oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

update workflow artifacts to v4 to get the check infrastructure working again

Browse Source
This commit is contained in:
Daria Phoebe Brashear
2025-10-09 10:46:05 -04:00
parent 0d2e1a1692 7e4950042c
commit de065a739b
2388 changed files with 537626 additions and 189636 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,38 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Desktop (please complete the following information):**
- OS: [e.g. iOS]
- Browser [e.g. chrome, safari]
- Version [e.g. 22]
**Smartphone (please complete the following information):**
- Device: [e.g. iPhone6]
- OS: [e.g. iOS8.1]
- Browser [e.g. stock browser, safari]
- Version [e.g. 22]
**Additional context**
Add any other context about the problem here.

20
.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View File

@@ -0,0 +1,20 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

68
.github/workflows/coverity.yml vendored Normal file
View File

@@ -0,0 +1,68 @@
name: Linux Coverity Build
on:
push:
# Pushes to this branch get the scan-build treatment
branches:
- 'coverity*'
jobs:
linux:
#if: ${{ secrets.COVERITY_SCAN_TOKEN }} != ''
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
name: [linux-clang]
include:
- name: linux-clang
os: ubuntu-22.04
compiler: clang
steps:
- name: Clone repository
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
sudo apt-get update -qq
sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python3 ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind
# Temporary workaround for:
# https://github.com/actions/virtual-environments/issues/3185
sudo hostname localhost
- name: Download Coverity Build Tool
env:
TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
PROJECT: ${{ secrets.COVERITY_SCAN_PROJECT }}
run: |
wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=$PROJECT" -O cov-analysis-linux64.tar.gz
mkdir cov-analysis-linux64
tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
- name: Build
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
CONFIGURE_OPTS: ${{ matrix.configureopts }}
run: |
/bin/sh ./autogen.sh
export PATH="$PWD/cov-analysis-linux64/bin:$PATH"
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
ulimit -c unlimited
# We don't want to scan-build libedit nor SQLite3 because ETOOSLOW
(cd lib/libedit && make -j4)
(cd lib/sqlite && make -j4)
cov-build --dir cov-int make -j4
tar czvf ../heimdal.tgz cov-int
- name: Submit the result to Coverity Scan
env:
TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
PROJECT: ${{ secrets.COVERITY_SCAN_PROJECT }}
run: |
curl \
--form "token=$TOKEN" \
--form "email=$EMAIL" \
--form "file=@heimdal.tgz" \
--form version="$(git rev-parse HEAD)" \
--form description="$GITHUB_REF / $GITHUB_SHA" "https://scan.coverity.com/builds?project=$PROJECT"

117
.github/workflows/linux-mit-interop.yml vendored Normal file
View File

@@ -0,0 +1,117 @@
name: Linux Build
on:
push:
branches:
- 'interop-mit*'
jobs:
unix:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
name: [linux-clang]
include:
- name: linux-clang
os: ubuntu-22.04
compiler: clang
cflags: ''
steps:
- name: Clone repository
uses: actions/checkout@v1
- name: Checkout MIT
uses: actions/checkout@v3
with:
repository: krb5/krb5
path: mit
- name: Install Heimdal dependencies
run: |
sudo apt-get update -qq
sudo apt-get install -y bison comerr-dev flex doxygen
sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl
sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl
sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python3
sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils
sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind
- name: Install MIT Kerberos dependencies
run: |
sudo apt-get install -y gettext libcmocka-dev libresolv-wrapper libsasl2-dev libssl-dev python3-kdcproxy python3-pip slapd tcsh
pip3 install pyrad
# Temporary workaround for:
# https://github.com/actions/virtual-environments/issues/3185
sudo hostname localhost
- name: Build MIT
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd mit/src
autoreconf
./configure --enable-maintainer-mode --with-ldap --with-crypto-impl=openssl --prefix=$HOME/mitkrb5
make -j4 $MAKEVARS
make install
- name: Build
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" --with-mitkrb5=$HOME/mitkrb5
make -j4
- name: Test
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build
ulimit -c unlimited
make check
- name: Make Install
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build || true
make DESTDIR=/tmp/h5l install
cd /tmp/h5l
tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz .
- name: Core dump stacks
run: |
echo "thread apply all bt" > /tmp/x
find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done
if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi
- name: Test logs
run: |
find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from -
find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Failed Test logs
if: ${{ failure() }}
run: |
find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Make Dist
run: |
cd build
make dist
make distclean
if [ "$(git ls-files -o|grep -v ^build/ | wc -l)" -ne 0 ]; then
echo "Files not removed by make distclean:"
git ls-files -o|grep -v ^build/
fi
- name: Upload Install Tarball
uses: actions/upload-artifact@v4
with:
name: Install Tarball
path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz'
- name: Upload Dist Tarball
uses: actions/upload-artifact@v4
with:
name: Dist Tarball
path: 'build/heimdal-*.tar.gz'
- name: Upload Logs Tarball
uses: actions/upload-artifact@v4
with:
name: Test Logs
path: '~/logs-linux-${{ matrix.compiler }}.tgz'

146
.github/workflows/linux.yml vendored Normal file
View File

@@ -0,0 +1,146 @@
name: Linux Build
on:
push:
branches:
- 'master'
- 'heimdal-7-1-branch'
paths:
- '!docs/**'
- '!**.md'
- '!**.[1-9]'
- '**.[chly]'
- '**.hin'
- '**.in'
- '**.am'
- '**.m4'
- '**.ac'
- '**.pl'
- '**.py'
- '**.asn1'
- '**.opt'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/linux.yml'
- '!appveyor.yml'
- '!.travis.yml'
pull_request:
paths:
- '!docs/**'
- '!**.md'
- '!**.[1-9]'
- '**.[chly]'
- '**.hin'
- '**.in'
- '**.am'
- '**.m4'
- '**.ac'
- '**.pl'
- '**.py'
- '**.asn1'
- '**.opt'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/linux.yml'
- '!appveyor.yml'
- '!.travis.yml'
jobs:
unix:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
name: [linux-clang, linux-gcc]
include:
- name: linux-clang
os: ubuntu-22.04
compiler: clang
cflags: ''
- name: linux-gcc
os: ubuntu-22.04
compiler: gcc
cflags: '-Wnonnull'
steps:
- name: Clone repository
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
sudo apt-get update -qq
sudo apt-get install -y bison comerr-dev flex doxygen
sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl
sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl
sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python3
sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils
sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind
# Temporary workaround for:
# https://github.com/actions/virtual-environments/issues/3185
sudo hostname localhost
- name: Build
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
make -j4
- name: Test
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build
ulimit -c unlimited
make check
- name: Make Install
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build || true
make DESTDIR=/tmp/h5l install
cd /tmp/h5l
tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz .
- name: Core dump stacks
run: |
echo "thread apply all bt" > /tmp/x
find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done
if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi
- name: Test logs
run: |
find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from -
find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Failed Test logs
if: ${{ failure() }}
run: |
find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Make Dist
run: |
cd build
make dist
make distclean
if [ "$(git ls-files -o|grep -v ^build/ | wc -l)" -ne 0 ]; then
echo "Files not removed by make distclean:"
git ls-files -o|grep -v ^build/
fi
- name: Upload Install Tarball
uses: actions/upload-artifact@v4
with:
name: Install Tarball
path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz'
- name: Upload Dist Tarball
uses: actions/upload-artifact@v4
with:
name: Dist Tarball
path: 'build/heimdal-*.tar.gz'
- name: Upload Logs Tarball
uses: actions/upload-artifact@v4
with:
name: Test Logs
path: '~/logs-linux-${{ matrix.compiler }}.tgz'

124
.github/workflows/osx.yml vendored Normal file
View File

@@ -0,0 +1,124 @@
name: OS X Build
on:
push:
branches:
- 'master'
- 'osx-build'
- 'heimdal-7-1-branch'
paths:
- '!docs/**'
- '!**.md'
- '!**.[1-9]'
- '**.[chly]'
- '**.hin'
- '**.in'
- '**.am'
- '**.m4'
- '**.ac'
- '**.pl'
- '**.py'
- '**.asn1'
- '**.opt'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/osx.yml'
- '!appveyor.yml'
- '!.travis.yml'
pull_request:
paths:
- '!docs/**'
- '!**.md'
- '!**.[1-9]'
- '**.[chly]'
- '**.hin'
- '**.in'
- '**.am'
- '**.m4'
- '**.ac'
- '**.pl'
- '**.py'
- '**.asn1'
- '**.opt'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/osx.yml'
- '!appveyor.yml'
- '!.travis.yml'
jobs:
osx:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
name: [osx-clang]
include:
- name: osx-clang
os: macos-latest
compiler: clang
steps:
- name: Install packages
run: |
echo "bison, flex, ncurses, texinfo, and unzip are in the base OS."
echo "berkeley-db, perl, python3, curl, and jq are installed in the"
echo "base image already."
brew install autoconf automake libtool cpanm texinfo texi2html
sudo cpanm install JSON
- name: Clone repository
uses: actions/checkout@v1
- name: Build
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
CONFIGURE_OPTS: ${{ matrix.configureopts }}
run: |
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --disable-heimdal-documentation --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3"
ulimit -c unlimited
PATH=/usr/local/opt/texinfo/bin:$PATH
export PATH
make -j4
#- name: Setup upterm session
# uses: lhotari/action-upterm@v1
# with:
# limit-access-to-actor: true
- name: Test
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
CONFIGURE_OPTS: ${{ matrix.configureopts }}
run: |
set -vx
sudo lsof -nP -i:49188 || true
cd build
make check
- name: Install
run: |
cd build || true
make DESTDIR=/tmp/h5l install
cd /tmp/h5l
tar czf $HOME/heimdal-install-osx.tgz .
- name: Test logs
run: |
find build -depth -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/' | cpio -o > $HOME/logs-osx.cpio
find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat
- name: Failed Test logs
if: ${{ failure() }}
run: |
find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat
- name: Upload Install Tarball
uses: actions/upload-artifact@v4
with:
name: Install Tarball
path: '~/heimdal-install-osx.tgz'
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: Upload Test Logs
path: '~/logs-osx.cpio'

67
.github/workflows/scanbuild.yml vendored Normal file
View File

@@ -0,0 +1,67 @@
name: Linux Static Analyzer Build
on:
push:
# Pushes to this branch get the scan-build treatment
branches:
- 'scan-build*'
pull_request:
# Changing this build gets it to run
paths:
- '.github/workflows/scanbuild.yml'
jobs:
unix:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
name: [linux-clang]
include:
- name: linux-clang
os: ubuntu-22.04
compiler: clang
steps:
- name: Clone repository
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
sudo apt-get update -qq
sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python3 ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind
# Temporary workaround for:
# https://github.com/actions/virtual-environments/issues/3185
sudo hostname localhost
- name: Build
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
CONFIGURE_OPTS: ${{ matrix.configureopts }}
run: |
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
ulimit -c unlimited
# We don't want to scan-build libedit nor SQLite3 because ETOOSLOW
(cd lib/libedit && make -j4)
(cd lib/sqlite && make -j4)
scan-build --keep-going make -j4
- name: Test
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build
ulimit -c unlimited
scan-build --keep-going make check
- name: Failed Test logs
if: ${{ failure() }}
run: |
find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: Scan-Build Reports
path: '/tmp/scan-build*/'

133
.github/workflows/ubsan.yml vendored Normal file
View File

@@ -0,0 +1,133 @@
name: Linux UBSAN Build
on:
push:
branches:
- 'master'
- 'ubsan'
paths:
- '!docs/**'
- '!**.md'
- '!**.[1-9]'
- '**.[chly]'
- '**.hin'
- '**.in'
- '**.am'
- '**.m4'
- '**.ac'
- '**.pl'
- '**.py'
- '**.asn1'
- '**.opt'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/ubsan.yml'
- '!appveyor.yml'
- '!.travis.yml'
pull_request:
paths:
- '!docs/**'
- '!**.md'
- '!**.[1-9]'
- '**.[chly]'
- '**.hin'
- '**.in'
- '**.am'
- '**.m4'
- '**.ac'
- '**.pl'
- '**.py'
- '**.asn1'
- '**.opt'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/ubsan.yml'
- '!appveyor.yml'
- '!.travis.yml'
jobs:
unix:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
name: [linux-clang, linux-gcc]
include:
- name: linux-clang
os: ubuntu-22.04
compiler: clang
cflags: '-fsanitize=undefined'
ldflags: ''
- name: linux-gcc
os: ubuntu-22.04
compiler: gcc
cflags: '-Wnonnull -fsanitize=undefined'
ldflags: ''
steps:
- name: Clone repository
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
sudo apt-get update -qq
sudo apt-get install -y bison comerr-dev flex doxygen
sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl
sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl
sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python3
sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils
sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind
# Temporary workaround for:
# https://github.com/actions/virtual-environments/issues/3185
sudo hostname localhost
- name: Build
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --enable-dynamic --disable-static --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" LDFLAGS="${{ matrix.ldflags }}"
make -j4
- name: Test
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build
ulimit -c unlimited
make check
- name: Make Install
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build || true
make DESTDIR=/tmp/h5l install
cd /tmp/h5l
tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz .
- name: Core dump stacks
run: |
echo "thread apply all bt" > /tmp/x
find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done
if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi
- name: Test logs
run: |
find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from -
find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Failed Test logs
if: ${{ failure() }}
run: |
find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: All Test logs
if: true
run: |
find build -name \*.trs | sed -e 's/trs$/log/' | xargs cat
- name: Upload Logs Tarball
uses: actions/upload-artifact@v4
with:
name: Test Logs
path: '~/logs-linux-${{ matrix.compiler }}.tgz'

71
.github/workflows/valgrind.yml vendored Normal file
View File

@@ -0,0 +1,71 @@
name: Linux Valgrind Tests Build
on:
push:
# Pushes to the valgrind branch get the valgrind treatment
branches:
- 'valgrind*'
pull_request:
# Changing this build also gets it to run
paths:
- '.github/workflows/valgrind.yml'
jobs:
unix:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
name: [linux-clang]
include:
- name: linux-clang
os: ubuntu-22.04
compiler: clang
steps:
- name: Clone repository
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
sudo apt-get update -qq
sudo apt-get install -y bison comerr-dev flex libcap-ng-dev lmdb-utils liblmdb-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python3 ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev jq valgrind
# Temporary workaround for:
# https://github.com/actions/virtual-environments/issues/3185
sudo hostname localhost
- name: Build
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
CONFIGURE_OPTS: ${{ matrix.configureopts }}
CHECK_TESTER_NO_VALGRIND: 'no-valgrind'
run: |
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
make -j4
- name: Test
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build
ulimit -c unlimited
make check-valgrind
- name: Valgrind output
run: |
find . -name \*.log -print0|xargs -0 grep '^==[0-9]*== ' || true
- name: Test logs
run: |
find build -depth -name \*.log | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-valgrind.tgz --verbatim-files-from --files-from -
find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Failed Test logs
if: ${{ failure() }}
run: |
find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: Test Logs
path: '~/logs-linux-valgrind.tgz'

94
.github/workflows/windows.yml vendored Normal file
View File

@@ -0,0 +1,94 @@
name: Windows Build
on:
push:
branches:
- 'master'
- 'windows-build'
- 'heimdal-7-1-branch'
paths:
- '!docs/**'
- '!**.md'
- '!**.[1-9]'
- '**.[chly]'
- '**.hin'
- '**.in'
- '**.pl'
- '**.py'
- '**.asn1'
- '**.opt'
- '**.w32'
- '**/NTMakefile*'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/windows.yml'
- '!appveyor.yml'
- '!.travis.yml'
pull_request:
paths:
- '!docs/**'
- '!**.md'
- '!**.[1-9]'
- '**.[chly]'
- '**.hin'
- '**.in'
- '**.pl'
- '**.py'
- '**.asn1'
- '**.opt'
- '**.w32'
- '**/NTMakefile'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/windows.yml'
- '!appveyor.yml'
- '!.travis.yml'
jobs:
windows:
runs-on: windows-latest
env:
APPVER: '10.0'
CODESIGN_PKT: 0000000000000000
INSTALL_DIR: C:\heimdal
WINSDKVER: '10.0.22000.0'
WIXDIR: 'c:\Program Files (x86)\Windows Installer XML v3.5'
steps:
- name: Clone repository
uses: actions/checkout@v1
- name: Find MSVC and run vcvarsall.bat
uses: ilammy/msvc-dev-cmd@v1
with:
arch: amd64
- name: Build and Test
shell: cmd
run: |
set PATH=%PATH%;C:\msys64\usr\bin;C:\Program Files (x86)\HTML Help Workshop;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin
set CODESIGN_PKT=0000000000000000
set dbg__type=Debug
mkdir %INSTALL_DIR%
pacman --noconfirm -S zstd
pacman --noconfirm -S autoconf
pacman --noconfirm -S automake
pacman --noconfirm -S flex
pacman --noconfirm -S bison
pacman --noconfirm -S perl
pacman --noconfirm -S perl-JSON
pacman --noconfirm -S texinfo
set PATH=%PATH%;%wix%bin
title Heimdal Build %CPU% %dbg__type%
set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop"
set "PATH=%PATH%;C:/msys64/usr/bin"
set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin"
set "PATH=%PATH%;C:\Python310-x64"
echo PATH=%PATH%
nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1
nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: Objects
path: 'D:/a/heimdal/heimdal/out/'

670
.gitignore vendored
View File

@@ -1,26 +1,116 @@
# git-ls-files --others --exclude-from=.git/info/exclude
# Lines that start with '#' are comments.
# For a project mostly in C, the following would be a good set of
# exclude patterns (uncomment them if you want to use them):
# *.[oa]
# *~
# After changing this file, please run:
#
# git ls-files -i --exclude-standard
#
# to check that you haven't inadvertently ignored any tracked files. This
# command should return no output. Any files listed by it are files
# present in the repository but ignored by .gitignore.
# General rules, with some exclusions for where they're too general.
.DS_Store
.deps/
.dirstamp
.libs/
Makefile
Makefile.in
rs_state.ini
tags
!/lib/asn1/asn1_gen.c
!/lib/asn1/asn1_print.c
!/lib/krb5/asn1_glue.c
*_asn1.h
!/lib/asn1/heim_asn1.h
*_asn1-priv.h
asn1_*_asn1.c
*_asn1_files
*_asn1_oids.x
*_asn1_syms.x
*_err.[ch]
!/lib/com_err/com_err.[ch]
*-commands.[ch]
*~
*.a
*.la
*.lo
*.o
*.log
*.trs
*.tmp
# Top-level files.
/.vscode
/aclocal.m4
/autom4te.cache
/compile
/confdefs.h
/config.guess
/config.log
/config.status
/config.sub
/configure
/conftest.c
/conftest.err
/depcomp
/install-sh
/libtool
/ltmain.sh
/missing
/setupbuild.cmd
/stage1.diff
/stage2.diff
/test-driver
/tmp.h
/ylwrap
/appl/login/login-protos.h
/lib/libedit/aclocal.m4
/lib/libedit/autom4te.cache
/lib/libedit/compile
/lib/libedit/config.guess
/lib/libedit/config.h
/lib/libedit/config.log
/lib/libedit/config.status
/lib/libedit/config.sub
/lib/libedit/configure
/lib/libedit/depcomp
/lib/libedit/install-sh
/lib/libedit/libtool
/lib/libedit/ltmain.sh
/lib/libedit/missing
/lib/libedit/setupbuild.cmd
/lib/libedit/ylwrap
/lib/libedit/src/common.h
/lib/libedit/src/emacs.h
/lib/libedit/src/fcns.c
/lib/libedit/src/fcns.h
/lib/libedit/src/func.h
/lib/libedit/src/help.c
/lib/libedit/src/help.h
/lib/libedit/src/vi.h
/lib/libedit/stamp-h1
# Files in subdirectories.
/admin/ktutil
/appl/afsutil/afslog
/appl/afsutil/pagsh
/appl/dbutils/bsearch
/appl/gssmask/gssmaestro
/appl/gssmask/gssmask
/appl/kf/kf
/appl/kf/kfd
/appl/otp/otp
/appl/otp/otpprint
/appl/test/gssapi_client
/appl/test/gssapi_server
/appl/test/http_client
/appl/test/nt_gss_client
/appl/test/nt_gss_server
/appl/test/tcp_client
/appl/test/tcp_server
/appl/test/uu_client
/appl/test/uu_server
/cf/libtool.m4
/cf/ltoptions.m4
/cf/ltsugar.m4
@@ -36,32 +126,434 @@ Makefile.in
/doc/krb5
/doc/ntlm
/doc/wind
/doc/vars.texi
/doc/doxyout
/include/*.h
!/include/crypto-headers.h
!/include/heim_threads.h
/include/bits
/include/config.h.in
/include/stamp-h.in
/include/gssapi/*.h
/include/hcrypto/*.h
/include/kadm5/*.h
/include/stamp-h1
/include/version.h.in
/kadmin/add_random_users
/kadmin/kadmin
/kadmin/kadmind
/kadmin/test_util
/kcm/kcm
/kcm/kcm-protos.h
/kdc/digest-service
/kdc/hprop
/kdc/hpropd
/kdc/kdc
/kdc/kdc-protos.h
/kdc/kdc-private.h
/lib/asn1/der-protos.h
/kdc/kdc-replay
/kdc/kdc-tester
/kdc/kstash
/kdc/string2key
/kdc/test_csr_authorizer
/kdc/test_kdc_ca
/kdc/test_token_validator
/kpasswd/kpasswd
/kpasswd/kpasswd-generator
/kpasswd/kpasswdd
/kuser/copy_cred_cache
/kuser/generate-requests
/kuser/heimtools
/kuser/kdecode_ticket
/kuser/kdestroy
/kuser/kdigest
/kuser/kgetcred
/kuser/kimpersonate
/kuser/kinit
/kuser/klist
/kuser/kswitch
/kuser/kverify
/lib/asn1/asn1_compile
/lib/asn1/asn1_gen
/lib/asn1/asn1_print
/lib/asn1/asn1parse.c
/lib/asn1/asn1parse.h
/lib/asn1/check-ber
/lib/asn1/check-der
/lib/asn1/check-gen
/lib/asn1/check-gen-template
/lib/asn1/check-template
/lib/asn1/check-timegm
/lib/asn1/cms_asn1.json
/lib/asn1/cms_asn1_oids.c
/lib/asn1/cms_asn1_syms.c
/lib/asn1/cms_template_asn1.json
/lib/asn1/cms_template_asn1_oids.c
/lib/asn1/cms_template_asn1_syms.c
/lib/asn1/crmf_asn1.json
/lib/asn1/crmf_asn1_oids.c
/lib/asn1/crmf_asn1_syms.c
/lib/asn1/crmf_template_asn1.json
/lib/asn1/crmf_template_asn1_oids.c
/lib/asn1/crmf_template_asn1_syms.c
/lib/asn1/der-private.h
/lib/asn1/der-protos.h
/lib/asn1/digest_asn1.json
/lib/asn1/digest_asn1_oids.c
/lib/asn1/digest_asn1_syms.c
/lib/asn1/digest_template_asn1.json
/lib/asn1/digest_template_asn1_oids.c
/lib/asn1/digest_template_asn1_syms.c
/lib/asn1/krb5_asn1.json
/lib/asn1/krb5_asn1_oids.c
/lib/asn1/krb5_asn1_syms.c
/lib/asn1/krb5_template_asn1.json
/lib/asn1/krb5_template_asn1_oids.c
/lib/asn1/krb5_template_asn1_syms.c
/lib/asn1/kx509_asn1.json
/lib/asn1/kx509_asn1_oids.c
/lib/asn1/kx509_asn1_syms.c
/lib/asn1/kx509_template_asn1.json
/lib/asn1/kx509_template_asn1_oids.c
/lib/asn1/kx509_template_asn1_syms.c
/lib/asn1/lex.c
/lib/asn1/ocsp_asn1.json
/lib/asn1/ocsp_asn1_oids.c
/lib/asn1/ocsp_asn1_syms.c
/lib/asn1/ocsp_template_asn1.json
/lib/asn1/ocsp_template_asn1_oids.c
/lib/asn1/ocsp_template_asn1_syms.c
/lib/asn1/pkcs10_asn1.json
/lib/asn1/pkcs10_asn1_oids.c
/lib/asn1/pkcs10_asn1_syms.c
/lib/asn1/pkcs10_template_asn1.json
/lib/asn1/pkcs10_template_asn1_oids.c
/lib/asn1/pkcs10_template_asn1_syms.c
/lib/asn1/pkcs12_asn1.json
/lib/asn1/pkcs12_asn1_oids.c
/lib/asn1/pkcs12_asn1_syms.c
/lib/asn1/pkcs12_template_asn1.json
/lib/asn1/pkcs12_template_asn1_oids.c
/lib/asn1/pkcs12_template_asn1_syms.c
/lib/asn1/pkcs8_asn1.json
/lib/asn1/pkcs8_asn1_oids.c
/lib/asn1/pkcs8_asn1_syms.c
/lib/asn1/pkcs8_template_asn1.json
/lib/asn1/pkcs8_template_asn1_oids.c
/lib/asn1/pkcs8_template_asn1_syms.c
/lib/asn1/pkcs9_asn1.json
/lib/asn1/pkcs9_asn1_oids.c
/lib/asn1/pkcs9_asn1_syms.c
/lib/asn1/pkcs9_template_asn1.json
/lib/asn1/pkcs9_template_asn1_oids.c
/lib/asn1/pkcs9_template_asn1_syms.c
/lib/asn1/pkinit_asn1.json
/lib/asn1/pkinit_asn1_oids.c
/lib/asn1/pkinit_asn1_syms.c
/lib/asn1/pkinit_template_asn1.json
/lib/asn1/pkinit_template_asn1_oids.c
/lib/asn1/pkinit_template_asn1_syms.c
/lib/asn1/rfc2459_asn1.json
/lib/asn1/rfc2459_asn1_oids.c
/lib/asn1/rfc2459_asn1_syms.c
/lib/asn1/rfc2459_template_asn1.json
/lib/asn1/rfc2459_template_asn1_oids.c
/lib/asn1/rfc2459_template_asn1_syms.c
/lib/asn1/rfc4108_asn1.json
/lib/asn1/rfc4108_asn1_oids.c
/lib/asn1/rfc4108_asn1_syms.c
/lib/asn1/rfc4108_template_asn1.json
/lib/asn1/rfc4108_template_asn1_oids.c
/lib/asn1/rfc4108_template_asn1_syms.c
/lib/asn1/test_asn1.json
/lib/asn1/test_asn1_oids.c
/lib/asn1/test_asn1_syms.c
/lib/asn1/test_template_asn1.json
/lib/asn1/test_template_asn1_oids.c
/lib/asn1/test_template_asn1_syms.c
/lib/asn1/x690sample_asn1.json
/lib/asn1/x690sample_asn1_oids.c
/lib/asn1/x690sample_asn1_syms.c
/lib/asn1/x690sample_template_asn1.json
/lib/asn1/x690sample_template_asn1_oids.c
/lib/asn1/x690sample_template_asn1_syms.c
/lib/auth/Makefile.in
/lib/base/base64.c
/lib/base/heimbase-protos.h
/lib/base/json-journal
/lib/base/test_base
/lib/base/test_db.json
/lib/com_err/compile_et
/lib/com_err/lex.c
/lib/com_err/parse.c
/lib/com_err/parse.h
/lib/com_err/snprintf.c
/lib/com_err/strlcpy.c
/lib/gssapi/asn1_ContextFlags.c
/lib/gssapi/asn1_GSSAPIContextToken.c
/lib/gssapi/asn1_MechType.c
/lib/gssapi/asn1_MechTypeList.c
/lib/gssapi/asn1_NegHints.c
/lib/gssapi/asn1_NegStateEnum.c
/lib/gssapi/asn1_NegTokenInit.c
/lib/gssapi/asn1_NegTokenInit2.c
/lib/gssapi/asn1_NegTokenResp.c
/lib/gssapi/asn1_NegotiationToken.c
/lib/gssapi/asn1_NegotiationToken2.c
/lib/gssapi/gss-token
/lib/gssapi/gssapi_asn1-template.c
/lib/gssapi/gssapi_asn1.json
/lib/gssapi/gssapi_asn1_oids.c
/lib/gssapi/gssapi_asn1_syms.c
/lib/gssapi/gsstool
/lib/gssapi/krb5/gsskrb5-private.h
/lib/gssapi/ntlm/ntlm-private.h
/lib/gssapi/sanon/sanon-private.h
/lib/gssapi/spnego/spnego-private.h
/lib/hdb/hdb-protos.h
/lib/gssapi/spnego_asn1-template.c
/lib/gssapi/spnego_asn1.json
/lib/gssapi/spnego_asn1_oids.c
/lib/gssapi/spnego_asn1_syms.c
/lib/gssapi/test_acquire_cred
/lib/gssapi/test_add_store_cred
/lib/gssapi/test_cfx
/lib/gssapi/test_context
/lib/gssapi/test_cred
/lib/gssapi/test_kcred
/lib/gssapi/test_names
/lib/gssapi/test_ntlm
/lib/gssapi/test_oid
/lib/gss_preauth/gss-preauth-protos.h
/lib/gss_preauth/gss-preauth-private.h
/lib/hcrypto/crypto-test
/lib/hcrypto/crypto-test2
/lib/hcrypto/destest
/lib/hcrypto/error
/lib/hcrypto/example_evp_cipher
/lib/hcrypto/hcrypto
/lib/hcrypto/hcrypto-link
/lib/hcrypto/mdtest
/lib/hcrypto/rc2test
/lib/hcrypto/rctest
/lib/hcrypto/test-out-1
/lib/hcrypto/test-out-15
/lib/hcrypto/test-out-16
/lib/hcrypto/test-out-17
/lib/hcrypto/test-out-31
/lib/hcrypto/test-out-32
/lib/hcrypto/test-out-33
/lib/hcrypto/test_bn
/lib/hcrypto/test_bulk
/lib/hcrypto/test_cipher
/lib/hcrypto/test_crypto
/lib/hcrypto/test_dh
/lib/hcrypto/test_engine_dso
/lib/hcrypto/test_hmac
/lib/hcrypto/test-out-7
/lib/hcrypto/test_pkcs12
/lib/hcrypto/test_pkcs5
/lib/hcrypto/test_rand
/lib/hcrypto/test_rsa
/lib/hcrypto/unix
/lib/hcrypto/libtommath/callgraph.txt
/lib/hdb/asn1_Event.c
/lib/hdb/asn1_GENERATION.c
/lib/hdb/asn1_HDBFlags.c
/lib/hdb/asn1_HDB_EncTypeList.c
/lib/hdb/asn1_HDB_EntryOrAlias.c
/lib/hdb/asn1_HDB_Ext_Aliases.c
/lib/hdb/asn1_HDB_Ext_Constrained_delegation_acl.c
/lib/hdb/asn1_HDB_Ext_KeyRotation.c
/lib/hdb/asn1_HDB_Ext_KeySet.c
/lib/hdb/asn1_HDB_Ext_Lan_Manager_OWF.c
/lib/hdb/asn1_HDB_Ext_PKINIT_acl.c
/lib/hdb/asn1_HDB_Ext_PKINIT_cert.c
/lib/hdb/asn1_HDB_Ext_PKINIT_hash.c
/lib/hdb/asn1_HDB_Ext_Password.c
/lib/hdb/asn1_HDB_entry.c
/lib/hdb/asn1_HDB_entry_alias.c
/lib/hdb/asn1_HDB_extension.c
/lib/hdb/asn1_HDB_extensions.c
/lib/hdb/asn1_HDB_keyset.c
/lib/hdb/asn1_Key.c
/lib/hdb/asn1_KeyRotation.c
/lib/hdb/asn1_KeyRotationFlags.c
/lib/hdb/asn1_Keys.c
/lib/hdb/asn1_Salt.c
/lib/hdb/hdb-private.h
/lib/hx509/hx509-private.h
/lib/hx509/hx509-protos.h
/lib/hx509/data/*.pem
/lib/hdb/hdb-protos.h
/lib/hdb/hdb_asn1-template.c
/lib/hdb/hdb_asn1.json
/lib/hdb/hdb_asn1_oids.c
/lib/hdb/hdb_asn1_syms.c
/lib/hdb/test_concurrency
/lib/hdb/test_dbinfo
/lib/hdb/test_hdbkeys
/lib/hdb/test_mkey
/lib/hdb/test_namespace
/lib/hdb/testhdb-*-shm
/lib/hdb/testhdb-*-wal
/lib/hx509/actual
/lib/hx509/PKITS_data/
/lib/hx509/cert-ca.der
/lib/hx509/cert-ca.pem
/lib/hx509/cert-ee.pem
/lib/hx509/cert-null.pem
/lib/hx509/cert-proxy.der
/lib/hx509/cert-sub-ca.pem
/lib/hx509/cert-sub-ca2.pem
/lib/hx509/cert-sub-ee.pem
/lib/hx509/crl.crl
/lib/hx509/data/*.srl
/lib/hx509/data/*.req
/lib/hx509/data/sub-ca-combined.crt
/lib/hx509/expected
/lib/hx509/ev.data
/lib/hx509/ev.data.out
/lib/hx509/hx509-private.h
/lib/hx509/hx509-protos.h
/lib/hx509/hxtool
/lib/hx509/out.pem
/lib/hx509/out2.pem
/lib/hx509/pkcs10-request.der
/lib/hx509/random-data
/lib/hx509/request.out
/lib/hx509/sel-gram.c
/lib/hx509/sel-gram.h
/lib/hx509/sel-lex.c
/lib/hx509/sd
/lib/hx509/sd.data
/lib/hx509/sd.data.out
/lib/hx509/sd.pem
/lib/hx509/statfile
/lib/hx509/test
/lib/hx509/test-rc-file.rc
/lib/hx509/test_ca
/lib/hx509/test_cert
/lib/hx509/test_chain
/lib/hx509/test_cms
/lib/hx509/test_crypto
/lib/hx509/test_expr
/lib/hx509/test_java_pkcs11
/lib/hx509/test_name
/lib/hx509/test_nist
/lib/hx509/test_nist2
/lib/hx509/test_nist_cert
/lib/hx509/test_nist_pkcs12
/lib/hx509/test_pkcs11
/lib/hx509/test_query
/lib/hx509/test_req
/lib/hx509/test_soft_pkcs11
/lib/hx509/test_windows
/lib/hx509/wca.pem
/lib/hx509/wcrl.crl
/lib/hx509/wdc.pem
/lib/hx509/wuser.pem
/lib/ipc/tc
/lib/ipc/ts
/lib/ipc/ts-http
/lib/kadm5/default_keys
/lib/kadm5/iprop-log
/lib/kadm5/ipropd-master
/lib/kadm5/ipropd-slave
/lib/kadm5/test_pw_quality
/lib/kadm5/kadm5-protos.h
/lib/kadm5/kadm5-private.h
/lib/kafs/resolve.c
/lib/kafs/strlcpy.c
/lib/kafs/strsep.c
/lib/kafs/strtok_r.c
/lib/krb5/aes-test
/lib/krb5/config_file.c.orig
/lib/krb5/config_file.c.rej
/lib/krb5/derived-key-test
/lib/krb5/krb5-protos.h
/lib/krb5/krb5-private.h
/lib/krb5/krbhst-test
/lib/krb5/n-fold-test
/lib/krb5/parse-name-test
/lib/krb5/pseudo-random-test
/lib/krb5/store-test
/lib/krb5/string-to-key-test
/lib/krb5/test_acl
/lib/krb5/test_addr
/lib/krb5/test_alname
/lib/krb5/test_ap-req
/lib/krb5/test_canon
/lib/krb5/test_cc
/lib/krb5/test_config
/lib/krb5/test_config_include.out
/lib/krb5/test_config_strings.out
/lib/krb5/test_crypto
/lib/krb5/test_crypto_wrapping
/lib/krb5/test_expand_toks
/lib/krb5/test_fx
/lib/krb5/test_hostname
/lib/krb5/test_keytab
/lib/krb5/test_mem
/lib/krb5/test_mkforwardable
/lib/krb5/test_pac
/lib/krb5/test_pkinit_dh2key
/lib/krb5/test_pknistkdf
/lib/krb5/test_plugin
/lib/krb5/test_prf
/lib/krb5/test_princ
/lib/krb5/test_set_kvno0
/lib/krb5/test_store
/lib/krb5/test_time
/lib/krb5/test_x500
/lib/krb5/test_forward
/lib/krb5/test_get_addrs
/lib/krb5/test_gic
/lib/krb5/test_kuserok
/lib/krb5/test_renew
/lib/krb5/test_rfc3961
/lib/krb5/verify_krb5_conf
/lib/ntlm/heimntlm-protos.h
/lib/ntlm/test_ntlm
/lib/otp/ndbm_wrap.c
/lib/otp/ndbm_wrap.h
/lib/otp/otptest
/lib/otp/snprintf.c
/lib/otp/strcasecmp.c
/lib/otp/strlcat.c
/lib/otp/strlcpy.c
/lib/otp/strlwr.c
/lib/otp/strncasecmp.c
/lib/roken/base32-test
/lib/roken/base64-test
/lib/roken/getaddrinfo-test
/lib/roken/getifaddrs-test
/lib/roken/hex-test
/lib/roken/make-roken
/lib/roken/make-roken.c
/lib/roken/parse_bytes-test
/lib/roken/parse_reply-test
/lib/roken/parse_time-test
/lib/roken/resolve-test
/lib/roken/rkbase32
/lib/roken/rkbase64
/lib/roken/rkpty
/lib/roken/rkvis
/lib/roken/roken.h
/lib/roken/rtbl
/lib/roken/snprintf-test
/lib/roken/strpftime-test
/lib/roken/test-auxval
/lib/roken/test-detach
/lib/roken/test-getuserinfo
/lib/roken/test-readenv
/lib/roken/tsearch-test
/lib/roken/vis.h
/lib/sl/getprogname.c
/lib/sl/slc
/lib/sl/slc-gram.c
/lib/sl/slc-gram.h
/lib/sl/slc-lex.c
/lib/sl/snprintf.c
/lib/sl/strdup.c
/lib/sl/strtok_r.c
/lib/sl/strupr.c
/lib/sl/test_sl
/lib/wind/*.pyc
/lib/wind/bidi_table.c
/lib/wind/bidi_table.h
@@ -69,10 +561,162 @@ Makefile.in
/lib/wind/combining_table.h
/lib/wind/errorlist_table.c
/lib/wind/errorlist_table.h
/lib/wind/idn-lookup
/lib/wind/map_table.c
/lib/wind/map_table.h
/lib/wind/normalize_table.c
/lib/wind/normalize_table.h
/lib/wind/punycode_examples.c
/lib/wind/punycode_examples.h
/lib/wind/__pycache__/
/lib/wind/test-bidi
/lib/wind/test-ldap
/lib/wind/test-map
/lib/wind/test-normalize
/lib/wind/test-prohibited
/lib/wind/test-punycode
/lib/wind/test-rw
/lib/wind/test-utf8
/out
/po/gen-po.sh
/scripts
/tests/bin/intr
/tests/bin/setup-env
/tests/can/check-can
/tests/can/current-db.db
/tests/can/krb5.conf
/tests/can/log
/tests/can/mit-pkinit-20070607.cf
/tests/can/test_can
/tests/db/add-modify-delete
/tests/db/check-aliases
/tests/db/check-dbinfo
/tests/db/current-db.db
/tests/db/dbinfo.out
/tests/db/have-db
/tests/db/krb5.conf
/tests/db/krb5.conf-db1
/tests/db/krb5.conf-db3
/tests/db/krb5.conf-lmdb
/tests/db/krb5.conf-sqlite
/tests/db/loaddump-db
/tests/db/log
/tests/db/tempfile
/tests/gss/barpassword
/tests/gss/check-basic
/tests/gss/check-context
/tests/gss/check-gss
/tests/gss/check-gssmask
/tests/gss/check-negoex
/tests/gss/check-ntlm
/tests/gss/check-spnego
/tests/gss/current-db.db
/tests/gss/foopassword
/tests/gss/krb5.conf
/tests/gss/krb5ccfile
/tests/gss/krb5ccfile-ds
/tests/gss/krb5ccfile2
/tests/gss/mech
/tests/gss/new_clients_k5.conf
/tests/gss/server.keytab
/tests/gss/tempfile
/tests/java/check-kinit
/tests/java/krb5.conf
/tests/kdc/acache.krb5
/tests/kdc/barpassword
/tests/kdc/bx509.pem
/tests/kdc/cache.krb5
/tests/kdc/cc_dir/
/tests/kdc/cdigest-reply
/tests/kdc/check-authz
/tests/kdc/check-bx509
/tests/kdc/check-canon
/tests/kdc/check-cc
/tests/kdc/check-delegation
/tests/kdc/check-des
/tests/kdc/check-digest
/tests/kdc/check-fast
/tests/kdc/check-hdb-mitdb
/tests/kdc/check-httpkadmind
/tests/kdc/check-iprop
/tests/kdc/check-kadmin
/tests/kdc/check-kdc
/tests/kdc/check-kdc-weak
/tests/kdc/check-keys
/tests/kdc/check-kpasswdd
/tests/kdc/check-pkinit
/tests/kdc/check-referral
/tests/kdc/check-tester
/tests/kdc/check-uu
/tests/kdc/current-db.db
/tests/kdc/current-db.sqlite3
/tests/kdc/current-db.sqlite3-shm
/tests/kdc/current-db.sqlite3-wal
/tests/kdc/current.log.save
/tests/kdc/email.pem
/tests/kdc/foopassword
/tests/kdc/foopassword.rkpty
/tests/kdc/icache.krb5
/tests/kdc/iprop-stats
/tests/kdc/iprop-stats2
/tests/kdc/iprop.keytab
/tests/kdc/ipropd.dumpfile
/tests/kdc/k.der
/tests/kdc/kdc-tester4.json
/tests/kdc/kdc.pid
/tests/kdc/krb5-authz.conf
/tests/kdc/krb5-authz2.conf
/tests/kdc/krb5-bx509.conf
/tests/kdc/krb5-canon.conf
/tests/kdc/krb5-canon2.conf
/tests/kdc/krb5-cccol.conf
/tests/kdc/krb5-hdb-mitdb.conf
/tests/kdc/krb5-httpkadmind.conf
/tests/kdc/krb5-master2.conf
/tests/kdc/krb5-pkinit-win.conf
/tests/kdc/krb5-pkinit.conf
/tests/kdc/krb5-pkinit2.conf
/tests/kdc/krb5-slave.conf
/tests/kdc/krb5-slave2.conf
/tests/kdc/krb5-weak.conf
/tests/kdc/krb5.conf
/tests/kdc/krb5.conf.keys
/tests/kdc/localname
/tests/kdc/messages.log2
/tests/kdc/mixed-issuer.pem
/tests/kdc/notfoopassword
/tests/kdc/o2cache.krb5
/tests/kdc/ocache.krb5
/tests/kdc/pkinit-anchor.pem
/tests/kdc/req
/tests/kdc/s2digest-reply
/tests/kdc/sdb
/tests/kdc/sdigest-init
/tests/kdc/sdigest-reply
/tests/kdc/server-issuer.pem
/tests/kdc/server.keytab
/tests/kdc/server.pem
/tests/kdc/simple_csr_authz/
/tests/kdc/tempfile
/tests/kdc/test-rc-file.rc
/tests/kdc/trivial.pem
/tests/kdc/user-issuer.pem
/tests/ldap/check-ldap
/tests/ldap/krb5.conf
/tests/ldap/slapd-init
/tests/plugin/cache.krb5
/tests/plugin/check-pac
/tests/plugin/current-db.db
/tests/plugin/foopassword
/tests/plugin/krb5.conf
/tests/plugin/server.keytab
/tools/heimdal-gssapi.pc
/tools/heimdal-kadm-client.pc
/tools/heimdal-kadm-server.pc
/tools/heimdal-krb5.pc
/tools/kadm-client.pc
/tools/kadm-server.pc
/tools/kafs.pc
/tools/krb5-gssapi.pc
/tools/krb5.pc
/tools/krb5-config

