diff options
| author | nectar <nectar@FreeBSD.org> | 2004-04-03 21:22:55 +0000 |
|---|---|---|
| committer | nectar <nectar@FreeBSD.org> | 2004-04-03 21:22:55 +0000 |
| commit | bfc5316dea97d244a21b45ed0dce56f39074ba1b (patch) | |
| tree | f009994dd04757b68eff8742614cca170aff5bb3 /crypto/heimdal/kdc | |
| parent | 084fdb0d6e4fe40ab8ff47ca033fdbcb7899aae1 (diff) | |
| download | FreeBSD-src-bfc5316dea97d244a21b45ed0dce56f39074ba1b.zip FreeBSD-src-bfc5316dea97d244a21b45ed0dce56f39074ba1b.tar.gz | |
Vendor import of Heimdal 0.6.1.
Diffstat (limited to 'crypto/heimdal/kdc')
| -rw-r--r-- | crypto/heimdal/kdc/Makefile.in | 380 | ||||
| -rw-r--r-- | crypto/heimdal/kdc/config.c | 24 | ||||
| -rw-r--r-- | crypto/heimdal/kdc/connect.c | 21 | ||||
| -rw-r--r-- | crypto/heimdal/kdc/kaserver.c | 11 | ||||
| -rw-r--r-- | crypto/heimdal/kdc/kdc.8 | 8 | ||||
| -rw-r--r-- | crypto/heimdal/kdc/kdc_locl.h | 6 | ||||
| -rw-r--r-- | crypto/heimdal/kdc/kerberos4.c | 38 | ||||
| -rw-r--r-- | crypto/heimdal/kdc/kerberos5.c | 178 |
8 files changed, 459 insertions, 207 deletions
diff --git a/crypto/heimdal/kdc/Makefile.in b/crypto/heimdal/kdc/Makefile.in index 298d382..458b6e9 100644 --- a/crypto/heimdal/kdc/Makefile.in +++ b/crypto/heimdal/kdc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.6.1 from Makefile.am. +# Makefile.in generated by automake 1.7.9 from Makefile.am. # @configure_input@ -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 +# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003 # Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -18,109 +18,191 @@ # $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ -# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $ -SHELL = @SHELL@ +# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ srcdir = @srcdir@ top_srcdir = @top_srcdir@ VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ top_builddir = .. -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ +install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ +transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : -host_alias = @host_alias@ host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ +ACLOCAL = @ACLOCAL@ +AIX4_FALSE = @AIX4_FALSE@ +AIX4_TRUE = @AIX4_TRUE@ +AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ +AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ +AIX_FALSE = @AIX_FALSE@ +AIX_TRUE = @AIX_TRUE@ AMTAR = @AMTAR@ -AS = @AS@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CANONICAL_HOST = @CANONICAL_HOST@ CATMAN = @CATMAN@ CATMANEXT = @CATMANEXT@ +CATMAN_FALSE = @CATMAN_FALSE@ +CATMAN_TRUE = @CATMAN_TRUE@ CC = @CC@ +CFLAGS = @CFLAGS@ COMPILE_ET = @COMPILE_ET@ CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ +DCE_FALSE = @DCE_FALSE@ +DCE_TRUE = @DCE_TRUE@ +DEFS = @DEFS@ DIR_com_err = @DIR_com_err@ DIR_des = @DIR_des@ DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ EXTRA_LIB45 = @EXTRA_LIB45@ +F77 = @F77@ +FFLAGS = @FFLAGS@ GROFF = @GROFF@ +HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ +HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ +HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ +HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ +HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ +HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ +HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ +HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ +HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ +HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ +HAVE_X_FALSE = @HAVE_X_FALSE@ +HAVE_X_TRUE = @HAVE_X_TRUE@ INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ INCLUDE_des = @INCLUDE_des@ +INCLUDE_hesiod = @INCLUDE_hesiod@ + +INCLUDE_krb4 = @INCLUDE_krb4@ + +INCLUDE_openldap = @INCLUDE_openldap@ + +INCLUDE_readline = @INCLUDE_readline@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +IRIX_FALSE = @IRIX_FALSE@ +IRIX_TRUE = @IRIX_TRUE@ +KRB4_FALSE = @KRB4_FALSE@ +KRB4_TRUE = @KRB4_TRUE@ +KRB5_FALSE = @KRB5_FALSE@ +KRB5_TRUE = @KRB5_TRUE@ +LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ LIB_NDBM = @LIB_NDBM@ +LIB_XauFileName = @LIB_XauFileName@ + +LIB_XauReadAuth = @LIB_XauReadAuth@ +LIB_XauWriteAuth = @LIB_XauWriteAuth@ +LIB_bswap16 = @LIB_bswap16@ +LIB_bswap32 = @LIB_bswap32@ LIB_com_err = @LIB_com_err@ LIB_com_err_a = @LIB_com_err_a@ LIB_com_err_so = @LIB_com_err_so@ +LIB_crypt = @LIB_crypt@ +LIB_db_create = @LIB_db_create@ +LIB_dbm_firstkey = @LIB_dbm_firstkey@ +LIB_dbopen = @LIB_dbopen@ LIB_des = @LIB_des@ LIB_des_a = @LIB_des_a@ LIB_des_appl = @LIB_des_appl@ LIB_des_so = @LIB_des_so@ +LIB_dlopen = @LIB_dlopen@ +LIB_dn_expand = @LIB_dn_expand@ +LIB_el_init = @LIB_el_init@ +LIB_freeaddrinfo = @LIB_freeaddrinfo@ +LIB_gai_strerror = @LIB_gai_strerror@ +LIB_getaddrinfo = @LIB_getaddrinfo@ +LIB_gethostbyname = @LIB_gethostbyname@ +LIB_gethostbyname2 = @LIB_gethostbyname2@ +LIB_getnameinfo = @LIB_getnameinfo@ +LIB_getpwnam_r = @LIB_getpwnam_r@ +LIB_getsockopt = @LIB_getsockopt@ +LIB_hesiod = @LIB_hesiod@ +LIB_hstrerror = @LIB_hstrerror@ LIB_kdb = @LIB_kdb@ +LIB_krb4 = @LIB_krb4@ +LIB_krb_disable_debug = @LIB_krb_disable_debug@ +LIB_krb_enable_debug = @LIB_krb_enable_debug@ +LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ +LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ +LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ +LIB_loadquery = @LIB_loadquery@ +LIB_logout = @LIB_logout@ +LIB_logwtmp = @LIB_logwtmp@ +LIB_openldap = @LIB_openldap@ +LIB_openpty = @LIB_openpty@ LIB_otp = @LIB_otp@ +LIB_pidfile = @LIB_pidfile@ +LIB_readline = @LIB_readline@ +LIB_res_nsearch = @LIB_res_nsearch@ +LIB_res_search = @LIB_res_search@ LIB_roken = @LIB_roken@ LIB_security = @LIB_security@ +LIB_setsockopt = @LIB_setsockopt@ +LIB_socket = @LIB_socket@ +LIB_syslog = @LIB_syslog@ +LIB_tgetent = @LIB_tgetent@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ +MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ +MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ +MAKEINFO = @MAKEINFO@ NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTP_FALSE = @OTP_FALSE@ +OTP_TRUE = @OTP_TRUE@ PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ RANLIB = @RANLIB@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ @@ -132,14 +214,57 @@ X_EXTRA_LIBS = @X_EXTRA_LIBS@ X_LIBS = @X_LIBS@ X_PRE_LIBS = @X_PRE_LIBS@ YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +ac_ct_RANLIB = @ac_ct_RANLIB@ +ac_ct_STRIP = @ac_ct_STRIP@ +am__leading_dot = @am__leading_dot@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +datadir = @datadir@ +do_roken_rename_FALSE = @do_roken_rename_FALSE@ +do_roken_rename_TRUE = @do_roken_rename_TRUE@ dpagaix_cflags = @dpagaix_cflags@ dpagaix_ldadd = @dpagaix_ldadd@ dpagaix_ldflags = @dpagaix_ldflags@ +el_compat_FALSE = @el_compat_FALSE@ +el_compat_TRUE = @el_compat_TRUE@ +exec_prefix = @exec_prefix@ +have_err_h_FALSE = @have_err_h_FALSE@ +have_err_h_TRUE = @have_err_h_TRUE@ +have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ +have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ +have_glob_h_FALSE = @have_glob_h_FALSE@ +have_glob_h_TRUE = @have_glob_h_TRUE@ +have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ +have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ +have_vis_h_FALSE = @have_vis_h_FALSE@ +have_vis_h_TRUE = @have_vis_h_TRUE@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +includedir = @includedir@ +infodir = @infodir@ install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 +libdir = @libdir@ +libexecdir = @libexecdir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +oldincludedir = @oldincludedir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 @@ -152,44 +277,13 @@ AM_CFLAGS = $(WFLAGS) CP = cp buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ HESIODLIB = @HESIODLIB@ HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ NROFF_MAN = groff -mandoc -Tascii @@ -267,6 +361,7 @@ LDADD = $(top_builddir)/lib/hdb/libhdb.la \ kdc_LDADD = $(LDADD) $(LIB_pidfile) subdir = kdc +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/include/config.h CONFIG_CLEAN_FILES = @@ -287,6 +382,8 @@ hpropd_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ $(top_builddir)/lib/krb5/libkrb5.la \ $(top_builddir)/lib/asn1/libasn1.la hpropd_LDFLAGS = +am__kdc_SOURCES_DIST = config.c connect.c kdc_locl.h kerberos5.c log.c \ + main.c misc.c 524.c kerberos4.c kaserver.c rx.h @KRB4_TRUE@am__objects_1 = kaserver.$(OBJEXT) @KRB4_FALSE@am__objects_1 = am_kdc_OBJECTS = config.$(OBJEXT) connect.$(OBJEXT) kerberos5.$(OBJEXT) \ @@ -312,11 +409,7 @@ string2key_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ $(top_builddir)/lib/asn1/libasn1.la string2key_LDFLAGS = -DEFS = @DEFS@ DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -326,11 +419,11 @@ LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ CCLD = $(CC) LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) \ - $(kstash_SOURCES) $(string2key_SOURCES) +DIST_SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) \ + $(am__kdc_SOURCES_DIST) $(kstash_SOURCES) $(string2key_SOURCES) MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in +DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ + $(top_srcdir)/cf/Makefile.am.common Makefile.am SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES) $(string2key_SOURCES) all: all-am @@ -351,24 +444,26 @@ install-binPROGRAMS: $(bin_PROGRAMS) if test -f $$p \ || test -f $$p1 \ ; then \ - p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \ - f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f || exit 1; \ else :; fi; \ done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - f=`echo "$$f" | sed -e 's,^.*/,,'`; \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ rm -f $(DESTDIR)$(bindir)/$$f; \ done clean-binPROGRAMS: - -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) + @list='$(bin_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) install-libexecPROGRAMS: $(libexec_PROGRAMS) @$(NORMAL_INSTALL) @@ -378,24 +473,26 @@ install-libexecPROGRAMS: $(libexec_PROGRAMS) if test -f $$p \ || test -f $$p1 \ ; then \ - p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \ - f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f || exit 1; \ else :; fi; \ done uninstall-libexecPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - f=`echo "$$f" | sed -e 's,^.*/,,'`; \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ rm -f $(DESTDIR)$(libexecdir)/$$f; \ done clean-libexecPROGRAMS: - -test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS) + @list='$(libexec_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) @@ -405,24 +502,26 @@ install-sbinPROGRAMS: $(sbin_PROGRAMS) if test -f $$p \ || test -f $$p1 \ ; then \ - p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \ - f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f || exit 1; \ else :; fi; \ done uninstall-sbinPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - f=`echo "$$f" | sed -e 's,^.*/,,'`; \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \ rm -f $(DESTDIR)$(sbindir)/$$f; \ done clean-sbinPROGRAMS: - -test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS) + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done hprop$(EXEEXT): $(hprop_OBJECTS) $(hprop_DEPENDENCIES) @rm -f hprop$(EXEEXT) $(LINK) $(hprop_LDFLAGS) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS) @@ -449,7 +548,7 @@ distclean-compile: $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< .c.obj: - $(COMPILE) -c `cygpath -w $<` + $(COMPILE) -c `if test -f '$<'; then $(CYGPATH_W) '$<'; else $(CYGPATH_W) '$(srcdir)/$<'; fi` .c.lo: $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< @@ -479,6 +578,10 @@ install-man8: $(man8_MANS) $(man_MANS) if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ else file=$$i; fi; \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -496,6 +599,10 @@ uninstall-man8: done; \ for i in $$list; do \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -506,6 +613,9 @@ uninstall-man8: ETAGS = etags ETAGSFLAGS = +CTAGS = ctags +CTAGSFLAGS = + tags: TAGS ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) @@ -531,20 +641,42 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$tags $$unique +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && cd $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) $$here distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) top_distdir = .. distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) distdir: $(DISTFILES) - @for file in $(DISTFILES); do \ + $(mkinstalldirs) $(distdir)/.. $(distdir)/../cf + @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ + list='$(DISTFILES)'; for file in $$list; do \ + case $$file in \ + $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ + $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ + esac; \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ if test "$$dir" != "$$file" && test "$$dir" != "."; then \ @@ -565,7 +697,7 @@ distdir: $(DISTFILES) fi; \ done $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ dist-hook check-am: all-am $(MAKE) $(AM_MAKEFLAGS) check-local @@ -574,7 +706,6 @@ all-am: Makefile $(PROGRAMS) $(MANS) all-local installdirs: $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir) $(DESTDIR)$(man8dir) - install: install-am install-exec: install-exec-am install-data: install-data-am @@ -586,7 +717,7 @@ install-am: all-am installcheck: installcheck-am install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ `test -z '$(STRIP)' || \ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install mostlyclean-generic: @@ -594,7 +725,7 @@ mostlyclean-generic: clean-generic: distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) stamp-h stamp-h[0-9]* + -rm -f $(CONFIG_CLEAN_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -605,7 +736,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ clean-libtool clean-sbinPROGRAMS mostlyclean-am distclean: distclean-am - + -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-libtool distclean-tags @@ -633,7 +764,7 @@ install-man: install-man8 installcheck-am: maintainer-clean: maintainer-clean-am - + -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am @@ -641,22 +772,31 @@ mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ uninstall-libexecPROGRAMS uninstall-man uninstall-sbinPROGRAMS uninstall-man: uninstall-man8 -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-exec install-exec-am \ - install-info install-info-am install-libexecPROGRAMS \ - install-man install-man8 install-sbinPROGRAMS install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ +.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ + clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ + clean-libtool clean-sbinPROGRAMS ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am info info-am install \ + install-am install-binPROGRAMS install-data install-data-am \ + install-exec install-exec-am install-info install-info-am \ + install-libexecPROGRAMS install-man install-man8 \ + install-sbinPROGRAMS install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ uninstall-am uninstall-binPROGRAMS uninstall-info-am \ uninstall-libexecPROGRAMS uninstall-man uninstall-man8 \ uninstall-sbinPROGRAMS diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c index dbe952f..8ab826a 100644 --- a/crypto/heimdal/kdc/config.c +++ b/crypto/heimdal/kdc/config.c @@ -35,7 +35,7 @@ #include <getarg.h> #include <parse_bytes.h> -RCSID("$Id: config.c,v 1.46 2003/03/18 00:22:23 lha Exp $"); +RCSID("$Id: config.c,v 1.46.2.2 2003/10/27 11:06:52 joda Exp $"); static const char *config_file; /* location