x0a\x06\x62\xaf\x31\x0c\x85\xc8"
+ "\x27\x11\xb3\x18\x9b\x24\x57\x38\x20\xf6\xe5\x42\x72\x1c\x3c\xfb"
+ "\xce\xd4\x26\x65\x92\x21\x49\x0b\x5d\x62\x72\xeb\xb3\x53\x89\x55"
+ "\xb6\x81\xef\xfd\xd2\xb6\xed";
+
+static const unsigned char s4u2self_ticket[] =
+ "\x61\x82\x03\xf2\x30\x82\x03\xee\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x13\x30\x11\xa0\x03\x02"
+ "\x01\x01\xa1\x0a\x30\x08\x1b\x06\x61\x70\x61\x63\x68\x65\xa3\x82"
+ "\x03\xc4\x30\x82\x03\xc0\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02"
+ "\xa2\x82\x03\xb2\x04\x82\x03\xae\x41\x12\xbe\x9e\x19\x0b\x27\xfe"
+ "\x38\xd3\x9b\x98\x8d\xcf\xc4\xe5\x34\x43\x64\x4a\x96\x00\x12\x52"
+ "\x92\x24\xcc\x8a\xe2\x80\x2a\x9e\xc1\x67\x6d\xd2\x77\x41\xe3\xc3"
+ "\xb7\xde\xf9\xdf\x8f\xdb\xe8\xd6\x78\x84\x83\xa0\x99\x2a\xbb\x24"
+ "\x25\x9d\x3a\x4d\xb0\x89\xe8\xa7\x67\xbe\x4e\x7b\xd4\x20\xad\xa6"
+ "\xb5\xa2\xab\xf4\x07\xf9\x14\x2e\x08\xc5\xa8\x43\xc2\xaf\x24\x53"
+ "\xb3\xaf\x7b\x83\xb5\xd1\xca\x8a\x99\x83\x14\x08\x37\x1f\x20\x03"
+ "\xfc\xd4\xb4\xce\xb3\x9a\xc1\xbd\x31\x54\x21\xb6\xbe\x7c\x82\xbc"
+ "\x30\x61\x0d\x9a\x10\x90\x00\x69\xee\xd5\xd3\xf6\x7c\xfa\x70\xa7"
+ "\xd4\xa1\xe6\xbd\x0b\xb1\xe2\xcc\x4e\xc6\x53\xc7\x89\x39\x57\x63"
+ "\xca\xfb\x4f\x0d\x73\xf7\x2a\xda\x94\x40\xdd\x0a\xd6\x00\x14\xc2"
+ "\x7b\x5f\xda\x27\x7c\x95\x32\xab\xcf\xd1\xac\xd0\xfc\x4a\xb4\x82"
+ "\x80\x5f\x56\xa5\xac\xb9\xb4\xc8\xb9\x08\x0a\x52\x9b\x2e\x80\xf4"
+ "\x9d\x85\x73\x09\xb1\x9a\xd6\x50\x59\x47\x0f\x8f\x72\xd5\x91\x76"
+ "\x89\xba\x49\xe3\x5e\x76\x07\x84\x8b\xf2\xc0\x57\xd4\xd2\x31\xfe"
+ "\xfd\xa3\xcd\x96\x5a\xbe\x19\x18\x97\x8e\xbf\x18\x1b\xdf\xf9\x78"
+ "\x5b\xac\x3c\x1f\xff\x4c\x64\xef\x1d\x5e\x69\x04\xcf\x68\xf6\x97"
+ "\xc4\xff\x16\x8e\xb2\x22\xf3\xc5\x84\x67\x41\x04\xce\x72\xdd\x76"
+ "\x65\x2e\xee\x84\xfb\x85\x83\x4b\x41\xdf\x24\x1e\xc7\x31\xf0\xc4"
+ "\xf1\xf7\x83\xfe\x46\x6d\x6f\x45\xf6\xb4\x40\xbb\x2f\x09\xf7\xe2"
+ "\x6f\x19\xd3\x3e\xa6\x94\x76\x46\x6b\x78\x43\x08\x4c\xfc\x15\xc2"
+ "\x4d\xef\x12\xe0\x38\x6a\xdb\x49\x7a\x71\x6c\xeb\xe3\xdf\xe7\x57"
+ "\x25\x23\x09\x4d\x74\xac\x93\x95\x8a\x6c\x01\x70\x0a\xb7\x42\xee"
+ "\xf5\x5c\x65\x64\xc6\xd7\x3e\x57\x7e\x0f\x9b\xdd\xf0\xfb\xdb\x92"
+ "\xa6\x1c\x75\x18\x88\x29\x03\xf9\x58\xf0\xd0\xc2\x91\x9c\xf6\x58"
+ "\x4e\x15\xe1\xab\x46\x1e\x23\x7c\xdc\xa5\xdd\xaf\x59\xae\x22\xbb"
+ "\xc3\x6d\x02\x0f\x02\x9e\x4a\xc1\x6d\x55\x4b\x35\x69\xd5\xaa\x92"
+ "\x61\xef\x0d\x50\x42\x49\xc0\xb5\x9d\x57\x3f\x50\x4d\xc2\x17\xda"
+ "\xc4\x43\xd1\x1f\x8c\x77\x4c\xa1\x37\x5c\x39\xe7\x51\x7e\x52\x68"
+ "\x0f\x6d\x8e\x1e\xb7\x81\x14\xc1\x11\x17\xa9\x37\x75\x48\x72\x35"
+ "\xca\xeb\xcb\x0d\x84\xbb\xf1\x08\x79\xde\x31\x00\x7f\x54\xc8\xbc"
+ "\x38\x1f\x2c\x56\x3b\xfc\x9d\x8a\xbc\x2d\x72\x8b\x32\x29\xf7\x52"
+ "\x96\x60\x34\x70\x13\x6f\x5a\x98\x7f\x69\xdc\x00\x21\x4c\x9d\x21"
+ "\x52\xd9\x71\xa3\xc6\xea\xd9\xdb\xeb\xd5\x78\xe5\x8f\x5e\x1d\xa8"
+ "\xa6\x0a\x58\x9c\xc9\x45\xc0\xb6\xb1\xe5\xfb\x49\xd2\x71\x41\x52"
+ "\xae\x52\x84\xd6\x90\x1e\x9a\xc2\xdb\x5b\xf8\x18\xf8\x47\x25\x70"
+ "\x1b\x07\x64\x8c\x4a\x94\xb0\x52\x50\xf0\x99\x3b\x0d\x11\x33\xb9"
+ "\xd6\xdf\x43\xfe\x34\x92\x3f\xa9\x1c\x9e\xfc\x89\x11\xdb\xe5\x15"
+ "\xae\x74\xd2\x1b\xd0\x42\x5a\x19\x0c\x03\x8e\x09\x16\xd2\xcf\xe8"
+ "\xd5\x02\xa4\x58\xe3\xca\xef\xe3\xa5\x36\x4f\x79\x6e\xc2\x57\x7f"
+ "\x97\xcf\x87\xec\x10\x57\x35\x15\xd8\x67\x4c\xaf\x2c\x6b\x50\x04"
+ "\xd6\xf7\x5f\x83\x1a\x4d\xfe\x44\x67\x60\x3f\x98\xfe\xa5\xd0\x56"
+ "\xf1\x46\x1e\xa0\x38\x21\x62\x0e\xce\xd5\x9a\x41\x4b\xb1\x9a\x7d"
+ "\xfe\x7d\x2d\x88\x16\x82\x73\x27\x4d\x9f\xad\x06\x1e\x93\x0f\xe7"
+ "\xd0\x98\xc5\x2e\xd8\xfc\x97\x4c\xed\x3b\x89\x94\xf4\x71\x88\x9f"
+ "\xc6\x5a\x73\x6e\x00\x4a\xd4\x99\xe2\x87\x32\x62\x03\x20\x73\xe3"
+ "\xba\xcc\x5d\x35\xa8\x20\x10\xb8\x60\xff\xed\x8c\x44\x21\x31\x1a"
+ "\x41\xb1\x3b\xa3\x44\x15\x45\x99\xa2\x89\x47\xd1\x80\xfd\xee\xc7"
+ "\xe8\xa2\xaa\xb3\x90\x2b\x04\x3c\x78\xf9\xcd\x0a\x90\xd5\x46\x28"
+ "\x52\x62\xbb\x08\x46\x19\x82\xb6\xe6\x2d\x3e\x04\x95\xd5\x0e\x7e"
+ "\xb3\x5f\x0e\x30\xbe\xf0\xdb\x36\x15\x69\xd5\x2d\x38\x95\x17\x27"
+ "\x2b\xa3\xc8\x68\x00\x55\xde\x2e\xd6\x07\xb4\x7a\x89\x1c\xe7\xc2"
+ "\x3c\xc4\x57\x9f\x45\xea\x77\xaf\xd8\xf1\xbe\x2a\x05\x46\x04\x51"
+ "\x83\x21\xa7\x1a\xa8\x23\x2f\x62\xa9\x67\xe6\xf3\xab\x47\xb9\xa6"
+ "\xec\x98\x7c\x7b\xd3\x42\x5d\x73\x37\xab\x46\x75\x2b\x33\xda\xf8"
+ "\xad\x2c\x62\x36\x2a\x91\x8f\x2c\x12\x4d\x00\xd5\x02\x98\x58\xfe"
+ "\xd2\x3d\x38\xc1\xe0\x2d\xeb\x7f\x22\xe6\x12\x72\xcd\xc7\x4b\xac"
+ "\x6d\x70\xc1\xcc\xda\x6d\xf1\x21\x44\xb4\x92\xec\xce\xd7\x6a\xde"
+ "\xea\x62\x63\xa9\x15\xe8\xf3\xea\xc6\xc8\x26\x39\xef\xa0\x76\x66"
+ "\x54\x45\xb6\xdd\x4b\xff";
+
+static const unsigned char s4u2proxy_ticket[] =
+ "\x61\x82\x04\x9f\x30\x82\x04\x9b\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x20\x30\x1e\xa0\x03\x02"
+ "\x01\x03\xa1\x17\x30\x15\x1b\x03\x73\x71\x6c\x1b\x0e\x6d\x79\x73"
+ "\x71\x6c\x2e\x61\x63\x6d\x65\x2e\x63\x6f\x6d\xa3\x82\x04\x64\x30"
+ "\x82\x04\x60\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02\xa2\x82\x04"
+ "\x52\x04\x82\x04\x4e\xaa\x63\x2e\xe0\x3a\x24\xed\x98\x29\x42\xa4"
+ "\x17\x2b\x4a\x17\x1d\xea\x46\x2a\xc9\xeb\x10\xeb\x02\xe3\xa2\x40"
+ "\xf5\x79\xaa\x1c\x83\x20\xe0\x24\x9b\x6f\x06\xc4\x31\x82\xc8\x52"
+ "\xdb\x9a\x04\x36\xff\x5c\x7a\xa5\xfe\x5c\xf3\x40\xcf\x7c\x31\x0f"
+ "\xda\x2a\x20\xa1\x7e\xdb\xf4\x05\x54\xcb\x51\xa0\x54\x25\xc8\x9f"
+ "\x4d\x23\x0a\xef\x56\x4e\xa0\xdf\xf5\x0b\xce\x75\x93\x5b\xf9\xe5"
+ "\x3a\xdf\x08\x3f\xce\x1c\x75\x6b\x4f\x38\x1a\x90\x4c\x3e\x99\x49"
+ "\x6c\x7a\x55\xf5\xdd\x59\x64\xab\x43\xfd\x3f\x45\x5a\xd3\x0f\x4f"
+ "\x37\x44\x03\x42\x0e\x83\xac\xf9\x04\x83\x43\xfc\x60\xc3\x1b\xc4"
+ "\xc0\x2a\x6c\x6e\x65\xf4\x8f\x2d\x52\x1f\x18\xbe\x09\x17\x10\x1d"
+ "\xd4\xc7\xe6\xa9\x9f\x70\x90\x65\x8a\x30\x63\x26\xfd\xb4\x63\xd0"
+ "\xaa\x3d\x80\x03\x79\x74\xc7\x5d\xe8\x50\x9e\x1b\x0a\xa7\x69\x62"
+ "\x91\xda\xcb\x80\xe8\xa3\x0d\xd8\xef\x05\x46\x2a\xb8\x14\x6f\x45"
+ "\x4e\xa6\x76\x28\x1b\xbe\x50\x0b\x5b\xf9\xe1\x61\x66\x5b\xe8\xb7"
+ "\xa1\x9c\xea\x2a\x8b\x28\x63\x8e\x20\x41\xaa\xdc\xca\x61\xa9\x1f"
+ "\x1b\xf1\xf3\x39\x47\xdf\x1f\xc3\x0d\xdd\xe7\x40\xb1\x8d\xbf\x28"
+ "\x22\xd4\x5d\x82\x63\x80\xc6\x75\x45\xa3\xe2\x79\x71\xa9\x5d\x9a"
+ "\x29\xa4\xc5\x3d\x1a\x56\x99\x2a\x3f\x4c\x97\x02\x85\xd8\x21\x15"
+ "\xd7\xaa\x8c\x6e\xa9\x0f\xb8\xa7\x1b\x43\xa4\xb5\xf0\xab\x2f\x77"
+ "\xa0\xa9\x23\xb2\x81\xf4\x0d\x02\x0e\x17\xa5\xb7\xa6\x54\xc6\x3b"
+ "\x12\xd9\x2e\x30\xdc\xb7\x84\x46\x9b\x28\x89\x15\x48\xd0\xe4\x44"
+ "\xd5\x22\x67\x3e\x58\x96\xcf\xd1\x0f\x5e\xd1\x5c\xa5\xdd\x5a\x60"
+ "\xf2\xf9\x36\xad\xe0\x39\x2a\x56\x98\x71\x37\x67\xca\x3a\xc4\x7f"
+ "\xda\x43\x22\x7b\xe9\xf3\x8c\x0d\x31\x9e\xc3\x8d\xf8\x49\xf1\x81"
+ "\xe0\xb3\x4d\x47\xfa\x91\xdd\x46\xfb\x03\x84\x13\x37\x9c\x12\x0c"
+ "\x80\x4f\x01\xc6\x19\x62\x0e\xba\x94\x0d\x89\x24\x0c\x14\xbe\x0f"
+ "\x06\xc2\x8d\x54\xfb\x84\x64\xa2\x57\x9e\x85\x54\x98\xad\x25\x2c"
+ "\xa0\x73\x39\x14\x47\xf4\xa6\x1d\xf8\x1e\x94\x4c\x2e\x0f\xd6\x33"
+ "\xa6\x1b\x58\x7a\xc1\x29\x8d\xc8\x7e\x79\xb7\x44\x92\x8a\xf3\x69"
+ "\x37\x34\x74\xe6\x29\xf7\x38\xb1\xb5\xad\x4a\x2a\x56\x86\xa5\xc5"
+ "\x65\xcf\x0b\x9b\x2a\x54\x31\x1d\xad\xc0\xac\xd0\xf3\xaf\x41\x9a"
+ "\x4c\x5b\x42\x2c\x4c\x38\x72\xa4\x74\xcb\xfb\x77\xe1\xc7\x08\xba"
+ "\x72\xc1\x8e\xa7\x60\xeb\x6a\x63\xeb\x75\x0f\xe6\xd0\x82\x43\xa3"
+ "\x49\x7c\x74\xac\x50\xbb\x30\xf8\x59\x31\xa6\xcf\xaf\xc9\x08\x1c"
+ "\x21\x6d\x42\xa6\x84\x7a\xc9\x3e\x1d\x65\xc8\x8a\x6f\x28\xaa\x54"
+ "\x0a\x87\xed\x09\xa4\x90\xe1\x4a\xda\x71\x9c\x3d\x06\x82\x86\xf6"
+ "\xc9\x0d\xe6\xcd\xdc\xe7\xe8\x9f\x07\x4b\x6b\xf3\x50\x30\xee\xdb"
+ "\xd6\x7c\x97\xa5\x53\x09\x91\xa8\xc1\x06\xed\xc2\x30\xd5\x66\x07"
+ "\x5c\x1c\xb2\x04\x81\x09\x9f\x7c\xdf\x47\xc7\xfa\x04\x4d\x73\xbd"
+ "\x1a\x28\x8c\x83\x2a\x4b\xcd\xcc\x93\x41\xc9\x9f\x05\x7a\xb6\xff"
+ "\x98\x58\xa4\x11\xf1\x3d\xca\x94\x71\xb6\x0e\x6e\xeb\x30\x3c\xfc"
+ "\x5a\xf6\x0e\x0b\x1a\x0a\x3d\xd0\x9a\x08\xd4\x43\xaf\x06\xbe\x8f"
+ "\xc0\xf2\xfb\xe7\x94\xa0\x5d\x9c\x44\x7f\xca\xbd\x1e\x83\xf8\x22"
+ "\xe8\x6e\x7f\xd4\xc6\xaa\x8a\x45\x76\x37\xf7\x45\xdb\xcb\x20\xa9"
+ "\xcc\x74\x62\x52\xe2\x88\xbf\x95\x4d\xe8\x1e\xac\x30\xfa\x9c\x1e"
+ "\xe7\xe6\xeb\x18\x75\xe3\x0f\xb8\xfc\xbf\x6c\x6f\x59\x51\xd4\x38"
+ "\xb0\xab\x85\x73\x16\x51\x5d\x27\x94\x83\x03\xd2\x86\x28\x99\xa1"
+ "\x8c\x04\x4c\xfb\x21\x79\x7b\x95\x96\x21\x47\x81\xc9\xba\xef\x13"
+ "\x18\xd6\x8f\xa9\xf4\x89\x25\x5b\xa4\xae\xbc\x6a\x59\x1e\x7b\x15"
+ "\xc9\xa5\xc8\x8a\x8c\x35\xec\xee\xe2\x8a\x0e\x1b\x8e\xaf\x4b\x51"
+ "\x9e\x66\xe7\x94\x56\xf6\x37\x93\x22\x5d\xe3\x9e\x33\x5e\xb4\x74"
+ "\xf1\x69\xe3\x93\xc3\xe8\xc7\x61\x09\x6a\xc1\xb7\x42\xcc\x3b\x5b"
+ "\x24\x40\x28\xf7\x9b\xef\x5c\x98\xb9\xe7\x2c\x01\xed\x99\x66\xa7"
+ "\x06\xeb\x08\x89\xd6\x5e\xce\x85\x08\x1a\x90\xc4\x92\x40\x53\xc5"
+ "\x53\x8b\xcb\x1a\xe9\x30\x8c\x48\xdb\x66\xc3\x98\x24\x1d\x5f\xee"
+ "\x6c\x2c\xc1\x3e\xcd\xcd\xb9\x1a\x5d\x8d\xb9\x64\xd9\x4c\x33\x83"
+ "\xa4\xa5\x08\x0a\xe3\x73\x0c\xe9\xd9\x6f\xb8\x78\x9a\x46\xdf\x6f"
+ "\x7f\x9f\x38\x69\x4b\x44\x00\x7e\x5b\xee\xf6\x2b\xba\xdd\xf7\x8a"
+ "\x0e\xa3\xff\xfc\x09\x5a\xd0\x44\x7e\x58\x2f\xfa\xe9\x1d\x1d\xc8"
+ "\x39\xc7\x2c\x62\xff\xf5\x22\xca\x8d\xae\xfd\x86\xef\x3b\x8f\xac"
+ "\x1b\x11\xb8\x6a\x4e\xf9\x6a\x93\xb1\xda\x8d\x80\xb9\xfa\xca\x52"
+ "\x0d\x4a\x45\xf1\x43\x5b\xca\x74\x1f\x94\xe6\x2a\x83\x2f\x76\x8c"
+ "\x70\x00\xcf\xa5\x95\x3c\x31\x10\x75\xd2\x75\xf8\x83\x09\x58\x11"
+ "\xff\xf9\x82\x32\x26\xad\x72\x85\x13\x64\x6e\xf6\xc1\x71\x55\xe3"
+ "\x51\x98\xda\x03\x76\xf0\x5b\x5f\xbe\x5c\xf3\x12\xe5\x6f\x03\xc4"
+ "\x36\x84\x66\xb7\xf8\xd5\xb9\x99\xeb\x66\x84\xbc\xf2\x78\x23\x87"
+ "\xb2\xa5\x64\xc4\x4a\xa1\x30\x93\x7f\x3a\x48\xe1\xad\xc0\x14\xc2"
+ "\x28\x14\x77\x7f\x23\xc7\xa8\xa2\x6c\xab\xd4\x74\xdf\xb1\x42\x84"
+ "\xa7\x11\x73\xef\x2d\xf6\x7a\xfb\xe1\xe6\xdb\xac\x57\x3b\xc7\xba"
+ "\x8c\x83\x19";
+
+static const unsigned char tgt_rodc[] =
+ "\x61\x82\x03\xe4\x30\x82\x03\xe0\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x1d\x30\x1b\xa0\x03\x02"
+ "\x01\x02\xa1\x14\x30\x12\x1b\x06\x6b\x72\x62\x74\x67\x74\x1b\x08"
+ "\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa3\x82\x03\xac\x30\x82\x03\xa8"
+ "\xa0\x03\x02\x01\x12\xa1\x06\x02\x04\xb6\x51\x00\x01\xa2\x82\x03"
+ "\x97\x04\x82\x03\x93\xe2\x97\x36\xa2\x9f\x18\x79\x44\x87\xbf\xc8"
+ "\x27\x59\x40\xd1\x9d\x3b\x3d\x1d\x8b\xc8\x86\xfb\xc5\x4a\xf8\x27"
+ "\x5b\xee\x59\xcc\x3a\xcd\x2f\x0d\xb3\x9f\xb7\x87\xe2\x83\xdb\x36"
+ "\xee\xa0\x1c\xdb\x91\x9b\xe1\x50\x3e\xaa\x3d\xea\xae\x93\x65\xdf"
+ "\xb3\x23\xfb\xa6\x00\xaf\x55\x49\xf5\x6e\xd9\x2c\xc1\x61\x97\x37"
+ "\x19\x83\xe6\x60\xd8\x46\x2d\xdb\x0c\xc4\x55\x2e\x0a\x52\x0d\x64"
+ "\xb4\x80\xa9\x3d\x37\xb6\xed\x06\xdc\x32\xfd\x6a\x40\x20\xc4\x69"
+ "\x59\xf5\x80\x9c\x7f\x7a\x68\x88\x1c\x67\x37\x52\x85\x1a\x2f\x01"
+ "\xf8\x46\xd7\x7a\x24\xfb\x14\x31\xa8\x23\xd0\xac\x13\x85\x1c\xef"
+ "\xb1\xe4\x26\x20\x4f\x0c\xbb\xcc\xbb\x86\x40\xb3\x2e\x76\x25\x26"
+ "\x2e\x0f\x33\xec\xca\xac\x32\xa2\x35\x98\x1a\x9d\x34\x30\xe8\xaa"
+ "\x85\x8c\xa0\x0a\xf6\xe9\x60\x4f\x59\x20\xed\x51\x9d\xcf\xb4\xc1"
+ "\xdf\x1e\x8f\x91\x3e\xe2\x32\x9f\x68\x14\x41\x22\x2e\x05\xa7\x6d"
+ "\x1d\xa5\x55\xd8\x3b\x1c\xa4\x0b\x80\xf1\x43\x5f\xf7\xc2\xef\xa6"
+ "\x28\xcf\xbb\x2a\xbc\x0f\xbc\x20\x11\xff\xc1\x1b\x75\x5b\x49\x6f"
+ "\xc5\xc4\xa8\x3c\x46\xb3\xfd\x41\x70\x2a\xd8\x8b\xa6\xc1\x54\xad"
+ "\x15\x3e\x96\xca\x28\x3e\xca\x06\xe6\x0d\xad\xc8\x74\x32\x9a\x0d"
+ "\x80\x65\xd6\x49\x35\xc0\xd8\x75\xed\xb7\x4b\x9d\xb5\xd5\x3b\x3b"
+ "\xd3\x2e\x9f\xed\xbe\xd3\x83\x68\xe1\x3a\x25\x2c\xb5\xfe\xbd\x89"
+ "\xf3\x0e\xe3\x5e\xb3\x15\x2e\x0e\xb5\x2b\x97\x47\x6c\x6d\x88\x82"
+ "\x42\x54\x0d\x97\x52\x17\x56\x16\x9b\x5e\xaa\x63\xb0\xcb\x6f\xe6"
+ "\x0f\x9c\x9e\x6f\x3f\x49\x31\x60\x88\x2f\x25\xae\xff\x1c\x90\x55"
+ "\x9d\x63\x50\x56\x4d\x6e\x55\x5c\x48\x84\x1d\xf1\x0a\x03\xa6\x99"
+ "\x90\x13\xd6\x9a\xf1\x43\x5d\x0d\x69\x74\x3d\x60\xf5\xa0\x58\x29"
+ "\x98\x74\x10\x35\x2f\x6b\x35\x0b\x9a\xed\x3d\x7c\x4f\x00\x55\xec"
+ "\x0e\x20\xd0\x77\x46\x45\x7c\x0f\xfa\xf6\x55\xd9\x9f\xf8\x4b\x81"
+ "\xfa\x7a\x36\x05\xb9\x8e\xaf\xd8\xd3\x40\x6c\x0f\x72\x0d\x06\xba"
+ "\x91\x65\xbe\x5a\xfd\xf4\xb4\x49\xfa\x41\x83\xcb\xcf\x8d\x8a\xb0"
+ "\xf6\x3b\xcc\x08\xf8\x26\x41\x0d\x7e\xc6\xb3\x29\x8c\x33\x32\xb3"
+ "\x44\x7c\xbd\x0a\xc7\x0a\x58\x75\xfb\x2d\xf0\x53\x6c\xba\x89\x77"
+ "\xfd\x71\x7f\xe2\x9d\x9d\x35\x1d\x6b\xb2\x6f\x72\x27\x9b\xe5\x9e"
+ "\xc0\x21\x6f\x4a\x5f\x15\xf3\x13\xa4\xd9\x76\x96\xc1\xb3\xcf\x95"
+ "\xad\x47\x39\xa7\x10\x39\x7b\xfd\x9d\x71\xe3\xb8\xc4\xdf\xea\x96"
+ "\x40\x5e\xbb\x91\xfe\x99\x78\xc7\x97\x89\xca\x38\xd5\xdc\x7f\xad"
+ "\x3c\xf8\x59\x46\x05\x54\xb0\xfd\x33\x00\xd8\xa8\xb2\xf6\x44\xad"
+ "\xd5\xfc\x2d\xce\x92\x59\x85\x61\x5c\x53\xba\xf9\xe6\xc8\x47\x2f"
+ "\x50\xa3\x4a\xa6\x69\x70\xc2\x03\x5a\x44\x84\x20\x4b\x0a\x37\xa1"
+ "\x3b\xa8\x46\x96\xa6\x95\xfa\x59\x01\x38\xb5\xc7\xdb\x7c\xa8\x24"
+ "\xf9\x75\x90\xa9\x3d\x56\x5f\x95\x14\x17\xc7\xa3\x6f\xe7\xed\x0f"
+ "\x6b\xc9\x24\xfa\x0e\x4b\x33\x32\x0f\xd4\xe8\x3d\xae\x03\x9d\xfd"
+ "\xbf\x68\xef\x1b\x5a\xfa\x4b\x2e\x7f\x70\xd8\x95\x69\x03\x58\x1b"
+ "\xae\xf2\xde\xdb\x1e\xbd\x8a\xb0\xe5\xb3\x1a\x19\xe6\x1c\xf3\xf1"
+ "\xa5\xea\x8e\x61\x47\xd6\x4a\x5c\xb1\x2d\x4c\xcb\x22\xb5\x5a\x41"
+ "\xac\xad\xdc\x94\x71\xd4\x53\xcf\x67\xc6\xfa\xd4\x6b\x60\xe7\xf6"
+ "\x8e\xaf\xae\x98\x1c\x55\xd8\xed\xff\x48\x05\x69\xf4\x63\x4b\x0b"
+ "\x1a\xa4\x50\x3e\xff\x61\x72\x23\x5d\x8a\x19\x9e\x7b\x32\x79\x81"
+ "\xab\x4e\x5b\x5d\x06\x89\x2a\x26\x13\x20\x6d\xeb\xb2\x69\xb0\xd9"
+ "\xa3\x17\x04\xfd\x85\xfb\x54\x12\x02\xa8\x1d\xc4\xd8\x17\x15\xe0"
+ "\x67\xc0\x17\x81\x91\xab\x8a\x4b\x72\xe0\x10\x17\xc2\xd3\xe2\x5e"
+ "\x08\x24\xfe\x6f\x9d\xc0\x57\x03\x19\x4b\x62\x0a\xee\x3c\xd3\xc6"
+ "\xa7\x70\xe6\xca\x02\xea\x91\xf6\x31\xcd\x02\x5b\x55\xd2\xf4\x76"
+ "\x2b\x24\xbd\x09\x45\xe8\x00\x63\xbd\x3b\xf8\xeb\xe7\x17\x20\x24"
+ "\xaf\x11\x65\xaa\x52\xd1\xf5\x74\xf5\xed\xd2\x5b\x60\x86\x9a\xfc"
+ "\xa4\x63\x10\x25\x50\xb4\x40\x14\x97\x20\xf0\x53\xbe\x0f\x2a\x28"
+ "\x09\xac\x4d\x9d\x45\x52\x77\xcd\x65\x9a\x2c\xf2\x49\xfe\x92\x1a"
+ "\x6d\xb9\xf3\x29\x6c\xcd\x5b\xee\x73\x28\x6b\x2c\x14\xec\x6a\x25"
+ "\x64\xac\xcb\xdf\x1a\xe0\xaf\x56\xf6\x49\xea\xad\x06\x9c\xa3\x60"
+ "\xb2\xcf\x2c\xad\x19\xeb\xc3\x0f";
+
+static const unsigned char service_rodc[] =
+ "\x61\x82\x03\xf3\x30\x82\x03\xef\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x13\x30\x11\xa0\x03\x02"
+ "\x01\x01\xa1\x0a\x30\x08\x1b\x06\x61\x70\x61\x63\x68\x65\xa3\x82"
+ "\x03\xc5\x30\x82\x03\xc1\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02"
+ "\xa2\x82\x03\xb3\x04\x82\x03\xaf\xaf\x34\x2b\xc2\xe0\x1a\x4d\x2d"
+ "\xb9\xda\x8c\x44\x52\xa3\xc1\xbf\xe2\xb3\xc9\x27\x29\xd2\x90\xa4"
+ "\xca\x87\xd7\xae\x3d\x10\x1a\xc4\x88\x6c\x22\x78\x9a\xb8\xd9\xb0"
+ "\x64\xa8\xfc\x49\x8b\xcd\x95\xf6\xc0\xeb\x32\xaa\x70\x06\xdf\xa8"
+ "\x98\x9f\xa5\x56\x42\xdf\x33\xd5\x6d\x15\x9d\xea\x6c\x04\x0d\xef"
+ "\x06\x13\x52\xe2\xa7\xc3\x76\xb9\xec\x95\x94\xc4\xad\xad\xb5\xa0"
+ "\xf5\x44\x69\x69\x96\xf3\xfb\x9e\x99\x48\xca\x5d\x85\x34\x10\xfb"
+ "\x51\xb1\x6f\x59\x70\x98\x06\x39\x55\xdc\xa3\x1f\xc8\x36\x63\x47"
+ "\xc8\xfc\xc7\x8e\x44\xaf\x5c\x20\x79\x3c\x8f\x54\xb5\x3b\x38\xb4"
+ "\xda\xcf\x6c\xea\xcd\x33\x0d\xc6\x86\x07\x08\xa7\x37\x3f\xed\xc4"
+ "\x3a\xa6\x98\xcd\x5e\xf8\x06\x3c\x47\xea\x04\xaf\x1e\xd3\x88\x1e"
+ "\x17\xf9\xac\xa7\x9e\xf2\x92\x70\xef\xd3\xb7\x39\x24\x65\x0c\x32"
+ "\x7e\x03\x2f\x36\x31\xa1\x9b\xe4\x58\x8f\x78\xde\xec\xa5\xba\x54"
+ "\x68\xb4\x4c\x17\x23\x0a\x62\xc6\xb0\x22\x3d\x21\x35\xfa\x4f\xf4"
+ "\x6d\x9e\x46\xb7\xf5\xcc\x28\xe4\x78\x3a\x36\x6a\x44\xc5\x34\xb7"
+ "\x34\x0d\xac\x4f\x02\x41\x8f\xfd\xcb\xd4\x4c\xb6\x4e\xf1\xd1\xe7"
+ "\x4a\x1b\xf1\x96\xa5\xd3\x15\x74\xd4\x52\xbe\x1b\xbd\xe1\x17\xe8"
+ "\x77\x79\xf6\x51\xc4\xc3\xd9\x6a\xe9\x4c\x70\x10\x33\xed\x59\xa5"
+ "\x7d\x05\x17\xde\x61\x65\x5f\xf5\xde\x06\xa4\xd6\x39\xe4\x3f\x83"
+ "\xdd\x95\xa3\xb3\x57\x60\x1c\xf3\x42\xdb\xdc\xd5\x39\x76\x68\xd3"
+ "\x6e\xc8\x06\xff\x6b\x5b\x1d\x72\x7d\xb4\x4d\xec\x3e\xb8\x6d\x09"
+ "\xff\xa5\x0e\x30\xe8\x12\x72\x31\xce\xf3\xdd\x78\xee\x43\x53\x75"
+ "\x26\x43\xc2\x29\x1f\x78\x2f\x03\x4f\x2d\x82\xe3\x7c\x82\xb0\x1d"
+ "\x64\xdc\x67\xb3\x53\xa6\x7f\x17\xd5\x11\xc1\x0d\xde\x79\x28\x07"
+ "\x40\x08\xe0\xfa\x41\x2b\xeb\x3e\xa9\xf0\x92\xdd\x4f\xfe\x13\x05"
+ "\x73\x1a\xc7\xfe\x14\x56\x86\x32\x27\x4d\xe5\x4e\x15\x35\x1e\xe5"
+ "\x54\x87\x8f\x75\x2a\xcb\x48\x5d\xc4\xce\xd3\x71\x25\x3b\xc6\x51"
+ "\xe2\x4f\x83\x87\x05\x97\xc9\x35\x4a\xce\xd7\x5a\x82\xcc\xe5\xc1"
+ "\xf6\xf6\x40\x8a\x91\xce\x05\x3a\x6a\xba\x9b\x43\xc6\x9f\x3b\x59"
+ "\xb4\xb7\x9b\x24\x6e\xad\x98\xdf\x3e\x12\x9f\x17\x31\x0c\xc7\x7d"
+ "\x31\x0b\x6c\xc0\x7b\x72\x1f\xb3\xcf\x24\x80\x64\x49\x95\x5d\xc0"
+ "\x0a\x84\xfc\x66\xf7\xcc\xc6\x82\x78\xf4\x23\x69\xfd\x34\x09\x94"
+ "\x9e\xd6\x26\xd3\xb6\x4f\x61\x50\xd0\x38\x72\x6d\x06\xef\xa1\x0f"
+ "\x3d\x3d\x46\xb0\x4b\xd9\xe8\xe9\x76\x73\xfe\x53\x82\x84\xbd\xea"
+ "\x4b\x1b\x97\x5e\x23\x55\x8d\xe6\x2d\x14\xe2\x9c\xbd\x07\xd2\xc2"
+ "\x98\x18\xbe\x02\xda\x19\x89\x95\x05\x06\xdb\x59\x4b\xd3\xfc\x18"
+ "\x9a\xf7\x39\x98\x9b\x79\x9c\xe1\xbe\x96\xf5\x55\xd7\x2c\x1b\xbb"
+ "\x84\x1b\xd3\xad\x8c\x26\x50\xbf\x86\x1b\x59\xfa\xab\xf5\xaf\x2b"
+ "\x04\x75\xf9\x33\xcf\xed\x01\x46\xbc\x5c\xd8\x9a\x3c\x1e\x11\x9e"
+ "\x03\x86\xf7\xed\x72\x93\xde\xf4\x5f\xb7\x63\x9c\x13\x0a\xa9\xba"
+ "\x51\x12\x3d\x13\xa5\xcf\x3e\x4b\x0d\x09\xfe\x97\x87\xde\xdf\x23"
+ "\x8d\x2a\x5a\x97\x7d\xfc\xe0\x40\x1a\x99\x75\x02\x7a\xb9\xae\xb4"
+ "\x51\x5d\x48\xcd\x98\xb1\xa7\x1e\x91\x06\xf5\xb7\x85\xb5\xd3\xe0"
+ "\x9e\xa2\x44\x08\xd7\xed\xbf\x3f\x6c\x39\x19\xfe\xd9\x80\x24\xe4"
+ "\x16\x7d\xd8\x66\x1f\xbb\x85\xc1\x38\x03\x1f\x36\xce\x77\x18\x11"
+ "\x99\x22\x7e\xb1\x7c\x47\x19\xd7\x8d\x79\x39\xef\xf5\xbd\xa0\xf7"
+ "\xca\x88\x79\x7e\xc9\x2b\xd7\x99\x2c\x87\x78\x7b\x4f\x4c\x38\xd8"
+ "\x02\xcd\x7c\xd4\x07\x33\x74\x89\x61\xa7\x11\x04\x98\xb2\x5f\x95"
+ "\x0c\xc3\x17\x35\xf6\xc3\x38\xee\xc3\xf6\xcf\x46\x68\xeb\x95\xb4"
+ "\xa3\x92\xbb\xe9\xd7\x7c\x92\x7f\xd0\x67\x64\x7d\x93\xc6\x37\xb3"
+ "\xb4\xe2\xf6\x31\x89\x22\x4b\xd7\xa6\x9d\xad\x14\x0c\x00\xc4\x7c"
+ "\x44\xfa\x2c\x89\x3a\x78\xc0\xe8\xb2\x6e\x4f\xde\x37\x07\xca\x5e"
+ "\x4a\x7f\x27\xbc\x2e\x96\x5b\xaf\xd0\x6b\xa4\x31\xad\x21\x2d\x0e"
+ "\x4c\x25\x97\xde\x42\x07\xc3\x97\xf0\xf5\x3b\x69\x8c\x89\x34\x8f"
+ "\xd4\xe7\x7c\xca\x45\x83\x7f\xf7\x7b\x4e\x75\x86\x39\x3b\x67\xbe"
+ "\x57\x76\xa1\x26\x65\x1d\x49\x8c\x33\x5c\xdf\x05\x9b\xcf\x4d\xce"
+ "\x06\xc9\xaa\xd5\xee\xf0\x3a\x42\x75\x02\x93\xf5\xeb\x00\xa7\xa4"
+ "\xfc\xe6\xff\x9e\xda\xb6\xbd\xc9\xe0\x67\xac\x99\x74\x99\xd8\x3e"
+ "\xf1\x13\xa8\x2f\xd7\x9c\x26\x95\x0e\xbe\x52\x79\x9b\xda\x8a\x78"
+ "\x7e\x2b\x9f\x22\xf3\xfb\x0f";
+
+static const unsigned char s4u2self_rodc[] =
+ "\x61\x82\x03\xf2\x30\x82\x03\xee\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x13\x30\x11\xa0\x03\x02"
+ "\x01\x01\xa1\x0a\x30\x08\x1b\x06\x61\x70\x61\x63\x68\x65\xa3\x82"
+ "\x03\xc4\x30\x82\x03\xc0\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02"
+ "\xa2\x82\x03\xb2\x04\x82\x03\xae\x4d\x90\xed\x46\x56\x94\x72\x5e"
+ "\x2a\x3d\x13\xad\xfa\xfa\x0e\xd6\x75\x91\x38\x57\xd4\x31\x6b\x07"
+ "\x75\x4b\x5c\x3c\x2c\x7a\xdc\x71\xd9\x36\x27\xf9\x27\xbf\xf0\xa9"
+ "\xb5\x16\xa0\x12\x3c\x36\x36\x16\x6e\xa5\x19\xcb\x28\xf9\xbb\xe3"
+ "\x66\xf7\x02\xad\xa8\xf9\xca\xe0\x84\x27\x7e\x9f\x81\x02\xea\xba"
+ "\x85\x6c\x57\x56\x39\x59\xfd\xce\x0f\xb6\x7d\x11\x1c\xc4\x9c\x92"
+ "\xb7\xbc\xe0\xc9\x51\xb8\x0f\xd4\x03\x84\xc4\x25\x0b\x9d\x44\x56"
+ "\x3f\xc2\xf3\x63\x7b\x8d\x2b\x61\xf2\x5f\x5b\x51\x46\x9f\x81\x1e"
+ "\xfc\xc6\x96\x71\x81\x63\xf9\xd8\x20\x57\x08\x6a\xf2\xce\xf7\x4b"
+ "\x7f\x92\x3b\x20\x21\xac\x1e\x30\x9e\x88\x71\x55\x00\x12\xef\xe4"
+ "\xfe\xf1\x6c\xe1\xab\x2f\x7c\xd9\xea\x53\xac\xd8\x74\x36\x04\xe7"
+ "\x40\x9e\x2d\x49\xc4\x9a\x6d\xdb\x95\xd1\xa1\x41\x27\xf9\x9d\xa7"
+ "\x16\x44\xd3\x58\x50\x95\x93\xdd\xba\xd0\x81\x17\xaf\x37\x19\x99"
+ "\x66\x3d\xc8\x3b\x75\xa0\xef\xd8\xa6\x8d\xa5\xe9\x94\xba\x53\x1c"
+ "\x0f\xc7\xcc\x34\x34\x23\x4f\xd5\x63\xda\x33\x49\x9c\x89\xd9\xb7"
+ "\xef\x3d\xf3\x9b\x44\x44\xcf\x84\x72\x0d\x54\xca\x40\x67\x42\x81"
+ "\xd9\xd8\xd4\x83\x6c\x52\x94\x1b\xdc\x36\x81\xee\x51\x9f\x82\x1c"
+ "\xda\x04\x84\x26\x0c\x83\xd2\xe0\x56\xbe\x53\x6b\x50\x43\xc2\x1e"
+ "\xaa\x08\xce\x37\x6b\xa8\xa8\xf8\xf2\x03\x69\xfb\xfa\xcb\xfc\xa4"
+ "\x89\x47\xbb\xd2\x68\xe5\x2d\x00\x3e\xb2\x06\x71\xda\x4c\x35\xe9"
+ "\x6d\xfc\x17\x2a\xdf\xc2\xd5\x96\x67\x03\x39\x75\xe9\xa7\x1f\x77"
+ "\xb2\xa8\x0d\xc1\x50\xc2\xe5\xed\x1a\x88\xc3\x73\x81\xa9\x86\xd2"
+ "\xc6\x34\xc7\xaa\x1c\x7f\xe6\x47\xbf\x47\xc9\x90\x39\xb3\x2c\x31"
+ "\xa0\x26\xee\x7d\xbc\x61\xe0\x26\xaa\xf6\xce\x73\x6f\xdc\xed\x27"
+ "\xdd\x13\x53\x0e\x21\x52\x1f\xd3\x75\xdb\x07\x62\x14\x00\xda\x85"
+ "\x76\x77\x16\x34\x30\x90\x7f\x94\xc5\x54\x9d\xc6\xce\xab\x11\x0b"
+ "\x98\xa9\xe6\x5f\x82\xb7\x1b\x13\xcd\xb0\xcc\xa6\xb8\x27\xb3\xd7"
+ "\x0f\x1f\xd8\x75\x56\x0e\xc5\x73\x95\x6f\x90\xda\x49\x12\xd8\x2d"
+ "\x23\x49\x13\x43\x49\x1e\xe3\xbf\x80\x4a\xde\xd6\x97\x1e\x33\x50"
+ "\x44\x6b\x7b\x00\x05\x90\xab\xfe\x94\xa8\x7c\x40\x86\x42\x4a\x6b"
+ "\xc7\x26\x21\x12\x19\x98\x01\xd5\x64\x7d\xdb\xf7\xe3\xf7\xea\xca"
+ "\x5d\xf8\xcb\x0a\x3f\x83\xf2\x6b\xe7\x2e\x3c\x71\x73\xc9\x3c\xc0"
+ "\x82\xc5\x2d\x7b\xd0\x03\xa2\xe2\xd9\x6d\xcd\x15\xd5\xd4\xbf\x90"
+ "\xc6\xf4\x19\x5b\x72\x0f\xaf\x42\xd4\x28\x58\x4f\xbe\xff\x63\x6a"
+ "\x0d\x42\x9f\x05\xfe\xbd\xdb\x81\x18\xaa\x73\x4b\x16\x96\x1b\x62"
+ "\xe8\x21\x88\xde\x9a\x57\x70\xcc\xab\x49\x4e\x0c\x31\xec\x8d\xce"
+ "\x82\x20\x3c\x44\x9b\xbc\x36\xb2\x8f\x7d\xe5\xea\x11\xf6\x71\x16"
+ "\x8e\x66\xcb\xfb\xc2\x92\xf5\xc1\x09\xac\x90\x68\xc6\xd7\x93\x21"
+ "\xcb\xb8\x57\x47\x56\x8c\x13\x7e\x78\x81\x08\x25\x3d\x4c\x1d\xeb"
+ "\x39\x2c\xf5\x9b\x67\x5d\xb4\xee\xb5\x71\xba\xcf\x29\x7a\x6b\xa5"
+ "\x30\x4a\xfd\x16\x33\x5d\x68\x95\x62\xe7\x76\xca\x06\xb8\x94\x51"
+ "\x1f\x9a\x71\x99\x78\xaa\xec\xcf\x27\xc9\x16\xcb\x91\xa0\xbe\xca"
+ "\xf9\x9c\xbe\x4d\xb0\xb9\x98\x21\x01\xb2\xa7\x7a\x8a\x0d\x1c\x62"
+ "\xeb\x7d\x52\x81\xf9\xf5\x94\x0b\x27\x6a\x1c\xfc\xb6\xb2\x3a\x52"
+ "\x39\xd2\x6c\xca\x23\x43\xd1\xbf\x44\x54\x85\xb6\xd5\xb9\x93\xb9"
+ "\x91\x86\x59\x7f\xd2\x23\x1c\xeb\x2c\x5d\xb0\xcd\x09\x2d\x83\x62"
+ "\x24\x94\x65\x64\x13\x00\xe0\x1d\xd0\xf5\x56\x79\xff\xcc\xa9\xb9"
+ "\xda\xd4\x6a\xab\xe9\x2a\x91\x40\x44\xed\x7b\x8c\xed\xb1\x39\x70"
+ "\xd0\x51\x51\x6c\x45\x5f\xd4\xed\x0d\x36\x17\xf0\x69\xf6\x92\x72"
+ "\xca\xc8\x90\x1e\xe0\x44\xf0\x19\x2e\x2c\x1f\x12\x42\xa3\x15\x9d"
+ "\x37\x86\xa3\xa3\x6e\x04\xfc\x84\x73\xf8\x1d\x13\x30\xe5\x0f\x32"
+ "\x58\xab\x51\x0e\xad\x0a\xcc\xb9\x32\x81\x44\x7c\x6e\xc1\xec\xcd"
+ "\x5d\x6a\x9a\xb7\x27\x53\x98\xcc\x2b\x8d\x3c\xac\xbe\x12\xcb\x01"
+ "\xeb\xe7\xbe\xb5\x10\x16\x22\xc1\x92\x86\xe7\xa6\x1f\x88\xfa\x6a"
+ "\x70\xec\xd8\x38\x31\x85\x6f\x08\x33\x3c\x1b\x49\x68\xd4\xa5\x4c"
+ "\x7e\xf1\xbc\x25\x4f\x2f\xef\x39\xad\x78\x19\x23\x31\x47\xa1\x96"
+ "\xae\x7b\x8d\x8b\xf1\xf4\xc4\x3b\x06\xc0\xf6\x6e\x0f\xd2\xe0\x18"
+ "\xca\xc4\x09\x1b\x34\xbe\x1f\x12\x21\x69\x79\x9c\xaf\xe2\x78\xb4"
+ "\x19\x85\x83\xb7\x9c\x2d\x1a\x14\x1d\x64\xc8\x36\x48\xf2\x3d\xf6"
+ "\x26\x8c\x5a\x4c\x03\xae";
+
+static const unsigned char s4u2proxy_rodc[] =
+ "\x61\x82\x04\x9f\x30\x82\x04\x9b\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x20\x30\x1e\xa0\x03\x02"
+ "\x01\x03\xa1\x17\x30\x15\x1b\x03\x73\x71\x6c\x1b\x0e\x6d\x79\x73"
+ "\x71\x6c\x2e\x61\x63\x6d\x65\x2e\x63\x6f\x6d\xa3\x82\x04\x64\x30"
+ "\x82\x04\x60\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02\xa2\x82\x04"
+ "\x52\x04\x82\x04\x4e\xd2\x92\xec\x00\xf9\xc9\x37\xde\x46\xf6\x35"
+ "\x62\xb7\xa1\x77\x0c\x9a\x4f\x6d\x17\x2e\xfd\x59\x24\xfe\x85\x32"
+ "\x3f\xf2\x40\x1e\xcd\xf1\xa6\xd2\xeb\xba\x26\xa1\x87\xee\x0b\xee"
+ "\xbf\x3e\xad\x73\x07\xf1\xc8\xb9\x2b\xc7\x16\x31\xf3\x63\x95\x56"
+ "\x5d\x5d\x00\x6a\xff\xa0\x20\x05\x14\x0b\x50\x0b\x1e\x1a\xf2\x61"
+ "\x29\x1b\x49\x54\xf9\xac\x6c\x08\x91\xdf\x44\x3e\x43\x42\xbe\x4a"
+ "\x5a\x7d\xaf\xd5\xb9\x26\xe4\x91\x5f\xf0\xcc\x55\x3d\xc7\xc4\xc0"
+ "\x46\x3b\x32\x1f\xca\xcf\x16\xec\x18\x1b\x29\xe9\xb1\x4c\xdd\x0f"
+ "\xb3\x53\x2b\x0a\x7a\x5a\xff\xa0\xf4\x62\xcf\xf1\x2c\xc9\x64\xfa"
+ "\x35\xad\xb7\x18\x9b\x53\xb2\xe4\xdc\x81\x59\x8b\x2a\xb7\x94\xe0"
+ "\xf5\x99\x7d\x04\xb6\x49\xa2\x9a\x6a\xcc\x17\x62\x63\x5d\x2e\xf2"
+ "\x24\x56\x58\x00\x68\x6a\x60\x37\xf9\xa7\x55\xac\xb8\x95\xcb\x22"
+ "\x6a\xd6\x6c\x91\x99\x22\xc4\x33\x38\xfa\xf4\x7f\xf0\xf1\xae\x2e"
+ "\x5c\xa5\x6c\x6b\x98\x3e\x82\x94\xee\x2e\x4c\xbd\x41\xb8\x4f\xeb"
+ "\x0a\xca\xb1\x0b\x88\xfb\x51\x76\x87\x69\x7c\x0b\x61\xc3\xe6\xe1"
+ "\xd8\x2a\xc3\xee\xde\x13\x70\xbf\x6a\x9f\x7d\x2a\x6f\x7b\x57\x28"
+ "\xd3\x9e\x39\xf8\xc7\x05\xd5\xc0\xe3\x11\x11\x05\xeb\x2f\x08\x14"
+ "\x1c\x98\xae\x7e\x56\x8a\xb7\xcc\x2b\x74\xda\x01\x69\xeb\x56\x3c"
+ "\x89\x4f\x5d\xf8\xf7\xdb\x73\xa4\x84\x29\x91\x79\x32\xcc\xa0\xc1"
+ "\x28\xad\x9d\x4e\xcf\x45\x00\x6e\x8a\xe7\xf8\xd5\xeb\x87\x51\x37"
+ "\xcb\xb9\x4f\xc7\x08\x27\x2a\xf3\xaa\x24\x26\x0b\xed\x40\xcf\x74"
+ "\xae\xa9\xa3\xed\x1e\x97\xd0\x05\xb5\xae\xdf\x37\xb5\x24\x52\xa1"
+ "\xac\xd7\x31\xa2\xef\xc8\xab\x8a\xc4\x8c\x3d\x7c\xf3\x00\xf0\xc3"
+ "\xe7\xa3\x6d\x93\x83\xe4\x08\x2e\xa1\xb5\xc4\xdc\x4b\x3f\x06\x23"
+ "\x40\xaa\x0a\x72\xe6\x5a\xad\x65\x53\x3d\x48\x6c\x6f\xe3\xc5\x8b"
+ "\xa3\xba\x54\x73\x78\x07\xf8\x88\xd5\xf4\x87\x04\x5d\x88\x1b\xba"
+ "\x4e\x67\x9f\x92\xe8\x9c\xf0\xc4\xba\xfb\xe3\x78\xe2\xd9\xa3\x38"
+ "\xdb\xd6\x41\x4c\xa4\x76\x92\x36\xc1\xd7\x30\x05\x3f\xf8\x9f\xd1"
+ "\xf8\x79\x13\xeb\x98\xc2\x7a\xa3\x25\xab\x32\x1e\x14\x10\x87\xc0"
+ "\x00\x68\x26\xf8\x8d\x4d\xb5\x96\xb7\x35\x81\xe5\x0c\x3f\x45\x2c"
+ "\xcf\x4e\xdd\xda\xe6\xd4\xb3\xcb\x50\xf1\xe5\x48\x4c\xec\xcc\x10"
+ "\x33\xa0\x11\x53\x0d\xf3\x2c\x98\xcb\x76\xbf\x6e\xd7\xe9\x20\xe7"
+ "\xdb\xbd\xae\xcf\x69\x0e\xd1\xce\x47\xae\x5a\xe1\x21\x0d\xe9\xd5"
+ "\x2f\x09\xc4\x36\x53\x24\x4a\x5c\xac\x07\xff\xd8\xac\xfe\xae\x91"
+ "\x93\x92\xbf\xc6\x3b\xa4\xdb\x28\x52\x23\x58\x7d\xcb\xbd\x39\x34"
+ "\x07\xeb\x56\x1a\xf9\x47\xf8\x70\xee\x60\x51\x2e\x80\x92\xd4\xcf"
+ "\xd8\x9d\x75\x16\x50\xf1\xb0\x02\x61\x99\x51\x7c\x46\x48\xf9\x6b"
+ "\x84\xdf\x5c\xef\xe1\x1f\x0c\x22\x9b\xdc\xbc\x76\x7f\x3f\x6d\xfe"
+ "\xb8\x2f\x93\xb9\x27\x58\xa9\x93\x42\xda\xf2\x67\xf7\x01\xbe\xd8"
+ "\xa2\x18\xec\x1e\x40\x3d\x3b\x6f\xfe\x50\xab\xb9\x35\xb7\xdd\x2a"
+ "\xe1\x51\xf9\xce\xea\xf5\x1d\xed\x6c\x2b\xbc\x86\xc9\x53\x41\x8b"
+ "\x2e\x06\xc8\xc0\x08\x48\x37\x40\x8c\xf8\xe9\x4b\xc7\xc0\x6f\x1b"
+ "\xe1\x0c\x8c\x0e\xf4\x73\x19\x7e\xc6\x36\x84\xa2\x8f\x72\x2e\x59"
+ "\x53\x25\x2c\x92\x95\x04\x9b\x13\x97\x7a\xc7\x53\xa4\xa6\x0f\xf3"
+ "\x06\x59\x25\xe7\xd5\x35\x0e\xe9\x10\x95\x60\x0f\x53\xd4\x24\x13"
+ "\x72\xf6\x6d\x17\xb8\x43\xb2\xac\x40\x15\x11\xb6\x1b\xbb\x13\xb3"
+ "\x90\x66\x85\x92\xcb\xb4\xf5\x9c\x15\x89\x41\xbc\x07\xb0\x37\x21"
+ "\xff\x13\x93\x55\xe9\xe0\x2d\x32\x64\x62\x40\x45\xb5\x41\x80\xdd"
+ "\xb8\xf2\xe9\x64\x3e\xfb\xe6\x69\x1c\xd0\xb4\xb1\xa2\x58\x95\xe5"
+ "\xf7\x48\x8e\x10\x4c\x8b\x05\x96\xfa\x6f\x36\x34\xe1\x29\x1c\x65"
+ "\x65\x8d\xb0\x39\x50\x27\x00\xac\xa6\x4f\x5b\xd2\xb0\xfe\x69\x17"
+ "\xa2\xa8\x19\x34\x78\x9b\xef\x8c\xc2\xb9\xf1\xb6\xee\x28\xf4\x74"
+ "\xd6\x18\xe0\x0f\x36\x91\xf4\x56\xbc\x5d\x16\x21\x0e\x14\xb2\x5e"
+ "\x42\x38\xe2\x10\x81\x31\x54\x4b\xf5\xfd\x62\x72\xb0\x05\x16\x19"
+ "\x88\xe0\xd4\x5d\x5f\x10\x5c\x0d\x1f\x6a\x9f\x27\x48\x58\x18\xd1"
+ "\x60\x46\x17\xf3\x5e\xbc\xf1\x3a\xcd\x4b\x01\x08\x2e\x34\x5e\xa6"
+ "\x91\xa3\x87\x0f\xe7\x34\x9c\xcb\x87\x95\x40\xee\x22\x1c\x41\x55"
+ "\xc1\x6b\x36\x22\xa2\xbb\xf2\x55\x04\xb7\x79\x0f\xe1\xb8\x95\xcf"
+ "\x7b\x8a\x37\x6d\x1e\x78\x09\x5c\x1a\x6c\xa3\x93\x13\x70\xfe\x37"
+ "\xcc\x4a\xe7\x58\xda\xaa\x14\xe1\x32\xac\x64\xdb\x52\xef\x33\x71"
+ "\xf3\x27\xa5\x2e\x2c\x69\xe3\xa6\xab\x15\xe5\xdc\x27\xf4\xe8\x6d"
+ "\x7a\x66\x9a\x1e\x69\x46\xa9\xfa\x02\xbb\x35\x6e\x16\xc0\x06\xdf"
+ "\xd7\xcf\x8b\xab\x3e\xfc\x62\x7d\x35\x95\xb8\x15\xe2\xee\x6d\x61"
+ "\x5b\x7b\xb5\x88\x03\x45\x1c\xa0\x79\xff\x81\x4f\x75\xa9\xe7\x0a"
+ "\xed\x81\xac\xe6\x2f\x86\xb2\x23\x9b\x5a\xfe\x5c\xee\x18\x5a\x4a"
+ "\x0f\x4a\xf4\x49\x8d\xbc\x7f\x3f\xc4\xbc\x7f\xbf\x41\x95\x62\x9e"
+ "\xc6\x73\x5f\x5a\x5d\x41\x53\xe2\xaa\x03\xc8\x00\x68\xad\x26\xf2"
+ "\x8f\x66\x78\x10\x3f\xa8\x56\x4b\x77\xb9\x0d\x94\x49\x54\x47\xd5"
+ "\x69\x9d\x4f\x44\xce\xc3\x6d\xae\x51\x20\x24\x61\xb6\x6f\xff\x27"
+ "\xc4\x36\xb1";
+
+static const unsigned char extra_logon_info[] =
+ "\x08\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xf0\x01\x00\x00"
+ "\x88\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x1e\x00\x00\x00"
+ "\x78\x02\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x98\x00\x00\x00"
+ "\x98\x02\x00\x00\x00\x00\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00"
+ "\x30\x03\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x08\x00\x00\x00"
+ "\x30\x03\x00\x00\x00\x00\x00\x00\x12\x00\x00\x00\x1c\x00\x00\x00"
+ "\x38\x03\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x10\x00\x00\x00"
+ "\x58\x03\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x10\x00\x00\x00"
+ "\x68\x03\x00\x00\x00\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
+ "\xe0\x01\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\x7f\xff\xff\xff\xff"
+ "\xff\xff\xff\x7f\x59\xa1\x0f\x59\x77\xf5\xd7\x01\x59\xa1\x0f\x59"
+ "\x77\xf5\xd7\x01\x59\x21\x69\x4e\x78\x16\xd8\x01\x14\x00\x14\x00"
+ "\x04\x00\x02\x00\x00\x00\x00\x00\x08\x00\x02\x00\x00\x00\x00\x00"
+ "\x0c\x00\x02\x00\x00\x00\x00\x00\x10\x00\x02\x00\x00\x00\x00\x00"
+ "\x14\x00\x02\x00\x00\x00\x00\x00\x18\x00\x02\x00\x00\x00\x00\x00"
+ "\x4d\x04\x00\x00\x01\x02\x00\x00\x01\x00\x00\x00\x1c\x00\x02\x00"
+ "\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x0e\x00\x10\x00\x20\x00\x02\x00\x0e\x00\x10\x00"
+ "\x24\x00\x02\x00\x28\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x02\x00\x00\x00\x2c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00"
+ "\x63\x00\x39\x00\x64\x00\x38\x00\x30\x00\x31\x00\x61\x00\x38\x00"
+ "\x5f\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x01\x00\x00\x00\x01\x02\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
+ "\x00\x00\x00\x00\x07\x00\x00\x00\x54\x00\x45\x00\x53\x00\x54\x00"
+ "\x2d\x00\x44\x00\x43\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00"
+ "\x07\x00\x00\x00\x45\x00\x58\x00\x41\x00\x4d\x00\x50\x00\x4c\x00"
+ "\x45\x00\x00\x00\x04\x00\x00\x00\x01\x04\x00\x00\x00\x00\x00\x05"
+ "\x15\x00\x00\x00\xa1\xa5\x92\x7f\x29\x19\xc5\x3b\xbb\x56\xb0\x05"
+ "\x02\x00\x00\x00\x30\x00\x02\x00\x07\x00\x00\x00\x34\x00\x02\x00"
+ "\x07\x00\x00\x00\x05\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05"
+ "\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\xf1\x01\x00\x00\x01\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x12"
+ "\x01\x00\x00\x00\x00\x00\x00\x00\x00\xb6\x8f\x5a\x77\xf5\xd7\x01"
+ "\x14\x00\x63\x00\x39\x00\x64\x00\x38\x00\x30\x00\x31\x00\x61\x00"
+ "\x38\x00\x5f\x00\x30\x00\x00\x00\x2c\x00\x18\x00\x16\x00\x48\x00"
+ "\x03\x00\x00\x00\x14\x00\x60\x00\x1c\x00\x78\x00\x00\x00\x00\x00"
+ "\x63\x00\x39\x00\x64\x00\x38\x00\x30\x00\x31\x00\x61\x00\x38\x00"
+ "\x5f\x00\x30\x00\x40\x00\x45\x00\x58\x00\x41\x00\x4d\x00\x50\x00"
+ "\x4c\x00\x45\x00\x2e\x00\x43\x00\x4f\x00\x4d\x00\x00\x00\x00\x00"
+ "\x45\x00\x58\x00\x41\x00\x4d\x00\x50\x00\x4c\x00\x45\x00\x2e\x00"
+ "\x43\x00\x4f\x00\x4d\x00\x00\x00\x63\x00\x39\x00\x64\x00\x38\x00"
+ "\x30\x00\x31\x00\x61\x00\x38\x00\x5f\x00\x30\x00\x00\x00\x00\x00"
+ "\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xa1\xa5\x92\x7f"
+ "\x29\x19\xc5\x3b\xbb\x56\xb0\x05\x4d\x04\x00\x00\x00\x00\x00\x00"
+ "\x02\x00\x00\x00\x01\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05"
+ "\x15\x00\x00\x00\xa1\xa5\x92\x7f\x29\x19\xc5\x3b\xbb\x56\xb0\x05"
+ "\x4d\x04\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\xfd\x39\xd8\x32"
+ "\x3b\x8c\xa5\xfe\x6b\x3d\x27\xff\x10\x00\x00\x00\x2f\x99\x7e\x57"
+ "\xca\xe4\xe1\xc7\x1b\xc0\xbd\xee";
+
+struct test_pac_ticket {
+ const char *name;
+ const unsigned char *ticket;
+ size_t ticket_len;
+ uint16_t rodc_id;
+ const krb5_keyblock *key;
+ const krb5_keyblock *kdc_key;
+};
+
+static const struct test_pac_ticket pac_tickets[] = {
+ { "tgt_ticket", tgt_ticket, sizeof(tgt_ticket), 0, &rwdc_tgt_key, &rwdc_tgt_pac_key },
+ { "service_ticket", service_ticket, sizeof(service_ticket), 0, &server_key, &rwdc_tgt_pac_key },
+ { "s4u2self_ticket", s4u2self_ticket, sizeof(s4u2self_ticket), 0, &server_key, &rwdc_tgt_pac_key },
+ { "s4u2proxy_ticket", s4u2proxy_ticket, sizeof(s4u2proxy_ticket), 0, &server_key, &rwdc_tgt_pac_key },
+ { "tgt_rodc", tgt_rodc, sizeof(tgt_rodc), 46673, &rodc_tgt_key, &rodc_tgt_pac_key },
+ { "service_rodc", service_rodc, sizeof(service_rodc), 46673, &server_key, &rodc_tgt_pac_key },
+ { "s4u2self_rodc", s4u2self_rodc, sizeof(s4u2self_rodc), 46673, &server_key, &rodc_tgt_pac_key },
+ { "s4u2proxy_rodc", s4u2proxy_rodc, sizeof(s4u2proxy_rodc), 46673, &server_key, &rodc_tgt_pac_key },
+ { NULL, NULL, 0, 0, NULL, NULL }
+};
+
+static void
+t_err(krb5_context context,
+ const char *test,
+ const char *func,
+ krb5_error_code error)
+{
+ krb5_err(context, 1, error, "test %s failed in %s", test, func);
+}
+
+static krb5_boolean
+is_krbtgt(const PrincipalName *p)
+{
+ return (p->name_string.len == 2 &&
+ strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0);
+}
+
+static void
+check_ticket_signature(krb5_context context,
+ const struct test_pac_ticket *tkt)
+{
+ krb5_error_code ret;
+ krb5_crypto crypto;
+ krb5_data data, orig_pac_ad;
+ Ticket ticket;
+ AuthorizationDataElement ad;
+ EncTicketPart et;
+ krb5_principal client;
+ krb5_pac pac;
+ krb5_boolean signedticket;
+ krb5_cksumtype cstype;
+ uint16_t rodc_id;
+
+ ret = decode_Ticket(tkt->ticket, tkt->ticket_len, &ticket, NULL);
+ if (ret)
+ t_err(context, tkt->name, "decode_Ticket", ret);
+
+ ret = krb5_crypto_init(context, tkt->key, tkt->key->keytype, &crypto);
+ if (ret)
+ t_err(context, tkt->name, "krb5_crypto_init", ret);
+
+ ret = krb5_decrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_TICKET,
+ &ticket.enc_part,
+ &data);
+ if (ret)
+ t_err(context, tkt->name, "krb5_decrypt_EncryptedData", ret);
+
+ ret = decode_EncTicketPart(data.data, data.length, &et, NULL);
+ if (ret)
+ t_err(context, tkt->name, "decode_EncTicketPart", ret);
+
+ ret = _krb5_principalname2krb5_principal(context, &client, et.cname,
+ et.crealm);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_principalname2krb5_principal", ret);
+
+ ret = _krb5_kdc_pac_ticket_parse(context, &et, &signedticket, &pac);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse", ret);
+
+ heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
+
+ ret = krb5_pac_verify(context, pac, et.authtime, client,
+ tkt->key, tkt->kdc_key);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_verify ticket-sig", ret);
+
+ ret = krb5_pac_get_kdc_checksum_info(context, pac, &cstype, &rodc_id);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_get_kdc_checksum_info", ret);
+
+ heim_assert(cstype == CKSUMTYPE_HMAC_MD5, "Wrong checksum type");
+ heim_assert(rodc_id == tkt->rodc_id, "Wrong RODCIdentifier");
+
+ /* Try to resign the PAC */
+ ret = copy_AuthorizationDataElement(&et.authorization_data->val[0], &ad);
+ if (ret)
+ t_err(context, tkt->name, "remove_AuthorizationData", ret);
+ orig_pac_ad = ad.ad_data;
+
+ ret = remove_AuthorizationData(et.authorization_data, 0);
+ if (ret)
+ t_err(context, tkt->name, "remove_AuthorizationData", ret);
+
+ ret = _krb5_kdc_pac_sign_ticket(context, pac, client, tkt->key,
+ tkt->kdc_key, tkt->rodc_id,
+ NULL, NULL, signedticket, &et, NULL);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_kdc_pac_sign_ticket", ret);
+
+ heim_assert(krb5_data_cmp(&et.authorization_data->val[0].ad_data,
+ &orig_pac_ad) == 0, "PACs differ");
+
+ free_AuthorizationDataElement(&ad);
+
+ /* Sign and verify a clean PAC */
+ krb5_pac_free(context, pac);
+ ret = krb5_pac_init(context, &pac);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_init", ret);
+
+ ret = remove_AuthorizationData(et.authorization_data, 0);
+ if (ret)
+ t_err(context, tkt->name, "remove_AuthorizationData 2", ret);
+
+ ret = _krb5_kdc_pac_sign_ticket(context, pac, client, tkt->key,
+ tkt->kdc_key, tkt->rodc_id,
+ NULL, NULL, signedticket, &et, NULL);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_kdcsignedticketsign_ticket 2", ret);
+
+ krb5_pac_free(context, pac);
+
+ ret = _krb5_kdc_pac_ticket_parse(context, &et, &signedticket, &pac);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse 2", ret);
+
+ heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
+
+ ret = krb5_pac_verify(context, pac, et.authtime, client, tkt->key,
+ tkt->kdc_key);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_verify ticket-sig 2", ret);
+
+ ret = krb5_pac_get_kdc_checksum_info(context, pac, &cstype, &rodc_id);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_get_kdc_checksum_info 2", ret);
+
+ heim_assert(cstype == CKSUMTYPE_HMAC_MD5, "Wrong checksum type 2");
+ heim_assert(rodc_id == tkt->rodc_id, "Wrong RODCIdentifier 2");
+
+ krb5_pac_free(context, pac);
+ krb5_free_principal(context, client);
+ krb5_crypto_destroy(context, crypto);
+ free_EncTicketPart(&et);
+ krb5_data_free(&data);
+ free_Ticket(&ticket);
+}
+
int
main(int argc, char **argv)
@@ -166,10 +963,11 @@ main(int argc, char **argv)
krb5_pac pac;
krb5_data data;
krb5_principal p, p2;
+ unsigned char bad_pac[sizeof(saved_pac)];
ret = krb5_init_context(&context);
if (ret)
- errx(1, "krb5_init_contex");
+ errx(1, "krb5_init_context");
krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
@@ -178,6 +976,44 @@ main(int argc, char **argv)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
+ /* Attempt to parse a truncated PAC */
+ ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac) >> 1, &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a short PAC");
+
+ /* Attempt to parse a PAC with a buffer claiming too large a length */
+ memcpy(bad_pac, saved_pac, sizeof(saved_pac));
+ bad_pac[13] += 1;
+
+ ret = krb5_pac_parse(context, bad_pac, sizeof(saved_pac), &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a malicious PAC");
+
+ /* Attempt to parse a PAC with a buffer offset too far in */
+ memcpy(bad_pac, saved_pac, sizeof(saved_pac));
+ bad_pac[16] += 1;
+
+ ret = krb5_pac_parse(context, bad_pac, sizeof(saved_pac), &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a malicious PAC");
+
+ /* Attempt to parse a PAC with a buffer offset too far back */
+ memcpy(bad_pac, saved_pac, sizeof(saved_pac));
+ bad_pac[16] -= 1;
+
+ ret = krb5_pac_parse(context, bad_pac, sizeof(saved_pac), &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a malicious PAC");
+
+ /* Attempt to parse a PAC with an incorrect buffer count */
+ memcpy(bad_pac, saved_pac, sizeof(saved_pac));
+ bad_pac[0] += 1;
+
+ ret = krb5_pac_parse(context, bad_pac, sizeof(saved_pac), &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a malicious PAC");
+
+ /* Parse a well-formed PAC */
ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac), &pac);
if (ret)
krb5_err(context, 1, ret, "krb5_pac_parse");
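Review bot: The five negative checks call `krb5_err(context, 1, ret, ...)` inside `if (ret == 0)`, so the failure is reported with error code 0 rather than as a plain test failure. `krb5_errx(context, 1, "krb5_pac_parse parsed a short PAC");` fits better, and a later hunk in this file already uses `krb5_errx` for "canon principal doesn't match". Three of the cases share the text "parsed a malicious PAC", so a failure does not say whether the oversized length, the forward offset or the backward offset was accepted; distinct messages would make a regression in the parser's bounds checks easier to locate. The indices 13, 16 and 0 only make sense against the PAC header layout, so a short comment naming the field each one mutates would help. main's body continues outside the hunk.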
@@ -188,7 +1024,8 @@ main(int argc, char **argv)
krb5_err(context, 1, ret, "krb5_pac_verify");
ret = _krb5_pac_sign(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ &member_keyblock, &kdc_keyblock, 0, NULL, NULL,
+ NULL, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign");
@@ -244,7 +1081,8 @@ main(int argc, char **argv)
free(list);
ret = _krb5_pac_sign(context, pac2, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ &member_keyblock, &kdc_keyblock, 0,
+ NULL, NULL, NULL, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign 4");
@@ -343,7 +1181,8 @@ main(int argc, char **argv)
}
ret = _krb5_pac_sign(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ &member_keyblock, &kdc_keyblock, 0,
+ NULL, NULL, NULL, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign");
@@ -373,8 +1212,43 @@ main(int argc, char **argv)
}
krb5_pac_free(context, pac);
+ krb5_free_principal(context, p);
+
+ /*
+ * check extra logon info PAC
+ */
+ ret = krb5_pac_parse(context, extra_logon_info,
+ sizeof(extra_logon_info) - 1, &pac);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_pac_parse");
+ ret = krb5_pac_verify(context, pac, 0, NULL, NULL, NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_pac_verify");
+
+ ret = krb5_parse_name(context, "c9d801a8_0@EXAMPLE.COM", &p);
+ if (ret)
+ krb5_err(context, 1, ret, "_krb5_pac_get_canon_principal");
+
+ ret = _krb5_pac_get_canon_principal(context, pac, &p2);
+ if (ret)
+ krb5_err(context, 1, ret, "_krb5_pac_get_canon_principal");
+
+ if (!krb5_principal_compare(context, p, p2))
+ krb5_errx(context, 1, "canon principal doesn't match");
+
+ krb5_pac_free(context, pac);
krb5_free_principal(context, p);
+ krb5_free_principal(context, p2);
+
+ /* Test PAC ticket-signature */
+ {
+ const struct test_pac_ticket *tkt;
+
+ for (tkt = pac_tickets; tkt->name != NULL; tkt++)
+ check_ticket_signature(context, tkt);
+ }
+
krb5_free_context(context);
return 0;
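Review bot: The failure branch after `krb5_parse_name(context, "c9d801a8_0@EXAMPLE.COM", &p)` reports "_krb5_pac_get_canon_principal", the same label as the call that follows, so the two failures cannot be told apart; it should read `krb5_err(context, 1, ret, "krb5_parse_name");`. The call `krb5_pac_verify(context, pac, 0, NULL, NULL, NULL)` passes no principal and no keys, so it presumably checks structure only. A comment such as `/* no keys: structural check only, signatures are not verified here */` would stop a reader from taking it as a signature test. The `sizeof(extra_logon_info) - 1` length also deserves a brief comment that it drops the string literal's terminating NUL. main starts outside the hunk.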
diff --git a/lib/krb5/test_plugin.c b/lib/krb5/test_plugin.c
index cfc3b6c04df1..6aedfa25b9b9 100644
--- a/lib/krb5/test_plugin.c
+++ b/lib/krb5/test_plugin.c
@@ -66,10 +66,12 @@ resolve_lookup(void *ctx,
s.sin_port = htons(88);
s.sin_addr.s_addr = htonl(0x7f000002);
- if (strcmp(realm, "NOTHERE.H5L.SE") == 0)
+ if (strcmp(realm, "NOTHERE.H5L.SE") == 0) {
(*add)(addctx, type, (struct sockaddr *)&s);
+ return 0;
+ }
- return 0;
+ return KRB5_PLUGIN_NO_HANDLE;
}
diff --git a/lib/krb5/test_princ.c b/lib/krb5/test_princ.c
index 98e61e3d8bf8..e61a60395f1a 100644
--- a/lib/krb5/test_princ.c
+++ b/lib/krb5/test_princ.c
@@ -59,7 +59,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ, princ_unparsed)) {
+ if (strcmp(princ, princ_unparsed) != 0) {
krb5_errx(context, 1, "%s != %s", princ, princ_unparsed);
}
@@ -71,7 +71,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ_short, princ_unparsed))
+ if (strcmp(princ_short, princ_unparsed) != 0)
krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed);
free(princ_unparsed);
@@ -101,7 +101,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ_short, princ_unparsed))
+ if (strcmp(princ_short, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
@@ -117,7 +117,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ, princ_unparsed))
+ if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
@@ -156,7 +156,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ, princ_unparsed))
+ if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
@@ -176,7 +176,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_short");
- if (strcmp(princ, princ_unparsed))
+ if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
@@ -200,7 +200,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
- if (strcmp(princ_short, princ_unparsed))
+ if (strcmp(princ_short, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
@@ -227,7 +227,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
- if (strcmp(princ_short, princ_unparsed))
+ if (strcmp(princ_short, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
@@ -246,7 +246,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_flags");
- if (strcmp(princ, princ_unparsed))
+ if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "q '%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
@@ -255,7 +255,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_flags");
- if (strcmp(noquote, princ_unparsed))
+ if (strcmp(noquote, princ_unparsed) != 0)
krb5_errx(context, 1, "nq '%s' != '%s'", noquote, princ_unparsed);
free(princ_unparsed);
diff --git a/lib/krb5/test_rfc3961.c b/lib/krb5/test_rfc3961.c
index f86b8bb3a446..ed8ee9b5f3f4 100644
--- a/lib/krb5/test_rfc3961.c
+++ b/lib/krb5/test_rfc3961.c
@@ -35,6 +35,108 @@
#include <getarg.h>
static void
+time_hmac(krb5_context context, size_t size, int iterations)
+{
+ struct timeval tv1, tv2;
+ krb5_error_code ret;
+ krb5_keyblock key;
+ char sha1_data[20];
+ Checksum result;
+ char *buf;
+ int i;
+
+ ret = krb5_generate_random_keyblock(context,
+ ETYPE_AES128_CTS_HMAC_SHA1_96,
+ &key);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+ buf = calloc(1, size);
+ if (buf == NULL)
+ krb5_errx(context, 1, "out of memory");
+
+ gettimeofday(&tv1, NULL);
+
+ result.checksum.data = &sha1_data;
+ result.checksum.length = sizeof(sha1_data);
+ for (i = 0; i < iterations; i++) {
+ ret = krb5_hmac(context, CKSUMTYPE_SHA1, buf, size, 0, &key, &result);
+ if (ret)
+ krb5_err(context, 1, ret, "hmac: %d", i);
+ }
+
+ gettimeofday(&tv2, NULL);
+
+ timevalsub(&tv2, &tv1);
+
+ printf("HMAC-SHA1 size: %7lu iterations: %d time: %3ld.%06ld\n",
+ (unsigned long)size, iterations,
+ (long)tv2.tv_sec, (long)tv2.tv_usec);
+
+ free(buf);
+ krb5_free_keyblock_contents(context, &key);
+}
+
+static void
+time_hmac_evp(krb5_context context, size_t size, int iterations)
+{
+ struct timeval tv1, tv2;
+ struct krb5_crypto_iov iov;
+ struct _krb5_key_data kd;
+ krb5_error_code ret;
+ krb5_keyblock key;
+ krb5_crypto crypto;
+ char sha1_data[20];
+ Checksum result;
+ char *buf;
+ int i;
+
+ ret = krb5_generate_random_keyblock(context,
+ ETYPE_AES128_CTS_HMAC_SHA1_96,
+ &key);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+ buf = calloc(1, size);
+ if (buf == NULL)
+ krb5_errx(context, 1, "out of memory");
+
+ gettimeofday(&tv1, NULL);
+
+ result.checksum.data = &sha1_data;
+ result.checksum.length = sizeof(sha1_data);
+ iov.data.data = buf;
+ iov.data.length = size;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ kd.key = &key;
+ kd.schedule = NULL;
+
+ ret = krb5_crypto_init(context, &key, ETYPE_AES128_CTS_HMAC_SHA1_96,
+ &crypto);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_crypto_init");
+
+ for (i = 0; i < iterations; i++) {
+ ret = _krb5_SP_HMAC_SHA1_checksum(context, crypto, &kd, 0,
+ &iov, 1, &result);
+ if (ret)
+ krb5_err(context, 1, ret, "hmac: %d", i);
+ }
+
+ gettimeofday(&tv2, NULL);
+
+ timevalsub(&tv2, &tv1);
+
+ printf("HMAC-SHA1 (evp) size: %7lu iterations: %d time: %3ld.%06ld\n",
+ (unsigned long)size, iterations,
+ (long)tv2.tv_sec, (long)tv2.tv_usec);
+
+ free(buf);
+ krb5_free_keyblock_contents(context, &key);
+ krb5_crypto_destroy(context, crypto);
+}
+
+static void
time_encryption(krb5_context context, size_t size,
krb5_enctype etype, int iterations)
{
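Review bot: In `time_hmac_evp` the first `gettimeofday(&tv1, NULL)` is taken before `krb5_crypto_init`, so the printed time includes crypto setup, whereas `time_hmac` times only the loop. The two figures are therefore not directly comparable; moving `gettimeofday(&tv1, NULL);` to just before the `for` loop fixes that. Both functions also assign `result.checksum.data = &sha1_data;`, a pointer to the whole array; plain `sha1_data` is the conventional spelling and yields the same address. The hunk ends inside `time_encryption`, whose body is outside it.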
@@ -148,12 +250,195 @@ usage (int ret)
exit (ret);
}
+/* SHA1 test vectors from RFC2202 */
+
+struct rfc2202 {
+ char key[80];
+ int keylen;
+ char data[80];
+ int datalen;
+ char digest[20];
+ int digestlen;
+};
+
+static struct rfc2202 rfc2202_vectors[] =
+{
+ {
+ {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b},
+ 20,
+ "Hi There",
+ 8,
+ {0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
+ 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
+ 0xf1, 0x46, 0xbe, 0x00},
+ 20
+ },
+ {
+ "Jefe",
+ 4,
+ "what do ya want for nothing?",
+ 28,
+ {0xef, 0xfc, 0xdf, 0x6a, 0xe5, 0xeb, 0x2f, 0xa2,
+ 0xd2, 0x74, 0x16, 0xd5, 0xf1, 0x84, 0xdf, 0x9c,
+ 0x25, 0x9a, 0x7c, 0x79},
+ 20
+ },
+ {
+ {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa},
+ 20,
+ {0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd},
+ 50,
+ {0x12, 0x5d, 0x73, 0x42, 0xb9, 0xac, 0x11, 0xcd,
+ 0x91, 0xa3, 0x9a, 0xf4, 0x8a, 0xa1, 0x7b, 0x4f,
+ 0x63, 0xf1, 0x75, 0xd3},
+ 20
+ },
+ {
+ {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x19},
+ 25,
+ {0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd},
+ 50,
+ {0x4c, 0x90, 0x07, 0xf4, 0x02, 0x62, 0x50, 0xc6,
+ 0xbc, 0x84, 0x14, 0xf9, 0xbf, 0x50, 0xc8, 0x6c,
+ 0x2d, 0x72, 0x35, 0xda},
+ 20
+ },
+ {
+ {0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c},
+ 20,
+ "Test With Truncation",
+ 20,
+ {0x4c, 0x1a, 0x03, 0x42, 0x4b, 0x55, 0xe0, 0x7f,
+ 0xe7, 0xf2, 0x7b, 0xe1, 0xd5, 0x8b, 0xb9, 0x32,
+ 0x4a, 0x9a, 0x5a, 0x04},
+ 20
+ },
+ {
+ {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa},
+ 80,
+ "Test Using Larger Than Block-Size Key - Hash Key First",
+ 54,
+ {0xaa, 0x4a, 0xe5, 0xe1, 0x52, 0x72, 0xd0, 0x0e,
+ 0x95, 0x70, 0x56, 0x37, 0xce, 0x8a, 0x3b, 0x55,
+ 0xed, 0x40, 0x21, 0x12},
+ 20
+ },
+ {
+ {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa},
+ 80,
+ "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data",
+ 73,
+ {0xe8, 0xe9, 0x9d, 0x0f, 0x45, 0x23, 0x7d, 0x78,
+ 0x6d, 0x6b, 0xba, 0xa7, 0x96, 0x5c, 0x78, 0x08,
+ 0xbb, 0xff, 0x1a, 0x91},
+ 20
+ }
+};
+
+/* RFC 2202 test vectors for HMAC-SHA1 */
+static void
+test_rfc2202(krb5_context context)
+{
+ int num_tests;
+ int i;
+
+ num_tests = sizeof(rfc2202_vectors) / sizeof(struct rfc2202);
+
+ printf("Running %d RFC2202 HMAC-SHA1 tests\n", num_tests);
+ for (i = 0; i < num_tests; i++) {
+ krb5_keyblock keyblock;
+ Checksum result;
+ struct krb5_crypto_iov iov;
+ struct _krb5_key_data kd;
+ char sha1_data[20];
+ int code;
+
+ memset(&keyblock, 0, sizeof(keyblock));
+ memset(&result, 0, sizeof(result));
+
+ keyblock.keyvalue.length = rfc2202_vectors[i].keylen;
+ keyblock.keyvalue.data = &rfc2202_vectors[i].key;
+
+ result.checksum.data = &sha1_data;
+ result.checksum.length = sizeof(sha1_data);
+
+ code = krb5_hmac(context, CKSUMTYPE_SHA1,
+ &rfc2202_vectors[i].data, rfc2202_vectors[i].datalen,
+ 0, &keyblock, &result);
+
+ if (code != 0)
+ errx(1, "HMAC-SHA1 failed with %d on test %d", code, i + 1);
+
+ if (memcmp(&sha1_data, rfc2202_vectors[i].digest, sizeof(sha1_data)) !=0)
+ errx(1, "Digests don't match on test %d", i);
+
+ printf("Test %d okay\n", (i * 2) + 1);
+
+ /* Now check the same using the internal HMAC function */
+
+ iov.data.data = rfc2202_vectors[i].data;
+ iov.data.length = rfc2202_vectors[i].datalen;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ kd.key = &keyblock;
+ kd.schedule = NULL;
+ code = _krb5_SP_HMAC_SHA1_checksum(context, NULL, &kd, 0,
+ &iov, 1, &result);
+
+ if (code != 0)
+ errx(1, "HMAC-SHA1 failed with %d on test %d", code, i + 1);
+
+ if (memcmp(&sha1_data, rfc2202_vectors[i].digest, sizeof(sha1_data)) !=0)
+ errx(1, "Digests don't match on test %d", i);
+
+ printf("Test %d okay\n", (i * 2) + 2);
+ }
+}
+
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
- int i, enciter, s2kiter;
+ int i, enciter, s2kiter, hmaciter;
int optidx = 0;
krb5_salt salt;
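Review bot: The second half of each iteration in `test_rfc2202` can pass even if `_krb5_SP_HMAC_SHA1_checksum` writes nothing, because `sha1_data` still holds the digest that `krb5_hmac` produced a few lines earlier. Resetting the output before the second call, `memset(sha1_data, 0, sizeof(sha1_data)); result.checksum.length = sizeof(sha1_data);`, makes the second comparison an independent check. `struct rfc2202` stores bytes such as `0xaa` in plain `char` arrays, which relies on implementation-defined conversion where `char` is signed; `unsigned char key[80];` (and likewise for `data` and `digest`) avoids that. Both "Digests don't match" messages print `i` while the neighbouring messages print `i + 1`, so the reported test number is inconsistent.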
@@ -188,9 +473,32 @@ main(int argc, char **argv)
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
+ test_rfc2202(context);
+
enciter = 1000;
+ hmaciter = 10000;
s2kiter = 100;
+ time_hmac(context, 16, hmaciter);
+ time_hmac(context, 32, hmaciter);
+ time_hmac(context, 512, hmaciter);
+ time_hmac(context, 1024, hmaciter);
+ time_hmac(context, 2048, hmaciter);
+ time_hmac(context, 4096, hmaciter);
+ time_hmac(context, 8192, hmaciter);
+ time_hmac(context, 16384, hmaciter);
+ time_hmac(context, 32768, hmaciter);
+
+ time_hmac_evp(context, 16, hmaciter);
+ time_hmac_evp(context, 32, hmaciter);
+ time_hmac_evp(context, 512, hmaciter);
+ time_hmac_evp(context, 1024, hmaciter);
+ time_hmac_evp(context, 2048, hmaciter);
+ time_hmac_evp(context, 4096, hmaciter);
+ time_hmac_evp(context, 8192, hmaciter);
+ time_hmac_evp(context, 16384, hmaciter);
+ time_hmac_evp(context, 32768, hmaciter);
+
for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
krb5_enctype_enable(context, enctypes[i]);
diff --git a/lib/krb5/test_set_kvno0.c b/lib/krb5/test_set_kvno0.c
index 526c240f1c4b..0c7e6b447ae8 100644
--- a/lib/krb5/test_set_kvno0.c
+++ b/lib/krb5/test_set_kvno0.c
@@ -119,8 +119,11 @@ main(int argc, char **argv)
during = "decode_Ticket";
memset(&t, 0, sizeof (t));
ret = decode_Ticket(cred.ticket.data, cred.ticket.length, &t, &len);
- if (ret == ASN1_MISSING_FIELD)
+ if (ret == ASN1_MISSING_FIELD) {
+ krb5_free_cred_contents(context, &cred);
+ memset(&cred, 0, sizeof (cred));
continue;
+ }
if (ret) goto err;
if (t.enc_part.kvno) {
*t.enc_part.kvno = 0;
diff --git a/lib/krb5/test_store.c b/lib/krb5/test_store.c
index 6876cc1db279..163022c561be 100644
--- a/lib/krb5/test_store.c
+++ b/lib/krb5/test_store.c
@@ -201,6 +201,7 @@ test_truncate(krb5_context context, krb5_storage *sp, int fd)
{
struct stat sb;
+ krb5_storage_truncate(sp, 0);
krb5_store_string(sp, "hej");
krb5_storage_truncate(sp, 2);
@@ -214,7 +215,33 @@ test_truncate(krb5_context context, krb5_storage *sp, int fd)
if (fstat(fd, &sb) != 0)
krb5_err(context, 1, errno, "fstat");
if (sb.st_size != 1024)
- krb5_errx(context, 1, "length not 2");
+ krb5_errx(context, 1, "length not 1024");
+}
+
+static void
+test_buffer_issues(krb5_context context, krb5_storage *sp)
+{
+ krb5_error_code ret;
+ size_t i;
+ uint32_t v;
+
+ krb5_storage_set_eof_code(sp, -1);
+ krb5_storage_truncate(sp, 0);
+ for (i=0; i < 4096; i++) {
+ krb5_store_uint32(sp, i);
+ }
+
+ krb5_storage_truncate(sp, 1024);
+ ret = krb5_ret_uint32(sp, &v);
+ if (ret != -1)
+ krb5_errx(context, 1, "Should have received EOF");
+
+ krb5_storage_seek(sp, 8, SEEK_SET);
+ ret = krb5_ret_uint32(sp, &v);
+ if (ret == -1)
+ krb5_errx(context, 1, "Should not have received EOF");
+ if (v != 2)
+ krb5_errx(context, 1, "uint32 should have been 2");
}
static void
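Review bot: In `test_buffer_issues` the results of `krb5_storage_truncate`, `krb5_store_uint32` and `krb5_storage_seek` are discarded, so a failed write or truncate only shows up later as a misleading "Should have received EOF" failure. Checking the store inside the loop, e.g. `if (krb5_store_uint32(sp, i)) krb5_errx(context, 1, "krb5_store_uint32 failed");`, and checking the truncate and seek results as well, would make the test stop at the real cause. A comment before the first read, such as `/* offset is still past the new 1024-byte end, so this read must hit EOF */`, would record why EOF is expected. That reading of the offset is inferred from the test's expectations, not shown in the hunk.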
@@ -306,27 +333,27 @@ main(int argc, char **argv)
krb5_err(context, 1, errno, "open(%s)", fn);
sp = krb5_storage_from_fd(fd);
- close(fd);
if (sp == NULL)
krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
test_storage(context, sp);
+ test_truncate(context, sp, fd);
+ test_buffer_issues(context, sp);
krb5_storage_free(sp);
+ close(fd);
unlink(fn);
- /*
- * test truncate behavior
- */
-
fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600);
if (fd < 0)
krb5_err(context, 1, errno, "open(%s)", fn);
- sp = krb5_storage_from_fd(fd);
+ sp = krb5_storage_stdio_from_fd(fd, "r+");
if (sp == NULL)
- krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
+ krb5_errx(context, 1, "krb5_storage_stdio_from_fd: %s no mem", fn);
+ test_storage(context, sp);
test_truncate(context, sp, fd);
+ test_buffer_issues(context, sp);
krb5_storage_free(sp);
close(fd);
unlink(fn);
diff --git a/lib/krb5/test_time.c b/lib/krb5/test_time.c
index 36c78088bfec..9c6d1cc9a44d 100644
--- a/lib/krb5/test_time.c
+++ b/lib/krb5/test_time.c
@@ -54,11 +54,11 @@ check_set_time(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_us_timeofday");
- diff2 = labs(sec - tv.tv_sec);
+ diff2 = krb5_time_abs(sec, tv.tv_sec);
if (diff2 < 9 || diff > 11)
krb5_errx(context, 1, "set time error: diff: %ld",
- labs(sec - tv.tv_sec));
+ krb5_time_abs(sec, tv.tv_sec));
}
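Review bot: The `%ld` argument in the `krb5_errx` call is now `krb5_time_abs(sec, tv.tv_sec)`, which returns `krb5_deltat` rather than `long`. The ticket.c change in this same commit adds a `(long)` cast for the same format, and this call should match: `(long)krb5_time_abs(sec, tv.tv_sec)`. Separately, the unchanged condition `diff2 < 9 || diff > 11` mixes `diff2` and `diff`. Both are declared outside the hunk, so this may be intentional, but it reads like a typo worth confirming.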
diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
index ef9965060516..d19fcc64f9f4 100644
--- a/lib/krb5/ticket.c
+++ b/lib/krb5/ticket.c
@@ -147,7 +147,7 @@ krb5_ticket_get_server(krb5_context context,
}
/**
- * Return end time of ticket
+ * Return end time of a ticket
*
* @param context a Kerberos 5 context
* @param ticket ticket to copy
@@ -165,6 +165,29 @@ krb5_ticket_get_endtime(krb5_context context,
}
/**
+ * Return authentication, start, end, and renew limit times of a ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ * @param t pointer to krb5_times structure
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_ticket_get_times(krb5_context context,
+ const krb5_ticket *ticket,
+ krb5_times *t)
+{
+ t->authtime = ticket->ticket.authtime;
+ t->starttime = ticket->ticket.starttime ? *ticket->ticket.starttime :
+ t->authtime;
+ t->endtime = ticket->ticket.endtime;
+ t->renew_till = ticket->ticket.renew_till ? *ticket->ticket.renew_till :
+ t->endtime;
+}
+
+/**
* Get the flags from the Kerberos ticket
*
* @param context Kerberos context
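Review bot: The doc comment on `krb5_ticket_get_times` says `@param ticket ticket to copy`, carried over from the neighbouring getters, and does not mention the fallbacks the body applies. When the ticket has no `starttime` the function reports `authtime`, and when it has no `renew_till` it reports `endtime`, so a caller cannot tell a non-renewable ticket from one renewable until its end time. I would document that, e.g. `@param ticket ticket to read the times from` and `@param t filled in on return; starttime falls back to authtime and renew_till to endtime when the ticket omits them`. Neither `ticket` nor `t` is checked for NULL, which is worth stating as a precondition as well.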
@@ -181,13 +204,38 @@ krb5_ticket_get_flags(krb5_context context,
return TicketFlags2int(ticket->ticket.flags);
}
+/*
+ * Find an authz-data element in the given `ad'. If `failp', then validate any
+ * containing AD-KDC-ISSUED's keyed checksum with the `sessionkey' (if given).
+ *
+ * All AD-KDC-ISSUED will be validated (if requested) even when `type' is
+ * `KRB5_AUTHDATA_KDC_ISSUED'.
+ *
+ * Only the first matching element will be output (via `data').
+ *
+ * Note that all AD-KDC-ISSUEDs found while traversing the authz-data will be
+ * validated, though only the first one will be returned.
+ *
+ * XXX We really need a better interface though. First, forget AD-AND-OR --
+ * just remove it. Second, probably forget AD-KDC-ISSUED, but still, between
+ * that, the PAC, and the CAMMAC, we need an interface that can:
+ *
+ * a) take the derived keys instead of the service key or the session key,
+ * b) can indicate whether the element was marked critical,
+ * c) can indicate whether the element was authenticated to the KDC,
+ * d) can iterate over all the instances found (if more than one is found).
+ *
+ * Also, we need to know here if the authz-data is from a Ticket or from an
+ * Authenticator -- if the latter then we must refuse to find AD-KDC-ISSUED /
+ * PAC / CAMMAC or anything of the sort, ever.
+ */
static int
find_type_in_ad(krb5_context context,
int type,
- krb5_data *data,
+ krb5_data *data, /* optional */
krb5_boolean *found,
- krb5_boolean failp,
- krb5_keyblock *sessionkey,
+ krb5_boolean failp, /* validate AD-KDC-ISSUED */
+ krb5_keyblock *sessionkey, /* ticket session key */
const AuthorizationData *ad,
int level)
{
@@ -210,14 +258,19 @@ find_type_in_ad(krb5_context context,
*/
for (i = 0; i < ad->len; i++) {
if (!*found && ad->val[i].ad_type == type) {
- ret = der_copy_octet_string(&ad->val[i].ad_data, data);
- if (ret) {
- krb5_set_error_message(context, ret,
- N_("malloc: out of memory", ""));
- goto out;
- }
+ if (data) {
+ ret = der_copy_octet_string(&ad->val[i].ad_data, data);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ }
*found = TRUE;
- continue;
+ if (type != KRB5_AUTHDATA_KDC_ISSUED ||
+ !failp || !sessionkey || !sessionkey->keyvalue.length)
+ continue;
+ /* else go on to validate the AD-KDC-ISSUED's keyed checksum */
}
switch (ad->val[i].ad_type) {
case KRB5_AUTHDATA_IF_RELEVANT: {
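Review bot: The new `continue` condition in the match branch lets an AD-KDC-ISSUED element be returned unverified when `failp` is set but no usable `sessionkey` is given. With `type == KRB5_AUTHDATA_KDC_ISSUED`, `!sessionkey || !sessionkey->keyvalue.length` takes the `continue` after `*found = TRUE`. The `case KRB5_AUTHDATA_KDC_ISSUED` hunk further down fails the same situation with `ENOENT`, and the new header comment promises validation whenever it is requested. Dropping the key tests here, `if (type != KRB5_AUTHDATA_KDC_ISSUED || !failp) continue;`, would let the switch case reject the missing-key case consistently. Only part of `find_type_in_ad` is visible in these hunks, so confirm against the full body.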
@@ -240,7 +293,6 @@ find_type_in_ad(krb5_context context,
goto out;
break;
}
-#if 0 /* XXX test */
case KRB5_AUTHDATA_KDC_ISSUED: {
AD_KDCIssued child;
@@ -255,7 +307,7 @@ find_type_in_ad(krb5_context context,
ret);
goto out;
}
- if (failp) {
+ if (failp && sessionkey && sessionkey->keyvalue.length) {
krb5_boolean valid;
krb5_data buf;
size_t len;
@@ -283,7 +335,12 @@ find_type_in_ad(krb5_context context,
free_AD_KDCIssued(&child);
goto out;
}
- }
+ } else if (failp) {
+ krb5_clear_error_message(context);
+ ret = ENOENT;
+ free_AD_KDCIssued(&child);
+ goto out;
+ }
ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
&child.elements, level + 1);
free_AD_KDCIssued(&child);
@@ -291,7 +348,6 @@ find_type_in_ad(krb5_context context,
goto out;
break;
}
-#endif
case KRB5_AUTHDATA_AND_OR:
if (!failp)
break;
@@ -315,7 +371,8 @@ find_type_in_ad(krb5_context context,
out:
if (ret) {
if (*found) {
- krb5_data_free(data);
+ if (data)
+ krb5_data_free(data);
*found = 0;
}
}
@@ -332,7 +389,8 @@ _krb5_get_ad(krb5_context context,
krb5_boolean found = FALSE;
krb5_error_code ret;
- krb5_data_zero(data);
+ if (data)
+ krb5_data_zero(data);
if (ad == NULL) {
krb5_set_error_message(context, ENOENT,
@@ -376,12 +434,13 @@ krb5_ticket_get_authorization_data_type(krb5_context context,
krb5_error_code ret;
krb5_boolean found = FALSE;
- krb5_data_zero(data);
+ if (data)
+ krb5_data_zero(data);
ad = ticket->ticket.authorization_data;
if (ticket->ticket.authorization_data == NULL) {
krb5_set_error_message(context, ENOENT,
- N_("Ticket have not authorization data", ""));
+ N_("Ticket has no authorization data", ""));
return ENOENT; /* XXX */
}
@@ -391,7 +450,7 @@ krb5_ticket_get_authorization_data_type(krb5_context context,
return ret;
if (!found) {
krb5_set_error_message(context, ENOENT,
- N_("Ticket have not "
+ N_("Ticket has no "
"authorization data of type %d", ""),
type);
return ENOENT; /* XXX */
@@ -729,9 +788,9 @@ _krb5_extract_ticket(krb5_context context,
/* compare client and save */
ret = _krb5_principalname2krb5_principal(context,
- &tmp_principal,
- rep->kdc_rep.cname,
- rep->kdc_rep.crealm);
+ &tmp_principal,
+ rep->kdc_rep.cname,
+ rep->kdc_rep.crealm);
if (ret)
goto out;
@@ -762,12 +821,19 @@ _krb5_extract_ticket(krb5_context context,
creds->client = tmp_principal;
/* check server referral and save principal */
- ret = _krb5_principalname2krb5_principal (context,
- &tmp_principal,
- rep->enc_part.sname,
- rep->enc_part.srealm);
+ ret = _krb5_kdcrep2krb5_principal(context, &tmp_principal, &rep->enc_part);
if (ret)
goto out;
+
+ tmp_principal->nameattrs->peer_realm =
+ calloc(1, sizeof(tmp_principal->nameattrs->peer_realm[0]));
+ if (tmp_principal->nameattrs->peer_realm == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ ret = copy_Realm(&creds->client->realm, tmp_principal->nameattrs->peer_realm);
+ if (ret) goto out;
+
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
ret = check_server_referral(context,
rep,
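Review bot: The added block dereferences `tmp_principal->nameattrs` right after `_krb5_kdcrep2krb5_principal` succeeds, with no check that `nameattrs` is non-NULL. That holds only if the helper always allocates it, which is not visible here. The two new `goto out` paths (the `calloc` failure and the `copy_Realm` failure) also leave `tmp_principal` allocated. If the `out:` label, which is outside the hunk, does not free it, both paths leak the principal; adding `krb5_free_principal(context, tmp_principal);` before each `goto out` would cover that. A `nameattrs == NULL` guard or an assertion documenting the helper's guarantee would make the first point explicit.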
@@ -827,11 +893,11 @@ _krb5_extract_ticket(krb5_context context,
tmp_time = rep->enc_part.authtime;
if (creds->times.starttime == 0
- && labs(tmp_time - sec_now) > context->max_skew) {
+ && krb5_time_abs(tmp_time, sec_now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_set_error_message (context, ret,
N_("time skew (%ld) larger than max (%ld)", ""),
- labs(tmp_time - sec_now),
+ (long)krb5_time_abs(tmp_time, sec_now),
(long)context->max_skew);
goto out;
}
diff --git a/lib/krb5/time.c b/lib/krb5/time.c
index 247549ba2372..d0d4af1a4698 100644
--- a/lib/krb5/time.c
+++ b/lib/krb5/time.c
@@ -127,3 +127,12 @@ krb5_string_to_deltat(const char *string, krb5_deltat *deltat)
return KRB5_DELTAT_BADFORMAT;
return 0;
}
+
+krb5_deltat
+krb5_time_abs(krb5_deltat t1, krb5_deltat t2)
+{
+ krb5_deltat t = t1 - t2;
+ if (t < 0)
+ return -t;
+ return t;
+}
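Review bot: `krb5_time_abs` computes `t1 - t2` and then `-t` in the signed type `krb5_deltat`, and both operations are undefined behaviour on overflow. This commit uses the function for the clock-skew check in ticket.c on `rep->enc_part.authtime`, so its input range is not fully under local control. Writing it as `return t1 > t2 ? t1 - t2 : t2 - t1;` removes the negation case. The parameters are `krb5_deltat` while callers pass timestamps; if that type is narrower than `time_t` the values are truncated before the subtraction, and the typedef is not visible here. The function is also exported in version-script.map without a doc comment, and one stating the assumed range of the arguments would help.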
diff --git a/lib/krb5/transited.c b/lib/krb5/transited.c
index 8ad122afa92b..484fd398c296 100644
--- a/lib/krb5/transited.c
+++ b/lib/krb5/transited.c
@@ -274,8 +274,11 @@ decode_realms(krb5_context context,
}
if(tr[i] == ','){
tmp = malloc(tr + i - start + 1);
- if(tmp == NULL)
+ if(tmp == NULL) {
+ free_realms(*realms);
+ *realms = NULL;
return krb5_enomem(context);
+ }
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
@@ -356,8 +359,6 @@ krb5_domain_x500_decode(krb5_context context,
{
char **R;
R = malloc((*num_realms + 1) * sizeof(*R));
- if (R == NULL)
- return krb5_enomem(context);
*realms = R;
while(r){
*R++ = r->realm;
@@ -365,6 +366,8 @@ krb5_domain_x500_decode(krb5_context context,
free(r);
r = p;
}
+ if (*realms == NULL)
+ return krb5_enomem(context);
}
return 0;
}
@@ -624,11 +627,12 @@ krb5_check_transited(krb5_context context,
return ret;
for (i = 0; i < num_realms; i++) {
- for (j = 0; j < num_capath; ++j) {
+ for (j = 0; j < num_capath && capath[j]; ++j) {
+ /* `capath[j]' can't be NULL, but compilers be dumb */
if (strcmp(realms[i], capath[j]) == 0)
break;
}
- if (j == num_capath) {
+ if (j == num_capath || !capath[j]) {
_krb5_free_capath(context, capath);
krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT,
N_("no transit allowed "
diff --git a/lib/krb5/verify_krb5_conf.c b/lib/krb5/verify_krb5_conf.c
index 0db8807a4a12..c258a2bd3b99 100644
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -37,7 +37,6 @@
#include <err.h>
/* verify krb5.conf */
-
static int dumpconfig_flag = 0;
static int version_flag = 0;
static int help_flag = 0;
@@ -217,6 +216,20 @@ check_host(krb5_context context, const char *path, char *data)
}
static int
+check_directory(krb5_context context, const char *path, char *data)
+{
+ DIR *d = opendir(data);
+ if (d == NULL) {
+ krb5_warn(context, errno, "%s: could not open directory `%s'",
+ path, data);
+ return 1;
+ }
+
+ closedir(d);
+ return 0;
+}
+
+static int
mit_entry(krb5_context context, const char *path, char *data)
{
if (warn_mit_syntax_flag)
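Review bot: `check_directory` only proves that the directory can be opened, but it is wired to `plugin_dir` in both the libdefaults and kadmin tables, where the more useful check is who can write to it. Since modules are loaded from that path, the verifier could also warn when the directory is group- or world-writable, as sketched below. The sketch uses POSIX mode bits and assumes `<sys/stat.h>` is already reachable from this file. The tree also has an NTMakefile, so it would need a platform guard there. Returning 1 for this case mirrors the existing failure return, and whether it should be a hard failure or only a warning is a policy choice.

```c
    DIR *d = opendir(data);
    struct stat st;
    /* … unchanged: opendir() failure warning and return 1 … */

    /* Modules are loaded from here, so it should not be writable by group or others. */
    if (stat(data, &st) == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        krb5_warnx(context, "%s: directory `%s' is group- or world-writable",
                   path, data);
        closedir(d);
        return 1;
    }
```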
@@ -278,7 +291,7 @@ static struct s2i syslogvals[] = {
static int
find_value(const char *s, struct s2i *table)
{
- while(table->s && strcasecmp(table->s, s))
+ while (table->s && strcasecmp(table->s, s) != 0)
table++;
return table->val;
}
@@ -389,8 +402,11 @@ struct entry libdefaults_entries[] = {
{ "clockskew", krb5_config_string, check_time, 0 },
{ "date_format", krb5_config_string, NULL, 0 },
{ "default_as_etypes", krb5_config_string, NULL, 0 },
+ { "default_ccache_name", krb5_config_string, NULL, 0 },
+ { "default_client_keytab_name", krb5_config_string, NULL, 0 },
{ "default_cc_name", krb5_config_string, NULL, 0 },
{ "default_cc_type", krb5_config_string, NULL, 0 },
+ { "default_cc_collection", krb5_config_string, NULL, 0 },
{ "default_etypes", krb5_config_string, NULL, 0 },
{ "default_etypes_des", krb5_config_string, NULL, 0 },
{ "default_keytab_modify_name", krb5_config_string, NULL, 0 },
@@ -398,7 +414,7 @@ struct entry libdefaults_entries[] = {
{ "default_keytab_modify_name", krb5_config_string, NULL, 0 },
{ "default_realm", krb5_config_string, NULL, 0 },
{ "default_tgs_etypes", krb5_config_string, NULL, 0 },
- { "dns_canonize_hostname", krb5_config_string, check_boolean, 0 },
+ { "dns_canonicalize_hostname", krb5_config_string, check_boolean, 0 },
{ "dns_proxy", krb5_config_string, NULL, 0 },
{ "dns_lookup_kdc", krb5_config_string, check_boolean, 0 },
{ "dns_lookup_realm", krb5_config_string, check_boolean, 0 },
@@ -428,6 +444,7 @@ struct entry libdefaults_entries[] = {
{ "name_canon_rules", krb5_config_string, NULL, 0 },
{ "no-addresses", krb5_config_string, check_boolean, 0 },
{ "pkinit_dh_min_bits", krb5_config_string, NULL, 0 },
+ { "plugin_dir", krb5_config_string, check_directory, 0 },
{ "proxiable", krb5_config_string, check_boolean, 0 },
{ "renew_lifetime", krb5_config_string, check_time, 0 },
{ "scan_interfaces", krb5_config_string, check_boolean, 0 },
@@ -571,6 +588,7 @@ struct entry kdc_entries[] = {
{ "logging", krb5_config_string, check_log, 0 },
{ "max-kdc-datagram-reply-length", krb5_config_string, check_bytes, 0 },
{ "max-request", krb5_config_string, check_bytes, 0 },
+ { "num-kdc-processes", krb5_config_string, check_numeric, 0 },
{ "pkinit_allow_proxy_certificate", krb5_config_string, check_boolean, 0 },
{ "pkinit_anchors", krb5_config_string, NULL, 0 },
{ "pkinit_dh_min_bits", krb5_config_string, check_numeric, 0 },
@@ -586,6 +604,7 @@ struct entry kdc_entries[] = {
{ "preauth-use-strongest-session-key", krb5_config_string, check_boolean, 0 },
{ "require_initial_kca_tickets", krb5_config_string, check_boolean, 0 },
{ "require-preauth", krb5_config_string, check_boolean, 0 },
+ { "strict-nametypes", krb5_config_string, check_boolean, 0 },
{ "svc-use-strongest-session-key", krb5_config_string, check_boolean, 0 },
{ "tgt-use-strongest-session-key", krb5_config_string, check_boolean, 0 },
{ "transited-policy", krb5_config_string, NULL, 0 },
@@ -599,6 +618,7 @@ struct entry kadmin_entries[] = {
{ "allow_self_change_password", krb5_config_string, check_boolean, 0 },
{ "default_keys", krb5_config_string, NULL, 0 },
{ "password_lifetime", krb5_config_string, check_time, 0 },
+ { "plugin_dir", krb5_config_string, check_directory, 0 },
{ "require-preauth", krb5_config_string, check_boolean, 0 },
{ "save-password", krb5_config_string, check_boolean, 0 },
{ "use_v4_salt", krb5_config_string, NULL, 0 },
@@ -632,6 +652,7 @@ struct entry kcm_entries[] = {
};
struct entry password_quality_entries[] = {
+ { "enforce_on_admin_set", krb5_config_string, check_boolean, 0 },
{ "check_function", krb5_config_string, NULL, 0 },
{ "check_library", krb5_config_string, NULL, 0 },
{ "external_program", krb5_config_string, NULL, 0 },
diff --git a/lib/krb5/verify_krb5_conf.cat8 b/lib/krb5/verify_krb5_conf.cat8
deleted file mode 100644
index 289f2f1cb278..000000000000
--- a/lib/krb5/verify_krb5_conf.cat8
+++ /dev/null
@@ -1,56 +0,0 @@
-VERIFY_KRB5_CONF(8) BSD System Manager's Manual VERIFY_KRB5_CONF(8)
-
-NAME
- verify_krb5_conf -- checks krb5.conf for obvious errors
-
-SYNOPSIS
- verify_krb5_conf [config-file]
-
-DESCRIPTION
- verify_krb5_conf reads the configuration file krb5.conf, or the file
- given on the command line, parses it, checking verifying that the syntax
- is not correctly wrong.
-
- If the file is syntactically correct, verify_krb5_conf tries to verify
- that the contents of the file is of relevant nature.
-
-ENVIRONMENT
- KRB5_CONFIG points to the configuration file to read.
-
-FILES
- /etc/krb5.conf Kerberos 5 configuration file
-
-DIAGNOSTICS
- Possible output from verify_krb5_conf include:
-
- <path>: failed to parse <something> as size/time/number/boolean
- Usually means that <something> is misspelled, or that it contains
- weird characters. The parsing done by verify_krb5_conf is more
- strict than the one performed by libkrb5, so strings that work in
- real life might be reported as bad.
-
- <path>: host not found (<hostname>)
- Means that <path> is supposed to point to a host, but it can't be
- recognised as one.
-
- <path>: unknown or wrong type
- Means that <path> is either a string when it should be a list,
- vice versa, or just that verify_krb5_conf is confused.
-
- <path>: unknown entry
- Means that <string> is not known by verify_krb5_conf.
-
-SEE ALSO
- krb5.conf(5)
-
-BUGS
- Since each application can put almost anything in the config file, it's
- hard to come up with a watertight verification process. Most of the de-
- fault settings are sanity checked, but this does not mean that every
- problem is discovered, or that everything that is reported as a possible
- problem actually is one. This tool should thus be used with some care.
-
- It should warn about obsolete data, or bad practice, but currently
- doesn't.
-
-HEIMDAL December 8, 2004 HEIMDAL
diff --git a/lib/krb5/verify_user.c b/lib/krb5/verify_user.c
index 663196b29b15..c6ead8e42b2d 100644
--- a/lib/krb5/verify_user.c
+++ b/lib/krb5/verify_user.c
@@ -40,7 +40,7 @@ verify_common (krb5_context context,
krb5_keytab keytab,
krb5_boolean secure,
const char *service,
- krb5_creds cred)
+ krb5_creds *cred)
{
krb5_error_code ret;
krb5_principal server;
@@ -56,7 +56,7 @@ verify_common (krb5_context context,
krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
ret = krb5_verify_init_creds(context,
- &cred,
+ cred,
server,
keytab,
NULL,
@@ -71,12 +71,11 @@ verify_common (krb5_context context,
if(ret == 0){
ret = krb5_cc_initialize(context, id, principal);
if(ret == 0){
- ret = krb5_cc_store_cred(context, id, &cred);
+ ret = krb5_cc_store_cred(context, id, cred);
}
if(ccache == NULL)
krb5_cc_close(context, id);
}
- krb5_free_cred_contents(context, &cred);
return ret;
}
@@ -172,10 +171,12 @@ verify_user_opt_int(krb5_context context,
if(ret)
return ret;
#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
- return verify_common (context, principal, OPT(ccache, NULL),
+ ret = verify_common (context, principal, OPT(ccache, NULL),
OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
- OPT(service, "host"), cred);
+ OPT(service, "host"), &cred);
#undef OPT
+ krb5_free_cred_contents(context, &cred);
+ return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map
index 4e7225612a7a..f6278e9ecbf6 100644
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -24,6 +24,8 @@ HEIMDAL_KRB5_2.0 {
krb5_appdefault_time;
krb5_append_addresses;
krb5_auth_con_addflags;
+ krb5_auth_con_add_AuthorizationData;
+ krb5_auth_con_add_AuthorizationDataIfRelevant;
krb5_auth_con_free;
krb5_auth_con_genaddrs;
krb5_auth_con_generatelocalsubkey;
@@ -83,9 +85,12 @@ HEIMDAL_KRB5_2.0 {
krb5_cc_cache_next;
krb5_cc_clear_mcred;
krb5_cc_close;
+ krb5_cc_configured_default_name;
krb5_cc_copy_cache;
krb5_cc_copy_match_f;
krb5_cc_default;
+ krb5_cc_default_for;
+ krb5_cc_default_sub;
krb5_cc_default_name;
krb5_cc_destroy;
krb5_cc_end_seq_get;
@@ -110,6 +115,8 @@ HEIMDAL_KRB5_2.0 {
krb5_cc_register;
krb5_cc_remove_cred;
krb5_cc_resolve;
+ krb5_cc_resolve_for;
+ krb5_cc_resolve_sub;
krb5_cc_retrieve_cred;
krb5_cc_set_config;
krb5_cc_set_default_name;
@@ -183,6 +190,7 @@ HEIMDAL_KRB5_2.0 {
krb5_crypto_init;
krb5_crypto_overhead;
krb5_crypto_prf;
+ krb5_crypto_prfplus;
krb5_crypto_prf_length;
krb5_crypto_length;
krb5_crypto_length_iov;
@@ -196,6 +204,7 @@ HEIMDAL_KRB5_2.0 {
krb5_data_free;
krb5_data_realloc;
krb5_data_zero;
+ krb5_debug;
krb5_decode_Authenticator;
krb5_decode_ETYPE_INFO2;
krb5_decode_ETYPE_INFO;
@@ -362,11 +371,13 @@ HEIMDAL_KRB5_2.0 {
krb5_get_init_creds_opt_set_tkt_life;
krb5_get_init_creds_opt_set_win2k;
krb5_get_init_creds_password;
+ krb5_get_instance;
krb5_get_kdc_cred;
krb5_get_kdc_sec_offset;
krb5_get_krb524hst;
krb5_get_krb_admin_hst;
krb5_get_krb_changepw_hst;
+ krb5_get_krb_readonly_admin_hst;
krb5_get_krbhst;
krb5_get_max_time_skew;
krb5_get_pw_salt;
@@ -379,12 +390,14 @@ HEIMDAL_KRB5_2.0 {
krb5_h_addr2addr;
krb5_h_addr2sockaddr;
krb5_h_errno_to_heim_errno;
+ krb5_have_debug;
krb5_have_error_string;
krb5_hmac;
krb5_init_context;
krb5_init_ets;
krb5_initlog;
krb5_is_config_principal;
+ krb5_is_enctype_old;
krb5_is_enctype_weak;
krb5_is_thread_safe;
krb5_kcm_call;
@@ -428,13 +441,29 @@ HEIMDAL_KRB5_2.0 {
krb5_kt_resolve;
krb5_kt_start_seq_get;
krb5_kuserok;
+ krb5_kx509;
+ krb5_kx509_ctx_add_eku;
+ krb5_kx509_ctx_add_san_dns_name;
+ krb5_kx509_ctx_add_san_ms_upn;
+ krb5_kx509_ctx_add_san_pkinit;
+ krb5_kx509_ctx_add_san_registeredID;
+ krb5_kx509_ctx_add_san_rfc822Name;
+ krb5_kx509_ctx_add_san_xmpp;
+ krb5_kx509_ctx_free;
+ krb5_kx509_ctx_init;
+ krb5_kx509_ctx_set_csr_der;
+ krb5_kx509_ctx_set_key;
+ krb5_kx509_ctx_set_realm;
+ krb5_kx509_ext;
krb5_log;
krb5_log_msg;
krb5_make_addrport;
krb5_make_principal;
krb5_max_sockaddr_size;
+ krb5_mk_1cred;
krb5_mk_error;
krb5_mk_error_ext;
+ krb5_mk_ncred;
krb5_mk_priv;
krb5_mk_rep;
krb5_mk_req;
@@ -466,11 +495,14 @@ HEIMDAL_KRB5_2.0 {
krb5_pac_add_buffer;
krb5_pac_free;
krb5_pac_get_buffer;
+ _krb5_pac_get_buffer_by_name;
+ krb5_pac_get_kdc_checksum_info;
krb5_pac_get_types;
krb5_pac_init;
krb5_pac_parse;
krb5_pac_verify;
krb5_padata_add;
+ _krb5_parse_address_no_lookup;
krb5_parse_address;
krb5_parse_name;
krb5_parse_name_flags;
@@ -495,7 +527,9 @@ HEIMDAL_KRB5_2.0 {
krb5_principal_set_realm;
krb5_principal_set_type;
krb5_principal_is_anonymous;
+ krb5_principal_is_federated;
krb5_principal_is_krbtgt;
+ krb5_principal_is_root_krbtgt;
krb5_print_address;
krb5_program_setup;
krb5_prompter_posix;
@@ -571,6 +605,9 @@ HEIMDAL_KRB5_2.0 {
krb5_sendto_ctx_set_type;
krb5_sendto_kdc;
krb5_sendto_kdc_flags;
+ krb5_sendto_set_hostname;
+ krb5_sendto_set_sitename;
+ krb5_set_config;
krb5_set_config_files;
krb5_set_debug_dest;
krb5_set_default_in_tkt_etypes;
@@ -583,6 +620,7 @@ HEIMDAL_KRB5_2.0 {
krb5_set_home_dir_access;
krb5_set_ignore_addresses;
krb5_set_kdc_sec_offset;
+ krb5_set_log_dest;
krb5_set_max_time_skew;
krb5_set_password;
krb5_set_password_using_ccache;
@@ -609,6 +647,7 @@ HEIMDAL_KRB5_2.0 {
krb5_storage_get_eof_code;
krb5_storage_is_flags;
krb5_storage_read;
+ krb5_storage_stdio_from_fd;
krb5_storage_seek;
krb5_storage_set_byteorder;
krb5_storage_set_eof_code;
@@ -620,9 +659,11 @@ HEIMDAL_KRB5_2.0 {
krb5_store_address;
krb5_store_addrs;
krb5_store_authdata;
+ krb5_store_bytes;
krb5_store_creds;
krb5_store_creds_tag;
krb5_store_data;
+ krb5_store_datalen;
krb5_store_int16;
krb5_store_int32;
krb5_store_int64;
@@ -646,11 +687,13 @@ HEIMDAL_KRB5_2.0 {
krb5_string_to_key_derived;
krb5_string_to_key_salt;
krb5_string_to_key_salt_opaque;
+ krb5_string_to_keysalts2;
krb5_string_to_keytype;
krb5_string_to_salttype;
krb5_ticket_get_authorization_data_type;
krb5_ticket_get_client;
krb5_ticket_get_endtime;
+ krb5_ticket_get_times;
krb5_ticket_get_server;
krb5_timeofday;
krb5_unparse_name;
@@ -699,6 +742,7 @@ HEIMDAL_KRB5_2.0 {
krb5_cccol_cursor_new;
krb5_cccol_cursor_next;
krb5_cccol_cursor_free;
+ krb5_cccol_get_default_ccname;
# com_err error tables
initialize_krb5_error_table_r;
@@ -709,12 +753,15 @@ HEIMDAL_KRB5_2.0 {
initialize_heim_error_table;
initialize_k524_error_table_r;
initialize_k524_error_table;
+ initialize_k5e1_error_table_r;
+ initialize_k5e1_error_table;
# variables
krb5_dcc_ops;
krb5_mcc_ops;
krb5_acc_ops;
krb5_fcc_ops;
+ krb5_krcc_ops;
krb5_scc_ops;
krb5_kcm_ops;
krb5_wrfkt_ops;
@@ -730,6 +777,7 @@ HEIMDAL_KRB5_2.0 {
krb5_cc_type_file;
krb5_cc_type_memory;
krb5_cc_type_kcm;
+ krb5_cc_type_keyring;
krb5_cc_type_scc;
# shared with HDB
@@ -741,6 +789,26 @@ HEIMDAL_KRB5_2.0 {
_krb5_crc_update;
_krb5_get_krbtgt;
_krb5_build_authenticator;
+ _krb5_kt_client_default_name;
+ _krb5_have_debug;
+ _krb5_SP800_108_HMAC_KDF;
+ _krb5_get_ad;
+
+ # Shared with GSSAPI preauth wrapper
+ _krb5_init_creds_set_gss_mechanism;
+ _krb5_init_creds_get_gss_mechanism;
+ _krb5_init_creds_set_gss_cred;
+ _krb5_init_creds_get_gss_cred;
+ _krb5_init_creds_init_gss;
+
+ # Private init_creds API
+ _krb5_init_creds_get_cred_starttime;
+ _krb5_init_creds_get_cred_endtime;
+ _krb5_init_creds_get_cred_client;
+
+ # Shared with libkadm5
+ _krb5_load_plugins;
+ _krb5_unload_plugins;
# Shared with libkdc
_krb5_AES_SHA1_string_to_default_iterator;
@@ -750,19 +818,28 @@ HEIMDAL_KRB5_2.0 {
_krb5_get_int;
_krb5_get_int64;
_krb5_pac_sign;
+ _krb5_pac_get_attributes_info;
+ _krb5_pac_get_canon_principal;
+ _krb5_kdc_pac_sign_ticket;
+ _krb5_kdc_pac_ticket_parse;
+ _kdc_tkt_insert_pac;
+ _kdc_tkt_add_if_relevant_ad;
_krb5_parse_moduli;
_krb5_pk_kdf;
_krb5_pk_load_id;
_krb5_pk_mk_ContentInfo;
_krb5_pk_octetstring2key;
- _krb5_plugin_find;
- _krb5_plugin_free;
_krb5_plugin_run_f;
_krb5_principal2principalname;
_krb5_principalname2krb5_principal;
+ _krb5_kdcrep2krb5_principal;
+ _krb5_ticket2krb5_principal;
_krb5_put_int;
_krb5_s4u2self_to_checksumdata;
_krb5_HMAC_MD5_checksum;
+ _krb5_crypto_set_flags;
+ _krb5_make_pa_enc_challenge;
+ _krb5_validate_pa_enc_challenge;
# kinit helper
krb5_get_init_creds_opt_set_pkinit_user_certs;
@@ -770,24 +847,35 @@ HEIMDAL_KRB5_2.0 {
krb5_process_last_request;
krb5_init_creds_init;
krb5_init_creds_set_service;
+ krb5_init_creds_set_fast_anon_pkinit;
+ _krb5_init_creds_set_fast_anon_pkinit_optimistic;
krb5_init_creds_set_fast_ccache;
krb5_init_creds_set_keytab;
+ krb5_init_creds_set_kdc_hostname;
krb5_init_creds_get;
+ krb5_init_creds_get_as_reply_key;
krb5_init_creds_get_creds;
krb5_init_creds_get_error;
krb5_init_creds_set_password;
+ krb5_init_creds_set_sitename;
+ krb5_init_creds_step;
krb5_init_creds_store;
+ krb5_init_creds_store_config;
krb5_init_creds_free;
+ krb5_init_creds_warn_user;
# testing
+ krb5_time_abs;
_krb5_aes_cts_encrypt;
_krb5_n_fold;
_krb5_expand_default_cc_name;
_krb5_expand_path_tokensv;
+ _krb5_expand_path_tokens;
# FAST
_krb5_fast_cf2;
_krb5_fast_armor_key;
+ _krb5_fast_explicit_armor_key;
# TGS
_krb5_find_capath;
diff --git a/lib/krb5/warn.c b/lib/krb5/warn.c
index 8269aff7416e..65a7db6b8ce1 100644
--- a/lib/krb5/warn.c
+++ b/lib/krb5/warn.c
@@ -31,6 +31,11 @@
* SUCH DAMAGE.
*/
+#if defined(_MSC_VER)
+# pragma warning(disable: 4646)
+# pragma warning(disable: 4716)
+#endif
+
#include "krb5_locl.h"
#include <err.h>
@@ -42,54 +47,16 @@ static krb5_error_code
_warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)
{
- char xfmt[7] = "";
- const char *args[2], **arg;
- char *msg = NULL;
- const char *err_str = NULL;
- krb5_error_code ret;
-
- args[0] = args[1] = NULL;
- arg = args;
- if(fmt){
- strlcat(xfmt, "%s", sizeof(xfmt));
- if(do_errtext)
- strlcat(xfmt, ": ", sizeof(xfmt));
- ret = vasprintf(&msg, fmt, ap);
- if(ret < 0 || msg == NULL)
- return ENOMEM;
- *arg++ = msg;
- }
- if(context && do_errtext){
- strlcat(xfmt, "%s", sizeof(xfmt));
-
- err_str = krb5_get_error_message(context, code);
- if (err_str != NULL) {
- *arg = err_str;
- } else {
- *arg= "<unknown error>";
- }
- }
-
- if(context && context->warn_dest)
- krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]);
+ if (do_errtext)
+ return heim_vwarn(context ? context->hcontext : NULL, code, fmt, ap);
else
- warnx(xfmt, args[0], args[1]);
- free(msg);
- krb5_free_error_message(context, err_str);
- return 0;
+ return heim_vwarnx(context ? context->hcontext : NULL, fmt, ap);
}
-#define FUNC(ETEXT, CODE, LEVEL) \
- krb5_error_code ret; \
- va_list ap; \
- va_start(ap, fmt); \
- ret = _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); \
- va_end(ap);
-
-#define FUNC_NORET(ETEXT, CODE, LEVEL) \
- va_list ap; \
- va_start(ap, fmt); \
- (void) _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); \
+#define FUNC_NORET(ETEXT, CODE, LEVEL) \
+ va_list ap; \
+ va_start(ap, fmt); \
+ (void) _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); \
va_end(ap);
#undef __attribute__
@@ -112,7 +79,7 @@ krb5_vwarn(krb5_context context, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((__format__ (__printf__, 3, 0)))
{
- return _warnerr(context, 1, code, 1, fmt, ap);
+ return heim_vwarn(context ? context->hcontext : NULL, code, fmt, ap);
}
/**
@@ -130,7 +97,12 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 3, 4)))
{
- FUNC(1, code, 1);
+ krb5_error_code ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = krb5_vwarn(context, code, fmt, ap);
+ va_end(ap);
return ret;
}
@@ -148,7 +120,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vwarnx(krb5_context context, const char *fmt, va_list ap)
__attribute__ ((__format__ (__printf__, 2, 0)))
{
- return _warnerr(context, 0, 0, 1, fmt, ap);
+ return heim_vwarnx(context ? context->hcontext : NULL, fmt, ap);
}
/**
@@ -164,7 +136,12 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_warnx(krb5_context context, const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 2, 3)))
{
- FUNC(0, 0, 1);
+ krb5_error_code ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = krb5_vwarnx(context, fmt, ap);
+ va_end(ap);
return ret;
}
@@ -181,7 +158,7 @@ krb5_warnx(krb5_context context, const char *fmt, ...)
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verr(krb5_context context, int eval, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((__noreturn__, __format__ (__printf__, 4, 0)))
@@ -203,7 +180,7 @@ krb5_verr(krb5_context context, int eval, krb5_error_code code,
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_err(krb5_context context, int eval, krb5_error_code code,
const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 4, 5)))
@@ -224,7 +201,7 @@ krb5_err(krb5_context context, int eval, krb5_error_code code,
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
__attribute__ ((__noreturn__, __format__ (__printf__, 3, 0)))
{
@@ -243,7 +220,7 @@ krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_errx(krb5_context context, int eval, const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 3, 4)))
{
@@ -264,7 +241,7 @@ krb5_errx(krb5_context context, int eval, const char *fmt, ...)
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vabort(krb5_context context, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((__noreturn__, __format__ (__printf__, 3, 0)))
@@ -286,7 +263,7 @@ krb5_vabort(krb5_context context, krb5_error_code code,
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 3, 4)))
{
@@ -295,7 +272,7 @@ krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
UNREACHABLE(return 0);
}
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
__attribute__ ((__noreturn__, __format__ (__printf__, 2, 0)))
{
@@ -314,7 +291,7 @@ krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_abortx(krb5_context context, const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 2, 3)))
{
@@ -335,8 +312,7 @@ krb5_abortx(krb5_context context, const char *fmt, ...)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
{
- context->warn_dest = fac;
- return 0;
+ return heim_set_warn_dest(context->hcontext, fac);
}
/**
@@ -350,5 +326,5 @@ krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
KRB5_LIB_FUNCTION krb5_log_facility * KRB5_LIB_CALL
krb5_get_warn_dest(krb5_context context)
{
- return context->warn_dest;
+ return heim_get_warn_dest(context->hcontext);
}