92
.travis.yml Normal file
View File

@@ -0,0 +1,92 @@
os:
- linux
- osx
language: c
env:
global:
secure: "YKG77M7zMvJ+IeV2ziw//HcHqMqFoAzIZlE99Yw/aOn5pvMYKq6Ep7EFVhbfDu9yN0T7M5csCGQeH7/ylDlsZSRMUw72844ezMDM8e10T/lW/T/OYN7j1ZVHh3WSJgS+1D9VG6/Y0OY1Si3lb7PcOdAIU0fPJV5xQONN2+hpJeI="
before_install:
- if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get update -qq; fi
- if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils; fi
- if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq ldap-utils gdb apport; fi
- if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq curl libmicrohttpd-dev; fi
- if [ $TRAVIS_OS_NAME = linux -a -n "$COVERAGE" ]; then sudo apt-get install -qq jq; fi
- if [ $TRAVIS_OS_NAME = osx ]; then HOMEBREW_NO_AUTO_UPDATE=1 brew install cpanm bison flex berkeley-db lmdb openldap openssl; fi
- if [ $TRAVIS_OS_NAME = osx ]; then sudo cpanm install JSON; fi
- if [ $TRAVIS_OS_NAME = osx -a -n "$COVERAGE" ]; then brew install jq; fi
- mkdir ci-build
- mkdir coverity-build
- ./autogen.sh
install:
- cd ci-build
- |
if [ $TRAVIS_OS_NAME = osx ]; then
LDFLAGS="-L/usr/local/opt/berkeley-db/lib -L/usr/local/opt/lmdb/lib" \
CFLAGS="-I/usr/local/opt/lmdb/include" \
../configure \
--srcdir=`dirname "$PWD"` \
--prefix=/tmp/heimdal \
--enable-maintainer-mode $COVERAGE \
--enable-static=no \
--enable-pthread-support \
--disable-afs-support \
--disable-ndbm-db \
--with-openldap=/usr/local/opt/openldap \
--with-openssl=/usr/local/opt/openssl/ \
--with-hcrypto-default-backend=ossl \
--with-berkeley-db \
--with-berkeley-db-include=/usr/local/opt/berkeley-db/include
else
# This list of -Wno-error options should be reduced over time where possible
if [ x"$TRAVIS_COMPILER" != x"clang" ]; then
CFLAGS="-Wno-error=empty-body -Wno-error=shadow -Wno-error=unused-value -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" ../configure --enable-developer --srcdir=`dirname "$PWD"` --enable-maintainer-mode $COVERAGE
else
CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" ../configure --enable-developer --srcdir=`dirname "$PWD"` --enable-maintainer-mode $COVERAGE
fi
fi
- ulimit -c unlimited; make -j3
script:
- if [ x${COVERITY_SCAN_BRANCH} != x1 ]; then ulimit -c unlimited; make check${MAKE_CHECK_SUFFIX}; fi
after_script:
- if [ -n "$COVERAGE" ]; then ../tools/coveralls-tool -O $PWD -S ..; fi
- find . -name \*.log -print0|xargs -0 grep '^==[1-9]'
after_failure:
- find . -name test-suite.log -print0 | xargs -0 cat
- if [ $TRAVIS_OS_NAME = linux ]; then echo "thread apply all bt" > x; find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi
- if [ $TRAVIS_OS_NAME = osx ]; then find . -name core -print | while read core; do echo bt | lldb --core "$core" `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi
compiler:
- clang
- gcc
matrix:
include:
- os: linux
compiler: gcc
env: COVERAGE=--enable-gcov
exclude:
- os: osx
compiler: gcc
notifications:
email:
on_success: change
on_failure: always
addons:
coverity_scan:
project:
name: "heimdal/heimdal"
description: "Build submitted via Travis CI"
notification_email: heimdal-builders@secure-endpoints.com
build_command_prepend: ../configure --enable-maintainer-mode
build_command: make
branch_pattern: coverity_scan

76
CODE_OF_CONDUCT.md Normal file
View File

@@ -0,0 +1,76 @@
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment
include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery and unwelcome sexual attention or
advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at abuse@heimdal.team. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see
https://www.contributor-covenant.org/faq

2
ChangeLog.2005
View File

@@ -1323,7 +1323,7 @@
2005-05-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/addr_families.c (krb5_print_address): catch when the
unknown adress don't fit. From Björn Sandell <biorn@dce.chalmers.se>
unknown address don't fit. From Björn Sandell <biorn@dce.chalmers.se>
2005-05-05 Dave Love <d.love@dl.ac.uk>

4
ChangeLog.2006
View File

@@ -366,7 +366,7 @@
* lib/krb5/pac.c: Almost enough code to do PAC parsing and
verification, missing in the unix2NTTIME and ucs2 corner. The
later will be adressed by finally adding libwind.
later will be addressed by finally adding libwind.
* lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew
@@ -2016,7 +2016,7 @@
* lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION
* lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
failes to produce the matching lenghts.
failes to produce the matching lengths.
2006-01-27 Love Hörnquist Åstrand <lha@it.su.se>

2
ChangeLog.2007
View File

@@ -423,7 +423,7 @@
2007-06-28 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/digest.c: On success, print username, not ip-adress.
* kdc/digest.c: On success, print username, not ip-address.
2007-06-26 Love Hörnquist Åstrand <lha@it.su.se>

2
LICENSE
View File

@@ -1,4 +1,4 @@
Copyright (c) 1995 - 2008 Kungliga Tekniska Högskolan
Copyright (c) 1995 - 2014 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.

26
Makefile.am
View File

@@ -7,12 +7,20 @@ kcm_dir = kcm
endif
SUBDIRS= include lib kuser kdc admin kadmin kpasswd
SUBDIRS+= $(kcm_dir) appl doc tools tests packages etc po
SUBDIRS+= $(kcm_dir) appl tools tests packages etc po
if HEIMDAL_DOCUMENTATION
SUBDIRS+= doc
endif
## ACLOCAL = @ACLOCAL@ -I cf
ACLOCAL_AMFLAGS = -I cf
EXTRA_DIST = \
NTMakefile \
windows \
TODO \
LICENSE \
README \
@@ -30,21 +38,33 @@ EXTRA_DIST = \
autogen.sh \
krb5.conf \
cf/make-proto.pl \
cf/roken-h-process.pl \
cf/install-catman.sh \
cf/ChangeLog \
cf/c-function.m4 \
cf/ChangeLog \
cf/have-pragma-weak.m4 \
cf/have-types.m4 \
cf/krb-func-getcwd-broken.m4 \
cf/krb-prog-ranlib.m4 \
cf/krb-prog-yacc.m4 \
cf/krb-sys-aix.m4 \
cf/krb-sys-nextstep.m4 \
cf/krb-version.m4 \
cf/roken.m4 \
cf/valgrind-suppressions \
cf/maybe-valgrind.sh \
cf/symbol-version.py \
cf/w32-check-exported-symbols.pl \
cf/w32-def-from-dll.pl \
cf/w32-detect-vc-version.pl \
cf/w32-hh-toc-from-info.pl \
cf/w32-list-externs-from-objs.pl \
cf/vararray.m4
print-distdir:
@echo $(distdir)
clean-local-gcov:
find . '(' -name '*.gcno' -o -name '*.gcda' -o -name '*.gcov' ')' -a -print|xargs rm -f
.PHONY: clean-local-gcov

600
NEWS
View File

@@ -1,14 +1,606 @@
Partial news for a future Heimdal 8.0 release -- but NOTE WELL that this is NOT
a release at this time!
Bug fixes
- Errors found by the Coverity static analysis.
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Fix out-of-tree SQLite3 ccache permissions / umask issues.
- iprop bugs, race conditions, and performance
- Many misc. bugs
Features:
- KDC: Add FAST support for TGS.
- KDC: Greatly improved plugin facility for Samba.
- KDC: Add httpkadmind service providing a subset of kadmin
functionality over HTTP.
- KDC: Add support for virtual service principal namespaces.
- KDC: Add support for synthetic client principals that exist if the
pre-authentication mechanism (e.g., PKINIT) can authenticate
them, thus not requiring an HDB entry.
- KDC: Add experimental GSS-API pre-authentication support.
- KDC: Revamp and enhance kx509 support (though bx509d mostly replaces kx509).
- KDC: Better support for aliases and referrals.
- KDC: Always return the salt in the PA-ETYPE-INFO[2].
- KDC: Add warn_ticket_addresses configuration parameter.
- KDC: allow anonymous AS requests with long-term keys.
- KDC: Do not include PAC for anonymous AS requests.
- KDC: Enable keepalive mode on incoming sockets.
- KDC: Greatly improved logging.
- KDC: Remove KRB5SignedPath, to be replaced with PAC.
- PKIX: Add bx509d -- an online certification authority (CA) with an HTTP API.
- kadmin: Add HTTP-based kadmin protocol.
- kadmin: Add add_alias, del_alias.
- kadmin: Add command aliases to man page.
- kadmin: Add disallow-client attribute.
- kadmin: add --hdb / -H argument.
- kadmin: Allow enforcing password quality on admin password change.
- kadmin: Improve ext_keytab usage.
- kadmin: Selective pruning of historic key for principal.
- krb5: Add client_aware_channel_bindings option.
- krb5: Add constrained credential delegation option "destination TGT"
- krb5: Add "EFILE:" target for logging.
- krb5: Add include/includedir directives for krb5.conf.
- krb5: Complete DIR ccache collection support.
- krb5: Add FILE ccache collection support.
- krb5: Improved FILE ccache performance.
- krb5: Add KEYRING ccache support.
- krb5: Add kx509 client.
- krb5: Improve FILE keytab performance.
- krb5: Implement KRB5_TRACE environment variable.
- krb5: Add experimental name canonicalization rules configuration.
- krb5: Support start_realm ccconfig entry type.
- kinit: Add --default-for option for ccache collection support.
- kinit: Add --pk-anon-fast-armor option.
- kinit: Don't leave dangling temporary ccaches.
- klist: Better --json
- iprop: Many performance and scaling enhancements.
- iprop: Support hierarchical propagation.
- ASN.1: Document fuzzing process.
- ASN.1: Complete template backend.
- ASN.1: Add partial Information Object System support (template backend
only). This means that open type holes can be decoded recursively
with one codec function call.
- ASN.1: Add JSON encoder functionality (template backend only).
- ASN.1: Greatly enhanced asn1_print(1) command, which can now print a
JSON representation of any DER-encoded value of any type exported
by ASN.1 modules in Heimdal.
- ASN.1: Support circular types.
- ASN.1: Topographically sort declarations.
- ASN.1: Proper support for IMPLICIT tags.
- GSS: Import gss-token(1) command.
- GSS: Add advanced credential store / load functionality.
- GSS: Add name attributes support, with support for many basic attributes
and PAC buffer accessors too.
- GSS: Add SANON mechanism for anonymous-only key exchange using
elliptic curve Diffie-Hellman (ECDH) with Curve25519.
- GSS: Add gss_acquire_cred_from() and credential store extensions.
- GSS: Support fragmented tokens reassembly (for SMB).
- GSS: Support client keytab.
- GSS: Add NegoEx support.
- libhx509: Lots of improvements.
- hxtool: Add "acert" (assert cert contents) command
- hxtool: add cert type: https-negotiate-server
- hxtool: add generate-key command
- hxtool: Add OID symbol resolution and printing of OIDs known to hxtool.
- hxtool: Add print --raw-json option that shows certificates in JSON, with
all extensions and attributes known to Heimdal fully decoded.
- hxtool: Improved SAN support.
- hxtool: Improved CSR support.
- Improved plugin interfaces.
- hcrypto: Add X25519.
- hcrypto: Better RSA key generation.
- hcrypto: import libtommath v1.2.0.
- roken: Add secure_getenv() and issuid(), use them extensively.
Release Notes - Heimdal - Version Heimdal 7.8
Bug fixes
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- Pass correct length to _gssapi_verify_pad()
- Check for overflow in _gsskrb5_get_mech()
- Check buffer length against overflow for DES{,3} unwrap
- Check the result of _gsskrb5_get_mech()
- Avoid undefined behaviour in _gssapi_verify_pad()
- Don't pass NULL pointers to memcpy() in DES unwrap
- Use constant-time memcmp() in unwrap_des3()
- Use constant-time memcmp() for arcfour unwrap
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- Errors found by the LLVM scan-build static analyzer.
- Errors found by the valgrind memory debugger.
- Work around GCC Bug 95189 (memcmp wrongly stripped like strcmp).
- Fix Unicode normalization read of 1 bytes past end of array.
- Correct ASN.1 OID typo for SHA-384
- Fix a deadlock in in the MEMORY ccache type.
- TGS: strip forwardable and proxiable flags if the server is
disallowed.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
- Incremental HDB propagation improvements
- Refactor send_diffs making it progressive
- Handle partial writes on non-blocking sockets
- Disable Nagle in iprop master and slave
- Use async I/O
- Don't send I_HAVE in response to AYT
- Do not recover log in kadm5_get_principal()
- Don't send diffs to slaves with not yet known version
- Don't stutter in send_diffs
- Optional backwards-compatible anon-pkinit behaviour
Release Notes - Heimdal - Version Heimdal 7.7
Bug fixes
- PKCS#11 hcrypto back-end
. initialize the p11_module_load function list
. verify that not only is a mechanism present but that its mechanism
info states that it offers the required encryption, decryption or
digest services
- krb5:
. Starting with 7.6, Heimdal permitted requesting authenticated
anonymous tickets. However, it did not verify that a KDC in fact
returned an anonymous ticket when one was requested.
- Cease setting the KDCOption reaquest_anonymous flag when issuing
S4UProxy (constrained delegation) TGS requests.
. when the Win2K PKINIT compatibility option is set, do
not require krbtgt otherName to match when validating KDC
certificate.
. set PKINIT_BTMM flag per Apple implementation
. use memset_s() instead of memset()
- kdc:
. When generating KRB5SignedPath in the AS, use the reply client name
rather than the one from the request, so validation will work
correctly in the TGS.
. allow checksum of PA-FOR-USER to be HMAC_MD5. Even if tgt used
an enctype with a different checksum. Per [MS-SFU] 2.2.1
PA-FOR-USER the checksum is always HMAC_MD5, and that's what
Windows and MIT clients send.
In heimdal both the client and kdc use instead the
checksum of the tgt, and therefore work with each other
but Windows and MIT clients fail against heimdal KDC.
Both Windows and MIT KDCs would allow any keyed checksum
to be used so Heimdal client interoperates with them.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4
based tgt in order to support per-spec clients.
. use memset_s() instead of memset().
- Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy
(constrained delegation) TGS Requests with the request
anonymous flag set. These requests will be treated as
S4UProxy requests and not anonymous requests.
- HDB:
. Set SQLite3 backend default page size to 8KB.
. Add hdb_set_sync() method
- kadmind:
. disable HDB sync during database load avoiding unnecessary disk i/o.
- ipropd:
. disable HDB sync during receive_everything. Doing an fsync
per-record when receiving the complete HDB is a performance
disaster. Among other things, if the HDB is very large, then
one slave receving a full HDB can cause other slaves to timeout
and, if HDB write activity is high enough to cause iprop log
truncation, then also need full syncs, which leads to a cycle of
full syncs for all slaves until HDB write activity drops.
Allowing the iprop log to be larger helps, but improving
receive_everything() performance helps even more.
- kinit:
. Anonymous PKINIT tickets discard the realm information used
to locate the issuing AS. Store the issuing realm in the
credentials cache in order to locate a KDC which can renew them.
. Do not leak the result of krb5_cc_get_config() when determining
anonymous PKINIT start realm.
- klist:
. Show transited-policy-checked, ok-as-delegate and anonymous
flags when listing credentials.
- tests:
. Regenerate certs so that they expire before the 2038 armageddon
so the test suite will pass on 32-bit operating systems until the
underlying issues can be resolved.
- Solaris:
. Define _STDC_C11_BCI for memset_s prototype
- build tooling:
. Convert from python 2 to python 3
- documentation
. rename verify-password to verify-password-quality
. hprop default mode is encrypt
. kadmind "all" permission does not include "get-keys"
. verify-password-quality might not be stateless
Release Notes - Heimdal - Version Heimdal 7.6
Security
- CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum
When the Heimdal KDC checks the checksum that is placed on the
S4U2Self packet by the server to protect the requested principal
against modification, it does not confirm that the checksum
algorithm that protects the user name (principal) in the request
is keyed. This allows a man-in-the-middle attacker who can
intercept the request to the KDC to modify the packet by replacing
the user name (principal) in the request with any desired user
name (principal) that exists in the KDC and replace the checksum
protecting that name with a CRC32 checksum (which requires no
prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user
name (principal) user@EXAMPLE.COM to any service to be changed
to a S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the
PAC of the modified user name (principal).
- CVE-2019-12098, client-only:
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge
when anonymous PKINIT is used. Failure to do so can permit an active
attacker to become a man-in-the-middle.
Bug fixes
- Happy eyeballs: Don't wait for responses from known-unreachable KDCs.
- kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey
- kinit:
. cleanup temporary ccaches
. see man page for "kinit --anonymous" command line syntax change
- kdc: Make anonymous AS-requests more RFC8062-compliant.
- Updated expired test certificates
- Solaris:
. PKCS#11 hcrypto backend broken since 7.0.1
. Building with Sun Pro C
Features
- kuser: support authenticated anonymous AS-REQs in kinit
- kdc: support for anonymous TGS-REQs
- kgetcred support for anonymous service tickets
- Support builds with OpenSSL 1.1.1
Release Notes - Heimdal - Version Heimdal 7.5
Security
- Fix CVE-2017-17439, which is a remote denial of service
vulnerability:
In Heimdal 7.1 through 7.4, remote unauthenticated attackers
are able to crash the KDC by sending a crafted UDP packet
containing empty data fields for client name or realm.
Bug fixes
- Handle long input lines when reloading database dumps.
- In pre-forked mode (default on Unix), correctly clear
the process ids of exited children, allowing new child processes
to replace the old.
- Fixed incorrect KDC response when no-cross realm TGT exists,
allowing client requests to fail quickly rather than time
out after trying to get a correct answer from each KDC.
Release Notes - Heimdal - Version Heimdal 7.4
Security
- Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
This is a critical vulnerability.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
See https://www.orpheus-lyre.info/ for more details.
Release Notes - Heimdal - Version Heimdal 7.3
Security
- Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
caused the previous hop realm to not be added to the transit path
of issued tickets. This may, in some cases, enable bypass of capath
policy in Heimdal versions 1.5 through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(CVE-2017-6594)
Release Notes - Heimdal - Version Heimdal 7.2
Bug fixes
- Portability improvements
- More strict parsing of encoded URI components in HTTP KDC
- Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism
- Avoid overly specific CPU info in krb5-config in aid of reproducible builds
- Don't do AFS string-to-key tests when feature is disabled
- Skip mdb_stat test when the command is not available
- Windows: update SHA2 timestamp server
- hdb: add missing export hdb_generate_key_set_password_with_ks_tuple
- Fix signature of hdb_generate_key_set_password()
- Windows: enable KX509 support in the KDC
- kdc: fix kx509 service principal match
- iprop: handle case where master sends nothing new
- ipropd-slave: fix incorrect error codes
- Allow choice of sqlite for HDB pref
- check-iprop: don't fail to kill daemons
- roken: pidfile -> rk_pidfile
- kdc: _kdc_do_kx509 fix use after free error
- Do not detect x32 as 64-bit platform.
- No sys/ttydefaults.h on CYGWIN
- Fix check-iprop races
- roken_detach_prep() close pipe
Release Notes - Heimdal - Version Heimdal 7.1
Security
- kx509 realm-chopping security bug
- non-authorization of alias additions/removals in kadmind
(CVE-2016-2400)
Feature
- iprop has been revamped to fix a number of race conditions that could
lead to inconsistent replication
- Hierarchical capath support
- AES Encryption with HMAC-SHA2 for Kerberos 5
draft-ietf-kitten-aes-cts-hmac-sha2-11
- hcrypto is now thread safe on all platforms
- libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for
Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend.
OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by
backend
- HDB now supports LMDB
- Thread support on Windows
- RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST)
- New GSS APIs:
. gss_localname
- Allow setting what encryption types a principal should have with
[kadmin] default_key_rules, see krb5.conf manpage for more info
- Unify libhcrypto with LTC (libtomcrypto)
- asn1_compile 64-bit INTEGER functionality
- HDB key history support including --keepold kadmin password option
- Improved cross-realm key rollover safety
- New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
- Improved MIT compatibility
. kadm5 API
. Migration from MIT KDB via "mitdb" HDB backend
. Capable of writing the HDB in MIT dump format
- Improved Active Directory interoperability
. Enctype selection issues for PAC and other authz-data signatures
. Cross realm key rollover (kvno 0)
- New [kdc] enctype negotiation configuration:
. tgt-use-strongest-session-key
. svc-use-strongest-session-key
. preauth-use-strongest-session-key
. use-strongest-server-key
- The KDC process now uses a multi-process model improving
resiliency and performance
- Allow batch-mode kinit with password file
- SIGINFO support added to kinit cmd
- New kx509 configuration options:
. kx509_ca
. kca_service
. kx509_include_pkinit_san
. kx509_template
- Improved Heimdal library/plugin version safety
- Name canonicalization
. DNS resolver searchlist
. Improved referral support
. Support host:port host-based services
- Pluggable libheimbase interface for DBs
- Improve IPv6 Support
- LDAP
. Bind DN and password
. Start TLS
- klist --json
- DIR credential cache type
- Updated upstream SQLite and libedit
- Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
telnet, xnlock
- Completely remove RAND_egd support
- Moved kadmin and ktutil to /usr/bin
- Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
. use O_NOFOLLOW
. don't follow symlinks
. require cache files to be owned by the user
. require sensible permissions (not group/other readable)
- Implemented gss_store_cred()
- Many more
Bug fixes
- iprop has been revamped to fix a number of race conditions that could
lead to data loss
- Include non-loopback addresses assigned to loopback interfaces
when requesting tickets with addresses
- KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
- Keytab file descriptor and lock leak
- Credential cache corruption bugs
(NOTE: The FILE ccache is still not entirely safe due to the
fundamentally unsafe design of POSIX file locking)
- gss_pseudo_random() interop bug
- Plugins are now preferentially loaded from the run-time install tree
- Reauthentication after password change in init_creds_password
- Memory leak in the client kadmin library
- TGS client requests renewable/forwardable/proxiable when possible
- Locking issues in DB1 and DB3 HDB backends
- Master HDB can remain locked while waiting for network I/O
- Renewal/refresh logic when kinit is provided with a command
- KDC handling of enterprise principals
- Use correct bit for anon-pkinit
- Many more
Acknowledgements
This release of Heimdal includes contributions from:
Abhinav Upadhyay Heath Kehoe Nico Williams
Andreas Schneider Henry Jacques Patrik Lundin
Andrew Bartlett Howard Chu Philip Boulain
Andrew Tridgell Igor Sobrado Ragnar Sundblad
Antoine Jacoutot Ingo Schwarze Remi Ferrand
Arran Cudbard-Bell Jakub Čajka Rod Widdowson
Arvid Requate James Le Cuirot Rok Papež
Asanka Herath James Lee Roland C. Dowdeswell
Ben Kaduk Jeffrey Altman Ross L Richardson
Benjamin Kaduk Jeffrey Clark Russ Allbery
Bernard Spil Jeffrey Hutzelman Samuel Cabrero
Brian May Jelmer Vernooij Samuel Thibault
Chas Williams Ken Dreyer Santosh Kumar Pradhan
Chaskiel Grundman Kiran S J Sean Davis
Dana Koch Kumar Thangavelu Sergio Gelato
Daniel Schepler Landon Fuller Simon Wilkinson
David Mulder Linus Nordberg Stef Walter
Douglas Bagnall Love Hörnquist Åstrand Stefan Metzmacher
Ed Maste Luke Howard Steffen Jaeckel
Eray Aslan Magnus Ahltorp Timothy Pearson
Florian Best Marc Balmer Tollef Fog Heen
Fredrik Pettai Marcin Cieślak Tony Acero
Greg Hudson Marco Molteni Uri Simchoni
Gustavo Zacarias Matthieu Hautreux Viktor Dukhovni
Günther Deschner Michael Meffie Volker Lendecke
Harald Barth Moritz Lenz
Release Notes - Heimdal - Version Heimdal 1.5.3
Bug fixes
- Fix leaking file descriptors in KDC
- Better socket/timeout handling in libkrb5
- General bug fixes
- Build fixes
Release Notes - Heimdal - Version Heimdal 1.5.2
Security fixes
- CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
- Check that key types strictly match - denial of service
Release Notes - Heimdal - Version Heimdal 1.5.1
Bug fixes
- Fix building on Solaris, requires c99
- Fix building on Windows
- Build system updates
Release Notes - Heimdal - Version Heimdal 1.5
New features
- Support GSS name extensions/attributes
- SHA512 support
- No Kerberos 4 support
- Basic support for MIT Admin protocol (SECGSS flavor)
in kadmind (extract keytab)
- Replace editline with libedit
Release Notes - Heimdal - Version Heimdal 1.4
New features
- Support for reading MIT database file directly
- KCM is polished up and now used in production
- NTLM first class citizen, credentials stored in KCM
- Table driven ASN.1 compiler, smaller!, not enabled by default
- Native Windows client support
Notes
- Disabled write support NDBM hdb backend (read still in there) since
it can't handle large records, please migrate to a diffrent backend
(like BDB4)
Release Notes - Heimdal - Version Heimdal 1.3.3
Bug fixes
- Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
- Check NULL pointers before dereference them [kdc]
Release Notes - Heimdal - Version Heimdal 1.3.2
Bug fixes
- Don't mix length when clearing hmac (could memset too much)
- More paranoid underrun checking when decrypting packets
- Check the password change requests and refuse to answer empty packets
- Build on OpenSolaris
- Renumber AD-SIGNED-TICKET since it was stolen from US
- Don't cache /dev/*random file descriptor, it doesn't get unloaded
- Make C++ safe
- Misc warnings
Release Notes - Heimdal - Version Heimdal 1.3.1
Bug fixes
- Store KDC offset in credentials
- Many many more bug fixes
Release Notes - Heimdal - Version Heimdal 1.3.1
New features
- Make work with OpenLDAPs krb5 overlay
Release Notes - Heimdal - Version Heimdal 1.3
New features
- Partital support for MIT kadmind rpc protocol in kadmind
- Partial support for MIT kadmind rpc protocol in kadmind
- Better support for finding keytab entries when using SPN aliases in the KDC
- Support BER in ASN.1 library (needed for CMS)
- Support decryption in Keychain private keys
- Support for new sqlite based credential cache
- Try both to KDC referals the the common DNS reverse lookup in GSS-API
- Fix the KCM not not leak resources on failure
- Try both KDC referals and the common DNS reverse lookup in GSS-API
- Fix the KCM to not leak resources on failure
- Add IPv6 support to iprop
- Support localization of error strings in
kinit/klist/kdestroy and Kerberos library
@@ -22,7 +614,7 @@ Release Notes - Heimdal - Version Heimdal 1.3
- Support for settin friendly name on credential caches
- Move to using doxygen to generate documentation.
- Sprinkling __attribute__((depricated)) for old function to be removed
- Sprinkling __attribute__((__deprecated__)) for old function to be removed
- Support to export LAST-REQUST information in AS-REQ
- Support for client deferrals in in AS-REQ
- Add seek support for krb5_storage.

47
NTMakefile Normal file
View File

@@ -0,0 +1,47 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
!if exist("thirdparty\NTMakefile")
thirdparty=thirdparty
!endif
!ifdef APPVEYOR
SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl \
tools tests packages etc
!else
SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc \
tools tests packages etc $(thirdparty) packages\windows\installer
!endif
!include windows/NTMakefile.w32
all::
@echo Build finished succesfully

23
README
View File

@@ -1,18 +1,19 @@
Heimdal is a Kerberos 5 implementation.
Heimdal is an implementation of: ASN.1/DER, PKIX, and Kerberos.
Please see the manual in doc, by default installed in
/usr/heimdal/info/heimdal.info for information on how to install.
There are also briefer man pages for most of the commands.
For information how to install see
<https://github.com/heimdal/heimdal/wiki/Building-and-installing>.
Bug reports and bugs are appreciated, see more under Bug reports in
the manual on how we prefer them.
There are briefer man pages for most of the commands.
Bug reports and bugs are appreciated. Use GitHub issues.
<https://www.heimdal.software/heimdal/issues>.
For more information see the web-page at
<http://www.h5l.org/> or the mailing lists:
<https://www.heimdal.software/heimdal/> or the mailing lists:
heimdal-announce@sics.se low-volume announcement
heimdal-discuss@sics.se high-volume discussion
heimdal-announce@heimdal.software low-volume announcement
heimdal-discuss@heimdal.software high-volume discussion
send a mail to heimdal-announce-request@sics.se and
heimdal-discuss-request@sics.se respectively to subscribe.
send a mail to heimdal-announce-subscribe@heimdal.software and
heimdal-discuss-subscribe@heimdal.software respectively to subscribe.