of kdc config file */ @@ -64,6 +64,8 @@ krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */ krb5_boolean check_ticket_addresses; krb5_boolean allow_null_ticket_addresses; krb5_boolean allow_anonymous; +int trpolicy; +static const char *trpolicy_str; static struct getarg_strings addresses_str; /* addresses to listen on */ krb5_addresses explicit_addresses; @@ -293,9 +295,8 @@ configure(int argc, char **argv) get_dbinfo(); - if(max_request_str){ + if(max_request_str) max_request = parse_bytes(max_request_str, NULL); - } if(max_request == 0){ p = krb5_config_get_string (context, @@ -366,6 +367,23 @@ configure(int argc, char **argv) allow_anonymous = krb5_config_get_bool(context, NULL, "kdc", "allow-anonymous", NULL); + trpolicy_str = + krb5_config_get_string_default(context, NULL, "always-check", "kdc", + "transited-policy", NULL); + if(strcasecmp(trpolicy_str, "always-check") == 0) + trpolicy = TRPOLICY_ALWAYS_CHECK; + else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) + trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; + else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) + trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; + else { + kdc_log(0, "unknown transited-policy: %s, reverting to always-check", + trpolicy_str); + trpolicy = TRPOLICY_ALWAYS_CHECK; + } + + krb5_config_get_bool_default(context, NULL, TRUE, "kdc", + "enforce-transited-policy", NULL); #ifdef KRB4 if(v4_realm == NULL){ p = krb5_config_get_string (context, NULL, diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c index 3ad1c1d..7f3b10e 100644 --- a/crypto/heimdal/kdc/connect.c +++ b/crypto/heimdal/kdc/connect.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: connect.c,v 1.90 2003/02/18 15:39:10 lha Exp $"); +RCSID("$Id: connect.c,v 1.90.2.1 2003/08/25 11:46:55 lha Exp $"); /* * a tuple describing on what to listen @@ -547,21 +547,23 @@ grow_descr (struct descr *d, size_t n) { if (d->size - d->len < n) { unsigned char *tmp; + size_t grow; - d->size += max(1024, d->len + n); - if (d->size >= max_request) { + grow = max(1024, d->len + n); + if (d->size + grow > max_request) { kdc_log(0, "Request exceeds max request size (%lu bytes).", - (unsigned long)d->size); + (unsigned long)d->size + grow); clear_descr(d); return -1; } - tmp = realloc (d->buf, d->size); + tmp = realloc (d->buf, d->size + grow); if (tmp == NULL) { kdc_log(0, "Failed to re-allocate %lu bytes.", - (unsigned long)d->size); + (unsigned long)d->size + grow); clear_descr(d); return -1; } + d->size += grow; d->buf = tmp; } return 0; @@ -702,6 +704,11 @@ handle_tcp(struct descr *d, int index, int min_free) if(n < 0){ krb5_warn(context, errno, "recvfrom"); return; + } else if (n == 0) { + krb5_warnx(context, "connection closed before end of data after %d " + "bytes from %s", d[index].len, d[index].addr_string); + clear_descr (d + index); + return; } if (grow_descr (&d[index], n)) return; diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c index 1a998ee..8694471 100644 --- a/crypto/heimdal/kdc/kaserver.c +++ b/crypto/heimdal/kdc/kaserver.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c,v 1.21 2002/10/21 12:59:41 joda Exp $"); +RCSID("$Id: kaserver.c,v 1.21.2.1 2003/10/06 21:02:35 lha Exp $"); #include <rx.h> @@ -402,6 +402,10 @@ do_authenticate (struct rx_header *hdr, unparse_auth_args (sp, &name, &instance, &start_time, &end_time, &request, &max_seq_len); + if (request.length < 8) { + make_error_reply (hdr, KABADREQUEST, reply); + goto out; + } snprintf (client_name, sizeof(client_name), "%s.%s@%s", name, instance, v4_realm); @@ -600,6 +604,11 @@ do_getticket (struct rx_header *hdr, unparse_getticket_args (sp, &kvno, &auth_domain, &aticket, &name, &instance, ×, &max_seq_len); + if (times.length < 8) { + make_error_reply (hdr, KABADREQUEST, reply); + goto out; + + } snprintf (server_name, sizeof(server_name), "%s.