5 Commits

Author SHA1 Message Date
cea03aebfb asdf 2025-03-29 17:30:49 +01:00
161e2b8ed7 fixup! WIP: find libsystemd with autoconfig 2025-03-29 16:56:30 +01:00
3761a26a59 WIP: find libsystemd with autoconfig 2025-03-26 13:01:01 +01:00
5b9d81284c Set up nix tooling 2025-03-26 12:51:53 +01:00
3fba586bf5 zed: set tab width 2025-03-26 12:51:52 +01:00
1117 changed files with 114199 additions and 25597 deletions


@@ -1,57 +0,0 @@
name: Test Coverage
on:
push:
branches:
- 'coverage-*'
jobs:
coverage:
runs-on: ubuntu-22.04
steps:
- name: Clone repository
uses: actions/checkout@v4
- name: Install packages
run: |
sudo apt-get update -qq
sudo apt-get install -y bison comerr-dev flex doxygen
sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl
sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl
sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python3
sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils
sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind
sudo apt-get install -y lcov
# Temporary workaround for:
# https://github.com/actions/virtual-environments/issues/3185
sudo hostname localhost
- name: Build with coverage
env:
CC: gcc
CFLAGS: '--coverage -O0 -g'
LDFLAGS: '--coverage'
run: |
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap --prefix=$HOME/inst CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"
make -j4
- name: Test
run: |
cd build
sudo sysctl kernel.core_pattern=core.%p || true
ulimit -c unlimited
make check || true
- name: Generate coverage report
run: |
cd build
# Capture coverage data
lcov --capture --directory . --output-file coverage.info --ignore-errors source
# Remove coverage for system headers and generated files
lcov --remove coverage.info '/usr/*' '*/build/*asn1*' '*/build/*_err.*' --output-file coverage.info --ignore-errors unused
# List coverage summary
lcov --list coverage.info
- name: Upload to Coveralls
uses: coverallsapp/github-action@v2
with:
file: build/coverage.info
format: lcov


@@ -20,7 +20,7 @@ jobs:
compiler: clang
steps:
- name: Clone repository
uses: actions/checkout@v4
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |


@@ -3,7 +3,7 @@ name: Linux Build
on:
push:
branches:
- 'interop*'
- 'interop-mit*'
jobs:
unix:
@@ -19,14 +19,9 @@ jobs:
cflags: ''
steps:
- name: Clone repository
uses: actions/checkout@v4
- name: Clone older Heimdal for interop testing
uses: actions/checkout@v4
with:
ref: older-branch-for-interop-testing
path: older-heimdal
uses: actions/checkout@v1
- name: Checkout MIT
uses: actions/checkout@v4
uses: actions/checkout@v3
with:
repository: krb5/krb5
path: mit
@@ -46,17 +41,6 @@ jobs:
# Temporary workaround for:
# https://github.com/actions/virtual-environments/issues/3185
sudo hostname localhost
- name: Build older Heimdal
env:
CC: ${{ matrix.compiler }}
run: |
cd older-heimdal
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --prefix=$HOME/oh5l --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
make -j4
make install
- name: Build MIT
env:
CC: ${{ matrix.compiler }}
@@ -75,7 +59,7 @@ jobs:
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" --with-mitkrb5=$HOME/mitkrb5 --with-older-heimdal=$HOME/oh5l
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" --with-mitkrb5=$HOME/mitkrb5
make -j4
- name: Test
env:
@@ -83,14 +67,8 @@ jobs:
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build
sudo sysctl kernel.core_pattern=core.%p || true
ulimit -c unlimited
cd lib
make check
cd ../tests/bin
make check
cd ../kdc
make SCRIPT_TESTS='check-fast check-mit-kdc check-old-heimdal-client check-old-heimdal-kdc' check
- name: Make Install
env:
CC: ${{ matrix.compiler }}
@@ -113,13 +91,27 @@ jobs:
if: ${{ failure() }}
run: |
find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Make Dist
run: |
cd build
make dist
make distclean
if [ "$(git ls-files -o|grep -v ^build/ | wc -l)" -ne 0 ]; then
echo "Files not removed by make distclean:"
git ls-files -o|grep -v ^build/
fi
- name: Upload Install Tarball
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Install Tarball (interop)
name: Install Tarball
path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz'
- name: Upload Logs Tarball
uses: actions/upload-artifact@v4
- name: Upload Dist Tarball
uses: actions/upload-artifact@v2
with:
name: Test Logs (interop)
name: Dist Tarball
path: 'build/heimdal-*.tar.gz'
- name: Upload Logs Tarball
uses: actions/upload-artifact@v2
with:
name: Test Logs
path: '~/logs-linux-${{ matrix.compiler }}.tgz'
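Review bot: The `uses: actions/checkout@v1` and `uses: actions/upload-artifact@v2` lines, which on this rendered page read as the new side of each old/new pair, move the job onto action versions GitHub has deprecated: checkout@v1 runs on the retired Node 12 action runtime, and GitHub announced that the v1/v2 artifact actions would stop working on hosted runners in early 2025, so the job is likely to fail before the tests run — confirm against a current run. I would keep `actions/checkout@v4` and `actions/upload-artifact@v4` (or, for supply-chain hardening, pin each action to a full commit SHA with the tag in a trailing comment). With upload-artifact v4 artifact names must be unique within a run, which the `Install Tarball (interop)` / `Test Logs (interop)` forms already provide; the plain `Install Tarball` / `Test Logs` names will collide as soon as the matrix has more than one job.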


@@ -19,11 +19,12 @@ on:
- '**.py'
- '**.asn1'
- '**.opt'
- '**.map'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/linux.yml'
- '!appveyor.yml'
- '!.travis.yml'
pull_request:
paths:
@@ -44,28 +45,28 @@ on:
- '**/INSTALL'
- '**/README*'
- '.github/workflows/linux.yml'
- '!appveyor.yml'
- '!.travis.yml'
jobs:
unix:
# Run if no [only X] tag, or if [only linux] is present (check both push commits and PR titles)
if: >-
(!contains(github.event.head_commit.message, '[only ') &&
!contains(github.event.pull_request.title, '[only ')) ||
contains(github.event.head_commit.message, '[only linux]') ||
contains(github.event.pull_request.title, '[only linux]')
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
name: [linux-gcc]
name: [linux-clang, linux-gcc]
include:
- name: linux-clang
os: ubuntu-22.04
compiler: clang
cflags: ''
- name: linux-gcc
os: ubuntu-22.04
compiler: gcc
cflags: '-Wnonnull'
steps:
- name: Clone repository
uses: actions/checkout@v4
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
@@ -95,7 +96,6 @@ jobs:
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build
sudo sysctl kernel.core_pattern=core.%p || true
ulimit -c unlimited
make check
- name: Make Install
@@ -108,14 +108,11 @@ jobs:
cd /tmp/h5l
tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz .
- name: Core dump stacks
if: ${{ always() }}
run: |
find . -name '*core*' -print
echo "thread apply all bt" > /tmp/x
find . -name core\* -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done
find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done
if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi
- name: Test logs
if: ${{ always() }}
run: |
find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from -
find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
@@ -133,17 +130,17 @@ jobs:
git ls-files -o|grep -v ^build/
fi
- name: Upload Install Tarball
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Install Tarball (${{ matrix.name }})
name: Install Tarball
path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz'
- name: Upload Dist Tarball
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Dist Tarball (${{ matrix.name }})
name: Dist Tarball
path: 'build/heimdal-*.tar.gz'
- name: Upload Logs Tarball
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Test Logs (${{ matrix.name }})
name: Test Logs
path: '~/logs-linux-${{ matrix.compiler }}.tgz'
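Review bot: In the `Core dump stacks` step the gdb command file is written to `/tmp/x` but gdb is invoked with `-x x`, so it looks for `x` in the working directory, reports it missing and prints no backtrace; the new line `find . -name core -print | while read core; do gdb -batch -x x ...` should read `-x /tmp/x` (the replaced `core\*` line has the same mismatch, so this is pre-existing but still wrong). The new side also drops `sudo sysctl kernel.core_pattern=core.%p || true`, and on Ubuntu runners the default core_pattern normally pipes cores to apport rather than writing a file literally named `core` in the cwd, so `find . -name core` will likely find nothing even when a test crashes — confirm on a failing run before relying on this step. The `uses: actions/checkout@v1` / `uses: actions/upload-artifact@v2` lines pin deprecated action versions (v1 checkout runs on the retired Node 12 runtime); prefer `actions/checkout@v4` and `actions/upload-artifact@v4`, or full-SHA pins.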


@@ -24,6 +24,8 @@ on:
- '**/INSTALL'
- '**/README*'
- '.github/workflows/osx.yml'
- '!appveyor.yml'
- '!.travis.yml'
pull_request:
paths:
@@ -44,15 +46,11 @@ on:
- '**/INSTALL'
- '**/README*'
- '.github/workflows/osx.yml'
- '!appveyor.yml'
- '!.travis.yml'
jobs:
osx:
# Run if no [only X] tag, or if [only osx] is present (check both push commits and PR titles)
if: >-
(!contains(github.event.head_commit.message, '[only ') &&
!contains(github.event.pull_request.title, '[only ')) ||
contains(github.event.head_commit.message, '[only osx]') ||
contains(github.event.pull_request.title, '[only osx]')
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
@@ -68,12 +66,10 @@ jobs:
echo "bison, flex, ncurses, texinfo, and unzip are in the base OS."
echo "berkeley-db, perl, python3, curl, and jq are installed in the"
echo "base image already."
brew install autoconf automake bison libtool cpanm texinfo texi2html bash openssl@3
brew install autoconf automake libtool cpanm texinfo texi2html
sudo cpanm install JSON
# Use Homebrew bash for tests (much faster than /bin/bash on macOS)
echo "$(brew --prefix)/bin" >> $GITHUB_PATH
- name: Clone repository
uses: actions/checkout@v4
uses: actions/checkout@v1
- name: Build
env:
CC: ${{ matrix.compiler }}
@@ -83,7 +79,7 @@ jobs:
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --disable-heimdal-documentation --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst --with-openssl=/opt/homebrew/opt/openssl@3/ CFLAGS="-O0 -g -ggdb3 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
../configure --srcdir=`dirname "$PWD"` --disable-heimdal-documentation --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3"
ulimit -c unlimited
PATH=/usr/local/opt/texinfo/bin:$PATH
export PATH
@@ -93,15 +89,12 @@ jobs:
# with:
# limit-access-to-actor: true
- name: Test
shell: bash
env:
CC: ${{ matrix.compiler }}
MAKEVARS: ${{ matrix.makevars }}
CONFIGURE_OPTS: ${{ matrix.configureopts }}
run: |
set -vx
# Verify we're using Homebrew bash (faster than system bash)
echo "Using bash: $(which bash) version $BASH_VERSION"
sudo lsof -nP -i:49188 || true
cd build
make check
@@ -120,12 +113,12 @@ jobs:
run: |
find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat
- name: Upload Install Tarball
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Install Tarball (osx)
name: Install Tarball
path: '~/heimdal-install-osx.tgz'
- name: Upload Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Test Logs (osx)
name: Upload Test Logs
path: '~/logs-osx.cpio'
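Review bot: The `../configure` line carrying `--disable-afs-support` (the second of the pair, which reads as the new side here) passes `CFLAGS=` twice — once with the `-Wno-error=...` list and again as `CFLAGS="-O0 -g -ggdb3"` — and configure keeps only the last such assignment, so the `-Wno-error` exemptions are silently discarded and, if `--enable-developer` turns warnings into errors as the exemptions suggest, the build can fail on shadow/unused warnings. Merge them into a single argument: `CFLAGS="-O0 -g -ggdb3 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"`. The `uses: actions/checkout@v1` and `uses: actions/upload-artifact@v2` lines in the same file pin deprecated action versions; prefer `@v4` for both.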


@@ -24,7 +24,7 @@ jobs:
compiler: clang
steps:
- name: Clone repository
uses: actions/checkout@v4
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
@@ -61,7 +61,7 @@ jobs:
run: |
find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat
- name: Upload Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Scan-Build Reports
path: '/tmp/scan-build*/'


@@ -19,11 +19,12 @@ on:
- '**.py'
- '**.asn1'
- '**.opt'
- '**.map'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/ubsan.yml'
- '!appveyor.yml'
- '!.travis.yml'
pull_request:
paths:
@@ -44,6 +45,8 @@ on:
- '**/INSTALL'
- '**/README*'
- '.github/workflows/ubsan.yml'
- '!appveyor.yml'
- '!.travis.yml'
jobs:
unix:
@@ -65,7 +68,7 @@ jobs:
ldflags: ''
steps:
- name: Clone repository
uses: actions/checkout@v4
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
@@ -124,7 +127,7 @@ jobs:
run: |
find build -name \*.trs | sed -e 's/trs$/log/' | xargs cat
- name: Upload Logs Tarball
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Test Logs UBSAN (${{ matrix.name }})
name: Test Logs
path: '~/logs-linux-${{ matrix.compiler }}.tgz'


@@ -24,7 +24,7 @@ jobs:
compiler: clang
steps:
- name: Clone repository
uses: actions/checkout@v4
uses: actions/checkout@v1
- name: Install packages
if: startsWith(matrix.os, 'ubuntu')
run: |
@@ -43,7 +43,7 @@ jobs:
/bin/sh ./autogen.sh
mkdir build
cd build
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-gdwarf-4 -g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
make -j4
- name: Test
env:
@@ -51,7 +51,6 @@ jobs:
MAKEVARS: ${{ matrix.makevars }}
run: |
cd build
sudo sysctl kernel.core_pattern=core.%p || true
ulimit -c unlimited
make check-valgrind
- name: Valgrind output
@@ -66,7 +65,7 @@ jobs:
run: |
find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
- name: Upload Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Test Logs (valgrind)
name: Test Logs
path: '~/logs-linux-valgrind.tgz'


@@ -18,12 +18,13 @@ on:
- '**.asn1'
- '**.opt'
- '**.w32'
- '**.def'
- '**/NTMakefile*'
- '**/COPYING'
- '**/INSTALL'
- '**/README*'
- '.github/workflows/windows.yml'
- '!appveyor.yml'
- '!.travis.yml'
pull_request:
paths:
@@ -43,21 +44,12 @@ on:
- '**/INSTALL'
- '**/README*'
- '.github/workflows/windows.yml'
- '!appveyor.yml'
- '!.travis.yml'
jobs:
windows:
# Run if no [only X] tag, or if [only windows] is present (check both push commits and PR titles)
if: >-
(!contains(github.event.head_commit.message, '[only ') &&
!contains(github.event.pull_request.title, '[only ')) ||
contains(github.event.head_commit.message, '[only windows]') ||
contains(github.event.pull_request.title, '[only windows]')
runs-on: windows-latest
strategy:
fail-fast: false
matrix:
# clang-cl disabled due to LLVM 19 bug with MMX intrinsics in VS 2022 headers
compiler: [msvc]
env:
APPVER: '10.0'
CODESIGN_PKT: 0000000000000000
@@ -66,67 +58,37 @@ jobs:
WIXDIR: 'c:\Program Files (x86)\Windows Installer XML v3.5'
steps:
- name: Clone repository
uses: actions/checkout@v4
uses: actions/checkout@v1
- name: Find MSVC and run vcvarsall.bat
uses: ilammy/msvc-dev-cmd@v1
with:
arch: amd64
- name: Setup OpenSSL
shell: pwsh
run: |
# OpenSSL 3.x is pre-installed on windows-latest at C:\Program Files\OpenSSL
$opensslDir = "C:\Program Files\OpenSSL"
if (Test-Path $opensslDir) {
Write-Host "OpenSSL found at $opensslDir"
Get-ChildItem $opensslDir
# Show version
& "$opensslDir\bin\openssl.exe" version
} else {
Write-Host "OpenSSL not found, installing via chocolatey..."
choco install openssl -y
$opensslDir = "C:\Program Files\OpenSSL"
}
# Set environment variables for the build
echo "OPENSSL_DIR=$opensslDir" >> $env:GITHUB_ENV
echo "INCLUDE_openssl_crypto=$opensslDir\include" >> $env:GITHUB_ENV
echo "LIB_openssl_crypto=$opensslDir\lib\VC\x64\MD\libcrypto.lib" >> $env:GITHUB_ENV
- name: Install MSYS2 packages
- name: Build and Test
shell: cmd
run: |
C:\msys64\usr\bin\pacman.exe --noconfirm -Sy
C:\msys64\usr\bin\pacman.exe --noconfirm -S zstd autoconf automake flex bison perl perl-JSON texinfo
- name: Build
shell: cmd
run: |
set "PATH=%PATH%;C:\msys64\usr\bin"
set "PATH=%PATH%;C:\Program Files (x86)\HTML Help Workshop"
set "PATH=%PATH%;C:\Program Files\OpenSSL\bin"
set PATH=%PATH%;C:\msys64\usr\bin;C:\Program Files (x86)\HTML Help Workshop;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin
set CODESIGN_PKT=0000000000000000
set dbg__type=Debug
mkdir %INSTALL_DIR%
pacman --noconfirm -S zstd
pacman --noconfirm -S autoconf
pacman --noconfirm -S automake
pacman --noconfirm -S flex
pacman --noconfirm -S bison
pacman --noconfirm -S perl
pacman --noconfirm -S perl-JSON
pacman --noconfirm -S texinfo
set PATH=%PATH%;%wix%bin
title Heimdal Build %CPU% %dbg__type%
set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop"
set "PATH=%PATH%;C:/msys64/usr/bin"
set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin"
set "PATH=%PATH%;C:\Python310-x64"
echo PATH=%PATH%
echo INCLUDE_openssl_crypto=%INCLUDE_openssl_crypto%
echo LIB_openssl_crypto=%LIB_openssl_crypto%
echo Compiler: ${{ matrix.compiler }}
if "${{ matrix.compiler }}"=="clang-cl" (
clang-cl --version
nmake /f NTMakefile CC=clang-cl GHA=1 NO_INSTALLERS=1 INCLUDE_openssl_crypto="%INCLUDE_openssl_crypto%" LIB_openssl_crypto="%LIB_openssl_crypto%" CFLAGS="-msse2"
) else (
nmake /f NTMakefile GHA=1 NO_INSTALLERS=1 INCLUDE_openssl_crypto="%INCLUDE_openssl_crypto%" LIB_openssl_crypto="%LIB_openssl_crypto%"
)
- name: Test
shell: cmd
run: |
set "PATH=%PATH%;C:\msys64\usr\bin"
set "PATH=%PATH%;C:\Program Files\OpenSSL\bin"
nmake /f NTMakefile GHA=1 NO_INSTALLERS=1 test
nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1
nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test
- name: Upload Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v2
with:
name: Objects-${{ matrix.compiler }}
name: Objects
path: 'D:/a/heimdal/heimdal/out/'
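Review bot: The rewritten `Build and Test` step runs under `shell: cmd`, where a failing command does not abort the script and only the last command's exit status decides the step result, so if any of the `pacman --noconfirm -S ...` lines fails (they run without a database refresh, so stale package metadata on the image can produce download errors) the step continues into `nmake` and the real cause is buried; either append `|| exit /b 1` to each install and build line or keep a separate install step with one `pacman --noconfirm -Sy --needed zstd autoconf automake flex bison perl perl-JSON texinfo`. The `set CODESIGN_PKT=0000000000000000` line duplicates the job-level `CODESIGN_PKT` env entry visible above and can go. The hard-coded `C:\Perl64\bin`, `C:\tools\cygwin\bin` and `C:\Python310-x64` PATH entries look like paths from another CI image; I cannot tell from here whether they exist on `windows-latest`, so confirm or drop them.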

2
.gitignore vendored

@@ -37,6 +37,8 @@ asn1_*_asn1.c
*.log
*.trs
*.tmp
result
result-*
# Top-level files.

92
.travis.yml Normal file

@@ -0,0 +1,92 @@
os:
- linux
- osx
language: c
env:
global:
secure: "YKG77M7zMvJ+IeV2ziw//HcHqMqFoAzIZlE99Yw/aOn5pvMYKq6Ep7EFVhbfDu9yN0T7M5csCGQeH7/ylDlsZSRMUw72844ezMDM8e10T/lW/T/OYN7j1ZVHh3WSJgS+1D9VG6/Y0OY1Si3lb7PcOdAIU0fPJV5xQONN2+hpJeI="
before_install:
- if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get update -qq; fi
- if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils; fi
- if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq ldap-utils gdb apport; fi
- if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq curl libmicrohttpd-dev; fi
- if [ $TRAVIS_OS_NAME = linux -a -n "$COVERAGE" ]; then sudo apt-get install -qq jq; fi
- if [ $TRAVIS_OS_NAME = osx ]; then HOMEBREW_NO_AUTO_UPDATE=1 brew install cpanm bison flex berkeley-db lmdb openldap openssl; fi
- if [ $TRAVIS_OS_NAME = osx ]; then sudo cpanm install JSON; fi
- if [ $TRAVIS_OS_NAME = osx -a -n "$COVERAGE" ]; then brew install jq; fi
- mkdir ci-build
- mkdir coverity-build
- ./autogen.sh
install:
- cd ci-build
- |
if [ $TRAVIS_OS_NAME = osx ]; then
LDFLAGS="-L/usr/local/opt/berkeley-db/lib -L/usr/local/opt/lmdb/lib" \
CFLAGS="-I/usr/local/opt/lmdb/include" \
../configure \
--srcdir=`dirname "$PWD"` \
--prefix=/tmp/heimdal \
--enable-maintainer-mode $COVERAGE \
--enable-static=no \
--enable-pthread-support \
--disable-afs-support \
--disable-ndbm-db \
--with-openldap=/usr/local/opt/openldap \
--with-openssl=/usr/local/opt/openssl/ \
--with-hcrypto-default-backend=ossl \
--with-berkeley-db \
--with-berkeley-db-include=/usr/local/opt/berkeley-db/include
else
# This list of -Wno-error options should be reduced over time where possible
if [ x"$TRAVIS_COMPILER" != x"clang" ]; then
CFLAGS="-Wno-error=empty-body -Wno-error=shadow -Wno-error=unused-value -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" ../configure --enable-developer --srcdir=`dirname "$PWD"` --enable-maintainer-mode $COVERAGE
else
CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" ../configure --enable-developer --srcdir=`dirname "$PWD"` --enable-maintainer-mode $COVERAGE
fi
fi
- ulimit -c unlimited; make -j3
script:
- if [ x${COVERITY_SCAN_BRANCH} != x1 ]; then ulimit -c unlimited; make check${MAKE_CHECK_SUFFIX}; fi
after_script:
- if [ -n "$COVERAGE" ]; then ../tools/coveralls-tool -O $PWD -S ..; fi
- find . -name \*.log -print0|xargs -0 grep '^==[1-9]'
after_failure:
- find . -name test-suite.log -print0 | xargs -0 cat
- if [ $TRAVIS_OS_NAME = linux ]; then echo "thread apply all bt" > x; find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi
- if [ $TRAVIS_OS_NAME = osx ]; then find . -name core -print | while read core; do echo bt | lldb --core "$core" `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi
compiler:
- clang
- gcc
matrix:
include:
- os: linux
compiler: gcc
env: COVERAGE=--enable-gcov
exclude:
- os: osx
compiler: gcc
notifications:
email:
on_success: change
on_failure: always
addons:
coverity_scan:
project:
name: "heimdal/heimdal"
description: "Build submitted via Travis CI"
notification_email: heimdal-builders@secure-endpoints.com
build_command_prepend: ../configure --enable-maintainer-mode
build_command: make
branch_pattern: coverity_scan
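Review bot: The `secure:` value under `env.global` is a Travis-encrypted blob, and such values only decrypt for the repository whose Travis key produced them, so unless this is that same repository the `coverity_scan` addon (which presumably consumes the token it carries) and the `coveralls-tool` call in `after_script` will run without credentials — harmless, but dead configuration, and the GitHub workflows on this page already exclude `.travis.yml` from their path filters. If Travis is not actually in use, dropping the file avoids carrying an opaque credential blob; if it is, re-encrypt a token for this repository with `travis encrypt` rather than reusing this one. The `sudo cpanm install JSON` line installs an unpinned module from CPAN as root on every run; the Linux path already installs `libjson-perl`, so prefer the OS package (or a pinned distribution) over a network fetch at build time.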


@@ -52,7 +52,6 @@ EXTRA_DIST = \
cf/roken.m4 \
cf/valgrind-suppressions \
cf/maybe-valgrind.sh \
cf/maybe-helgrind.sh \
cf/symbol-version.py \
cf/w32-check-exported-symbols.pl \
cf/w32-def-from-dll.pl \

81
NEWS

@@ -1,7 +1,8 @@
Release Notes - Heimdal - Version Heimdal 8.0 (future)
Partial news for a future Heimdal 8.0 release -- but NOTE WELL that this is NOT
a release at this time!
Bug fixes:
Bug fixes
- Errors found by the Coverity static analysis.
- Errors found by the LLVM scan-build static analyzer.
@@ -10,37 +11,17 @@ Release Notes - Heimdal - Version Heimdal 8.0 (future)
- iprop bugs, race conditions, and performance
- Many misc. bugs
Defaults changes:
Features:
- Default enctypes set to: aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192.
- 1DES now disabled by default in the build configuration.
Use `./configure --with-1des=yes` to re-enable 1DES.
(Use `--with-3des=no` to disable 3DES.)
(Use `--with-arcfour` to disable RC4.)
Features:
- OpenSSL 3 support (hcrypto has been removed).
- OpenSSL 3 provider support, including propq (e.g., for enabling FIPS) and
PKCS#11 providers such as the Latchset provider
(https://github.com/latchset/pkcs11-provider).
- PKINIT: RFC 8636 (algorithm agility) implemented.
- PKINIT: ECDH w/ NIST and X curves implemented.
- PKINIT: Support for ECDSA and EdDSA implemented.
- PKINIT: RSA key transport is disabled by default
- KDC: Add FAST support for TGS.
- KDC: Greatly improved plugin facility for Samba.
- KDC: Add httpkadmind service providing a subset of kadmin
functionality over HTTP.
- KDC: Add support for virtual service principal namespaces, which rekey
service principals on a clock.
- KDC: Add support for virtual service principal namespaces.
- KDC: Add support for synthetic client principals that exist if the
pre-authentication mechanism (e.g., PKINIT) can authenticate
them, thus not requiring an HDB entry.
Together with virtual service principal namespaces this allows for
realms with minimal, primarily read-only HDBs.
- KDC: Add experimental GSS-API pre-authentication support for Kerberos KDC
exchanges.
- KDC: Add experimental GSS-API pre-authentication support.
- KDC: Revamp and enhance kx509 support (though bx509d mostly replaces kx509).
- KDC: Better support for aliases and referrals.
- KDC: Always return the salt in the PA-ETYPE-INFO[2].
@@ -48,18 +29,14 @@ Release Notes - Heimdal - Version Heimdal 8.0 (future)
- KDC: allow anonymous AS requests with long-term keys.
- KDC: Do not include PAC for anonymous AS requests.
- KDC: Enable keepalive mode on incoming sockets.
- KDC: Greatly improved logging, with one structured log message per-request,
with all details as key/value pairs.
- KDC: Greatly improved logging.
- KDC: Remove KRB5SignedPath, to be replaced with PAC.
- PKIX: Add bx509d -- an online certification authority (CA) with an HTTP API.
- PKIX: Add support elliptic curve signatures (ECDSA and EdDSA).
- PKIX: Add support for modern password-based encryption ciphers for PKCS#12.
- kadmind: Add httpkadmind, an HTTP-based kadmin protocol.
- kadmin: Add HTTP-based kadmin protocol.
- kadmin: Add add_alias, del_alias.
- kadmin: Add command aliases to man page.
- kadmin: Add disallow-client attribute.
- kadmin: Improve -e enctype option support.
- kadmin: Add --hdb / -H argument.
- kadmin: add --hdb / -H argument.
- kadmin: Allow enforcing password quality on admin password change.
- kadmin: Improve ext_keytab usage.
- kadmin: Selective pruning of historic key for principal.
@@ -76,13 +53,12 @@ Release Notes - Heimdal - Version Heimdal 8.0 (future)
- krb5: Implement KRB5_TRACE environment variable.
- krb5: Add experimental name canonicalization rules configuration.
- krb5: Support start_realm ccconfig entry type.
- kinit: Add --default-for-principal option for ccache collection support.
- kinit: Add --default-for option for ccache collection support.
- kinit: Add --pk-anon-fast-armor option.
- kinit: Don't leave dangling temporary ccaches.
- klist: Better --json
- iprop: Many performance and scaling enhancements.
- iprop: Support hierarchical propagation.
- iprop: Support fast full props by using async writes during transfer.
- ASN.1: Document fuzzing process.
- ASN.1: Complete template backend.
- ASN.1: Add partial Information Object System support (template backend
@@ -95,50 +71,31 @@ Release Notes - Heimdal - Version Heimdal 8.0 (future)
- ASN.1: Support circular types.
- ASN.1: Topographically sort declarations.
- ASN.1: Proper support for IMPLICIT tags.
- GSS: Import gss-token(1) command.
- GSS: Add advanced credential store / load functionality.
- GSS: Add gss_acquire_cred_from() and credential store extensions.
- GSS: Add name attributes support, with support for many basic attributes
and PAC buffer accessors too.
- GSS: Add SANON mechanism for anonymous-only key exchange using
elliptic curve Diffie-Hellman (ECDH) with Curve25519.
elliptic curve Diffie-Hellman (ECDH) with Curve25519.
- GSS: Add gss_acquire_cred_from() and credential store extensions.
- GSS: Support fragmented tokens reassembly (for SMB).
- GSS: Support client keytab.
- GSS: Add NegoEx support.
- GSS: Import gss-token(1) command.
- GSS: Improve gsstoool(1) command.
- libhx509: Lots of improvements.
- hxtool: Add "acert" (assert cert contents) command
- hxtool: add cert type: https-negotiate-server
- hxtool: add generate-key command
- hxtool: Add OID symbol resolution and printing of OIDs known to hxtool.
- hxtool: Add print --raw-json option that shows certificates in JSON, with
all extensions and attributes known to Heimdal fully decoded.
- hxtool: Greatly improved SAN support.
- hxtool: Greatly improved CSR support.
- hxtool: Greatly improved manual page.
- hxtool: Improved SAN support.
- hxtool: Improved CSR support.
- Improved plugin interfaces.
- hcrypto: Add X25519.
- hcrypto: Better RSA key generation.
- hcrypto: import libtommath v1.2.0.
- roken: Add secure_getenv() and issuid(), use them extensively.
Features removed:
- NTLM support.
- "digest" server functionality in KDC (for NTLM).
- OTP.
- libhcrypto.
Feature removal warnings:
- 1DES and RC4 may be removed in Heimdal 8.2
Upgrade considerations:
- Due to a change in HDB schema operators should check that Heimdal 8.x can
dump HDBs modified by Heimdal 7.x before upgrading from 7.x to 8.x.
Downgrade considerations:
- Due to a change in HDB schema operators should check that Heimdal 7.x can
dump HDBs modified by Heimdal 8.x before downgrading from 8.x to 7.x.
Release Notes - Heimdal - Version Heimdal 7.8
Bug fixes


@@ -33,7 +33,7 @@
thirdparty=thirdparty
!endif
!ifdef GHA
!ifdef APPVEYOR
SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl \
tools tests packages etc
!else


@@ -1,6 +1,8 @@
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/linux.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Alinux)
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/osx.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Aosx)
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/windows.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Awindows)
[![Appveyor-CI build (Windows)](https://ci.appveyor.com/api/projects/status/6j0k0m7kd6jjj4tw/branch/master?svg=true)](https://ci.appveyor.com/project/heimdal/heimdal/branch/master)
[![Coverage Status](https://coveralls.io/repos/github/heimdal/heimdal/badge.svg?branch=master)](https://coveralls.io/github/heimdal/heimdal?branch=master)
Heimdal
=======
@@ -33,3 +35,5 @@ Build Status
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/linux.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Alinux)
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/osx.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Aosx)
[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/windows.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Awindows)
[![Appveyor-CI build (Windows)](https://ci.appveyor.com/api/projects/status/6j0k0m7kd6jjj4tw/branch/master?svg=true)](https://ci.appveyor.com/project/heimdal/heimdal/branch/master)
[![Coverage Status](https://coveralls.io/repos/github/heimdal/heimdal/badge.svg?branch=master)](https://coveralls.io/github/heimdal/heimdal?branch=master)


@@ -2,14 +2,12 @@
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_readline) -I$(srcdir)/../lib/krb5
AM_CPPFLAGS += $(INCLUDE_readline)
man_MANS = ktutil.1
bin_PROGRAMS = ktutil
ktutil_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/../lib/krb5
dist_ktutil_SOURCES = \
add.c \
change.c \
@@ -36,6 +34,7 @@ ktutil-commands.c ktutil-commands.h: ktutil-commands.in
LDADD = \
$(top_builddir)/lib/kadm5/libkadm5clnt.la \
$(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(top_builddir)/lib/sl/libsl.la \
$(LIB_heimbase) \


@@ -96,8 +96,8 @@ kt_add(struct add_options *opt, int argc, char **argv)
goto out;
}
if(opt->password_string == NULL && opt->random_flag == 0) {
if(_krb5_UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ",
UI_UTIL_FLAG_VERIFY)) {
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ",
UI_UTIL_FLAG_VERIFY)) {
ret = 1;
goto out;
}


@@ -55,7 +55,6 @@
#include "crypto-headers.h"
#include <krb5.h>
#include <krb5_locl.h>
#include <kadm5/admin.h>
#include <kadm5/kadm5_err.h>


@@ -2,11 +2,19 @@
include $(top_srcdir)/Makefile.am.common
if OTP
dir_otp = otp
endif
if DCE
dir_dce = dceutils
endif
if !NO_AFS
dir_afsutil = afsutil
endif
SUBDIRS = \
$(dir_afsutil) \
dbutils \
$(dir_otp) \
gssmask \
test \
kf \

125
appl/afsutil/ChangeLog Normal file

@@ -0,0 +1,125 @@
2007-04-11 Love Hörnquist Åstrand <lha@it.su.se>
* pagsh.1,afslog.1: - options must be lexicographically ordered;
again, options without arguments must be placed before options
with arguments. - manual page cross references are done using
the macro `.Xr', not the macro `.Nm' (used for command names
instead).
From Igor Sobrado.
2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am: Add man_MANS to EXTRA_DIST
2006-01-03 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.1: Document options to allow select principal or
credential cache when doing afslog.
* afslog.c: Add options to allow select principal or credential
cache when doing afslog.
2005-02-12 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am: man_MANS += pagsh.1
* pagsh.c: add --cache-type that allows the user to control the
resulting credential cache type, inherit the type from the
invoking process
* pagsh.1: manpage for pagsh
2004-09-03 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c: use negative string help string for arg_negative_flag
Pointed out by Harald Barth
2004-07-27 Love Hörnquist Åstrand <lha@it.su.se>
* pagsh.c: use setprogname, if we stripped off -c, try use the
fallback code
2003-10-14 Johan Danielsson <joda@pdc.kth.se>
* pagsh.c: mkstemp formats must end in exactly six X's
2003-07-15 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c (do_afslog): is cell is unset, set it "<default cell>"
for error printing
* pagsh.c: unconditionally set KRBTKFILE
2003-04-23 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c (log_func): drop the error number
2003-04-14 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c: set kafs log function if verbose is turned on
2003-03-18 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am (LDADD): use LIB_kafs
* afslog.1: --no-v4, --no-v5
* Makefile.am: always build afsutils now
* afslog.c: make build without KRB4
2002-11-26 Johan Danielsson <joda@pdc.kth.se>
* afslog.c: remove plural form in help string
* Makefile.am: add afslog manpage
* afslog.1: manpage
* afslog.c: try more files when trying to expand a cell name
* afslog.c: create a list of cells to get tokens for, before
actually doing anything, and try to get tokens via krb4 if krb5
fails, and give it a chance to work with krb4-only; also some bug
fixes, partially from Tomas Olsson.
2002-08-23 Assar Westerlund <assar@kth.se>
* pagsh.c: make it handle --version/--help
2001-05-17 Assar Westerlund <assar@sics.se>
* afslog.c (main): call free_getarg_strings
2000-12-31 Assar Westerlund <assar@sics.se>
* afslog.c (main): handle krb5_init_context failure consistently
2000-12-25 Assar Westerlund <assar@sics.se>
* afslog.c: clarify usage strings
1999-08-04 Assar Westerlund <assar@sics.se>
* pagsh.c (main): use mkstemp to generate temporary file names.
From Miroslav Ruda <ruda@ics.muni.cz>
1999-07-04 Assar Westerlund <assar@sics.se>
* afslog.c (expand_cell_name): terminate on #. From Miroslav Ruda
<ruda@ics.muni.cz>
1999-06-27 Assar Westerlund <assar@sics.se>
* Makefile.am (bin_PROGRAMS): only include pagsh if KRB4
1999-06-26 Assar Westerlund <assar@sics.se>
* Makefile.am: add pagsh
* pagsh.c: new file. contributed by Miroslav Ruda <ruda@ics.muni.cz>
Sat Mar 27 12:49:43 1999 Johan Danielsson <joda@blubb.pdc.kth.se>
* afslog.c: cleanup option parsing

19
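--- a/appl/afsutil/Makefile.am
+++ b/appl/afsutil/Makefile.am
@@ -0,0 +1,19 @@
+# $Id$
+include $(top_srcdir)/Makefile.am.common
+bin_PROGRAMS = afslog pagsh
+afslog_SOURCES = afslog.c
+pagsh_SOURCES = pagsh.c
+man_MANS = afslog.1 pagsh.1
+LDADD = $(LIB_kafs) \
+$(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la \
+$(LIB_hcrypto) \
+$(LIB_roken)
+EXTRA_DIST = NTMakefile $(man_MANS)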

35
appl/afsutil/NTMakefile Normal file

@@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\afsutil
!include ../../windows/NTMakefile.w32

147
appl/afsutil/afslog.1 Normal file

@@ -0,0 +1,147 @@
.\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd November 26, 2002
.Dt AFSLOG 1
.Os HEIMDAL
.Sh NAME
.Nm afslog
.Nd obtain AFS tokens
.Sh SYNOPSIS
.Nm
.Op Fl h | Fl Fl help
.Op Fl Fl no-v5
.Op Fl u | Fl Fl unlog
.Op Fl v | Fl Fl verbose
.Op Fl Fl version
.Oo Fl c Ar cell \*(Ba Xo
.Fl Fl cell= Ns Ar cell
.Xc
.Oc
.Oo Fl k Ar realm \*(Ba Xo
.Fl Fl realm= Ns Ar realm
.Xc
.Oc
.Oo Fl P Ar principal \*(Ba Xo
.Fl Fl principal= Ns Ar principal
.Xc
.Oc
.Bk -words
.Oo Fl p Ar path \*(Ba Xo
.Fl Fl file= Ns Ar path
.Xc
.Oc
.Ek
.Op Ar cell | path ...
.Sh DESCRIPTION
.Nm
obtains AFS tokens for a number of cells. What cells to get tokens for
can either be specified as an explicit list, as file paths to get
tokens for, or be left unspecified, in which case
.Nm
will use whatever magic
.Xr krb_afslog 3
decides upon.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl Fl no-v5
This makes
.Nm
not try using Kerberos 5.
.It Xo
.Fl P Ar principal ,
.Fl Fl principal Ar principal
.Xc
select what Kerberos 5 principal to use.
.It Fl Fl cache Ar cache
select what Kerberos 5 credential cache to use.
.Fl Fl principal
overrides this option.
.It Xo
.Fl u ,
.Fl Fl unlog
.Xc
Destroy tokens instead of obtaining new. If this is specified, all
other options are ignored (except for
.Fl Fl help
and
.Fl Fl version ) .
.It Xo
.Fl v ,
.Fl Fl verbose
.Xc
Adds more verbosity for what is actually going on.
.It Xo
.Fl c Ar cell,
.Fl Fl cell= Ns Ar cell
.Xc
This specified one or more cell names to get tokens for.
.It Xo
.Fl k Ar realm ,
.Fl Fl realm= Ns Ar realm
.Xc
This is the Kerberos realm the AFS servers live in, this should
normally not be specified.
.It Xo
.Fl p Ar path ,
.Fl Fl file= Ns Ar path
.Xc
This specified one or more file paths for which tokens should be
obtained.
.El
.Pp
Instead of using
.Fl c
and
.Fl p ,
you may also pass a list of cells and file paths after any other
options. These arguments are considered files if they are either
the strings
.Do . Dc
or
.Dq ..
or they contain a slash, or if there exists a file by that name.
.Sh EXAMPLES
Assuming that there is no file called
.Dq openafs.org
in the current directory, and that
.Pa /afs/openafs.org
points to that cell, the follwing should be identical:
.Bd -literal -offset indent
$ afslog -c openafs.org
$ afslog openafs.org
$ afslog /afs/openafs.org/some/file
.Ed
.Sh SEE ALSO
.Xr krb_afslog 3

303
appl/afsutil/afslog.c Normal file

@@ -0,0 +1,303 @@
/*
* Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
RCSID("$Id$");
#endif
#include <ctype.h>
#ifdef KRB5
#include <krb5.h>
#endif
#include <kafs.h>
#include <roken.h>
#include <getarg.h>
#include <err.h>
static int help_flag;
static int version_flag;
static getarg_strings cells;
static char *realm;
static getarg_strings files;
static int unlog_flag;
static int verbose;
#ifdef KRB5
static char *client_string;
static char *cache_string;
static int use_krb5 = 1;
#endif
struct getargs args[] = {
{ "cell", 'c', arg_strings, &cells, "cells to get tokens for", "cell" },
{ "file", 'p', arg_strings, &files, "files to get tokens for", "path" },
{ "realm", 'k', arg_string, &realm, "realm for afs cell", "realm" },
{ "unlog", 'u', arg_flag, &unlog_flag, "remove tokens", NULL },
#ifdef KRB5
{ "principal",'P',arg_string,&client_string,"principal to use","principal"},
{ "cache", 0, arg_string, &cache_string, "ccache to use", "cache"},
{ "v5", 0, arg_negative_flag, &use_krb5, "don't use Kerberos 5",
NULL },
#endif
{ "verbose",'v', arg_flag, &verbose, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
};
static int num_args = sizeof(args) / sizeof(args[0]);
#ifdef KRB5
krb5_context context;
krb5_ccache id;
#endif
static const char *
expand_one_file(FILE *f, const char *cell)
{
static char buf[1024];
char *p;
while (fgets (buf, sizeof(buf), f) != NULL) {
if(buf[0] == '>') {
for(p = buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++)
;
*p = '\0';
if(strncmp(buf + 1, cell, strlen(cell)) == 0)
return buf + 1;
}
buf[0] = '\0';
}
return NULL;
}
static const char *
expand_cell_name(const char *cell)
{
FILE *f;
const char *c;
const char **fn, *fns[] = { _PATH_CELLSERVDB,
_PATH_ARLA_CELLSERVDB,
_PATH_OPENAFS_DEBIAN_CELLSERVDB,
_PATH_ARLA_DEBIAN_CELLSERVDB,
NULL };
for(fn = fns; *fn; fn++) {
f = fopen(*fn, "r");
if(f == NULL)
continue;
c = expand_one_file(f, cell);
fclose(f);
if(c)
return c;
}
return NULL;
}
static void
usage(int ecode)
{
arg_printusage(args, num_args, NULL, "[cell|path]...");
exit(ecode);
}
struct cell_list {
char *cell;
struct cell_list *next;
} *cell_list;
static int
afslog_cell(const char *cell, int expand)
{
struct cell_list *p, **q;
const char *c = cell;
if(expand){
c = expand_cell_name(cell);
if(c == NULL){
warnx("No cell matching \"%s\" found.", cell);
return -1;
}
if(verbose && strcmp(c, cell) != 0)
warnx("Cell \"%s\" expanded to \"%s\"", cell, c);
}
/* add to list of cells to get tokens for, and also remove
duplicates; the actual afslog takes place later */
for(p = cell_list, q = &cell_list; p; q = &p->next, p = p->next)
if(strcmp(p->cell, c) == 0)
return 0;
p = malloc(sizeof(*p));
if(p == NULL)
return -1;
p->cell = strdup(c);
if(p->cell == NULL) {
free(p);
return -1;
}
p->next = NULL;
*q = p;
return 0;
}
static int
afslog_file(const char *path)
{
char cell[64];
if(k_afs_cell_of_file(path, cell, sizeof(cell))){
warnx("No cell found for file \"%s\".", path);
return -1;
}
if(verbose)
warnx("File \"%s\" lives in cell \"%s\"", path, cell);
return afslog_cell(cell, 0);
}
static int
do_afslog(const char *cell)
{
int k5ret;
k5ret = 0;
#ifdef KRB5
if(context != NULL && id != NULL && use_krb5) {
k5ret = krb5_afslog(context, id, cell, realm);
if(k5ret == 0)
return 0;
}
#endif
if (cell == NULL)
cell = "<default cell>";
#ifdef KRB5
if (k5ret)
krb5_warn(context, k5ret, "krb5_afslog(%s)", cell);
#endif
if (k5ret)
return 1;
return 0;
}
static void
log_func(void *ctx, const char *str)
{
fprintf(stderr, "%s\n", str);
}
int
main(int argc, char **argv)
{
int optidx = 0;
int i;
int num;
int ret = 0;
int failed = 0;
struct cell_list *p;
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
if(!k_hasafs())
errx(1, "AFS does not seem to be present on this machine");
if(unlog_flag){
k_unlog();
exit(0);
}
#ifdef KRB5
ret = krb5_init_context(&context);
if (ret) {
context = NULL;
} else {
if (client_string) {
krb5_principal client;
ret = krb5_parse_name(context, client_string, &client);
if (ret == 0)
ret = krb5_cc_cache_match(context, client, &id);
if (ret)
id = NULL;
}
if (id == NULL && cache_string) {
if(krb5_cc_resolve(context, cache_string, &id) != 0) {
krb5_warnx(context, "failed to open kerberos 5 cache '%s'",
cache_string);
id = NULL;
}
}
if (id == NULL)
if(krb5_cc_default(context, &id) != 0)
id = NULL;
}
#endif
if (verbose)
kafs_set_verbose(log_func, NULL);
num = 0;
for(i = 0; i < files.num_strings; i++){
afslog_file(files.strings[i]);
num++;
}
free_getarg_strings (&files);
for(i = 0; i < cells.num_strings; i++){
afslog_cell(cells.strings[i], 1);
num++;
}
free_getarg_strings (&cells);
for(i = optidx; i < argc; i++){
num++;
if(strcmp(argv[i], ".") == 0 ||
strcmp(argv[i], "..") == 0 ||
strchr(argv[i], '/') ||
access(argv[i], F_OK) == 0)
afslog_file(argv[i]);
else
afslog_cell(argv[i], 1);
}
if(num == 0) {
if(do_afslog(NULL))
failed++;
} else
for(p = cell_list; p; p = p->next) {
if(verbose)
warnx("Getting tokens for cell \"%s\"", p->cell);
if(do_afslog(p->cell))
failed++;
}
return failed;
}
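Review bot: In main, when `--principal` is given but krb5_parse_name or krb5_cc_cache_match fails, `id` is reset to NULL and the code falls through to `--cache` and then krb5_cc_default, so tokens end up being obtained under a different identity than the one the user explicitly asked for, with no diagnostic at all; a `krb5_warn(context, ret, "no credential cache for principal %s", client_string);` in that `if (ret)` branch would make the fallback visible. The parsed `client` principal is also never released (no krb5_free_principal after krb5_cc_cache_match). Separately, expand_one_file matches CellServDB entries with `strncmp(buf + 1, cell, strlen(cell))`, which is a prefix match, so a short argument resolves to whichever cell is listed first with that prefix and the only hint is the verbose-only "expanded to" message in afslog_cell; an exact comparison with a prefix fallback, or a comment stating that prefix matching is intentional, seems warranted.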

94
appl/afsutil/pagsh.1 Normal file

@@ -0,0 +1,94 @@
.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd February 12, 2005
.Dt PAGSH 1
.Os
.Sh NAME
.Nm pagsh
.Nd creates a new credential cache sandbox
.Sh SYNOPSIS
.Nm
.Op Fl c Ar command-string
.Op Fl h | Fl Fl help
.Op Fl Fl version
.Op Fl Fl cache-type= Ns Ar string
.Ar command [args...]
.Sh DESCRIPTION
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar command-string
Executes command(s) contained in
.Ar command-string .
.Xc
.It Xo
.Fl Fl cache-type= Ns Ar string
.Xc
.It Xo
.Fl h ,
.Fl Fl help
.Xc
.It Xo
.Fl Fl version
.Xc
.El
.Pp
.Nm
creates a new credential cache sandbox for the user to live in.
If AFS is installed on the computer, the user is put in a newly
created Process Authentication Group (PAG).
.Pp
For Kerberos 5, the credential cache type that is used is the same as
the credential cache type that was used at the time of
.Nm
invocation.
The credential cache type can be controlled by the option
.Fl Fl cache-type .
.Sh EXAMPLES
Create a new sandbox where new credentials can be used, while the old
credentials can be used by other processes.
.Bd -literal -offset indent
$ klist
Credentials cache: FILE:/tmp/krb5cc_913
Principal: lha@E.KTH.SE
Issued Expires Principal
Feb 12 10:08:31 Feb 12 20:06:36 krbtgt/E.KTH.SE@E.KTH.SE
$ pagsh
$ klist
klist: No ticket file: /tmp/krb5cc_03014a
.Ed
.Sh SEE ALSO
.Xr afslog 1 ,
.Xr kinit 1

213
appl/afsutil/pagsh.c Normal file

@@ -0,0 +1,213 @@
/*
* Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id$");
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <time.h>
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#ifdef KRB5
#include <krb5.h>
#endif
#include <kafs.h>
#include <err.h>
#include <roken.h>
#include <getarg.h>
#ifndef TKT_ROOT
#define TKT_ROOT "/tmp/tkt"
#endif
static int help_flag;
static int version_flag;
static int c_flag;
#ifdef KRB5
static char *typename_arg;
#endif
struct getargs getargs[] = {
{ NULL, 'c', arg_flag, &c_flag, NULL, NULL },
#ifdef KRB5
{ "cache-type", 0, arg_string, &typename_arg, NULL, NULL },
#endif
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
};
static int num_args = sizeof(getargs) / sizeof(getargs[0]);
static void
usage(int ecode)
{
arg_printusage(getargs, num_args, NULL, "command [args...]");
exit(ecode);
}
/*
* Run command with a new ticket file / credentials cache / token
*/
int
main(int argc, char **argv)
{
int f;
char tf[1024];
char shellbuf[MAX_PATH];
char *p;
char *path;
char **args;
unsigned int i;
int optidx = 0;
setprogname(argv[0]);
if(getarg(getargs, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
#ifdef KRB5
{
krb5_error_code ret;
krb5_context context;
krb5_ccache id;
const char *name;
ret = krb5_init_context(&context);
if (ret) /* XXX should this really call exit ? */
errx(1, "no kerberos 5 support");
ret = krb5_cc_new_unique(context, typename_arg, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "Failed generating credential cache");
name = krb5_cc_get_name(context, id);
if (name == NULL)
krb5_errx(context, 1, "Generated credential cache have no name");
snprintf(tf, sizeof(tf), "%s:%s", krb5_cc_get_type(context, id), name);
ret = krb5_cc_close(context, id);
if (ret)
krb5_err(context, 1, ret, "Failed closing credential cache");
krb5_free_context(context);
esetenv("KRB5CCNAME", tf, 1);
}
#endif
snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
f = mkstemp (tf);
if (f < 0)
err(1, "mkstemp failed");
close (f);
unlink (tf);
esetenv("KRBTKFILE", tf, 1);
i = 0;
args = (char **) malloc((argc + 10)*sizeof(char *));
if (args == NULL)
errx (1, "Out of memory allocating %lu bytes",
(unsigned long)((argc + 10)*sizeof(char *)));
if(*argv == NULL) {
if (roken_get_shell(shellbuf, sizeof(shellbuf)) != NULL)
path = strdup(shellbuf);
else
path = strdup("/bin/sh");
} else {
path = strdup(*argv++);
}
if (path == NULL)
errx (1, "Out of memory copying path");
p=strrchr(path, '/');
if(p)
args[i] = strdup(p+1);
else
args[i] = strdup(path);
if (args[i++] == NULL)
errx (1, "Out of memory copying arguments");
while(*argv)
args[i++] = *argv++;
args[i++] = NULL;
if(k_hasafs())
k_setpag();
unsetenv("PAGPID");
execvp(path, args);
if (errno == ENOENT || c_flag) {
char **sh_args = malloc ((i + 2) * sizeof(char *));
unsigned int j;
if (sh_args == NULL)
errx (1, "Out of memory copying sh arguments");
for (j = 1; j < i; ++j)
sh_args[j + 2] = args[j];
sh_args[0] = "sh";
sh_args[1] = "-c";
sh_args[2] = path;
execv ("/bin/sh", sh_args);
}
err (1, "execvp");
}
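Review bot: The Kerberos 4 ticket file name exported to the child via `KRBTKFILE` is created with mkstemp and then immediately closed and unlinked, so by the time the child creates the file the name is no longer reserved, and under the shared `TKT_ROOT` prefix of `/tmp/tkt` another local user can pre-create or symlink that path in the meantime. If the v4 path is still needed, keeping the file (dropping the `unlink (tf)`) preserves what mkstemp guarantees; if it is not, the whole block plus the `TKT_ROOT` default could go. Either way a comment at the mkstemp call stating the intent, e.g. `/* reserve a unique v4 ticket file name for the child; see KRBTKFILE */`, would document the decision, since the KRB5 block above it already does the equivalent safely via krb5_cc_new_unique.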


@@ -95,13 +95,3 @@ permutate_all(struct getarg_strings *strings, size_t *size)
free(list);
return all;
}
void
tcp_nodelay(rk_socket_t sock)
{
#ifdef HAVE_NETINET_TCP_H
int on = 1;
(void)setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
#endif
}


@@ -46,10 +46,6 @@
#include <sys/wait.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#include <assert.h>
#include <krb5.h>
#include <gssapi/gssapi.h>
@@ -116,5 +112,3 @@ krb5_error_code store_string(krb5_storage *, const char *);
} while(0)
char *** permutate_all(struct getarg_strings *, size_t *);
void tcp_nodelay(rk_socket_t);


@@ -303,7 +303,6 @@ wait_log(struct client *c)
sock2 = accept(sock, (struct sockaddr *)&sast, &salen);
if (sock2 == rk_INVALID_SOCKET)
err(1, "failed to accept local socket for %s", c->moniker);
tcp_nodelay(sock2);
rk_closesocket(sock);
return sock2;
@@ -414,8 +413,7 @@ test_mic(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2)
krb5_data msg, mic;
int32_t val;
/* used read-only by get_mic, verify_mic */
msg.data = rk_UNCONST("foo");
msg.data = "foo";
msg.length = 3;
krb5_data_zero(&mic);
@@ -437,8 +435,7 @@ test_wrap(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2,
krb5_data msg, wrapped, out;
int32_t val;
/* used read_only by encrypt_token */
msg.data = rk_UNCONST("foo");
msg.data = "foo";
msg.length = 3;
krb5_data_zero(&wrapped);
@@ -477,16 +474,13 @@ test_wrap_ext(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2,
krb5_data header, msg, trailer, wrapped, out;
int32_t val;
/* used read-only by wrap_token_ext, unwrap_token_ext */
header.data = rk_UNCONST("header");
header.data = "header";
header.length = sizeof("header") - 1;
/* used read-only by wrap_token_ext */
msg.data = rk_UNCONST("0123456789abcdef"); /* padded for most enctypes */
msg.data = "0123456789abcdef"; /* padded for most enctypes */
msg.length = sizeof("0123456789abcdef") - 1;
/* used read-only by wrap_token_ext, unwrap_token_ext */
trailer.data = rk_UNCONST("trailer");
trailer.data = "trailer";
trailer.length = 7;
krb5_data_zero(&wrapped);
@@ -639,7 +633,6 @@ connect_client(const char *slave)
sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (sock == rk_INVALID_SOCKET)
continue;
tcp_nodelay(sock);
if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) {
rk_closesocket(sock);
sock = rk_INVALID_SOCKET;


@@ -705,7 +705,6 @@ HandleOP(SetLoggingSocket)
sock = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0);
if (sock == rk_INVALID_SOCKET)
return 0;
tcp_nodelay(sock);
ret = connect(sock, (struct sockaddr *)&c->sa, c->salen);
if (ret < 0) {
@@ -1181,9 +1180,6 @@ static int version_flag;
static int help_flag;
static char *logfile_str;
static char *moniker_str;
static int detach_flag;
static int daemon_child_fd = -1;
static char *pidfile_str;
static int port = 4711;
@@ -1196,12 +1192,6 @@ struct getargs args[] = {
"number-of-service" },
{ "moniker", 0, arg_string, &moniker_str, "nickname",
"name" },
{ "detach", 0, arg_flag, &detach_flag, "detach from console",
NULL },
{ "daemon-child", 0, arg_integer, &daemon_child_fd, "private argument, do not use",
NULL },
{ "pidfile", 0, arg_string, &pidfile_str, "write pid to file",
"file" },
{ "version", 0, arg_flag, &version_flag, "Print version",
NULL },
{ "help", 0, arg_flag, &help_flag, NULL,
@@ -1223,11 +1213,6 @@ main(int argc, char **argv)
{
int optidx = 0;
krb5_error_code ret;
struct addrinfo *ai, hints;
char portstr[NI_MAXSERV];
rk_socket_t *fds;
int num_fds;
int error;
setprogname (argv[0]);
@@ -1253,9 +1238,6 @@ main(int argc, char **argv)
errx (1, "Bad port `%s'", port_str);
}
if (detach_flag && daemon_child_fd == -1)
daemon_child_fd = roken_detach_prep(argc, argv, "--daemon-child");
ret = krb5_init_context(&context);
if (ret)
errx(1, "Error initializing kerberos: %d", ret);
@@ -1270,32 +1252,12 @@ main(int argc, char **argv)
err(1, "error opening %s", lf);
}
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_PASSIVE;
hints.ai_socktype = SOCK_STREAM;
hints.ai_family = PF_UNSPEC;
snprintf(portstr, sizeof(portstr), "%d", port);
error = getaddrinfo(NULL, portstr, &hints, &ai);
if (error)
errx(1, "getaddrinfo: %s", gai_strerror(error));
mini_inetd_addrinfo_listen(ai, &fds, &num_fds);
freeaddrinfo(ai);
if (pidfile_str)
rk_pidfile(pidfile_str);
roken_detach_finish(NULL, daemon_child_fd);
mini_inetd_accept(fds, num_fds, NULL);
mini_inetd(htons(port), NULL);
fprintf(logfile, "connected\n");
{
struct client *c;
tcp_nodelay(0);
c = create_client(0, port, moniker_str);
/* close(0); */


@@ -13,6 +13,7 @@ kf_SOURCES = kf.c kf_locl.h
kfd_SOURCES = kfd.c kf_locl.h
LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_roken)


@@ -184,7 +184,7 @@ proto (int sock, const char *hostname, const char *svc,
if (ccache_name == NULL)
ccache_name = "";
data_send.data = rk_UNCONST(remote_name);
data_send.data = (void *)remote_name;
data_send.length = strlen(remote_name) + 1;
status = krb5_write_priv_message(context, auth_context, &sock, &data_send);
if (status) {
@@ -192,7 +192,7 @@ proto (int sock, const char *hostname, const char *svc,
krb5_warn (context, status, "krb5_write_message");
return 1;
}
data_send.data = rk_UNCONST(ccache_name);
data_send.data = (void *)ccache_name;
data_send.length = strlen(ccache_name)+1;
status = krb5_write_priv_message(context, auth_context, &sock, &data_send);
if (status) {
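Review bot: Both assignments in this hunk cast the `const char *` arguments to `(void *)` to fit `krb5_data.data`, which discards the const qualifier and hides any later write through `data_send` from the compiler; the same pattern appears in kfd.c (`data.data = "old clnt"`) and in the `msg.data = "foo"` / `header.data = "header"` assignments in gssmaestro.c, where string literals are stored into a writable pointer. The removed lines show roken's `rk_UNCONST()` wrapper, whose only purpose is to make such casts explicit and greppable; if the plain casts are kept, a one-line comment such as `/* read-only: krb5_write_priv_message does not modify data_send */` at each site would record why discarding const is safe. proto starts and ends outside this hunk.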


@@ -39,10 +39,10 @@ char krb5_tkfile[MAXPATHLEN];
static int help_flag;
static int version_flag;
static const char *port_str;
const char *service = KF_SERVICE;
static char *port_str;
char *service = KF_SERVICE;
int do_inetd = 0;
static const char *regpag_str = NULL;
static char *regpag_str=NULL;
static struct getargs args[] = {
{ "port", 'p', arg_string, &port_str, "port to listen to", "port" },
@@ -176,12 +176,9 @@ proto (int sock, const char *svc)
krb5_err(context, 1, status, "krb5_unparse_name");
if(protocol_version == 0) {
/*
* XXX old clients only had room for 10 bytes of message, and
* also didn't show it to the user
*/
/* used read-only by krb5_write_message */
data.data = rk_UNCONST("old clnt");
data.data = "old clnt"; /* XXX old clients only had room for
10 bytes of message, and also
didn't show it to the user */
data.length = strlen(data.data) + 1;
krb5_write_message(context, &sock, &data);
sleep(2); /* XXX give client time to finish */

58
appl/otp/ChangeLog Normal file

@@ -0,0 +1,58 @@
2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am: Add man_MANS to EXTRA_DIST
2005-05-29 Love Hörquist Åstrand <lha@it.su.se>
* Makefile.am: add LIB_roken as a explit dependency
2003-09-03 Love Hörquist Åstrand <lha@it.su.se>
* otpprint.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
* otp.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
2003-02-25 Love Hörquist Åstrand <lha@it.su.se>
* otp.c: remove \n from errx, from NetBSD
2000-11-29 Johan Danielsson <joda@pdc.kth.se>
* otpprint.1: sort parameters and close a list
* otp.1: sort parameters and close a list
1999-09-14 Assar Westerlund <assar@sics.se>
* otp.c (verify_user_otp): check return value from
des_read_pw_string
Thu Apr 1 16:51:07 1999 Johan Danielsson <joda@hella.pdc.kth.se>
* otpprint.c: use getarg
* otp.c: use getarg
Thu Mar 18 12:08:58 1999 Johan Danielsson <joda@hella.pdc.kth.se>
* Makefile.am: include Makefile.am.common
Thu Mar 4 19:45:40 1999 Johan Danielsson <joda@hella.pdc.kth.se>
* Makefile.am: DESTDIR
Sat Feb 27 19:44:25 1999 Johan Danielsson <joda@hella.pdc.kth.se>
* Makefile.am: add
Sun Nov 22 10:32:50 1998 Assar Westerlund <assar@sics.se>
* otpprint.c: more braces
* Makefile.in (WFLAGS): set
Sun Dec 21 09:31:30 1997 Assar Westerlund <assar@sics.se>
* otp.c (renew): don't set the OTP if the reading of the string
fails.

15
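--- a/appl/otp/Makefile.am
+++ b/appl/otp/Makefile.am
@@ -0,0 +1,15 @@
+# $Id$
+include $(top_srcdir)/Makefile.am.common
+bin_PROGRAMS = otp otpprint
+bin_SUIDS = otp
+otp_SOURCES = otp.c otp_locl.h
+otp_LDADD = $(LIB_hcrypto) $(LIB_roken) $(top_builddir)/lib/otp/libotp.la
+otpprint_SOURCES = otpprint.c otp_locl.h
+otpprint_LDADD = $(LIB_hcrypto) $(LIB_roken) $(top_builddir)/lib/otp/libotp.la
+man_MANS = otp.1 otpprint.1
+EXTRA_DIST = NTMakefile $(man_MANS)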
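Review bot: `bin_SUIDS = otp` singles out otp for privileged installation (presumably setuid, via Makefile.am.common which is outside this commit) without saying why, while otpprint is deliberately left off the list. A one-line comment above it, `# otp must run privileged to update the OTP database; otpprint never opens it`, would keep a later cleanup from dropping the privilege or adding otpprint to it by analogy.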

35
appl/otp/NTMakefile Normal file

@@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\otp
!include ../../windows/NTMakefile.w32

90
appl/otp/otp.1 Normal file

@@ -0,0 +1,90 @@
.\" Copyright (c) 1996, 2000 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd November 17, 1996
.Dt OTP 1
.Os KTH-KRB
.Sh NAME
.Nm otp
.Nd manages one-time passwords
.Sh SYNOPSIS
.Nm otp
.Op Fl dhlor
.Op Fl f Ar algorithm
.Op Fl u Ar user
.Ar sequence-number
.Ar seed
.Sh DESCRIPTION
The
.Nm
program initializes and updates your current series of one-time
passwords (OTPs).
.Pp
Use this to set a new series of one-time passwords. Only perform this
on the console or over an encrypted link as you will have to supply
your pass-phrase. The other two parameters are
.Ar sequence-number
and
.Ar seed .
.Pp
Options are:
.Bl -tag -width Ds
.It Fl d
To delete a one-time password.
.It Fl f
Choose a different
.Ar algorithm
from the default md5. Pick any of: md4, md5, and sha.
.It Fl h
For getting a help message.
.It Fl l
List the current table of one-time passwords.
.It Fl o
To open (unlock) the otp-entry for a user.
.It Fl r
To renew a one-time password series. This operation can be performed
over an potentially eavesdropped link because you do not supply the
pass-phrase. First you need to supply the current one-time password
and then the new one corresponding to the supplied
.Ar sequence-number
and
.Ar seed .
.It Fl u
To choose a different
.Ar user
to set one-time passwords for. This only works when running
.Nm
as root.
.El
.Sh SEE ALSO
.Xr otpprint 1

371
appl/otp/otp.c Normal file

@@ -0,0 +1,371 @@
/*
* Copyright (c) 1995-1997, 1999 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "otp_locl.h"
#include <getarg.h>
RCSID("$Id$");
static int listp;
static int deletep;
static int openp;
static int renewp;
static char* alg_string;
static char *user;
static int version_flag;
static int help_flag;
struct getargs args[] = {
{ "list", 'l', arg_flag, &listp, "list OTP status", NULL },
{ "delete", 'd', arg_flag, &deletep, "delete OTP", NULL },
{ "open", 'o', arg_flag, &openp, "open a locked OTP", NULL },
{ "renew", 'r', arg_flag, &renewp, "securely renew OTP", NULL },
{ "hash", 'f', arg_string, &alg_string,
"hash algorithm (md4, md5, or sha)", "algorithm"},
{ "user", 'u', arg_string, &user,
"user other than current user (root only)", "user" },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL }
};
int num_args = sizeof(args) / sizeof(args[0]);
static void
usage(int code)
{
arg_printusage(args, num_args, NULL, "[num seed]");
exit(code);
}
/*
* Renew the OTP for a user.
* The pass-phrase is not required (RFC 1938/8.0)
*/
static int
renew (int argc, char **argv, OtpAlgorithm *alg, char *inuser)
{
OtpContext newctx, *ctx;
char prompt[128];
char pw[64];
void *dbm;
int ret;
newctx.alg = alg;
newctx.user = inuser;
newctx.n = atoi (argv[0]);
strlcpy (newctx.seed, argv[1], sizeof(newctx.seed));
strlwr(newctx.seed);
snprintf (prompt, sizeof(prompt),
"[ otp-%s %u %s ]",
newctx.alg->name,
newctx.n,
newctx.seed);
if (UI_UTIL_read_pw_string (pw, sizeof(pw), prompt, 0) == 0 &&
otp_parse (newctx.key, pw, alg) == 0) {
ctx = &newctx;
ret = 0;
} else
return 1;
dbm = otp_db_open ();
if (dbm == NULL) {
warnx ("otp_db_open failed");
return 1;
}
otp_put (dbm, ctx);
otp_db_close (dbm);
return ret;
}
/*
* Return 0 if the user could enter the next OTP.
* I would rather have returned !=0 but it's shell-like here around.
*/
static int
verify_user_otp(char *username)
{
OtpContext ctx;
char passwd[OTP_MAX_PASSPHRASE + 1];
char ss[256];
char *prompt = NULL;
if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) {
warnx("no otp challenge found for %s", username);
return 1;
}
if (asprintf(&prompt, "%s's %s Password: ", username, ss) == -1 ||
prompt == NULL)
err(1, "out of memory");
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)) {
free(prompt);
return 1;
}
free(prompt);
return otp_verify_user (&ctx, passwd);
}
/*
* Set the OTP for a user
*/
static int
set (int argc, char **argv, OtpAlgorithm *alg, char *inuser)
{
void *db;
OtpContext ctx;
char pw[OTP_MAX_PASSPHRASE + 1];
int ret;
int i;
ctx.alg = alg;
ctx.user = strdup (inuser);
if (ctx.user == NULL)
err (1, "out of memory");
ctx.n = atoi (argv[0]);
strlcpy (ctx.seed, argv[1], sizeof(ctx.seed));
strlwr(ctx.seed);
do {
if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ",
UI_UTIL_FLAG_VERIFY))
return 1;
if (strlen (pw) < OTP_MIN_PASSPHRASE)
printf ("Too short pass-phrase. Use at least %d characters\n",
OTP_MIN_PASSPHRASE);
} while(strlen(pw) < OTP_MIN_PASSPHRASE);
ctx.alg->init (ctx.key, pw, ctx.seed);
for (i = 0; i < ctx.n; ++i)
ctx.alg->next (ctx.key);
db = otp_db_open ();
if(db == NULL) {
free (ctx.user);
err (1, "otp_db_open failed");
}
ret = otp_put (db, &ctx);
otp_db_close (db);
free (ctx.user);
return ret;
}
/*
* Delete otp of user from the database
*/
static int
delete_otp (int argc, char **argv, char *inuser)
{
void *db;
OtpContext ctx;
int ret;
db = otp_db_open ();
if(db == NULL)
errx (1, "otp_db_open failed");
ctx.user = inuser;
ret = otp_delete(db, &ctx);
otp_db_close (db);
return ret;
}
/*
* Tell whether the user has an otp
*/
static int
has_an_otp(char *inuser)
{
void *db;
OtpContext ctx;
int ret;
db = otp_db_open ();
if(db == NULL) {
warnx ("otp_db_open failed");
return 0; /* if no db no otp! */
}
ctx.user = inuser;
ret = otp_simple_get(db, &ctx);
otp_db_close (db);
return !ret;
}
/*
* Get and print out the otp entry for some user
*/
static void
print_otp_entry_for_name (void *db, char *inuser)
{
OtpContext ctx;
ctx.user = inuser;
if (!otp_simple_get(db, &ctx)) {
fprintf(stdout,
"%s\totp-%s %d %s",
ctx.user, ctx.alg->name, ctx.n, ctx.seed);
if (ctx.lock_time)
fprintf(stdout,
"\tlocked since %s",
ctime(&ctx.lock_time));
else
fprintf(stdout, "\n");
}
}
static int
open_otp (int argc, char **argv, char *inuser)
{
void *db;
OtpContext ctx;
int ret;
db = otp_db_open ();
if (db == NULL)
errx (1, "otp_db_open failed");
ctx.user = inuser;
ret = otp_simple_get (db, &ctx);
if (ret == 0)
ret = otp_put (db, &ctx);
otp_db_close (db);
return ret;
}
/*
* Print otp entries for one or all users
*/
static int
list_otps (int argc, char **argv, char *inuser)
{
void *db;
struct passwd *pw;
db = otp_db_open ();
if(db == NULL)
errx (1, "otp_db_open failed");
if (inuser)
print_otp_entry_for_name(db, inuser);
else
/* scans all users... so as to get a deterministic order */
while ((pw = getpwent()))
print_otp_entry_for_name(db, pw->pw_name);
otp_db_close (db);
return 0;
}
int
main (int argc, char **argv)
{
int defaultp = 0;
int uid = getuid();
OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
int optidx = 0;
char userbuf[128];
setprogname (argv[0]);
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
if(deletep && uid != 0)
errx (1, "Only root can delete OTPs");
if(alg_string) {
alg = otp_find_alg (alg_string);
if (alg == NULL)
errx (1, "Unknown algorithm: %s", alg_string);
}
if (user && uid != 0)
errx (1, "Only root can use `-u'");
argc -= optidx;
argv += optidx;
if (!(listp || deletep || renewp || openp))
defaultp = 1;
if ( listp + deletep + renewp + defaultp + openp != 1)
usage(1); /* one of -d or -l or -r or none */
if(deletep || openp || listp) {
if(argc != 0)
errx(1, "delete, open, and list requires no arguments");
} else {
if(argc != 2)
errx(1, "setup, and renew requires `num', and `seed'");
}
if (listp)
return list_otps (argc, argv, user);
if (user == NULL) {
user = roken_get_username(userbuf, sizeof(userbuf));
if (user == NULL)
err (1, "You don't exist");
}
/*
* users other that root must provide the next OTP to update the sequence.
* it avoids someone to use a pending session to change an OTP sequence.
* see RFC 1938/8.0.
*/
if (uid != 0 && (defaultp || renewp)) {
if (!has_an_otp(user)) {
errx (1, "Only root can set an initial OTP");
} else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */
if (verify_user_otp(user) != 0) {
errx (1, "User authentication failed");
}
}
}
if (deletep)
return delete_otp (argc, argv, user);
else if (renewp)
return renew (argc, argv, alg, user);
else if (openp)
return open_otp (argc, argv, user);
else
return set (argc, argv, alg, user);
}
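Review bot: `set()` and `renew()` take the sequence number as `atoi(argv[0])` with no validation, so a non-numeric or negative argument silently becomes 0 or a negative `n` (the `for (i = 0; i < ctx.n; ++i)` loop in `set()` then runs zero times and `renew()` prints the value with `%u`); parse it with `strtol`, reject a trailing non-digit or a negative result, and `errx` with the offending string before touching the database. The pass-phrase buffers `pw` in `set()` and `renew()` and `passwd` in `verify_user_otp()` keep the secret on the stack after their last use, in a program that Makefile.am lists under `bin_SUIDS`; wipe them (and `ctx.key` once `otp_put` has stored it) with a clear the compiler cannot elide, such as roken's `memset_s` where available, since a plain `memset` just before return may be optimized away. `int uid = getuid();` in `main()` narrows `uid_t`; declaring it `uid_t uid` keeps the `uid != 0` comparisons exact.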

56
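--- a/appl/otp/otp_locl.h
+++ b/appl/otp/otp_locl.h
@@ -0,0 +1,56 @@
+/*
+* Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+* (Royal Institute of Technology, Stockholm, Sweden).
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* 3. Neither the name of the Institute nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+/* $Id$ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <roken.h>
+#include <err.h>
+#include "crypto-headers.h" /* for des_read_pw_string */
+#include <otp.h>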
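Review bot: The comment on `#include "crypto-headers.h"` says `/* for des_read_pw_string */`, but otp.c and otpprint.c in this same commit call `UI_UTIL_read_pw_string` (the ChangeLog entry of 2003-09-03 records that rename), so the comment names a function the code no longer uses. Change it to `#include "crypto-headers.h" /* for UI_UTIL_read_pw_string */` so the reason for the include stays accurate.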

82
appl/otp/otpprint.1 Normal file

@@ -0,0 +1,82 @@
.\" Copyright (c) 1996, 2000 - 2001 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd November 17, 1996
.Dt OTP 1
.Os KTH-KRB
.Sh NAME
.Nm otpprint
.Nd print lists of one-time passwords
.Sh SYNOPSIS
.Nm otp
.Op Fl n Ar count
.Op Fl e
.Op Fl h
.Op Fl f Ar algorithm
.Ar sequence-number
.Ar seed
.Sh DESCRIPTION
The
.Nm
program prints lists of OTPs.
.Pp
Use this to print out a series of one-time passwords. You will have
to supply the
.Ar sequence number
and the
.Ar seed
as arguments and then the program will prompt you for your pass-phrase.
.Pp
There are several different print formats. The default is to print
each password with six short english words.
.Pp
Options are:
.Bl -tag -width Ds
.It Fl e
Print the passwords in ``extended'' format. In this format a prefix
that says ``hex:'' or ``word:'' is included.
.It Fl f
To choose a different
.Ar algorithm
from the default md5. Pick any of: md4, md5, and sha.
.It Fl h
Print the passwords in hex.
.It Fl n
Print
.Ar count
one-time passwords, starting at
.Ar sequence-number
and going backwards. The default is 10.
.El
.Sh SEE ALSO
.Xr otp 1

136
appl/otp/otpprint.c Normal file

@@ -0,0 +1,136 @@
/*
* Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "otp_locl.h"
#include <getarg.h>
RCSID("$Id$");
static int extendedp;
static int count = 10;
static int hexp;
static char* alg_string;
static int version_flag;
static int help_flag;
struct getargs args[] = {
{ "extended", 'e', arg_flag, &extendedp, "print keys in extended format",
NULL },
{ "count", 'n', arg_integer, &count, "number of keys to print", NULL },
{ "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal", NULL },
{ "hash", 'f', arg_string, &alg_string,
"hash algorithm (md4, md5, or sha)", "algorithm"},
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
int num_args = sizeof(args) / sizeof(args[0]);
static void
usage(int code)
{
arg_printusage(args, num_args, NULL, "num seed");
exit(code);
}
static int
print (int argc,
char **argv,
int incount,
OtpAlgorithm *alg,
void (*print_fn)(OtpKey, char *, size_t))
{
char pw[64];
OtpKey key;
int n;
int i;
char *seed;
if (argc != 2)
usage (1);
n = atoi(argv[0]);
seed = argv[1];
if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 0))
return 1;
alg->init (key, pw, seed);
for (i = 0; i < n; ++i) {
char s[64];
alg->next (key);
if (i >= n - incount) {
(*print_fn)(key, s, sizeof(s));
printf ("%d: %s\n", i + 1, s);
}
}
return 0;
}
int
main (int argc, char **argv)
{
int optidx = 0;
void (*fn)(OtpKey, char *, size_t);
OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
setprogname (argv[0]);
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
if(alg_string) {
alg = otp_find_alg (alg_string);
if (alg == NULL)
errx(1, "Unknown algorithm: %s", alg_string);
}
argc -= optidx;
argv += optidx;
if (hexp) {
if (extendedp)
fn = otp_print_hex_extended;
else
fn = otp_print_hex;
} else {
if (extendedp)
fn = otp_print_stddict_extended;
else
fn = otp_print_stddict;
}
return print (argc, argv, count, alg, fn);
}
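Review bot: `print()` reads the pass-phrase into `pw` and leaves it on the stack after `alg->init(key, pw, seed)`, and `key` is likewise left behind after the loop, although that one secret derives every password the program prints; clear both with a wipe the compiler cannot elide, such as roken's `memset_s` where available, before each `return`. `n = atoi(argv[0])` is not validated and `incount` comes straight from `-n`, so a non-numeric or negative sequence number makes the loop run zero times and a negative count makes `i >= n - incount` false for every iteration, both printing nothing without an error; reject `n <= 0` and `incount <= 0` with `errx` before the prompt so the user is not asked for the pass-phrase for a request that cannot succeed.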


@@ -4,8 +4,6 @@ include $(top_srcdir)/Makefile.am.common
WFLAGS += $(WFLAGS_LITE)
AUTOMAKE_OPTIONS = subdir-objects
noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
uu_server uu_client nt_gss_server nt_gss_client http_client \
kinit_auditdns
@@ -54,11 +52,14 @@ kinit_auditdns_LDADD = \
$(top_builddir)/lib/krb5/libkrb5.la \
$(top_builddir)/lib/gssapi/libgssapi.la \
$(top_builddir)/lib/gss_preauth/libgss_preauth.la \
$(top_builddir)/lib/ntlm/libheimntlm.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_libintl) \
$(LIB_roken)
LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_roken)


@@ -36,10 +36,10 @@
static int help_flag;
static int version_flag;
static char *port_str;
const char *keytab_str;
char *keytab_str;
krb5_keytab keytab;
const char *service = SERVICE;
const char *mech = "krb5";
char *service = SERVICE;
char *mech = "krb5";
int fork_flag;
char *password = NULL;


@@ -50,7 +50,7 @@ do_trans (int sock, gss_ctx_id_t context_hdl)
/* get_mic */
input_token->length = 3;
input_token->value = rk_UNCONST("hej");
input_token->value = strdup("hej");
maj_stat = gss_get_mic(&min_stat,
context_hdl,
@@ -84,7 +84,7 @@ do_trans (int sock, gss_ctx_id_t context_hdl)
/* wrap */
input_token->length = 7;
input_token->value = rk_UNCONST("hemligt");
input_token->value = "hemligt";
maj_stat = gss_wrap (&min_stat,
context_hdl,
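Review bot: `input_token->value = strdup("hej");` in `do_trans()` is never checked for NULL before `gss_get_mic` reads it, and nothing in the hunk frees the copy, while the second hunk assigns the `"hemligt"` literal directly for the same kind of read-only use; either check it, `if (input_token->value == NULL) errx(1, "strdup");`, and free it after the call, or assign the literal as the second hunk does. Which of each printed pair is the new side is inferred from print order, and do_trans continues outside both hunks.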


@@ -149,8 +149,7 @@ process_it(int sock,
gss_release_buffer (&min_stat, input_token);
gss_release_buffer (&min_stat, output_token);
/* used read-only by gss_wrap */
input_token->value = rk_UNCONST("hejhej");
input_token->value = "hejhej";
input_token->length = 6;
maj_stat = gss_wrap (&min_stat,
@@ -191,8 +190,7 @@ proto (int sock, const char *service)
u_char init_buf[4];
u_char acct_buf[4];
gss_OID mech_oid;
const char *mech;
char *p;
char *mech, *p;
memset(&remote, 0, sizeof(remote));
local = remote;


@@ -85,13 +85,13 @@ fdprintf(int s, const char *fmt, ...)
size_t len;
ssize_t ret;
va_list ap;
char *str = NULL, *buf;
char *str, *buf;
va_start(ap, fmt);
ret = vasprintf(&str, fmt, ap);
vasprintf(&str, fmt, ap);
va_end(ap);
if (ret == -1 || str == NULL)
if (str == NULL)
errx(1, "vasprintf");
buf = str;
@@ -113,8 +113,8 @@ static int version_flag;
static int verbose_flag;
static int mutual_flag = 1;
static int delegate_flag;
static const char *port_str = "http";
static const char *gss_service = "HTTP";
static char *port_str = "http";
static char *gss_service = "HTTP";
static struct getargs http_args[] = {
{ "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", NULL },
@@ -372,11 +372,8 @@ main(int argc, char **argv)
printf("Negotiate found\n");
if (server == GSS_C_NO_NAME) {
char *name = NULL;
if (asprintf(&name, "%s@%s", gss_service, host) == -1 ||
name == NULL)
err(1, "asprintf");
char *name;
asprintf(&name, "%s@%s", gss_service, host);
input_token.length = strlen(name);
input_token.value = name;
@@ -486,11 +483,8 @@ main(int argc, char **argv)
output_token.length,
&neg_token);
if (asprintf(&headers[num_headers],
"Authorization: Negotiate %s", neg_token) == -1 ||
headers[num_headers] == NULL)
err(1, "asprintf");
num_headers++;
asprintf(&headers[num_headers++], "Authorization: Negotiate %s",
neg_token);
free(neg_token);
gss_release_buffer(&min_stat, &output_token);
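Review bot: `fdprintf()` on the new side drops the `vasprintf` return check together with the `str = NULL` initializer, but `vasprintf` leaves `*strp` unspecified on failure, so `if (str == NULL)` can miss an allocation failure and `buf = str` then uses an indeterminate pointer; keep `ret = vasprintf(&str, fmt, ap);` and `if (ret == -1 || str == NULL) errx(1, "vasprintf");`. The same unchecked pattern appears in `main()` in the two later hunks, where `asprintf(&name, ...)` feeds `strlen(name)` directly and `asprintf(&headers[num_headers++], ...)` stores a possibly indeterminate pointer into the header array. The hunk counts (11 old lines against 8 new at line 372) are what indicate the checked variants are the removed side; the bodies of fdprintf and main continue outside the hunks.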


@@ -140,8 +140,7 @@ proto (int sock, const char *hostname, const char *service)
/* wrap */
input_token->length = 7;
/* used read-only by gss_wrap */
input_token->value = rk_UNCONST("hemligt");
input_token->value = "hemligt";
maj_stat = gss_wrap (&min_stat,


@@ -50,8 +50,8 @@ RCSID("$Id$");
static int help_flag;
static int version_flag;
static char *port_str;
const char *service = SERVICE;
static const char *auth_file;
char *service = SERVICE;
static char *auth_file;
static struct getargs args[] = {
{ "port", 'p', arg_string, &port_str, "port to listen to", "port" },


@@ -80,8 +80,7 @@ proto (int sock, const char *hostname, const char *service)
if (status)
krb5_err (context, 1, status, "krb5_sendauth");
/* used read-only by krb5_mk_safe */
data.data = rk_UNCONST("hej");
data.data = "hej";
data.length = 3;
krb5_data_zero (&packet);
@@ -102,7 +101,7 @@ proto (int sock, const char *hostname, const char *service)
if (krb5_net_write (context, &sock, packet.data, len) != len)
err (1, "krb5_net_write");
data.data = rk_UNCONST("hemligt");
data.data = "hemligt";
data.length = 7;
krb5_data_free (&packet);


@@ -78,9 +78,9 @@
#define PORT "test"
extern const char *service;
extern const char *mech;
extern const char *keytab_str;
extern char *service;
extern char *mech;
extern char *keytab_str;
extern krb5_keytab keytab;
extern int fork_flag;
int server_setup(krb5_context*, int, char**);


@@ -148,8 +148,7 @@ proto (int sock, const char *hostname, const char *service)
}
}
/* used read-only by krb5_mk_safe */
data.data = rk_UNCONST("hej");
data.data = "hej";
data.length = 3;
krb5_data_zero (&packet);
@@ -166,8 +165,7 @@ proto (int sock, const char *hostname, const char *service)
if(status)
krb5_err(context, 1, status, "krb5_write_message");
/* used read-only by krb5_mk_priv */
data.data = rk_UNCONST("hemligt");
data.data = "hemligt";
data.length = 7;
krb5_data_free (&packet);

85
appveyor.yml Normal file

@@ -0,0 +1,85 @@
#
# This file tells appveyor.com how to build Heimdal on Windows.
# Appveyor is a continuous integration (CI) service for github and other
# users, and is free for public repositories.
#
version: '1.0.{build}'
image:
- Visual Studio 2019
install:
# HACK -- pacman installation in Appveyor seems broken
# Taken from https://github.com/johnkerl/miller/blob/master/appveyor.yml
# (which is gone)
#- ps: dir 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft SDKs\Windows' -Recurse
- set "PATH=C:\msys64\usr\bin;%PATH%"
- set "PATH=C:\%MSYS2_DIR%\%MSYSTEM%\bin;C:\%MSYS2_DIR%\usr\bin;%PATH%"
- bash -lc "mkdir -p /var/lib/pacman/sync/"
- bash -lc "pacman-key --init"
- bash -lc "pacman-key --populate msys2"
- bash -lc "curl -O http://repo.msys2.org/msys/x86_64/msys2-keyring-1~20211228-1-any.pkg.tar.zst"
- bash -lc "curl -O http://repo.msys2.org/msys/x86_64/msys2-keyring-1~20211228-1-any.pkg.tar.zst.sig"
- bash -lc "pacman --noconfirm -U --config <(echo) msys2-keyring-1~20211228-1-any.pkg.tar.zst"
- bash -lc "mkdir -p /var/lib/pacman/sync/"
- bash -lc "pacman-key --init"
- bash -lc "pacman-key --populate msys2"
- bash -lc "pacman -S --noconfirm --refresh pacman"
- bash -lc "pacman -S --needed --noconfirm pacman-mirrors"
- bash -lc "pacman -S --needed --noconfirm mingw-w64-x86_64-toolchain autoconf automake libtool make patch mingw-w64-x86_64-libtool"
- bash -lc "pacman -S --needed --noconfirm bison flex"
- bash -lc "pacman -S --needed --noconfirm perl perl-JSON"
build_script:
# build using Windows 10 SDK
- set "WINSDKVER=10.0.22000.0"
- call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsall.bat" amd64 %WINSDKVER%
- set "WIXDIR=c:\Program Files (x86)\Windows Installer XML v3.5"
# We're not doing any codesigning in the Appveyor build yet.
- SET "CODESIGN_PKT=0000000000000000"
- set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop"
- set "PATH=%PATH%;C:/msys64/usr/bin"
- set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin"
# double check this, should it be x86 or x64?
- set "PATH=%PATH%;%WindowsSdkVerBinPath%\x86"
- set "PATH=C:\Python310-x64;%PATH%"
- set dbg__type=Debug
- title Heimdal Build %CPU% %dbg__type%
- echo PATH=%PATH%
# target Windows 10 API
- set APPVER=10.0
# Newer texinfo has no .exe's, so we have to invoke it as
# "perl ...\makeinfo ...". See doc/NTMakefile.
- nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1
- 7z a heimdal.zip C:\projects\heimdal
test_script:
# Packages are not validated in the Appveyor build, FYI.
- nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test
artifacts:
- path: heimdal-out.zip
name: heimdal-out
- path: heimdal.zip
name: heimdal
on_failure:
- 7z a heimdal-out.zip C:\projects\heimdal
- appveyor PushArtifact heimdal-out.zip
# To get RDP access to an appveyor worker for debugging a build, just
# uncomment these next two lines and the last two lines too.
#init:
# - ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
# Uncomment this to allow the RDP session to continue after the build
# finishes.
#
# There's a delete-me file on the desktop that one should delete when
# one is done with the worker. RDP sessions are capped at 60 minutes as
# of this writing.
#
#on_finish:
# - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
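Review bot: The msys2 keyring package and its `.sig` are downloaded with `curl -O` over plain `http://repo.msys2.org` and then installed by `pacman --noconfirm -U --config <(echo) ...`, that is with an empty config and before any key that could verify it is trusted, so the package trust root for the whole build comes from an unauthenticated download and a `curl` without `-f` would happily hand an error page to pacman. Fetch it with `curl -fsSLO https://...` and check a pinned digest before the `-U` step, e.g. `echo "<EXPECTED_SHA256>  msys2-keyring-1~20211228-1-any.pkg.tar.zst" | sha256sum -c`, with the digest recorded in this file. The `mkdir -p /var/lib/pacman/sync/` / `pacman-key --init` / `pacman-key --populate msys2` trio runs twice, before and after the keyring install; a comment stating that the second run is intentional, or dropping the first, would make the sequence easier to follow.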

View File

@@ -4,7 +4,7 @@ SUFFIXES = .et .h .pc.in .pc
DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
AM_CPPFLAGS = $(INCLUDES_roken) $(INCLUDE_openssl_crypto)
AM_CPPFLAGS = $(INCLUDES_roken)
if do_roken_rename
ROKEN_RENAME = -DROKEN_RENAME
@@ -269,11 +269,6 @@ check-valgrind:
tsrcdir=`cd $(top_srcdir) && pwd` ; \
env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
check-helgrind:
tobjdir=`cd $(top_builddir) && pwd` ; \
tsrcdir=`cd $(top_srcdir) && pwd` ; \
env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-helgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
#
# Target to please samba build farm, builds distfiles in-tree.
# Will break when automake changes...

View File

@@ -6,13 +6,11 @@ dnl - own-built libhcrypto
m4_define([test_headers], [
#undef KRB5 /* makes md4.h et al unhappy */
#ifdef HAVE_HCRYPTO_W_OPENSSL
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <openssl/evp.h>
#include <openssl/provider.h>
#include <openssl/encoder.h>
#include <openssl/core_names.h>
#include <openssl/bn.h>
#include <openssl/md4.h>
#include <openssl/md5.h>
@@ -29,6 +27,18 @@ m4_define([test_headers], [
#include <openssl/rand.h>
#include <openssl/hmac.h>
#include <openssl/pkcs12.h>
#else
#include <hcrypto/evp.h>
#include <hcrypto/md4.h>
#include <hcrypto/md5.h>
#include <hcrypto/sha.h>
#include <hcrypto/des.h>
#include <hcrypto/rc4.h>
#include <hcrypto/aes.h>
#include <hcrypto/engine.h>
#include <hcrypto/hmac.h>
#include <hcrypto/pkcs12.h>
#endif
])
m4_define([test_body], [
void *schedule = 0;
@@ -44,7 +54,9 @@ m4_define([test_body], [
EVP_CIPHER_iv_length(((EVP_CIPHER*)0));
UI_UTIL_read_pw_string(0,0,0,0);
RAND_status();
#ifdef HAVE_HCRYPTO_W_OPENSSL
EC_KEY_new();
#endif
OpenSSL_add_all_algorithms();
AES_encrypt(0,0,0);
@@ -53,19 +65,25 @@ m4_define([test_body], [
AC_DEFUN([KRB_CRYPTO],[
AC_ARG_WITH([hcrypto-default-backend],
AS_HELP_STRING([--with-hcrypto-default-backend=ossl],
AS_HELP_STRING([--with-hcrypto-default-backend=cc|pkcs11_hcrypto|ossl|w32crypto|hcrypto],
[specify the default hcrypto backend]),
[
if test "$with_val" != ossl -a "$withval" != ""; then
AC_MSG_ERROR([hcrypto has been removed 0])
fi
]
)
CFLAGS="${CFLAGS} -DHCRYPTO_DEF_PROVIDER=${withval}"
case "$withval" in
cc) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [cc], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
pkcs11_hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [pkcs11_hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
ossl) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [ossl], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
w32crypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [w32crypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
*) echo "Invalid hcrypto provider name ($withval)"; exit 5;;
esac
],
[])
AC_ARG_WITH([hcrypto-fallback],
AS_HELP_STRING([--without-hcrypto-fallback],
[disable fallback on hcrypto for unavailable algorithms]),
[AC_MSG_ERROR([hcrypto has been removed 2])]
)
[AC_DEFINE([HCRYPTO_FALLBACK],0,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])],
[AC_DEFINE([HCRYPTO_FALLBACK],1,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])])
AC_WITH_ALL([openssl])
AC_MSG_CHECKING([for crypto library])
@@ -87,40 +105,10 @@ if test "$with_openssl" != "no"; then
fi
if test "$with_openssl_lib" != ""; then
LIB_openssl_crypto="-L${with_openssl_lib}"
openssl_libdir="${with_openssl_lib}"
elif test "${with_openssl}" != "/usr"; then
dnl Detect lib vs lib64: prefer lib64 on 64-bit Linux if it exists
dnl and contains libcrypto, otherwise fall back to lib
openssl_libdir=""
if test -f "${with_openssl}/lib64/libcrypto.so" -o \
-f "${with_openssl}/lib64/libcrypto.dylib"; then
openssl_libdir="${with_openssl}/lib64"
elif test -f "${with_openssl}/lib/libcrypto.so" -o \
-f "${with_openssl}/lib/libcrypto.dylib"; then
openssl_libdir="${with_openssl}/lib"
elif test -d "${with_openssl}/lib64"; then
openssl_libdir="${with_openssl}/lib64"
elif test -d "${with_openssl}/lib"; then
openssl_libdir="${with_openssl}/lib"
fi
if test -n "$openssl_libdir"; then
LIB_openssl_crypto="-L${openssl_libdir}"
fi
elif test "${with_openssl}" != "/usr" -a -d "${with_openssl}/lib"; then
LIB_openssl_crypto="-L${with_openssl}/lib"
fi
dnl Add rpath for non-system OpenSSL installations
if test -n "$openssl_libdir" -a "$openssl_libdir" != "/usr/lib" -a "$openssl_libdir" != "/usr/lib64"; then
case "$host_os" in
darwin*)
dnl macOS uses -rpath with @loader_path or absolute path
LIB_openssl_crypto="${LIB_openssl_crypto} -Wl,-rpath,${openssl_libdir}"
;;
*)
dnl Linux and other ELF systems
LIB_openssl_crypto="${LIB_openssl_crypto} -Wl,-rpath,${openssl_libdir}"
;;
esac
fi
CFLAGS="${INCLUDE_openssl_crypto} ${CFLAGS}"
CFLAGS="-DHAVE_HCRYPTO_W_OPENSSL ${INCLUDE_openssl_crypto} ${CFLAGS}"
LDFLAGS="${LIB_openssl_crypto} ${LDFLAGS}"
AC_CHECK_LIB([crypto], [OPENSSL_init],
[LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto"; openssl=yes], [openssl=no], [])
@@ -162,6 +150,13 @@ if test "$with_openssl" != "no"; then
LDFLAGS="${saved_LDFLAGS}"
fi
LIB_hcrypto='$(top_builddir)/lib/hcrypto/libhcrypto.la'
LIB_hcrypto_a='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.a'
LIB_hcrypto_so='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.so'
LIB_hcrypto_appl="-lhcrypto"
AC_MSG_RESULT([included libhcrypto])
AC_ARG_WITH(pkcs11-module,
AS_HELP_STRING([--with-pkcs11-module=path],
[use PKCS11 module in path]),
@@ -173,77 +168,15 @@ if test "$pkcs11_module" != ""; then
openssl=no
fi
dnl Check for OpenSSL PKCS#11 provider (pkcs11-provider project)
dnl It installs into the OpenSSL modules directory
openssl_pkcs11_provider=""
if test "$openssl" = "yes"; then
if test -n "$openssl_libdir"; then
pkcs11_provider_path="${openssl_libdir}/ossl-modules/pkcs11.so"
else
pkcs11_provider_path="/usr/lib/ossl-modules/pkcs11.so"
fi
AC_MSG_CHECKING([for OpenSSL PKCS11 provider])
if test -f "$pkcs11_provider_path"; then
openssl_pkcs11_provider="$pkcs11_provider_path"
AC_MSG_RESULT([$openssl_pkcs11_provider])
else
AC_MSG_RESULT([not found at $pkcs11_provider_path])
fi
fi
AC_SUBST(OPENSSL_PKCS11_PROVIDER, [$openssl_pkcs11_provider])
AM_CONDITIONAL([HAVE_OPENSSL_PKCS11_PROVIDER], [test "x$openssl_pkcs11_provider" != "x"])
if test "$openssl" != "yes"; then
AC_MSG_ERROR([OpenSSL is required])
AC_DEFINE([HAVE_HCRYPTO_W_OPENSSL], 1, [define to use openssl's libcrypto as the default backend for libhcrypto])
fi
AM_CONDITIONAL(HAVE_HCRYPTO_W_OPENSSL, test "$openssl" = yes)dnl
AC_SUBST(INCLUDE_openssl_crypto)
AC_SUBST(LIB_openssl_crypto)
dnl
dnl Legacy/weak encryption type options
dnl
dnl Single DES (weak crypto) - disabled by default for security
AC_ARG_WITH([1des],
AS_HELP_STRING([--with-1des], [enable single DES encryption (weak, for legacy compatibility)]),
[with_1des=$withval],
[with_1des=no])
AC_MSG_CHECKING([whether to enable single DES encryption])
if test "$with_1des" = "yes"; then
AC_DEFINE([HEIM_WEAK_CRYPTO], 1, [Define to enable single DES encryption support])
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
fi
AM_CONDITIONAL([HEIM_WEAK_CRYPTO], [test "$with_1des" = "yes"])
dnl Triple DES - enabled by default for legacy compatibility
AC_ARG_WITH([3des],
AS_HELP_STRING([--with-3des], [enable triple DES encryption (default: yes)]),
[with_3des=$withval],
[with_3des=yes])
AC_MSG_CHECKING([whether to enable triple DES encryption])
if test "$with_3des" = "yes"; then
AC_DEFINE([HEIM_DES3], 1, [Define to enable triple DES encryption support])
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
fi
AM_CONDITIONAL([HEIM_DES3], [test "$with_3des" = "yes"])
dnl ARCFOUR/RC4 - enabled by default (still used by some Windows systems)
AC_ARG_WITH([arcfour],
AS_HELP_STRING([--with-arcfour], [enable ARCFOUR/RC4 encryption (default: yes)]),
[with_arcfour=$withval],
[with_arcfour=yes])
AC_MSG_CHECKING([whether to enable ARCFOUR encryption])
if test "$with_arcfour" = "yes"; then
AC_DEFINE([HEIM_ARCFOUR], 1, [Define to enable ARCFOUR/RC4 encryption support])
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
fi
AM_CONDITIONAL([HEIM_ARCFOUR], [test "$with_arcfour" = "yes"])
AC_SUBST(LIB_hcrypto)
AC_SUBST(LIB_hcrypto_a)
AC_SUBST(LIB_hcrypto_so)
AC_SUBST(LIB_hcrypto_appl)
])
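Review bot: The `--with-hcrypto-fallback` handler defines `HCRYPTO_FALLBACK` to 0 whenever the option is given at all, because AC_ARG_WITH runs its action-if-given for `--with-…` as well as `--without-…` and the action never inspects `$withval`; an explicit `--with-hcrypto-fallback` therefore disables the fallback it names. Branching on the value keeps the help text honest, e.g. `[AS_IF([test "$withval" = no], [AC_DEFINE([HCRYPTO_FALLBACK],0,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])], [AC_DEFINE([HCRYPTO_FALLBACK],1,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])])]`. In the backend hunk just above, the `*) echo "Invalid hcrypto provider name ($withval)"; exit 5;;` arm skips configure's normal error path; `AC_MSG_ERROR([invalid hcrypto provider name: $withval])` would record the failure in config.log like the other checks in this file, and the `CFLAGS="${CFLAGS} -DHCRYPTO_DEF_PROVIDER=${withval}"` line duplicates what the `AC_DEFINE` arms already put in config.h. Which lines form the new side is inferred from the hunk line counts, since the rendering dropped the +/- markers; the KRB_CRYPTO macro starts before these hunks and continues past them.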


@@ -7,16 +7,10 @@ AC_DEFUN([rk_SYS_LARGEFILE],[
AC_REQUIRE([AC_SYS_LARGEFILE])dnl
dnl need to set this on the command line, since it might otherwise break
dnl with generated code, such as lex
if test "$enable_largefile" != no; then
if test -n "$ac_cv_sys_large_files" && test "$ac_cv_sys_large_files" != no; then
CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
fi
if test -n "$ac_cv_sys_file_offset_bits" && test "$ac_cv_sys_file_offset_bits" != no; then
CPPFLAGS="$CPPFLAGS -D_FILE_OFFSET_BITS=$ac_cv_sys_file_offset_bits"
fi
if test -n "$ac_cv_sys_largefile_opts"; then
AS_CASE([$ac_cv_sys_largefile_opts],[-D_FILE_OFFSET_BITS=*|-D_LARGE_FILES=*],
[CPPFLAGS="$CPPFLAGS $ac_cv_sys_largefile_opts"])
fi
if test "$enable_largefile" != no -a "$ac_cv_sys_large_files" != no; then
CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
fi
if test "$enable_largefile" != no -a "$ac_cv_sys_file_offset_bits" != no && test -n "$ac_cv_sys_file_offset_bits"; then
CPPFLAGS="$CPPFLAGS -D_FILE_OFFSET_BITS=$ac_cv_sys_file_offset_bits"
fi
])
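Review bot: The first `if` compares `"$ac_cv_sys_large_files" != no` without the `test -n` guard that the second `if` applies to `ac_cv_sys_file_offset_bits`, so an unset cache variable still passes and `-D_LARGE_FILES=` is appended with an empty value; if I recall AC_SYS_LARGEFILE correctly, that variable is only set when the `_FILE_OFFSET_BITS` probe came back `unknown`, which makes the unset case the common one. Mirroring the second condition, `if test "$enable_largefile" != no && test -n "$ac_cv_sys_large_files" && test "$ac_cv_sys_large_files" != no; then`, avoids the empty define, and neither branch excludes the value `unknown` that the autoconf probe can also leave behind. The side assignment here follows the hunk counts (old 16 lines, new 10), since the rendering dropped the +/- markers.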


@@ -1,73 +0,0 @@
#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
while true
do
case $1 in
-s) tsrcdir="$2"; shift 2;;
-o) tobjdir="$2"; shift 2;;
-*) echo "$0: Bad option $1"; echo $usage; exit 1;;
*) break;;
esac
done
if [ X"${tobjdir}" = "X" -o X"${tsrcdir}" = X ] ; then
echo "tobjdir or tsrcdir not defined"
exit 1
fi
if [ ! -f "${tobjdir}/libtool" ]; then
echo "libtool missing from \"${tobjdir}\""
exit 1
fi
doit=1
libtool="${tobjdir}/libtool --mode=execute"
helgrind="valgrind --tool=helgrind --quiet -q --num-callers=30"
# Add suppressions file if it exists
if [ -f "${tsrcdir}/cf/helgrind-suppressions" ]; then
helgrind="$helgrind --suppressions=${tsrcdir}/cf/helgrind-suppressions"
fi
if head -10 "$1" | grep 'Generated by ltmain.sh' > /dev/null ; then
uselibtool=1
elif head -10 "$1" | grep 'bin/sh' > /dev/null ; then
libtool=
helgrind=
fi
exec $libtool $helgrind "$@"


@@ -56,7 +56,7 @@ doit=1
libtool="${tobjdir}/libtool --mode=execute"
valgrind="valgrind --leak-check=full --show-leak-kinds=definite --quiet -q --num-callers=30 --suppressions=${tsrcdir}/cf/valgrind-suppressions"
valgrind="valgrind --leak-check=full --quiet -q --num-callers=30 --suppressions=${tsrcdir}/cf/valgrind-suppressions"
if head -10 "$1" | grep 'Generated by ltmain.sh' > /dev/null ; then
uselibtool=1


@@ -3,8 +3,25 @@ dnl
dnl check requirements for OTP library
dnl
AC_DEFUN([rk_OTP],[
AC_REQUIRE([rk_DB])dnl
AC_ARG_ENABLE(otp,
AS_HELP_STRING([--disable-otp],[if you don't want OTP support]))
AC_MSG_ERROR([OTP has been removed],
AC_MSG_ERROR([OTP has been removed])
if test "$enable_otp" = yes -a "$db_type" = unknown; then
AC_MSG_ERROR([OTP requires a NDBM/DB compatible library])
fi
if test "$enable_otp" != no; then
if test "$db_type" != unknown; then
enable_otp=yes
else
enable_otp=no
fi
fi
if test "$enable_otp" = yes; then
AC_DEFINE(OTP, 1, [Define if you want OTP support in applications.])
LIB_otp='$(top_builddir)/lib/otp/libotp.la'
AC_SUBST(LIB_otp)
fi
AC_MSG_CHECKING([whether to enable OTP library])
AC_MSG_RESULT($enable_otp)
AM_CONDITIONAL(OTP, test "$enable_otp" = yes)dnl
])


@@ -73,13 +73,13 @@ AC_FIND_FUNC(res_ndestroy, resolv,
],
[0])
AC_FIND_FUNC(dns_search, resolv,
AC_FIND_FUNC_NO_LIBS(dns_search,,
[
#ifdef HAVE_DNS_H
#include <dns.h>
#endif
],
[0])
[0,0,0,0,0,0,0,0])
AC_FIND_FUNC(dn_expand, resolv,


@@ -28,7 +28,7 @@ dnl C characteristics
AC_REQUIRE([AC_C___ATTRIBUTE__])
AC_REQUIRE([AC_C_INLINE])
AC_REQUIRE([AC_C_CONST])
rk_WFLAGS(-Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow -Wdiscarded-qualifiers -Wcast-qual -Wimplicit-fallthrough -Wenum-compare -Wunused-but-set-variable -Wunused-const-variable -Wunused-result -Wold-style-definition -Wwrite-strings)
rk_WFLAGS(-Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow)
dnl -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes
dnl -Wcast-qual -Wswitch -Wformat=2 -Wwrite-strings
@@ -334,16 +334,15 @@ AC_BROKEN([ \
err \
errx \
fchown \
flock \
fnmatch \
freehostent \
getcwd \
getdelim \
getdtablesize \
getegid \
geteuid \
getgid \
gethostname \
getline \
getifaddrs \
getipnodebyaddr \
getipnodebyname \
@@ -401,10 +400,6 @@ AC_BROKEN([ \
rk_LIBOBJ(closefrom)
dnl Check for flock() - we always provide rk_flock() but need to know if
dnl the system has flock() for our fallback chain
AC_CHECK_FUNCS([flock])
AM_CONDITIONAL(have_fnmatch_h,
test "$ac_cv_header_fnmatch_h" = yes -a "$ac_cv_func_fnmatch" = yes)


@@ -18,26 +18,7 @@ if test -z "$WFLAGS" -a "$GCC" = "yes"; then
# -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
# -Wmissing-declarations -Wnested-externs
# -Wstrict-overflow=5
# Check if this is Clang (which also sets GCC=yes for compatibility)
if $CC --version 2>&1 | grep -qi clang; then
rk_CLANG=yes
else
rk_CLANG=no
fi
wflags="ifelse($#, 0,-Wall, $1)"
# Replace GCC-specific warning flags with Clang equivalents
if test "$rk_CLANG" = yes; then
# -Wimplicit-fallthrough removed: flex-generated code triggers it and can't be fixed
wflags=`echo "$wflags" | sed -e 's/-Wdiscarded-qualifiers/-Wignored-qualifiers/g' \
-e 's/ -Wunused-but-set-variable//g' \
-e 's/ -Wunused-const-variable//g' \
-e 's/ -Wimplicit-fallthrough//g'`
fi
WFLAGS="$wflags $dwflags"
WFLAGS="ifelse($#, 0,-Wall, $1) $dwflags"
#
# WFLAGS_LITE can be appended to WFLAGS to turn off a host of warnings


@@ -130,7 +130,7 @@ AC_SUBST([SLC_DEP])
dnl ---
dnl HEIM_WEAK_CRYPTO is now controlled by --with-1des in cf/crypto.m4
AC_DEFINE(HEIM_WEAK_CRYPTO, 1, [Define if you want support for weak crypto])
rk_TEST_PACKAGE(openldap,
[#include <lber.h>
@@ -230,37 +230,60 @@ AM_CONDITIONAL([HAVE_MICROHTTPD], [test "$with_microhttpd" != "no"])
AC_SUBST([MICROHTTPD_CFLAGS])
AC_SUBST([MICROHTTPD_LIBS])
dnl libcjwt
AC_ARG_WITH([cjwt],
AC_HELP_STRING([--with-cjwt], [(Experimental) use cjwt to validate JWT tokens @<:@default=check@:>@]),
[],
[with_cjwt=check])
if test "$with_cjwt" != "no"; then
PKG_CHECK_MODULES([CJWT], [libcjwt >= 1.0.0],
[with_cjwt=yes],[with_cjwt=no])
fi
if test "$with_cjwt" = "yes"; then
AC_DEFINE_UNQUOTED([HAVE_CJWT], 1, [whether libcjwt is available for KDC REST API])
fi
AM_CONDITIONAL([HAVE_CJWT], [test "$with_cjwt" != "no"])
AC_SUBST([CJWT_CFLAGS])
AC_SUBST([CJWT_LIBS])
dnl libsystemd
AC_ARG_WITH([systemd],
AC_HELP_STRING([--with-systemd], [(Experimental) notify systemd about daemon state @<:@default=check@:>@]),
[],
[with_systemd=check])
if test "$with_systemd" != "no"; then
PKG_CHECK_MODULES([SYSTEMD], [libsystemd >= 256.0],
[with_systemd=yes],[with_systemd=no])
fi
if test "$with_systemd" = "yes"; then
AC_DEFINE_UNQUOTED([HAVE_SYSTEMD], 1, [whether libsystemd is available])
fi
AM_CONDITIONAL([HAVE_SYSTEMD], [test "$with_systemd" != "no"])
AC_SUBST([SYSTEMD_CFLAGS])
AC_SUBST([SYSTEMD_LIBS])
dnl libcjson
AC_ARG_WITH([cjson],
AC_HELP_STRING([--with-cjson], [(Experimental) use cJSON to extract private claims from JWT tokens @<:@default=check@:>@]),
[],
[with_cjson=check])
if test "$with_cjson" != "no"; then
PKG_CHECK_MODULES([CJSON], [libcjson >= 1.0.0],
[with_cjson=yes],[with_cjson=no])
fi
if test "$with_cjson" = "yes"; then
AC_DEFINE_UNQUOTED([HAVE_CJSON], 1, [whether libcjson is available for KDC REST API])
fi
AM_CONDITIONAL([HAVE_CJSON], [test "$with_cjson" != "no"])
AC_SUBST([CJSON_CFLAGS])
AC_SUBST([CJSON_LIBS])
dnl mitkrb5
AC_ARG_WITH([mitkrb5],
AC_HELP_STRING([--with-mitkrb5=PATH], [Path to MIT Kerberos for interop testing]),
AC_HELP_STRING([--with-mitkrb5], [Path to MIT Kerberos for interop testing @<:@default=check@:>@]),
[],
[with_mitkrb5=no])
MITKRB5=
if test "$with_mitkrb5" != "no" && test "$with_mitkrb5" != "yes"; then
if test -d "$with_mitkrb5"; then
MITKRB5="$with_mitkrb5"
else
AC_MSG_WARN([MIT Kerberos directory $with_mitkrb5 does not exist])
fi
fi
AC_SUBST(MITKRB5)
AM_CONDITIONAL([MITKRB5], [test -n "$MITKRB5"])
dnl older-heimdal (for interop testing)
AC_ARG_WITH([older-heimdal],
AC_HELP_STRING([--with-older-heimdal=PATH], [Path to older version of Heimdal for interop testing]),
[],
[with_older_heimdal=no])
OLD_HEIMDAL=
if test "$with_older_heimdal" != "no" && test "$with_older_heimdal" != "yes"; then
if test -d "$with_older_heimdal"; then
OLD_HEIMDAL="$with_older_heimdal"
else
AC_MSG_WARN([Older Heimdal directory $with_older_heimdal does not exist])
fi
fi
AC_SUBST(OLD_HEIMDAL)
AM_CONDITIONAL([OLD_HEIMDAL], [test -n "$OLD_HEIMDAL"])
[with_mikrb5=check])
AM_CONDITIONAL([MITKRB5], [test "$with_mitkrb5" != "no"])
dnl Check for sqlite
rk_TEST_PACKAGE(sqlite3,
@@ -335,14 +358,8 @@ AC_SUBST(dpagaix_ldadd)
AC_SUBST(dpagaix_ldflags)
AC_ARG_ENABLE([afs-support],
AS_HELP_STRING([--enable-afs-support],[enable support for AFS]),
[enable_afs_support=yes],
[enable_afs_support=no])
if test "$enable_afs_support" = yes; then
NO_AFS="0"
AC_MSG_ERROR([AFS no longer supported])
else
# XXX This is pointless now, should be removed
AS_HELP_STRING([--disable-afs-support],[if you don't want support for AFS]))
if test "$enable_afs_support" = no; then
AC_DEFINE(NO_AFS, 1, [Define if you don't wan't support for AFS.])
NO_AFS="1"
fi
@@ -358,6 +375,8 @@ LIBADD_roken="$LIB_roken"
AC_SUBST(LIBADD_roken)dnl
LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken"
rk_OTP
rk_LIBDISPATCH
AC_CHECK_OSFC2
@@ -547,13 +566,16 @@ dnl Deal with switch fallthrough warnings
AH_TOP([
#if defined(DISPATCH_FALLTHROUGH)
# define HEIM_FALLTHROUGH DISPATCH_FALLTHROUGH
#elif defined(__clang__)
/* Clang sets __GNUC__ to 4 for compat, but supports fallthrough attr */
# define HEIM_FALLTHROUGH __attribute__((fallthrough))
#elif defined(__GNUC__) && __GNUC__ >= 7
# define HEIM_FALLTHROUGH __attribute__((fallthrough))
#else
# define HEIM_FALLTHROUGH do {} while (0) /* fallthrough */
# if defined(__GNUC__)
# if __GNUC__ >= 7
# define HEIM_FALLTHROUGH __attribute__((fallthrough))
# else
# define HEIM_FALLTHROUGH do {} while (0) /* fallthrough */
# endif
# else
# define HEIM_FALLTHROUGH do {} while (0) /* fallthrough */
# endif
#endif
])
@@ -728,18 +750,23 @@ AC_CONFIG_FILES(Makefile \
etc/Makefile \
include/Makefile \
include/gssapi/Makefile \
include/hcrypto/Makefile \
include/kadm5/Makefile \
lib/Makefile \
lib/base/Makefile \
lib/base/Makefile \
lib/asn1/Makefile \
lib/com_err/Makefile \
lib/hcrypto/Makefile \
lib/hx509/Makefile \
lib/gssapi/Makefile \
lib/ntlm/Makefile \
lib/hdb/Makefile \
lib/ipc/Makefile \
lib/kadm5/Makefile \
lib/kafs/Makefile \
lib/kdfs/Makefile \
lib/krb5/Makefile \
lib/otp/Makefile \
lib/roken/Makefile \
lib/sl/Makefile \
lib/sqlite/Makefile \
@@ -754,8 +781,10 @@ AC_CONFIG_FILES(Makefile \
kcm/Makefile \
kdc/Makefile \
appl/Makefile \
appl/afsutil/Makefile \
appl/dbutils/Makefile \
appl/gssmask/Makefile \
appl/otp/Makefile \
appl/test/Makefile \
appl/kf/Makefile \
appl/dceutils/Makefile \
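Review bot: The `--with-mitkrb5` default action `[with_mikrb5=check])` assigns a misspelled variable, so when the option is absent `$with_mitkrb5` stays empty and `AM_CONDITIONAL([MITKRB5], [test "$with_mitkrb5" != "no"])` comes out true with no MIT Kerberos configured; the line should read `[with_mitkrb5=check])`. Even with the spelling fixed, `check` is never resolved to yes or no anywhere in the hunk, so the conditional is still on by default; a `test -d "$with_mitkrb5"` style probe that sets it to no when nothing is found would give the `default=check` help text its meaning. If the `AC_DEFINE(HEIM_WEAK_CRYPTO, 1, [Define if you want support for weak crypto])` line at the top of this section is likewise the new side, single-DES support becomes unconditional with no configure switch, which deserves at least a `dnl` comment stating that this is intended. The new-side assignment here is inferred from the hunk counts (37 old, 60 new) and the libsystemd commit message, since the rendering dropped the +/- markers.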


@@ -18,6 +18,11 @@ dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
-e 's,[@]objdir[@],.,g' \
-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
hcrypto.dxy: hcrypto.din Makefile
$(dxy_subst) < $(srcdir)/hcrypto.din > hcrypto.dxy.tmp
chmod +x hcrypto.dxy.tmp
mv hcrypto.dxy.tmp hcrypto.dxy
hdb.dxy: hdb.din Makefile
$(dxy_subst) < $(srcdir)/hdb.din > hdb.dxy.tmp
chmod +x hdb.dxy.tmp
@@ -43,6 +48,11 @@ krb5.dxy: krb5.din Makefile
chmod +x krb5.dxy.tmp
mv krb5.dxy.tmp krb5.dxy
ntlm.dxy: ntlm.din Makefile
$(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp
chmod +x ntlm.dxy.tmp
mv ntlm.dxy.tmp ntlm.dxy
wind.dxy: wind.din Makefile
$(dxy_subst) < $(srcdir)/wind.din > wind.dxy.tmp
chmod +x wind.dxy.tmp
@@ -57,9 +67,11 @@ vars.texi: vars.tin Makefile
chmod +x vars.texi.tmp
mv vars.texi.tmp vars.texi
PROJECTS = base hdb hx509 gssapi krb5 wind
PROJECTS = base hdb hx509 gssapi krb5 ntlm wind
doxyout doxygen: base.dxy hdb.dxy hx509.dxy gssapi.dxy krb5.dxy wind.dxy
PROJECTS += hcrypto
doxyout doxygen: base.dxy hdb.dxy hx509.dxy hcrypto.dxy gssapi.dxy krb5.dxy ntlm.dxy wind.dxy
@test -d $(srcdir)/doxyout && \
find $(srcdir)/doxyout -type d ! -perm -200 -exec chmod u+w {} ';' ; \
rm -rf $(srcdir)/doxyout ; \
@@ -125,11 +137,13 @@ EXTRA_DIST = \
footer.html \
gssapi.din \
hdb.din \
hcrypto.din \
header.html \
heimdal.css \
base.din \
hx509.din \
krb5.din \
ntlm.din \
init-creds \
latin1.tex \
layman.asc \
@@ -141,10 +155,12 @@ EXTRA_DIST = \
vars.tin
CLEANFILES = \
hcrypto.dxy* \
base.dxy* \
hx509.dxy* \
hdb.dxy* \
gssapi.dxy* \
krb5.dxy* \
ntlm.dxy* \
wind.dxy* \
vars.texi*


@@ -61,7 +61,9 @@ hx509_TEXINFOS = \
MAKEINFOFLAGS = --css-include=$(SRCDIR)/heimdal.css
# MAKEINFO = $(PERL) C:\msys64\usr\bin\makeinfo
!ifdef APPVEYOR
MAKEINFO = $(PERL) C:\msys64\usr\bin\makeinfo
!endif
######################################################################
# Build heimdal.chm


@@ -2,6 +2,17 @@
@comment node-name, next, previous, up
@appendix Acknowledgments
Eric Young wrote ``libdes''. Heimdal used to use libdes, without it
kth-krb would never have existed. Since there are no longer any Eric
Young code left in the library, we renamed it to libhcrypto.
All functions in libhcrypto have been re-implemented or used available
public domain code. The core AES function where written by Vincent
Rijmen, Antoon Bosselaers and Paulo Barreto. The core DES SBOX
transformation was written by Richard Outerbridge. @code{imath} that
is used for public key crypto support is written by Michael
J. Fromberger.
The University of California at Berkeley initially wrote @code{telnet},
and @code{telnetd}. The authentication and encryption code of
@code{telnet} and @code{telnetd} was added by David Borman (then of Cray


@@ -16,7 +16,6 @@
@copyrightstart
@verbatim
SPDX-License-Identifier: BSD-3-Clause
Copyright (c) 1997-2011 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
@@ -59,7 +58,6 @@ SUCH DAMAGE.
The parts of the libtelnet that handle Kerberos.
@verbatim
SPDX-License-Identifier: HPND-export-US
Copyright (C) 1990 by the Massachusetts Institute of Technology
@@ -88,7 +86,6 @@ The parts of the libroken, most of libtelnet, telnet, ftp,
and popper.
@verbatim
SPDX-License-Identifier: BSD-3-Clause
Copyright (c) 1988, 1990, 1993
The Regents of the University of California. All rights reserved.
@@ -128,7 +125,6 @@ SUCH DAMAGE.
libedit
@verbatim
SPDX-License-Identifier: BSD-3-Clause
Copyright (c) 1992, 1993
The Regents of the University of California. All rights reserved.
@@ -163,6 +159,16 @@ SUCH DAMAGE.
@end verbatim
@copynext
@heading TomsFastMath / LibTomMath
Tom's fast math (bignum support) and LibTomMath
@verbatim
LibTomMath is hereby released into the Public Domain.
@end verbatim
@copynext
@heading Doug Rabson
@@ -170,7 +176,6 @@ SUCH DAMAGE.
GSS-API mechglue layer.
@verbatim
SPDX-License-Identifier: BSD-2-Clause
Copyright (c) 2005 Doug Rabson
All rights reserved.
@@ -208,7 +213,6 @@ SUCH DAMAGE.
@end table
@verbatim
SPDX-License-Identifier: BSD-3-Clause
Copyright (c) 2003-2011, PADL Software Pty Ltd.
Copyright (c) 2004, Andrew Bartlett.
@@ -246,6 +250,70 @@ SUCH DAMAGE.
@end verbatim
@copynext
@heading Marko Kreen
Fortuna in libhcrypto
@verbatim
Copyright (c) 2005 Marko Kreen
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
@end verbatim
@copynext
@heading NTT (Nippon Telegraph and Telephone Corporation)
Camellia in libhcrypto
@verbatim
Copyright (c) 2006,2007
NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer as
the first lines of this file unmodified.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY NTT ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@end verbatim
@copynext
@heading The NetBSD Foundation, Inc.
@@ -253,7 +321,6 @@ SUCH DAMAGE.
vis.c in libroken
@verbatim
SPDX-License-Identifier: BSD-2-Clause
Copyright (c) 1999, 2005 The NetBSD Foundation, Inc.
All rights reserved.
@@ -282,6 +349,37 @@ POSSIBILITY OF SUCH DAMAGE.
@end verbatim
@copynext
@heading Vincent Rijmen, Antoon Bosselaers, Paulo Barreto
AES in libhcrypto
@verbatim
rijndael-alg-fst.c
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@end verbatim
@copynext
@heading Apple, Inc
@@ -289,7 +387,6 @@ POSSIBILITY OF SUCH DAMAGE.
kdc/announce.c
@verbatim
SPDX-License-Identifier: HPND-export2-US
Copyright (c) 2008 Apple Inc. All Rights Reserved.
@@ -313,6 +410,30 @@ THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@end verbatim
@copynext
@heading Richard Outerbridge
DES core in libhcrypto
@verbatim
D3DES (V5.09) -
A portable, public domain, version of the Data Encryption Standard.
Written with Symantec's THINK (Lightspeed) C by Richard Outerbridge.
Thanks to: Dan Hoey for his excellent Initial and Inverse permutation
code; Jim Gillogly & Phil Karn for the DES key schedule code; Dennis
Ferguson, Eric Young and Dana How for comparing notes; and Ray Lau,
for humouring me on.
Copyright (c) 1988,1989,1990,1991,1992 by Richard Outerbridge.
(GEnie : OUTER; CIS : [71755,204]) Graven Imagery, 1992.
@end verbatim
@copynext
@@ -322,7 +443,6 @@ WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Windows support
@verbatim
SPDX-License-Identifier: BSD-2-Clause
Copyright (c) 2009-2015, Secure Endpoints Inc.
All rights reserved.
@@ -356,4 +476,44 @@ OF THE POSSIBILITY OF SUCH DAMAGE.
@copynext
@heading Novell, Inc
lib/hcrypto/test_dh.c
@verbatim
Copyright (c) 2007, Novell, Inc.
Author: Matthias Koenig <mkoenig@suse.de>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the Novell nor the names of its contributors may be used
to endorse or promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
@end verbatim
@copyrightend

16
doc/hcrypto.din Normal file

@@ -0,0 +1,16 @@
# Doxyfile 1.5.3
PROJECT_NAME = "Heimdal crypto library"
PROJECT_NUMBER = @PACKAGE_VERSION@
OUTPUT_DIRECTORY = @srcdir@/doxyout/hcrypto
INPUT = @srcdir@/../lib/hcrypto
EXAMPLE_PATH = @srcdir@/../lib/hcrypto
WARN_IF_UNDOCUMENTED = YES
PERL_PATH = /usr/bin/perl
HTML_HEADER = "@srcdir@/header.html"
HTML_FOOTER = "@srcdir@/footer.html"
@INCLUDE = "@srcdir@/doxytmpl.dxy"


@@ -23,8 +23,7 @@ subset of OSI's Abstract Syntax Notation One (ASN.1), Basic
Encoding Rules (BER), and Distinguished Encoding Rules
(DER). The particular purpose of this note is to provide
background material sufficient for understanding and
implementing the PKCS family of standards. NOTE WELL: This
document is full of errors and not to be used.
implementing the PKCS family of standards.
1. Introduction

16
doc/ntlm.din Normal file

@@ -0,0 +1,16 @@
# Doxyfile 1.5.3
PROJECT_NAME = Heimdal ntlm library
PROJECT_NUMBER = @PACKAGE_VERSION@
OUTPUT_DIRECTORY = @srcdir@/doxyout/ntlm
INPUT = @srcdir@/../lib/ntlm
EXAMPLE_PATH = @srcdir@/../lib/ntlm
WARN_IF_UNDOCUMENTED = YES
PERL_PATH = /usr/bin/perl
HTML_HEADER = "@srcdir@/header.html"
HTML_FOOTER = "@srcdir@/footer.html"
@INCLUDE = "@srcdir@/doxytmpl.dxy"


@@ -2,7 +2,7 @@
include $(top_srcdir)/Makefile.am.common
SUBDIRS = kadm5 gssapi
SUBDIRS = kadm5 hcrypto gssapi
noinst_PROGRAMS = bits
CHECK_LOCAL = no-check-local
@@ -69,6 +69,8 @@ CLEANFILES = \
heimbase.h \
heimbase-svc.h \
heimbase-protos.h \
heimntlm-protos.h \
heimntlm.h \
hex.h \
hx509-private.h \
hx509-protos.h \
@@ -96,8 +98,10 @@ CLEANFILES = \
kx509_err.h \
locate_plugin.h \
login-protos.h \
ntlm_err.h \
ocsp_asn1.h \
ocsp_template_asn1.h \
otp.h \
parse_bytes.h \
parse_time.h \
parse_units.h \
@@ -122,7 +126,6 @@ CLEANFILES = \
send_to_kdc_plugin.h \
sl.h \
sqlite3.h \
sqlite3_namespace.h \
sqlite3ext.h \
test-mem.h \
vers.h \
@@ -134,7 +137,9 @@ CLEANFILES = \
kdc-audit.h \
csr_authorizer_plugin.h \
gss_preauth_authorizer_plugin.h \
token_validator_plugin.h \
xdbm.h \
x25519_ref10.h \
x690sample_asn1.h \
x690sample_template_asn1.h


@@ -31,7 +31,7 @@
RELDIR=include
SUBDIRS=kadm5 gssapi
SUBDIRS=kadm5 hcrypto gssapi
!include ../windows/NTMakefile.w32
!include ../windows/NTMakefile.version
@@ -62,13 +62,12 @@ while(<>) {
if ("$(KRB5)") { print "#define KRB5 1\n"; }
if ("$(KRB4)") { print "#define KRB4 1\n"; }
if ("$(WEAK_CRYPTO)") { print "#define HEIM_WEAK_CRYPTO 1\n"; }
# Always enable 3DES and ARCFOUR for Windows builds (needed for interop)
print "#define HEIM_DES3 1\n";
print "#define HEIM_ARCFOUR 1\n";
if ("$(HCRYPTO_FALLBACK)") { print "#define HCRYPTO_FALLBACK 1\n"; } else { print "#define HCRYPTO_FALLBACK 0\n"; }
if ("$(PKINIT)") { print "#define PKINIT 1\n"; }
if ("$(NO_AFS)") { print "#define NO_AFS 1\n"; }
if ("$(OPENLDAP)") { print "#define OPENLDAP 1\n"; }
if ("$(OPENLDAP_MODULE)") { print "#define OPENLDAP_MODULE 1\n"; }
if ("$(OTP)") { print "#define OTP 1 \n"; }
if ("$(AUTHENTICATION)") { print "#define AUTHENTICATION 1\n"; }
if ("$(DIAGNOSTICS)") { print "#define DIAGNOSTICS 1\n"; }
if ("$(ENCRYPTION)") { print "#define ENCRYPTION 1\n"; }
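Review bot: The new `HCRYPTO_FALLBACK` line emits `#define HCRYPTO_FALLBACK 0` when the variable is unset, unlike every other flag in this loop, which is only defined when set; any consumer that tests it with `#ifdef HCRYPTO_FALLBACK` will therefore always take the enabled branch. Either follow the surrounding convention and emit the define only when `$(HCRYPTO_FALLBACK)` is true, or add a comment at that line such as `# Always defined (0 or 1): test with #if, never #ifdef` so callers know which form to use. The `while(<>)` loop this runs in starts outside the hunk, so I cannot see whether anything else depends on the always-defined form.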


@@ -139,7 +139,6 @@ int main(int argc, char **argv)
int flag;
char *p = NULL;
const char *hb;
char *freeme = NULL;
if (argc > 1 && strcmp(argv[1], "--version") == 0) {
printf("some version");
@@ -150,12 +149,13 @@ int main(int argc, char **argv)
hb = "__BITS_H__";
f = stdout;
} else {
p = freeme = malloc(strlen(argv[1]) + 5);
p = malloc(strlen(argv[1]) + 5);
sprintf(p, "__%s__", argv[1]);
hb = p;
for(; *p; p++)
for(; *p; p++){
if(!isalnum((unsigned char)*p))
*p = '_';
}
f = fopen(argv[1], "w");
}
fprintf(f, "#ifndef %s\n", hb);
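Review bot: The result of `p = malloc(strlen(argv[1]) + 5);` is handed straight to `sprintf(p, "__%s__", argv[1]);` without a NULL check, so an allocation failure becomes a NULL dereference, and with the `freeme` bookkeeping gone the buffer is never released (harmless for a one-shot generator, but worth a comment). A minimal guard is `if (p == NULL) { perror("malloc"); return 1; }` immediately after the malloc. The `f = fopen(argv[1], "w");` two lines below is likewise unchecked before the `fprintf(f, ...)` that follows and deserves the same treatment. main() starts and ends outside this hunk.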
@@ -325,6 +325,5 @@ int main(int argc, char **argv)
if (f != stdout)
fclose(f);
free(freeme);
return 0;
}


@@ -693,6 +693,9 @@ static const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
/* Define to 1 if you have the `openpty' function. */
/* #define HAVE_OPENPTY 1 */
/* define to 1 to use openssl's libcrypto as a (default) backend for libhcrypto */
/* #undef HAVE_HCRYPTO_W_OPENSSL */
/* Define to enable basic OSF C2 support. */
/* #undef HAVE_OSFC2 */


@@ -9,22 +9,17 @@
#include <krb5-types.h>
#endif
#include <openssl/evp.h>
#include <openssl/des.h>
#include <openssl/md4.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include <openssl/rc4.h>
#include <openssl/rc2.h>
#include <openssl/ui.h>
#include <openssl/rand.h>
#include <openssl/engine.h>
#include <openssl/pkcs12.h>
#include <openssl/hmac.h>
#include <openssl/provider.h>
#include <openssl/encoder.h>
#include <openssl/core_names.h>
#include <openssl/param_build.h>
#include <openssl/x509.h>
#include <hcrypto/evp.h>
#include <hcrypto/des.h>
#include <hcrypto/md4.h>
#include <hcrypto/md5.h>
#include <hcrypto/sha.h>
#include <hcrypto/rc4.h>
#include <hcrypto/rc2.h>
#include <hcrypto/ui.h>
#include <hcrypto/rand.h>
#include <hcrypto/engine.h>
#include <hcrypto/pkcs12.h>
#include <hcrypto/hmac.h>
#endif /* __crypto_header__ */


@@ -2,6 +2,6 @@
include $(top_srcdir)/Makefile.am.common
CLEANFILES = gssapi.h gssapi_krb5.h gssapi_spnego.h gssapi_oid.h
CLEANFILES = gssapi.h gssapi_krb5.h gssapi_spnego.h gssapi_ntlm.h gssapi_oid.h
EXTRA_DIST = NTMakefile


@@ -0,0 +1,30 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
CLEANFILES = \
aes.h \
bn.h \
des.h \
dh.h \
dsa.h \
ec.h \
ecdsa.h \
ecdh.h \
engine.h \
evp.h \
evp-hcrypto.h \
evp-cc.h \
hmac.h \
md4.h \
md5.h \
pkcs12.h \
rand.h \
rc2.h \
rc4.h \
rsa.h \
sha.h \
ui.h \
undef.h
EXTRA_DIST = NTMakefile


@@ -0,0 +1,34 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=include\hcrypto
!include ../../windows/NTMakefile.w32


@@ -103,7 +103,6 @@ typedef unsigned long HEIM_PRIV_thread_key;
#define HEIMDAL_THREAD_ID thr_t
#define HEIMDAL_THREAD_create(t,f,a) thr_create((t), 0, (f), (a))
#define HEIMDAL_THREAD_join(t,r) thr_join((t), 0, (r))
#elif defined(ENABLE_PTHREAD_SUPPORT) && (!defined(__NetBSD__) || __NetBSD_Version__ >= 299001200)
@@ -143,12 +142,9 @@ typedef unsigned long HEIM_PRIV_thread_key;
#define HEIMDAL_THREAD_ID pthread_t
#define HEIMDAL_THREAD_create(t,f,a) pthread_create((t), 0, (f), (a))
#define HEIMDAL_THREAD_join(t,r) pthread_join((t), (r))
#elif defined(_WIN32)
#define _Atomic
typedef struct heim_mutex {
HANDLE h;
} heim_mutex_t;
@@ -292,44 +288,9 @@ heim_rwlock_destroy(heim_rwlock_t *l)
#define HEIMDAL_getspecific(k) (heim_w32_getspecific(k))
#define HEIMDAL_key_delete(k) (heim_w32_delete_key(k))
typedef struct heim_thread {
HANDLE handle;
DWORD id;
} heim_thread_t;
static inline int
heim_thread_create(heim_thread_t *t, LPTHREAD_START_ROUTINE f, void *a)
{
t->handle = CreateThread(NULL, 0, f, a, 0, &t->id);
if (t->handle == NULL || t->handle == INVALID_HANDLE_VALUE)
return EINVAL;
return 0;
}
static inline int
heim_thread_join(heim_thread_t t, void **retval)
{
DWORD ret;
DWORD exitcode;
ret = WaitForSingleObject(t.handle, INFINITE);
if (ret != WAIT_OBJECT_0) {
CloseHandle(t.handle);
return EINVAL;
}
if (retval) {
if (GetExitCodeThread(t.handle, &exitcode))
*retval = (void *)(uintptr_t)exitcode;
else
*retval = NULL;
}
CloseHandle(t.handle);
return 0;
}
#define HEIMDAL_THREAD_ID heim_thread_t
#define HEIMDAL_THREAD_create(t,f,a) heim_thread_create((t), (f), (a))
#define HEIMDAL_THREAD_join(t,r) heim_thread_join((t), (r))
#define HEIMDAL_THREAD_ID DWORD
#define HEIMDAL_THREAD_create(t,f,a) \
((CreateThread(0, 0, (f), (a), 0, (t)) == INVALID_HANDLE_VALUE) ? EINVAL : 0)
#elif defined(HEIMDAL_DEBUG_THREADS)
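Review bot: The Win32 `HEIMDAL_THREAD_create` macro tests the `CreateThread()` result against `INVALID_HANDLE_VALUE`, but CreateThread reports failure by returning NULL, so a failed thread creation is reported to the caller as success (0); the comparison should be `== NULL`. The returned HANDLE is also discarded, which means nothing can ever wait on or `CloseHandle()` the thread, and with `HEIMDAL_THREAD_ID` reduced to a `DWORD` there is no join counterpart here or in the pthread/thr_* branches above, whose `HEIMDAL_THREAD_join` lines are dropped in the same change; if any caller still uses join, that will now fail to compile. Fixing the leak properly needs an ID type that carries the handle (as the struct on the other side of this hunk did) rather than a bare DWORD. The `#if` chain continues past the end of the hunk.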
@@ -357,7 +318,6 @@ heim_thread_join(heim_thread_t t, void **retval)
#define HEIMDAL_THREAD_ID int
#define HEIMDAL_THREAD_create(t,f,a) abort()
#define HEIMDAL_THREAD_join(t,r) abort()
#else /* no thread support, no debug case */
@@ -380,7 +340,6 @@ heim_thread_join(heim_thread_t t, void **retval)
#define HEIMDAL_THREAD_ID int
#define HEIMDAL_THREAD_create(t,f,a) abort()
#define HEIMDAL_THREAD_join(t,r) abort()
#define HEIMDAL_internal_thread_key 1


@@ -1,71 +0,0 @@
# Fuzzing kadmin
Kadmind includes built-in fuzzing support via the `--fuzz-stdin` flag, which
processes a single RPC message from stdin without requiring network setup or
authentication.
## Running
### Standalone mode
```bash
# Process a single corpus file
./kadmind --fuzz-stdin < fuzz/get_existing_test.bin
# With a specific realm
./kadmind -r TEST.H5L.SE --fuzz-stdin < fuzz/create_new.bin
```
### With AFL++
```bash
# Build with AFL instrumentation
CC=afl-clang-fast CXX=afl-clang-fast++ \
../configure --enable-maintainer-mode --enable-developer
make
# Run fuzzer
afl-fuzz -i kadmin/fuzz -o findings -- ./kadmind --fuzz-stdin
```
### With libFuzzer
To use libFuzzer, create a harness that calls the internal fuzzing entry point:
```c
#include <stdint.h>
extern int kadmind_fuzz_input(const uint8_t *data, size_t size);
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
kadmind_fuzz_input(data, size);
return 0;
}
```
## Seed Corpus
The `fuzz/` directory contains seed inputs covering:
- All kadm_ops commands (GET, DELETE, CREATE, RENAME, CHPASS, MODIFY, RANDKEY, etc.)
- Edge cases (invalid commands, truncated data, malformed principals)
- Overflow tests (large/negative array counts)
See `fuzz/README` for detailed corpus file descriptions.
## Regenerating Corpus
```bash
cd fuzz
python3 gen_corpus.py
```
## Message Format
Each corpus file contains a length-prefixed message:
```
[4-byte big-endian length][message payload]
```
The payload starts with a 4-byte command number (see `kadm_ops` enum in
`lib/kadm5/kadm5-private.h`).


@@ -63,6 +63,7 @@ check_PROGRAMS = $(TESTS)
LDADD_common = \
$(top_builddir)/lib/hdb/libhdb.la \
$(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_roken) \
$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
@@ -74,6 +75,10 @@ kadmind_LDADD = $(top_builddir)/lib/kadm5/libkadm5srv.la \
$(LIB_pidfile) \
$(LIB_dlopen)
if HAVE_SYSTEMD
kadmind_LDADD += $(SYSTEMD_LIBS)
endif
kadmin_LDADD = \
$(top_builddir)/lib/kadm5/libkadm5clnt.la \
$(top_builddir)/lib/kadm5/libkadm5srv.la \
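Review bot: The `if HAVE_SYSTEMD` block adds `$(SYSTEMD_LIBS)` to `kadmind_LDADD` but nothing adds the matching compiler flags, so if configure obtains libsystemd via pkg-config (which normally yields both a `_CFLAGS` and a `_LIBS` variable) headers installed outside the default include path will not be found at compile time. Suggest `kadmind_CPPFLAGS += $(SYSTEMD_CFLAGS)` inside the same conditional, if configure defines that variable; I cannot see configure.ac from here. The `kadmin_LDADD` assignment the hunk ends on continues past the hunk.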


@@ -150,9 +150,9 @@ add_one_principal(const char *name,
krb5_set_error_message(context, ret, "out of memory");
goto out;
}
ret = _krb5_UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt,
UI_UTIL_FLAG_VERIFY |
UI_UTIL_FLAG_VERIFY_SILENT);
ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), prompt,
UI_UTIL_FLAG_VERIFY |
UI_UTIL_FLAG_VERIFY_SILENT);
free (prompt);
if (ret) {
ret = KRB5_LIBOS_BADPWDMATCH;
@@ -275,7 +275,7 @@ add_new_key(struct add_options *opt, int argc, char **argv)
enctypes = krb5_config_get_string(context, NULL, "libdefaults",
"supported_enctypes", NULL);
if (enctypes == NULL || enctypes[0] == '\0')
enctypes = "aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192";
enctypes = "aes128-cts-hmac-sha1-96";
ret = krb5_string_to_keysalts2(context, enctypes, &nkstuple, &kstuple);
if (ret) {
fprintf(stderr, "enctype(s) unknown\n");
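Review bot: The fallback used when `supported_enctypes` is unset or empty, `enctypes = "aes128-cts-hmac-sha1-96";`, gives newly added principals a single AES-128/SHA-1 key, so realms without explicit configuration get neither an AES-256 key nor a SHA-2 (RFC 8009) enctype; if the second of the two paired lines is the new side, the line it replaces covered both, and that is a security-relevant default change that deserves at least a comment at the assignment, e.g. `/* Default key set when supported_enctypes is unset; changing this changes the keys every new principal gets */`. The same literal is repeated in add_new_namespace below and in ext_keytab in this same change; a single shared `#define DEFAULT_ENCTYPES "..."` (or a small helper) would keep the three sites from drifting apart. add_new_key starts and ends outside this hunk.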
@@ -505,7 +505,7 @@ add_new_namespace(struct add_namespace_options *opt, int argc, char **argv)
enctypes = krb5_config_get_string(context, NULL, "libdefaults",
"supported_enctypes", NULL);
if (enctypes == NULL || enctypes[0] == '\0')
enctypes = "aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192";
enctypes = "aes128-cts-hmac-sha1-96";
ret = krb5_string_to_keysalts2(context, enctypes, &nkstuple, &kstuple);
if (ret) {
fprintf(stderr, "enctype(s) unknown\n");


@@ -39,39 +39,24 @@ struct cpw_entry_data {
int random_key;
int random_password;
char *password;
const char *enctypes;
krb5_key_data *key_data;
void *kadm_handle;
};
static int
set_random_key(void *dup_kadm_handle,
krb5_principal principal,
const char *enctypes,
int keepold)
set_random_key(void *dup_kadm_handle, krb5_principal principal, int keepold)
{
krb5_error_code ret;
krb5_key_salt_tuple *key_salt_tuples = NULL;
size_t nkey_salt_tuples = 0;
int i;
krb5_keyblock *keys;
int num_keys;
if (enctypes) {
ret = krb5_string_to_keysalts2(context, enctypes, &nkey_salt_tuples,
&key_salt_tuples);
if (ret)
return ret;
}
ret = kadm5_randkey_principal_3(dup_kadm_handle, principal, keepold,
nkey_salt_tuples, key_salt_tuples, &keys,
&num_keys);
ret = kadm5_randkey_principal_3(dup_kadm_handle, principal, keepold, 0,
NULL, &keys, &num_keys);
if(ret)
return ret;
for(i = 0; i < num_keys; i++)
krb5_free_keyblock_contents(context, &keys[i]);
free(key_salt_tuples);
free(keys);
return 0;
}
@@ -79,12 +64,9 @@ set_random_key(void *dup_kadm_handle,
static int
set_random_password(void *dup_kadm_handle,
krb5_principal principal,
const char *enctypes,
int keepold)
{
krb5_error_code ret;
krb5_key_salt_tuple *key_salt_tuples = NULL;
size_t nkey_salt_tuples = 0;
char pw[128];
char *princ_name;
@@ -92,19 +74,11 @@ set_random_password(void *dup_kadm_handle,
if (ret)
return ret;
if (enctypes) {
ret = krb5_string_to_keysalts2(context, enctypes, &nkey_salt_tuples,
&key_salt_tuples);
if (ret)
return ret;
}
random_password(pw, sizeof(pw));
ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold,
nkey_salt_tuples, key_salt_tuples, pw);
ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold, 0,
NULL, pw);
if (ret == 0)
printf ("%s's password set to \"%s\"\n", princ_name, pw);
free(key_salt_tuples);
free(princ_name);
memset_s(pw, sizeof(pw), 0, sizeof(pw));
return ret;
@@ -113,13 +87,10 @@ set_random_password(void *dup_kadm_handle,
static int
set_password(void *dup_kadm_handle,
krb5_principal principal,
const char *enctypes,
char *password,
int keepold)
{
krb5_error_code ret = 0;
krb5_key_salt_tuple *key_salt_tuples = NULL;
size_t nkey_salt_tuples = 0;
char pwbuf[128];
int aret;
@@ -134,29 +105,19 @@ set_password(void *dup_kadm_handle,
free (princ_name);
if (aret == -1)
return ENOMEM;
ret = _krb5_UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt,
UI_UTIL_FLAG_VERIFY |
UI_UTIL_FLAG_VERIFY_SILENT);
ret = UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt,
UI_UTIL_FLAG_VERIFY |
UI_UTIL_FLAG_VERIFY_SILENT);
free (prompt);
if(ret){
return KRB5_LIBOS_BADPWDMATCH;
}
password = pwbuf;
}
if (enctypes) {
ret = krb5_string_to_keysalts2(context, enctypes, &nkey_salt_tuples,
&key_salt_tuples);
if (ret)
return ret;
}
if(ret == 0)
ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold,
nkey_salt_tuples, key_salt_tuples,
password);
ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold, 0,
NULL, password);
memset_s(pwbuf, sizeof(pwbuf), 0, sizeof(pwbuf));
free(key_salt_tuples);
return ret;
}
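Review bot: In set_password the early `return KRB5_LIBOS_BADPWDMATCH;` taken when `UI_UTIL_read_pw_string` fails bypasses the `memset_s(pwbuf, sizeof(pwbuf), 0, sizeof(pwbuf));` at the end of the function, so whatever the helper left in `pwbuf` (declared in the previous hunk) stays on the stack; add the same `memset_s` call before that return. Separately, with the key-salt parsing removed the `if(ret == 0)` guard in front of `kadm5_chpass_principal_3` can no longer be false — `ret` starts at 0 and the only assignment visible above returns on non-zero — unless the lines between the two hunks assign it, so it now reads as dead code and should be dropped. set_password begins in the preceding hunk.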
@@ -179,13 +140,13 @@ do_cpw_entry(krb5_principal principal, void *data)
struct cpw_entry_data *e = data;
if (e->random_key)
return set_random_key(e->kadm_handle, principal, e->enctypes, e->keepold);
return set_random_key(e->kadm_handle, principal, e->keepold);
else if (e->random_password)
return set_random_password(e->kadm_handle, principal, e->enctypes, e->keepold);
return set_random_password(e->kadm_handle, principal, e->keepold);
else if (e->key_data)
return set_key_data(e->kadm_handle, principal, e->key_data, e->keepold);
else
return set_password(e->kadm_handle, principal, e->enctypes, e->password, e->keepold);
return set_password(e->kadm_handle, principal, e->password, e->keepold);
}
int
@@ -203,7 +164,6 @@ cpw_entry(struct passwd_options *opt, int argc, char **argv)
ret = kadm5_dup_context(kadm_handle, &data.kadm_handle);
if (ret)
krb5_err(context, 1, ret, "Could not duplicate kadmin connection");
data.enctypes = opt->enctypes_string;
data.random_key = opt->random_key_flag;
data.random_password = opt->random_password_flag;
data.password = opt->password_string;


@@ -144,7 +144,7 @@ do_ext_keytab(krb5_principal principal, void *data)
kadm5_free_principal_ent(e->kadm_handle, &princ);
if (k) {
for (i = 0; i < n_k; i++)
krb5_free_keyblock_contents(context, &k[i]);
memset(k[i].keyvalue.data, 0, k[i].keyvalue.length);
free(k);
}
free(unparsed);
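Review bot: The loop body `memset(k[i].keyvalue.data, 0, k[i].keyvalue.length);` scrubs each exported key but never frees `keyvalue.data`, and only the array `k` is freed on the next line, so every keyblock buffer leaks on each do_ext_keytab call. The scrub-and-release pair should be `memset_s(k[i].keyvalue.data, k[i].keyvalue.length, 0, k[i].keyvalue.length); free(k[i].keyvalue.data);` inside braces (memset_s rather than memset, as cpw.c in this same change uses, so the compiler cannot elide a store immediately preceding free), or a single `krb5_free_keyblock_contents(context, &k[i]);` if that helper is known to zero before freeing — verify. do_ext_keytab starts outside the hunk.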
@@ -199,7 +199,7 @@ ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
enctypes = krb5_config_get_string(context, NULL, "libdefaults",
"supported_enctypes", NULL);
if (enctypes == NULL || enctypes[0] == '\0')
enctypes = "aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192";
enctypes = "aes128-cts-hmac-sha1-96";
ret = krb5_string_to_keysalts2(context, enctypes, &data.nkstuple,
&data.kstuple);
if (ret) {


@@ -1,81 +0,0 @@
Kadmind Fuzzing Corpus
======================
This directory contains seed inputs for fuzzing kadmind RPC handling.
Usage
-----
Run kadmind in fuzzing mode:
./kadmind --fuzz-stdin < corpus_file.bin > output.bin
Or with a specific realm:
./kadmind -r MY.REALM --fuzz-stdin < corpus_file.bin
Message Format
--------------
Each corpus file contains a length-prefixed message:
[4-byte big-endian length][message payload]
The message payload starts with a 4-byte command number (kadm_ops enum):
kadm_get = 0 - Get principal
kadm_delete = 1 - Delete principal
kadm_create = 2 - Create principal
kadm_rename = 3 - Rename principal
kadm_chpass = 4 - Change password
kadm_modify = 5 - Modify principal
kadm_randkey = 6 - Randomize keys
kadm_get_privs = 7 - Get admin privileges
kadm_get_princs = 8 - List principals
kadm_chpass_with_key = 9 - Change password with explicit keys
kadm_nop = 10 - No operation (ping/interrupt)
kadm_prune = 11 - Prune old keys
Corpus Files
------------
Normal operations:
nop_reply.bin - NOP with reply requested
nop_noreply.bin - NOP without reply (interrupt)
get_principal.bin - GET with basic mask
get_principal_all.bin - GET with all fields
delete_principal.bin - DELETE principal
create_principal.bin - CREATE with minimal fields
create_principal_attrs.bin - CREATE with attributes
modify_principal.bin - MODIFY principal
rename_principal.bin - RENAME principal
chpass_principal.bin - CHPASS
chpass_principal_keepold.bin - CHPASS keeping old keys
randkey_principal.bin - RANDKEY simple
randkey_principal_full.bin - RANDKEY with ks_tuples
get_privs.bin - GET_PRIVS
get_princs_all.bin - LIST all principals
get_princs_expr.bin - LIST with expression
get_princs_iter.bin - LIST with online iteration
prune_principal.bin - PRUNE to specific kvno
prune_principal_all.bin - PRUNE (no kvno)
chpass_with_key.bin - CHPASS_WITH_KEY
create_with_tldata.bin - CREATE with TL_DATA
create_empty_password.bin - CREATE with empty password
Edge cases and malformed inputs:
invalid_cmd.bin - Invalid command number
truncated_get.bin - GET with missing data
malformed_principal.bin - Bad principal encoding
long_principal.bin - Very long principal name
many_components.bin - Principal with many components
large_nkeydata.bin - Large n_key_data (overflow test)
negative_nkeydata.bin - Negative n_key_data
empty_message.bin - Zero-length message
Regenerating
------------
Run gen_corpus.py to regenerate all corpus files:
python3 gen_corpus.py



@@ -1,472 +0,0 @@
#!/usr/bin/env python3
"""
Generate fuzz corpus for kadmind RPC testing.
Message format:
4-byte big-endian length prefix
N bytes of message data
The message data starts with a 4-byte command number (kadm_ops enum).
The fuzzer pre-populates the HDB with these principals (in FUZZ.REALM):
- test
- admin/admin
- user1
- user2
- host/localhost
- HTTP/www.example.com
- krbtgt/FUZZ.REALM
"""
import struct
import os
# kadm_ops enum values
KADM_GET = 0
KADM_DELETE = 1
KADM_CREATE = 2
KADM_RENAME = 3
KADM_CHPASS = 4
KADM_MODIFY = 5
KADM_RANDKEY = 6
KADM_GET_PRIVS = 7
KADM_GET_PRINCS = 8
KADM_CHPASS_WITH_KEY = 9
KADM_NOP = 10
KADM_PRUNE = 11
# Pre-populated principals (must match kadmind.c fuzz_stdin)
EXISTING_PRINCIPALS = [
"test",
"admin/admin",
"user1",
"user2",
"host/localhost",
"HTTP/www.example.com",
"krbtgt/FUZZ.REALM",
]
# KADM5 mask bits (from admin.h)
KADM5_PRINCIPAL = 0x000001
KADM5_PRINC_EXPIRE_TIME = 0x000002
KADM5_PW_EXPIRATION = 0x000004
KADM5_LAST_PWD_CHANGE = 0x000008
KADM5_ATTRIBUTES = 0x000010
KADM5_MAX_LIFE = 0x000020
KADM5_MOD_TIME = 0x000040
KADM5_MOD_NAME = 0x000080
KADM5_KVNO = 0x000100
KADM5_MKVNO = 0x000200
KADM5_AUX_ATTRIBUTES = 0x000400
KADM5_POLICY = 0x000800
KADM5_POLICY_CLR = 0x001000
KADM5_MAX_RLIFE = 0x002000
KADM5_LAST_SUCCESS = 0x004000
KADM5_LAST_FAILED = 0x008000
KADM5_FAIL_AUTH_COUNT = 0x010000
KADM5_KEY_DATA = 0x020000
KADM5_TL_DATA = 0x040000
def pack_int32(val):
"""Pack a 32-bit big-endian integer."""
return struct.pack('>i', val)
def pack_uint32(val):
"""Pack a 32-bit big-endian unsigned integer."""
return struct.pack('>I', val)
def pack_string(s):
"""Pack a string (4-byte length + data + null terminator)."""
# Heimdal krb5_store_string includes null terminator in length
data = s.encode('utf-8') + b'\x00'
return pack_uint32(len(data)) + data
def pack_data(d):
"""Pack binary data (4-byte length + data)."""
return pack_uint32(len(d)) + d
def pack_principal(name, realm="FUZZ.REALM"):
"""
Pack a Kerberos principal.
Format: name_type (4), num_components (4), realm (string),
components (string each)
"""
parts = name.split('/')
# KRB5_NT_PRINCIPAL = 1
result = pack_int32(1) # name_type
result += pack_int32(len(parts)) # num_components
result += pack_string(realm) # realm
for part in parts:
result += pack_string(part)
return result
def pack_principal_ent(principal_name, mask, realm="FUZZ.REALM"):
"""
Pack a kadm5_principal_ent structure.
Only includes fields indicated by mask.
"""
result = pack_int32(mask) # mask comes first
if mask & KADM5_PRINCIPAL:
result += pack_principal(principal_name, realm)
if mask & KADM5_PRINC_EXPIRE_TIME:
result += pack_int32(0) # princ_expire_time
if mask & KADM5_PW_EXPIRATION:
result += pack_int32(0) # pw_expiration
if mask & KADM5_LAST_PWD_CHANGE:
result += pack_int32(0) # last_pwd_change
if mask & KADM5_MAX_LIFE:
result += pack_int32(86400) # max_life = 1 day
if mask & KADM5_MOD_NAME:
result += pack_int32(0) # mod_name is NULL
if mask & KADM5_MOD_TIME:
result += pack_int32(0) # mod_date
if mask & KADM5_ATTRIBUTES:
result += pack_int32(0) # attributes
if mask & KADM5_KVNO:
result += pack_int32(1) # kvno
if mask & KADM5_MKVNO:
result += pack_int32(1) # mkvno
if mask & KADM5_POLICY:
result += pack_int32(0) # policy is NULL
if mask & KADM5_AUX_ATTRIBUTES:
result += pack_int32(0) # aux_attributes
if mask & KADM5_MAX_RLIFE:
result += pack_int32(604800) # max_renewable_life = 1 week
if mask & KADM5_LAST_SUCCESS:
result += pack_int32(0)
if mask & KADM5_LAST_FAILED:
result += pack_int32(0)
if mask & KADM5_FAIL_AUTH_COUNT:
result += pack_int32(0)
if mask & KADM5_KEY_DATA:
result += pack_int32(0) # n_key_data = 0
if mask & KADM5_TL_DATA:
result += pack_int32(0) # n_tl_data = 0
return result
def wrap_message(data):
"""Wrap message data with 4-byte length prefix."""
return pack_uint32(len(data)) + data
def write_corpus(filename, data):
"""Write a corpus file."""
path = os.path.join(os.path.dirname(__file__), filename)
with open(path, 'wb') as f:
f.write(wrap_message(data))
print(f"Created (unknown) ({len(data)} bytes payload)")
# Generate corpus files
# ========== Basic operations ==========
# 1. NOP with reply wanted
write_corpus("nop_reply.bin",
pack_int32(KADM_NOP) + pack_int32(1))
# 2. NOP without reply (interrupt request)
write_corpus("nop_noreply.bin",
pack_int32(KADM_NOP) + pack_int32(0))
# 3. GET_PRIVS
write_corpus("get_privs.bin",
pack_int32(KADM_GET_PRIVS))
# ========== Operations on EXISTING principals ==========
# These should exercise deeper code paths since the principals exist
# 4. GET existing principal "test"
write_corpus("get_existing_test.bin",
pack_int32(KADM_GET) +
pack_principal("test") +
pack_int32(KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES))
# 5. GET existing principal with all fields
write_corpus("get_existing_all.bin",
pack_int32(KADM_GET) +
pack_principal("test") +
pack_int32(0x7FFFF)) # All mask bits
# 6. GET existing admin/admin
write_corpus("get_existing_admin.bin",
pack_int32(KADM_GET) +
pack_principal("admin/admin") +
pack_int32(KADM5_PRINCIPAL | KADM5_KVNO))
# 7. GET existing host principal
write_corpus("get_existing_host.bin",
pack_int32(KADM_GET) +
pack_principal("host/localhost") +
pack_int32(KADM5_PRINCIPAL | KADM5_KEY_DATA))
# 8. GET existing HTTP service
write_corpus("get_existing_http.bin",
pack_int32(KADM_GET) +
pack_principal("HTTP/www.example.com") +
pack_int32(KADM5_PRINCIPAL))
# 9. GET krbtgt (special principal)
write_corpus("get_existing_krbtgt.bin",
pack_int32(KADM_GET) +
pack_principal("krbtgt/FUZZ.REALM") +
pack_int32(KADM5_PRINCIPAL | KADM5_KVNO | KADM5_MAX_LIFE))
# 10. CHPASS on existing principal
write_corpus("chpass_existing.bin",
pack_int32(KADM_CHPASS) +
pack_principal("user1") +
pack_string("newpassword123") +
pack_int32(0)) # keepold = false
# 11. CHPASS on existing with keepold
write_corpus("chpass_existing_keepold.bin",
pack_int32(KADM_CHPASS) +
pack_principal("user2") +
pack_string("anotherpassword") +
pack_int32(1)) # keepold = true
# 12. RANDKEY on existing principal
write_corpus("randkey_existing.bin",
pack_int32(KADM_RANDKEY) +
pack_principal("test"))
# 13. RANDKEY on existing with ks_tuples
write_corpus("randkey_existing_full.bin",
pack_int32(KADM_RANDKEY) +
pack_principal("user1") +
pack_int32(1) + # keepold
pack_int32(2) + # n_ks_tuple
pack_int32(17) + pack_int32(0) + # aes128-cts-hmac-sha1-96
pack_int32(18) + pack_int32(0)) # aes256-cts-hmac-sha1-96
# 14. MODIFY existing principal
mask = KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_MAX_LIFE
write_corpus("modify_existing.bin",
pack_int32(KADM_MODIFY) +
pack_principal_ent("test", mask) +
pack_int32(mask))
# 15. MODIFY existing - change max_renewable_life
mask = KADM5_PRINCIPAL | KADM5_MAX_RLIFE
write_corpus("modify_existing_rlife.bin",
pack_int32(KADM_MODIFY) +
pack_principal_ent("user1", mask) +
pack_int32(mask))
# 16. PRUNE existing principal
write_corpus("prune_existing.bin",
pack_int32(KADM_PRUNE) +
pack_principal("test") +
pack_int32(1)) # keep kvno >= 1
# 17. RENAME existing to new
write_corpus("rename_existing.bin",
pack_int32(KADM_RENAME) +
pack_principal("user2") +
pack_principal("user2_renamed"))
# 18. CHPASS_WITH_KEY on existing
key_data = (
pack_int32(2) + # key_data_ver
pack_int32(2) + # key_data_kvno
pack_int32(17) + # aes128
pack_data(b'\x00' * 16) +
pack_int32(0) + # no salt type
pack_data(b'')
)
write_corpus("chpass_key_existing.bin",
pack_int32(KADM_CHPASS_WITH_KEY) +
pack_principal("test") +
pack_int32(1) + # n_key_data
pack_int32(0) + # keepold
key_data)
# ========== Operations on NON-EXISTING principals ==========
# 19. GET non-existing principal
write_corpus("get_nonexisting.bin",
pack_int32(KADM_GET) +
pack_principal("does/not/exist") +
pack_int32(KADM5_PRINCIPAL))
# 20. DELETE non-existing principal
write_corpus("delete_nonexisting.bin",
pack_int32(KADM_DELETE) +
pack_principal("nonexistent"))
# 21. CREATE new principal
mask = KADM5_PRINCIPAL | KADM5_MAX_LIFE | KADM5_MAX_RLIFE
write_corpus("create_new.bin",
pack_int32(KADM_CREATE) +
pack_principal_ent("newprinc", mask) +
pack_int32(mask) +
pack_string("password123"))
# 22. CREATE with various attributes
mask = KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_PRINC_EXPIRE_TIME
write_corpus("create_with_attrs.bin",
pack_int32(KADM_CREATE) +
pack_principal_ent("newprinc2", mask) +
pack_int32(mask) +
pack_string("password456"))
# ========== GET_PRINCS listing ==========
# 23. GET_PRINCS - list all
write_corpus("get_princs_all.bin",
pack_int32(KADM_GET_PRINCS) +
pack_int32(0)) # no expression
# 24. GET_PRINCS with wildcard
write_corpus("get_princs_wildcard.bin",
pack_int32(KADM_GET_PRINCS) +
pack_int32(1) +
pack_string("*"))
# 25. GET_PRINCS with pattern
write_corpus("get_princs_user.bin",
pack_int32(KADM_GET_PRINCS) +
pack_int32(1) +
pack_string("user*"))
# 26. GET_PRINCS with host pattern
write_corpus("get_princs_host.bin",
pack_int32(KADM_GET_PRINCS) +
pack_int32(1) +
pack_string("host/*"))
# 27. GET_PRINCS online iteration mode
write_corpus("get_princs_iter.bin",
pack_int32(KADM_GET_PRINCS) +
pack_int32(0x55555555) +
pack_string("*"))
# ========== Edge cases and malformed inputs ==========
# 28. Invalid command
write_corpus("invalid_cmd.bin",
pack_int32(99))
# 29. Truncated message
write_corpus("truncated_get.bin",
pack_int32(KADM_GET))
# 30. Malformed principal (bad component count)
write_corpus("malformed_principal.bin",
pack_int32(KADM_GET) +
pack_int32(1) + # name_type
pack_int32(-1) + # invalid num_components
pack_string("FUZZ.REALM"))
# 31. Very long principal name
write_corpus("long_principal.bin",
pack_int32(KADM_GET) +
pack_principal("A" * 1000))
# 32. Principal with many components
write_corpus("many_components.bin",
pack_int32(KADM_GET) +
pack_principal("/".join(["c"] * 50)))
# 33. Empty password create
mask = KADM5_PRINCIPAL
write_corpus("create_empty_password.bin",
pack_int32(KADM_CREATE) +
pack_principal_ent("emptypass", mask) +
pack_int32(mask) +
pack_string(""))
# 34. Create with TL_DATA
mask = KADM5_PRINCIPAL | KADM5_TL_DATA
tl_data = (
pack_int32(1) + # tl_data_type
pack_data(b'test tl data content')
)
princ_with_tl = (
pack_int32(mask) +
pack_principal("withtldata") +
pack_int32(1) + # n_tl_data
tl_data
)
write_corpus("create_with_tldata.bin",
pack_int32(KADM_CREATE) +
princ_with_tl +
pack_int32(mask) +
pack_string("password"))
# 35. Large n_key_data (integer overflow)
write_corpus("large_nkeydata.bin",
pack_int32(KADM_CHPASS_WITH_KEY) +
pack_principal("test") +
pack_int32(0x7FFFFFFF) +
pack_int32(0))
# 36. Negative n_key_data
write_corpus("negative_nkeydata.bin",
pack_int32(KADM_CHPASS_WITH_KEY) +
pack_principal("test") +
pack_int32(-1) +
pack_int32(0))
# 37. Zero-length message
with open(os.path.join(os.path.dirname(__file__), "empty_message.bin"), 'wb') as f:
f.write(pack_uint32(0))
print("Created empty_message.bin (0 bytes payload)")
# 38. Multiple key_data entries
multi_key = b''
for i in range(3):
multi_key += (
pack_int32(2) + # ver
pack_int32(i + 1) + # kvno
pack_int32(17) + # aes128
pack_data(b'\x00' * 16) +
pack_int32(0) +
pack_data(b'')
)
write_corpus("chpass_multikey.bin",
pack_int32(KADM_CHPASS_WITH_KEY) +
pack_principal("test") +
pack_int32(3) + # n_key_data
pack_int32(1) + # keepold
multi_key)
# 39. MODIFY with policy (even though we don't have policies)
mask = KADM5_PRINCIPAL | KADM5_POLICY
write_corpus("modify_with_policy.bin",
pack_int32(KADM_MODIFY) +
pack_int32(mask) +
pack_principal("test") +
pack_int32(1) + # policy is present
pack_string("default") +
pack_int32(mask))
# 40. DELETE existing principal (exercising actual delete path)
write_corpus("delete_existing.bin",
pack_int32(KADM_DELETE) +
pack_principal("user1"))
# 41. Cross-realm principal reference
write_corpus("get_crossrealm.bin",
pack_int32(KADM_GET) +
pack_principal("user", "OTHER.REALM") +
pack_int32(KADM5_PRINCIPAL))
# 42. Service principal with instance
write_corpus("create_service.bin",
pack_int32(KADM_CREATE) +
pack_principal_ent("ldap/server.example.com", KADM5_PRINCIPAL | KADM5_MAX_LIFE) +
pack_int32(KADM5_PRINCIPAL | KADM5_MAX_LIFE) +
pack_string("servicepass"))
print("\nCorpus generation complete!")