13
README.fast Normal file
View File

@@ -0,0 +1,13 @@
-- in order of preference
- client: plugin support for fast plugins
note GSS-API can be used as PA plugin interface
- kdc: plugin support for fast plugins
partly done with "struct kdc_patypes"
- kcm: support FAST armor ticket
-- using PK-INIT anonymous
-- using host key

39
README.md Normal file
View File

@@ -0,0 +1,39 @@
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/linux.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Alinux)
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/osx.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Aosx)
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/windows.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Awindows)
[![Appveyor-CI build (Windows)](https://ci.appveyor.com/api/projects/status/6j0k0m7kd6jjj4tw/branch/master?svg=true)](https://ci.appveyor.com/project/heimdal/heimdal/branch/master)
[![Coverage Status](https://coveralls.io/repos/github/heimdal/heimdal/badge.svg?branch=master)](https://coveralls.io/github/heimdal/heimdal?branch=master)
Heimdal
=======
Heimdal is an implementation of:
- ASN.1/DER,
- PKIX, and
- Kerberos.
For information how to install see [here](https://github.com/heimdal/heimdal/wiki/Building-and-installing).
There are man pages for most of the commands.
Bug reports and bugs are appreciated. Use [GitHub issues](https://www.heimdal.software/heimdal/issues).
For more information see the project homepage [https://heimdal.software/heimdal/](https://heimdal.software/heimdal/) or the mailing lists:
heimdal-announce@heimdal.software low-volume announcement
heimdal-discuss@heimdal.software high-volume discussion
send mail to [heimdal-announce-subscribe@heimdal.software](mailto:heimdal-announce-subscribe@heimdal.software) and
[heimdal-discuss-subscribe@heimdal.software](mailto:heimdal-discuss-subscribe@heimdal.software)
respectively to subscribe.
Build Status
============
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/linux.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Alinux)
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/osx.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Aosx)
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/windows.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Awindows)
[![Appveyor-CI build (Windows)](https://ci.appveyor.com/api/projects/status/6j0k0m7kd6jjj4tw/branch/master?svg=true)](https://ci.appveyor.com/project/heimdal/heimdal/branch/master)
[![Coverage Status](https://coveralls.io/repos/github/heimdal/heimdal/badge.svg?branch=master)](https://coveralls.io/github/heimdal/heimdal?branch=master)

90
SECURITY.md Normal file
View File

@@ -0,0 +1,90 @@
# Security Policy
## Supported Versions
Use this section to tell people about which versions of your project are
currently being supported with security updates.
| Version | Supported |
| ------- | ------------------ |
| 7.x.x | :white_check_mark: |
| < 7.0 | :x: |
## Reporting a Vulnerability
Security sensitive bug reports should be sent to
heimdal-security@heimdal.team using this PGP key.
Key ID: 9A077911BB7DC320
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)
mQINBFz8mXMBEAC3oUdMAP52TaJYQ2Rri0C4hNx7v73Jb/MqoAJKyJ7RKlGkpNp4
8K7+/VwRqiex0Cs//wU2TMCLRK7n/J2YG3Z+Eu2FZeWRUmEJfvzgXDi/IfYmyytV
DU5RxFF7oB3X8xeESoLLB1haGuDR4fTxgtIJGVgh6ShddcMObO9zhqGtLmlf6BTD
fXPxxPn0fNqStVh38rEoL3Ri/KFoojOxIFubhfrKfTwRarNUUCT6b+ybra82rfB1
JzNICraskvZGelCvC7vIflHLeg6a2a9dYkJeaNbXPR0p2BbNWoZ+y/nukCtTQHNO
avsFnALgm4LpWjEOkCr38TRPllrrYYA+DbjfB4bnp4BxOd1DaXtwBvkm/QMn2xuv
DBsJklY2RzAW9/l0S6VDVNbtIao21wtDLC98SdR9iweOcuvm0LcTfzEfiSf6vqIt
YIatTo7wh2/X0axzHsE5XTxmwzutMQ5ysOkgj5v6bmhxhAxNYspmSeei8698t2xT
ezOJwj2zjzaqgSQVND9uaRkxWkEQnp8P26DizGgO8VygAKSM6abqGnSXQgHrLYWR
FziTai98M3f9DA8m4aAxYHNRh/EnE7CieM8QglEEqRjfUzaZs+cUQMZaEMAkh8G6
yJKhEWfhiWR6vK6vdA1lUSgzTGynch96OCrOYebjfp0VKLOFgkGauusyZwARAQAB
tDBIZWltZGFsIFNlY3VyaXR5IDxoZWltZGFsLXNlY3VyaXR5QGhlaW1kYWwudGVh
bT6JAjkEEwECACMFAlz8mXMCGyMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK
CRCaB3kRu33DICt6D/4/SzcNwUHb4CsOFgBVX/f4Gi6VDaGzgcthX8ddby2sHmgJ
YvmHD3ftwATVPZ0NtZ0h0v6tlBBVP6lq2lV0dJk4wDRZU2x2xxCMNFvgid2OFH4n
s47Wyed63IKokuwfqqDRcTMKLG/8zE0s/zmczxGw4KTPkiFe58qWPS4WdQqxhGbQ
byDByi16yO/5Yp13kFhtdzpDiwCIlf4W1DkwK133JZRKGvvc2E8dFY0H1u+ZYWj5
YkJMbxSJkUD8vOarO7LaHLTeu+nRwrbmBqNX3e7UOcgCozwTpTlD63oxZ25HOSCb
nJs0xjQU0lGhebbBWO0e2gGljE+irAuIO5sPd/JOxV+Ppl97LkRFs2PrNqABj1XP
caknBkeT//12s2YbmQAMv3xWdqsH8YypWHMSG4vTwxS/CdM2FqrPiAUUa9OoZaSK
Oi9CxV5/02XkGIdVDKLqAXpzYMbQXRGyUORL/93QLULq3CMZq8depzELJGGhTr52
tqtK1ecq8hUqtroSixFydKOfHL/CnssteRHTOT0O110PLOkrcPAE7cadjhYYUXWc
4R8QnUQpUnpsEDBLOeqLubw/yGCG9YfA3j6uXkWsKeFuC5P0QG1ptoOEcT40l0J0
bbHSSrbeAsovGQcs7qZGs0Vybetufx3YbhFcj85W64+Q36YK97L2gnuitnxNPIhG
BBMRAgAGBQJc/Jr7AAoJEFWROgb+WUtoRN4An1T7Oz+P0xe+TRCDISoofk9QuXLk
AKCw9dd28MLBFjeBSDgihi27RqtjOIkBHAQTAQIABgUCXPybJwAKCRDcZtQjSX34
eN2sB/46kXACbiPbfZKa4HuipnTGbmach66PrTkpdZUXt+kYyO9Os33kLO33qNSe
mFZwRHJGMhahzMZMEA18n85HYyQw4/Kqx/Atr2TnVigJpN2YIw0L6rfv9KP8vhwK
fn4YXpH1ZFs54EUK85pT+Orbkk83tWPDnUlf9dkVX2GHWBqTbUjbKduaEbdDvRqE
NiiXTWhaSBpxLW/Iqu/ogwAH+36B1apLjoBtMYzU3up+OKrNN+Lrsi0ztCdhGIjj
jND4JiqnnaKbKOpj6htXJHryXNicXfFa64cHtrYkz8PJVEpo4AkBIAZRvgl0C5vT
HkeyBuRAHSbvtN0EfQCgIFJRUVnmiQIcBBMBAgAGBQJc/JtjAAoJEPd6c1WStpoE
GooQAJB1zZwIeTKj77FqqfPtU9sc8DWrxnBSYSJCYJAM4520OaG2RBpLFjJ30GSY
Ky9MeUGOCfOl4wx9LfMU4GKFqxjw5N0H7f2DTNdPKp5QzZT5LIle5xu4UerolDdU
Wn/LOJpYJbYnyFKOi3NU0A8yS1wJsJ1ZGf4GB6Xi9q8Wx+E482pSFDWkFInwAozc
rvZCtx/4vsEKLWDCEOlUclbnmipiUtKm1jxyOnTQbzqx5X5ZLxIjTmz/LdvJJiYf
H+BAFAaIlCr5JWw6SSRo/cL0l7b+Q0YPqaY+ElTdYQXyfC0C0yPVmpA2jnqpgUp/
O53AYZNZtvRnbBq67VWSbBUXllu44QgVI180tBeDqZWYbGcyRWQ+36S3xh6O1gfA
cOqs6IzKNtALFOYKLvaWFP+Tls+uGAzYeQFN92V0n3agK1p9rGmMa79yPyIqeHfi
7cpnqtsjXDm6qoMD+119tWL+exg3GKzZpYVpptpSQXnVzqOLGhEQdVtQ8uLaY/4g
2CL27Rg3wp+dmQDPmUWqZIWBg32R6vqxzbKcnwaAqLiH0ryULOB2ebKPu/FKQGZN
5I6S75pwzXoDioXD1ALAeAyhfpp2XSYDI3AeLvF34hgPwLuw1AVdr0VF27E7IAub
lcHvdNS+bry6k16difwjJS9G2qRblZmwxpv5UpdiRW87YDjLuQINBFz8mXMBEACg
P4pnjDcLtWTDfNNaRbTl/4VTLKEgTwF04dslWFKJt7SiDepwcJNBux6sPdF3B4/U
VQXI1OqQ9msBz4nQj5c+m2ZQC2mRohLIjigmEiCe+62CbauKP5Jaj4xKW0xEkPiX
DsiUWZqetQBXvxjVvh6rS1MArzKtLOGXHsaRRK84JquD+CjMxKwOPPgRJNbOay5f
rXfKV2oxVWGxylaZnc1zZhLau+Z1mto1c80glt1HNTNzue1NLBckB55Z7nUn0ue8
q2pay1VrPwdM2Ym/r+K5mpwvqKw9Xwc8Uj/Uypb9r9Qt8WvlZ7j1lbbF9Tgs4Hjk
O5ZmHN4SZxhRHSymwce6R3efp+3T1A2I0es5BGBhmz62i2x98Jf3uaR7wQIGO+bS
3XoVG1llghpYYZIVK1x+2HyWqfVBfnO62vbULA5wtXYdY5V+R7gzctnybr0SUjh0
msWLh39G3yReU9ia4dZg4CLb3/bAf25AeN+V8DraGyPdeieMOfad+IpazFm0aPo/
zmMe94mhyOK/pDkuvLOvSGQm0dy/lWPLK8K8p4fLMKKRv6Tyzps77407GWqo8+8R
sF9YPvN2/E0iJXokgIKrCQtoovNsitgL9CANX8+kzcs5QHsh/FJJhLoA3zwaR/9S
nAP3JeAubda4PbBXggzsv2+lIIBvz5URwN9lSPdblQARAQABiQIfBBgBAgAJBQJc
/JlzAhsMAAoJEJoHeRG7fcMgMGwP/00bpcf6K/GCZxAuu0vuohvKe3tTR1cD8Sks
ZsavXyvaUuHkZn31OPow/RGYcRnMLfh9iddgV++lxYcaZ8iILtGnH9vXg0bhiX1x
XLhSRwcpF1Rf7/1KgAsKcd0PtHehxNMEiS9ISqZBDZQyMYaCh2wK5FienQziGOLx
ehHxarEfwQJEFqW3+rWs5YhaRD4fLuxi4fxefT9TQp+rZp+2CNFENI5w2bFFkFYe
wUZ2waTbxpFUDV2HB0znH8HEyIfEBGGpbD8tHCiM7W46gpi6mBnEfd/3gQu+ewoz
z4dfspKTQfuIUMN1s0+iqzY9to1Bzfrnc328ntMnhfXsz91hwqMLpD36zLUTtHPc
Zf9E+R4Q9bsqGUoVo8xrkd52Nxta24leF5x7+8K90vghsFJ8dP1qS2y8w3emUlDn
++GVrZWJRLhwbVOtcroRF2WqGTRRJZ5sgaMq5LIE9KUCKioq+/gFvWyDABH1Y1jq
vEep+eyl6DuEoDY9KV912EUtF7Fn7mM1aY4tLOYYGVIqy/SfvKKS+8Fv9QUkFjVV
PhkGVow1Hh8SHAzq/8mMV6/D7xUgMJhfnjwUNp0t7s5J9xN4uLSKSVlyNkI2JRvd
m445blzP6zyWOwlY1RdOX+qEo+y7zyruWc3EB8kzQTKjIzShVN3k+SOAO4QGM6Jy
CthJqQ8K
=Nb2m
-----END PGP PUBLIC KEY BLOCK-----

45
TODO
View File

@@ -1,49 +1,30 @@
-*- indented-text -*-
$Id$
* configure
* appl
** appl/popper
* doc
* kdc
* kadmin
* kpasswdd
* lib
** lib/asn1
** lib/auth
** lib/auth/sia
** lib/com_err
** lib/des
** lib/gssapi
cache delegation credentials to avoid hitting the kdc ? require time
stampless tickets, and was supported in the recv'ing end with 0.6.1.
** lib/hdb
make iov work for arcfour
make iov work for ntlm
interop test
make TYPE_STREAM work
** lib/kadm5
add policies?
fix to use rpc?
** lib/krb5
verify_user: handle non-secure verification failing because of
host->realm mapping
** lib/roken
* windows stuff
-- drop all double negation #ifndef NO_
-- got though windows specific ifdefs to minimized them
-- switch to use heim-ipc for services, like the kadmin change notification socket
-- Unify lib/krb5/expand_path_w32.c

5
TODO-iov
View File

@@ -1,5 +0,0 @@
make iov work for arcfour
make iov work for ntlm
interop test
make TYPE_STREAM work

11
admin/Makefile.am
View File

@@ -2,13 +2,11 @@
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_readline) $(INCLUDE_hcrypto)
AM_CPPFLAGS += $(INCLUDE_readline)
SLC = $(top_builddir)/lib/sl/slc
man_MANS = ktutil.1
man_MANS = ktutil.8
sbin_PROGRAMS = ktutil
bin_PROGRAMS = ktutil
dist_ktutil_SOURCES = \
add.c \
@@ -39,7 +37,8 @@ LDADD = \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(top_builddir)/lib/sl/libsl.la \
$(LIB_heimbase) \
$(LIB_readline) \
$(LIB_roken)
EXTRA_DIST = $(man_MANS) ktutil-commands.in
EXTRA_DIST = NTMakefile ktutil-version.rc $(man_MANS) ktutil-commands.in

75
admin/NTMakefile Normal file
View File

@@ -0,0 +1,75 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=admin
cincdirs=$(cincdirs) -I$(OBJ)
!include ../windows/NTMakefile.w32
SBINPROGRAMS=$(SBINDIR)\ktutil.exe
KTUTIL_OBJS= \
$(OBJ)\add.obj \
$(OBJ)\change.obj \
$(OBJ)\copy.obj \
$(OBJ)\destroy.obj \
$(OBJ)\get.obj \
$(OBJ)\ktutil.obj \
$(OBJ)\ktutil-commands.obj \
$(OBJ)\list.obj \
$(OBJ)\purge.obj \
$(OBJ)\remove.obj \
$(OBJ)\rename.obj
KTUTIL_LIBS= \
$(LIBHEIMBASE) \
$(LIBHEIMDAL) \
$(LIBKADM5SRV) \
$(LIBSL) \
$(LIBROKEN) \
$(LIBVERS)
$(SBINDIR)\ktutil.exe: $(KTUTIL_OBJS) $(KTUTIL_LIBS) $(OBJ)\ktutil-version.res
$(EXECONLINK)
$(EXEPREP)
$(OBJ)\ktutil-commands.c $(OBJ)\ktutil-commands.h: ktutil-commands.in
cd $(OBJ)
$(CP) $(SRCDIR)\ktutil-commands.in $(OBJ)
$(BINDIR)\slc.exe ktutil-commands.in
cd $(SRCDIR)
INCFILES=\
$(OBJ)\ktutil-commands.h
all:: $(INCFILES) $(SBINPROGRAMS)
clean::
-$(RM) $(SBINPROGRAMS:.exe=.*)

187
admin/add.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* Copyright (c) 1997-2022 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,6 +32,8 @@
*/
#include "ktutil_locl.h"
#include <heimbase.h>
#include <base64.h>
RCSID("$Id$");
@@ -94,7 +96,8 @@ kt_add(struct add_options *opt, int argc, char **argv)
goto out;
}
if(opt->password_string == NULL && opt->random_flag == 0) {
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ", 1)) {
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ",
UI_UTIL_FLAG_VERIFY)) {
ret = 1;
goto out;
}
@@ -104,7 +107,7 @@ kt_add(struct add_options *opt, int argc, char **argv)
if (opt->hex_flag) {
size_t len;
void *data;
len = (strlen(opt->password_string) + 1) / 2;
data = malloc(len);
@@ -113,7 +116,7 @@ kt_add(struct add_options *opt, int argc, char **argv)
goto out;
}
if (hex_decode(opt->password_string, data, len) != len) {
if ((size_t)hex_decode(opt->password_string, data, len) != len) {
free(data);
krb5_warn(context, ENOMEM, "hex decode failed");
goto out;
@@ -152,6 +155,180 @@ kt_add(struct add_options *opt, int argc, char **argv)
krb5_warn(context, ret, "add");
out:
krb5_kt_free_entry(context, &entry);
krb5_kt_close(context, keytab);
if (ret == 0) {
ret = krb5_kt_close(context, keytab);
if (ret)
krb5_warn(context, ret, "Could not write the keytab");
} else {
krb5_kt_close(context, keytab);
}
return ret != 0;
}
/* We might be reading from a pipe, so we can't use rk_undumpdata() */
static char *
read_file(FILE *f)
{
size_t alloced;
size_t len = 0;
size_t bytes;
char *res, *end, *p;
if ((res = malloc(1024)) == NULL)
err(1, "Out of memory");
alloced = 1024;
end = res + alloced;
p = res;
do {
if (p == end) {
char *tmp;
if ((tmp = realloc(res, alloced + (alloced > 1))) == NULL)
err(1, "Out of memory");
alloced += alloced > 1;
p = tmp + len;
res = tmp;
end = res + alloced;
}
bytes = fread(p, 1, end - p, f);
len += bytes;
p += bytes;
} while (bytes && !feof(f) && !ferror(f));
if (ferror(f))
errx(1, "Could not read all input");
if (p == end) {
char *tmp;
if ((tmp = strndup(res, len)) == NULL)
err(1, "Out of memory");
free(res);
res = tmp;
}
if (strlen(res) != len)
err(1, "Embedded NULs in input!");
return res;
}
static void
json2keytab_entry(heim_dict_t d, krb5_keytab kt, size_t idx)
{
krb5_keytab_entry e;
krb5_error_code ret;
heim_object_t v;
uint64_t u;
int64_t i;
char *buf = NULL;
memset(&e, 0, sizeof(e));
v = heim_dict_get_value(d, HSTR("timestamp"));
if (heim_get_tid(v) != HEIM_TID_NUMBER)
goto bad;
u = heim_number_get_long(v);
e.timestamp = u;
if (u != (uint64_t)e.timestamp)
goto bad;
v = heim_dict_get_value(d, HSTR("kvno"));
if (heim_get_tid(v) != HEIM_TID_NUMBER)
goto bad;
i = heim_number_get_long(v);
e.vno = i;
if (i != (int64_t)e.vno)
goto bad;
v = heim_dict_get_value(d, HSTR("enctype_number"));
if (heim_get_tid(v) != HEIM_TID_NUMBER)
goto bad;
i = heim_number_get_long(v);
e.keyblock.keytype = i;
if (i != (int64_t)e.keyblock.keytype)
goto bad;
v = heim_dict_get_value(d, HSTR("key"));
if (heim_get_tid(v) != HEIM_TID_STRING)
goto bad;
{
const char *s = heim_string_get_utf8(v);
int declen;
if ((buf = malloc(strlen(s))) == NULL)
err(1, "Out of memory");
declen = rk_base64_decode(s, buf);
if (declen < 0)
goto bad;
e.keyblock.keyvalue.data = buf;
e.keyblock.keyvalue.length = declen;
}
v = heim_dict_get_value(d, HSTR("principal"));
if (heim_get_tid(v) != HEIM_TID_STRING)
goto bad;
ret = krb5_parse_name(context, heim_string_get_utf8(v), &e.principal);
if (ret == 0)
ret = krb5_kt_add_entry(context, kt, &e);
/* For now, ignore aliases; besides, they're never set anywhere in-tree */
if (ret)
krb5_warn(context, ret,
"Could not parse or write keytab entry %lu",
(unsigned long)idx);
bad:
krb5_free_principal(context, e.principal);
free(buf);
}
int
kt_import(void *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_keytab kt;
heim_object_t o;
heim_error_t json_err = NULL;
heim_json_flags_t flags = HEIM_JSON_F_STRICT;
FILE *f = argc == 0 ? stdin : fopen(argv[0], "r");
size_t alen, i;
char *json;
if (f == NULL)
err(1, "Could not open file %s", argv[0]);
json = read_file(f);
fclose(f);
o = heim_json_create(json, 10, flags, &json_err);
free(json);
if (o == NULL) {
if (json_err != NULL) {
o = heim_error_copy_string(json_err);
if (o)
errx(1, "Could not parse JSON: %s", heim_string_get_utf8(o));
}
errx(1, "Could not parse JSON");
}
if (heim_get_tid(o) != HEIM_TID_ARRAY)
errx(1, "JSON text must be an array");
alen = heim_array_get_length(o);
if (alen == 0)
errx(1, "Empty JSON array; not overwriting keytab");
if ((kt = ktutil_open_keytab()) == NULL)
err(1, "Could not open keytab");
for (i = 0; i < alen; i++) {
heim_object_t e = heim_array_get_value(o, i);
if (heim_get_tid(e) != HEIM_TID_DICT)
warnx("Element %ld of JSON text array is not an object", (long)i);
else
json2keytab_entry(heim_array_get_value(o, i), kt, i);
}
ret = krb5_kt_close(context, kt);
if (ret)
krb5_warn(context, ret, "Could not write the keytab");
return ret != 0;
}

81
admin/change.c
View File

@@ -36,17 +36,23 @@
RCSID("$Id$");
static krb5_error_code
change_entry (krb5_keytab keytab,
krb5_principal principal, krb5_kvno kvno,
const char *realm, const char *admin_server, int server_port)
change_entry(krb5_keytab keytab,
krb5_principal principal,
krb5_kvno kvno,
int keep,
size_t nkstuple,
krb5_key_salt_tuple *kstuple,
const char *realm,
const char *admin_server,
int server_port)
{
krb5_error_code ret;
kadm5_config_params conf;
void *kadm_handle;
char *client_name;
krb5_keyblock *keys;
size_t i;
int num_keys;
int i;
ret = krb5_unparse_name (context, principal, &client_name);
if (ret) {
@@ -73,7 +79,7 @@ change_entry (krb5_keytab keytab,
free(conf.realm);
krb5_set_error_message(context, ENOMEM, "malloc failed");
return ENOMEM;
}
}
conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
}
@@ -96,14 +102,15 @@ change_entry (krb5_keytab keytab,
free (client_name);
return ret;
}
ret = kadm5_randkey_principal (kadm_handle, principal, &keys, &num_keys);
kadm5_destroy (kadm_handle);
ret = kadm5_randkey_principal_3(kadm_handle, principal, keep, nkstuple,
kstuple, &keys, &num_keys);
kadm5_destroy(kadm_handle);
if (ret) {
krb5_warn(context, ret, "kadm5_randkey_principal: %s:", client_name);
krb5_warn(context, ret, "kadm5_randkey_principal_3: %s:", client_name);
free (client_name);
return ret;
}
free (client_name);
free(client_name);
for (i = 0; i < num_keys; ++i) {
krb5_keytab_entry new_entry;
@@ -131,18 +138,55 @@ struct change_set {
};
int
kt_change (struct change_options *opt, int argc, char **argv)
kt_change(struct change_options *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_keytab keytab;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
int i, j, max;
krb5_key_salt_tuple *kstuple = NULL;
const char *enctype;
size_t i, j, max, nkstuple;
int keep = 1;
struct change_set *changeset;
int errors = 0;
if((keytab = ktutil_open_keytab()) == NULL)
i = 0;
if (opt->keepold_flag) {
keep = 1;
i++;
}
if (opt->keepallold_flag) {
keep = 2;
i++;
}
if (opt->pruneall_flag) {
keep = 0;
i++;
}
if (i > 1) {
fprintf(stderr, "use only one of --keepold, --keepallold, or --pruneall\n");
return EINVAL;
}
enctype = opt->enctype_string;
if (enctype == NULL || enctype[0] == '\0')
enctype = krb5_config_get_string(context, NULL, "libdefaults",
"supported_enctypes", NULL);
if (enctype == NULL || enctype[0] == '\0')
enctype = "aes128-cts-hmac-sha1-96";
ret = krb5_string_to_keysalts2(context, enctype, &nkstuple, &kstuple);
if (ret) {
fprintf(stderr, "enctype(s) unknown\n");
return ret;
}
/* XXX Parameterize keytab name */
if ((keytab = ktutil_open_keytab()) == NULL) {
free(kstuple);
return 1;
}
j = 0;
max = 0;
@@ -217,7 +261,6 @@ kt_change (struct change_options *opt, int argc, char **argv)
krb5_kt_end_seq_get(context, keytab, &cursor);
if (ret == KRB5_KT_END) {
ret = 0;
for (i = 0; i < j; i++) {
if (verbose_flag) {
char *client_name;
@@ -232,11 +275,12 @@ kt_change (struct change_options *opt, int argc, char **argv)
free(client_name);
}
}
ret = change_entry (keytab,
changeset[i].principal, changeset[i].kvno,
opt->realm_string,
opt->admin_server_string,
opt->server_port_integer);
ret = change_entry(keytab,
changeset[i].principal, changeset[i].kvno,
keep, nkstuple, kstuple,
opt->realm_string,
opt->admin_server_string,
opt->server_port_integer);
if (ret != 0)
errors = 1;
}
@@ -247,6 +291,7 @@ kt_change (struct change_options *opt, int argc, char **argv)
free (changeset);
out:
free(kstuple);
krb5_kt_close(context, keytab);
return errors;
}

19
admin/copy.c
View File

@@ -47,7 +47,7 @@ compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
}
int
kt_copy (void *opt, int argc, char **argv)
kt_copy (struct copy_options *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_keytab src_keytab, dst_keytab;
@@ -106,11 +106,18 @@ kt_copy (void *opt, int argc, char **argv)
"already exists for %s, keytype %s, kvno %d",
name_str, etype_str, entry.vno);
}
krb5_kt_free_entry(context, &dummy);
krb5_kt_free_entry (context, &entry);
free(name_str);
free(etype_str);
continue;
if (!opt->copy_duplicates_flag) {
krb5_kt_free_entry(context, &dummy);
krb5_kt_free_entry (context, &entry);
free(name_str);
free(etype_str);
continue;
}
/*
* Because we can end up trying all keys that match the enctype,
* copying entries with duplicate principal, vno, and enctype, but
* different keys, can be useful.
*/
} else if(ret != KRB5_KT_NOTFOUND) {
krb5_warn (context, ret, "%s: fetching %s/%s/%u",
to, name_str, etype_str, entry.vno);

179
admin/get.c
View File

@@ -82,56 +82,97 @@ open_kadmin_connection(char *principal,
return kadm_handle;
}
static int
parse_enctypes(struct get_options *opt,
size_t *nks,
krb5_key_salt_tuple **ks)
{
const char *str;
char *s = NULL;
char *tmp;
size_t i;
int ret;
*nks = 0;
*ks = NULL;
if (opt->enctypes_strings.num_strings == 0) {
str = krb5_config_get_string(context, NULL, "libdefaults",
"supported_enctypes", NULL);
if (str == NULL)
str = "aes128-cts-hmac-sha1-96";
return krb5_string_to_keysalts2(context, str, nks, ks);
}
for (i = 0; i < opt->enctypes_strings.num_strings; i++) {
if (asprintf(&tmp, "%s%s%s", i ? s : "", i ? "," : "",
opt->enctypes_strings.strings[i]) == -1) {
free(s);
return krb5_enomem(context);
}
free(s);
s = tmp;
}
ret = krb5_string_to_keysalts2(context, s, nks, ks);
free(s);
return ret;
}
int
kt_get(struct get_options *opt, int argc, char **argv)
{
krb5_error_code ret = 0;
krb5_keytab keytab;
void *kadm_handle = NULL;
krb5_enctype *etypes = NULL;
size_t netypes = 0;
int i, j;
krb5_key_salt_tuple *ks = NULL;
size_t nks;
size_t i;
int a, j, keep;
unsigned int failed = 0;
if((keytab = ktutil_open_keytab()) == NULL)
i = 0;
keep = 1;
if (opt->keepallold_flag) {
keep = 2;
i++;
}
if (opt->keepold_flag) {
keep = 1;
i++;
}
if (opt->pruneall_flag) {
keep = 0;
i++;
}
if (i > 1) {
fprintf(stderr, "use only one of --keepold, --keepallold, or --pruneall\n");
return EINVAL;
}
if ((ret = parse_enctypes(opt, &nks, &ks))) {
fprintf(stderr, "invalid enctype(s)\n");
return ret;
}
if((keytab = ktutil_open_keytab()) == NULL) {
free(ks);
return 1;
}
if(opt->realm_string)
krb5_set_default_realm(context, opt->realm_string);
if (opt->enctypes_strings.num_strings != 0) {
etypes = malloc (opt->enctypes_strings.num_strings * sizeof(*etypes));
if (etypes == NULL) {
krb5_warnx(context, "malloc failed");
goto out;
}
netypes = opt->enctypes_strings.num_strings;
for(i = 0; i < netypes; i++) {
ret = krb5_string_to_enctype(context,
opt->enctypes_strings.strings[i],
&etypes[i]);
if(ret) {
krb5_warnx(context, "unrecognized enctype: %s",
opt->enctypes_strings.strings[i]);
goto out;
}
}
}
for(i = 0; i < argc; i++){
for(a = 0; a < argc; a++){
krb5_principal princ_ent;
kadm5_principal_ent_rec princ;
int mask = 0;
krb5_keyblock *keys;
int n_keys;
int n_keys = 0;
int created = 0;
krb5_keytab_entry entry;
ret = krb5_parse_name(context, argv[i], &princ_ent);
ret = krb5_parse_name(context, argv[a], &princ_ent);
if (ret) {
krb5_warn(context, ret, "can't parse principal %s", argv[i]);
krb5_warn(context, ret, "can't parse principal %s", argv[a]);
failed++;
continue;
}
@@ -156,28 +197,33 @@ kt_get(struct get_options *opt, int argc, char **argv)
if(kadm_handle == NULL)
break;
}
ret = kadm5_create_principal(kadm_handle, &princ, mask, "x");
if(ret == 0)
created = 1;
else if(ret != KADM5_DUP) {
krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
if (ret) {
krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
if (opt->create_flag) {
ret = kadm5_create_principal(kadm_handle, &princ, mask, "thisIs_aUseless.password123");
if(ret == 0)
created = 1;
else if(ret != KADM5_DUP) {
krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
}
if (opt->change_keys_flag) {
ret = kadm5_randkey_principal_3(kadm_handle, princ_ent, keep, nks, ks,
&keys, &n_keys);
if (ret) {
krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
}
ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
if (ret) {
krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[i]);
krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]);
for (j = 0; j < n_keys; j++)
krb5_free_keyblock_contents(context, &keys[j]);
krb5_free_principal(context, princ_ent);
@@ -185,7 +231,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
continue;
}
if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX))
krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[i]);
krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]);
princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
mask = KADM5_ATTRIBUTES;
if(created) {
@@ -194,7 +240,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
}
ret = kadm5_modify_principal(kadm_handle, &princ, mask);
if (ret) {
krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[i]);
krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]);
for (j = 0; j < n_keys; j++)
krb5_free_keyblock_contents(context, &keys[j]);
krb5_free_principal(context, princ_ent);
@@ -202,37 +248,22 @@ kt_get(struct get_options *opt, int argc, char **argv)
continue;
}
for(j = 0; j < n_keys; j++) {
int do_add = TRUE;
if (netypes) {
int k;
do_add = FALSE;
for (k = 0; k < netypes; ++k)
if (keys[j].keytype == etypes[k]) {
do_add = TRUE;
break;
}
}
if (do_add) {
entry.principal = princ_ent;
entry.vno = princ.kvno;
entry.keyblock = keys[j];
entry.timestamp = time (NULL);
ret = krb5_kt_add_entry(context, keytab, &entry);
if (ret)
krb5_warn(context, ret, "krb5_kt_add_entry");
}
entry.principal = princ_ent;
entry.vno = princ.kvno;
entry.keyblock = keys[j];
entry.timestamp = time (NULL);
ret = krb5_kt_add_entry(context, keytab, &entry);
if (ret)
krb5_warn(context, ret, "krb5_kt_add_entry");
krb5_free_keyblock_contents(context, &keys[j]);
}
kadm5_free_principal_ent(kadm_handle, &princ);
krb5_free_principal(context, princ_ent);
}
out:
free(etypes);
if (kadm_handle)
kadm5_destroy(kadm_handle);
krb5_kt_close(context, keytab);
free(ks);
return ret != 0 || failed > 0;
}

89
admin/ktutil-commands.in
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2004 Kungliga Tekniska Högskolan
* Copyright (c) 2004-2022 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -54,7 +54,7 @@ command = {
short = "e"
type = "string"
argument = "enctype"
help = "encryption type"
help = "encryption type(s)"
}
option = {
long = "password"
@@ -75,6 +75,21 @@ command = {
type = "flag"
help = "generate random key"
}
option = {
long = "keepold"
type = "flag"
help = "keep old keys/password needed to decrypt extant tickets (default)"
}
option = {
long = "keepallold"
type = "flag"
help = "keep all old keys/password"
}
option = {
long = "pruneall"
type = "flag"
help = "delete all old keys"
}
option = {
long = "hex"
short = "H"
@@ -94,6 +109,28 @@ command = {
argument = "realm"
help = "realm to use"
}
option = {
long = "enctype"
short = "e"
type = "string"
argument = "enctype"
help = "encryption type(s)"
}
option = {
long = "keepold"
type = "flag"
help = "keep old keys/password needed to decrypt extant tickets (default)"
}
option = {
long = "keepallold"
type = "flag"
help = "keep all old keys/password"
}
option = {
long = "pruneall"
type = "flag"
help = "delete all old keys"
}
option = {
long = "admin-server"
short = "a"
@@ -114,11 +151,17 @@ command = {
}
command = {
name = "copy"
name = "merge"
function = "kt_copy"
option = {
long = "copy-duplicates"
type = "flag"
help = "copy entries for the same principal and kvno, but different keys"
}
argument = "source destination"
min_args = "2"
max_args = "2"
help = "Copies one keytab to another."
help = "Merges one keytab into another."
}
command = {
name = "get"
@@ -129,6 +172,16 @@ command = {
help = "admin principal"
argument = "principal"
}
option = {
long = "create"
type = "-flag"
help = "do not create the principal"
}
option = {
long = "change-keys"
type = "-flag"
help = "do not change the principal's keys"
}
option = {
long = "enctypes"
short = "e"
@@ -136,6 +189,21 @@ command = {
help = "encryption types to use"
argument = "enctype"
}
option = {
long = "keepold"
type = "flag"
help = "keep old keys/password needed to decrypt extant tickets (default)"
}
option = {
long = "keepallold"
type = "flag"
help = "keep all old keys/password"
}
option = {
long = "pruneall"
type = "flag"
help = "delete all old keys"
}
option = {
long = "realm"
short = "r"
@@ -162,6 +230,14 @@ command = {
argument = "principal..."
help = "Change keys for specified principals, and add them to the keytab."
}
command = {
name = "import"
function = "kt_import"
help = "Imports a keytab from JSON output of ktutil list --json --keys."
min_args = "0"
max_args = "1"
argument = "JSON-FILE"
}
command = {
name = "list"
option = {
@@ -174,6 +250,11 @@ command = {
type = "flag"
help = "show timestamps"
}
option = {
long = "json"
type = "flag"
help = "output JSON representation"
}
max_args = "0"
function = "kt_list"
help = "Show contents of keytab."
@@ -206,7 +287,7 @@ command = {
short = "V"
type = "integer"
help = "key version to remove"
argument = "enctype"
argument = "kvno"
default = "0"
}
option = {

36
admin/ktutil-version.rc Normal file
View File

@@ -0,0 +1,36 @@
/***********************************************************************
* Copyright (c) 2010, Secure Endpoints Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
**********************************************************************/
#define RC_FILE_TYPE VFT_APP
#define RC_FILE_DESC_0409 "Kerberos Keytab Tool"
#define RC_FILE_ORIG_0409 "ktutil.exe"
#include "../windows/version.rc"

229
admin/ktutil.1 Normal file
View File

@@ -0,0 +1,229 @@
.\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd April 14, 2005
.Dt KTUTIL 1
.Os HEIMDAL
.Sh NAME
.Nm ktutil
.Nd manage Kerberos keytabs
.Sh SYNOPSIS
.Nm
.Oo Fl k Ar keytab \*(Ba Xo
.Fl Fl keytab= Ns Ar keytab
.Xc
.Oc
.Op Fl v | Fl Fl verbose
.Op Fl Fl version
.Op Fl h | Fl Fl help
.Ar command
.Op Ar args
.Sh DESCRIPTION
.Nm
is a program for managing keytabs.
Supported options:
.Bl -tag -width Ds
.It Fl v , Fl Fl verbose
Verbose output.
.El
.Pp
.Ar command
can be one of the following:
.Bl -tag -width srvconvert
.It Nm add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
Oo Fl Fl password= Ns Ar password Oc Oo Fl r Oc Oo Fl Fl random Oc \
Oo Fl s Oc Oo Fl Fl no-salt Oc Oo Fl H Oc Op Fl Fl hex
Adds a key to the keytab. Options that are not specified will be
prompted for. This requires that you know the password or the hex key of the
principal to add; if what you really want is to add a new principal to
the keytab, you should consider the
.Ar get
command, which talks to the kadmin server.
.It Nm change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc \
Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \
Oo Fl Fl s Ar port Oc Op Fl Fl server-port= Ns Ar port
Update one or several keys to new versions. By default, use the admin
server for the realm of a keytab entry. Otherwise it will use the
values specified by the options.
.Pp
If no principals are given, all the ones in the keytab are updated.
.It Nm copy Oo Fl Fl copy-duplicates Oc Ar keytab-src Ar keytab-dest
Copies all the entries from
.Ar keytab-src
to
.Ar keytab-dest .
Because entries already in
.Ar keytab-dest
are kept, this command functions to merge keytabs.
Entries for the same principal, key version number, and
encryption type in the
.Ar keytab-src
that are also in the
.Ar keytab-dest
will not be copied to the
.Ar keytab-dest
unless the
.Fl Fl copy-duplicates
option is given.
.It Nm get Oo Fl p Ar admin principal Oc \
Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
Oo Fl Fl no-create Oc \
Oo Fl Fl no-change-keys Oc \
Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
.Pp
For each
.Ar principal ,
get a the principal's keys from the KDC via the kadmin protocol,
creating the principal if it doesn't exist (unless
.Fl Fl no-create
is given), and changing its keys to new random keys (unless
.Fl Fl no-change-keys
is given).
.Pp
If no
.Ar realm
is specified, the realm to operate on is taken from the first
principal.
.It Nm import Oo JSON-FILE Oc
Read an array of keytab entries in a JSON file and copy them to
the keytab.
Use the
.Nm list
command with its
.Fl Fl json
option
and
.Fl Fl keys
option to export a keytab.
.It Nm list Oo Fl Fl keys Oc Op Fl Fl timestamp Oo Op Fl Fl json Oc
List the keys stored in the keytab.
Use the
.Fl Fl json
and
.Fl Fl keys
options to export a keytab as JSON for importing with the
.Nm import
command.
.It Nm remove Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
Oo Fl V kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc
Removes the specified key or keys. Not specifying a
.Ar kvno
removes keys with any version number. Not specifying an
.Ar enctype
removes keys of any type.
.It Nm merge Oo Fl Fl copy-duplicates Oc Ar keytab-src Ar keytab-dest
An alias for the
.Nm copy
command.
.It Nm rename Ar from-principal Ar to-principal
Renames all entries for the
.Ar from-principal
in the keytab
.Ar from-principal
to
.Ar to-principal .
.It Nm purge Op Fl Fl age= Ns Ar age
Removes all old versions of a key for which there is a newer version
that is at least
.Ar age
(default one week) old.
Note that this does not update the KDC database.
The
.Xr kadmin 1
command has a
.Nm prune
command that can do this on the KDC side.
.El
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5_KTNAME
Specifies the default keytab.
.It Ev KRB5_CONFIG
The file name of
.Pa krb5.conf ,
the default being
.Pa /etc/krb5.conf .
.El
.Sh KEYTAB NAMING
The syntax for the value of the
.Ql KRB5_KTNAME
environment variable and
.Oo Fl k Ar keytab \*(Ba Xo
.Fl Fl keytab= Ns Ar keytab
.Xc
.Oc
options is
.Ql TYPE:name
where the TYPE is one of
.Ql FILE ,
.Ql HDBGET ,
.Ql HDB ,
or
.Ql ANY ,
and the name syntax is specific to the keytab type.
.Pp
For the FILE keytab type the name is the path to a file whose
format is the well-known keytab file format used by MIT Kerberos,
Heimdal, Java, and others.
.Pp
For the HDB and HDBGET keytab types the name syntax is
.Ql [<path>][:mkey=<path>]
where the first path is the path to the HDB and the second path
is the path to the master key file.
Note that to use the HDB and HDBGET keytab types in a program
linked with Heimdal libraries one first load the
.Ql libhdb
library and then register their keytab methods using
.Xr krb5_kt_register 3 .
Note also that
.Nm ktutil
does not load and register the HDB and HDBGET keytab types at
this time.
.Pp
The ANY keytab type name syntax is a sequence of other keytab
names (including their TYPE: prefix) separated by commas.
Note that there is no escape sequence for commas in keytab names.
.Sh SEE ALSO
.Xr kadmin 1
.Xr kinit 1
.Xr krb5_kt_register 3