%s@%s", name, instance, v4_realm); diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8 index baae563..29cca73 100644 --- a/crypto/heimdal/kdc/kdc.8 +++ b/crypto/heimdal/kdc/kdc.8 @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: kdc.8,v 1.23 2003/04/06 17:48:40 lha Exp $ +.\" $Id: kdc.8,v 1.23.2.1 2003/10/21 20:06:01 lha Exp $ .\" -.Dd August 22, 2002 +.Dd October 21, 2003 .Dt KDC 8 .Os HEIMDAL .Sh NAME @@ -185,6 +185,10 @@ Permit tickets with no addresses. This option is only relevant when check-ticket-addresses is TRUE. .It Li allow-anonymous = Va boolean Permit anonymous tickets with no addresses. +.It Li enforce-transited-policy = Va boolean +Always verify the transited policy, ignoring the +.Va disable-transited-check +flag if set in the KDC client request. .It encode_as_rep_as_tgs_rep = Va boolean Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The Heimdal clients allow both. diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h index 9c19f54..ed69f54 100644 --- a/crypto/heimdal/kdc/kdc_locl.h +++ b/crypto/heimdal/kdc/kdc_locl.h @@ -32,7 +32,7 @@ */ /* - * $Id: kdc_locl.h,v 1.58 2003/03/18 00:23:06 lha Exp $ + * $Id: kdc_locl.h,v 1.58.2.2 2003/10/27 11:07:16 joda Exp $ */ #ifndef __KDC_LOCL_H__ @@ -62,6 +62,10 @@ extern krb5_boolean encode_as_rep_as_tgs_rep; extern krb5_boolean check_ticket_addresses; extern krb5_boolean allow_null_ticket_addresses; extern krb5_boolean allow_anonymous; +enum { TRPOLICY_ALWAYS_CHECK, + TRPOLICY_ALLOW_PER_PRINCIPAL, + TRPOLICY_ALWAYS_HONOUR_REQUEST }; +extern int trpolicy; extern int enable_524; extern int enable_v4_cross_realm; diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c index 8c6c3f0..050db5d 100644 --- a/crypto/heimdal/kdc/kerberos4.c +++ b/crypto/heimdal/kdc/kerberos4.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos4.c,v 1.45 2003/03/17 05:37:55 assar Exp $"); +RCSID("$Id: kerberos4.c,v 1.45.2.1 2004/03/30 10:29:27 lha Exp $"); #ifdef KRB4 @@ -133,7 +133,7 @@ do_version4(unsigned char *buf, char *name = NULL, *inst = NULL, *realm = NULL; char *sname = NULL, *sinst = NULL; int32_t req_time; - time_t max_life; + time_t max_life, max_end, actual_end, issue_time; u_int8_t life; char client_name[256]; char server_name[256]; @@ -425,17 +425,22 @@ do_version4(unsigned char *buf, goto out2; } - max_life = krb_life_to_time(ad.time_sec, ad.life); - max_life = min(max_life, krb_life_to_time(kdc_time, life)); - life = min(life, krb_time_to_life(kdc_time, max_life)); - max_life = krb_life_to_time(0, life); -#if 0 - if(client->max_life) - max_life = min(max_life, *client->max_life); -#endif - if(server->max_life) - max_life = min(max_life, *server->max_life); + max_end = krb_life_to_time(ad.time_sec, ad.life); + max_end = min(max_end, krb_life_to_time(kdc_time, life)); + life = min(life, krb_time_to_life(kdc_time, max_end)); + issue_time = kdc_time; + actual_end = krb_life_to_time(issue_time, life); + while (actual_end > max_end && life > 1) { + /* move them into the next earlier lifetime bracket */ + life--; + actual_end = krb_life_to_time(issue_time, life); + } + if (actual_end > max_end) { + /* if life <= 1 and it's still too long, backdate the ticket */ + issue_time -= actual_end - max_end; + } + { KTEXT_ST cipher, ticket; KTEXT r; @@ -443,13 +448,14 @@ do_version4(unsigned char *buf, des_new_random_key(&session); krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm, - addr->sin_addr.s_addr, &session, life, kdc_time, + addr->sin_addr.s_addr, &session, life, + issue_time, sname, sinst, skey->key.keyvalue.data); create_ciph(&cipher, session, sname, sinst, v4_realm, life, server->kvno % 256, &ticket, - kdc_time, &ad.session); - + issue_time, &ad.session); + memset(&session, 0, sizeof(session)); memset(ad.session, 0, sizeof(ad.session)); diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c index 232c3ad..9dc3673 100644 --- a/crypto/heimdal/kdc/kerberos5.c +++ b/crypto/heimdal/kdc/kerberos5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.145 2003/04/15 11:07:39 lha Exp $"); +RCSID("$Id: kerberos5.c,v 1.145.2.3 2003/12/14 19:43:04 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -496,8 +496,8 @@ as_rep(KDC_REQ *req, krb5_enctype cetype, setype; EncTicketPart et; EncKDCRepPart ek; - krb5_principal client_princ, server_princ; - char *client_name, *server_name; + krb5_principal client_princ = NULL, server_princ = NULL; + char *client_name = NULL, *server_name = NULL; krb5_error_code ret = 0; const char *e_text = NULL; krb5_crypto crypto; @@ -506,27 +506,30 @@ as_rep(KDC_REQ *req, memset(&rep, 0, sizeof(rep)); if(b->sname == NULL){ - server_name = "<unknown server>"; ret = KRB5KRB_ERR_GENERIC; e_text = "No server in request"; } else{ principalname2krb5_principal (&server_princ, *(b->sname), b->realm); krb5_unparse_name(context, server_princ, &server_name); } + if (ret) { + kdc_log(0, "AS-REQ malformed server name from %s", from); + goto out; + } if(b->cname == NULL){ - client_name = "<unknown client>"; ret = KRB5KRB_ERR_GENERIC; e_text = "No client in request"; } else { principalname2krb5_principal (&client_princ, *(b->cname), b->realm); krb5_unparse_name(context, client_princ, &client_name); } - kdc_log(0, "AS-REQ %s from %s for %s", - client_name, from, server_name); - - if(ret) + if (ret) { + kdc_log(0, "AS-REQ malformed client name from %s", from); goto out; + } + + kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name); ret = db_fetch(client_princ, &client); if(ret){ @@ -842,13 +845,8 @@ as_rep(KDC_REQ *req, copy_HostAddresses(b->addresses, et.caddr); } - { - krb5_data empty_string; - - krb5_data_zero(&empty_string); - et.transited.tr_type = DOMAIN_X500_COMPRESS; - et.transited.contents = empty_string; - } + et.transited.tr_type = DOMAIN_X500_COMPRESS; + krb5_data_zero(&et.transited.contents); copy_EncryptionKey(&et.key, &ek.key); @@ -930,9 +928,11 @@ as_rep(KDC_REQ *req, ret = 0; } out2: - krb5_free_principal(context, client_princ); + if (client_princ) + krb5_free_principal(context, client_princ); free(client_name); - krb5_free_principal(context, server_princ); + if (server_princ) + krb5_free_principal(context, server_princ); free(server_name); if(client) free_ent(client); @@ -1055,33 +1055,35 @@ check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et) } static krb5_error_code -fix_transited_encoding(TransitedEncoding *tr, +fix_transited_encoding(krb5_boolean check_policy, + TransitedEncoding *tr, + EncTicketPart *et, const char *client_realm, const char *server_realm, const char *tgt_realm) { krb5_error_code ret = 0; - if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)){ - char **realms = NULL, **tmp; - int num_realms = 0; - int i; - if(tr->tr_type && tr->contents.length != 0) { - if(tr->tr_type != DOMAIN_X500_COMPRESS){ - kdc_log(0, "Unknown transited type: %u", - tr->tr_type); - return KRB5KDC_ERR_TRTYPE_NOSUPP; - } - ret = krb5_domain_x500_decode(context, - tr->contents, - &realms, - &num_realms, - client_realm, - server_realm); - if(ret){ - krb5_warn(context, ret, "Decoding transited encoding"); - return ret; - } - } + char **realms, **tmp; + int num_realms; + int i; + + if(tr->tr_type != DOMAIN_X500_COMPRESS) { + kdc_log(0, "Unknown transited type: %u", tr->tr_type); + return KRB5KDC_ERR_TRTYPE_NOSUPP; + } + + ret = krb5_domain_x500_decode(context, + tr->contents, + &realms, + &num_realms, + client_realm, + server_realm); + if(ret){ + krb5_warn(context, ret, "Decoding transited encoding"); + return ret; + } + if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { + /* not us, so add the previous realm to transited set */ if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) { ret = ERANGE; goto free_realms; @@ -1098,16 +1100,46 @@ fix_transited_encoding(TransitedEncoding *tr, goto free_realms; } num_realms++; - free_TransitedEncoding(tr); - tr->tr_type = DOMAIN_X500_COMPRESS; - ret = krb5_domain_x500_encode(realms, num_realms, &tr->contents); - if(ret) - krb5_warn(context, ret, "Encoding transited encoding"); - free_realms: + } + if(num_realms == 0) { + if(strcmp(client_realm, server_realm)) + kdc_log(0, "cross-realm %s -> %s", client_realm, server_realm); + } else { + size_t l = 0; + char *rs; for(i = 0; i < num_realms; i++) - free(realms[i]); - free(realms); + l += strlen(realms[i]) + 2; + rs = malloc(l); + if(rs != NULL) { + *rs = '\0'; + for(i = 0; i < num_realms; i++) { + if(i > 0) + strlcat(rs, ", ", l); + strlcat(rs, realms[i], l); + } + kdc_log(0, "cross-realm %s -> %s via [%s]", client_realm, server_realm, rs); + free(rs); + } } + if(check_policy) { + ret = krb5_check_transited(context, client_realm, + server_realm, + realms, num_realms, NULL); + if(ret) { + krb5_warn(context, ret, "cross-realm %s -> %s", + client_realm, server_realm); + goto free_realms; + } + et->flags.transited_policy_checked = 1; + } + et->transited.tr_type = DOMAIN_X500_COMPRESS; + ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents); + if(ret) + krb5_warn(context, ret, "Encoding transited encoding"); + free_realms: + for(i = 0; i < num_realms; i++) + free(realms[i]); + free(realms); return ret; } @@ -1175,8 +1207,28 @@ tgs_make_reply(KDC_REQ_BODY *b, if(ret) goto out; - copy_TransitedEncoding(&tgt->transited, &et.transited); - ret = fix_transited_encoding(&et.transited, + /* We should check the transited encoding if: + 1) the request doesn't ask not to be checked + 2) globally enforcing a check + 3) principal requires checking + 4) we allow non-check per-principal, but principal isn't marked as allowing this + 5) we don't globally allow this + */ + +#define GLOBAL_FORCE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_CHECK) +#define GLOBAL_ALLOW_PER_PRINCIPAL (trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL) +#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST) +/* these will consult the database in future release */ +#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0 +#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0 + + ret = fix_transited_encoding(!f.disable_transited_check || + GLOBAL_FORCE_TRANSITED_CHECK || + PRINCIPAL_FORCE_TRANSITED_CHECK(server) || + !((GLOBAL_ALLOW_PER_PRINCIPAL && + PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) || + GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), + &tgt->transited, &et, *krb5_princ_realm(context, client_principal), *krb5_princ_realm(context, server->principal), *krb5_princ_realm(context, krbtgt->principal)); @@ -1276,7 +1328,7 @@ tgs_make_reply(KDC_REQ_BODY *b, DES3? */ ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey, 0, &tgt->key, e_text, reply); -out: + out: free_TGS_REP(&rep); free_TransitedEncoding(&et.transited); if(et.starttime) @@ -1378,13 +1430,13 @@ get_krbtgt_realm(const PrincipalName *p) } static Realm -find_rpath(Realm r) +find_rpath(Realm crealm, Realm srealm) { const char *new_realm = krb5_config_get_string(context, NULL, - "libdefaults", - "capath", - r, + "capaths", + crealm, + srealm, NULL); return (Realm)new_realm; } @@ -1676,7 +1728,7 @@ tgs_rep2(KDC_REQ_BODY *b, if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { if(loop++ < 2) { - new_rlm = find_rpath(req_rlm); + new_rlm = find_rpath(tgt->crealm, req_rlm); if(new_rlm) { kdc_log(5, "krbtgt for realm %s not found, trying %s", req_rlm, new_rlm); @@ -1725,6 +1777,18 @@ tgs_rep2(KDC_REQ_BODY *b, } #endif + if(strcmp(krb5_principal_get_realm(context, sp), + krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) { + char *tpn; + ret = krb5_unparse_name(context, krbtgt->principal, &tpn); + kdc_log(0, "Request with wrong krbtgt: %s", (ret == 0) ? tpn : "<unknown>"); + if(ret == 0) + free(tpn); + ret = KRB5KRB_AP_ERR_NOT_US; + goto out; + + } + ret = check_flags(client, cpn, server, spn, FALSE); if(ret) goto out; |