196
admin/ktutil.8
View File

@@ -1,196 +0,0 @@
.\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd April 14, 2005
.Dt KTUTIL 8
.Os HEIMDAL
.Sh NAME
.Nm ktutil
.Nd manage Kerberos keytabs
.Sh SYNOPSIS
.Nm
.Oo Fl k Ar keytab \*(Ba Xo
.Fl -keytab= Ns Ar keytab
.Xc
.Oc
.Op Fl v | Fl -verbose
.Op Fl -version
.Op Fl h | Fl -help
.Ar command
.Op Ar args
.Sh DESCRIPTION
.Nm
is a program for managing keytabs.
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl v ,
.Fl -verbose
.Xc
Verbose output.
.El
.Pp
.Ar command
can be one of the following:
.Bl -tag -width srvconvert
.It add Xo
.Op Fl p Ar principal
.Op Fl -principal= Ns Ar principal
.Op Fl V Ar kvno
.Op Fl -kvno= Ns Ar kvno
.Op Fl e Ar enctype
.Op Fl -enctype= Ns Ar enctype
.Op Fl w Ar password
.Op Fl -password= Ns Ar password
.Op Fl r
.Op Fl -random
.Op Fl s
.Op Fl -no-salt
.Op Fl H
.Op Fl -hex
.Xc
Adds a key to the keytab. Options that are not specified will be
prompted for. This requires that you know the password or the hex key of the
principal to add; if what you really want is to add a new principal to
the keytab, you should consider the
.Ar get
command, which talks to the kadmin server.
.It change Xo
.Op Fl r Ar realm
.Op Fl -realm= Ns Ar realm
.Op Fl -a Ar host
.Op Fl -admin-server= Ns Ar host
.Op Fl -s Ar port
.Op Fl -server-port= Ns Ar port
.Xc
Update one or several keys to new versions. By default, use the admin
server for the realm of a keytab entry. Otherwise it will use the
values specified by the options.
.Pp
If no principals are given, all the ones in the keytab are updated.
.It copy Xo
.Ar keytab-src
.Ar keytab-dest
.Xc
Copies all the entries from
.Ar keytab-src
to
.Ar keytab-dest .
.It get Xo
.Op Fl p Ar admin principal
.Op Fl -principal= Ns Ar admin principal
.Op Fl e Ar enctype
.Op Fl -enctypes= Ns Ar enctype
.Op Fl r Ar realm
.Op Fl -realm= Ns Ar realm
.Op Fl a Ar admin server
.Op Fl -admin-server= Ns Ar admin server
.Op Fl s Ar server port
.Op Fl -server-port= Ns Ar server port
.Ar principal ...
.Xc
For each
.Ar principal ,
generate a new key for it (creating it if it doesn't already exist),
and put that key in the keytab.
.Pp
If no
.Ar realm
is specified, the realm to operate on is taken from the first
principal.
.It list Xo
.Op Fl -keys
.Op Fl -timestamp
.Xc
List the keys stored in the keytab.
.It remove Xo
.Op Fl p Ar principal
.Op Fl -principal= Ns Ar principal
.Op Fl V kvno
.Op Fl -kvno= Ns Ar kvno
.Op Fl e enctype
.Op Fl -enctype= Ns Ar enctype
.Xc
Removes the specified key or keys. Not specifying a
.Ar kvno
removes keys with any version number. Not specifying an
.Ar enctype
removes keys of any type.
.It rename Xo
.Ar from-principal
.Ar to-principal
.Xc
Renames all entries in the keytab that match the
.Ar from-principal
to
.Ar to-principal .
.It purge Xo
.Op Fl -age= Ns Ar age
.Xc
Removes all old versions of a key for which there is a newer version
that is at least
.Ar age
(default one week) old.
.It srvconvert
.It srv2keytab Xo
.Op Fl s Ar srvtab
.Op Fl -srvtab= Ns Ar srvtab
.Xc
Converts the version 4 srvtab in
.Ar srvtab
to a version 5 keytab and stores it in
.Ar keytab .
Identical to:
.Bd -ragged -offset indent
.Li ktutil copy
.Li krb4: Ns Ar srvtab
.Ar keytab
.Ed
.It srvcreate
.It key2srvtab Xo
.Op Fl s Ar srvtab
.Op Fl -srvtab= Ns Ar srvtab
.Xc
Converts the version 5 keytab in
.Ar keytab
to a version 4 srvtab and stores it in
.Ar srvtab .
Identical to:
.Bd -ragged -offset indent
.Li ktutil copy
.Ar keytab
.Li krb4: Ns Ar srvtab
.Ed
.El
.Sh SEE ALSO
.Xr kadmin 8

11
admin/ktutil.c
View File

@@ -52,7 +52,7 @@ static struct getargs args[] = {
NULL
},
{
"help",
"help",
'h',
arg_flag,
&help_flag,
@@ -60,7 +60,7 @@ static struct getargs args[] = {
NULL
},
{
"keytab",
"keytab",
'k',
arg_string,
&keytab_string,
@@ -101,7 +101,7 @@ ktutil_open_keytab(void)
}
if (verbose_flag)
fprintf (stderr, "Using keytab %s\n", keytab_string);
return keytab;
}
@@ -118,8 +118,11 @@ help(void *opt, int argc, char **argv)
argv[0]);
} else {
if(c->func) {
char *fake[] = { NULL, "--help", NULL };
char shelp[] = "--help";
char *fake[3];
fake[0] = argv[0];
fake[1] = shelp;
fake[2] = NULL;
(*c->func)(2, fake);
fprintf(stderr, "\n");
}

153
admin/list.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* Copyright (c) 1997-2022 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,6 +32,7 @@
*/
#include "ktutil_locl.h"
#include <heimbase.h>
#include <rtbl.h>
RCSID("$Id$");
@@ -76,7 +77,7 @@ do_list(struct list_options *opt, const char *keytab_str)
}
printf ("%s:\n\n", keytab_str);
table = rtbl_create();
rtbl_add_column_by_id(table, 0, "Vno", RTBL_ALIGN_RIGHT);
rtbl_add_column_by_id(table, 1, "Type", 0);
@@ -113,7 +114,7 @@ do_list(struct list_options *opt, const char *keytab_str)
rtbl_add_column_entry_by_id(table, 3, buf);
}
if(opt->keys_flag) {
int i;
size_t i;
s = malloc(2 * entry.keyblock.keyvalue.length + 1);
if (s == NULL) {
krb5_warnx(context, "malloc failed");
@@ -129,14 +130,16 @@ do_list(struct list_options *opt, const char *keytab_str)
if (entry.aliases) {
unsigned int i;
struct rk_strpool *p = NULL;
for (i = 0; i< entry.aliases->len; i++) {
krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf));
rk_strpoolprintf(p, "%s%s", buf,
i + 1 < entry.aliases->len ? ", " : "");
krb5_unparse_name_fixed(context, &entry.aliases->val[i],
buf, sizeof(buf));
p = rk_strpoolprintf(p, "%s%s", buf,
i + 1 < entry.aliases->len ? ", " : "");
}
rtbl_add_column_entry_by_id(table, 5, rk_strpoolcollect(p));
rtbl_add_column_entry_by_id(table, 5, (s = rk_strpoolcollect(p)));
free(s);
}
krb5_kt_free_entry(context, &entry);
@@ -151,6 +154,136 @@ out:
return ret;
}
static int
do_list1_json(struct list_options *opt,
const char *keytab_str,
heim_array_t a)
{
krb5_error_code ret;
krb5_keytab keytab;
krb5_keytab_entry entry;
krb5_kt_cursor cursor;
ret = krb5_kt_resolve(context, keytab_str, &keytab);
if (ret) {
krb5_warn(context, ret, "resolving keytab %s", keytab_str);
return ret;
}
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if(ret) {
krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_str);
krb5_kt_close(context, keytab);
return ret;
}
//if (opt->timestamp_flag)
//if (opt->keys_flag)
while (krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) {
heim_dict_t d = heim_dict_create(5);
heim_object_t o;
char *s;
heim_array_append_value(a, d);
heim_dict_set_value(d, HSTR("keytab"),
o = heim_string_create(keytab_str)); heim_release(o);
heim_dict_set_value(d, HSTR("kvno"), o = heim_number_create(entry.vno));
heim_release(o);
heim_dict_set_value(d, HSTR("enctype_number"),
o = heim_number_create(entry.keyblock.keytype));
heim_release(o);
heim_dict_set_value(d, HSTR("flags"),
o = heim_number_create(entry.flags));
heim_release(o);
ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &s);
if (ret == 0) {
heim_dict_set_value(d, HSTR("enctype"), o = heim_string_create(s));
heim_release(o);
free(s);
}
heim_dict_set_value(d, HSTR("timestamp"),
o = heim_number_create(entry.timestamp));
heim_release(o);
ret = krb5_unparse_name(context, entry.principal, &s);
if (ret)
krb5_err(context, 1, ret, "Could not format principal");
heim_dict_set_value(d, HSTR("principal"), o = heim_string_create(s));
heim_release(o);
free(s);
if (opt->keys_flag) {
o = heim_data_create(entry.keyblock.keyvalue.data,
entry.keyblock.keyvalue.length);
heim_dict_set_value(d, HSTR("key"), o);
heim_release(o);
}
if (entry.aliases) {
heim_array_t aliases = heim_array_create();
unsigned int i;
for (i = 0; i< entry.aliases->len; i++) {
ret = krb5_unparse_name(context, &entry.aliases->val[i], &s);
if (ret)
krb5_err(context, 1, ret, "Could not format principal");
heim_array_append_value(aliases, o = heim_string_create(s));
heim_release(o);
free(s);
}
heim_dict_set_value(d, HSTR("aliases"), aliases);
heim_release(aliases);
}
krb5_kt_free_entry(context, &entry);
heim_release(d);
}
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
krb5_kt_close(context, keytab);
return ret;
}
static int
do_list_json(struct list_options *opt, const char *keytab_str)
{
krb5_error_code ret = 0;
heim_json_flags_t flags =
(HEIM_JSON_F_STRICT | HEIM_JSON_F_INDENT2 | HEIM_JSON_F_NO_DATA_DICT) &
~HEIM_JSON_F_NO_DATA;
heim_array_t a = heim_array_create();
heim_string_t s;
/*
* Special-case the ANY: keytab type. What do we get from this? We get to
* include the actual keytab name for each entry in its JSON
* representation. Otherwise there would be no point because the ANY:
* keytab type iterates all the keytabs it joins.
*
* Why strncasecmp() though? Because do_list() uses it, though it arguably
* never should have.
*/
if (strncasecmp(keytab_str, "ANY:", 4) == 0) {
char buf[1024];
keytab_str += 4;
ret = 0;
while (strsep_copy((const char**)&keytab_str, ",",
buf, sizeof(buf)) != -1) {
if (do_list1_json(opt, buf, a))
ret = 1;
}
} else {
ret = do_list1_json(opt, keytab_str, a);
}
s = heim_json_copy_serialize(a, flags, NULL);
printf("%s", heim_string_get_utf8(s));
heim_release(a);
heim_release(s);
return ret;
}
int
kt_list(struct list_options *opt, int argc, char **argv)
{
@@ -167,5 +300,7 @@ kt_list(struct list_options *opt, int argc, char **argv)
}
keytab_string = kt;
}
if (opt->json_flag)
return do_list_json(opt, keytab_string) != 0;
return do_list(opt, keytab_string) != 0;
}

18
appl/Makefile.am
View File

@@ -8,20 +8,16 @@ endif
if DCE
dir_dce = dceutils
endif
if !NO_AFS
dir_afsutil = afsutil
endif
SUBDIRS = \
afsutil \
ftp \
login \
$(dir_afsutil) \
dbutils \
$(dir_otp) \
gssmask \
popper \
push \
rsh \
rcp \
su \
xnlock \
telnet \
test \
kx \
kf \
$(dir_dce)
EXTRA_DIST = NTMakefile

35
appl/NTMakefile Normal file
View File

@@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl
!include ../windows/NTMakefile.w32

5
appl/afsutil/Makefile.am
View File

@@ -2,8 +2,6 @@
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_krb4)
bin_PROGRAMS = afslog pagsh
afslog_SOURCES = afslog.c
@@ -13,10 +11,9 @@ pagsh_SOURCES = pagsh.c
man_MANS = afslog.1 pagsh.1
LDADD = $(LIB_kafs) \
$(LIB_krb4) \
$(top_builddir)/lib/krb5/libkrb5.la \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_hcrypto) \
$(LIB_roken)
EXTRA_DIST = $(man_MANS)
EXTRA_DIST = NTMakefile $(man_MANS)

35
appl/afsutil/NTMakefile Normal file
View File

@@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\afsutil
!include ../../windows/NTMakefile.w32

110
appl/afsutil/afslog.1
View File

@@ -1,34 +1,34 @@
.\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd November 26, 2002
@@ -36,31 +36,29 @@
.Os HEIMDAL
.Sh NAME
.Nm afslog
.Nd
obtain AFS tokens
.Nd obtain AFS tokens
.Sh SYNOPSIS
.Nm
.Op Fl h | Fl -help
.Op Fl -no-v4
.Op Fl -no-v5
.Op Fl u | Fl -unlog
.Op Fl v | Fl -verbose
.Op Fl -version
.Op Fl h | Fl Fl help
.Op Fl Fl no-v5
.Op Fl u | Fl Fl unlog
.Op Fl v | Fl Fl verbose
.Op Fl Fl version
.Oo Fl c Ar cell \*(Ba Xo
.Fl -cell= Ns Ar cell
.Fl Fl cell= Ns Ar cell
.Xc
.Oc
.Oo Fl k Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Fl Fl realm= Ns Ar realm
.Xc
.Oc
.Oo Fl P Ar principal \*(Ba Xo
.Fl -principal= Ns Ar principal
.Fl Fl principal= Ns Ar principal
.Xc
.Oc
.Bk -words
.Oo Fl p Ar path \*(Ba Xo
.Fl -file= Ns Ar path
.Fl Fl file= Ns Ar path
.Xc
.Oc
.Ek
@@ -71,57 +69,53 @@ obtains AFS tokens for a number of cells. What cells to get tokens for
can either be specified as an explicit list, as file paths to get
tokens for, or be left unspecified, in which case
.Nm
will use whatever magic
will use whatever magic
.Xr krb_afslog 3
decides upon.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl -no-v4
This makes
.Nm
not try using Kerberos 4.
.It Fl -no-v5
.It Fl Fl no-v5
This makes
.Nm
not try using Kerberos 5.
.It Xo
.Fl P Ar principal ,
.Fl -principal Ar principal
.Fl Fl principal Ar principal
.Xc
select what Kerberos 5 principal to use.
.It Fl -cache Ar cache
.It Fl Fl cache Ar cache
select what Kerberos 5 credential cache to use.
.Fl -principal
.Fl Fl principal
overrides this option.
.It Xo
.Fl u ,
.Fl -unlog
.Fl Fl unlog
.Xc
Destroy tokens instead of obtaining new. If this is specified, all
other options are ignored (except for
.Fl -help
.Fl Fl help
and
.Fl -version ) .
.Fl Fl version ) .
.It Xo
.Fl v ,
.Fl -verbose
.Fl Fl verbose
.Xc
Adds more verbosity for what is actually going on.
.It Xo
.Fl c Ar cell,
.Fl -cell= Ns Ar cell
.Fl Fl cell= Ns Ar cell
.Xc
This specified one or more cell names to get tokens for.
.It Xo
.Fl k Ar realm ,
.Fl -realm= Ns Ar realm
.Fl Fl realm= Ns Ar realm
.Xc
This is the Kerberos realm the AFS servers live in, this should
normally not be specified.
.It Xo
.Fl p Ar path ,
.Fl -file= Ns Ar path
.Fl Fl file= Ns Ar path
.Xc
This specified one or more file paths for which tokens should be
obtained.
@@ -132,22 +126,22 @@ Instead of using
and
.Fl p ,
you may also pass a list of cells and file paths after any other
options. These arguments are considered files if they are either
options. These arguments are considered files if they are either
the strings
.Do . Dc
or
.Dq ..
.Dq ..
or they contain a slash, or if there exists a file by that name.
.Sh EXAMPLES
Assuming that there is no file called
Assuming that there is no file called
.Dq openafs.org
in the current directory, and that
in the current directory, and that
.Pa /afs/openafs.org
points to that cell, the follwing should be identical:
.Bd -literal -offset indent
$ afslog -c openafs.org
$ afslog openafs.org
$ afslog /afs/openafs.org/some/file
.Ed
.Ed
.Sh SEE ALSO
.Xr krb_afslog 3

39
appl/afsutil/afslog.c
View File

@@ -61,15 +61,16 @@ struct getargs args[] = {
{ "cell", 'c', arg_strings, &cells, "cells to get tokens for", "cell" },
{ "file", 'p', arg_strings, &files, "files to get tokens for", "path" },
{ "realm", 'k', arg_string, &realm, "realm for afs cell", "realm" },
{ "unlog", 'u', arg_flag, &unlog_flag, "remove tokens" },
{ "unlog", 'u', arg_flag, &unlog_flag, "remove tokens", NULL },
#ifdef KRB5
{ "principal",'P',arg_string,&client_string,"principal to use","principal"},
{ "cache", 0, arg_string, &cache_string, "ccache to use", "cache"},
{ "v5", 0, arg_negative_flag, &use_krb5, "don't use Kerberos 5" },
{ "v5", 0, arg_negative_flag, &use_krb5, "don't use Kerberos 5",
NULL },
#endif
{ "verbose",'v', arg_flag, &verbose },
{ "version", 0, arg_flag, &version_flag },
{ "help", 'h', arg_flag, &help_flag },
{ "verbose",'v', arg_flag, &verbose, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
};
static int num_args = sizeof(args) / sizeof(args[0]);
@@ -103,12 +104,12 @@ expand_cell_name(const char *cell)
{
FILE *f;
const char *c;
const char **fn, *files[] = { _PATH_CELLSERVDB,
_PATH_ARLA_CELLSERVDB,
_PATH_OPENAFS_DEBIAN_CELLSERVDB,
_PATH_ARLA_DEBIAN_CELLSERVDB,
NULL };
for(fn = files; *fn; fn++) {
const char **fn, *fns[] = { _PATH_CELLSERVDB,
_PATH_ARLA_CELLSERVDB,
_PATH_OPENAFS_DEBIAN_CELLSERVDB,
_PATH_ARLA_DEBIAN_CELLSERVDB,
NULL };
for(fn = fns; *fn; fn++) {
f = fopen(*fn, "r");
if(f == NULL)
continue;
@@ -117,7 +118,7 @@ expand_cell_name(const char *cell)
if(c)
return c;
}
return cell;
return NULL;
}
static void
@@ -180,9 +181,9 @@ afslog_file(const char *path)
static int
do_afslog(const char *cell)
{
int k5ret, k4ret;
int k5ret;
k5ret = k4ret = 0;
k5ret = 0;
#ifdef KRB5
if(context != NULL && id != NULL && use_krb5) {
@@ -195,9 +196,9 @@ do_afslog(const char *cell)
cell = "<default cell>";
#ifdef KRB5
if (k5ret)
warnx("krb5_afslog(%s): %s", cell, krb5_get_err_text(context, k5ret));
krb5_warn(context, k5ret, "krb5_afslog(%s)", cell);
#endif
if (k5ret || k4ret)
if (k5ret)
return 1;
return 0;
}
@@ -211,7 +212,7 @@ log_func(void *ctx, const char *str)
int
main(int argc, char **argv)
{
int optind = 0;
int optidx = 0;
int i;
int num;
int ret = 0;
@@ -220,7 +221,7 @@ main(int argc, char **argv)
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optind))
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
@@ -277,7 +278,7 @@ main(int argc, char **argv)
num++;
}
free_getarg_strings (&cells);
for(i = optind; i < argc; i++){
for(i = optidx; i < argc; i++){
num++;
if(strcmp(argv[i], ".") == 0 ||
strcmp(argv[i], "..") == 0 ||

80
appl/afsutil/pagsh.1
View File

@@ -1,79 +1,80 @@
.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd February 12, 2005
.Dt PAGSH 1
.Os Heimdal
.Os
.Sh NAME
.Nm pagsh
.Nd
creates a new credential cache sandbox
.Nd creates a new credential cache sandbox
.Sh SYNOPSIS
.Nm
.Op Fl c
.Op Fl h | Fl -help
.Op Fl -version
.Op Fl -cache-type= Ns Ar string
.Op Fl c Ar command-string
.Op Fl h | Fl Fl help
.Op Fl Fl version
.Op Fl Fl cache-type= Ns Ar string
.Ar command [args...]
.Sh DESCRIPTION
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c
.Fl c Ar command-string
Executes command(s) contained in
.Ar command-string .
.Xc
.It Xo
.Fl -cache-type= Ns Ar string
.Fl Fl cache-type= Ns Ar string
.Xc
.It Xo
.Fl h ,
.Fl -help
.Fl Fl help
.Xc
.It Xo
.Fl -version
.Fl Fl version
.Xc
.El
.Pp
.Nm
creates a new credential cache sandbox for the user to live in.
If AFS is installed on the computer, the user is put in a newly
created PAG.
created Process Authentication Group (PAG).
.Pp
For Kerberos 5, the credential cache type that is used is the same as
the credential cache type that was used at the time of
.Nm
invocation.
The credential cache type can be controlled by the option
.Fl -cache-type .
.Fl Fl cache-type .
.Sh EXAMPLES
Create a new sandbox where new credentials can be used, while the old
credentials can be used by other processes.
@@ -89,4 +90,5 @@ $ klist
klist: No ticket file: /tmp/krb5cc_03014a
.Ed
.Sh SEE ALSO
.Xr afslog 1
.Xr afslog 1 ,
.Xr kinit 1

30
appl/afsutil/pagsh.c
View File

@@ -73,12 +73,12 @@ static char *typename_arg;
#endif
struct getargs getargs[] = {
{ NULL, 'c', arg_flag, &c_flag },
{ NULL, 'c', arg_flag, &c_flag, NULL, NULL },
#ifdef KRB5
{ "cache-type", 0, arg_string, &typename_arg },
{ "cache-type", 0, arg_string, &typename_arg, NULL, NULL },
#endif
{ "version", 0, arg_flag, &version_flag },
{ "help", 'h', arg_flag, &help_flag },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
};
static int num_args = sizeof(getargs) / sizeof(getargs[0]);
@@ -99,15 +99,16 @@ main(int argc, char **argv)
{
int f;
char tf[1024];
char shellbuf[MAX_PATH];
char *p;
char *path;
char **args;
unsigned int i;
int optind = 0;
int optidx = 0;
setprogname(argv[0]);
if(getarg(getargs, num_args, argc, argv, &optind))
if(getarg(getargs, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
@@ -116,8 +117,8 @@ main(int argc, char **argv)
exit(0);
}
argc -= optind;
argv += optind;
argc -= optidx;
argv += optidx;
#ifdef KRB5
{
@@ -138,7 +139,7 @@ main(int argc, char **argv)
if (name == NULL)
krb5_errx(context, 1, "Generated credential cache have no name");
snprintf(tf, sizeof(tf), "%s:%s", typename_arg, name);
snprintf(tf, sizeof(tf), "%s:%s", krb5_cc_get_type(context, id), name);
ret = krb5_cc_close(context, id);
if (ret)
@@ -166,13 +167,10 @@ main(int argc, char **argv)
(unsigned long)((argc + 10)*sizeof(char *)));
if(*argv == NULL) {
path = getenv("SHELL");
if(path == NULL){
struct passwd *pw = k_getpwuid(geteuid());
if (pw == NULL)
errx(1, "no such user: %d", (int)geteuid());
path = strdup(pw->pw_shell);
}
if (roken_get_shell(shellbuf, sizeof(shellbuf)) != NULL)
path = strdup(shellbuf);
else
path = strdup("/bin/sh");
} else {
path = strdup(*argv++);
}

13
appl/dbutils/Makefile.am Normal file
View File

@@ -0,0 +1,13 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
bin_PROGRAMS = bsearch
bsearch_SOURCES = bsearch.c
man_MANS = bsearch.1
EXTRA_DIST = NTMakefile $(man_MANS)
LDADD = $(LIB_roken) $(LIB_vers) $(LIB_heimbase)

35
appl/dbutils/NTMakefile Normal file
View File

@@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\dbutils
!include ../../windows/NTMakefile.w32

115
appl/dbutils/bsearch.1 Normal file
View File

@@ -0,0 +1,115 @@
.\"
.\" Copyright (c) 2011, Secure Endpoints Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" - Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" - Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
.\" COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 30, 2011
.Dt BSEARCH 1
.Os KTH-KRB
.Sh NAME
.Nm bsearch
.Nd manages one-time passwords
.Sh SYNOPSIS
.Nm bsearch
.Op Fl KVvh
.Op Fl b Ar block-size
.Op Fl m Ar max-cache-size
.Ar file
.Ar [key ...]
.Sh DESCRIPTION
The
.Nm
program performs binary searches of
.Ar file
which must be a sorted flat text file.
.Pp
Each line is a record. Each record starts with a key
that is optionally followed by whitespace and a value.
Whitespace may be quoted with a backslash, but newline
and carriage-return characters must be quoted in some
other manner (e.g., as backslash-n and backslash-r).
Escapes are not interpreted nor removed.
.Pp
If no key arguments are given on the comman-line, then
keys will be read from standard input.
.Pp
By default only values are printed to standard output.
Use the -K option to also print keys. The exit status
will be non-zero if any key lookups fail.
.Pp
Options are:
.Bl -tag -width Ds
.It Fl K
Print keys.
.It Fl V
Don't print values.
.It Fl h
Print usage and exit.
.It Fl v
Print statistic and debug information to standard
error.
.Ar file
A sorted flat text file. NOTE: use the "C" locale for
sorting this file, as in "LC_ALL=C sort -u -o file
file".
.It Fl h
For getting a help message.
.It Fl m
Set
.Ar max-cache-size
as the maximum cache size. If the
.Ar file
is smaller than this size then the whole file will be
read into memory, else the program will read blocks.
Defaults to 1MB.
.It Fl b
Set
.Ar block-size
as the block size for block-wise I/O. This must be a
power of 2, must be no smaller than 512 and no larger
than 1MB. Defaults to the
.Ar file's
filesystem's preferred blocksize.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
$ env LC_ALL=C sort -o /tmp/words /usr/share/dict/words
$ bsearch -Kv /tmp/words day
Using whole-file method
Key day found at offset 327695 in 12 loops and 0 reads
day
$
.Ed
.Sh NOTES
.Pp
Records must not be longer than one block's size.
.Pp
Flat text files must be sorted in the "C" locale. In
some systems the default locale may result in
case-insensitive sorting by the sort command.
.Sh SEE ALSO
.Xr sort 1

205
appl/dbutils/bsearch.c Normal file
View File

@@ -0,0 +1,205 @@
/*
* Copyright (c) 2011, Secure Endpoints Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <roken.h>
#include <heimbase.h>
#include <getarg.h>
#include <vers.h>
int help_flag;
int version_flag;
int verbose_flag;
int print_keys_flag;
int no_values_flag;
int block_size_int;
int max_size_int;
struct getargs args[] = {
{ "print-keys", 'K', arg_flag, &print_keys_flag,
"print keys", NULL },
{ "no-values", 'V', arg_flag, &no_values_flag,
"don't print values", NULL },
{ "verbose", 'v', arg_flag, &verbose_flag,
"print statistics and informative messages", NULL },
{ "help", 'h', arg_flag, &help_flag,
"print usage message", NULL },
{ "block-size", 'b', arg_integer, &block_size_int,
"block size", "integer" },
{ "max-cache-size", 'm', arg_integer, &max_size_int,
"maximum cache size", "integer" },
{ "version", '\0', arg_flag, &version_flag, NULL, NULL }
};
static int num_args = sizeof(args) / sizeof(args[0]);
static void
usage(int status)
{
arg_printusage(args, num_args, NULL, "file [key ...]");
exit(status);
}
#define MAX_BLOCK_SIZE (1024 * 1024)
#define DEFAULT_MAX_FILE_SIZE (1024 * 1024)
int
main(int argc, char **argv)
{
char keybuf[1024];
char *fname;
char *key = keybuf;
char *value;
char *p;
bsearch_file_handle bfh = NULL;
size_t num;
size_t loc; /* index where record is located or to be inserted */
size_t loops; /* number of loops/comparisons needed for lookup */
size_t reads = 0; /* number of reads needed for a lookup */
size_t failures = 0; /* number of lookup failures -- for exit status */
size_t block_size = 0;
size_t max_size = 0;
int optidx = 0;
int blockwise;
int ret = 0;
setprogname(argv[0]);
if (getarg(args, num_args, argc, argv, &optidx))
usage(1);
if (version_flag) {
print_version(NULL);
return 0;
}
if (help_flag)
usage(0);
if (block_size_int != 0 && block_size_int < 512) {
fprintf(stderr, "Invalid block size: too small\n");
return 1;
}
if (block_size_int > 0) {
/* Check that block_size is a power of 2 */
num = block_size_int;
while (num) {
if ((num % 2) && (num >> 1)) {
fprintf(stderr, "Invalid block size: must be power "
"of two\n");
return 1;
}
num >>= 1;
}
if (block_size_int > MAX_BLOCK_SIZE)
fprintf(stderr, "Invalid block size: too large\n");
block_size = block_size_int;
}
if (max_size_int < 0)
usage(1);
max_size = max_size_int;
argc -= optind;
argv += optind;
if (argc == 0)
usage(1);
fname = argv[0];
argc--;
argv++;
ret = _bsearch_file_open(fname, max_size, block_size, &bfh, &reads);
if (ret != 0) {
perror("bsearch_file_open");
return 1;
}
_bsearch_file_info(bfh, &block_size, &max_size, &blockwise);
if (verbose_flag && blockwise) {
fprintf(stderr, "Using block-wise method with block size %lu and "
"cache size %lu\n",
(long unsigned)block_size, (long unsigned)max_size);
} else if (verbose_flag) {
fprintf(stderr, "Using whole-file method\n");
}
for (;;) {
loops = 0; /* reset stats */
/* Eww */
if (argc) {
key = *(argv++);
if (!key)
break;
} else {
if (!fgets(keybuf, sizeof (keybuf), stdin))
break;
p = strchr(key, '\n');
if (!p)
break;
*p = '\0';
if (!*key)
continue;
}
ret = _bsearch_file(bfh, key, &value, &loc, &loops, &reads);
if (ret != 0) {
if (ret > 0) {
fprintf(stderr, "Error: %s\n", strerror(ret));
_bsearch_file_close(&bfh);
return 1;
}
if (verbose_flag)
fprintf(stderr, "Key %s not found in %lu loops and %lu reads; "
"insert at %lu\n", key, (long unsigned)loops,
(long unsigned)reads, (long unsigned)loc);
failures++;
continue;
}
if (verbose_flag)
fprintf(stderr, "Key %s found at offset %lu in %lu loops and "
"%lu reads\n", key, (long unsigned)loc,
(long unsigned)loops, (long unsigned)reads);
if (print_keys_flag && !no_values_flag && value)
printf("%s %s\n", key, value);
else if (print_keys_flag)
printf("%s\n", key);
else if (no_values_flag && value)
printf("%s\n", value);
free(value);
}
if (failures)
return 2;
_bsearch_file_close(&bfh);
return 0;
}

1
appl/dceutils/Makefile.am
View File

@@ -24,6 +24,7 @@ k5dcecon_SOURCES = k5dcecon.c k5dce.h
dpagaix_SOURCES = dpagaix.c
EXTRA_DIST = \
NTMakefile \
dfspag.exp \
README.dcedfs \
README.original \

35
appl/dceutils/NTMakefile Normal file
View File

@@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\dceutils
!include ../../windows/NTMakefile.w32

2
appl/dceutils/dfspag.exp
View File

@@ -1,3 +1,3 @@
#!/unix
* kernel extentions used to get the pag
* kernel extensions used to get the pag
kafs_syscall syscall

2
appl/dceutils/dpagaix.c
View File

@@ -1,6 +1,6 @@
/*
* dpagaix.c
* On AIX we need to get the kernel extentions
* On AIX we need to get the kernel extensions
* with the DFS kafs_syscall in it.
* We might be running on a system
* where DFS is not active.

4
appl/dceutils/k5dce.h
View File

@@ -6,7 +6,7 @@
*/
#ifdef sun
/* Transarc obfascates these routines */
/* Transarc obfuscates these routines */
#ifdef DCE_1_1
#define krb5_init_ets _dce_PkjKqOaklP
@@ -55,7 +55,7 @@ typedef unsigned char krb5_octet;
typedef krb5_octet krb5_boolean;
typedef krb5short krb5_keytype; /* in k5.2 it's a short */
typedef krb5_int32 krb5_flags;
typedef krb5_int32 krb5_timestamp;
typedef krb5_int32 krb5_timestamp; /* is a time_t in krb5.h */
typedef char * krb5_pointer; /* pointer to unexposed data */

14
appl/dceutils/k5dcecon.c
View File

@@ -163,8 +163,8 @@ int k5dcesession(luid, pname, tgt, ppag, tflags)
/*
* (but root has the ffffffff which we are not interested in)
*/
if (!strncmp(direntp->d_name,"dcecred_",8)
&& (strlen(direntp->d_name) == 16)) {
if (strncmp(direntp->d_name,"dcecred_",8) == 0 &&
(strlen(direntp->d_name) == 16)) {
/* looks like a cache name, lets do the stat, etc */
@@ -246,7 +246,7 @@ int k5dcematch(luid, pname, ccname, sizep, tgt)
/* DEEDEBUG2("k5dcematch called: cache=%s\n",ccname+38); */
if (!strncmp(ccname,"FILE:",5)) {
if (strncmp(ccname,"FILE:",5) == 0) {
strcpy(ccdata,ccname+5);
strcat(ccdata,".data");
@@ -343,7 +343,7 @@ int k5dcegettgt(pcache, ccname, pname, tgt)
DEEDEBUG2("Unparsed to \"%s\"\n", kusername);
DEEDEBUG2("pname is \"%s\"\n", pname);
if (strcmp(kusername, pname)) {
if (strcmp(kusername, pname) != 0) {
DEEDEBUG("Principals not equal\n");
goto return1;
}
@@ -473,7 +473,7 @@ int k5dcecon(luid, luser, pname)
/*
* Destroy the Kerberos5 cred cache file.
* but dont care aout the return code.
* but don't care about the return code.
*/
DEEDEBUG("Destroying the old cache\n");
@@ -574,7 +574,7 @@ int k5dcecreate(luid, luser, pname, krbtgt)
}
if (!strcmp(urealm,defrealm)) {
if (strcmp(urealm,defrealm) == 0) {
strcpy(username,pname);
} else {
strcpy(username,"/.../");
@@ -601,7 +601,7 @@ int k5dcecreate(luid, luser, pname, krbtgt)
"Error while adding credentials for %s because %s\n",
username, err_string);
goto abort;
}
}
DEEDEBUG("validating and certifying\n");
/*
* Now "validate" and certify the identity,

1038
appl/ftp/ChangeLog
View File

File diff suppressed because it is too large Load Diff

5
appl/ftp/Makefile.am
View File

@@ -1,5 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
SUBDIRS = common ftp ftpd

12
appl/ftp/common/Makefile.am
View File

@@ -1,12 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_krb4)
noinst_LIBRARIES = libcommon.a
libcommon_a_SOURCES = \
sockbuf.c \
buffer.c \
common.h

44
appl/ftp/ftp/Makefile.am
View File

@@ -1,44 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_hcrypto)
bin_PROGRAMS = ftp
CHECK_LOCAL =
if KRB5
krb5_sources = gssapi.c
endif
ftp_SOURCES = \
cmds.c \
cmdtab.c \
extern.h \
ftp.c \
ftp_locl.h \
ftp_var.h \
main.c \
pathnames.h \
ruserpass.c \
domacro.c \
globals.c \
security.c \
security.h \
kauth.c \
$(krb5_sources)
EXTRA_ftp_SOURCES = gssapi.c
man_MANS = ftp.1
LDADD = \
../common/libcommon.a \
$(LIB_gssapi) \
$(LIB_krb5) \
$(LIB_hcrypto) \
$(LIB_roken) \
$(LIB_readline)
EXTRA_DIST = $(man_MANS)

2148
appl/ftp/ftp/cmds.c
View File

File diff suppressed because it is too large Load Diff

203
appl/ftp/ftp/cmdtab.c
View File

@@ -1,203 +0,0 @@
/*
* Copyright (c) 1985, 1989, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ftp_locl.h"
/*
* User FTP -- Command Tables.
*/
char accounthelp[] = "send account command to remote server";
char appendhelp[] = "append to a file";
char asciihelp[] = "set ascii transfer type";
char beephelp[] = "beep when command completed";
char binaryhelp[] = "set binary transfer type";
char casehelp[] = "toggle mget upper/lower case id mapping";
char cdhelp[] = "change remote working directory";
char cduphelp[] = "change remote working directory to parent directory";
char chmodhelp[] = "change file permissions of remote file";
char connecthelp[] = "connect to remote tftp";
char crhelp[] = "toggle carriage return stripping on ascii gets";
char deletehelp[] = "delete remote file";
char debughelp[] = "toggle/set debugging mode";
char dirhelp[] = "list contents of remote directory";
char disconhelp[] = "terminate ftp session";
char domachelp[] = "execute macro";
char formhelp[] = "set file transfer format";
char globhelp[] = "toggle metacharacter expansion of local file names";
char hashhelp[] = "toggle printing `#' for each buffer transferred";
char helphelp[] = "print local help information";
char idlehelp[] = "get (set) idle timer on remote side";
char lcdhelp[] = "change local working directory";
char lshelp[] = "list contents of remote directory";
char macdefhelp[] = "define a macro";
char mdeletehelp[] = "delete multiple files";
char mdirhelp[] = "list contents of multiple remote directories";
char mgethelp[] = "get multiple files";
char mkdirhelp[] = "make directory on the remote machine";
char mlshelp[] = "list contents of multiple remote directories";
char modtimehelp[] = "show last modification time of remote file";
char modehelp[] = "set file transfer mode";
char mputhelp[] = "send multiple files";
char newerhelp[] = "get file if remote file is newer than local file ";
char nlisthelp[] = "nlist contents of remote directory";
char nmaphelp[] = "set templates for default file name mapping";
char ntranshelp[] = "set translation table for default file name mapping";
char porthelp[] = "toggle use of PORT cmd for each data connection";
char prompthelp[] = "force interactive prompting on multiple commands";
char proxyhelp[] = "issue command on alternate connection";
char pwdhelp[] = "print working directory on remote machine";
char quithelp[] = "terminate ftp session and exit";
char quotehelp[] = "send arbitrary ftp command";
char receivehelp[] = "receive file";
char regethelp[] = "get file restarting at end of local file";
char remotehelp[] = "get help from remote server";
char renamehelp[] = "rename file";
char restarthelp[]= "restart file transfer at bytecount";
char rmdirhelp[] = "remove directory on the remote machine";
char rmtstatushelp[]="show status of remote machine";
char runiquehelp[] = "toggle store unique for local files";
char resethelp[] = "clear queued command replies";
char sendhelp[] = "send one file";
char passivehelp[] = "enter passive transfer mode";
char sitehelp[] = "send site specific command to remote server\n\t\tTry \"rhelp site\" or \"site help\" for more information";
char shellhelp[] = "escape to the shell";
char sizecmdhelp[] = "show size of remote file";
char statushelp[] = "show current status";
char structhelp[] = "set file transfer structure";
char suniquehelp[] = "toggle store unique on remote machine";
char systemhelp[] = "show remote system type";
char tenexhelp[] = "set tenex file transfer type";
char tracehelp[] = "toggle packet tracing";
char typehelp[] = "set file transfer type";
char umaskhelp[] = "get (set) umask on remote side";
char userhelp[] = "send new user information";
char verbosehelp[] = "toggle verbose mode";
char prothelp[] = "set protection level";
char prothelp_c[] = "set command protection level";
#if defined(KRB5)
char klisthelp[] = "show remote tickets";
#endif
#if defined(KRB5)
char afsloghelp[] = "obtain remote AFS tokens";
#endif
struct cmd cmdtab[] = {
{ "!", shellhelp, 0, 0, 0, shell },
{ "$", domachelp, 1, 0, 0, domacro },
{ "account", accounthelp, 0, 1, 1, account},
{ "append", appendhelp, 1, 1, 1, put },
{ "ascii", asciihelp, 0, 1, 1, setascii },
{ "bell", beephelp, 0, 0, 0, setbell },
{ "binary", binaryhelp, 0, 1, 1, setbinary },
{ "bye", quithelp, 0, 0, 0, quit },
{ "case", casehelp, 0, 0, 1, setcase },
{ "cd", cdhelp, 0, 1, 1, cd },
{ "cdup", cduphelp, 0, 1, 1, cdup },
{ "chmod", chmodhelp, 0, 1, 1, do_chmod },
{ "close", disconhelp, 0, 1, 1, disconnect },
{ "cr", crhelp, 0, 0, 0, setcr },
{ "delete", deletehelp, 0, 1, 1, delete },
{ "debug", debughelp, 0, 0, 0, setdebug },
{ "dir", dirhelp, 1, 1, 1, ls },
{ "disconnect", disconhelp, 0, 1, 1, disconnect },
{ "form", formhelp, 0, 1, 1, setform },
{ "get", receivehelp, 1, 1, 1, get },
{ "glob", globhelp, 0, 0, 0, setglob },
{ "hash", hashhelp, 0, 0, 0, sethash },
{ "help", helphelp, 0, 0, 1, help },
{ "idle", idlehelp, 0, 1, 1, ftp_idle },
{ "image", binaryhelp, 0, 1, 1, setbinary },
{ "lcd", lcdhelp, 0, 0, 0, lcd },
{ "ls", lshelp, 1, 1, 1, ls },
{ "macdef", macdefhelp, 0, 0, 0, macdef },
{ "mdelete", mdeletehelp, 1, 1, 1, mdelete },
{ "mdir", mdirhelp, 1, 1, 1, mls },
{ "mget", mgethelp, 1, 1, 1, mget },
{ "mkdir", mkdirhelp, 0, 1, 1, makedir },
{ "mls", mlshelp, 1, 1, 1, mls },
{ "mode", modehelp, 0, 1, 1, setftmode },
{ "modtime", modtimehelp, 0, 1, 1, modtime },
{ "mput", mputhelp, 1, 1, 1, mput },
{ "newer", newerhelp, 1, 1, 1, newer },
{ "nmap", nmaphelp, 0, 0, 1, setnmap },
{ "nlist", nlisthelp, 1, 1, 1, ls },
{ "ntrans", ntranshelp, 0, 0, 1, setntrans },
{ "open", connecthelp, 0, 0, 1, setpeer },
{ "passive", passivehelp, 0, 0, 0, setpassive },
{ "prompt", prompthelp, 0, 0, 0, setprompt },
{ "proxy", proxyhelp, 0, 0, 1, doproxy },
{ "sendport", porthelp, 0, 0, 0, setport },
{ "put", sendhelp, 1, 1, 1, put },
{ "pwd", pwdhelp, 0, 1, 1, pwd },
{ "quit", quithelp, 0, 0, 0, quit },
{ "quote", quotehelp, 1, 1, 1, quote },
{ "recv", receivehelp, 1, 1, 1, get },
{ "reget", regethelp, 1, 1, 1, reget },
{ "rstatus", rmtstatushelp, 0, 1, 1, rmtstatus },
{ "rhelp", remotehelp, 0, 1, 1, rmthelp },
{ "rename", renamehelp, 0, 1, 1, renamefile },
{ "reset", resethelp, 0, 1, 1, reset },
{ "restart", restarthelp, 1, 1, 1, restart },
{ "rmdir", rmdirhelp, 0, 1, 1, removedir },
{ "runique", runiquehelp, 0, 0, 1, setrunique },
{ "send", sendhelp, 1, 1, 1, put },
{ "site", sitehelp, 0, 1, 1, site },
{ "size", sizecmdhelp, 1, 1, 1, sizecmd },
{ "status", statushelp, 0, 0, 1, status },
{ "struct", structhelp, 0, 1, 1, setstruct },
{ "system", systemhelp, 0, 1, 1, syst },
{ "sunique", suniquehelp, 0, 0, 1, setsunique },
{ "tenex", tenexhelp, 0, 1, 1, settenex },
{ "trace", tracehelp, 0, 0, 0, settrace },
{ "type", typehelp, 0, 1, 1, settype },
{ "user", userhelp, 0, 1, 1, user },
{ "umask", umaskhelp, 0, 1, 1, do_umask },
{ "verbose", verbosehelp, 0, 0, 0, setverbose },
{ "?", helphelp, 0, 0, 1, help },
{ "protect", prothelp, 0, 1, 0, sec_prot },
/* what MIT uses */
{ "cprotect", prothelp_c, 0, 1, 1, sec_prot_command },
#if defined(KRB5)
{ "klist", klisthelp, 0, 1, 0, klist },
#endif
#if defined(KRB5)
{ "afslog", afsloghelp, 0, 1, 0, afslog },
#endif
{ 0 },
};
int NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1;

148
appl/ftp/ftp/domacro.c
View File

@@ -1,148 +0,0 @@
/*
* Copyright (c) 1985, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ftp_locl.h"
RCSID("$Id$");
void
domacro(int argc, char **argv)
{
int i, j, count = 2, loopflg = 0;
char *cp1, *cp2, line2[200];
struct cmd *c;
if (argc < 2 && !another(&argc, &argv, "macro name")) {
printf("Usage: %s macro_name.\n", argv[0]);
code = -1;
return;
}
for (i = 0; i < macnum; ++i) {
if (!strncmp(argv[1], macros[i].mac_name, 9)) {
break;
}
}
if (i == macnum) {
printf("'%s' macro not found.\n", argv[1]);
code = -1;
return;
}
strlcpy(line2, line, sizeof(line2));
TOP:
cp1 = macros[i].mac_start;
while (cp1 != macros[i].mac_end) {
while (isspace((unsigned char)*cp1)) {
cp1++;
}
cp2 = line;
while (*cp1 != '\0') {
size_t len;
switch(*cp1) {
case '\\':
if (line + sizeof(line) - 2 < cp2)
goto out;
*cp2++ = *++cp1;
break;
case '$':
if (isdigit((unsigned char)*(cp1+1))) {
j = 0;
while (isdigit((unsigned char)*++cp1)) {
j = 10*j + *cp1 - '0';
}
cp1--;
if (argc - 2 >= j) {
len = sizeof(line) - (cp2 - line) - 1;
if (strlcpy(cp2, argv[j+1], len) >= len)
goto out;
cp2 += strlen(argv[j+1]);
}
break;
}
if (*(cp1+1) == 'i') {
loopflg = 1;
cp1++;
if (count < argc) {
len = sizeof(line) - (cp2 - line) - 1;
if (strlcpy(cp2, argv[count], len) >= len)
goto out;
cp2 += strlen(argv[count]);
}
break;
}
/* intentional drop through */
default:
if (line + sizeof(line) - 2 < cp2)
goto out;
*cp2++ = *cp1;
break;
}
if (*cp1 != '\0') {
cp1++;
}
}
out:
*cp2 = '\0';
makeargv();
c = getcmd(margv[0]);
if (c == (struct cmd *)-1) {
printf("?Ambiguous command\n");
code = -1;
}
else if (c == 0) {
printf("?Invalid command\n");
code = -1;
}
else if (c->c_conn && !connected) {
printf("Not connected.\n");
code = -1;
}
else {
if (verbose) {
printf("%s\n",line);
}
(*c->c_handler)(margc, margv);
if (bell && c->c_bell) {
putchar('\007');
}
strlcpy(line, line2, sizeof(line));
makeargv();
argc = margc;
argv = margv;
}
if (cp1 != macros[i].mac_end) {
cp1++;
}
}
if (loopflg && ++count < argc) {
goto TOP;
}
}

174
appl/ftp/ftp/extern.h
View File

@@ -1,174 +0,0 @@
/*-
* Copyright (c) 1994 The Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)extern.h 8.3 (Berkeley) 10/9/94
*/
/* $Id$ */
#include <setjmp.h>
#include <stdlib.h>
#ifdef TIME_WITH_SYS_TIME
#include <sys/time.h>
#include <time.h>
#elif defined(HAVE_SYS_TIME_H)
#include <sys/time.h>
#else
#include <time.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
void abort_remote (FILE *);
void abortpt (int);
void abortrecv (int);
void account (int, char **);
int another (int *, char ***, char *);
void blkfree (char **);
void cd (int, char **);
void cdup (int, char **);
void changetype (int, int);
void cmdabort (int);
void cmdscanner (int);
int command (char *fmt, ...)
__attribute__ ((format (printf, 1,2)));
int confirm (char *, char *);
FILE *dataconn (const char *);
void delete (int, char **);
void disconnect (int, char **);
void do_chmod (int, char **);
void do_umask (int, char **);
void domacro (int, char **);
char *domap (char *);
void doproxy (int, char **);
char *dotrans (char *);
int empty (fd_set *, int);
void fatal (char *);
void get (int, char **);
struct cmd *getcmd (char *);
int getit (int, char **, int, char *);
int getreply (int);
int globulize (char **);
char *gunique (char *);
void help (int, char **);
char *hookup (const char *, int);
void ftp_idle (int, char **);
int initconn (void);
void intr (int);
void lcd (int, char **);
int login (char *);
RETSIGTYPE lostpeer (int);
void ls (int, char **);
void macdef (int, char **);
void makeargv (void);
void makedir (int, char **);
void mdelete (int, char **);
void mget (int, char **);
void mls (int, char **);
void modtime (int, char **);
void mput (int, char **);
char *onoff (int);
void newer (int, char **);
void proxtrans (char *, char *, char *);
void psabort (int);
void pswitch (int);
void ptransfer (char *, long, struct timeval *, struct timeval *);
void put (int, char **);
void pwd (int, char **);
void quit (int, char **);
void quote (int, char **);
void quote1 (char *, int, char **);
void recvrequest (char *, char *, char *, char *, int, int);
void reget (int, char **);
char *remglob (char **, int);
void removedir (int, char **);
void renamefile (int, char **);
void reset (int, char **);
void restart (int, char **);
void rmthelp (int, char **);
void rmtstatus (int, char **);
int ruserpassword (char *, char **, char **, char **);
void sendrequest (char *, char *, char *, char *, int);
void setascii (int, char **);
void setbell (int, char **);
void setbinary (int, char **);
void setcase (int, char **);
void setcr (int, char **);
void setdebug (int, char **);
void setform (int, char **);
void setftmode (int, char **);
void setglob (int, char **);
void sethash (int, char **);
void setnmap (int, char **);
void setntrans (int, char **);
void setpassive (int, char **);
void setpeer (int, char **);
void setport (int, char **);
void setprompt (int, char **);
void setrunique (int, char **);
void setstruct (int, char **);
void setsunique (int, char **);
void settenex (int, char **);
void settrace (int, char **);
void settype (int, char **);
void setverbose (int, char **);
void shell (int, char **);
void site (int, char **);
void sizecmd (int, char **);
char *slurpstring (void);
void status (int, char **);
void syst (int, char **);
void tvsub (struct timeval *, struct timeval *, struct timeval *);
void user (int, char **);
extern jmp_buf abortprox;
extern int abrtflag;
extern struct cmd cmdtab[];
extern FILE *cout;
extern int data;
extern char *home;
extern jmp_buf jabort;
extern int proxy;
extern char reply_string[];
extern off_t restart_point;
extern int NCMDS;
extern char username[32];
extern char myhostname[];
extern char *mydomain;
void afslog (int, char **);
void kauth (int, char **);
void kdestroy (int, char **);
void klist (int, char **);
void krbtkfile (int, char **);

1211
appl/ftp/ftp/ftp.1
View File

File diff suppressed because it is too large Load Diff

1814
appl/ftp/ftp/ftp.c
View File

File diff suppressed because it is too large Load Diff

141
appl/ftp/ftp/ftp_locl.h
View File

@@ -1,141 +0,0 @@
/*
* Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef __FTP_LOCL_H__
#define __FTP_LOCL_H__
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#ifdef TIME_WITH_SYS_TIME
#include <sys/time.h>
#include <time.h>
#elif defined(HAVE_SYS_TIME_H)
#include <sys/time.h>
#else
#include <time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_IN_SYSTM_H
#include <netinet/in_systm.h>
#endif
#ifdef HAVE_NETINET_IP_H
#include <netinet/ip.h>
#endif
#ifdef HAVE_ARPA_FTP_H
#include <arpa/ftp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_ARPA_TELNET_H
#include <arpa/telnet.h>
#endif
#include <errno.h>
#include <ctype.h>
#include <glob.h>
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h>
#endif
#include <err.h>
#ifdef SOCKS
#include <socks.h>
extern int LIBPREFIX(fclose) (FILE *);
/* This doesn't belong here. */
struct tm *localtime(const time_t *);
struct hostent *gethostbyname(const char *);
#endif
#include "ftp_var.h"
#include "extern.h"
#include "common.h"
#include "pathnames.h"
#include "roken.h"
#include "security.h"
/* des_read_pw_string */
#include "crypto-headers.h"
#if defined(__sun__) && !defined(__svr4)
int fclose(FILE*);
int pclose(FILE*);
#endif
#endif /* __FTP_LOCL_H__ */

130
appl/ftp/ftp/ftp_var.h
View File

@@ -1,130 +0,0 @@
/*
* Copyright (c) 1985, 1989, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)ftp_var.h 8.4 (Berkeley) 10/9/94
*/
/*
* FTP global variables.
*/
#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#include <setjmp.h>
/*
* Options and other state info.
*/
extern int trace; /* trace packets exchanged */
extern int hash; /* print # for each buffer transferred */
extern int sendport; /* use PORT cmd for each data connection */
extern int verbose; /* print messages coming back from server */
extern int connected; /* connected to server */
extern int fromatty; /* input is from a terminal */
extern int interactive; /* interactively prompt on m* cmds */
extern int lineedit; /* use line-editing */
extern int debug; /* debugging level */
extern int bell; /* ring bell on cmd completion */
extern int doglob; /* glob local file names */
extern int autologin; /* establish user account on connection */
extern int doencrypt;
extern int proxy; /* proxy server connection active */
extern int proxflag; /* proxy connection exists */
extern int sunique; /* store files on server with unique name */
extern int runique; /* store local files with unique name */
extern int mcase; /* map upper to lower case for mget names */
extern int ntflag; /* use ntin ntout tables for name translation */
extern int mapflag; /* use mapin mapout templates on file names */
extern int code; /* return/reply code for ftp command */
extern int crflag; /* if 1, strip car. rets. on ascii gets */
extern char pasv[64]; /* passive port for proxy data connection */
extern int passivemode; /* passive mode enabled */
extern char *altarg; /* argv[1] with no shell-like preprocessing */
extern char ntin[17]; /* input translation table */
extern char ntout[17]; /* output translation table */
extern char mapin[MaxPathLen]; /* input map template */
extern char mapout[MaxPathLen]; /* output map template */
extern char typename[32]; /* name of file transfer type */
extern int type; /* requested file transfer type */
extern int curtype; /* current file transfer type */
extern char structname[32]; /* name of file transfer structure */
extern int stru; /* file transfer structure */
extern char formname[32]; /* name of file transfer format */
extern int form; /* file transfer format */
extern char modename[32]; /* name of file transfer mode */
extern int mode; /* file transfer mode */
extern char bytename[32]; /* local byte size in ascii */
extern int bytesize; /* local byte size in binary */
extern char *hostname; /* name of host connected to */
extern int unix_server; /* server is unix, can use binary for ascii */
extern int unix_proxy; /* proxy is unix, can use binary for ascii */
extern jmp_buf toplevel; /* non-local goto stuff for cmd scanner */
extern char line[200]; /* input line buffer */
extern char *stringbase; /* current scan point in line buffer */
extern char argbuf[200]; /* argument storage buffer */
extern char *argbase; /* current storage point in arg buffer */
extern int margc; /* count of arguments on input line */
extern char **margv; /* args parsed from input line */
extern int margvlen; /* how large margv is currently */
extern int cpend; /* flag: if != 0, then pending server reply */
extern int mflag; /* flag: if != 0, then active multi command */
extern int options; /* used during socket creation */
extern int use_kerberos; /* use Kerberos authentication */
/*
* Format of command table.
*/
struct cmd {
char *c_name; /* name of command */
char *c_help; /* help string */
char c_bell; /* give bell when command completes */
char c_conn; /* must be connected to use command */
char c_proxy; /* proxy server may execute */
void (*c_handler) (int, char **); /* function to call */
};
struct macel {
char mac_name[9]; /* macro name */
char *mac_start; /* start of macro in macbuf */
char *mac_end; /* end of macro in macbuf */
};
extern int macnum; /* number of defined macros */
extern struct macel macros[16];
extern char macbuf[4096];

79
appl/ftp/ftp/globals.c
View File

@@ -1,79 +0,0 @@
#include "ftp_locl.h"
RCSID("$Id$");
/*
* Options and other state info.
*/
int trace; /* trace packets exchanged */
int hash; /* print # for each buffer transferred */
int sendport; /* use PORT cmd for each data connection */
int verbose; /* print messages coming back from server */
int connected; /* connected to server */
int fromatty; /* input is from a terminal */
int interactive; /* interactively prompt on m* cmds */
int lineedit; /* use line-editing */
int debug; /* debugging level */
int bell; /* ring bell on cmd completion */
int doglob; /* glob local file names */
int doencrypt; /* try to use encryption */
int autologin; /* establish user account on connection */
int proxy; /* proxy server connection active */
int proxflag; /* proxy connection exists */
int sunique; /* store files on server with unique name */
int runique; /* store local files with unique name */
int mcase; /* map upper to lower case for mget names */
int ntflag; /* use ntin ntout tables for name translation */
int mapflag; /* use mapin mapout templates on file names */
int code; /* return/reply code for ftp command */
int crflag; /* if 1, strip car. rets. on ascii gets */
char pasv[64]; /* passive port for proxy data connection */
int passivemode; /* passive mode enabled */
char *altarg; /* argv[1] with no shell-like preprocessing */
char ntin[17]; /* input translation table */
char ntout[17]; /* output translation table */
char mapin[MaxPathLen]; /* input map template */
char mapout[MaxPathLen]; /* output map template */
char typename[32]; /* name of file transfer type */
int type; /* requested file transfer type */
int curtype; /* current file transfer type */
char structname[32]; /* name of file transfer structure */
int stru; /* file transfer structure */
char formname[32]; /* name of file transfer format */
int form; /* file transfer format */
char modename[32]; /* name of file transfer mode */
int mode; /* file transfer mode */
char bytename[32]; /* local byte size in ascii */
int bytesize; /* local byte size in binary */
char *hostname; /* name of host connected to */
int unix_server; /* server is unix, can use binary for ascii */
int unix_proxy; /* proxy is unix, can use binary for ascii */
jmp_buf toplevel; /* non-local goto stuff for cmd scanner */
char line[200]; /* input line buffer */
char *stringbase; /* current scan point in line buffer */
char argbuf[200]; /* argument storage buffer */
char *argbase; /* current storage point in arg buffer */
int margc; /* count of arguments on input line */
char **margv; /* args parsed from input line */
int margvlen; /* how large margv is currently */
int cpend; /* flag: if != 0, then pending server reply */
int mflag; /* flag: if != 0, then active multi command */
int options; /* used during socket creation */
int use_kerberos; /* use Kerberos authentication */
/*
* Format of command table.
*/
int macnum; /* number of defined macros */
struct macel macros[16];
char macbuf[4096];
char username[32];
/* these are set in ruserpassword */
char myhostname[MaxHostNameLen];
char *mydomain;

535
appl/ftp/ftp/gssapi.c
View File

@@ -1,535 +0,0 @@
/*
* Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef FTP_SERVER
#include "ftpd_locl.h"
#else
#include "ftp_locl.h"
#endif
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#include <krb5_err.h>
RCSID("$Id$");
int ftp_do_gss_bindings = 0;
int ftp_do_gss_delegate = 1;
struct gss_data {
gss_ctx_id_t context_hdl;
char *client_name;
gss_cred_id_t delegated_cred_handle;
void *mech_data;
};
static int
gss_init(void *app_data)
{
struct gss_data *d = app_data;
d->context_hdl = GSS_C_NO_CONTEXT;
d->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
#if defined(FTP_SERVER)
return 0;
#else
/* XXX Check the gss mechanism; with gss_indicate_mechs() ? */
#ifdef KRB5
return !use_kerberos;
#else
return 0;
#endif /* KRB5 */
#endif /* FTP_SERVER */
}
static int
gss_check_prot(void *app_data, int level)
{
if(level == prot_confidential)
return -1;
return 0;
}
static int
gss_decode(void *app_data, void *buf, int len, int level)
{
OM_uint32 maj_stat, min_stat;
gss_buffer_desc input, output;
gss_qop_t qop_state;
int conf_state;
struct gss_data *d = app_data;
size_t ret_len;
input.length = len;
input.value = buf;
maj_stat = gss_unwrap (&min_stat,
d->context_hdl,
&input,
&output,
&conf_state,
&qop_state);
if(GSS_ERROR(maj_stat))
return -1;
memmove(buf, output.value, output.length);
ret_len = output.length;
gss_release_buffer(&min_stat, &output);
return ret_len;
}
static int
gss_overhead(void *app_data, int level, int len)
{
return 100; /* dunno? */
}
static int
gss_encode(void *app_data, void *from, int length, int level, void **to)
{
OM_uint32 maj_stat, min_stat;
gss_buffer_desc input, output;
int conf_state;
struct gss_data *d = app_data;
input.length = length;
input.value = from;
maj_stat = gss_wrap (&min_stat,
d->context_hdl,
level == prot_private,
GSS_C_QOP_DEFAULT,
&input,
&conf_state,
&output);
*to = output.value;
return output.length;
}
static void
sockaddr_to_gss_address (struct sockaddr *sa,
OM_uint32 *addr_type,
gss_buffer_desc *gss_addr)
{
switch (sa->sa_family) {
#ifdef HAVE_IPV6
case AF_INET6 : {
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
gss_addr->length = 16;
gss_addr->value = &sin6->sin6_addr;
*addr_type = GSS_C_AF_INET6;
break;
}
#endif
case AF_INET : {
struct sockaddr_in *sin4 = (struct sockaddr_in *)sa;
gss_addr->length = 4;
gss_addr->value = &sin4->sin_addr;
*addr_type = GSS_C_AF_INET;
break;
}
default :
errx (1, "unknown address family %d", sa->sa_family);
}
}
/* end common stuff */
#ifdef FTP_SERVER
static int
gss_adat(void *app_data, void *buf, size_t len)
{
char *p = NULL;
gss_buffer_desc input_token, output_token;
OM_uint32 maj_stat, min_stat;
gss_name_t client_name;
struct gss_data *d = app_data;
gss_channel_bindings_t bindings;
if (ftp_do_gss_bindings) {
bindings = malloc(sizeof(*bindings));
if (bindings == NULL)
errx(1, "out of memory");
sockaddr_to_gss_address (his_addr,
&bindings->initiator_addrtype,
&bindings->initiator_address);
sockaddr_to_gss_address (ctrl_addr,
&bindings->acceptor_addrtype,
&bindings->acceptor_address);
bindings->application_data.length = 0;
bindings->application_data.value = NULL;
} else
bindings = GSS_C_NO_CHANNEL_BINDINGS;
input_token.value = buf;
input_token.length = len;
maj_stat = gss_accept_sec_context (&min_stat,
&d->context_hdl,
GSS_C_NO_CREDENTIAL,
&input_token,
bindings,
&client_name,
NULL,
&output_token,
NULL,
NULL,
&d->delegated_cred_handle);
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
if(output_token.length) {
if(base64_encode(output_token.value, output_token.length, &p) < 0) {
reply(535, "Out of memory base64-encoding.");
return -1;
}
gss_release_buffer(&min_stat, &output_token);
}
if(maj_stat == GSS_S_COMPLETE){
char *name;
gss_buffer_desc export_name;
gss_OID oid;
maj_stat = gss_display_name(&min_stat, client_name,
&export_name, &oid);
if(maj_stat != 0) {
reply(500, "Error displaying name");
goto out;
}
/* XXX kerberos */
if(oid != GSS_KRB5_NT_PRINCIPAL_NAME) {
reply(500, "OID not kerberos principal name");
gss_release_buffer(&min_stat, &export_name);
goto out;
}
name = malloc(export_name.length + 1);
if(name == NULL) {
reply(500, "Out of memory");
gss_release_buffer(&min_stat, &export_name);
goto out;
}
memcpy(name, export_name.value, export_name.length);
name[export_name.length] = '\0';
gss_release_buffer(&min_stat, &export_name);
d->client_name = name;
if(p)
reply(235, "ADAT=%s", p);
else
reply(235, "ADAT Complete");
sec_complete = 1;
} else if(maj_stat == GSS_S_CONTINUE_NEEDED) {
if(p)
reply(335, "ADAT=%s", p);
else
reply(335, "OK, need more data");
} else {
OM_uint32 new_stat;
OM_uint32 msg_ctx = 0;
gss_buffer_desc status_string;
gss_display_status(&new_stat,
min_stat,
GSS_C_MECH_CODE,
GSS_C_NO_OID,
&msg_ctx,
&status_string);
syslog(LOG_ERR, "gss_accept_sec_context: %.*s",
(int)status_string.length,
(char*)status_string.value);
gss_release_buffer(&new_stat, &status_string);
reply(431, "Security resource unavailable");
}
out:
if (client_name)
gss_release_name(&min_stat, &client_name);
free(p);
return 0;
}
int gss_userok(void*, char*);
int gss_session(void*, char*);
struct sec_server_mech gss_server_mech = {
"GSSAPI",
sizeof(struct gss_data),
gss_init, /* init */
NULL, /* end */
gss_check_prot,
gss_overhead,
gss_encode,
gss_decode,
/* */
NULL,
gss_adat,
NULL, /* pbsz */
NULL, /* ccc */
gss_userok,
gss_session
};
#else /* FTP_SERVER */
extern struct sockaddr *hisctladdr, *myctladdr;
static int
import_name(const char *kname, const char *host, gss_name_t *target_name)
{
OM_uint32 maj_stat, min_stat;
gss_buffer_desc name;
char *str;
name.length = asprintf(&str, "%s@%s", kname, host);
if (str == NULL) {
printf("Out of memory\n");
return AUTH_ERROR;
}
name.value = str;
maj_stat = gss_import_name(&min_stat,
&name,
GSS_C_NT_HOSTBASED_SERVICE,
target_name);
if (GSS_ERROR(maj_stat)) {
OM_uint32 new_stat;
OM_uint32 msg_ctx = 0;
gss_buffer_desc status_string;
gss_display_status(&new_stat,
min_stat,
GSS_C_MECH_CODE,
GSS_C_NO_OID,
&msg_ctx,
&status_string);
printf("Error importing name %.*s: %.*s\n",
(int)name.length,
(char *)name.value,
(int)status_string.length,
(char *)status_string.value);
free(name.value);
gss_release_buffer(&new_stat, &status_string);
return AUTH_ERROR;
}
free(name.value);
return 0;
}
static int
gss_auth(void *app_data, char *host)
{
OM_uint32 maj_stat, min_stat;
gss_name_t target_name;
gss_buffer_desc input, output_token;
int context_established = 0;
char *p;
int n;
gss_channel_bindings_t bindings;
struct gss_data *d = app_data;
OM_uint32 mech_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
const char *knames[] = { "ftp", "host", NULL }, **kname = knames;
if(import_name(*kname++, host, &target_name))
return AUTH_ERROR;
input.length = 0;
input.value = NULL;
if (ftp_do_gss_bindings) {
bindings = malloc(sizeof(*bindings));
if (bindings == NULL)
errx(1, "out of memory");
sockaddr_to_gss_address (myctladdr,
&bindings->initiator_addrtype,
&bindings->initiator_address);
sockaddr_to_gss_address (hisctladdr,
&bindings->acceptor_addrtype,
&bindings->acceptor_address);
bindings->application_data.length = 0;
bindings->application_data.value = NULL;
} else
bindings = GSS_C_NO_CHANNEL_BINDINGS;
if (ftp_do_gss_delegate)
mech_flags |= GSS_C_DELEG_FLAG;
while(!context_established) {
maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&d->context_hdl,
target_name,
GSS_C_NO_OID,
mech_flags,
0,
bindings,
&input,
NULL,
&output_token,
NULL,
NULL);
if (GSS_ERROR(maj_stat)) {
OM_uint32 new_stat;
OM_uint32 msg_ctx = 0;
gss_buffer_desc status_string;
d->context_hdl = GSS_C_NO_CONTEXT;
gss_release_name(&min_stat, &target_name);
if(*kname != NULL) {
if(import_name(*kname++, host, &target_name)) {
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
return AUTH_ERROR;
}
continue;
}
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
gss_display_status(&new_stat,
min_stat,
GSS_C_MECH_CODE,
GSS_C_NO_OID,
&msg_ctx,
&status_string);
printf("Error initializing security context: %.*s\n",
(int)status_string.length,
(char*)status_string.value);
gss_release_buffer(&new_stat, &status_string);
return AUTH_CONTINUE;
}
if (input.value) {
free(input.value);
input.value = NULL;
input.length = 0;
}
if (output_token.length != 0) {
base64_encode(output_token.value, output_token.length, &p);
gss_release_buffer(&min_stat, &output_token);
n = command("ADAT %s", p);
free(p);
}
if (GSS_ERROR(maj_stat)) {
if (d->context_hdl != GSS_C_NO_CONTEXT)
gss_delete_sec_context (&min_stat,
&d->context_hdl,
GSS_C_NO_BUFFER);
break;
}
if (maj_stat & GSS_S_CONTINUE_NEEDED) {
p = strstr(reply_string, "ADAT=");
if(p == NULL){
printf("Error: expected ADAT in reply. got: %s\n",
reply_string);
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
return AUTH_ERROR;
} else {
p+=5;
input.value = malloc(strlen(p));
input.length = base64_decode(p, input.value);
}
} else {
if(code != 235) {
printf("Unrecognized response code: %d\n", code);
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
return AUTH_ERROR;
}
context_established = 1;
}
}
gss_release_name(&min_stat, &target_name);
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
if (input.value)
free(input.value);
{
gss_name_t targ_name;
maj_stat = gss_inquire_context(&min_stat,
d->context_hdl,
NULL,
&targ_name,
NULL,
NULL,
NULL,
NULL,
NULL);
if (GSS_ERROR(maj_stat) == 0) {
gss_buffer_desc name;
maj_stat = gss_display_name (&min_stat,
targ_name,
&name,
NULL);
if (GSS_ERROR(maj_stat) == 0) {
printf("Authenticated to <%.*s>\n",
(int)name.length,
(char *)name.value);
gss_release_buffer(&min_stat, &name);
}
gss_release_name(&min_stat, &targ_name);
} else
printf("Failed to get gss name of peer.\n");
}
return AUTH_OK;
}
struct sec_client_mech gss_client_mech = {
"GSSAPI",
sizeof(struct gss_data),
gss_init,
gss_auth,
NULL, /* end */
gss_check_prot,
gss_overhead,
gss_encode,
gss_decode,
};
#endif /* FTP_SERVER */

590
appl/ftp/ftp/main.c
View File

@@ -1,590 +0,0 @@
/*
* Copyright (c) 1985, 1989, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* FTP User Program -- Command Interface.
*/
#include "ftp_locl.h"
#include <getarg.h>
RCSID("$Id$");
static int help_flag;
static int version_flag;
static int debug_flag;
struct getargs getargs[] = {
{ NULL, 'd', arg_flag, &debug_flag,
"debug", NULL },
{ NULL, 'g', arg_negative_flag, &doglob,
"disables globbing", NULL},
{ NULL, 'i', arg_negative_flag, &interactive,
"Turn off interactive prompting", NULL},
{ NULL, 'l', arg_negative_flag, &lineedit,
"Turn off line editing", NULL},
{ NULL, 'n', arg_negative_flag, &autologin,
"Turn off auto-login", NULL},
{ NULL, 'p', arg_flag, &passivemode,
"passive mode", NULL},
{ NULL, 't', arg_counter, &trace,
"Packet tracing", NULL},
#ifdef KRB5
{ "gss-bindings", 0, arg_negative_flag, &ftp_do_gss_bindings,
"Don't use GSS-API bindings", NULL},
{ "gss-delegate", 0, arg_negative_flag, &ftp_do_gss_delegate,
"Disable delegation of GSS-API credentials", NULL},
#endif
{ NULL, 'v', arg_counter, &verbose,
"verbosity", NULL},
{ NULL, 'K', arg_negative_flag, &use_kerberos,
"Disable kerberos authentication", NULL},
{ "encrypt", 'x', arg_flag, &doencrypt,
"Encrypt command and data channel if possible" },
{ "version", 0, arg_flag, &version_flag },
{ "help", 'h', arg_flag, &help_flag },
};
static int num_args = sizeof(getargs) / sizeof(getargs[0]);
static void
usage(int ecode)
{
arg_printusage(getargs, num_args, NULL, "[host [port]]");
exit(ecode);
}
int
main(int argc, char **argv)
{
int top;
struct passwd *pw = NULL;
char homedir[MaxPathLen];
struct servent *sp;
int optind = 0;
setprogname(argv[0]);
sp = getservbyname("ftp", "tcp");
if (sp == 0)
errx(1, "ftp/tcp: unknown service");
doglob = 1;
interactive = 1;
autologin = 1;
lineedit = 1;
passivemode = 0; /* passive mode not active */
use_kerberos = 1;
#ifdef KRB5
ftp_do_gss_bindings = 1;
#endif
if(getarg(getargs, num_args, argc, argv, &optind))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
if (debug_flag) {
options |= SO_DEBUG;
debug++;
}
argc -= optind;
argv += optind;
fromatty = isatty(fileno(stdin));
if (fromatty)
verbose++;
cpend = 0; /* no pending replies */
proxy = 0; /* proxy not active */
crflag = 1; /* strip c.r. on ascii gets */
sendport = -1; /* not using ports */
/*
* Set up the home directory in case we're globbing.
*/
pw = k_getpwuid(getuid());
if (pw != NULL) {
strlcpy(homedir, pw->pw_dir, sizeof(homedir));
home = homedir;
}
if (argc > 0) {
char *xargv[5];
if (setjmp(toplevel))
exit(0);
signal(SIGINT, intr);
signal(SIGPIPE, lostpeer);
xargv[0] = (char*)getprogname();
xargv[1] = argv[0];
xargv[2] = argv[1];
xargv[3] = argv[2];
xargv[4] = NULL;
setpeer(argc+1, xargv);
}
if(setjmp(toplevel) == 0)
top = 1;
else
top = 0;
if (top) {
signal(SIGINT, intr);
signal(SIGPIPE, lostpeer);
}
for (;;) {
cmdscanner(top);
top = 1;
}
}
void
intr(int sig)
{
longjmp(toplevel, 1);
}
#ifndef SHUT_RDWR
#define SHUT_RDWR 2
#endif
RETSIGTYPE
lostpeer(int sig)
{
if (connected) {
if (cout != NULL) {
shutdown(fileno(cout), SHUT_RDWR);
fclose(cout);
cout = NULL;
}
if (data >= 0) {
shutdown(data, SHUT_RDWR);
close(data);
data = -1;
}
connected = 0;
}
pswitch(1);
if (connected) {
if (cout != NULL) {
shutdown(fileno(cout), SHUT_RDWR);
fclose(cout);
cout = NULL;
}
connected = 0;
}
proxflag = 0;
pswitch(0);
sec_end();
SIGRETURN(0);
}
/*
char *
tail(filename)
char *filename;
{
char *s;
while (*filename) {
s = strrchr(filename, '/');
if (s == NULL)
break;
if (s[1])
return (s + 1);
*s = '\0';
}
return (filename);
}
*/
static char *
simple_readline(char *prompt)
{
char buf[BUFSIZ];
printf ("%s", prompt);
fflush (stdout);
if(fgets(buf, sizeof(buf), stdin) == NULL)
return NULL;
if (buf[strlen(buf) - 1] == '\n')
buf[strlen(buf) - 1] = '\0';
return strdup(buf);
}
#ifndef HAVE_READLINE
static char *
readline(char *prompt)
{
return simple_readline (prompt);
}
static void
add_history(char *p)
{
}
#else
/* These should not really be here */
char *readline(char *);
void add_history(char *);
#endif
/*
* Command parser.
*/
void
cmdscanner(int top)
{
struct cmd *c;
int l;
if (!top)
putchar('\n');
for (;;) {
if (fromatty) {
char *p;
if (lineedit)
p = readline("ftp> ");
else
p = simple_readline("ftp> ");
if(p == NULL) {
printf("\n");
quit(0, 0);
}
strlcpy(line, p, sizeof(line));
if (lineedit)
add_history(p);
free(p);
} else{
if (fgets(line, sizeof line, stdin) == NULL)
quit(0, 0);
}
/* XXX will break on long lines */
l = strlen(line);
if (l == 0)
break;
if (line[--l] == '\n') {
if (l == 0)
break;
line[l] = '\0';
} else if (l == sizeof(line) - 2) {
printf("sorry, input line too long\n");
while ((l = getchar()) != '\n' && l != EOF)
/* void */;
break;
} /* else it was a line without a newline */
makeargv();
if (margc == 0) {
continue;
}
c = getcmd(margv[0]);
if (c == (struct cmd *)-1) {
printf("?Ambiguous command\n");
continue;
}
if (c == 0) {
printf("?Invalid command\n");
continue;
}
if (c->c_conn && !connected) {
printf("Not connected.\n");
continue;
}
(*c->c_handler)(margc, margv);
if (bell && c->c_bell)
putchar('\007');
if (c->c_handler != help)
break;
}
signal(SIGINT, intr);
signal(SIGPIPE, lostpeer);
}
struct cmd *
getcmd(char *name)
{
char *p, *q;
struct cmd *c, *found;
int nmatches, longest;
longest = 0;
nmatches = 0;
found = 0;
for (c = cmdtab; (p = c->c_name); c++) {
for (q = name; *q == *p++; q++)
if (*q == 0) /* exact match? */
return (c);
if (!*q) { /* the name was a prefix */
if (q - name > longest) {
longest = q - name;
nmatches = 1;
found = c;
} else if (q - name == longest)
nmatches++;
}
}
if (nmatches > 1)
return ((struct cmd *)-1);
return (found);
}
/*
* Slice a string up into argc/argv.
*/
int slrflag;
void
makeargv(void)
{
char **argp;
argp = margv;
stringbase = line; /* scan from first of buffer */
argbase = argbuf; /* store from first of buffer */
slrflag = 0;
for (margc = 0; ; margc++) {
/* Expand array if necessary */
if (margc == margvlen) {
int i;
margv = (margvlen == 0)
? (char **)malloc(20 * sizeof(char *))
: (char **)realloc(margv,
(margvlen + 20)*sizeof(char *));
if (margv == NULL)
errx(1, "cannot realloc argv array");
for(i = margvlen; i < margvlen + 20; ++i)
margv[i] = NULL;
margvlen += 20;
argp = margv + margc;
}
if ((*argp++ = slurpstring()) == NULL)
break;
}
}
/*
* Parse string into argbuf;
* implemented with FSM to
* handle quoting and strings
*/
char *
slurpstring(void)
{
int got_one = 0;
char *sb = stringbase;
char *ap = argbase;
char *tmp = argbase; /* will return this if token found */
if (*sb == '!' || *sb == '$') { /* recognize ! as a token for shell */
switch (slrflag) { /* and $ as token for macro invoke */
case 0:
slrflag++;
stringbase++;
return ((*sb == '!') ? "!" : "$");
/* NOTREACHED */
case 1:
slrflag++;
altarg = stringbase;
break;
default:
break;
}
}
S0:
switch (*sb) {
case '\0':
goto OUT;
case ' ':
case '\t':
sb++; goto S0;
default:
switch (slrflag) {
case 0:
slrflag++;
break;
case 1:
slrflag++;
altarg = sb;
break;
default:
break;
}
goto S1;
}
S1:
switch (*sb) {
case ' ':
case '\t':
case '\0':
goto OUT; /* end of token */
case '\\':
sb++; goto S2; /* slurp next character */
case '"':
sb++; goto S3; /* slurp quoted string */
default:
*ap++ = *sb++; /* add character to token */
got_one = 1;
goto S1;
}
S2:
switch (*sb) {
case '\0':
goto OUT;
default:
*ap++ = *sb++;
got_one = 1;
goto S1;
}
S3:
switch (*sb) {
case '\0':
goto OUT;
case '"':
sb++; goto S1;
default:
*ap++ = *sb++;
got_one = 1;
goto S3;
}
OUT:
if (got_one)
*ap++ = '\0';
argbase = ap; /* update storage pointer */
stringbase = sb; /* update scan pointer */
if (got_one) {
return (tmp);
}
switch (slrflag) {
case 0:
slrflag++;
break;
case 1:
slrflag++;
altarg = (char *) 0;
break;
default:
break;
}
return NULL;
}
#define HELPINDENT ((int) sizeof ("directory"))
/*
* Help command.
* Call each command handler with argc == 0 and argv[0] == name.
*/
void
help(int argc, char **argv)
{
struct cmd *c;
if (argc == 1) {
int i, j, w, k;
int columns, width = 0, lines;
printf("Commands may be abbreviated. Commands are:\n\n");
for (c = cmdtab; c < &cmdtab[NCMDS]; c++) {
int len = strlen(c->c_name);
if (len > width)
width = len;
}
width = (width + 8) &~ 7;
columns = 80 / width;
if (columns == 0)
columns = 1;
lines = (NCMDS + columns - 1) / columns;
for (i = 0; i < lines; i++) {
for (j = 0; j < columns; j++) {
c = cmdtab + j * lines + i;
if ((!proxy || c->c_proxy)) {
printf("%s", c->c_name);
} else {
for (k=0; k < strlen(c->c_name); k++) {
putchar(' ');
}
}
if (c + lines >= &cmdtab[NCMDS]) {
printf("\n");
break;
}
w = strlen(c->c_name);
while (w < width) {
w = (w + 8) &~ 7;
putchar('\t');
}
}
}
return;
}
while (--argc > 0) {
char *arg;
arg = *++argv;
c = getcmd(arg);
if (c == (struct cmd *)-1)
printf("?Ambiguous help command %s\n", arg);
else if (c == (struct cmd *)0)
printf("?Invalid help command %s\n", arg);
else
printf("%-*s\t%s\n", HELPINDENT,
c->c_name, c->c_help);
}
}

44
appl/ftp/ftp/pathnames.h
View File

@@ -1,44 +0,0 @@
/*
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)pathnames.h 8.1 (Berkeley) 6/6/93
*/
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#define _PATH_TMP_XXX "/tmp/ftpXXXXXX"
#ifndef _PATH_BSHELL
#define _PATH_BSHELL "/bin/sh"
#endif

313
appl/ftp/ftp/ruserpass.c
View File

@@ -1,313 +0,0 @@
/*
* Copyright (c) 1985, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ftp_locl.h"
RCSID("$Id$");
static int token (void);
static FILE *cfile;
#define DEFAULT 1
#define LOGIN 2
#define PASSWD 3
#define ACCOUNT 4
#define MACDEF 5
#define PROT 6
#define ID 10
#define MACH 11
static char tokval[100];
static struct toktab {
char *tokstr;
int tval;
} toktab[]= {
{ "default", DEFAULT },
{ "login", LOGIN },
{ "password", PASSWD },
{ "passwd", PASSWD },
{ "account", ACCOUNT },
{ "machine", MACH },
{ "macdef", MACDEF },
{ "prot", PROT },
{ NULL, 0 }
};
/*
* Write a copy of the hostname into `hostname, sz' and return a guess
* as to the `domain' of that hostname.
*/
static char *
guess_domain (char *hostname_str, size_t sz)
{
struct addrinfo *ai, *a;
struct addrinfo hints;
int error;
char *dot;
if (gethostname (hostname_str, sz) < 0) {
strlcpy (hostname_str, "", sz);
return "";
}
dot = strchr (hostname_str, '.');
if (dot != NULL)
return dot + 1;
memset (&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
error = getaddrinfo (hostname_str, NULL, &hints, &ai);
if (error)
return hostname_str;
for (a = ai; a != NULL; a = a->ai_next)
if (a->ai_canonname != NULL) {
strlcpy (hostname_str, ai->ai_canonname, sz);
break;
}
freeaddrinfo (ai);
dot = strchr (hostname_str, '.');
if (dot != NULL)
return dot + 1;
else
return hostname_str;
}
int
ruserpassword(char *host, char **aname, char **apass, char **aacct)
{
char *hdir, buf[BUFSIZ], *tmp;
int t, i, c, usedefault = 0;
struct stat stb;
mydomain = guess_domain (myhostname, MaxHostNameLen);
hdir = getenv("HOME");
if (hdir == NULL)
hdir = ".";
snprintf(buf, sizeof(buf), "%s/.netrc", hdir);
cfile = fopen(buf, "r");
if (cfile == NULL) {
if (errno != ENOENT)
warn("%s", buf);
return (0);
}
next:
while ((t = token())) switch(t) {
case DEFAULT:
usedefault = 1;
/* FALL THROUGH */
case MACH:
if (!usedefault) {
if (token() != ID)
continue;
/*
* Allow match either for user's input host name
* or official hostname. Also allow match of
* incompletely-specified host in local domain.
*/
if (strcasecmp(host, tokval) == 0)
goto match;
if (strcasecmp(hostname, tokval) == 0)
goto match;
if ((tmp = strchr(hostname, '.')) != NULL &&
tmp++ &&
strcasecmp(tmp, mydomain) == 0 &&
strncasecmp(hostname, tokval, tmp-hostname) == 0 &&
tokval[tmp - hostname] == '\0')
goto match;
if ((tmp = strchr(host, '.')) != NULL &&
tmp++ &&
strcasecmp(tmp, mydomain) == 0 &&
strncasecmp(host, tokval, tmp - host) == 0 &&
tokval[tmp - host] == '\0')
goto match;
continue;
}
match:
while ((t = token()) && t != MACH && t != DEFAULT) switch(t) {
case LOGIN:
if (token()) {
if (*aname == 0) {
*aname = strdup(tokval);
} else {
if (strcmp(*aname, tokval))
goto next;
}
}
break;
case PASSWD:
if ((*aname == NULL || strcmp(*aname, "anonymous")) &&
fstat(fileno(cfile), &stb) >= 0 &&
(stb.st_mode & 077) != 0) {
warnx("Error: .netrc file is readable by others.");
warnx("Remove password or make file unreadable by others.");
goto bad;
}
if (token() && *apass == 0) {
*apass = strdup(tokval);
}
break;
case ACCOUNT:
if (fstat(fileno(cfile), &stb) >= 0
&& (stb.st_mode & 077) != 0) {
warnx("Error: .netrc file is readable by others.");
warnx("Remove account or make file unreadable by others.");
goto bad;
}
if (token() && *aacct == 0) {
*aacct = strdup(tokval);
}
break;
case MACDEF:
if (proxy) {
fclose(cfile);
return (0);
}
while ((c=getc(cfile)) != EOF &&
(c == ' ' || c == '\t'));
if (c == EOF || c == '\n') {
printf("Missing macdef name argument.\n");
goto bad;
}
if (macnum == 16) {
printf("Limit of 16 macros have already been defined\n");
goto bad;
}
tmp = macros[macnum].mac_name;
*tmp++ = c;
for (i=0; i < 8 && (c=getc(cfile)) != EOF &&
!isspace(c); ++i) {
*tmp++ = c;
}
if (c == EOF) {
printf("Macro definition missing null line terminator.\n");
goto bad;
}
*tmp = '\0';
if (c != '\n') {
while ((c=getc(cfile)) != EOF && c != '\n');
}
if (c == EOF) {
printf("Macro definition missing null line terminator.\n");
goto bad;
}
if (macnum == 0) {
macros[macnum].mac_start = macbuf;
}
else {
macros[macnum].mac_start = macros[macnum-1].mac_end + 1;
}
tmp = macros[macnum].mac_start;
while (tmp != macbuf + 4096) {
if ((c=getc(cfile)) == EOF) {
printf("Macro definition missing null line terminator.\n");
goto bad;
}
*tmp = c;
if (*tmp == '\n') {
if (*(tmp-1) == '\0') {
macros[macnum++].mac_end = tmp - 1;
break;
}
*tmp = '\0';
}
tmp++;
}
if (tmp == macbuf + 4096) {
printf("4K macro buffer exceeded\n");
goto bad;
}
break;
case PROT:
token();
if(doencrypt == 0 && sec_request_prot(tokval) < 0)
warnx("Unknown protection level \"%s\"", tokval);
break;
default:
warnx("Unknown .netrc keyword %s", tokval);
break;
}
goto done;
}
done:
fclose(cfile);
return (0);
bad:
fclose(cfile);
return (-1);
}
static int
token(void)
{
char *cp;
int c;
struct toktab *t;
if (feof(cfile) || ferror(cfile))
return (0);
while ((c = getc(cfile)) != EOF &&
(c == '\n' || c == '\t' || c == ' ' || c == ','))
continue;
if (c == EOF)
return (0);
cp = tokval;
if (c == '"') {
while ((c = getc(cfile)) != EOF && c != '"') {
if (c == '\\')
c = getc(cfile);
*cp++ = c;
}
} else {
*cp++ = c;
while ((c = getc(cfile)) != EOF
&& c != '\n' && c != '\t' && c != ' ' && c != ',') {
if (c == '\\')
c = getc(cfile);
*cp++ = c;
}
}
*cp = 0;
if (tokval[0] == 0)
return (0);
for (t = toktab; t->tokstr; t++)
if (!strcmp(t->tokstr, tokval))
return (t->tval);
return (ID);
}

883
appl/ftp/ftp/security.c
View File

@@ -1,883 +0,0 @@
/*
* Copyright (c) 1998-2002, 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef FTP_SERVER
#include "ftpd_locl.h"
#else
#include "ftp_locl.h"
#endif
RCSID("$Id$");
static enum protection_level command_prot;
static enum protection_level data_prot;
static size_t buffer_size;
struct buffer {
void *data;
size_t size;
size_t index;
int eof_flag;
};
static struct buffer in_buffer, out_buffer;
int sec_complete;
static struct {
enum protection_level level;
const char *name;
} level_names[] = {
{ prot_clear, "clear" },
{ prot_safe, "safe" },
{ prot_confidential, "confidential" },
{ prot_private, "private" }
};
static const char *
level_to_name(enum protection_level level)
{
int i;
for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
if(level_names[i].level == level)
return level_names[i].name;
return "unknown";
}
#ifndef FTP_SERVER /* not used in server */
static enum protection_level
name_to_level(const char *name)
{
int i;
for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
if(!strncasecmp(level_names[i].name, name, strlen(name)))
return level_names[i].level;
return (enum protection_level)-1;
}
#endif
#ifdef FTP_SERVER
static struct sec_server_mech *mechs[] = {
#ifdef KRB5
&gss_server_mech,
#endif
NULL
};
static struct sec_server_mech *mech;
#else
static struct sec_client_mech *mechs[] = {
#ifdef KRB5
&gss_client_mech,
#endif
NULL
};
static struct sec_client_mech *mech;
#endif
static void *app_data;
int
sec_getc(FILE *F)
{
if(sec_complete && data_prot) {
char c;
if(sec_read(fileno(F), &c, 1) <= 0)
return EOF;
return c;
} else
return getc(F);
}
static int
block_read(int fd, void *buf, size_t len)
{
unsigned char *p = buf;
int b;
while(len) {
b = read(fd, p, len);
if (b == 0)
return 0;
else if (b < 0)
return -1;
len -= b;
p += b;
}
return p - (unsigned char*)buf;
}
static int
block_write(int fd, void *buf, size_t len)
{
unsigned char *p = buf;
int b;
while(len) {
b = write(fd, p, len);
if(b < 0)
return -1;
len -= b;
p += b;
}
return p - (unsigned char*)buf;
}
static int
sec_get_data(int fd, struct buffer *buf, int level)
{
int len;
int b;
void *tmp;
b = block_read(fd, &len, sizeof(len));
if (b == 0)
return 0;
else if (b < 0)
return -1;
len = ntohl(len);
tmp = realloc(buf->data, len);
if (tmp == NULL)
return -1;
buf->data = tmp;
b = block_read(fd, buf->data, len);
if (b == 0)
return 0;
else if (b < 0)
return -1;
buf->size = (*mech->decode)(app_data, buf->data, len, data_prot);
buf->index = 0;
return 0;
}
static size_t
buffer_read(struct buffer *buf, void *dataptr, size_t len)
{
len = min(len, buf->size - buf->index);
memcpy(dataptr, (char*)buf->data + buf->index, len);
buf->index += len;
return len;
}
static size_t
buffer_write(struct buffer *buf, void *dataptr, size_t len)
{
if(buf->index + len > buf->size) {
void *tmp;
if(buf->data == NULL)
tmp = malloc(1024);
else
tmp = realloc(buf->data, buf->index + len);
if(tmp == NULL)
return -1;
buf->data = tmp;
buf->size = buf->index + len;
}
memcpy((char*)buf->data + buf->index, dataptr, len);
buf->index += len;
return len;
}
int
sec_read(int fd, void *dataptr, int length)
{
size_t len;
int rx = 0;
if(sec_complete == 0 || data_prot == 0)
return read(fd, dataptr, length);
if(in_buffer.eof_flag){
in_buffer.eof_flag = 0;
return 0;
}
len = buffer_read(&in_buffer, dataptr, length);
length -= len;
rx += len;
dataptr = (char*)dataptr + len;
while(length){
int ret;
ret = sec_get_data(fd, &in_buffer, data_prot);
if (ret < 0)
return -1;
if(ret == 0 && in_buffer.size == 0) {
if(rx)
in_buffer.eof_flag = 1;
return rx;
}
len = buffer_read(&in_buffer, dataptr, length);
length -= len;
rx += len;
dataptr = (char*)dataptr + len;
}
return rx;
}
static int
sec_send(int fd, char *from, int length)
{
int bytes;
void *buf;
bytes = (*mech->encode)(app_data, from, length, data_prot, &buf);
bytes = htonl(bytes);
block_write(fd, &bytes, sizeof(bytes));
block_write(fd, buf, ntohl(bytes));
free(buf);
return length;
}
int
sec_fflush(FILE *F)
{
if(data_prot != prot_clear) {
if(out_buffer.index > 0){
sec_write(fileno(F), out_buffer.data, out_buffer.index);
out_buffer.index = 0;
}
sec_send(fileno(F), NULL, 0);
}
fflush(F);
return 0;
}
int
sec_write(int fd, char *dataptr, int length)
{
int len = buffer_size;
int tx = 0;
if(data_prot == prot_clear)
return write(fd, dataptr, length);
len -= (*mech->overhead)(app_data, data_prot, len);
while(length){
if(length < len)
len = length;
sec_send(fd, dataptr, len);
length -= len;
dataptr += len;
tx += len;
}
return tx;
}
int
sec_vfprintf2(FILE *f, const char *fmt, va_list ap)
{
char *buf;
int ret;
if(data_prot == prot_clear)
return vfprintf(f, fmt, ap);
else {
int len;
len = vasprintf(&buf, fmt, ap);
if (len == -1)
return len;
ret = buffer_write(&out_buffer, buf, len);
free(buf);
return ret;
}
}
int
sec_fprintf2(FILE *f, const char *fmt, ...)
{
int ret;
va_list ap;
va_start(ap, fmt);
ret = sec_vfprintf2(f, fmt, ap);
va_end(ap);
return ret;
}
int
sec_putc(int c, FILE *F)
{
char ch = c;
if(data_prot == prot_clear)
return putc(c, F);
buffer_write(&out_buffer, &ch, 1);
if(c == '\n' || out_buffer.index >= 1024 /* XXX */) {
sec_write(fileno(F), out_buffer.data, out_buffer.index);
out_buffer.index = 0;
}
return c;
}
int
sec_read_msg(char *s, int level)
{
int len;
char *buf;
int return_code;
buf = malloc(strlen(s));
len = base64_decode(s + 4, buf); /* XXX */
len = (*mech->decode)(app_data, buf, len, level);
if(len < 0)
return -1;
buf[len] = '\0';
if(buf[3] == '-')
return_code = 0;
else
sscanf(buf, "%d", &return_code);
if(buf[len-1] == '\n')
buf[len-1] = '\0';
strcpy(s, buf);
free(buf);
return return_code;
}
int
sec_vfprintf(FILE *f, const char *fmt, va_list ap)
{
char *buf;
void *enc;
int len;
if(!sec_complete)
return vfprintf(f, fmt, ap);
if (vasprintf(&buf, fmt, ap) == -1) {
printf("Failed to allocate command.\n");
return -1;
}
len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc);
free(buf);
if(len < 0) {
printf("Failed to encode command.\n");
return -1;
}
if(base64_encode(enc, len, &buf) < 0){
free(enc);
printf("Out of memory base64-encoding.\n");
return -1;
}
free(enc);
#ifdef FTP_SERVER
if(command_prot == prot_safe)
fprintf(f, "631 %s\r\n", buf);
else if(command_prot == prot_private)
fprintf(f, "632 %s\r\n", buf);
else if(command_prot == prot_confidential)
fprintf(f, "633 %s\r\n", buf);
#else
if(command_prot == prot_safe)
fprintf(f, "MIC %s", buf);
else if(command_prot == prot_private)
fprintf(f, "ENC %s", buf);
else if(command_prot == prot_confidential)
fprintf(f, "CONF %s", buf);
#endif
free(buf);
return 0;
}
int
sec_fprintf(FILE *f, const char *fmt, ...)
{
va_list ap;
int ret;
va_start(ap, fmt);
ret = sec_vfprintf(f, fmt, ap);
va_end(ap);
return ret;
}
/* end common stuff */
#ifdef FTP_SERVER
int ccc_passed;
void
auth(char *auth_name)
{
int i;
void *tmp;
for(i = 0; (mech = mechs[i]) != NULL; i++){
if(!strcasecmp(auth_name, mech->name)){
tmp = realloc(app_data, mech->size);
if (tmp == NULL) {
reply(431, "Unable to accept %s at this time", mech->name);
return;
}
app_data = tmp;
if(mech->init && (*mech->init)(app_data) != 0) {
reply(431, "Unable to accept %s at this time", mech->name);
return;
}
if(mech->auth) {
(*mech->auth)(app_data);
return;
}
if(mech->adat)
reply(334, "Send authorization data.");
else
reply(234, "Authorization complete.");
return;
}
}
free (app_data);
app_data = NULL;
reply(504, "%s is unknown to me", auth_name);
}
void
adat(char *auth_data)
{
if(mech && !sec_complete) {
void *buf = malloc(strlen(auth_data));
size_t len;
len = base64_decode(auth_data, buf);
(*mech->adat)(app_data, buf, len);
free(buf);
} else
reply(503, "You must %sissue an AUTH first.", mech ? "re-" : "");
}
void pbsz(int size)
{
size_t new = size;
if(!sec_complete)
reply(503, "Incomplete security data exchange.");
if(mech->pbsz)
new = (*mech->pbsz)(app_data, size);
if(buffer_size != new){
buffer_size = size;
}
if(new != size)
reply(200, "PBSZ=%lu", (unsigned long)new);
else
reply(200, "OK");
}
void
prot(char *pl)
{
int p = -1;
if(buffer_size == 0){
reply(503, "No protection buffer size negotiated.");
return;
}
if(!strcasecmp(pl, "C"))
p = prot_clear;
else if(!strcasecmp(pl, "S"))
p = prot_safe;
else if(!strcasecmp(pl, "E"))
p = prot_confidential;
else if(!strcasecmp(pl, "P"))
p = prot_private;
else {
reply(504, "Unrecognized protection level.");
return;
}
if(sec_complete){
if((*mech->check_prot)(app_data, p)){
reply(536, "%s does not support %s protection.",
mech->name, level_to_name(p));
}else{
data_prot = (enum protection_level)p;
reply(200, "Data protection is %s.", level_to_name(p));
}
}else{
reply(503, "Incomplete security data exchange.");
}
}
void ccc(void)
{
if(sec_complete){
if(mech->ccc && (*mech->ccc)(app_data) == 0) {
command_prot = data_prot = prot_clear;
ccc_passed = 1;
} else
reply(534, "You must be joking.");
}else
reply(503, "Incomplete security data exchange.");
}
void mec(char *msg, enum protection_level level)
{
void *buf;
size_t len, buf_size;
if(!sec_complete) {
reply(503, "Incomplete security data exchange.");
return;
}
buf_size = strlen(msg) + 2;
buf = malloc(buf_size);
if (buf == NULL) {
reply(501, "Failed to allocate %lu", (unsigned long)buf_size);
return;
}
len = base64_decode(msg, buf);
command_prot = level;
if(len == (size_t)-1) {
free(buf);
reply(501, "Failed to base64-decode command");
return;
}
len = (*mech->decode)(app_data, buf, len, level);
if(len == (size_t)-1) {
free(buf);
reply(535, "Failed to decode command");
return;
}
((char*)buf)[len] = '\0';
if(strstr((char*)buf, "\r\n") == NULL)
strlcat((char*)buf, "\r\n", buf_size);
new_ftp_command(buf);
}
/* ------------------------------------------------------------ */
int
sec_userok(char *userstr)
{
if(sec_complete)
return (*mech->userok)(app_data, userstr);
return 0;
}
int
sec_session(char *user)
{
if(sec_complete && mech->session)
return (*mech->session)(app_data, user);
return 0;
}
char *ftp_command;
void
new_ftp_command(char *command)
{
ftp_command = command;
}
void
delete_ftp_command(void)
{
free(ftp_command);
ftp_command = NULL;
}
int
secure_command(void)
{
return ftp_command != NULL;
}
enum protection_level
get_command_prot(void)
{
return command_prot;
}
#else /* FTP_SERVER */
void
sec_status(void)
{
if(sec_complete){
printf("Using %s for authentication.\n", mech->name);
printf("Using %s command channel.\n", level_to_name(command_prot));
printf("Using %s data channel.\n", level_to_name(data_prot));
if(buffer_size > 0)
printf("Protection buffer size: %lu.\n",
(unsigned long)buffer_size);
}else{
printf("Not using any security mechanism.\n");
}
}
static int
sec_prot_internal(int level)
{
int ret;
char *p;
unsigned int s = 1048576;
int old_verbose = verbose;
verbose = 0;
if(!sec_complete){
printf("No security data exchange has taken place.\n");
return -1;
}
if(level){
ret = command("PBSZ %u", s);
if(ret != COMPLETE){
printf("Failed to set protection buffer size.\n");
return -1;
}
buffer_size = s;
p = strstr(reply_string, "PBSZ=");
if(p)
sscanf(p, "PBSZ=%u", &s);
if(s < buffer_size)
buffer_size = s;
}
verbose = old_verbose;
ret = command("PROT %c", level["CSEP"]); /* XXX :-) */
if(ret != COMPLETE){
printf("Failed to set protection level.\n");
return -1;
}
data_prot = (enum protection_level)level;
return 0;
}
enum protection_level
set_command_prot(enum protection_level level)
{
int ret;
enum protection_level old = command_prot;
if(level != command_prot && level == prot_clear) {
ret = command("CCC");
if(ret != COMPLETE) {
printf("Failed to clear command channel.\n");
return -1;
}
}
command_prot = level;
return old;
}
void
sec_prot(int argc, char **argv)
{
int level = -1;
if(argc > 3)
goto usage;
if(argc == 1) {
sec_status();
return;
}
if(!sec_complete) {
printf("No security data exchange has taken place.\n");
code = -1;
return;
}
level = name_to_level(argv[argc - 1]);
if(level == -1)
goto usage;
if((*mech->check_prot)(app_data, level)) {
printf("%s does not implement %s protection.\n",
mech->name, level_to_name(level));
code = -1;
return;
}
if(argc == 2 || strncasecmp(argv[1], "data", strlen(argv[1])) == 0) {
if(sec_prot_internal(level) < 0){
code = -1;
return;
}
} else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0) {
if(set_command_prot(level) < 0) {
code = -1;
return;
}
} else
goto usage;
code = 0;
return;
usage:
printf("usage: %s [command|data] [clear|safe|confidential|private]\n",
argv[0]);
code = -1;
}
void
sec_prot_command(int argc, char **argv)
{
int level;
if(argc > 2)
goto usage;
if(!sec_complete) {
printf("No security data exchange has taken place.\n");
code = -1;
return;
}
if(argc == 1) {
sec_status();
} else {
level = name_to_level(argv[1]);
if(level == -1)
goto usage;
if((*mech->check_prot)(app_data, level)) {
printf("%s does not implement %s protection.\n",
mech->name, level_to_name(level));
code = -1;
return;
}
if(set_command_prot(level) < 0) {
code = -1;
return;
}
}
code = 0;
return;
usage:
printf("usage: %s [clear|safe|confidential|private]\n",
argv[0]);
code = -1;
}
static enum protection_level request_data_prot;
void
sec_set_protection_level(void)
{
if(sec_complete && data_prot != request_data_prot)
sec_prot_internal(request_data_prot);
}
int
sec_request_prot(char *level)
{
int l = name_to_level(level);
if(l == -1)
return -1;
request_data_prot = (enum protection_level)l;
return 0;
}
int
sec_login(char *host)
{
int ret;
struct sec_client_mech **m;
int old_verbose = verbose;
verbose = -1; /* shut up all messages this will produce (they
are usually not very user friendly) */
for(m = mechs; *m && (*m)->name; m++) {
void *tmp;
tmp = realloc(app_data, (*m)->size);
if (tmp == NULL) {
warnx ("realloc %lu failed", (unsigned long)(*m)->size);
return -1;
}
app_data = tmp;
if((*m)->init && (*(*m)->init)(app_data) != 0) {
printf("Skipping %s...\n", (*m)->name);
continue;
}
printf("Trying %s...\n", (*m)->name);
ret = command("AUTH %s", (*m)->name);
if(ret != CONTINUE){
if(code == 504){
printf("%s is not supported by the server.\n", (*m)->name);
}else if(code == 534){
printf("%s rejected as security mechanism.\n", (*m)->name);
}else if(ret == ERROR) {
printf("The server doesn't support the FTP "
"security extensions.\n");
verbose = old_verbose;
return -1;
}
continue;
}
ret = (*(*m)->auth)(app_data, host);
if(ret == AUTH_CONTINUE)
continue;
else if(ret != AUTH_OK){
/* mechanism is supposed to output error string */
verbose = old_verbose;
return -1;
}
mech = *m;
sec_complete = 1;
if(doencrypt) {
command_prot = prot_private;
request_data_prot = prot_private;
} else {
command_prot = prot_safe;
}
break;
}
verbose = old_verbose;
return *m == NULL;
}
void
sec_end(void)
{
if (mech != NULL) {
if(mech->end)
(*mech->end)(app_data);
if (app_data != NULL) {
memset(app_data, 0, mech->size);
free(app_data);
app_data = NULL;
}
}
sec_complete = 0;
data_prot = (enum protection_level)0;
}
#endif /* FTP_SERVER */

140
appl/ftp/ftp/security.h
View File

@@ -1,140 +0,0 @@
/*
* Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef __security_h__
#define __security_h__
enum protection_level {
prot_clear,
prot_safe,
prot_confidential,
prot_private
};
struct sec_client_mech {
char *name;
size_t size;
int (*init)(void *);
int (*auth)(void *, char*);
void (*end)(void *);
int (*check_prot)(void *, int);
int (*overhead)(void *, int, int);
int (*encode)(void *, void*, int, int, void**);
int (*decode)(void *, void*, int, int);
};
struct sec_server_mech {
char *name;
size_t size;
int (*init)(void *);
void (*end)(void *);
int (*check_prot)(void *, int);
int (*overhead)(void *, int, int);
int (*encode)(void *, void*, int, int, void**);
int (*decode)(void *, void*, int, int);
int (*auth)(void *);
int (*adat)(void *, void*, size_t);
size_t (*pbsz)(void *, size_t);
int (*ccc)(void*);
int (*userok)(void*, char*);
int (*session)(void*, char*);
};
#define AUTH_OK 0
#define AUTH_CONTINUE 1
#define AUTH_ERROR 2
extern int ftp_do_gss_bindings;
extern int ftp_do_gss_delegate;
#ifdef FTP_SERVER
extern struct sec_server_mech krb4_server_mech, gss_server_mech;
#else
extern struct sec_client_mech krb4_client_mech, gss_client_mech;
#endif
extern int sec_complete;
#ifdef FTP_SERVER
extern char *ftp_command;
void new_ftp_command(char*);
void delete_ftp_command(void);
#endif
/* ---- */
int sec_fflush (FILE *);
int sec_fprintf (FILE *, const char *, ...)
__attribute__ ((format (printf, 2,3)));
int sec_getc (FILE *);
int sec_putc (int, FILE *);
int sec_read (int, void *, int);
int sec_read_msg (char *, int);
int sec_vfprintf (FILE *, const char *, va_list)
__attribute__ ((format (printf, 2,0)));
int sec_fprintf2(FILE *f, const char *fmt, ...)
__attribute__ ((format (printf, 2,3)));
int sec_vfprintf2(FILE *, const char *, va_list)
__attribute__ ((format (printf, 2,0)));
int sec_write (int, char *, int);
#ifdef FTP_SERVER
void adat (char *);
void auth (char *);
void ccc (void);
void mec (char *, enum protection_level);
void pbsz (int);
void prot (char *);
void delete_ftp_command (void);
void new_ftp_command (char *);
int sec_userok (char *);
int sec_session(char *);
int secure_command (void);
enum protection_level get_command_prot(void);
#else
void sec_end (void);
int sec_login (char *);
void sec_prot (int, char **);
void sec_prot_command (int, char **);
int sec_request_prot (char *);
void sec_set_protection_level (void);
void sec_status (void);
enum protection_level set_command_prot(enum protection_level);
#endif
#endif /* __security_h__ */

54
appl/ftp/ftpd/Makefile.am
View File

@@ -1,54 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
libexec_PROGRAMS = ftpd
CHECK_LOCAL =
if KRB5
krb5_sources = gssapi.c gss_userok.c
endif
ftpd_SOURCES = \
extern.h \
ftpcmd.y \
ftpd.c \
ftpd_locl.h \
logwtmp.c \
ls.c \
pathnames.h \
popen.c \
security.c \
kauth.c \
klist.c \
$(krb4_sources) \
$(krb5_sources)
EXTRA_ftpd_SOURCES = kauth.c gssapi.c gss_userok.c
$(ftpd_OBJECTS): security.h
security.c:
@test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c .
security.h:
@test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h .
gssapi.c:
@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
CLEANFILES = security.c security.h gssapi.c
man_MANS = ftpd.8 ftpusers.5
LDADD = ../common/libcommon.a \
$(LIB_otp) \
$(LIB_gssapi) \
$(LIB_krb5) \
$(LIB_kafs) \
$(LIB_krb4) \
$(LIB_hcrypto) \
$(LIB_roken)
EXTRA_DIST = $(man_MANS)

150
appl/ftp/ftpd/extern.h
View File

@@ -1,150 +0,0 @@
/*-
* Copyright (c) 1992, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)extern.h 8.2 (Berkeley) 4/4/94
*/
#ifndef _EXTERN_H_
#define _EXTERN_H_
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
#include <stdio.h>
#include <stdarg.h>
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#ifdef HAVE_LIMITS_H
#include <limits.h>
#endif
#ifndef NBBY
#define NBBY CHAR_BIT
#endif
void abor(void);
void blkfree(char **);
char **copyblk(char **);
void cwd(const char *);
void do_delete(char *);
void dologout(int);
void eprt(char *);
void epsv(char *);
void fatal(char *);
int filename_check(char *);
int ftpd_pclose(FILE *);
FILE *ftpd_popen(char *, char *, int, int);
char *ftpd_getline(char *, int);
void ftpd_logwtmp(char *, char *, char *);
void lreply(int, const char *, ...)
__attribute__ ((format (printf, 2, 3)));
void makedir(char *);
void nack(char *);
void nreply(const char *, ...)
__attribute__ ((format (printf, 1, 2)));
void pass(char *);
void pasv(void);
void perror_reply(int, const char *);
void pwd(void);
void removedir(char *);
void renamecmd(char *, char *);
char *renamefrom(char *);
void reply(int, const char *, ...)
__attribute__ ((format (printf, 2, 3)));
void retrieve(const char *, char *);
void send_file_list(char *);
void setproctitle(const char *, ...)
__attribute__ ((format (printf, 1, 2)));
void statcmd(void);
void statfilecmd(char *);
void do_store(char *, char *, int);
void upper(char *);
void user(char *);
void yyerror(char *);
void list_file(char*);
void kauth(char *, char*);
void klist(void);
void cond_kdestroy(void);
void kdestroy(void);
void krbtkfile(const char *tkfile);
void afslog(const char *, int);
void afsunlog(void);
extern int do_destroy_tickets;
extern char *k5ccname;
int find(char *);
int builtin_ls(FILE*, const char*);
int do_login(int code, char *passwd);
int klogin(char *name, char *password);
const char *ftp_rooted(const char *path);
extern struct sockaddr *ctrl_addr, *his_addr;
extern char hostname[];
extern struct sockaddr *data_dest;
extern int logged_in;
extern struct passwd *pw;
extern int guest;
extern int dochroot;
extern int logging;
extern int type;
extern off_t file_size;
extern off_t byte_count;
extern int ccc_passed;
extern int form;
extern int debug;
extern int ftpd_timeout;
extern int maxtimeout;
extern int pdata;
extern char hostname[], remotehost[];
extern char proctitle[];
extern int usedefault;
extern char tmpline[];
extern int paranoid;
#endif /* _EXTERN_H_ */

1478
appl/ftp/ftpd/ftpcmd.y
View File

File diff suppressed because it is too large Load Diff

503
appl/ftp/ftpd/ftpd.8
View File

@@ -1,503 +0,0 @@
.\" $NetBSD: ftpd.8,v 1.7 1995/04/11 02:44:53 cgd Exp $
.\"
.\" Copyright (c) 1985, 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
.\"
.Dd July 19, 2003
.Dt FTPD 8
.Os BSD 4.2
.Sh NAME
.Nm ftpd
.Nd Internet File Transfer Protocol server
.Sh SYNOPSIS
.Nm
.Op Fl a Ar authmode
.Op Fl dilvU
.Op Fl g Ar umask
.Op Fl p Ar port
.Op Fl T Ar maxtimeout
.Op Fl t Ar timeout
.Op Fl -gss-bindings
.Op Fl I | Fl -no-insecure-oob
.Op Fl u Ar default umask
.Op Fl B | Fl -builtin-ls
.Op Fl -good-chars= Ns Ar string
.Sh DESCRIPTION
.Nm Ftpd
is the
Internet File Transfer Protocol
server process. The server uses the
.Tn TCP
protocol
and listens at the port specified in the
.Dq ftp
service specification; see
.Xr services 5 .
.Pp
Available options:
.Bl -tag -width Ds
.It Fl a
Select the level of authentication required. Kerberised login can not
be turned off. The default is to only allow kerberised login. Other
possibilities can be turned on by giving a string of comma separated
flags as argument to
.Fl a .
Recognised flags are:
.Bl -tag -width plain
.It Ar plain
Allow logging in with plaintext password. The password can be a(n) OTP
or an ordinary password.
.It Ar otp
Same as
.Ar plain ,
but only OTP is allowed.
.It Ar ftp
Allow anonymous login.
.El
.Pp
The following combination modes exists for backwards compatibility:
.Bl -tag -width plain
.It Ar none
Same as
.Ar plain,ftp .
.It Ar safe
Same as
.Ar ftp .
.It Ar user
Ignored.
.El
.It Fl d
Debugging information is written to the syslog using LOG_FTP.
.It Fl g
Anonymous users will get a umask of
.Ar umask .
.It Fl -gss-bindings
require the peer to use GSS-API bindings (ie make sure IP addresses match).
.It Fl i
Open a socket and wait for a connection. This is mainly used for
debugging when ftpd isn't started by inetd.
.It Fl l
Each successful and failed
.Xr ftp 1
session is logged using syslog with a facility of LOG_FTP.
If this option is specified twice, the retrieve (get), store (put), append,
delete, make directory, remove directory and rename operations and
their filename arguments are also logged.
.It Fl p
Use
.Ar port
(a service name or number) instead of the default
.Ar ftp/tcp .
.It Fl T
A client may also request a different timeout period;
the maximum period allowed may be set to
.Ar timeout
seconds with the
.Fl T
option.
The default limit is 2 hours.
.It Fl t
The inactivity timeout period is set to
.Ar timeout
seconds (the default is 15 minutes).
.It Fl u
Set the initial umask to something else than the default 027.
.It Fl U
In previous versions of
.Nm ftpd ,
when a passive mode client requested a data connection to the server, the
server would use data ports in the range 1024..4999. Now, by default,
if the system supports the IP_PORTRANGE socket option, the server will
use data ports in the range 49152..65535. Specifying this option will
revert to the old behavior.
.It Fl v
Verbose mode.
.It Xo
.Fl B ,
.Fl -builtin-ls
.Xc
use built-in ls to list files
.It Xo
.Fl -good-chars= Ns Ar string
.Xc
allowed anonymous upload filename chars
.It Xo
.Fl I
.Fl -no-insecure-oob
.Xc
don't allow insecure out of band.
Heimdal ftp clients before 0.6.3 doesn't support secure oob, so turning
on this option makes them no longer work.
.El
.Pp
The file
.Pa /etc/nologin
can be used to disable ftp access.
If the file exists,
.Nm
displays it and exits.
If the file
.Pa /etc/ftpwelcome
exists,
.Nm
prints it before issuing the
.Dq ready
message.
If the file
.Pa /etc/motd
exists,
.Nm
prints it after a successful login.
.Pp
The ftp server currently supports the following ftp requests.
The case of the requests is ignored.
.Bl -column "Request" -offset indent
.It Request Ta "Description"
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (ignored)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
.It HELP Ta "give help information"
.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA"
.It MKD Ta "make a directory"
.It MDTM Ta "show last modification time of file"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name"
.It XCUP Ta "change to parent of current working directory (deprecated)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following commands are specified by RFC2228.
.Bl -column Request -offset indent
.It AUTH Ta "authentication/security mechanism"
.It ADAT Ta "authentication/security data"
.It PROT Ta "data channel protection level"
.It PBSZ Ta "protection buffer size"
.It MIC Ta "integrity protected command"
.It CONF Ta "confidentiality protected command"
.It ENC Ta "privacy protected command"
.It CCC Ta "clear command channel"
.El
.Pp
The following non-standard or
.Tn UNIX
specific commands are supported
by the
SITE request.
.Pp
.Bl -column Request -offset indent
.It UMASK Ta change umask, (e.g.
.Ic "SITE UMASK 002" )
.It IDLE Ta set idle-timer, (e.g.
.Ic "SITE IDLE 60" )
.It CHMOD Ta change mode of a file (e.g.
.Ic "SITE CHMOD 755 filename" )
.It FIND Ta quickly find a specific file with GNU
.Xr locate 1 .
.It HELP Ta give help information.
.El
.Pp
The following Kerberos related site commands are understood.
.Bl -column Request -offset indent
.It KAUTH Ta obtain remote tickets.
.It KLIST Ta show remote tickets
.El
.Pp
The remaining ftp requests specified in Internet RFC 959
are
recognized, but not implemented.
MDTM and SIZE are not specified in RFC 959, but will appear in the
next updated FTP RFC.
.Pp
The ftp server will abort an active file transfer only when the
ABOR
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet RFC 959.
If a
STAT
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
.Nm Ftpd
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
This allows users to use the metacharacters
.Dq Li \&*?[]{}~ .
.Pp
.Nm Ftpd
authenticates users according to these rules.
.Pp
.Bl -enum -offset indent
.It
If Kerberos authentication is used, the user must pass valid tickets
and the principal must be allowed to login as the remote user.
.It
The login name must be in the password data base, and not have a null
password (if Kerberos is used the password field is not checked). In
this case a password must be provided by the client before any file
operations may be performed. If the user has an OTP key, the response
from a successful USER command will include an OTP challenge. The
client may choose to respond with a PASS command giving either a
standard password or an OTP one-time password. The server will
automatically determine which type of password it has been given and
attempt to authenticate accordingly. See
.Xr otp 1
for more information on OTP authentication.
.It
The login name must not appear in the file
.Pa /etc/ftpusers .
.It
The user must have a standard shell returned by
.Xr getusershell 3 .
.It
If the user name appears in the file
.Pa /etc/ftpchroot
the session's root will be changed to the user's login directory by
.Xr chroot 2
as for an
.Dq anonymous
or
.Dq ftp
account (see next item). However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account. The account should also be set up as for an
anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous ftp account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.El
.Pp
In the last case,
.Nm ftpd
takes special measures to restrict the client's access privileges.
The server performs a
.Xr chroot 2
to the home directory of the
.Dq ftp
user.
In order that system security is not breached, it is recommended
that the
.Dq ftp
subtree be constructed with care, consider following these guidelines
for anonymous ftp.
.Pp
In general all files should be owned by
.Dq root ,
and have non-write permissions (644 or 755 depending on the kind of
file). No files should be owned or writable by
.Dq ftp
(possibly with exception for the
.Pa ~ftp/incoming ,
as specified below).
.Bl -tag -width "~ftp/pub" -offset indent
.It Pa ~ftp
The
.Dq ftp
homedirectory should be owned by root.
.It Pa ~ftp/bin
The directory for external programs (such as
.Xr ls 1 ) .
These programs must either be statically linked, or you must setup an
environment for dynamic linking when running chrooted.
These programs will be used if present:
.Bl -tag -width "locate" -offset indent
.It ls
Used when listing files.
.It compress
When retrieving a filename that ends in
.Pa .Z ,
and that file isn't present,
.Nm
will try to find the filename without
.Pa .Z
and compress it on the fly.
.It gzip
Same as compress, just with files ending in
.Pa .gz .
.It gtar
Enables retrieval of whole directories as files ending in
.Pa .tar .
Can also be combined with compression. You must use GNU Tar (or some
other that supports the
.Fl z
and
.Fl Z
flags).
.It locate
Will enable ``fast find'' with the
.Ic SITE FIND
command. You must also create a
.Pa locatedb
file in
.Pa ~ftp/etc .
.El
.It Pa ~ftp/etc
If you put copies of the
.Xr passwd 5
and
.Xr group 5
files here, ls will be able to produce owner names rather than
numbers. Remember to remove any passwords from these files.
.Pp
The file
.Pa motd ,
if present, will be printed after a successful login.
.It Pa ~ftp/dev
Put a copy of
.Xr /dev/null 7
here.
.It Pa ~ftp/pub
Traditional place to put whatever you want to make public.
.El
.Pp
If you want guests to be able to upload files, create a
.Pa ~ftp/incoming
directory owned by
.Dq root ,
and group
.Dq ftp
with mode 730 (make sure
.Dq ftp
is member of group
.Dq ftp ) .
The following restrictions apply to anonymous users:
.Bl -bullet
.It
Directories created will have mode 700.
.It
Uploaded files will be created with an umask of 777, if not changed
with the
.Fl g
option.
.It
These command are not accessible:
.Ic DELE , RMD , RNTO , RNFR ,
.Ic SITE UMASK ,
and
.Ic SITE CHMOD .
.It
Filenames must start with an alpha-numeric character, and consist of
alpha-numeric characters or any of the following:
.Li \&+
(plus),
.Li \&-
(minus),
.Li \&=
(equal),
.Li \&_
(underscore),
.Li \&.
(period), and
.Li \&,
(comma).
.El
.Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact
.It Pa /etc/ftpusers
Access list for users.
.It Pa /etc/ftpchroot
List of normal users who should be chroot'd.
.It Pa /etc/ftpwelcome
Welcome notice.
.It Pa /etc/motd
Welcome notice after login.
.It Pa /etc/nologin
Displayed and access refused.
.It Pa ~/.klogin
Login access for Kerberos.
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr otp 1 ,
.Xr getusershell 3 ,
.Xr ftpusers 5 ,
.Xr syslogd 8
.Sh STANDARDS
.Bl -tag -compact -width "RFC 1938"
.It Cm RFC 959
FTP PROTOCOL SPECIFICATION
.It Cm RFC 1938
OTP Specification
.It Cm RFC 2228
FTP Security Extensions.
.El
.Sh BUGS
The server must run as the super-user
to create sockets with privileged port numbers. It maintains
an effective user id of the logged in user, reverting to
the super-user only when binding addresses to sockets. The
possible security holes have been extensively
scrutinized, but are possibly incomplete.
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .

2376
appl/ftp/ftpd/ftpd.c
View File

File diff suppressed because it is too large Load Diff

171
appl/ftp/ftpd/ftpd_locl.h
View File

@@ -1,171 +0,0 @@
/*
* Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef __ftpd_locl_h__
#define __ftpd_locl_h__
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
/*
* FTP server.
*/
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
#include <sys/ioctl.h>
#endif
#ifdef HAVE_SYS_IOCCOM_H
#include <sys/ioccom.h>
#endif
#ifdef TIME_WITH_SYS_TIME
#include <sys/time.h>
#include <time.h>
#elif defined(HAVE_SYS_TIME_H)
#include <sys/time.h>
#else
#include <time.h>
#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_IN_SYSTM_H
#include <netinet/in_systm.h>
#endif
#ifdef HAVE_NETINET_IP_H
#include <netinet/ip.h>
#endif
#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h>
#endif
#include <arpa/ftp.h>
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_ARPA_TELNET_H
#include <arpa/telnet.h>
#endif
#include <ctype.h>
#ifdef HAVE_DIRENT_H
#include <dirent.h>
#endif
#include <errno.h>
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#include <glob.h>
#include <limits.h>
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#ifdef HAVE_SYSLOG_H
#include <syslog.h>
#endif
#include <time.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_GRP_H
#include <grp.h>
#endif
#include <fnmatch.h>
#ifdef HAVE_BSD_BSD_H
#include <bsd/bsd.h>
#endif
#include <err.h>
#include "roken.h"
#include "pathnames.h"
#include "extern.h"
#include "common.h"
#include "security.h"
#ifdef KRB5
#include <krb5.h>
#endif /* KRB5 */
#if defined(KRB5)
#include <kafs.h>
#endif
#ifdef OTP
#include <otp.h>
#endif
#ifdef SOCKS
#include <socks.h>
extern int LIBPREFIX(fclose) (FILE *);
#endif
/* SunOS doesn't have any declaration of fclose */
int fclose(FILE *stream);
int yyparse(void);
#ifndef LOG_FTP
#define LOG_FTP LOG_DAEMON
#endif
#endif /* __ftpd_locl_h__ */

37
appl/ftp/ftpd/ftpusers.5
View File

@@ -1,37 +0,0 @@
.\" $Id$
.\"
.Dd May 7, 1997
.Dt FTPUSERS 5
.Os KTH-KRB
.Sh NAME
.Pa /etc/ftpusers
.Nd FTP access list file
.Sh DESCRIPTION
.Pa /etc/ftpusers
contains a list of users that should be allowed or denied FTP
access. Each line contains a user, optionally followed by
.Dq allow
(anything but
.Dq allow
is ignored). The semi-user
.Dq *
matches any user. Users that has an explicit
.Dq allow ,
or that does not match any line, are allowed access. Anyone else is
denied access.
.Pp
Note that this is compatible with the old format, where this file
contained a list of users that should be denied access.
.Sh EXAMPLES
This will deny anyone but
.Dq foo
and
.Dq bar
to use FTP:
.Bd -literal
foo allow
bar allow
*
.Ed
.Sh SEE ALSO
.Xr ftpd 8

154
appl/ftp/ftpd/gss_userok.c
View File

@@ -1,154 +0,0 @@
/*
* Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ftpd_locl.h"
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#include <krb5.h>
/* XXX a bit too much of krb5 dependency here...
What is the correct way to do this?
*/
struct gss_krb5_data {
krb5_context context;
};
/* XXX sync with gssapi.c */
struct gss_data {
gss_ctx_id_t context_hdl;
char *client_name;
gss_cred_id_t delegated_cred_handle;
void *mech_data;
};
int gss_userok(void*, char*); /* to keep gcc happy */
int gss_session(void*, char*); /* to keep gcc happy */
int
gss_userok(void *app_data, char *username)
{
struct gss_data *data = app_data;
krb5_error_code ret;
krb5_principal client;
struct gss_krb5_data *kdata;
kdata = calloc(1, sizeof(struct gss_krb5_data));
if (kdata == NULL)
return 1;
data->mech_data = kdata;
ret = krb5_init_context(&(kdata->context));
if (ret) {
free(kdata);
return 1;
}
ret = krb5_parse_name(kdata->context, data->client_name, &client);
if(ret) {
krb5_free_context(kdata->context);
free(kdata);
return 1;
}
ret = krb5_kuserok(kdata->context, client, username);
if (!ret) {
krb5_free_principal(kdata->context, client);
krb5_free_context(kdata->context);
free(kdata);
return 1;
}
ret = 0;
krb5_free_principal(kdata->context, client);
return ret;
}
int
gss_session(void *app_data, char *username)
{
struct gss_data *data = app_data;
krb5_error_code ret;
OM_uint32 minor_status;
struct gss_krb5_data *kdata;
ret = 0;
kdata = (struct gss_krb5_data *)(data->mech_data);
/* more of krb-depend stuff :-( */
/* gss_add_cred() ? */
if (data->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
krb5_ccache ccache = NULL;
const char* ticketfile;
struct passwd *kpw;
ret = krb5_cc_new_unique(kdata->context, NULL, NULL, &ccache);
if (ret)
goto fail;
ticketfile = krb5_cc_get_name(kdata->context, ccache);
ret = gss_krb5_copy_ccache(&minor_status,
data->delegated_cred_handle,
ccache);
if (ret) {
ret = 0;
goto fail;
}
do_destroy_tickets = 1;
kpw = getpwnam(username);
if (kpw == NULL) {
unlink(ticketfile);
ret = 1;
goto fail;
}
chown (ticketfile, kpw->pw_uid, kpw->pw_gid);
if (asprintf(&k5ccname, "FILE:%s", ticketfile) != -1) {
esetenv ("KRB5CCNAME", k5ccname, 1);
}
afslog(NULL, 1);
fail:
if (ccache)
krb5_cc_close(kdata->context, ccache);
}
gss_release_cred(&minor_status, &data->delegated_cred_handle);
krb5_free_context(kdata->context);
free(kdata);
return ret;
}

178
appl/ftp/ftpd/klist.c
View File

@@ -1,178 +0,0 @@
/*
* Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ftpd_locl.h"
#ifdef KRB5
static int
print_cred(krb5_context context, krb5_creds *cred)
{
char t1[128], t2[128], *str;
krb5_error_code ret;
krb5_timestamp sec;
krb5_timeofday (context, &sec);
if(cred->times.starttime)
krb5_format_time(context, cred->times.starttime, t1, sizeof(t1), 1);
else
krb5_format_time(context, cred->times.authtime, t1, sizeof(t1), 1);
if(cred->times.endtime > sec)
krb5_format_time(context, cred->times.endtime, t2, sizeof(t2), 1);
else
strlcpy(t2, ">>>Expired<<<", sizeof(t2));
ret = krb5_unparse_name (context, cred->server, &str);
if (ret) {
lreply(500, "krb5_unparse_name: %d", ret);
return 1;
}
lreply(200, "%-20s %-20s %s", t1, t2, str);
free(str);
return 0;
}
static int
print_tickets (krb5_context context,
krb5_ccache ccache,
krb5_principal principal)
{
krb5_error_code ret;
krb5_cc_cursor cursor;
krb5_creds cred;
char *str;
ret = krb5_unparse_name (context, principal, &str);
if (ret) {
lreply(500, "krb5_unparse_name: %d", ret);
return 500;
}
lreply(200, "%17s: %s:%s",
"Credentials cache",
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
lreply(200, "%17s: %s", "Principal", str);
free (str);
ret = krb5_cc_start_seq_get (context, ccache, &cursor);
if (ret) {
lreply(500, "krb5_cc_start_seq_get: %d", ret);
return 500;
}
lreply(200, " Issued Expires Principal");
while ((ret = krb5_cc_next_cred (context,
ccache,
&cursor,
&cred)) == 0) {
if (print_cred(context, &cred))
return 500;
krb5_free_cred_contents (context, &cred);
}
if (ret != KRB5_CC_END) {
lreply(500, "krb5_cc_get_next: %d", ret);
return 500;
}
ret = krb5_cc_end_seq_get (context, ccache, &cursor);
if (ret) {
lreply(500, "krb5_cc_end_seq_get: %d", ret);
return 500;
}
return 200;
}
static int
klist5(void)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal;
int exit_status = 200;
ret = krb5_init_context (&context);
if (ret) {
lreply(500, "krb5_init_context failed: %d", ret);
return 500;
}
if (k5ccname)
ret = krb5_cc_resolve(context, k5ccname, &ccache);
else
ret = krb5_cc_default (context, &ccache);
if (ret) {
lreply(500, "krb5_cc_default: %d", ret);
return 500;
}
ret = krb5_cc_get_principal (context, ccache, &principal);
if (ret) {
if(ret == ENOENT)
lreply(500, "No ticket file: %s",
krb5_cc_get_name(context, ccache));
else
lreply(500, "krb5_cc_get_principal: %d", ret);
return 500;
}
exit_status = print_tickets (context, ccache, principal);
ret = krb5_cc_close (context, ccache);
if (ret) {
lreply(500, "krb5_cc_close: %d", ret);
exit_status = 500;
}
krb5_free_principal (context, principal);
krb5_free_context (context);
return exit_status;
}
#endif
void
klist(void)
{
#if KRB5
int res = klist5();
reply(res, " ");
#else
reply(500, "Command not implemented.");
#endif
}

182
appl/ftp/ftpd/logwtmp.c
View File

@@ -1,182 +0,0 @@
/*
* Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
RCSID("$Id$");
#endif
#include <stdio.h>
#include <string.h>
#ifdef TIME_WITH_SYS_TIME
#include <sys/time.h>
#include <time.h>
#elif defined(HAVE_SYS_TIME_H)
#include <sys/time.h>
#else
#include <time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_ASL_H
#include <asl.h>
#endif
#include <roken.h>
#include "extern.h"
#ifndef WTMP_FILE
#ifdef _PATH_WTMP
#define WTMP_FILE _PATH_WTMP
#else
#define WTMP_FILE "/var/adm/wtmp"
#endif
#endif
#ifdef HAVE_ASL_H
#ifndef ASL_KEY_FACILITY
#define ASL_KEY_FACILITY "Facility"
#endif
static void
ftpd_logwtmp_asl(char *line, char *name, char *host)
{
static aslmsg m = NULL;
static int init = 0;
if (!init) {
init = 1;
m = asl_new(ASL_TYPE_MSG);
if (m == NULL)
return;
asl_set(m, ASL_KEY_FACILITY, "org.h5l.ftpd");
}
if (m)
asl_log(NULL, m, ASL_LEVEL_NOTICE,
"host %s/%s user %s%sconnected pid %d",
host, line, name, name[0] ? " " : "dis", (int)getpid());
}
#endif
#ifndef HAVE_ASL_H
static void
ftpd_logwtmp_wtmp(char *line, char *name, char *host)
{
static int init = 0;
static int fd;
#ifdef WTMPX_FILE
static int fdx;
#endif
struct utmp ut;
#ifdef WTMPX_FILE
struct utmpx utx;
#endif
memset(&ut, 0, sizeof(struct utmp));
#ifdef HAVE_STRUCT_UTMP_UT_TYPE
if(name[0])
ut.ut_type = USER_PROCESS;
else
ut.ut_type = DEAD_PROCESS;
#endif
strncpy(ut.ut_line, line, sizeof(ut.ut_line));
strncpy(ut.ut_name, name, sizeof(ut.ut_name));
#ifdef HAVE_STRUCT_UTMP_UT_PID
ut.ut_pid = getpid();
#endif
#ifdef HAVE_STRUCT_UTMP_UT_HOST
strncpy(ut.ut_host, host, sizeof(ut.ut_host));
#endif
ut.ut_time = time(NULL);
#ifdef WTMPX_FILE
strncpy(utx.ut_line, line, sizeof(utx.ut_line));
strncpy(utx.ut_user, name, sizeof(utx.ut_user));
strncpy(utx.ut_host, host, sizeof(utx.ut_host));
#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
utx.ut_syslen = strlen(host) + 1;
if (utx.ut_syslen > sizeof(utx.ut_host))
utx.ut_syslen = sizeof(utx.ut_host);
#endif
{
struct timeval tv;
gettimeofday (&tv, 0);
utx.ut_tv.tv_sec = tv.tv_sec;
utx.ut_tv.tv_usec = tv.tv_usec;
}
if(name[0])
utx.ut_type = USER_PROCESS;
else
utx.ut_type = DEAD_PROCESS;
#endif
if(!init){
fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0);
#ifdef WTMPX_FILE
fdx = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0);
#endif
init = 1;
}
if(fd >= 0) {
write(fd, &ut, sizeof(struct utmp)); /* XXX */
#ifdef WTMPX_FILE
write(fdx, &utx, sizeof(struct utmpx));
#endif
}
}
#endif /* !HAVE_ASL_H */
void
ftpd_logwtmp(char *line, char *name, char *host)
{
#ifdef HAVE_ASL_H
ftpd_logwtmp_asl(line, name, host);
#else
ftpd_logwtmp_wtmp(line, name, host);
#endif
}

891
appl/ftp/ftpd/ls.c
View File

@@ -1,891 +0,0 @@
/*
* Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
#ifndef TEST
#include "ftpd_locl.h"
RCSID("$Id$");
#else
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
#include <dirent.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <errno.h>
#define sec_fprintf2 fprintf
#define sec_fflush fflush
static void list_files(FILE *out, const char **files, int n_files, int flags);
static int parse_flags(const char *options);
int
main(int argc, char **argv)
{
int i = 1;
int flags;
if(argc > 1 && argv[1][0] == '-') {
flags = parse_flags(argv[1]);
i = 2;
} else
flags = parse_flags(NULL);
list_files(stdout, (const char **)argv + i, argc - i, flags);
return 0;
}
#endif
struct fileinfo {
struct stat st;
int inode;
int bsize;
char mode[11];
int n_link;
char *user;
char *group;
char *size;
char *major;
char *minor;
char *date;
char *filename;
char *link;
};
static void
free_fileinfo(struct fileinfo *f)
{
free(f->user);
free(f->group);
free(f->size);
free(f->major);
free(f->minor);
free(f->date);
free(f->filename);
free(f->link);
}
#define LS_DIRS (1 << 0)
#define LS_IGNORE_DOT (1 << 1)
#define LS_SORT_MODE (3 << 2)
#define SORT_MODE(f) ((f) & LS_SORT_MODE)
#define LS_SORT_NAME (1 << 2)
#define LS_SORT_MTIME (2 << 2)
#define LS_SORT_SIZE (3 << 2)
#define LS_SORT_REVERSE (1 << 4)
#define LS_SIZE (1 << 5)
#define LS_INODE (1 << 6)
#define LS_TYPE (1 << 7)
#define LS_DISP_MODE (3 << 8)
#define DISP_MODE(f) ((f) & LS_DISP_MODE)
#define LS_DISP_LONG (1 << 8)
#define LS_DISP_COLUMN (2 << 8)
#define LS_DISP_CROSS (3 << 8)
#define LS_SHOW_ALL (1 << 10)
#define LS_RECURSIVE (1 << 11)
#define LS_EXTRA_BLANK (1 << 12)
#define LS_SHOW_DIRNAME (1 << 13)
#define LS_DIR_FLAG (1 << 14) /* these files come via list_dir */
#ifndef S_ISTXT
#define S_ISTXT S_ISVTX
#endif
#if !defined(_S_IFMT) && defined(S_IFMT)
#define _S_IFMT S_IFMT
#endif
#ifndef S_ISSOCK
#define S_ISSOCK(mode) (((mode) & _S_IFMT) == S_IFSOCK)
#endif
#ifndef S_ISLNK
#define S_ISLNK(mode) (((mode) & _S_IFMT) == S_IFLNK)
#endif
static size_t
block_convert(size_t blocks)
{
#ifdef S_BLKSIZE
return blocks * S_BLKSIZE / 1024;
#else
return blocks * 512 / 1024;
#endif
}
static int
make_fileinfo(FILE *out, const char *filename, struct fileinfo *file, int flags)
{
char buf[128];
int file_type = 0;
struct stat *st = &file->st;
file->inode = st->st_ino;
file->bsize = block_convert(st->st_blocks);
if(S_ISDIR(st->st_mode)) {
file->mode[0] = 'd';
file_type = '/';
}
else if(S_ISCHR(st->st_mode))
file->mode[0] = 'c';
else if(S_ISBLK(st->st_mode))
file->mode[0] = 'b';
else if(S_ISREG(st->st_mode)) {
file->mode[0] = '-';
if(st->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))
file_type = '*';
}
else if(S_ISFIFO(st->st_mode)) {
file->mode[0] = 'p';
file_type = '|';
}
else if(S_ISLNK(st->st_mode)) {
file->mode[0] = 'l';
file_type = '@';
}
else if(S_ISSOCK(st->st_mode)) {
file->mode[0] = 's';
file_type = '=';
}
#ifdef S_ISWHT
else if(S_ISWHT(st->st_mode)) {
file->mode[0] = 'w';
file_type = '%';
}
#endif
else
file->mode[0] = '?';
{
char *x[] = { "---", "--x", "-w-", "-wx",
"r--", "r-x", "rw-", "rwx" };
strcpy(file->mode + 1, x[(st->st_mode & S_IRWXU) >> 6]);
strcpy(file->mode + 4, x[(st->st_mode & S_IRWXG) >> 3]);
strcpy(file->mode + 7, x[(st->st_mode & S_IRWXO) >> 0]);
if((st->st_mode & S_ISUID)) {
if((st->st_mode & S_IXUSR))
file->mode[3] = 's';
else
file->mode[3] = 'S';
}
if((st->st_mode & S_ISGID)) {
if((st->st_mode & S_IXGRP))
file->mode[6] = 's';
else
file->mode[6] = 'S';
}
if((st->st_mode & S_ISTXT)) {
if((st->st_mode & S_IXOTH))
file->mode[9] = 't';
else
file->mode[9] = 'T';
}
}
file->n_link = st->st_nlink;
{
struct passwd *pwd;
pwd = getpwuid(st->st_uid);
if(pwd == NULL) {
if (asprintf(&file->user, "%u", (unsigned)st->st_uid) == -1)
file->user = NULL;
} else
file->user = strdup(pwd->pw_name);
if (file->user == NULL) {
syslog(LOG_ERR, "out of memory");
return -1;
}
}
{
struct group *grp;
grp = getgrgid(st->st_gid);
if(grp == NULL) {
if (asprintf(&file->group, "%u", (unsigned)st->st_gid) == -1)
file->group = NULL;
} else
file->group = strdup(grp->gr_name);
if (file->group == NULL) {
syslog(LOG_ERR, "out of memory");
return -1;
}
}
if(S_ISCHR(st->st_mode) || S_ISBLK(st->st_mode)) {
#if defined(major) && defined(minor)
if (asprintf(&file->major, "%u", (unsigned)major(st->st_rdev)) == -1)
file->major = NULL;
if (asprintf(&file->minor, "%u", (unsigned)minor(st->st_rdev)) == -1)
file->minor = NULL;
#else
/* Don't want to use the DDI/DKI crap. */
if (asprintf(&file->major, "%u", (unsigned)st->st_rdev) == -1)
file->major = NULL;
if (asprintf(&file->minor, "%u", 0) == -1)
file->minor = NULL;
#endif
if (file->major == NULL || file->minor == NULL) {
syslog(LOG_ERR, "out of memory");
return -1;
}
} else {
if (asprintf(&file->size, "%lu", (unsigned long)st->st_size) == -1)
file->size = NULL;
}
{
time_t t = time(NULL);
time_t mtime = st->st_mtime;
struct tm *tm = localtime(&mtime);
if((t - mtime > 6*30*24*60*60) ||
(mtime - t > 6*30*24*60*60))
strftime(buf, sizeof(buf), "%b %e %Y", tm);
else
strftime(buf, sizeof(buf), "%b %e %H:%M", tm);
file->date = strdup(buf);
if (file->date == NULL) {
syslog(LOG_ERR, "out of memory");
return -1;
}
}
{
const char *p = strrchr(filename, '/');
if(p)
p++;
else
p = filename;
if((flags & LS_TYPE) && file_type != 0) {
if (asprintf(&file->filename, "%s%c", p, file_type) == -1)
file->filename = NULL;
} else
file->filename = strdup(p);
if (file->filename == NULL) {
syslog(LOG_ERR, "out of memory");
return -1;
}
}
if(S_ISLNK(st->st_mode)) {
int n;
n = readlink((char *)filename, buf, sizeof(buf) - 1);
if(n >= 0) {
buf[n] = '\0';
file->link = strdup(buf);
if (file->link == NULL) {
syslog(LOG_ERR, "out of memory");
return -1;
}
} else
sec_fprintf2(out, "readlink(%s): %s", filename, strerror(errno));
}
return 0;
}
static void
print_file(FILE *out,
int flags,
struct fileinfo *f,
int max_inode,
int max_bsize,
int max_n_link,
int max_user,
int max_group,
int max_size,
int max_major,
int max_minor,
int max_date)
{
if(f->filename == NULL)
return;
if(flags & LS_INODE) {
sec_fprintf2(out, "%*d", max_inode, f->inode);
sec_fprintf2(out, " ");
}
if(flags & LS_SIZE) {
sec_fprintf2(out, "%*d", max_bsize, f->bsize);
sec_fprintf2(out, " ");
}
sec_fprintf2(out, "%s", f->mode);
sec_fprintf2(out, " ");
sec_fprintf2(out, "%*d", max_n_link, f->n_link);
sec_fprintf2(out, " ");
sec_fprintf2(out, "%-*s", max_user, f->user);
sec_fprintf2(out, " ");
sec_fprintf2(out, "%-*s", max_group, f->group);
sec_fprintf2(out, " ");
if(f->major != NULL && f->minor != NULL)
sec_fprintf2(out, "%*s, %*s", max_major, f->major, max_minor, f->minor);
else
sec_fprintf2(out, "%*s", max_size, f->size);
sec_fprintf2(out, " ");
sec_fprintf2(out, "%*s", max_date, f->date);
sec_fprintf2(out, " ");
sec_fprintf2(out, "%s", f->filename);
if(f->link)
sec_fprintf2(out, " -> %s", f->link);
sec_fprintf2(out, "\r\n");
}
static int
compare_filename(struct fileinfo *a, struct fileinfo *b)
{
if(a->filename == NULL)
return 1;
if(b->filename == NULL)
return -1;
return strcmp(a->filename, b->filename);
}
static int
compare_mtime(struct fileinfo *a, struct fileinfo *b)
{
if(a->filename == NULL)
return 1;
if(b->filename == NULL)
return -1;
return b->st.st_mtime - a->st.st_mtime;
}
static int
compare_size(struct fileinfo *a, struct fileinfo *b)
{
if(a->filename == NULL)
return 1;
if(b->filename == NULL)
return -1;
return b->st.st_size - a->st.st_size;
}
static int list_dir(FILE*, const char*, int);
static int
find_log10(int num)
{
int i = 1;
while(num > 10) {
i++;
num /= 10;
}
return i;
}
/*
* Operate as lstat but fake up entries for AFS mount points so we don't
* have to fetch them.
*/
#ifdef KRB5
static int do_the_afs_dance = 1;
#endif
static int
lstat_file (const char *file, struct stat *sb)
{
#ifdef KRB5
if (do_the_afs_dance &&
k_hasafs()
&& strcmp(file, ".")
&& strcmp(file, "..")
&& strcmp(file, "/"))
{
struct ViceIoctl a_params;
char *dir, *last;
char *path_bkp;
static ino_t ino_counter = 0, ino_last = 0;
int ret;
const int maxsize = 2048;
path_bkp = strdup (file);
if (path_bkp == NULL)
return -1;
a_params.out = malloc (maxsize);
if (a_params.out == NULL) {
free (path_bkp);
return -1;
}
/* If path contains more than the filename alone - split it */
last = strrchr (path_bkp, '/');
if (last != NULL) {
if(last[1] == '\0')
/* if path ended in /, replace with `.' */
a_params.in = ".";
else
a_params.in = last + 1;
while(last > path_bkp && *--last == '/');
if(*last != '/' || last != path_bkp) {
*++last = '\0';
dir = path_bkp;
} else
/* we got to the start, so this must be the root dir */
dir = "/";
} else {
/* file is relative to cdir */
dir = ".";
a_params.in = path_bkp;
}
a_params.in_size = strlen (a_params.in) + 1;
a_params.out_size = maxsize;
ret = k_pioctl (dir, VIOC_AFS_STAT_MT_PT, &a_params, 0);
free (a_params.out);
if (ret < 0) {
free (path_bkp);
if (errno != EINVAL)
return ret;
else
/* if we get EINVAL this is probably not a mountpoint */
return lstat (file, sb);
}
/*
* wow this was a mountpoint, lets cook the struct stat
* use . as a prototype
*/
ret = lstat (dir, sb);
free (path_bkp);
if (ret < 0)
return ret;
if (ino_last == sb->st_ino)
ino_counter++;
else {
ino_last = sb->st_ino;
ino_counter = 0;
}
sb->st_ino += ino_counter;
sb->st_nlink = 3;
return 0;
}
#endif /* KRB5 */
return lstat (file, sb);
}
#define IS_DOT_DOTDOT(X) ((X)[0] == '.' && ((X)[1] == '\0' || \
((X)[1] == '.' && (X)[2] == '\0')))
static int
list_files(FILE *out, const char **files, int n_files, int flags)
{
struct fileinfo *fi;
int i;
int *dirs = NULL;
size_t total_blocks = 0;
int n_print = 0;
int ret = 0;
if(n_files == 0)
return 0;
if(n_files > 1)
flags |= LS_SHOW_DIRNAME;
fi = calloc(n_files, sizeof(*fi));
if (fi == NULL) {
syslog(LOG_ERR, "out of memory");
return -1;
}
for(i = 0; i < n_files; i++) {
if(lstat_file(files[i], &fi[i].st) < 0) {
sec_fprintf2(out, "%s: %s\r\n", files[i], strerror(errno));
fi[i].filename = NULL;
} else {
int include_in_list = 1;
total_blocks += block_convert(fi[i].st.st_blocks);
if(S_ISDIR(fi[i].st.st_mode)) {
if(dirs == NULL)
dirs = calloc(n_files, sizeof(*dirs));
if(dirs == NULL) {
syslog(LOG_ERR, "%s: %m", files[i]);
ret = -1;
goto out;
}
dirs[i] = 1;
if((flags & LS_DIRS) == 0)
include_in_list = 0;
}
if(include_in_list) {
ret = make_fileinfo(out, files[i], &fi[i], flags);
if (ret)
goto out;
n_print++;
}
}
}
switch(SORT_MODE(flags)) {
case LS_SORT_NAME:
qsort(fi, n_files, sizeof(*fi),
(int (*)(const void*, const void*))compare_filename);
break;
case LS_SORT_MTIME:
qsort(fi, n_files, sizeof(*fi),
(int (*)(const void*, const void*))compare_mtime);
break;
case LS_SORT_SIZE:
qsort(fi, n_files, sizeof(*fi),
(int (*)(const void*, const void*))compare_size);
break;
}
if(DISP_MODE(flags) == LS_DISP_LONG) {
int max_inode = 0;
int max_bsize = 0;
int max_n_link = 0;
int max_user = 0;
int max_group = 0;
int max_size = 0;
int max_major = 0;
int max_minor = 0;
int max_date = 0;
for(i = 0; i < n_files; i++) {
if(fi[i].filename == NULL)
continue;
if(fi[i].inode > max_inode)
max_inode = fi[i].inode;
if(fi[i].bsize > max_bsize)
max_bsize = fi[i].bsize;
if(fi[i].n_link > max_n_link)
max_n_link = fi[i].n_link;
if(strlen(fi[i].user) > max_user)
max_user = strlen(fi[i].user);
if(strlen(fi[i].group) > max_group)
max_group = strlen(fi[i].group);
if(fi[i].major != NULL && strlen(fi[i].major) > max_major)
max_major = strlen(fi[i].major);
if(fi[i].minor != NULL && strlen(fi[i].minor) > max_minor)
max_minor = strlen(fi[i].minor);
if(fi[i].size != NULL && strlen(fi[i].size) > max_size)
max_size = strlen(fi[i].size);
if(strlen(fi[i].date) > max_date)
max_date = strlen(fi[i].date);
}
if(max_size < max_major + max_minor + 2)
max_size = max_major + max_minor + 2;
else if(max_size - max_minor - 2 > max_major)
max_major = max_size - max_minor - 2;
max_inode = find_log10(max_inode);
max_bsize = find_log10(max_bsize);
max_n_link = find_log10(max_n_link);
if(n_print > 0)
sec_fprintf2(out, "total %lu\r\n", (unsigned long)total_blocks);
if(flags & LS_SORT_REVERSE)
for(i = n_files - 1; i >= 0; i--)
print_file(out,
flags,
&fi[i],
max_inode,
max_bsize,
max_n_link,
max_user,
max_group,
max_size,
max_major,
max_minor,
max_date);
else
for(i = 0; i < n_files; i++)
print_file(out,
flags,
&fi[i],
max_inode,
max_bsize,
max_n_link,
max_user,
max_group,
max_size,
max_major,
max_minor,
max_date);
} else if(DISP_MODE(flags) == LS_DISP_COLUMN ||
DISP_MODE(flags) == LS_DISP_CROSS) {
int max_len = 0;
int size_len = 0;
int num_files = n_files;
int columns;
int j;
for(i = 0; i < n_files; i++) {
if(fi[i].filename == NULL) {
num_files--;
continue;
}
if(strlen(fi[i].filename) > max_len)
max_len = strlen(fi[i].filename);
if(find_log10(fi[i].bsize) > size_len)
size_len = find_log10(fi[i].bsize);
}
if(num_files == 0)
goto next;
if(flags & LS_SIZE) {
columns = 80 / (size_len + 1 + max_len + 1);
max_len = 80 / columns - size_len - 1;
} else {
columns = 80 / (max_len + 1); /* get space between columns */
max_len = 80 / columns;
}
if(flags & LS_SIZE)
sec_fprintf2(out, "total %lu\r\n",
(unsigned long)total_blocks);
if(DISP_MODE(flags) == LS_DISP_CROSS) {
for(i = 0, j = 0; i < n_files; i++) {
if(fi[i].filename == NULL)
continue;
if(flags & LS_SIZE)
sec_fprintf2(out, "%*u %-*s", size_len, fi[i].bsize,
max_len, fi[i].filename);
else
sec_fprintf2(out, "%-*s", max_len, fi[i].filename);
j++;
if(j == columns) {
sec_fprintf2(out, "\r\n");
j = 0;
}
}
if(j > 0)
sec_fprintf2(out, "\r\n");
} else {
int skip = (num_files + columns - 1) / columns;
for(i = 0; i < skip; i++) {
for(j = i; j < n_files;) {
while(j < n_files && fi[j].filename == NULL)
j++;
if(flags & LS_SIZE)
sec_fprintf2(out, "%*u %-*s", size_len, fi[j].bsize,
max_len, fi[j].filename);
else
sec_fprintf2(out, "%-*s", max_len, fi[j].filename);
j += skip;
}
sec_fprintf2(out, "\r\n");
}
}
} else {
for(i = 0; i < n_files; i++) {
if(fi[i].filename == NULL)
continue;
sec_fprintf2(out, "%s\r\n", fi[i].filename);
}
}
next:
if(((flags & LS_DIRS) == 0 || (flags & LS_RECURSIVE)) && dirs != NULL) {
for(i = 0; i < n_files; i++) {
if(dirs[i]) {
const char *p = strrchr(files[i], '/');
if(p == NULL)
p = files[i];
else
p++;
if(!(flags & LS_DIR_FLAG) || !IS_DOT_DOTDOT(p)) {
if((flags & LS_SHOW_DIRNAME)) {
if ((flags & LS_EXTRA_BLANK))
sec_fprintf2(out, "\r\n");
sec_fprintf2(out, "%s:\r\n", files[i]);
}
list_dir(out, files[i], flags | LS_DIRS | LS_EXTRA_BLANK);
}
}
}
}
out:
for(i = 0; i < n_files; i++)
free_fileinfo(&fi[i]);
free(fi);
if(dirs != NULL)
free(dirs);
return ret;
}
static void
free_files (char **files, int n)
{
int i;
for (i = 0; i < n; ++i)
free (files[i]);
free (files);
}
static int
hide_file(const char *filename, int flags)
{
if(filename[0] != '.')
return 0;
if((flags & LS_IGNORE_DOT))
return 1;
if(filename[1] == '\0' || (filename[1] == '.' && filename[2] == '\0')) {
if((flags & LS_SHOW_ALL))
return 0;
else
return 1;
}
return 0;
}
static int
list_dir(FILE *out, const char *directory, int flags)
{
DIR *d = opendir(directory);
struct dirent *ent;
char **files = NULL;
int n_files = 0;
int ret;
if(d == NULL) {
syslog(LOG_ERR, "%s: %m", directory);
return -1;
}
while((ent = readdir(d)) != NULL) {
void *tmp;
if(hide_file(ent->d_name, flags))
continue;
tmp = realloc(files, (n_files + 1) * sizeof(*files));
if (tmp == NULL) {
syslog(LOG_ERR, "%s: out of memory", directory);
free_files (files, n_files);
closedir (d);
return -1;
}
files = tmp;
ret = asprintf(&files[n_files], "%s/%s", directory, ent->d_name);
if (ret == -1) {
syslog(LOG_ERR, "%s: out of memory", directory);
free_files (files, n_files);
closedir (d);
return -1;
}
++n_files;
}
closedir(d);
return list_files(out, (const char**)files, n_files, flags | LS_DIR_FLAG);
}
static int
parse_flags(const char *options)
{
#ifdef TEST
int flags = LS_SORT_NAME | LS_IGNORE_DOT | LS_DISP_COLUMN;
#else
int flags = LS_SORT_NAME | LS_IGNORE_DOT | LS_DISP_LONG;
#endif
const char *p;
if(options == NULL || *options != '-')
return flags;
for(p = options + 1; *p; p++) {
switch(*p) {
case '1':
flags = (flags & ~LS_DISP_MODE);
break;
case 'a':
flags |= LS_SHOW_ALL;
/*FALLTHROUGH*/
case 'A':
flags &= ~LS_IGNORE_DOT;
break;
case 'C':
flags = (flags & ~LS_DISP_MODE) | LS_DISP_COLUMN;
break;
case 'd':
flags |= LS_DIRS;
break;
case 'f':
flags = (flags & ~LS_SORT_MODE);
break;
case 'F':
flags |= LS_TYPE;
break;
case 'i':
flags |= LS_INODE;
break;
case 'l':
flags = (flags & ~LS_DISP_MODE) | LS_DISP_LONG;
break;
case 'r':
flags |= LS_SORT_REVERSE;
break;
case 'R':
flags |= LS_RECURSIVE;
break;
case 's':
flags |= LS_SIZE;
break;
case 'S':
flags = (flags & ~LS_SORT_MODE) | LS_SORT_SIZE;
break;
case 't':
flags = (flags & ~LS_SORT_MODE) | LS_SORT_MTIME;
break;
case 'x':
flags = (flags & ~LS_DISP_MODE) | LS_DISP_CROSS;
break;
/* these are a bunch of unimplemented flags from BSD ls */
case 'k': /* display sizes in kB */
case 'c': /* last change time */
case 'L': /* list symlink target */
case 'm': /* stream output */
case 'o': /* BSD file flags */
case 'p': /* display / after directories */
case 'q': /* print non-graphic characters */
case 'u': /* use last access time */
case 'T': /* display complete time */
case 'W': /* include whiteouts */
break;
}
}
return flags;
}
int
builtin_ls(FILE *out, const char *file)
{
int flags;
int ret;
if(*file == '-') {
flags = parse_flags(file);
file = ".";
} else
flags = parse_flags("");
ret = list_files(out, &file, 1, flags);
sec_fflush(out);
return ret;
}

63
appl/ftp/ftpd/pathnames.h
View File

@@ -1,63 +0,0 @@
/*
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)pathnames.h 8.1 (Berkeley) 6/4/93
*/
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#ifndef _PATH_DEVNULL
#define _PATH_DEVNULL "/dev/null"
#endif
#ifndef _PATH_NOLOGIN
#define _PATH_NOLOGIN "/etc/nologin"
#endif
#ifndef _PATH_BSHELL
#define _PATH_BSHELL "/bin/sh"
#endif
#ifndef _PATH_FTPUSERS
#define _PATH_FTPUSERS SYSCONFDIR "/ftpusers"
#endif
#define _PATH_FTPCHROOT SYSCONFDIR "/ftpchroot"
#define _PATH_FTPWELCOME SYSCONFDIR "/ftpwelcome"
#define _PATH_FTPLOGINMESG SYSCONFDIR "/motd"
#ifndef _PATH_ISSUE
#define _PATH_ISSUE SYSCONFDIR "/issue"
#endif
#define _PATH_ISSUE_NET SYSCONFDIR "/issue.net"

236
appl/ftp/ftpd/popen.c
View File

@@ -1,236 +0,0 @@
/*
* Copyright (c) 1988, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software written by Ken Arnold and
* published in UNIX Review, Vol. 6, No. 8.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
RCSID("$Id$");
#endif
#include <sys/types.h>
#ifdef TIME_WITH_SYS_TIME
#include <sys/time.h>
#include <time.h>
#elif defined(HAVE_SYS_TIME_H)
#include <sys/time.h>
#else
#include <time.h>
#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif
#include <sys/wait.h>
#include <errno.h>
#include <glob.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <roken.h>
#include "extern.h"
/*
* Special version of popen which avoids call to shell. This ensures
* no one may create a pipe to a hidden program as a side effect of a
* list or dir command.
*/
static int *pids;
static int fds;
/* return path prepended with ~ftp if that file exists, otherwise
* return path unchanged
*/
const char *
ftp_rooted(const char *path)
{
static char home[MaxPathLen] = "";
static char newpath[MaxPathLen];
struct passwd *pwd;
if(!home[0])
if((pwd = k_getpwnam("ftp")))
strlcpy(home, pwd->pw_dir, sizeof(home));
snprintf(newpath, sizeof(newpath), "%s/%s", home, path);
if(access(newpath, X_OK))
strlcpy(newpath, path, sizeof(newpath));
return newpath;
}
#define MAXARGS 100
#define MAXGLOBS 1000
FILE *
ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
{
char *cp;
FILE *iop;
int argc, gargc, pdes[2], pid;
char **pop, *argv[MAXARGS], *gargv[MAXGLOBS];
char *foo;
if (strcmp(type, "r") && strcmp(type, "w"))
return (NULL);
if (!pids) {
/* This function is ugly and should be rewritten, in
* modern unices there is no such thing as a maximum
* filedescriptor.
*/
fds = getdtablesize();
pids = (int*)calloc(fds, sizeof(int));
if(!pids)
return NULL;
}
if (pipe(pdes) < 0)
return (NULL);
/* break up string into pieces */
foo = NULL;
for (argc = 0, cp = program; argc < MAXARGS - 1; cp = NULL) {
if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
break;
}
argv[MAXARGS - 1] = NULL;
gargv[0] = (char*)ftp_rooted(argv[0]);
/* glob each piece */
for (gargc = argc = 1; argv[argc] && gargc < MAXGLOBS - 1; argc++) {
glob_t gl;
int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE
|
#ifdef GLOB_MAXPATH
GLOB_MAXPATH
#else
GLOB_LIMIT
#endif
;
memset(&gl, 0, sizeof(gl));
if (no_glob ||
glob(argv[argc], flags, NULL, &gl) ||
gl.gl_pathc == 0)
gargv[gargc++] = strdup(argv[argc]);
else
for (pop = gl.gl_pathv;
*pop && gargc < MAXGLOBS - 1;
pop++)
gargv[gargc++] = strdup(*pop);
globfree(&gl);
}
gargv[gargc] = NULL;
iop = NULL;
switch(pid = fork()) {
case -1: /* error */
close(pdes[0]);
close(pdes[1]);
goto pfree;
/* NOTREACHED */
case 0: /* child */
if (*type == 'r') {
if (pdes[1] != STDOUT_FILENO) {
dup2(pdes[1], STDOUT_FILENO);
close(pdes[1]);
}
if(do_stderr)
dup2(STDOUT_FILENO, STDERR_FILENO);
close(pdes[0]);
} else {
if (pdes[0] != STDIN_FILENO) {
dup2(pdes[0], STDIN_FILENO);
close(pdes[0]);
}
close(pdes[1]);
}
execv(gargv[0], gargv);
gargv[0] = argv[0];
execv(gargv[0], gargv);
_exit(1);
}
/* parent; assume fdopen can't fail... */
if (*type == 'r') {
iop = fdopen(pdes[0], type);
close(pdes[1]);
} else {
iop = fdopen(pdes[1], type);
close(pdes[0]);
}
pids[fileno(iop)] = pid;
pfree:
for (argc = 1; gargv[argc] != NULL; argc++)
free(gargv[argc]);
return (iop);
}
int
ftpd_pclose(FILE *iop)
{
int fdes, status;
pid_t pid;
sigset_t sigset, osigset;
/*
* pclose returns -1 if stream is not associated with a
* `popened' command, or, if already `pclosed'.
*/
if (pids == 0 || pids[fdes = fileno(iop)] == 0)
return (-1);
fclose(iop);
sigemptyset(&sigset);
sigaddset(&sigset, SIGINT);
sigaddset(&sigset, SIGQUIT);
sigaddset(&sigset, SIGHUP);
sigprocmask(SIG_BLOCK, &sigset, &osigset);
while ((pid = waitpid(pids[fdes], &status, 0)) < 0 && errno == EINTR)
continue;
sigprocmask(SIG_SETMASK, &osigset, NULL);
pids[fdes] = 0;
if (pid < 0)
return (pid);
if (WIFEXITED(status))
return (WEXITSTATUS(status));
return (1);
}

3
appl/gssmask/Makefile.am
View File

@@ -8,5 +8,6 @@ gssmask_SOURCES = gssmask.c common.c common.h protocol.h
gssmaestro_SOURCES = gssmaestro.c common.c common.h protocol.h
LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LIB_roken)
LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LIB_roken) $(top_builddir)/lib/krb5/libkrb5.la
EXTRA_DIST = NTMakefile

35
appl/gssmask/NTMakefile Normal file
View File

@@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\gssmask
!include ../../windows/NTMakefile.w32

2
appl/gssmask/common.c
View File

@@ -55,7 +55,7 @@ add_list(char ****list, size_t *listlen, char **str, size_t len)
size_t i;
*list = erealloc(*list, sizeof(**list) * (*listlen + 1));
(*list)[*listlen] = ecalloc(len, sizeof(**list));
(*list)[*listlen] = ecalloc(len, sizeof(***list));
for (i = 0; i < len; i++)
(*list)[*listlen][i] = str[i];
(*listlen)++;

14
appl/gssmask/common.h
View File

@@ -37,13 +37,6 @@
#include <config.h>
#endif
/*
* pthread support is disable because the pthread
* test have no "application pthread libflags" variable,
* when this is fixed pthread support can be enabled again.
*/
#undef ENABLE_PTHREAD_SUPPORT
#include <sys/param.h>
#ifdef HAVE_SYS_UTSNAME_H
#include <sys/utsname.h>
@@ -65,6 +58,13 @@
#include "protocol.h"
/*
* pthread support is disable because the pthread
* test have no "application pthread libflags" variable,
* when this is fixed pthread support can be enabled again.
*/
#undef ENABLE_PTHREAD_SUPPORT
krb5_error_code store_string(krb5_storage *, const char *);

91
appl/gssmask/gssmaestro.c
View File

@@ -270,26 +270,27 @@ wait_log(struct client *c)
int32_t port;
struct sockaddr_storage sast;
socklen_t salen = sizeof(sast);
int fd, fd2, ret;
krb5_socket_t sock, sock2;
int ret;
memset(&sast, 0, sizeof(sast));
assert(sizeof(sast) >= c->salen);
fd = socket(c->sa->sa_family, SOCK_STREAM, 0);
if (fd < 0)
sock = socket(c->sa->sa_family, SOCK_STREAM, 0);
if (sock == rk_INVALID_SOCKET)
err(1, "failed to build socket for %s's logging port", c->moniker);
((struct sockaddr *)&sast)->sa_family = c->sa->sa_family;
ret = bind(fd, (struct sockaddr *)&sast, c->salen);
sast.ss_family = c->sa->sa_family;
ret = bind(sock, (struct sockaddr *)&sast, c->salen);
if (ret < 0)
err(1, "failed to bind %s's logging port", c->moniker);
if (listen(fd, SOMAXCONN) < 0)
if (listen(sock, SOMAXCONN) < 0)
err(1, "failed to listen %s's logging port", c->moniker);
salen = sizeof(sast);
ret = getsockname(fd, (struct sockaddr *)&sast, &salen);
ret = getsockname(sock, (struct sockaddr *)&sast, &salen);
if (ret < 0)
err(1, "failed to get address of local socket for %s", c->moniker);
@@ -299,12 +300,12 @@ wait_log(struct client *c)
put32(c, ntohs(port));
salen = sizeof(sast);
fd2 = accept(fd, (struct sockaddr *)&sast, &salen);
if (fd2 < 0)
sock2 = accept(sock, (struct sockaddr *)&sast, &salen);
if (sock2 == rk_INVALID_SOCKET)
err(1, "failed to accept local socket for %s", c->moniker);
close(fd);
rk_closesocket(sock);
return fd2;
return sock2;
}
@@ -327,7 +328,7 @@ build_context(struct client *ipeer, struct client *apeer,
krb5_data_zero(&itoken);
while (!iDone || !aDone) {
if (iDone) {
warnx("iPeer already done, aPeer want extra rtt");
val = GSMERR_ERROR;
@@ -405,7 +406,7 @@ build_context(struct client *ipeer, struct client *apeer,
out:
return val;
}
static void
test_mic(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2)
{
@@ -474,10 +475,10 @@ test_wrap_ext(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2,
int32_t val;
header.data = "header";
header.length = 6;
header.length = sizeof("header") - 1;
msg.data = "0123456789abcdef"; /* padded for most enctypes */
msg.length = 32;
msg.length = sizeof("0123456789abcdef") - 1;
trailer.data = "trailer";
trailer.length = 7;
@@ -540,17 +541,17 @@ test_token(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2, int w
if (val) return val;
val = test_wrap_ext(c2, hc2, c1, hc1, 1, 0);
if (val) return val;
val = test_wrap_ext(c1, hc1, c2, hc2, 1, 1);
if (val) return val;
val = test_wrap_ext(c2, hc2, c1, hc1, 1, 1);
if (val) return val;
val = test_wrap_ext(c1, hc1, c2, hc2, 0, 0);
if (val) return val;
val = test_wrap_ext(c2, hc2, c1, hc1, 0, 0);
if (val) return val;
val = test_wrap_ext(c1, hc1, c2, hc2, 0, 1);
if (val) return val;
val = test_wrap_ext(c2, hc2, c1, hc1, 0, 1);
@@ -565,7 +566,7 @@ log_function(void *ptr)
{
struct client *c = ptr;
int32_t cmd, line;
char *file, *string;
char *file = NULL, *string = NULL;
while (1) {
if (krb5_ret_int32(c->logsock, &cmd))
@@ -575,7 +576,6 @@ log_function(void *ptr)
case eLogSetMoniker:
if (krb5_ret_string(c->logsock, &file))
goto out;
free(file);
break;
case eLogInfo:
case eLogFailure:
@@ -590,8 +590,6 @@ log_function(void *ptr)
fprintf(logfile, "%s:%lu: %s\n",
file, (unsigned long)line, string);
fflush(logfile);
free(file);
free(string);
if (krb5_store_int32(c->logsock, 0))
goto out;
break;
@@ -600,6 +598,8 @@ log_function(void *ptr)
}
}
out:
free(file);
free(string);
return 0;
}
@@ -610,7 +610,8 @@ connect_client(const char *slave)
char *name, *port;
struct client *c = ecalloc(1, sizeof(*c));
struct addrinfo hints, *res0, *res;
int ret, fd;
int ret;
krb5_socket_t sock;
name = estrdup(slave);
port = strchr(name, ':');
@@ -628,13 +629,13 @@ connect_client(const char *slave)
if (ret)
errx(1, "error resolving %s", name);
for (res = res0, fd = -1; res; res = res->ai_next) {
fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (fd < 0)
for (res = res0, sock = rk_INVALID_SOCKET; res; res = res->ai_next) {
sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (sock == rk_INVALID_SOCKET)
continue;
if (connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
close(fd);
fd = -1;
if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) {
rk_closesocket(sock);
sock = rk_INVALID_SOCKET;
continue;
}
c->sa = ecalloc(1, res->ai_addrlen);
@@ -642,12 +643,12 @@ connect_client(const char *slave)
c->salen = res->ai_addrlen;
break; /* okay we got one */
}
if (fd < 0)
if (sock == rk_INVALID_SOCKET)
err(1, "connect to host: %s", name);
freeaddrinfo(res);
freeaddrinfo(res0);
c->sock = krb5_storage_from_fd(fd);
close(fd);
c->sock = krb5_storage_from_socket(sock);
rk_closesocket(sock);
if (c->sock == NULL)
errx(1, "krb5_storage_from_fd");
@@ -667,14 +668,12 @@ connect_client(const char *slave)
}
if (logfile) {
int fd;
printf("starting log socket to client %s\n", c->moniker);
fd = wait_log(c);
sock = wait_log(c);
c->logsock = krb5_storage_from_fd(fd);
close(fd);
c->logsock = krb5_storage_from_socket(sock);
rk_closesocket(sock);
if (c->logsock == NULL)
errx(1, "failed to create log krb5_storage");
#ifdef ENABLE_PTHREAD_SUPPORT
@@ -780,7 +779,7 @@ main(int argc, char **argv)
if (password == NULL)
errx(1, "password missing from %s", user);
*password++ = 0;
if (slaves.num_strings == 0)
errx(1, "no principals");
@@ -834,7 +833,7 @@ main(int argc, char **argv)
int32_t hCred, val, delegCred;
int32_t clientC, serverC;
struct client *c = clients[i];
if (c->target_name == NULL)
continue;
@@ -893,18 +892,18 @@ main(int argc, char **argv)
int32_t hCred, val, delegCred = 0;
int32_t clientC = 0, serverC = 0;
struct client *client, *server;
p = list[i];
client = get_client(p[0]);
val = acquire_cred(client, user, password, 1, &hCred);
if (val != GSMERR_OK)
errx(1, "failed to acquire_cred: %d", (int)val);
for (j = 1; j < num_clients + 1; j++) {
server = get_client(p[j % num_clients]);
if (server->target_name == NULL)
break;
@@ -921,11 +920,11 @@ main(int argc, char **argv)
warnx("build_context failed: %d", (int)val);
break;
}
val = test_token(client, clientC, server, serverC, wrap_ext);
if (val)
break;
toast_resource(client, clientC);
toast_resource(server, serverC);
if (!delegCred) {

102
appl/gssmask/gssmask.c
View File

@@ -73,10 +73,13 @@ logmessage(struct client *c, const char *file, unsigned int lineno,
char *message;
va_list ap;
int32_t ackid;
int ret;
va_start(ap, fmt);
vasprintf(&message, fmt, ap);
ret = vasprintf(&message, fmt, ap);
va_end(ap);
if (ret == -1)
errx(1, "out of memory");
if (logfile)
fprintf(logfile, "%s:%u: %d %s\n", file, lineno, level, message);
@@ -229,7 +232,7 @@ acquire_cred(struct client *c,
"krb5_get_init_creds failed: %d", ret);
return convert_krb5_to_gsm(ret);
}
ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_initialize");
@@ -309,7 +312,8 @@ HandleOP(InitContext)
gss_ctx_id_t ctx;
gss_cred_id_t creds;
gss_name_t gss_target_name;
gss_buffer_desc input_token, output_token;
gss_buffer_desc input_token;
gss_buffer_desc output_token = {0, 0};
gss_OID oid = GSS_C_NO_OID;
gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER;
@@ -358,7 +362,7 @@ HandleOP(InitContext)
if (ctx)
krb5_errx(context, 1, "initcreds, context not NULL, but first req");
}
if ((flags & GSS_C_DELEG_FLAG) != 0)
logmessage(c, __FILE__, __LINE__, 0, "init_sec_context delegating");
if ((flags & GSS_C_DCE_STYLE) != 0)
@@ -427,7 +431,6 @@ HandleOP(AcceptContext)
gss_ctx_id_t ctx;
gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
gss_buffer_desc input_token, output_token;
gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER;
ret32(c, hContext);
ret32(c, flags);
@@ -440,7 +443,6 @@ HandleOP(AcceptContext)
if (in_token.length) {
input_token.length = in_token.length;
input_token.value = in_token.data;
input_token_ptr = &input_token;
} else {
input_token.length = 0;
input_token.value = NULL;
@@ -484,7 +486,7 @@ HandleOP(AcceptContext)
gss_release_cred(&min_stat, &deleg_cred);
deleg_hcred = 0;
}
gsm_error = convert_gss_to_gsm(maj_stat);
@@ -644,7 +646,8 @@ static int
HandleOP(GetVersionAndCapabilities)
{
int32_t cap = HAS_MONIKER;
char name[256] = "unknown", *str;
char *name = NULL, *str = NULL;
int ret;
if (targetname)
cap |= ISSERVER; /* is server */
@@ -653,18 +656,24 @@ HandleOP(GetVersionAndCapabilities)
{
struct utsname ut;
if (uname(&ut) == 0) {
snprintf(name, sizeof(name), "%s-%s-%s",
ut.sysname, ut.version, ut.machine);
if (asprintf(&name, "%s-%s-%s",
ut.sysname, ut.version, ut.machine) == -1) {
errx(1, "out of memory");
}
}
}
#endif
asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING,
name ? name : "unknown");
if (ret == -1)
errx(1, "out of memory");
put32(c, GSSMAGGOTPROTOCOL);
put32(c, cap);
putstring(c, str);
free(str);
free(name);
return 0;
}
@@ -683,7 +692,8 @@ static int
HandleOP(SetLoggingSocket)
{
int32_t portnum;
int fd, ret;
krb5_socket_t sock;
int ret;
ret32(c, portnum);
@@ -692,22 +702,22 @@ HandleOP(SetLoggingSocket)
socket_set_port((struct sockaddr *)(&c->sa), htons(portnum));
fd = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0);
if (fd < 0)
sock = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0);
if (sock == rk_INVALID_SOCKET)
return 0;
ret = connect(fd, (struct sockaddr *)&c->sa, c->salen);
ret = connect(sock, (struct sockaddr *)&c->sa, c->salen);
if (ret < 0) {
logmessage(c, __FILE__, __LINE__, 0, "failed connect to log port: %s",
strerror(errno));
close(fd);
rk_closesocket(sock);
return 0;
}
if (c->logging)
krb5_storage_free(c->logging);
c->logging = krb5_storage_from_fd(fd);
close(fd);
c->logging = krb5_storage_from_socket(sock);
rk_closesocket(sock);
krb5_store_int32(c->logging, eLogSetMoniker);
store_string(c->logging, c->moniker);
@@ -799,7 +809,7 @@ HandleOP(Unwrap)
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat);
krb5_data_free(&token);
if (maj_stat == GSS_S_COMPLETE) {
token.data = output_token.value;
@@ -848,23 +858,12 @@ HandleOP(CallExtension)
errx(1, "CallExtension");
}
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_enterprise_cert (
krb5_context /*context*/,
const char */*user_id*/,
krb5_const_realm /*realm*/,
krb5_principal */*principal*/);
static int
HandleOP(AcquirePKInitCreds)
{
krb5_error_code ret;
int32_t flags;
krb5_data pfxdata;
char fn[] = "FILE:/tmp/pkcs12-creds-XXXXXXX";
const char *default_realm = "H5L.ORG";
krb5_principal principal = NULL;
int fd;
ret32(c, flags);
@@ -878,16 +877,6 @@ HandleOP(AcquirePKInitCreds)
krb5_data_free(&pfxdata);
close(fd);
/* get credentials */
ret = _krb5_pk_enterprise_cert(context, fn, default_realm, &principal);
if (ret)
krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
if (principal)
krb5_free_principal(context, principal);
put32(c, -1); /* hResource */
put32(c, GSMERR_NOT_SUPPORTED);
return 0;
@@ -966,7 +955,9 @@ HandleOP(WrapExt)
memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
p += iov[4].buffer.length;
memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
#if 0 /* Would be needed to keep going, but presently unused */
p += iov[5].buffer.length;
#endif
gss_release_iov_buffer(NULL, iov, iov_len);
@@ -1030,7 +1021,7 @@ HandleOP(UnwrapExt)
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat);
if (maj_stat == GSS_S_COMPLETE) {
token.data = iov[1].buffer.value;
token.length = iov[1].buffer.length;
@@ -1100,9 +1091,10 @@ find_op(int32_t op)
}
static struct client *
create_client(int fd, int port, const char *moniker)
create_client(krb5_socket_t sock, int port, const char *moniker)
{
struct client *c;
int ret;
c = ecalloc(1, sizeof(*c));
@@ -1111,23 +1103,28 @@ create_client(int fd, int port, const char *moniker)
} else {
char hostname[MAXHOSTNAMELEN];
gethostname(hostname, sizeof(hostname));
asprintf(&c->moniker, "gssmask: %s:%d", hostname, port);
ret = asprintf(&c->moniker, "gssmask: %s:%d", hostname, port);
if (ret == -1)
c->moniker = NULL;
}
if (!c->moniker)
errx(1, "out of memory");
{
c->salen = sizeof(c->sa);
getpeername(fd, (struct sockaddr *)&c->sa, &c->salen);
getpeername(sock, (struct sockaddr *)&c->sa, &c->salen);
getnameinfo((struct sockaddr *)&c->sa, c->salen,
c->servername, sizeof(c->servername),
NULL, 0, NI_NUMERICHOST);
NULL, 0, NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE);
}
c->sock = krb5_storage_from_fd(fd);
c->sock = krb5_storage_from_socket(sock);
if (c->sock == NULL)
errx(1, "krb5_storage_from_fd");
errx(1, "krb5_storage_from_socket");
close(fd);
rk_closesocket(sock);
return c;
}
@@ -1215,6 +1212,7 @@ int
main(int argc, char **argv)
{
int optidx = 0;
krb5_error_code ret;
setprogname (argv[0]);
@@ -1240,7 +1238,9 @@ main(int argc, char **argv)
errx (1, "Bad port `%s'", port_str);
}
krb5_init_context(&context);
ret = krb5_init_context(&context);
if (ret)
errx(1, "Error initializing kerberos: %d", ret);
{
const char *lf = logfile_str;
@@ -1252,7 +1252,7 @@ main(int argc, char **argv)
err(1, "error opening %s", lf);
}
mini_inetd(htons(port));
mini_inetd(htons(port), NULL);
fprintf(logfile, "connected\n");
{

2
appl/kf/Makefile.am
View File

@@ -17,4 +17,4 @@ LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_roken)
EXTRA_DIST = $(man_MANS)
EXTRA_DIST = NTMakefile $(man_MANS)

35
appl/kf/NTMakefile Normal file
View File

@@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\kf
!include ../../windows/NTMakefile.w32

70
appl/kf/kf.1
View File

@@ -1,39 +1,39 @@
.\" Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd July 2, 2000
.Dt KF 1
.Os Heimdal
.Os
.Sh NAME
.Nm kf
.Nd securely forward tickets
@@ -41,20 +41,20 @@
.Nm
.Oo
.Fl p Ar port |
.Fl -port Ns = Ns Ar port
.Fl Fl port Ns = Ns Ar port
.Oc
.Oo
.Fl l Ar login |
.Fl -login Ns = Ns Ar login
.Fl Fl login Ns = Ns Ar login
.Oc
.Oo
.Fl c Ar ccache |
.Fl -ccache Ns = Ns Ar ccache
.Fl Fl ccache Ns = Ns Ar ccache
.Oc
.Op Fl F | -forwardable
.Op Fl G | -no-forwardable
.Op Fl h | -help
.Op Fl -version
.Op Fl Fl version
.Ar host ...
.Sh DESCRIPTION
The
@@ -65,17 +65,17 @@ Options supported are:
.Bl -tag -width indent
.It Xo
.Fl p Ar port ,
.Fl -port Ns = Ns Ar port
.Fl Fl port Ns = Ns Ar port
.Xc
port to connect to
.It Xo
.Fl l Ar login ,
.Fl -login Ns = Ns Ar login
.Fl Fl login Ns = Ns Ar login
.Xc
remote login name
.It Xo
.Fl c Ar ccache ,
.Fl -ccache Ns = Ns Ar ccache
.Fl Fl ccache Ns = Ns Ar ccache
.Xc
remote cred cache
.It Fl F , -forwardable
@@ -83,7 +83,7 @@ forward forwardable credentials
.It Fl G , -no-forwardable
do not forward forwardable credentials
.It Fl h , -help
.It Fl -version
.It Fl Fl version
.El
.Pp
.Nm
@@ -94,7 +94,7 @@ In order for
.Nm
to work you will need to acquire your initial ticket with forwardable
flag, i.e.
.Nm kinit Fl -forwardable .
.Nm kinit Fl Fl forwardable .
.Pp
.Nm telnet
is able to forward tickets by itself.

39
appl/kf/kf.c
View File

@@ -51,38 +51,38 @@ static struct getargs args[] = {
"Forward forwardable credentials", NULL },
{ "forwardable",'G',arg_negative_flag,&forwardable,
"Don't forward forwardable credentials", NULL },
{ "help", 'h', arg_flag, &help_flag },
{ "version", 0, arg_flag, &version_flag }
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL }
};
static int num_args = sizeof(args) / sizeof(args[0]);
static void
usage(int code, struct getargs *args, int num_args)
usage(int code, struct getargs *inargs, int num_inargs)
{
arg_printusage(args, num_args, NULL, "hosts");
arg_printusage(inargs, num_inargs, NULL, "hosts");
exit(code);
}
static int
client_setup(krb5_context *context, int *argc, char **argv)
client_setup(krb5_context *ctx, int *argc, char **argv)
{
int optind = 0;
int optidx = 0;
int port = 0;
int status;
setprogname (argv[0]);
status = krb5_init_context (context);
status = krb5_init_context (ctx);
if (status)
errx(1, "krb5_init_context failed: %d", status);
forwardable = krb5_config_get_bool (*context, NULL,
forwardable = krb5_config_get_bool (*ctx, NULL,
"libdefaults",
"forwardable",
NULL);
if (getarg (args, num_args, *argc, argv, &optind))
if (getarg (args, num_args, *argc, argv, &optidx))
usage(1, args, num_args);
if(help_flag)
@@ -107,11 +107,11 @@ client_setup(krb5_context *context, int *argc, char **argv)
}
if (port == 0)
port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM);
port = krb5_getportbyname (*ctx, KF_PORT_NAME, "tcp", KF_PORT_NUM);
if(*argc - optind < 1)
if(*argc - optidx < 1)
usage(1, args, num_args);
*argc = optind;
*argc = optidx;
return port;
}
@@ -122,7 +122,7 @@ client_setup(krb5_context *context, int *argc, char **argv)
*/
static int
proto (int sock, const char *hostname, const char *service,
proto (int sock, const char *hostname, const char *svc,
char *message, size_t len)
{
krb5_auth_context auth_context;
@@ -153,7 +153,7 @@ proto (int sock, const char *hostname, const char *service,
status = krb5_sname_to_principal (context,
hostname,
service,
svc,
KRB5_NT_SRV_HST,
&server);
if (status) {
@@ -277,11 +277,11 @@ proto (int sock, const char *hostname, const char *service,
}
krb5_data_free (&data);
return(strcmp(message, "ok"));
return strcmp(message, "ok") != 0;
}
static int
doit (const char *hostname, int port, const char *service,
doit (const char *hostname, int port, const char *svc,
char *message, size_t len)
{
struct addrinfo *ai, *a;
@@ -312,7 +312,9 @@ doit (const char *hostname, int port, const char *service,
continue;
}
freeaddrinfo (ai);
return proto (s, hostname, service, message, len);
error = proto(s, hostname, svc, message, len);
close(s);
return error;
}
warnx ("failed to contact %s", hostname);
freeaddrinfo (ai);
@@ -322,6 +324,7 @@ doit (const char *hostname, int port, const char *service,
int
main(int argc, char **argv)
{
char userbuf[128];
int argcc,port,i;
int ret=0;
@@ -329,7 +332,7 @@ main(int argc, char **argv)
port = client_setup(&context, &argcc, argv);
if (remote_name == NULL) {
remote_name = get_default_username ();
remote_name = roken_get_username(userbuf, sizeof(userbuf));
if (remote_name == NULL)
errx (1, "who are you?");
}

62
appl/kf/kfd.8
View File

@@ -1,39 +1,39 @@
.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd July 2, 2000
.Dt KFD 8
.Os Heimdal
.Os
.Sh NAME
.Nm kfd
.Nd receive forwarded tickets
@@ -41,15 +41,15 @@
.Nm
.Oo
.Fl p Ar port |
.Fl -port Ns = Ns Ar port
.Fl Fl port Ns = Ns Ar port
.Oc
.Op Fl i | -inetd
.Oo
.Fl R Ar regpag |
.Fl -regpag Ns = Ns Ar regpag
.Fl Fl regpag Ns = Ns Ar regpag
.Oc
.Op Fl h | -help
.Op Fl -version
.Op Fl Fl version
.Sh DESCRIPTION
This is the daemon for
.Xr kf 1 .
@@ -57,14 +57,14 @@ Supported options:
.Bl -tag -width indent
.It Xo
.Fl p Ar port ,
.Fl -port Ns = Ns Ar port
.Fl Fl port Ns = Ns Ar port
.Xc
port to listen to
.It Fl i , -inetd
not started from inetd
.It Xo
.Fl R Ar regpag ,
.Fl -regpag= Ns Ar regpag
.Fl Fl regpag= Ns Ar regpag
.Xc
path to regpag binary
.El

24
appl/kf/kfd.c
View File

@@ -49,26 +49,26 @@ static struct getargs args[] = {
{ "inetd",'i',arg_flag, &do_inetd,
"Not started from inetd", NULL },
{ "regpag",'R',arg_string,&regpag_str,"path to regpag binary","regpag"},
{ "help", 'h', arg_flag, &help_flag },
{ "version", 0, arg_flag, &version_flag }
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL }
};
static int num_args = sizeof(args) / sizeof(args[0]);
static void
usage(int code, struct getargs *args, int num_args)
usage(int code, struct getargs *inargs, int num_inargs)
{
arg_printusage(args, num_args, NULL, "");
arg_printusage(inargs, num_inargs, NULL, "");
exit(code);
}
static int
server_setup(krb5_context *context, int argc, char **argv)
server_setup(krb5_context *ctx, int argc, char **argv)
{
int port = 0;
int local_argc;
local_argc = krb5_program_setup(context, argc, argv, args, num_args, usage);
local_argc = krb5_program_setup(ctx, argc, argv, args, num_args, usage);
if(help_flag)
(*usage)(0, args, num_args);
@@ -92,7 +92,7 @@ server_setup(krb5_context *context, int argc, char **argv)
}
if (port == 0)
port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM);
port = krb5_getportbyname (*ctx, KF_PORT_NAME, "tcp", KF_PORT_NUM);
if(argv[local_argc] != NULL)
usage(1, args, num_args);
@@ -120,7 +120,7 @@ kfd_match_version(const void *arg, const char *version)
}
static int
proto (int sock, const char *service)
proto (int sock, const char *svc)
{
krb5_auth_context auth_context;
krb5_error_code status;
@@ -151,7 +151,7 @@ proto (int sock, const char *service)
status = krb5_sname_to_principal (context,
hostname,
service,
svc,
KRB5_NT_SRV_HST,
&server);
if (status)
@@ -281,11 +281,11 @@ proto (int sock, const char *service)
}
static int
doit (int port, const char *service)
doit (int port, const char *svc)
{
if (do_inetd)
mini_inetd(port);
return proto (STDIN_FILENO, service);
mini_inetd(port, NULL);
return proto (STDIN_FILENO, svc);
}
int

Some files were not shown because too many files have changed in this diff Show More