This commit was manufactured by cvs2svn to create tag krb5-1.3-alpha2
author: no author <devnull@mit.edu>
Sat, 12 Apr 2003 02:22:44 +0000 (02:22 +0000)
committer: no author <devnull@mit.edu>
Sat, 12 Apr 2003 02:22:44 +0000 (02:22 +0000)
'krb5-1-3-alpha2'.

git-svn-id: svn://anonsvn.mit.edu/krb5/tags/krb5-1-3-alpha2@15347 dc483132-0cff-0310-8789-dd5450dbe970

66 files changed:
README
doc/ChangeLog
doc/krb4-xrealm.txt [new file with mode: 0644]
src/ChangeLog
src/aclocal.m4
src/appl/bsd/ChangeLog
src/appl/bsd/krshd.c
src/appl/telnet/libtelnet/ChangeLog
src/appl/telnet/libtelnet/Makefile.in
src/appl/telnet/libtelnet/configure.in
src/appl/telnet/libtelnet/kerberos.c
src/appl/telnet/libtelnet/kerberos5.c
src/clients/ksu/ChangeLog
src/clients/ksu/heuristic.c
src/clients/ksu/krb_auth_su.c
src/config/ChangeLog
src/config/pre.in
src/include/ChangeLog
src/include/configure.in
src/include/fake-addrinfo.h
src/kdc/ChangeLog
src/kdc/do_tgs_req.c
src/kdc/kdc_preauth.c
src/kdc/kdc_util.c
src/kdc/kdc_util.h
src/kdc/kerberos_v4.c
src/kdc/main.c
src/krb5-config.in
src/krb524/ChangeLog
src/krb524/cnv_tkt_skey.c
src/krb524/krb524d.c
src/lib/gssapi/krb5/ChangeLog
src/lib/gssapi/krb5/accept_sec_context.c
src/lib/gssapi/krb5/gssapiP_krb5.h
src/lib/gssapi/krb5/init_sec_context.c
src/lib/kadm5/srv/ChangeLog
src/lib/kadm5/srv/Makefile.in
src/lib/kdb/ChangeLog
src/lib/kdb/Makefile.in
src/lib/kdb/keytab.c
src/lib/krb5/keytab/ChangeLog
src/lib/krb5/keytab/kt_file.c
src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/gc_frm_kdc.c
src/lib/krb5/krb/parse.c
src/lib/krb5/krb/rd_req.c
src/lib/krb5/krb/srv_rcache.c
src/lib/krb5/krb/unparse.c
src/lib/rpc/ChangeLog
src/lib/rpc/xdr_mem.c
src/mac/MacOSX/Headers/Kerberos5Prefix.h
src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj
src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam
src/tests/dejagnu/config/ChangeLog
src/tests/dejagnu/config/default.exp
src/tests/dejagnu/krb-standalone/ChangeLog
src/tests/dejagnu/krb-standalone/v4gssftp.exp
src/tests/dejagnu/krb-standalone/v4krb524d.exp
src/tests/dejagnu/krb-standalone/v4standalone.exp
src/util/ChangeLog
src/util/db2/ChangeLog
src/util/db2/Makefile.in
src/util/db2/test/Makefile [deleted file]
src/util/reconf
src/windows/ChangeLog
src/windows/version.rc

diff --git a/README b/README
index e161fcd70cd4b78ae2bedbc666c049e91c396ed0..a98ced94a424172cdbd401f86a80849fc80c806f 100644 (file)
--- a/README
+++ b/README
@@ -6,36 +6,21 @@
 Unpacking the Source Distribution
 ---------------------------------
 
-The source distribution of Kerberos 5 comes in three gzipped tarfiles,
-krb5-1.3.src.tar.gz, krb5-1.3.doc.tar.gz, and krb5-1.3.crypto.tar.gz.
-The krb5-1.3.doc.tar.gz contains the doc/ directory and this README
-file.  The krb5-1.3.src.tar.gz contains the src/ directory and this
-README file, except for the crypto library sources, which are in
-krb5-1.3.crypto.tar.gz.
-
-Instruction on how to extract the entire distribution follow.  These
-directions assume that you want to extract into a directory called
-DIST.
+The source distribution of Kerberos 5 comes in a gzipped tarfile,
+krb5-1.3.tar.gz.  Instructions on how to extract the entire
+distribution follow.
 
 If you have the GNU tar program and gzip installed, you can simply do:
 
-       mkdir DIST
-       cd DIST
-       gtar zxpf krb5-1.3.src.tar.gz
-       gtar zxpf krb5-1.3.crypto.tar.gz
-       gtar zxpf krb5-1.3.doc.tar.gz
+       gtar zxpf krb5-1.3.tar.gz
 
 If you don't have GNU tar, you will need to get the FSF gzip
 distribution and use gzcat:
 
-       mkdir DIST
-       cd DIST
-       gzcat krb5-1.3.src.tar.gz | tar xpf -
-       gzcat krb5-1.3.crypto.tar.gz | tar xpf -
-       gzcat krb5-1.3.doc.tar.gz | tar xpf -
+       gzcat krb5-1.3.tar.gz | tar xpf -
 
-Both of these methods will extract the sources into DIST/krb5-1.3/src
-and the documentation into DIST/krb5-1.3/doc.
+Both of these methods will extract the sources into krb5-1.3/src and
+the documentation into krb5-1.3/doc.
 
 Building and Installing Kerberos 5
 ----------------------------------
@@ -138,6 +123,18 @@ Major changes listed by ticket ID
 
 * [1189, 1251] The KfM krb4 library source base has been merged.
 
+* [1385, 1395, 1410] The krb4 protocol vulnerabilities
+  [MITKRB5-SA-2003-004] have been worked around.  Note that this will
+  disable krb4 cross-realm functionality, as well as krb4 triple-DES
+  functionality.  Please see doc/krb4-xrealm.txt for details of the
+  patch.
+
+* [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have
+  been fixed.
+
+* [1397] The krb5_principal buffer bounds problems
+  [MITKRB5-SA-2003-005] have been fixed.  Thanks to Nalin Dahyabhai.
+
 Minor changes listed by ticket ID
 ---------------------------------
 
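Review bot: the [1385, 1395, 1410] entry should tell administrators to rekey important keys after installing, since doc/krb4-xrealm.txt (added in this commit) states that the attacks allow a successful attacker to print future tickets and that outstanding 3DES v4 tickets remain usable for the cut-and-paste attack even after issuance is disabled; a one-line pointer here keeps that from being missed in the detail file. It would also help to mention that the v4 cross-realm workaround is a global switch (the -X option described in that file), so sites know the trade-off is theirs to make.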
@@ -172,6 +169,11 @@ Minor changes listed by ticket ID
 
 * [771] .rconf files are excluded from the release now.
 
+* [772] LOG_AUTHPRIV syslog facility is now usable for logging on
+  systems that support it.
+
+* [844] krshd now syslogs using the LOG_AUTH facility.
+
 * [850] Berekely DB build is better integrated into the krb5 library
   build process.
 
@@ -189,6 +191,8 @@ Minor changes listed by ticket ID
 * [953] des3 no longer failing on Windows due to SHA1 implementation
   problems.
 
+* [970] A minor inconsistency in ccache.tex has been fixed.
+
 * [971] option parsing bugs rendered irrelevant by removal of unused
   gss mechanism.
 
@@ -211,6 +215,9 @@ Minor changes listed by ticket ID
   host having a large number of local network interfaces should be
   fixed now.
 
+* [1064] krb5_auth_con_genaddrs() no longer inappropriately returns -1
+  on some error cases.
+
 * [1065, 1225] krb5_get_init_creds_password() should properly warn about
   password expiration.
 
@@ -287,30 +294,46 @@ Minor changes listed by ticket ID
 * [1311] Output from krb5-config no longer contains spurious uses of
   $(PURE).
 
+* [1324] The KDC no longer logs an inappropriate "no matching key"
+  error when an encrypted timestamp preauth password is incorrect.
+
+* [1342] gawk is no longer required for building kerbsrc.zip for the
+  Windows build.
+
 * [1346] gss_krb5_ccache_name() no longer attempts to return a pointer
   to freed memory.
 
+* [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately
+  during GSSAPI context establishment.
+
 * [1356] krb5_gss_accept_sec_context() no longer attempts to validate
   a null credential if one is passed in.
 
+* [1362] The "-a user" option to telnetd now does the right thing.
+  Thanks to Nathan Neulinger.
+
+* [1363] ksu no longer inappropriately syslogs to stderr.
+
 * [1357] krb__get_srvtab_name() no longer leaks memory.
 
 * [1373] Handling of SAM preauth no longer attempts to stuff a size_t
   into an unsigned int.
 
-[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]
-
-* [1054] KRB-CRED messages for RC4 are encrypted now.
+* [1387] BIND versions later than 8 now supported.
 
-* [1177] krb5-1-2-2-branch merged onto trunk.
+* [1392] The getaddrinfo() wrapper should work better on AIX.
 
-* [1193] Punted comment about reworking key storage architecture.
+* [1400] If DO_TIME is not set in the auth_context, and no replay
+  cache is available, no replay cache will be used.
 
-* [1208] install-headers target implemented.
+* [1406] libdb is no longer installed.  If you installed
+  krb5-1.3-alpha1, you should ensure that no spurious libdb is left in
+  your install tree.
 
-* [1223] asn1_decode_oid, asn1_encode_oid implemented
+* [1412] ETYPE_INFO handling no longer goes into an infinite loop.
 
-* [1276] Generated dependencies handle --without-krb4 properly now.
+* [1414] libtelnet is now built using the same library build framework
+  as the rest of the tree.
 
 Copyright Notice and Legal Administrivia
 ----------------------------------------
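Review bot: the new entries break the ticket-ID ordering of the Minor changes list: [1362] and [1363] are inserted ahead of [1357], and the [1387]..[1414] block lands where the "DELETE BEFORE RELEASE" section used to be rather than being merged in sequence; move [1362]/[1363] after [1357] so the list stays sorted. The [1400] entry ("If DO_TIME is not set ... no replay cache will be used") restates its own condition; say what the behaviour was before the fix so readers can tell whether they are affected. The [1406] warning about a stale libdb left by krb5-1.3-alpha1 is worth keeping, since a leftover library in the install tree is exactly the sort of thing that silently shadows the intended one at link time.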
index 709c559806f57eeb7defd158951bf27ac36939af..53d95b2aaf3c70bdf9ad52bc438814d5b9b8b861 100644 (file)
@@ -1,3 +1,8 @@
+2003-04-08  Tom Yu  <tlyu@mit.edu>
+
+       * krb4-xrealm.txt: New file.  Describe the krb4 cross-realm
+       patchkit.  Copied from 2003-004-krb4_patchkit.
+
 2003-02-04  Sam Hartman  <hartmans@mit.edu>
 
        * krb425.texinfo (Upgrading KDCs): Note that -4 needs to be specified
diff --git a/doc/krb4-xrealm.txt b/doc/krb4-xrealm.txt
new file mode 100644 (file)
index 0000000..f8c4566
--- /dev/null
@@ -0,0 +1,143 @@
+The following text was taken from the patchkit disabling cross-realm
+authentication and triple-DES in krb4.
+
+PATCH KIT DESCRIPTION
+=====================
+
+** FLAG DAY REQUIRED **
+
+One of the things we decided to do (and must do for security reasons)
+was drop support for the 3DES krb4 TGTs.  Unfortunately the current
+code will only accept 3DES TGTs if it issues 3DES TGTs.  Since the new
+code issues only DES TGTs, the old code will not understand its v4
+TGTs if the site has a 3DES key available for the krbtgt principal.
+The new code will understand and accept both DES and 3DES v4 TGTs.
+
+So, the easiest upgrade option is to deploy the code on all KDCs at
+once, being sure to deploy it on the master KDC last.  Under this
+scenario, a brief window exists where slaves may be able to issue
+tickets that the master will not understand.  However, the slaves will
+understand tickets issued by the master throughout the upgrade.
+
+An alternate and more annoying upgrade strategy exists.  At least one
+max TGT life time before the upgrade, the TGT key can be changed to be
+a single-des key.  Since we support adding a new TGT key while
+preserving the old one, this does not create an interruption in
+service.  Since no 3DES key is available then both the old and new
+code will issue and accept DES v4 TGTs.  After the upgrade, the TGT
+key can again be rekeyed to add 3DES keys.  This does require two TGT
+key changes and creates a window where DES is used for the v5 TGT, but
+creates no window in which slaves will issue TGTs the master cannot
+accept.
+
+* What the patch does
+=====================
+
+1) Kerberos 4 cross-realm authentication is disabled by default.  A
+   "-X" switch is added to both krb524d and krb5kdc to enable v4
+   cross-realm.  This switch logs a note that a security hole has been
+   opened in the KDC log.  We said while designing the patch, that we
+   were going to try to allow per-realm configuration; because of a
+   design problem in the kadm5 library, we could not do this without
+   bumping the ABI version of that library.  We are unwilling to bump
+   an ABI version in a security patch release to get that feature, so
+   the configuration of v4 cross-realm is a global switch.
+
+2) Code responsible for v5 TGTs has been changed to require that the
+   enctype of the ticket service key be the same as the enctype that
+   would currently be issued for that kvno.  This means that even if a
+   service has multiple keys, you cannot use a weak key to fake the
+   KDC into accepting tickets for that service.  If you have a non-DES
+   TGT key, this separates keys used for v4 and v5.  We actually relax
+   this requirement for cross-realm TGT keys (which in the new code
+   are only used for v5) because we cannot guarantee other Kerberos
+   implementations will choose keys the same way.
+
+3) We no longer issue 3DES v4 tickets either in the KDC or krb524d.
+   We add code to accept either DES or 3DES tickets for v4.  None of
+   the attacks discovered so far can be implemented given a KDC that
+   accepts but does not issue 3DES tickets, so we believe that leaving
+   this functionality in as compatibility for a version or two is
+   reasonable.  Note however that the attacks described do allow
+   successful attackers to print future tickets, so sites probably
+   want to rekey important keys after installing this update.  Note
+   also that even if issuance of 3DES v4 tickets has been disabled,
+   outstanding tickets may be used to perform the 3DES cut-and-paste
+   attack.
+
+* Test Cases
+============
+
+This code is difficult to test for two reasons.  First, you need a
+cross-realm  relationship between two KDCs.  Secondly, you need a KDC
+that will issue 3DES v4 tickets even though the code  with the patch
+applied can no longer do this.
+
+I propose to meet these requirements by setting up a cross-realm 3DES
+key between  a realm I control and the test environment.  In order to
+provide concrete examples of what I plan to test with the automated
+tests,  I assume a shared key between a realm PREPATCH.KRBTEST.COM and the
+test realm PATCH.
+
+In all of the following tests  I assume the following configuration.
+A principal v4test@PREPATCH.KRBTEST.COM exists with known password and
+without requiring preauthentication.  The PREPATCH.KRBTEST.COM KDC will
+issue v4 tickets for this principal.  A principal test@PATCH exists
+with known password and without requiring preauthentication.    A
+principal service@PATCH exists.  The TGT for the PATCH realm has a
+3des and des key.  The shared TGT keys between PATCH and
+PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and
+support both 3DES and DES keys.
+
+1) Run krb524d and krb5kdc for PATCH with no special options using a
+   krb5.conf without permitted_enctypes (fully permissive).
+
+
+A) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM.  Confirm that  kvno -4
+service@PATCH  fails with an unknown principal error and logs an error
+about cross-realm being denied to the PATCH KDC log. This confirms
+that v4 cross-realm is not accepted.
+
+B) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM.  Confirm that krb524init
+-p service@PATCH fails with a prohibited by policy  error, but that
+klist -5 includes a ticket for service@PATCH.  This confirms that v5
+cross-realm works but the krb524d denies converting such a ticket into
+a cross-realm ticket. Note that the krb524init currently in the
+mainline source tree will not be useful for this test because the
+client denies cross-realm for the simple reason that the v4 ticket
+file format is not flexible enough to support it.  The krb524init in
+the  1.2.x release is useful for this test.
+
+
+2) Restart the krb5kdc and krb524d for PATCH with the -X option
+   enabling v4 cross-realm.
+
+A) Confirm that the security warning is written to kdc.log.
+
+B) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM.  Confirm that kvno -4
+service@PATCH works and leaves a service@PATCH ticket in the cache.
+This confirms that v4 cross-realm works in the KDC.  It also  confirms
+that the KDC can accept 3DES v4 TGTs.  The code path for decrypting a
+TGT is the same for the local realm and for foreign realms, so I don't
+see a need to test local 3DES TGTs in an automated manner although I
+did test it manually.
+
+C) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM.  Confirm that krb524init
+-p service@PATCH works.    This confirms that krb524d will issue
+cross-realm tickets.  They're completely useless because the v4 ticket
+file can't represent them, but that's not our problem today.
+
+3) Start the kdc and krb524d with a krb5.conf that  includes
+   permitted_enctypes only listing des-cbc-crc.  Get tickets as
+   test@PATCH.  Restart the KDC  and confirm that kvno service fails
+   logging an error about permitted enctypes.  This confirms that if
+   you manage to obtain a ticket of the wrong enctype it will not be
+   accepted later.
+
+These tests do not check to make sure that  3DES tickets are not
+issued by the v4 code.  I'm fairly certain that is true as I've
+physically remove the calls to the routine that generates 3DES tickets
+from the code in both the KDC and krb524d.  These tests also do not
+check to make sure that  cross-realm TGTs are not required to follow
+the strict enctype policy.  I've tested that manually  but don't know
+how to test that without  significantly complicating the test setup.
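Review bot: the Test Cases section is still the author's first-person test plan ("I propose to meet these requirements ...") and closes by conceding that the automated tests verify neither that 3DES v4 tickets are no longer issued nor that cross-realm TGT keys are exempt from the strict enctype policy; since the file now ships as documentation of the patch, either rewrite it in release voice or label it as the original test plan, and record those two manually-tested properties as known gaps so a later maintainer knows they are unverified. Also "I've physically remove the calls" should read "I've physically removed the calls", and the "-X" description under "What the patch does" should state that the security-hole note is logged at startup so operators know where to look for it.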
index 6f18978f5be772d5f9d025e0a825f3cdda047d36..0512f15e2f0d68b6e0f1bd31e7320f288c308f7a 100644 (file)
@@ -1,3 +1,30 @@
+2003-04-10  Tom Yu  <tlyu@mit.edu>
+
+       * aclocal.m4: Revert requrement of autoconf-2.53, since MacOS X
+       doesn't have it.
+
+2003-04-01  Tom Yu  <tlyu@mit.edu>
+
+       * aclocal.m4 (KRB5_AC_CHOOSE_DB): Set new variable KDB5_DB_LIB to
+       empty if using in-tree db.  It is now used to pass -ldb to link
+       commands, if needed, when linking programs with libkdb5.  DB_LIB
+       is now only used for programs that explicitly need the actual
+       libdb independently of libkdb5.
+
+       * krb5-config.in: Use $KDB5_DB_LIB instead of "-ldb" for kdb
+       libraries.
+
+2003-03-31  Tom Yu  <tlyu@mit.edu>
+
+       * aclocal.m4: Require autoconf-2.53, since 2.52 generates
+       configure scripts that NetBSD /bin/sh doesn't like.
+
+2003-03-18  Alexandra Ellwood  <lxs@mit.edu>
+
+    * aclocal.m4: Define KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9
+    and higher.  When bind 9 is present, BIND_8_COMPAT needs to be defined to
+    get bind 8 types.
+
 2003-03-12  Tom Yu  <tlyu@mit.edu>
 
        * Makefile.in (AWK): Default to awk, not gawk.  User can override
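Review bot: typo in the 2003-04-10 entry: "requrement" should be "requirement". The 2003-03-18 entry is indented with four spaces where the rest of the file uses a tab; align it with the surrounding entries.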
index 3a0895f71c6d06cc8749fe5ecd6c76a79f2edae9..e36a3fd85f84e239e1b407277f89bb57f193b26d 100644 (file)
@@ -1506,16 +1506,41 @@ if test "x$with_system_db" = xyes ; then
   else
     DB_HEADER_VERSION=redirect
   fi
+  KDB5_DB_LIB="$DB_LIB"
 else
   DB_VERSION=k5
   AC_DEFINE(HAVE_BT_RSEQ,1,[Define if bt_rseq is available, for recursive btree traversal.])
   DB_HEADER=db.h
   DB_HEADER_VERSION=k5
+  # libdb gets sucked into libkdb
+  KDB5_DB_LIB=
+  # needed for a couple of things that need libdb for its own sake
   DB_LIB=-ldb
 fi
 AC_SUBST(DB_VERSION)
 AC_SUBST(DB_HEADER)
 AC_SUBST(DB_HEADER_VERSION)
 AC_SUBST(DB_LIB)
+AC_SUBST(KDB5_DB_LIB)
+])
+dnl
+dnl
+dnl KRB5_AC_NEED_BIND_8_COMPAT --- check to see if we are on a bind 9 system
+dnl
+dnl
+AC_DEFUN(KRB5_AC_NEED_BIND_8_COMPAT,[
+AC_REQUIRE([AC_PROG_CC])dnl
+dnl
+dnl On a bind 9 system, we need to define BIND_8_COMPAT
+dnl
+AC_MSG_CHECKING(for bind 9 or higher)
+AC_CACHE_VAL(krb5_cv_need_bind_8_compat,[
+AC_TRY_COMPILE([#include <arpa/nameser.h>], [HEADER hdr;],
+krb5_cv_need_bind_8_compat=no, 
+[AC_TRY_COMPILE([#define BIND_8_COMPAT
+#include <arpa/nameser.h>], [HEADER hdr;],
+krb5_cv_need_bind_8_compat=yes, krb5_cv_need_bind_8_compat=no)])])
+AC_MSG_RESULT($krb5_cv_need_bind_8_compat)
+test $krb5_cv_need_bind_8_compat = yes && AC_DEFINE(BIND_8_COMPAT,1,[Define if OS has bind 9])
 ])
 dnl
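Review bot: in KRB5_AC_NEED_BIND_8_COMPAT the inner AC_TRY_COMPILE's failure branch sets krb5_cv_need_bind_8_compat=no, so a system whose <arpa/nameser.h> does not provide HEADER even with BIND_8_COMPAT defined reports "no" and the build fails later with an unrelated compile error; emit an AC_MSG_WARN (or a distinct cache value) in that branch so the cause is visible at configure time. The AC_DEFINE description "Define if OS has bind 9" is misleading for a symbol named BIND_8_COMPAT; something like "Define to get BIND 8 types from a BIND 9 <arpa/nameser.h>" says what it does. There is also trailing whitespace after "krb5_cv_need_bind_8_compat=no,".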
index 30340017095b1ea71952c57f288a9c8e5cb570fc..00f96ebe69e97d4f897942a2eebf12b67b968656 100644 (file)
@@ -1,3 +1,8 @@
+2003-04-08  Ken Raeburn  <raeburn@mit.edu>
+
+       * krshd.c (main): Use LOG_AUTH syslog facility, not LOG_DAEMON,
+       for consistency with krlogind.c.
+
 2003-03-04  Ken Raeburn  <raeburn@mit.edu>
 
        * compat_recv.c: Only include krb.h if KRB5_KRB4_COMPAT.
index 2a67b761308f4fc61baa8cb3af113f99bcec3edd..adad7ea2ff96643da040e030ef168a6a57182fba 100644 (file)
@@ -303,10 +303,10 @@ int main(argc, argv)
 #ifndef LOG_ODELAY /* 4.2 syslog */
     openlog(progname, LOG_PID);
 #else
-#ifndef LOG_DAEMON
-#define LOG_DAEMON 0
+#ifndef LOG_AUTH
+#define LOG_AUTH 0
 #endif
-    openlog(progname, LOG_PID | LOG_ODELAY, LOG_DAEMON);       
+    openlog(progname, LOG_PID | LOG_ODELAY, LOG_AUTH);
 #endif /* 4.2 syslog */
     
 #ifdef KERBEROS
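Review bot: with the fallback "#define LOG_AUTH 0", a platform that has LOG_ODELAY but no LOG_AUTH logs under facility 0 (LOG_KERN); this mirrors the old LOG_DAEMON fallback, but since the ChangeLog justifies the switch as consistency with krlogind.c, confirm that krlogind.c uses the same fallback so the two daemons really do end up in the same place.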
index 8999274466dc399092fdc3d0564c7c0cda43e0c6..ea46e4fb8611a62eaccdab51dc498f1a254f9775 100644 (file)
@@ -1,3 +1,23 @@
+2003-04-10  Tom Yu  <tlyu@mit.edu>
+
+       * Makefile.in: Use library build framework.
+
+       * configure.in: Add support for library build framework.  Remove
+       old explicit checks for ranlib, etc.
+
+2003-04-09  Tom Yu  <tlyu@mit.edu>
+
+       * kerberos.c (kerberos4_status): Always copy in username if
+       present.  Patch from Nathan Neulinger to make "-a user" work.
+
+       * kerberos5.c (kerberos5_status): Always copy in username if
+       present.  Patch from Nathan Neulinger to make "-a user" work.
+
+2003-04-01  Nalin Dahyabhai  <nalin@redhat.com>
+
+       * kerberos5.c (kerberos5_is): Check principal name length before
+       examining components.
+
 2003-01-07  Ken Raeburn  <raeburn@mit.edu>
 
        * Makefile.orig: Deleted.
index 93986e00575d1f5fda23c635de6c4d0c7dc1e9fa..cad5d5f541f21057aa267ee5a5b3bf29e897df30 100644 (file)
@@ -32,7 +32,12 @@ LIBOBJS=@LIBOBJS@
 SETENVSRC=@SETENVSRC@
 SETENVOBJ=@SETENVOBJ@
 
-LIB=    libtelnet.a
+LIB=telnet
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../../../appl/telnet/libtelnet
+STOBJLISTS=OBJS.ST
+
 SRCS=   $(srcdir)/auth.c \
        $(srcdir)/encrypt.c \
        $(srcdir)/genget.c \
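Review bot: switching to LIB=telnet under the library build framework changes how libtelnet.a is produced, but the changed-file list shows no update to the telnet or telnetd Makefiles that link against it; confirm the archive still lands at the path those consumers reference (the old rule built libtelnet.a in this directory). RELDIR=../../../appl/telnet/libtelnet must match the tree layout exactly, so it is worth a comment saying what it is relative to.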
@@ -52,20 +57,15 @@ SRCS=   $(srcdir)/auth.c \
        $(srcdir)/strftime.c \
        $(srcdir)/strerror.c
 
-OBJS=   auth.o encrypt.o genget.o \
+STLIBOBJS=   auth.o encrypt.o genget.o \
        misc.o kerberos.o kerberos5.o forward.o spx.o enc_des.o \
        $(LIBOBJS) getent.o $(SETENVOBJ)
 
 TELNET_H= $(srcdir)/../arpa/telnet.h
 
-all:: $(LIB)
-$(LIB): $(OBJS)
-       $(RM) $(LIB)
-       $(ARADD) $@ $(OBJS)
-       $(RANLIB) $@
+all:: all-libs
 
-clean::
-       $(RM) $(LIB)
+clean:: clean-libs clean-libobjs
 
 auth.o: $(TELNET_H)
 auth.o: encrypt.h
@@ -88,6 +88,10 @@ enc_des.o: encrypt.h
 enc_des.o: key-proto.h
 enc_des.o: misc-proto.h
 install::
+
+# @lib_frag@
+# @libobj_frag@
+
 # +++ Dependency line eater +++
 # 
 # Makefile dependencies follow.  This must be the last section in
index 8f2434eaaf9cb1179d9506d46e42d6511d95c62e..8767cd7d0d6848edc19d91df74cf223f18e88cb4 100644 (file)
@@ -1,8 +1,5 @@
 AC_INIT(auth.c)
 CONFIG_RULES
-AC_PROG_ARCHIVE
-AC_PROG_ARCHIVE_ADD
-AC_PROG_RANLIB
 AC_REPLACE_FUNCS([strcasecmp strdup setsid strerror strftime getopt herror parsetos])
 AC_CHECK_FUNCS(setenv unsetenv getenv gettosbyname cgetent)
 AC_CHECK_HEADERS(stdlib.h string.h unistd.h)
@@ -23,4 +20,6 @@ else
        AC_MSG_RESULT(Kerberos 4 authentication enabled)
        AC_DEFINE(KRB4)
 fi
+KRB5_BUILD_LIBRARY_STATIC
+KRB5_BUILD_LIBOBJS
 V5_AC_OUTPUT_MAKEFILE
index 56a07319101b55e4e5e87bc472325c82001c2a53..8d4c7f330cc7a89077c91033a686c320edcaf76c 100644 (file)
@@ -612,10 +612,17 @@ kerberos4_status(ap, kname, level)
        if (level < AUTH_USER)
                return(level);
 
-       if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+       /*
+        * Always copy in UserNameRequested if the authentication
+        * is valid, because the higher level routines need it.
+        */
+       if (UserNameRequested) {
                /* the name buffer comes from telnetd/telnetd{-ktd}.c */
                strncpy(kname, UserNameRequested, 255);
                name[255] = '\0';
+       }
+
+       if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
                return(AUTH_VALID);
        } else
                return(AUTH_USER);
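Review bot: the terminator after the strncpy writes name[255] while the copy target is kname (the function parameter), so kname is not guaranteed NUL-terminated when UserNameRequested is 255 bytes or longer, and name[255] is written into whatever "name" is in this scope; it should be kname[255] = '\0'. The mismatch was already present in the context lines, but this change now executes the copy on every authentication that reaches AUTH_USER with a requested username, rather than only after kuserok succeeds, so the fix belongs in this patch. Note also that kname is now filled in on the AUTH_USER path (kuserok failed), so callers must continue to key authorization on the AUTH_VALID return value and never on a non-empty kname.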
index 3a1c8f24e49a6c87dc9074dee634bc71802cf822..59982d3bf53e5d09a3a549d837e11484ab5fb4b4 100644 (file)
@@ -446,6 +446,10 @@ kerberos5_is(ap, data, cnt)
                 * first component of a service name especially since
                 * the default is of length 4.
                 */
+               if (krb5_princ_size(telnet_context,ticket->server) < 1) {
+                   (void) strcpy(errbuf, "malformed service name");
+                   goto errout;
+               }
                if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) {
                    char princ[256];
                    strncpy(princ,      
@@ -727,13 +731,20 @@ kerberos5_status(ap, name, level)
        if (level < AUTH_USER)
                return(level);
 
+       /*
+        * Always copy in UserNameRequested if the authentication
+        * is valid, because the higher level routines need it.
+        * the name buffer comes from telnetd/telnetd{-ktd}.c
+        */
+       if (UserNameRequested) {
+               strncpy(name, UserNameRequested, 255);
+               name[255] = '\0';
+       }
+
        if (UserNameRequested &&
            krb5_kuserok(telnet_context, ticket->enc_part2->client, 
                         UserNameRequested))
        {
-               /* the name buffer comes from telnetd/telnetd{-ktd}.c */
-               strncpy(name, UserNameRequested, 255);
-               name[255] = '\0';
                return(AUTH_VALID);
        } else
                return(AUTH_USER);
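Review bot: name is now populated before krb5_kuserok runs, so on the AUTH_USER return path it holds the requested user, not an authorized one; the comment should say so explicitly ("copied whenever a name was requested; authorization is signalled only by AUTH_VALID") so nobody later treats a non-empty name as proof that krb5_kuserok accepted it. The strncpy/terminator pair is consistent here (both use name), unlike the kerberos4_status change in kerberos.c.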
index 44415a033edaf0370dea247415fdcff43fda9997..17a1dffe88cf783f4c48137acc6a6e923aa2593e 100644 (file)
@@ -1,3 +1,10 @@
+2003-04-01  Nalin Dahyabhai  <nalin@redhat.com>
+
+       * heuristic.c (get_closest_principal): Don't try to examine
+       principal name components after the last.
+       * krb_auth_su.c (get_best_principal): Check principal name length
+       before examining components.
+
 2002-12-23  Ezra Peisach  <epeisach@bu.edu>
 
        * authorization.c, heuristic.c, ksu.h: Use uid_t instead of int in
index c79f943699aad56436c160dccafb48050dbf07fd..85b94b5e250d38c50e2bccd8a77e0f0f8c5141ea 100644 (file)
@@ -364,7 +364,7 @@ krb5_error_code get_closest_principal(context, plist, client, found)
                krb5_data *p2 =
                    krb5_princ_component(context, temp_client, j);
                
-               if ((p1->length != p2->length) ||
+               if (!p1 || !p2 || (p1->length != p2->length) ||
                    memcmp(p1->data,p2->data,p1->length)){
                    got_one = FALSE;
                    break;
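Review bot: the added !p1 || !p2 guards only help if krb5_princ_component returns NULL for an index at or beyond krb5_princ_size; if it is a plain pointer-offset macro, the call itself already computes an out-of-range address and the loop bound on j should instead be tied to the smaller of the two principals' sizes. A one-line comment stating which behaviour the fix relies on would make that dependency visible to the next reader.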
index 6e76149c1f9e4ca732b069d76dab000ab8eea56f..8e1834240e2e7f04ed85acc9202a84c6add0edd3 100644 (file)
@@ -547,7 +547,9 @@ krb5_error_code get_best_principal(context, plist, client)
                         krb5_princ_realm(context, temp_client)->length))){
            
            
-           if(nelem){ 
+           if (nelem &&
+               krb5_princ_size(context, *client) > 0 &&
+               krb5_princ_size(context, temp_client) > 0) {
                krb5_data *p1 =
                    krb5_princ_component(context, *client, 0);
                krb5_data *p2 = 
index 7a0623513654a2f36b5ad60ccfdff349ae9edc8e..21bc14adc40401dbf6a6bf288b5e52fd09688adb 100644 (file)
@@ -1,3 +1,10 @@
+2003-04-01  Tom Yu  <tlyu@mit.edu>
+
+       * pre.in (KDB5_DEPLIBS): Don't depend on $(DB_DEPLIB) anymore.
+       (KDB5_DB_LIB): New variable; is empty if not building with system
+       libdb.
+       (KDB5_LIBS): Use $(KDB5_DB_LIB) instead of $(DB_LIB).
+
 2003-03-03  Tom Yu  <tlyu@mit.edu>
 
        * libobj.in: Change .c.so and .c.po rules to use ALL_CFLAGS.
index c36b4ee8bc4e2d2ee1418779af503813eac8383e..b3bdec715eab07249c9c44731dd2c8a219d11e87 100644 (file)
@@ -296,7 +296,7 @@ PTY_DEPLIB  = $(TOPLIBD)/libpty.a
 
 KRB5_BASE_DEPLIBS      = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB)
 KRB4COMPAT_DEPLIBS     = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS)
-KDB5_DEPLIBS           = $(KDB5_DEPLIB) $(DB_DEPLIB)
+KDB5_DEPLIBS           = $(KDB5_DEPLIB)
 GSS_DEPLIBS            = $(GSS_DEPLIB)
 GSSRPC_DEPLIBS         = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS)
 KADM_COMM_DEPLIBS      = $(GSSRPC_DEPLIBS) $(KDB5_DEPLIBS) $(GSSRPC_DEPLIBS)
@@ -338,6 +338,7 @@ SS_LIB-sys  = @SS_LIB@
 SS_LIB-k5      = $(TOPLIBD)/libss.a
 KDB5_LIB       = -lkdb5
 DB_LIB         = @DB_LIB@
+KDB5_DB_LIB    = @KDB5_DB_LIB@
 
 KRB5_LIB                       = -lkrb5
 K5CRYPTO_LIB                   = -lk5crypto
@@ -361,7 +362,7 @@ HESIOD_LIBS = @HESIOD_LIBS@
 
 KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(GEN_LIB) $(LIBS)
 KRB4COMPAT_LIBS        = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
-KDB5_LIBS      = $(KDB5_LIB) $(DB_LIB)
+KDB5_LIBS      = $(KDB5_LIB) $(KDB5_DB_LIB)
 GSS_LIBS       = $(GSS_KRB5_LIB)
 # needs fixing if ever used on Mac OS X!
 GSSRPC_LIBS    = -lgssrpc $(GSS_LIBS)
index a8e7726f5e4e72736b4039092a146df1f931e21c..fea9e3ee1fcdc5830b942e603349919b7ccf4b35 100644 (file)
@@ -1,3 +1,26 @@
+2003-04-07  Ken Raeburn  <raeburn@mit.edu>
+
+       * fake-addrinfo.h (getaddrinfo) [NUMERIC_SERVICE_BROKEN]:
+       Overwrite the port number only if a numeric service port was
+       supplied.
+
+2003-04-01  Ken Raeburn  <raeburn@mit.edu>
+
+       * fake-addrinfo.h (COPY_FIRST_CANONNAME) [_AIX]: Define.
+       (GET_HOST_BY_NAME) [_AIX]: New version for AIX version of
+       gethostbyname_r.
+       (getaddrinfo) [NUMERIC_SERVICE_BROKEN]: Use "discard" as a dummy
+       service name instead of none at all.  Don't check for unsigned
+       value less than zero.
+       (getaddrinfo) [COPY_FIRST_CANONNAME]: Set any ai_canonname fields
+       other than the first one to null.
+
+2003-03-18  Alexandra Ellwood  <lxs@mit.edu>
+
+    * configure.in: Use KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9
+    and higher.  When bind 9 is present, BIND_8_COMPAT needs to be 
+    defined to get bind 8 types.
+
 2003-03-06  Alexandra Ellwood  <lxs@mit.edu>
     
     * krb5.h: Removed enumsalwaysint because there are no typed
index 7287f153e8f5486d51017b8b33470c6aeb70adce..71b47ff3d410716dc174ee9aa657f7f72e3c7483 100644 (file)
@@ -181,6 +181,9 @@ if test $krb5_cv_has_type_socklen_t = yes; then
 fi
 dnl
 dnl
+KRB5_AC_NEED_BIND_8_COMPAT
+dnl
+dnl
 AC_ARG_ENABLE([athena],
 [  --enable-athena         build with MIT Project Athena configuration],
 AC_DEFINE(KRB5_ATHENA_COMPAT,1,[Define if MIT Project Athena default configuration should be used]),)
index d32802a77528645bf7eb7a8b552400a9e8bf8737..b019c3823428079c864c1687e8201f326321f9a5 100644 (file)
@@ -91,6 +91,7 @@
 #include "socket-utils.h"
 
 #ifdef S_SPLINT_S
+/*@-incondefs@*/
 extern int
 getaddrinfo (/*@in@*/ /*@null@*/ const char *,
             /*@in@*/ /*@null@*/ const char *,
@@ -108,8 +109,8 @@ getnameinfo (const struct sockaddr *addr, socklen_t addrsz,
     /*@requires (maxSet(h)+1) >= hsz /\ (maxSet(s)+1) >= ssz @*/
     /* too hard: maxRead(addr) >= (addrsz-1) */
     /*@modifies *h, *s@*/;
-extern /*@dependent@*/ char *
-gai_strerror (int code) /*@*/;
+extern /*@dependent@*/ char *gai_strerror (int code) /*@*/;
+/*@=incondefs@*/
 #endif
 
 
@@ -125,6 +126,7 @@ gai_strerror (int code) /*@*/;
 
 #ifdef _AIX
 # define NUMERIC_SERVICE_BROKEN
+# define COPY_FIRST_CANONNAME
 #endif
 
 
@@ -152,6 +154,29 @@ gai_strerror (int code) /*@*/;
 #define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \
     { (HP) = gethostbyaddr ((ADDR), (ADDRLEN), (FAMILY)); (ERR) = h_errno; }
 #else
+#ifdef _AIX /* XXX should have a feature test! */
+#define GET_HOST_BY_NAME(NAME, HP, ERR) \
+    {                                                                  \
+       struct hostent my_h_ent;                                        \
+       struct hostent_data my_h_ent_data;                              \
+       (HP) = (gethostbyname_r((NAME), &my_h_ent, &my_h_ent_data)      \
+               ? 0                                                     \
+               : &my_h_ent);                                           \
+       (ERR) = h_errno;                                                \
+    }
+/*
+#define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \
+    {                                                                  \
+       struct hostent my_h_ent;                                        \
+       struct hostent_data my_h_ent_data;                              \
+       (HP) = (gethostbyaddr_r((ADDR), (ADDRLEN), (FAMILY), &my_h_ent, \
+                               &my_h_ent_data)                         \
+               ? 0                                                     \
+               : &my_h_ent);                                           \
+       (ERR) = my_h_err;                                               \
+    }
+*/
+#else
 #ifdef GETHOSTBYNAME_R_RETURNS_INT
 #define GET_HOST_BY_NAME(NAME, HP, ERR) \
     {                                                                  \
@@ -196,7 +221,8 @@ gai_strerror (int code) /*@*/;
                               my_h_buf, sizeof (my_h_buf), &my_h_err); \
        (ERR) = my_h_err;                                               \
     }
-#endif
+#endif /* returns int? */
+#endif /* _AIX */
 #endif
 
 /* Now do the same for getservby* functions.  */
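Review bot: in the new _AIX GET_HOST_BY_NAME, my_h_ent (and my_h_ent_data) are declared inside the macro's own brace block and HP is set to &my_h_ent, so the pointer the caller receives is dangling as soon as the block closes; the hostent storage must be supplied by the caller (for example as an extra macro argument) or declared at function scope, and the existing branches below appear to follow the same pattern, so the fix should cover all of them. The commented-out GET_HOST_BY_ADDR variant reads ERR from my_h_err, which is not declared in that block, so it will not compile if re-enabled; either make it match the _BY_NAME version (h_errno) or drop it. The "XXX should have a feature test!" note should become a configure check rather than shipping keyed on _AIX.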
@@ -898,19 +924,19 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
     /* AIX 4.3.3 is broken.  (Or perhaps out of date?)
 
        If a numeric service is provided, and it doesn't correspond to
-       a known service name, an error code (for "host not found") is
-       returned.  If the port maps to a known service, all is
-       well.  */
+       a known service name for tcp or udp (as appropriate), an error
+       code (for "host not found") is returned.  If the port maps to a
+       known service for both udp and tcp, all is well.  */
     if (serv && serv[0] && isdigit(serv[0])) {
        unsigned long lport;
        char *end;
        lport = strtoul(serv, &end, 10);
        if (!*end) {
-           if (lport < 0 || lport > 65535)
+           if (lport > 65535)
                return EAI_SOCKTYPE;
            service_is_numeric = 1;
            service_port = htons(lport);
-           serv = 0;
+           serv = "discard";   /* defined for both udp and tcp */
            if (hint)
                socket_type = hint->ai_socktype;
        }
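Review bot: replacing `serv = 0` with `serv = "discard"` makes the numeric-service path depend on the services database listing `discard` for both tcp and udp; on a host where it is missing, the lookup now fails with the same misleading host-not-found error this workaround is meant to avoid, so the comment should say so and a fallback (retrying with `serv = 0` when that lookup fails) would be safer. Dropping `lport < 0` is correct, since `lport` is unsigned and the test was always false. Separately, returning `EAI_SOCKTYPE` for an out-of-range port reads oddly; the standard code for a bad service string is `EAI_SERVICE`.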
@@ -948,7 +974,10 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
        approach: If getaddrinfo sets ai_canonname, we'll replace the
        *first* one with allocated storage, and free up that pointer in
        freeaddrinfo if it's set; the other ai_canonname fields will be
-       left untouched.
+       left untouched.  And we'll just pray that the application code
+       won't mess around with the list structure; if we start doing
+       that, we'll have to start replacing and freeing all of the
+       ai_canonname fields.
 
        Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=133668 .
 
@@ -1017,20 +1046,28 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
 #endif
            return EAI_MEMORY;
        }
+       /* Zap the remaining ai_canonname fields glibc fills in, in
+          case the application messes around with the list
+          structure.  */
+       while ((ai = ai->ai_next) != NULL)
+           ai->ai_canonname = 0;
     }
 #endif
 
 #ifdef NUMERIC_SERVICE_BROKEN
-    for (ai = *result; ai; ai = ai->ai_next) {
-       if (socket_type != 0 && ai->ai_socktype == 0)
-           ai->ai_socktype = socket_type;
-       switch (ai->ai_family) {
-       case AF_INET:
-           ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port;
-           break;
-       case AF_INET6:
-           ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port;
-           break;
+    if (service_port != 0) {
+       for (ai = *result; ai; ai = ai->ai_next) {
+           if (socket_type != 0 && ai->ai_socktype == 0)
+               /* Is this check actually needed?  */
+               ai->ai_socktype = socket_type;
+           switch (ai->ai_family) {
+           case AF_INET:
+               ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port;
+               break;
+           case AF_INET6:
+               ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port;
+               break;
+           }
        }
     }
 #endif
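Review bot: the guard `if (service_port != 0)` in the NUMERIC_SERVICE_BROKEN block tests the wrong thing: a caller asking for numeric service "0" sets `service_port = htons(0)`, which is 0, so the port that the `discard` lookup returned is left in the results instead of being overwritten with 0. Test `service_is_numeric` (set alongside `service_port` earlier in the function) instead. Two smaller points: `while ((ai = ai->ai_next) != NULL)` leaves `ai` NULL afterwards, which is fine only because the later loop re-seeds it from `*result`, and a comment on who owns the ai_canonname storage being zeroed would help; and `/* Is this check actually needed? */` should be resolved or rewritten as a statement rather than left as an open question in the code.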
index eb4273615c0aa7f663caa35431c8189a1888a6c9..6fe495d341914d327e86ed9a3e58346b19996e72 100644 (file)
@@ -1,3 +1,35 @@
+2003-04-02  Sam Hartman  <hartmans@mit.edu>
+
+       * kdc_preauth.c (get_etype_info): Avoid infinite loop if request
+       does not contain des-cbc-crc and database does 
+
+2003-04-01  Nalin Dahyabhai  <nalin@redhat.com>
+
+       * do_tgs_req.c (process_tgs_req): Check that principal name
+       component 1 is present before examining it.
+       * kdc_util.c (krb5_is_tgs_principal, validate_tgs_request): Check
+       principal name length before examining components.
+
+2003-03-28  Tom Yu  <tlyu@mit.edu>
+
+       * kdc_preauth.c (verify_enc_timestamp): Save decryption error, in
+       case we get NO_MATCHING_KEY later.  This allows us to log a more
+       sane error if an incorrect password is used for encrypting the
+       enc-timestamp preauth.
+
+2003-03-16  Sam Hartman  <hartmans@mit.edu>
+
+       * main.c (initialize_realms): Add support to call
+       enable_v4_crossrealm if the user wants insecure operation 
+
+       * kerberos_v4.c: Add enable_v4_crossrealm.  By default krb4
+       cross-realm is not allowed as it is insecure.  Also, remove
+       support for generating krb4 tickets encrypted in 3DES as they are
+       insecure. 
+
+       * kdc_util.h: Define enable_v4_crossrealm, new function to enable
+       secure krb4 cross-realm authentication 
+
 2003-03-05  Tom Yu  <tlyu@mit.edu>
 
        * main.c (init_realm): Update call to krb5_ktdb_resolve().
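Review bot: the 2003-03-16 entry describes `enable_v4_crossrealm` in kdc_util.h as a function "to enable secure krb4 cross-realm authentication", while the same entry and the kerberos_v4.c log message (`this is a known security hole`) say the opposite; the entry should say it enables insecure cross-realm operation, which is what the code does. Several new lines also carry trailing whitespace (`database does `, `insecure operation `, `insecure. `).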
index 0c6116e219d38a56d4c6c08f32bae9a9c41d315f..c8b679bc2a532d77d01dc21a998ccdd84f14195c 100644 (file)
@@ -174,7 +174,7 @@ tgt_again:
                krb5_data *tgs_1 =
                    krb5_princ_component(kdc_context, tgs_server, 1);
 
-               if (server_1->length != tgs_1->length ||
+               if (!tgs_1 || server_1->length != tgs_1->length ||
                    memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
                    krb5_db_free_principal(kdc_context, &server, nprincs);
                    find_alternate_tgs(request, &server, &more, &nprincs);
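Review bot: the added `!tgs_1 ||` only guards the tgs_server side; `server_1` is dereferenced on the same line (`server_1->length`) and its NULL check is not visible in this hunk, so confirm the request's server principal has already been validated to have at least two components before this point, or add the symmetric check.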
index 4747f27deb1ac66f4ea47898cfd8b4568b52f360..87b0358d7d3f07f3e4caa1ceb3c832076790925c 100644 (file)
@@ -457,7 +457,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
     krb5_key_data *            client_key;
     krb5_int32                 start;
     krb5_timestamp             timenow;
-    
+    krb5_error_code            decrypt_err;
+
     scratch.data = pa->contents;
     scratch.length = pa->length;
 
@@ -471,6 +472,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
        goto cleanup;
 
     start = 0;
+    decrypt_err = 0;
     while (1) {
        if ((retval = krb5_dbe_search_enctype(context, client,
                                              &start, enc_data->enctype,
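Review bot: `decrypt_err = 0;` is placed after the `goto cleanup` two lines above it, so if that earlier path reaches `cleanup:` with `retval == KRB5_KDB_NO_MATCHING_KEY`, the new `decrypt_err != 0` test there reads an uninitialized variable. Initialize it at the declaration (`krb5_error_code decrypt_err = 0;`) or before the first `goto cleanup` in the function.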
@@ -488,6 +490,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
        krb5_free_keyblock_contents(context, &key);
        if (retval == 0)
            break;
+       else
+           decrypt_err = retval;
     }
 
     if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
@@ -513,6 +517,14 @@ cleanup:
     krb5_free_data_contents(context, &enc_ts_data);
     if (pa_enc)
        free(pa_enc);
+    /*
+     * If we get NO_MATCHING_KEY and decryption previously failed, and
+     * we failed to find any other keys of the correct enctype after
+     * that failed decryption, it probably means that the password was
+     * incorrect.
+     */
+    if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
+       retval = decrypt_err;
     return retval;
 }
 
@@ -556,8 +568,10 @@ get_etype_info(krb5_context context, krb5_kdc_req *request,
        while (1) {
            if (!request_contains_enctype(context,
                                          request, db_etype)) {
-               if (db_etype == ENCTYPE_DES_CBC_CRC)
-                    continue;
+             if (db_etype == ENCTYPE_DES_CBC_CRC) {
+                 db_etype = ENCTYPE_DES_CBC_MD5;
+                 continue;
+             }
                 else break;
             }
 
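Review bot: the new `if (db_etype == ENCTYPE_DES_CBC_CRC) { ... }` block is indented with a different width than the surrounding lines (compare the `else break;` that follows it); re-indent it to match. The fix itself is sound: advancing `db_etype` to `ENCTYPE_DES_CBC_MD5` before `continue` gives the loop a way to terminate when the request lacks des-cbc-crc, which the old unconditional `continue` did not. A one-line comment saying why des-cbc-md5 is the fallback would help the next reader.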
index 736c51d12963015e31b7975651c52127d9fe5988..9e9aa3f98295e14db8d3da6d9e87c374ecc27208 100644 (file)
@@ -150,7 +150,8 @@ realm_compare(krb5_principal princ1, krb5_principal princ2)
  */
 krb5_boolean krb5_is_tgs_principal(krb5_principal principal)
 {
-       if ((krb5_princ_component(kdc_context, principal, 0)->length ==
+       if ((krb5_princ_size(kdc_context, principal) > 0) &&
+           (krb5_princ_component(kdc_context, principal, 0)->length ==
             KRB5_TGS_NAME_SIZE) &&
            (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
                     KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE)))
@@ -1162,7 +1163,8 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server,
            return KRB_AP_ERR_NOT_US;
        }
        /* ...and that the second component matches the server realm... */
-       if ((krb5_princ_component(kdc_context, ticket->server, 1)->length !=
+       if ((krb5_princ_size(kdc_context, ticket->server) <= 1) ||
+           (krb5_princ_component(kdc_context, ticket->server, 1)->length !=
             krb5_princ_realm(kdc_context, request->server)->length) ||
            memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data,
                   krb5_princ_realm(kdc_context, request->server)->data,
index 9abe3b86046bc2b2b9ad7c6829d28c8a917f15e2..05ba07f4f3775aa00a8594afca388e87a0df69c9 100644 (file)
@@ -176,6 +176,7 @@ krb5_error_code process_v4 (const krb5_data *,
                                      const krb5_fulladdr *,
                                      krb5_data **);
 void process_v4_mode (const char *, const char *);
+void enable_v4_crossrealm(char *);
 #else
 #define process_v4(foo,bar,quux,foobar)        KRB5KRB_AP_ERR_BADVERSION
 #endif
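Review bot: `void enable_v4_crossrealm(char *);` takes a non-const `char *`, while the neighbouring `process_v4_mode` uses `const char *` for the program name; since the definition in kerberos_v4.c neither modifies nor uses the argument, declare it `const char *` for consistency and so callers can pass string literals.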
index a87a1d5e50c8f144cb89eb6df468050a51e747e6..01359792f5495ca103884d4ee1aa6721d4915013 100644 (file)
@@ -146,7 +146,7 @@ static krb5_data *response;
 
 void kerberos_v4 (struct sockaddr_in *, KTEXT);
 void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
-static int set_tgtkey (char *, krb5_kvno);
+static int set_tgtkey (char *, krb5_kvno, krb5_boolean);
 
 /* Attributes converted from V5 to V4 - internal representation */
 #define V4_KDB_REQUIRES_PREAUTH  0x1
@@ -180,6 +180,8 @@ static const struct v4mode_lookup_entry  v4mode_table[] = {
 static const int v4mode_table_nents = sizeof(v4mode_table)/
                                      sizeof(v4mode_table[0]);
 
+static int allow_v4_crossrealm = 0;
+
 void process_v4_mode(const char *program_name, const char *string)
 {
     int i, found;
@@ -205,6 +207,11 @@ void process_v4_mode(const char *program_name, const char *string)
     return;
 }
 
+void enable_v4_crossrealm ( char *programname) {
+    allow_v4_crossrealm = 1;
+    krb5_klog_syslog(LOG_ERR, "Enabling v4 cross-realm compatibility; this is a known security hole");
+}
+
 krb5_error_code
 process_v4(const krb5_data *pkt, const krb5_fulladdr *client_fulladdr,
           krb5_data **resp)
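Review bot: `programname` is unused in `enable_v4_crossrealm`, and the signature `( char *programname)` has stray spacing; either drop the parameter or include it in the syslog line so the message identifies which program enabled cross-realm. Logging at `LOG_ERR` for an explicitly requested configuration is a deliberate choice that deserves a comment, since operators filtering on LOG_ERR will see this line on every KDC start.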
@@ -382,6 +389,14 @@ compat_decrypt_key (krb5_key_data *in5, unsigned char *out4,
 /* array of name-components + NULL ptr
  */
 
+/*
+ * Previously this code returned either a v4 key or a v5 key  and you
+ * could tell from the enctype of the v5 key whether the v4 key was
+ * useful.  Now we return both keys so the code can try both des3 and
+ * des decryption.  We fail if the ticket doesn't have a v4 key.
+ * Also, note as a side effect, the v5 key is basically useless  in
+ * the client case.  It is still returned so the caller can free it.
+ */
 static int
 kerb_get_principal(char *name, char *inst, /* could have wild cards */
                   Principal *principal,
@@ -461,8 +476,28 @@ kerb_get_principal(char *name, char *inst, /* could have wild cards */
            return(0);
        }
     } else {
-       /* XXX yes I know this is a hardcoded search order */
-       if (krb5_dbe_find_enctype(kdc_context, &entries,
+       if ( krb5_dbe_find_enctype(kdc_context, &entries,
+                                 ENCTYPE_DES_CBC_CRC,
+                                 KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
+           krb5_dbe_find_enctype(kdc_context, &entries,
+                                 ENCTYPE_DES_CBC_CRC,
+                                 -1, kvno, &pkey)) {
+           lt = klog(L_KRB_PERR,
+                     "KDC V4: failed to find key for %s.%s #%d",
+                     name, inst, kvno);
+           krb5_db_free_principal(kdc_context, &entries, nprinc);
+           return(0);
+       }
+    }
+
+    if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
+       memcpy( &principal->key_low, k, LONGLEN);
+               memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
+    }
+    memset(k, 0, sizeof k);
+    if (issrv) {
+       krb5_free_keyblock_contents (kdc_context, k5key);
+       if (krb5_dbe_find_enctype(kdc_context, &entries,
                                  ENCTYPE_DES3_CBC_RAW,
                                  -1, kvno, &pkey) &&
            krb5_dbe_find_enctype(kdc_context, &entries,
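Review bot: in the client (`!issrv`) path, a failing `compat_decrypt_key(pkey, k, k5key, issrv)` leaves `principal->key_low`/`key_high` unset and the function carries on as if a key had been loaded (the restructuring preserves this from the old code, but the block now also precedes the server-only 3DES lookup). Treat a decrypt failure like the lookup failure just above it: `klog`, free `entries`, and `return(0)`. Zeroing `k` right after the copy is good; the fact that `k5key` is freed only under `if (issrv)` matches the comment saying the caller frees it in the client case, and a short comment here would make that hand-off explicit.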
@@ -478,17 +513,16 @@ kerb_get_principal(char *name, char *inst, /* could have wild cards */
                                  ENCTYPE_DES_CBC_CRC,
                                  -1, kvno, &pkey)) {
            lt = klog(L_KRB_PERR,
-                     "KDC V4: failed to find key for %s.%s #%d",
+                     "KDC V4: failed to find key for %s.%s #%d (after having found it once)",
                      name, inst, kvno);
            krb5_db_free_principal(kdc_context, &entries, nprinc);
            return(0);
        }
-    }
+       compat_decrypt_key(pkey, k, k5key, issrv);
+    memset (k, 0, sizeof k);
+       }
+
 
-    if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
-       memcpy( &principal->key_low, k, LONGLEN);
-               memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
-    }
     /*
      * Convert v5's entries struct to v4's Principal struct:
      * v5's time-unit for lifetimes is 1 sec, while v4 uses 5 minutes,
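Review bot: the return value of the second `compat_decrypt_key(pkey, k, k5key, issrv)` in the `issrv` branch is discarded, so a failed decrypt leaves `k5key` in an unknown state for the caller; check it the same way the first call is checked. The indentation of `memset (k, 0, sizeof k);` and the following `}` does not match the block they close, and the message `failed to find key for %s.%s #%d (after having found it once)` is confusing because this search covers the 3DES enctypes as well as des-cbc-crc; name the enctypes that were tried instead.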
@@ -732,21 +766,14 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
            kdb_encrypt_key(key, key, master_key,
                            master_key_schedule, DECRYPT);
            /* construct and seal the ticket */
-           if (K4KDC_ENCTYPE_OK(k5key.enctype)) {
-               krb_create_ticket(tk, k_flags, a_name_data.name,
-                                 a_name_data.instance, local_realm,
-                                 client_host.s_addr, (char *) session_key,
-                                 lifetime, kerb_time.tv_sec,
-                                 s_name_data.name, s_name_data.instance,
-                                 key);
-           } else {
-               krb_cr_tkt_krb5(tk, k_flags, a_name_data.name,
-                               a_name_data.instance, local_realm,
-                               client_host.s_addr, (char *) session_key,
-                               lifetime, kerb_time.tv_sec,
-                               s_name_data.name, s_name_data.instance,
-                               &k5key);
-           }
+           /* We always issue des tickets; the 3des tickets are a broken hack*/
+           krb_create_ticket(tk, k_flags, a_name_data.name,
+                             a_name_data.instance, local_realm,
+                             client_host.s_addr, (char *) session_key,
+                             lifetime, kerb_time.tv_sec,
+                             s_name_data.name, s_name_data.instance,
+                             key);
+
            krb5_free_keyblock_contents(kdc_context, &k5key);
            memset(key, 0, sizeof(key));
            memset(key_s, 0, sizeof(key_s));
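Review bot: the comment `/* We always issue des tickets; the 3des tickets are a broken hack*/` is missing a space before `*/` and reads as a note-to-self; rephrase it to state the policy (tickets are always sealed with the DES service key because the 3DES krb4 ticket format is insecure, as the ChangeLog says). With the `krb_cr_tkt_krb5` branch gone from this path, `k5key` is only freed here; if nothing else in the function reads it, the lookup that fills it could be skipped for the AS path.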
@@ -826,8 +853,15 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
            strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ);
            tktrlm[REALM_SZ-1] = '\0';
            kvno = (krb5_kvno)auth->dat[2];
-           if (set_tgtkey(tktrlm, kvno)) {
-               lt = klog(L_ERR_UNK,
+           if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
+             lt = klog(L_ERR_UNK,
+                       "Cross realm ticket from %s denied by policy,", tktrlm);
+             kerb_err_reply(client, pkt,
+                              KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+               return;
+           }
+           if (set_tgtkey(tktrlm, kvno, 0)) {
+             lt = klog(L_ERR_UNK,
                          "FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
                          tktrlm, kvno, inet_ntoa(client_host));
                /* no better error code */
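Review bot: the new policy-denial log message ends with a stray comma (`denied by policy,`), and the block is indented two spaces where the surrounding code uses the file's wider indent. Reusing `KERB_ERR_PRINCIPAL_UNKNOWN` for a policy refusal should carry the same `/* no better error code */` comment the neighbouring branch has, so nobody later mistakes it for a lookup error. The check itself is placed well: `tktrlm` is the realm taken from the client's packet, bounded by the `strncpy` and NUL-termination above, and is compared against `local_realm` before any key for that realm is loaded.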
@@ -837,6 +871,19 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
            }
            kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
                ad, 0);
+           if (kerno) {
+               if (set_tgtkey(tktrlm, kvno, 1)) {
+                   lt = klog(L_ERR_UNK,
+                             "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
+                             tktrlm, kvno, inet_ntoa(client_host));
+                   /* no better error code */
+                   kerb_err_reply(client, pkt,
+                                  KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+                   return;
+               }
+               kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
+                                  ad, 0);
+           }
 
            if (kerno) {
                klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
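Review bot: when the DES `krb_rd_req` fails, the 3DES retry overwrites `kerno` and re-points the one-entry `set_tgtkey` cache at the 3DES key, so the error logged afterwards (`FAILED krb_rd_req from %s`) always describes the second attempt and the original DES failure is lost; keep or log the first `kerno` so operators can tell a bad DES TGT from a bad 3DES one. Because the retry happens for every failing request, a run of bad requests will also thrash the cache between the DES and 3DES keys, which is worth a comment if it is acceptable.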
@@ -913,21 +960,13 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
            des_new_random_key(session_key);
 #endif
 
-           if (K4KDC_ENCTYPE_OK(k5key.enctype)) {
-               krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
-                                 ad->prealm, client_host.s_addr,
-                                 (char *) session_key, lifetime,
-                                 kerb_time.tv_sec,
-                                 s_name_data.name, s_name_data.instance,
-                                 key);
-           } else {
-               krb_cr_tkt_krb5(tk, k_flags, ad->pname, ad->pinst,
-                               ad->prealm, client_host.s_addr,
-                               (char *) session_key, lifetime,
-                               kerb_time.tv_sec,
-                               s_name_data.name, s_name_data.instance,
-                               &k5key);
-           }
+           /* ALways issue des tickets*/
+           krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
+                             ad->prealm, client_host.s_addr,
+                             (char *) session_key, lifetime,
+                             kerb_time.tv_sec,
+                             s_name_data.name, s_name_data.instance,
+                             key);
            krb5_free_keyblock_contents(kdc_context, &k5key);
            memset(key, 0, sizeof(key));
            memset(key_s, 0, sizeof(key_s));
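Review bot: typo in the comment `/* ALways issue des tickets*/` (capitalisation and missing space before `*/`); make it match the wording used in the AS path above so both places explain the same policy in the same terms.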
@@ -1107,11 +1146,12 @@ check_princ(char *p_name, char *instance, int lifetime, Principal *p,
 
 /* Set the key for krb_rd_req so we can check tgt */
 static int
-set_tgtkey(char *r, krb5_kvno kvno)
+set_tgtkey(char *r, krb5_kvno kvno, krb5_boolean use_3des)
 {
     int     n;
     static char lastrealm[REALM_SZ] = "";
     static int last_kvno = 0;
+    static krb5_boolean last_use_3des = 0;
     static int more;
     Principal p_st;
     Principal *p = &p_st;
@@ -1119,7 +1159,7 @@ set_tgtkey(char *r, krb5_kvno kvno)
     krb5_keyblock k5key;
 
     k5key.contents = NULL;
-    if (!strcmp(lastrealm, r) && last_kvno == kvno)
+    if (!strcmp(lastrealm, r) && last_kvno == kvno && last_use_3des == use_3des)
        return (KSUCCESS);
 
 /*  log("Getting key for %s", r); */
@@ -1141,11 +1181,12 @@ set_tgtkey(char *r, krb5_kvno kvno)
        return KFAILURE;
     }
 
-    if (!K4KDC_ENCTYPE_OK(k5key.enctype)) {
+    if (use_3des&&!K4KDC_ENCTYPE_OK(k5key.enctype)) {
        krb_set_key_krb5(kdc_context, &k5key);
        strncpy(lastrealm, r, sizeof(lastrealm) - 1);
        lastrealm[sizeof(lastrealm) - 1] = '\0';
        last_kvno = kvno;
+       last_use_3des = use_3des;
     } else {
        /* unseal tgt key from master key */
        memcpy(key,                &p->key_low,  4);
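Review bot: `last_use_3des = use_3des;` is only set in the `if` branch; the `else` (DES) branch that follows is not visible here, but unless it also updates `last_use_3des`, a DES call after a 3DES call for the same realm/kvno refreshes `lastrealm`/`last_kvno` while leaving `last_use_3des == 1`, and the next `use_3des` caller gets a cache hit on a DES key. Also, `use_3des&&!K4KDC_ENCTYPE_OK(...)` silently falls through to the DES path when a 3DES key was requested but the key found is a DES one; that is probably intended, but a comment (and spaces around `&&`) would make it clear.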
index 3e5091cbf3802b27ac86d0aab52ba28d28902f2e..5fb460b0a56d8dae2f5fee0845da247fb8f6640b 100644 (file)
@@ -551,7 +551,7 @@ setup_sam(void)
 void
 usage(char *name)
 {
-    fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-n]\n", name);
+    fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-X] [-n]\n", name);
     return;
 }
 
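Review bot: `[-X]` is added to the usage string with no hint of what it does; since it turns on a mode the code itself logs as a known security hole, the usage text and the krb5kdc man page should spell out that `-X` enables insecure krb4 cross-realm authentication.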
@@ -606,7 +606,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
      * Loop through the option list.  Each time we encounter a realm name,
      * use the previously scanned options to fill in for defaults.
      */
-    while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:3")) != -1) {
+    while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:X3")) != -1) {
        switch(c) {
        case 'r':                       /* realm name for db */
            if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) {
@@ -662,6 +662,11 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
            v4mode = strdup(optarg);
 #endif
            break;
+       case 'X':
+#ifdef KRB5_KRB4_COMPAT
+               enable_v4_crossrealm(argv[0]);
+#endif
+               break;
        case '3':
 #ifdef ATHENA_DES3_KLUDGE
            if (krb5_enctypes_list[krb5_enctypes_length-1].etype
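Review bot: without `KRB5_KRB4_COMPAT` the new `case 'X':` accepts the flag and does nothing, so an operator passing `-X` to a KDC built without krb4 support gets no feedback; mirror whatever the `'4'` case does in the non-compat build, or at least warn. The new case body is also indented with spaces where the neighbouring cases use tabs.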
index d5ace8b3988393c342a02533fc7d598d19b07c68..4096cccd485b7ef2c423b1a0b6e410bb712a346c 100644 (file)
@@ -34,6 +34,7 @@ libdir=@libdir@
 CC_LINK='@CC_LINK@'
 KRB4_LIB=@KRB4_LIB@
 DES425_LIB=@DES425_LIB@
+KDB5_DB_LIB=@KDB5_DB_LIB@
 LDFLAGS='@LDFLAGS@'
 RPATH_FLAG='@RPATH_FLAG@'
 
@@ -179,12 +180,12 @@ if test -n "$do_libs"; then
            -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
 
     if test $library = 'kdb'; then
-       lib_flags="$lib_flags -lkdb5 -ldb"
+       lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
        library=krb5
     fi
 
     if test $library = 'kadm_server'; then
-       lib_flags="$lib_flags -lkadm5srv -lkdb5 -ldb"
+       lib_flags="$lib_flags -lkadm5srv -lkdb5 $KDB5_DB_LIB"
        library=kadm_common
     fi
 
index 2a7b6cc54e3f3be3c95d3a9abadabb2efe04dc62..80e6c891f299f2ac4bc5006ad1d273a80c3a241c 100644 (file)
@@ -1,3 +1,16 @@
+2003-04-01  Nalin Dahyabhai  <nalin@redhat.com>
+
+       * krb524d.c (do_connection): Use krb5_princ_size rather than
+       direct structure field access.
+
+2003-03-16  Sam Hartman  <hartmans@mit.edu>
+
+       * krb524d.c (handle_classic_v4): Do not support 3des enctypes as
+       they are insecure.  Also, by default do not allow krb4
+       cross-realm.
+
+       * cnv_tkt_skey.c (krb524_convert_tkt_skey): Don't support 3des tickets
+
 2003-03-12  Ken Raeburn  <raeburn@mit.edu>
 
        * cnv_tkt_skey.c (krb524_convert_tkt_skey): Extract source IP
index 595a1d3929b4c6b355a4619f525fa933bae40cb2..3730ce43c64410696fae1c211ead8aafc8a7cf63 100644 (file)
@@ -184,26 +184,8 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
                                 sname,
                                 sinst,
                                 v4_skey->contents);
-     } else {
-        /* Force enctype to be raw if using DES3. */
-        if (v4_skey->enctype == ENCTYPE_DES3_CBC_SHA1 ||
-            v4_skey->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1)
-            v4_skey->enctype = ENCTYPE_DES3_CBC_RAW;
-        ret = krb524int_krb_cr_tkt_krb5(v4tkt,
-                              0, /* flags */                        
-                              pname,
-                              pinst,
-                              prealm,
-                              sinp->sin_addr.s_addr,
-                              (char *) v5etkt->session->contents,
-                              lifetime,
-                              /* issue_data */
-                              server_time,
-                              sname,
-                              sinst,
-                              v4_skey);
      }
-
+     else abort();
      krb5_free_enc_tkt_part(context, v5etkt);
      v5tkt->enc_part2 = NULL;
      if (ret == KSUCCESS)
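Review bot: `else abort();` replaces the removed 3DES branch with a hard crash in library code; `krb524_convert_tkt_skey` is called from krb524d with a key the daemon looked up, so if any caller ever passes a non-DES `v4_skey` the whole process dies instead of returning an error. Return a failure code (the function already propagates `ret`) and let the caller log it; an assertion on the key enctype belongs in the caller's key lookup, not here.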
index 4995b515fc229978e6c9e181b85f1d8c4517df97..76025067eea1cb8c569d74e07b460d9af6f288f7 100644 (file)
@@ -76,6 +76,7 @@ static int debug = 0;
 void *handle = NULL;
 
 int use_keytab, use_master;
+int allow_v4_crossrealm = 0;
 char *keytab = NULL;
 krb5_keytab kt;
 
@@ -137,7 +138,10 @@ int main(argc, argv)
      config_params.mask = 0;
      
      while (argc) {
-         if (strncmp(*argv, "-k", 2) == 0)
+       if (strncmp(*argv, "-X", 2) == 0) {
+        allow_v4_crossrealm = 1;
+       }
+       else if (strncmp(*argv, "-k", 2) == 0)
               use_keytab = 1;
          else if (strncmp(*argv, "-m", 2) == 0)
               use_master = 1;
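Review bot: the `-X` handling in krb524d's argument loop is indented differently from the `-k`/`-m` branches it joins, and like them it matches with `strncmp(*argv, "-X", 2)`, which accepts any argument beginning with `-X`. There is no usage text for the new flag in this hunk; since it enables krb4 cross-realm conversion, which the ChangeLog calls insecure, document it wherever krb524d's other options are described.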
@@ -346,7 +350,7 @@ krb5_error_code do_connection(s, context)
      if (debug)
          printf("V5 ticket decoded\n");
      
-     if( v5tkt->server->length >= 1
+     if( krb5_princ_size(context, v5tkt->server) >= 1
         &&krb5_princ_component(context, v5tkt->server, 0)->length == 3
         &&strncmp(krb5_princ_component(context, v5tkt->server, 0)->data,
                   "afs", 3) == 0) {
@@ -524,19 +528,7 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt,
                                   &v5_service_key, NULL)))
          goto error;
 
-     if ((ret = lookup_service_key(context, v5tkt->server,
-                                  ENCTYPE_DES3_CBC_RAW,
-                                  0, /* highest kvno */
-                                  &v4_service_key, v4kvno)) &&
-        (ret = lookup_service_key(context, v5tkt->server,
-                                  ENCTYPE_LOCAL_DES3_HMAC_SHA1,
-                                  0,
-                                  &v4_service_key, v4kvno)) &&
-        (ret = lookup_service_key(context, v5tkt->server,
-                                  ENCTYPE_DES3_CBC_SHA1,
-                                  0,
-                                  &v4_service_key, v4kvno)) &&
-        (ret = lookup_service_key(context, v5tkt->server,
+     if ( (ret = lookup_service_key(context, v5tkt->server,
                                   ENCTYPE_DES_CBC_CRC,
                                   0,
                                   &v4_service_key, v4kvno)))
@@ -544,8 +536,19 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt,
 
      if (debug)
          printf("service key retrieved\n");
+     if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt))) {
+       goto error;
+     }
 
-     ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
+    if (!(allow_v4_crossrealm || krb5_realm_compare(context, v5tkt->server,
+                                                   v5tkt->enc_part2->client))) {
+ret =  KRB5KDC_ERR_POLICY ;
+ goto error;
+    }
+    krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+    v5tkt->enc_part2= NULL;
+
+         ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
                                   &v4_service_key,
                                   (struct sockaddr_in *)saddr);
      if (ret)
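Review bot: the indentation in the new policy check is broken (`ret =  KRB5KDC_ERR_POLICY ;` and `goto error;` sit at column 0 or 1, and the `krb524_convert_tkt_skey` call below is pushed right), which makes the control flow hard to read; re-indent to the file's tab style. The ticket is also decrypted twice: `krb5_decrypt_tkt_part` here fills `enc_part2` for the realm comparison, it is freed, and `krb524_convert_tkt_skey` decrypts again. Either pass the already-decrypted ticket through or move the realm check into the converter. The check itself, `krb5_realm_compare(context, v5tkt->server, v5tkt->enc_part2->client)`, correctly refuses tickets whose client realm differs from the service realm unless `-X` was given, and nulling `enc_part2` after the free keeps the `error:` cleanup from double-freeing.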
@@ -561,6 +564,9 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt,
          printf("v4 credentials encoded\n");
 
  error:
+     if (v5tkt->enc_part2)
+        krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+
      if(v5_service_key.contents)
        krb5_free_keyblock_contents(context, &v5_service_key);
      if (v4_service_key.contents)
index 7424a251db02ed7cad86cb35212d6f758e5ab2db..47f718d16293e5978a4a5d9f67ced4a7a3edd6a1 100644 (file)
@@ -1,3 +1,14 @@
+2003-03-14  Sam Hartman  <hartmans@mit.edu>
+
+       * accept_sec_context.c (krb5_gss_accept_sec_context): Set
+       prot_ready here
+
+       * init_sec_context.c (krb5_gss_init_sec_context):  Set prot_ready
+       after context established
+
+       * gssapiP_krb5.h (KG_IMPLFLAGS): Don't claim prot_ready until the
+       context is established  because we don't currently support it.  
+
 2003-03-06  Alexandra Ellwood  <lxs@mit.edu>
 
     * disp_status.c, gssapi_krb5.h, gssapiP_krb5.h: 
index 5ff6146eadc65cfaeaaa2694084a0c85837c43e6..a004acb2290e99301a784a2fe603600f533b380b 100644 (file)
@@ -719,6 +719,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
                                       &ctx->seq_send);
 
        /* the reply token hasn't been sent yet, but that's ok. */
+       ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
        ctx->established = 1;
 
        token.length = g_token_size((gss_OID) mech_used, ap_rep.length);
index 3251086128a0067fcbbe33a16bcd07357c6d1675..f50653dbfd47a38188f13c222f05ce59ecc70b4a 100644 (file)
@@ -83,7 +83,7 @@
 #define KG_TOK_DEL_CTX         0x0102
 
 #define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
-                        GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG | \
+                        GSS_C_TRANS_FLAG | \
                         ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
                                 GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
 
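Review bot: removing `GSS_C_PROT_READY_FLAG` from `KG_IMPLFLAGS` is the right fix for a mechanism that cannot wrap or MIC before the context is complete, but a reader of this macro alone will now conclude the flag is never returned; add a comment pointing out that `init_sec_context` and `accept_sec_context` OR it into `ctx->gss_flags` at the point where `ctx->established` is set.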
index 8877052ba6adb64dbdd3ea421f0aaea1fbed8989..ba630f1eb45d83bb1b418775fe2d5902e4661b34 100644 (file)
@@ -688,6 +688,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
         g_order_init(&(ctx->seqstate), ctx->seq_recv,
                      (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, 
                      (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0);
+        ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
         ctx->established = 1;
         /* fall through to GSS_S_COMPLETE */
       }
index 6d3e3de5b75e652641bd4b0127ed48f4902d3be1..334d063cdf993093096ed7ea072ad5e854af4bfa 100644 (file)
@@ -1,3 +1,9 @@
+2003-04-01  Tom Yu  <tlyu@mit.edu>
+
+       * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables.
+       (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS).
+       (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB).
+
 2003-01-12  Ezra Peisach  <epeisach@bu.edu>
 
        * svr_iters.c (kadm5_get_either): For POSIX_REGEXPS
index db61a8c57d650b2baf56ab70942caa027efe809a..0b0ad36267fe78274b695559de53ca904c5caa49 100644 (file)
@@ -13,18 +13,14 @@ LIBMAJOR=5
 LIBMINOR=1
 STOBJLISTS=../OBJS.ST OBJS.ST
 
-SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@)
-SHLIB_DBLIB-k5  = $(TOPLIBD)/libdb$(SHLIBEXT)
-SHLIB_DBLIB-sys         = 
-
 SHLIB_EXPDEPS=\
        $(TOPLIBD)/libgssrpc$(SHLIBEXT) \
        $(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \
-       $(TOPLIBD)/libkdb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) \
+       $(TOPLIBD)/libkdb5$(SHLIBEXT) \
        $(TOPLIBD)/libkrb5$(SHLIBEXT) \
        $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
        $(COM_ERR_DEPLIB)
-SHLIB_EXPLIBS =        -lgssrpc -lgssapi_krb5 -lkdb5 $(DB_LIB) \
+SHLIB_EXPLIBS =        -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \
                -lkrb5 -lk5crypto -lcom_err @GEN_LIB@
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
index d685be6d9eb6a43a6c7034d321f87ad3bc8d05ff..de4ff5a5ebf5f04995526e15aa00d93e9f3eea56 100644 (file)
@@ -1,3 +1,26 @@
+2003-04-01  Tom Yu  <tlyu@mit.edu>
+
+       * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables.
+       (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS).
+       (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB).
+       (DBOBJLISTS, STOBJLISTS): Pull in object lists of in-tree libdb so
+       we don't need to install libdb.  Don't do this if building with
+       system libdb, though, since we need to explicitly link against the
+       system libdb in that case.
+
+2003-03-18  Tom Yu  <tlyu@mit.edu>
+
+       * keytab.c (krb5_ktkdb_get_entry): Do not perform the enctype
+       comparison if the requested enctype is a wildcard.
+
+2003-03-16  Sam Hartman  <hartmans@mit.edu>
+
+       * keytab.c (krb5_ktkdb_get_entry):  Match only against the first
+       enctype  for non-cross-realm tickets so we will only accept
+       tickets that the current configuration would have issued.  For
+       cross-realm tickets be liberal and match against the specified
+       enctype. 
+
 2003-03-05  Tom Yu  <tlyu@mit.edu>
 
        * kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather
index ea80b7652566b286e15a810ba82ab8dbdddd92d9..76261194a8440f8213938633fa941c74f000590b 100644 (file)
@@ -12,17 +12,20 @@ LIBMAJOR=4
 LIBMINOR=0
 RELDIR=kdb
 # Depends on libk5crypto and libkrb5
-SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@)
-SHLIB_DBLIB-k5  = $(TOPLIBD)/libdb$(SHLIBEXT)
-SHLIB_DBLIB-sys         = 
 
 SHLIB_EXPDEPS = \
        $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
-       $(TOPLIBD)/libkrb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS)
-SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(DB_LIB) $(LIBS)
+       $(TOPLIBD)/libkrb5$(SHLIBEXT)
+SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(KDB5_DB_LIB) $(LIBS)
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
 
+DBDIR = $(BUILDTOP)/util/db2
+DBOBJLISTS = $(DBOBJLISTS-@DB_VERSION@)
+DBOBJLISTS-sys =
+DBOBJLISTS-k5 = $(DBDIR)/hash/OBJS.ST $(DBDIR)/btree/OBJS.ST \
+       $(DBDIR)/db/OBJS.ST $(DBDIR)/mpool/OBJS.ST $(DBDIR)/recno/OBJS.ST \
+       $(DBDIR)/clib/OBJS.ST
 
 all:: 
 
@@ -38,7 +41,7 @@ SRCS= \
        $(srcdir)/setup_mkey.c \
        $(srcdir)/store_mkey.c
 
-STOBJLISTS=OBJS.ST
+STOBJLISTS=OBJS.ST $(DBOBJLISTS)
 STLIBOBJS= \
        keytab.o \
        encrypt_key.o \
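Review bot: folding the in-tree db2 object lists into libkdb5 through `+STOBJLISTS=OBJS.ST $(DBOBJLISTS)` means every libdb symbol (dbopen and friends) is now carried inside libkdb5 on the k5 configuration; if the shared build exports them, a program that links libkdb5 alongside a system libdb, or any other library defining the same names, gets silent symbol interposition. Check what the shared-library export list looks like after this change and either restrict it or document that libkdb5 now contains a private libdb. A one-line comment next to DBOBJLISTS-k5 explaining why the objects are pulled in (the ChangeLog text about not installing libdb) would also help the next person who touches this Makefile.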
index 6ec375ac2b1edd3ce61c5c3c7c0fb39c18e2f89f..90a81cac84cbce816c874eb87a92ceed1900ee2a 100644 (file)
  * or implied warranty.
  * 
  */
+#include <string.h>
 
 #include "k5-int.h"
 #include "kdb_kt.h"
 
+static int
+is_xrealm_tgt(krb5_context, krb5_const_principal);
+
 krb5_error_code krb5_ktkdb_close (krb5_context, krb5_keytab);
 
 krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_principal,
@@ -116,6 +120,8 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
     krb5_db_entry        db_entry;
     krb5_boolean         more = 0;
     int                  n = 0;
+    int xrealm_tgt = is_xrealm_tgt(context, principal);
+    int similar;
 
     if (ktkdb_ctx)
        context = ktkdb_ctx;
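Review bot: the initializer `int xrealm_tgt = is_xrealm_tgt(context, principal);` is evaluated before the `if (ktkdb_ctx) context = ktkdb_ctx;` substitution two lines below it, so it runs with the caller's context rather than the keytab's. Because is_xrealm_tgt only passes context through the krb5_princ_* accessors this makes no practical difference today, but assigning xrealm_tgt after the substitution (or right before the krb5_dbe_find_enctype call that uses it) keeps the function consistent with the rest of its body.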
@@ -150,16 +156,33 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
     if (kerror)
        goto error;
 
+    /* For cross realm tgts, we match whatever enctype is provided;
+     * for other principals, we only match the first enctype that is
+     * found.  Since the TGS and AS code do the same thing, then we
+     * will only successfully decrypt  tickets we have issued.*/
     kerror = krb5_dbe_find_enctype(context, &db_entry,
-                                  enctype, -1, kvno, &key_data);
+                                  xrealm_tgt?enctype:-1,
+                                  -1, kvno, &key_data);
     if (kerror)
        goto error;
 
+
     kerror = krb5_dbekd_decrypt_key_data(context, master_key,
                                         key_data, &entry->key, NULL);
     if (kerror)
        goto error;
 
+    if (enctype > 0) { 
+       kerror = krb5_c_enctype_compare(context, enctype,
+                                       entry->key.enctype, &similar);
+       if (kerror)
+           goto error;
+
+       if (!similar) {
+           kerror = KRB5_KDB_NO_PERMITTED_KEY;
+           goto error;
+       }
+    }
     /*
      * Coerce the enctype of the output keyblock in case we got an
      * inexact match on the enctype.
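Review bot: on the `!similar` path entry->key already holds the key decrypted by krb5_dbekd_decrypt_key_data, and the code jumps to `error` with KRB5_KDB_NO_PERMITTED_KEY; confirm that the error path frees and zeroes entry->key, or free it here before the goto, so an error return does not leave key material in the caller's entry. Minor: the new comment block has doubled spaces ("decrypt  tickets") and the lone `+` blank line after the first `goto error` is stray whitespace.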
@@ -176,3 +199,27 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
     krb5_db_close_database(context);
     return(kerror);
 }
+
+/*
+ * is_xrealm_tgt: Returns true if the principal is a cross-realm  TGT
+ * principal-- a principal with first component  krbtgt and second
+ * component not equal to realm.
+ */
+static int
+is_xrealm_tgt(krb5_context context, krb5_const_principal princ)
+{
+    krb5_data *dat;
+    if (krb5_princ_size(context, princ) != 2)
+       return 0;
+    dat = krb5_princ_component(context, princ, 0);
+    if (strncmp("krbtgt", dat->data, dat->length) != 0)
+       return 0;
+    dat = krb5_princ_component(context, princ, 1);
+    if (dat->length != princ->realm.length)
+       return 1;
+    if (strcmp(dat->data, princ->realm.data) == 0)
+       return 0;
+    return 1;
+
+}
+
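Review bot: `strncmp("krbtgt", dat->data, dat->length)` compares only dat->length bytes, so any two-component principal whose first component is a proper prefix of "krbtgt" (a component "krb", or an empty component, for instance) also matches and gets the liberal cross-realm enctype matching; compare `dat->length == 6 && memcmp(dat->data, "krbtgt", 6) == 0` instead. Likewise the realm comparison uses strcmp on krb5_data buffers that are not guaranteed to be NUL-terminated; since the lengths are already known to be equal at that point, `memcmp(dat->data, princ->realm.data, dat->length)` is both safe and sufficient. The header comment also has doubled spaces and a stray blank line before the closing brace.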
index ef0e702f175ae4f375a43201d085c76d482f0260..864a412e761b42fc10f4026a2d4e9874ef5f0a72 100644 (file)
@@ -1,3 +1,10 @@
+2003-04-01  Nalin Dahyabhai  <nalin@redhat.com>
+
+       * kt_file.c (krb5_ktfileint_internal_read_entry): Use
+       krb5_princ_size instead of direct field access.
+       (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry):
+       Likewise.
+
 2003-02-08  Tom Yu  <tlyu@mit.edu>
 
        * kt_file.c (krb5_ktfile_get_entry): Fix comment; not going to
index 9e4f15aa7de5d9863af190b6a263eb49cdf48964..9b7b9ae8f8b9da9853b4d63ccca9c0b36871c8ab 100644 (file)
@@ -1324,7 +1324,7 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
     return 0;
 fail:
     
-    for (i = 0; i < ret_entry->principal->length; i++) {
+    for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) {
            princ = krb5_princ_component(context, ret_entry->principal, i);
            if (princ->data)
                    free(princ->data);
@@ -1375,9 +1375,9 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
     }
 
     if (KTVERSION(id) == KRB5_KT_VNO_1) {
-           count = (krb5_int16) entry->principal->length + 1;
+           count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1;
     } else {
-           count = htons((u_short) entry->principal->length);
+           count = htons((u_short) krb5_princ_size(context, entry->principal));
     }
     
     if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) {
@@ -1396,7 +1396,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
            goto abend;
     }
 
-    count = (krb5_int16) entry->principal->length;
+    count = (krb5_int16) krb5_princ_size(context, entry->principal);
     for (i = 0; i < count; i++) {
        princ = krb5_princ_component(context, entry->principal, i);
        size = princ->length;
@@ -1494,7 +1494,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i
     krb5_int32 total_size, i;
     krb5_error_code retval = 0;
 
-    count = (krb5_int16) entry->principal->length;
+    count = (krb5_int16) krb5_princ_size(context, entry->principal);
         
     total_size = sizeof(count);
     total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16));
index c936ca4fd6504acdec007584f52a704e6282c0fe..e70c3b6f6aaa67321e855b60bfba189e04c45c5b 100644 (file)
@@ -1,3 +1,22 @@
+2003-04-01  Nalin Dahyabhai  <nalin@redhat.com>
+
+       * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name
+       length before examining components.
+
+       * parse.c (krb5_parse_name): Double-check principal name length
+       before filling in components.
+
+       * srv_rcache.c (krb5_get_server_rcache): Check for null pointer
+       supplied in place of name.
+
+       * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer
+       backwards if nothing has been put into the buffer yet.
+
+2003-04-01  Sam Hartman  <hartmans@mit.edu>
+
+       * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared,
+       don't set up a replay cache. 
+
 2003-03-08  Ezra Peisach  <epeisach@mit.edu>
 
        * t_kerb.c: Only include krb.h if krb4 support compiled in,
index fdf00e6b1108b7b94dbc8cde755264e65f86301e..b5c99428af4848c65aeaa40e1c1d981cc75398b0 100644 (file)
@@ -341,7 +341,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
        for (next_server = top_server; *next_server; next_server++) {
             krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1);
             krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1);
-            if (realm_1->length == realm_2->length &&
+           if (realm_1 != NULL &&
+               realm_2 != NULL &&
+                realm_1->length == realm_2->length &&
                 !memcmp(realm_1->data, realm_2->data, realm_1->length)) {
                break;
             }
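Review bot: the three added lines are indented with a tab while the enclosing block (the `for` line and the `!memcmp` continuation) uses spaces, so the condition no longer lines up with its continuation; re-indent to match the surrounding code. The NULL checks themselves are the right guard for the length problem the ChangeLog describes.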
index abbcfbe2d3d363ebb522a11262e00095cd0de201..3debb6acf1b89854a40c334afb66ec17af86c1d4 100644 (file)
@@ -170,11 +170,13 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
                                cp++;
                                size++;
                        } else if (c == COMPONENT_SEP) {
-                               krb5_princ_component(context, principal, i)->length = size;
+                               if (krb5_princ_size(context, principal) > i)
+                                       krb5_princ_component(context, principal, i)->length = size;
                                size = 0;
                                i++;
                        } else if (c == REALM_SEP) {
-                               krb5_princ_component(context, principal, i)->length = size;
+                               if (krb5_princ_size(context, principal) > i)
+                                       krb5_princ_component(context, principal, i)->length = size;
                                size = 0;
                                parsed_realm = cp+1;
                        } else
@@ -183,7 +185,8 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
                if (parsed_realm)
                        krb5_princ_realm(context, principal)->length = size;
                else
-                       krb5_princ_component(context, principal, i)->length = size;
+                       if (krb5_princ_size(context, principal) > i)
+                               krb5_princ_component(context, principal, i)->length = size;
                if (i + 1 != components) {
 #if !defined(_WIN32) && !defined(macintosh)
                        fprintf(stderr,
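Review bot: the `else` followed by an unbraced `if` at the end of the hunk reads as a dangling-else hazard; wrap the guarded assignment in braces. It is also worth a comment that silently skipping the length store when the component count is exceeded is safe only because the `if (i + 1 != components)` check immediately below reports the mismatch; saying so inline keeps a future reader from "fixing" the guard into an error return of its own.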
index f844e3cd64a037a8ab215f69b83f72c611dfb891..9a2f4589d7f12b779f04f5fb2313fef06fc8fc2b 100644 (file)
@@ -83,7 +83,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da
        server = request->ticket->server;
     }
     /* Get an rcache if necessary. */
-    if (((*auth_context)->rcache == NULL) && server) {
+    if (((*auth_context)->rcache == NULL)
+       && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+&& server) {
        if ((retval = krb5_get_server_rcache(context,
      krb5_princ_component(context,server,0), &(*auth_context)->rcache)))
            goto cleanup_auth_context;
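Review bot: the continuation line `+&& server) {` starts in column 0 and should be indented like the `&& ((*auth_context)->auth_context_flags ...` line above it. Behaviourally, clearing KRB5_AUTH_CONTEXT_DO_TIME now also disables replay detection for that auth context, which is a bigger change than the "don't set up a replay cache" ChangeLog wording suggests: a caller that cleared DO_TIME only to tolerate clock skew silently loses the rcache. That interaction should be stated in the krb5_rd_req documentation and in the description of the flag.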
index aa41bc52bd8add6ba6d3fe5cd68f22ea2528a634..e2e5ed690023331838fb78474a46a7d97179f36f 100644 (file)
@@ -48,6 +48,9 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
     unsigned long uid = geteuid();
 #endif
     
+    if (piece == NULL)
+       return ENOMEM;
+    
     rcache = (krb5_rcache) malloc(sizeof(*rcache));
     if (!rcache)
        return ENOMEM;
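Review bot: returning ENOMEM for a NULL `piece` reports the wrong condition; the caller passed a bad argument, memory did not run out. EINVAL (or the krb5 error code used elsewhere for invalid arguments) is more accurate and will not send someone debugging a caller down an allocation rabbit hole.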
index f0e52dceee7223437a0449a9032e14b625fc46ab..6f1a3c9e8b24ae8f6ec804b21d4fc1ca563d503d 100644 (file)
@@ -149,7 +149,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi
                *q++ = COMPONENT_SEP;
        }
 
-       q--;                    /* Back up last component separator */
+       if (i > 0)
+           q--;                /* Back up last component separator */
        *q++ = REALM_SEP;
        
        cp = krb5_princ_realm(context, principal)->data;
index 6534240549acd6c8a9c45e7a54c8f46ea9f0c943..725db86bcff5e99629753766ace192d8305cebeb 100644 (file)
@@ -1,3 +1,9 @@
+2003-03-24  Tom Yu  <tlyu@mit.edu>
+
+       * xdr_mem.c (xdrmem_create): Perform some additional size checks.
+       (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes): Check x_handy
+       prior to decrementing it.
+
 2003-01-12  Ezra Peisach  <epeisach@bu.edu>
 
        * svc_auth_gssapi.c (_svcauth_gssapi_unset_names): If invoked more
index 18265da817817ab1ea66bc43008fb6bbc0d9be08..58e2d82a377097f59330eda2a657e14295cc449e 100644 (file)
@@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_mem.c 1.19 87/08/11 Copyr 1984 Sun Micro";
 #include <netinet/in.h>
 #include <stdio.h>
 #include <string.h>
+#include <limits.h>
 
 static bool_t  xdrmem_getlong(XDR *, long *);
 static bool_t  xdrmem_putlong(XDR *, long *);
@@ -84,7 +85,7 @@ xdrmem_create(xdrs, addr, size, op)
        xdrs->x_op = op;
        xdrs->x_ops = &xdrmem_ops;
        xdrs->x_private = xdrs->x_base = addr;
-       xdrs->x_handy = size;
+       xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */
 }
 
 static void
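Review bot: clamping x_handy to INT_MAX silently shrinks the usable region when a caller passes a larger size, and the `/* XXX */` marker makes it look unfinished. Either document that sizes above INT_MAX are truncated or make xdrmem_create refuse them (it returns void, so that needs a flag in the XDR or an assertion). Since the accessor functions below now rely on x_handy never being negative, a comment at the field definition stating that invariant (clamped here, decremented only after a bounds check) would make the reasoning explicit.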
@@ -99,8 +100,10 @@ xdrmem_getlong(xdrs, lp)
        long *lp;
 {
 
-       if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+       if (xdrs->x_handy < sizeof(rpc_int32))
                return (FALSE);
+       else
+               xdrs->x_handy -= sizeof(rpc_int32);
        *lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private)));
        xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32);
        return (TRUE);
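Review bot: `xdrs->x_handy < sizeof(rpc_int32)` compares the int field against a size_t, so x_handy is converted to unsigned; the check is correct only because x_handy cannot go negative after the clamp in xdrmem_create and because the decrement now happens after the check. An explicit cast, or comparing against an int constant, makes that intent visible and avoids sign-comparison warnings. The `else` after `return (FALSE);` is redundant. The same pattern appears in xdrmem_putlong in the next hunk.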
@@ -112,8 +115,10 @@ xdrmem_putlong(xdrs, lp)
        long *lp;
 {
 
-       if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+       if (xdrs->x_handy < sizeof(rpc_int32))
                return (FALSE);
+       else
+               xdrs->x_handy -= sizeof(rpc_int32);
        *(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp));
        xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32);
        return (TRUE);
@@ -126,8 +131,10 @@ xdrmem_getbytes(xdrs, addr, len)
        register unsigned int len;
 {
 
-       if ((xdrs->x_handy -= len) < 0)
+       if (xdrs->x_handy < len)
                return (FALSE);
+       else
+               xdrs->x_handy -= len;
        memmove(addr, xdrs->x_private, len);
        xdrs->x_private = (char *)xdrs->x_private + len;
        return (TRUE);
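Review bot: `xdrs->x_handy < len` with `unsigned int len` has the same int-versus-unsigned conversion as in xdrmem_getlong; the bound is right given x_handy >= 0, but since len is supplied by the caller (for decoding, ultimately a length taken from the stream), an explicit cast makes the bound easier to audit. The same applies to xdrmem_putbytes in the next hunk, and the `else` after the early return is redundant in both.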
@@ -140,8 +147,10 @@ xdrmem_putbytes(xdrs, addr, len)
        register unsigned int len;
 {
 
-       if ((xdrs->x_handy -= len) < 0)
+       if (xdrs->x_handy < len)
                return (FALSE);
+       else
+               xdrs->x_handy -= len;
        memmove(xdrs->x_private, addr, len);
        xdrs->x_private = (char *)xdrs->x_private + len;
        return (TRUE);
@@ -180,7 +189,7 @@ xdrmem_inline(xdrs, len)
 {
        rpc_int32 *buf = 0;
 
-       if (xdrs->x_handy >= len) {
+       if (len >= 0 && xdrs->x_handy >= len) {
                xdrs->x_handy -= len;
                buf = (rpc_int32 *) xdrs->x_private;
                xdrs->x_private = (char *)xdrs->x_private + len;
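Review bot: `len >= 0 &&` is only meaningful if len is a signed int; if xdrmem_inline declares it `unsigned int` as xdrmem_getbytes and xdrmem_putbytes do (`register unsigned int len;` in the hunks above), the test is always true and compilers will warn about it. Check the declaration just above this hunk: if len is signed, keep the check and add a comment saying it guards against negative lengths; if unsigned, drop it.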
index 24acb48451d363c667588ee6466203c2ba05b922..acd5ebb4f1e4d97db4454129f037f65686cf7120 100644 (file)
 #define KRB4_USE_KEYTAB              1
 #define KRB5                         1
 #define KRB524_PRIVATE               1
-#define KRB5_DNS_LOOKUP              0
-#define KRB5_DNS_LOOKUP_KDC          0
+#define KRB5_DNS_LOOKUP              1
+#define KRB5_DNS_LOOKUP_KDC          1
 #define KRB5_KRB4_COMPAT             1
 #define KRB5_PRIVATE                 1
 #define krb5_sigtype                 void
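Review bot: flipping KRB5_DNS_LOOKUP from 0 to 1 turns on the master switch for DNS-based lookups in the Mac OS X build, not only the KDC lookup that KRB5_DNS_LOOKUP_KDC governs; whether hostname-to-realm mapping from unauthenticated DNS TXT records is also compiled in depends on KRB5_DNS_LOOKUP_REALM, which this header does not mention. Realm lookup from DNS is the riskier of the two, so the intended combination should be stated explicitly here and noted in the Mac OS X build documentation together with the run-time dns_lookup_realm setting that controls it.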
index c674f4b5bbf3320d039a64ad65375a2458c535b7..01b54af7966de72db61c65be51b084ada0dd3ce1 100644 (file)
                        settings = {
                        };
                };
+               A1BBFF1604226DBD00120114 = {
+                       fileEncoding = 30;
+                       isa = PBXFileReference;
+                       path = configure.in;
+                       refType = 4;
+               };
                A1CA6042040F24850013F915 = {
                        fileRef = F517325103F1B65901120114;
                        isa = PBXBuildFile;
                        children = (
                                F51730E203F1B65801120114,
                                F51730E303F1B65801120114,
+                               A1BBFF1604226DBD00120114,
                                F51730E503F1B65801120114,
                                F51730E603F1B65801120114,
                                F51730E703F1B65801120114,
                                F51730FF03F1B65801120114,
                                F517310003F1B65801120114,
                                F517310103F1B65801120114,
-                               F517310203F1B65801120114,
                                F517310303F1B65801120114,
                                F517310403F1B65801120114,
                                F517310503F1B65801120114,
                                F517310603F1B65801120114,
-                               F517310703F1B65801120114,
                                F517310803F1B65801120114,
                                F517310903F1B65801120114,
                                F517310A03F1B65801120114,
                        path = adm_proto.h;
                        refType = 4;
                };
-               F517310203F1B65801120114 = {
-                       children = (
-                       );
-                       isa = PBXGroup;
-                       path = asn.1;
-                       refType = 4;
-               };
                F517310303F1B65801120114 = {
                        fileEncoding = 30;
                        isa = PBXFileReference;
                        path = kdb_dbc.h;
                        refType = 4;
                };
-               F517310703F1B65801120114 = {
-                       fileEncoding = 30;
-                       isa = PBXFileReference;
-                       path = kdb_dbm.h;
-                       refType = 4;
-               };
                F517310803F1B65801120114 = {
                        fileEncoding = 30;
                        isa = PBXFileReference;
                        settings = {
                        };
                };
-               F51738E403F1BA7F01120114 = {
-                       fileRef = F517310D03F1B65801120114;
-                       isa = PBXBuildFile;
-                       settings = {
-                       };
-               };
                F51738E503F1BAF701120114 = {
                        fileRef = F51734DE03F1B65A01120114;
                        isa = PBXBuildFile;
                                F51738DE03F1BA2701120114,
                                F51738DF03F1BA2701120114,
                                F51738E303F1BA7501120114,
-                               F51738E403F1BA7F01120114,
                                F51738F303F1BB1701120114,
                                F51738F903F1BB1A01120114,
                                F517391B03F1BB2D01120114,
index 9969720be6ae0972776514b5ab65a84513b38325..1a3c4351ca70ac45f90ce02fad1e25793362fbbe 100644 (file)
@@ -45,6 +45,17 @@ rule Make
 actions Make
 {
     mkdir -p "$(1:D)"
+    echo "*******************************************************"
+    echo "*** WARNING! Deleting KfM /usr/lib compat symlinks! ***"
+    echo "*******************************************************"
+    echo "(If you want us to stop doing this, fix ld: Radar 3176974)"
+    rm -f /usr/lib/libcom_err.dylib
+    rm -f /usr/lib/libdes425.dylib
+    rm -f /usr/lib/libgssapi_krb5.dylib
+    rm -f /usr/lib/libk5crypto.dylib
+    rm -f /usr/lib/libkrb4.dylib
+    rm -f /usr/lib/libkrb5.dylib
+    rm -f /usr/lib/libkrb524.dylib
     cd "$(1:D)" && make && touch "$(1)" && echo "### HAPPINESS ###"
 }
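Review bot: a build action that runs `rm -f /usr/lib/lib*.dylib` modifies the developer's system outside the build tree every time the target runs, and with no guard it will do so on machines that never had the KfM compat symlinks or where /usr/lib holds real files of those names. At minimum gate each removal on the path being a symlink (`test -L`) and on an explicit opt-in variable, and keep the Radar reference in a comment rather than echoing the warning banner on every build.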
 
index 7d8589b47df11d728e50ec4d189325c72030f093..e2092a8d9fdcd39ee7a287e474ff651298b71b8a 100644 (file)
@@ -1,3 +1,9 @@
+2003-03-26  Tom Yu  <tlyu@mit.edu>
+
+       * default.exp (v4kinit): Expect failure when kiniting to a des3
+       TGT, due to fix for MITKRB5-SA-2003-004.
+       (setup_kadmind_srvtab): Remove.  It's not needed anymore.
+
 2003-02-04  Tom Yu  <tlyu@mit.edu>
 
        * default.exp (start_kerberos_daemons): Use correct argument to
index f025eb76377c6a52f19c55c98c2742c4c0ce1f51..82b69525ecd83f451ab74bf0dca3a9048ed2742b 100644 (file)
@@ -692,7 +692,6 @@ proc setup_kerberos_files { } {
        puts $conffile "                database_name = $tmppwd/db"
        puts $conffile "                admin_database_name = $tmppwd/adb"
        puts $conffile "                admin_database_lockfile = $tmppwd/adb.lock"
-       puts $conffile "                admin_keytab = $tmppwd/admin-keytab"
        puts $conffile "                key_stash_file = $tmppwd/stash"
        puts $conffile "                acl_file = $tmppwd/acl"
        puts $conffile "                kadmind_port = 3750"
@@ -938,83 +937,6 @@ proc restore_kerberos_env { } {
 
 }
 
-# setup_kadmind_srvtab
-# A procedure to build the srvtab for kadmind5 so that kadmin5 and it
-# may successfully communicate.
-# Returns 1 on success, 0 on failure.
-proc setup_kadmind_srvtab {  } {
-    global REALMNAME
-    global KADMIN_LOCAL
-    global KEY
-    global tmppwd
-
-    catch "exec rm -f $tmppwd/admin-keytab"
-    envstack_push
-    setup_kerberos_env kdc
-    spawn $KADMIN_LOCAL -r $REALMNAME
-    envstack_pop
-    catch expect_after
-    expect_after {
-       -re "(.*)\r\nkadmin.local:  " {
-           fail "kadmin.local admin-keytab (unmatched output: $expect_out(1,string)"
-           catch "exec rm -f $tmppwd/admin-keytab"
-           catch "expect_after"
-           return 0
-       }
-       timeout {
-           fail "kadmin.local admin-keytab (timeout)"
-           catch "exec rm -f $tmppwd/admin-keytab"
-           catch "expect_after"
-           return 0
-       }
-       eof {
-           fail "kadmin.local admin-keytab (eof)"
-           catch "exec rm -f $tmppwd/admin-keytab"
-           catch "expect_after"
-           return 0
-       }
-    }
-    expect "kadmin.local:  "
-    send "xst -k admin-new-srvtab kadmin/admin\r"
-    expect "xst -k admin-new-srvtab kadmin/admin\r\n"
-    expect -re ".*Entry for principal kadmin/admin.* added to keytab WRFILE:admin-new-srvtab."
-    expect "kadmin.local:  "
-
-    catch "exec mv -f admin-new-srvtab changepw-new-srvtab" exec_output
-    if ![string match "" $exec_output] {
-       verbose -log "$exec_output"
-       perror "can't mv admin-new-srvtab"
-       catch expect_after
-       return 0
-    }
-
-    send "xst -k changepw-new-srvtab kadmin/changepw\r"
-    expect "xst -k changepw-new-srvtab kadmin/changepw\r\n"
-    expect -re ".*Entry for principal kadmin/changepw.* added to keytab WRFILE:changepw-new-srvtab."
-    expect "kadmin.local:  "
-    send "quit\r"
-    expect eof
-    catch expect_after
-    if ![check_exit_status "kadmin.local admin-keytab"] {
-       catch "exec rm -f $tmppwd/admin-keytab"
-       perror "kadmin.local admin-keytab exited abnormally"
-       return 0
-    }
-
-    catch "exec mv -f changepw-new-srvtab $tmppwd/admin-keytab" exec_output
-    if ![string match "" $exec_output] {
-       verbose -log "$exec_output"
-       perror "can't mv new admin-keytab"
-       return 0
-    }
-
-    # Make the srvtab file globally readable in case we are using a
-    # root shell and the srvtab is NFS mounted.
-    catch "exec chmod a+r $tmppwd/admin-keytab"
-
-    return 1
-}
-
 # setup_kerberos_db
 # Initialize the Kerberos database.  If the argument is non-zero, call
 # pass at relevant points.  Returns 1 on success, 0 on failure.
@@ -1270,12 +1192,7 @@ proc setup_kerberos_db { standalone } {
            }
        }
     }
-    # XXX should deal with envstack inside setup_kadmind_srvtab too
-    set ret [setup_kadmind_srvtab]
     envstack_pop
-    if !$ret {
-       return 0
-    }
 
     # create the admin database lock file
     catch "exec touch $tmppwd/adb.lock"
@@ -2029,6 +1946,7 @@ proc v4kinit { name pass standalone } {
     global REALMNAME
     global KINIT
     global spawn_id
+    global des3_krbtgt
 
     # Use kinit to get a ticket.
        #
@@ -2052,10 +1970,20 @@ proc v4kinit { name pass standalone } {
     }
     send "$pass\r"
     expect eof
-    if ![check_exit_status kinit] {
-       return 0
+    if {$des3_krbtgt == 0} {
+       if ![check_exit_status v4kinit] {
+           return 0
+       }
+    } else {
+       # Fail if kinit is successful with a des3 TGT.
+       set status_list [wait -i $spawn_id]
+       set testname v4kinit
+       verbose "wait -i $spawn_id returned $status_list ($testname)"
+       if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } {
+           verbose -log "exit status: $status_list"
+           fail "$testname (exit status)"
+       }
     }
-
     if {$standalone} {
        pass "v4kinit"
     }
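Review bot: the des3 branch pins the expected exit status to exactly 1 (`[lindex $status_list 3] != 1`), so if kinit's failure exit code ever changes the test will report a failure for the correct behaviour; checking for a non-zero status, or matching the expected error message before `expect eof`, is more robust. Also, `set testname v4kinit` makes the fail message read "v4kinit (exit status)", identical to what a genuine kinit failure produces in the non-des3 branch; include "des3" in the name so the two cases are distinguishable in the log.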
index fe3f185a6b1801532ed327cf9f19c593a06b6a62..01f490230ff9222bdc3819819112b0547bc7deec 100644 (file)
@@ -1,3 +1,12 @@
+2003-03-26  Tom Yu  <tlyu@mit.edu>
+
+       * v4gssftp.exp (v4ftp_test): Return early if $des3_krbtgt set.
+
+       * v4krb524d.exp (doit): Return early if $des3_krbtgt set.
+
+       * v4standalone.exp (check_and_destroy_v4_tix): Return early if
+       $des3_krbtgt set.
+
 2003-01-01  Ezra Peisach  <epeisach@bu.edu>
 
        * standalone.exp: Only run the keytab to srvtab tests if kerberos 4
index c0b95d0ae02769ef36952ab9c00aece399b830a9..c4d5fd35c4fe27250137f82762378bab58022dd3 100644 (file)
@@ -179,7 +179,11 @@ proc v4ftp_test { } {
     global tmppwd
     global ftp_save_ktname
     global ftp_save_ccname
+    global des3_krbtgt
 
+    if {$des3_krbtgt} {
+       return
+    }
     # Start up the kerberos and kadmind daemons and get a srvtab and a
     # ticket file.
     if {![start_kerberos_daemons 0] \
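Review bot: returning early when des3_krbtgt is set makes the whole v4 ftp test vanish from the DejaGnu summary without a trace; an `unsupported "v4ftp_test (des3 TGT)"` (or `untested`) before the return records why it was skipped. The same applies to the early returns added to doit and check_and_destroy_v4_tix in the hunks below.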
index 5506a06b7dc9bdd3fd87a3c126f83c7df01f9d9b..6e922c7e15fc16630e99b8eff0ec5d71f793271f 100644 (file)
@@ -78,7 +78,11 @@ proc doit { } {
     global KDESTROY
     global tmppwd
     global REALMNAME
+    global des3_krbtgt
 
+    if {$des3_krbtgt} {
+       return
+    }
     # Start up the kerberos and kadmind daemons.
     if ![start_kerberos_daemons 1] {
        return
index 62db0a794b94a49606077ffd3ffbdd97f621d6b9..cc42e8dabad9f33742ca555360c1b3d6f13c7690 100644 (file)
@@ -26,7 +26,12 @@ if ![setup_kerberos_db 1] {
 
 proc check_and_destroy_v4_tix { client server } {
     global REALMNAME
+    global des3_krbtgt
 
+    # Skip this if we're using a des3 TGT, since that's supposed to fail.
+    if {$des3_krbtgt} {
+       return
+    }
     # Make sure that klist can see the ticket.
     if ![v4klist "$client" "$server" "v4klist"] {
        return
index 926b6c46d034f88d65d641522698b5336ff7dffe..5401447ad061d3a6ea855bcbc83693cfc83f645a 100644 (file)
@@ -1,3 +1,9 @@
+2003-04-10  Tom Yu  <tlyu@mit.edu>
+
+       * reconf: Warn if autoconf-2.52 is used, as it generates buggy
+       configure scripts that don't work with BSD /bin/sh, and don't
+       comply with POSIX.2 (no conditions inside "case" statement).
+
 2003-02-05  Tom Yu  <tlyu@mit.edu>
 
        * mkrel: Exclude .rconf files.
index acac38ef1967c7ecd5f3822d1adb7ea2b89ce46f..7c9d1dfa948a27ef20239b11920a0ecd5deab213 100644 (file)
@@ -1,3 +1,8 @@
+2003-04-01  Tom Yu  <tlyu@mit.edu>
+
+       * Makefile.in (install-unix): Delete install-libs.  We don't want
+       to install our in-tree libdb.
+
 2003-01-10  Ken Raeburn  <raeburn@mit.edu>
 
        * configure.in: Don't explicitly invoke AC_PROG_INSTALL.
index 0d4634ff073295f0580c763981d11532a120fdab..6ca75509720b27aeb364a1eabfce2901292ca0fd 100644 (file)
@@ -17,7 +17,6 @@ HDRS =        $(HDRDIR)/db.h $(HDRDIR)/db-config.h $(HDRDIR)/db-ndbm.h
 
 all-unix:: all-liblinks includes
 clean-unix:: clean-liblinks clean-libs clean-includes
-install-unix:: install-libs
 
 includes:: $(HDRS)
 
diff --git a/src/util/db2/test/Makefile b/src/util/db2/test/Makefile
deleted file mode 100644 (file)
index 6685dec..0000000
+++ /dev/null
@@ -1,652 +0,0 @@
-############################################################
-## config/pre.in
-## common prefix for all Makefile.in in the Kerberos V5 tree.
-##
-
-WHAT = unix
-SHELL=/bin/sh
-
-all:: all-$(WHAT)
-
-clean:: clean-$(WHAT)
-
-distclean:: distclean-$(WHAT)
-
-install:: install-$(WHAT)
-
-check:: check-$(WHAT)
-
-install-headers:: install-headers-$(WHAT)
-
-##############################
-# Recursion rule support
-#
-
-# The commands for the recursion targets live in config/post.in.
-#
-# General form of recursion rules:
-#
-# Each recursive target foo-unix has related targets: foo-prerecurse,
-# foo-recurse, and foo-postrecurse
-#
-# The foo-recurse rule is in post.in.  It is what actually recursively
-# calls make.
-#
-# foo-recurse depends on foo-prerecurse, so any targets that must be
-# built before descending into subdirectories must be dependencies of
-# foo-prerecurse.
-#
-# foo-postrecurse depends on foo-recurse, but targets that must be
-# built after descending into subdirectories should be have
-# foo-recurse as dependencies in addition to being listed under
-# foo-postrecurse, to avoid ordering issues.
-#
-# The foo-prerecurse, foo-recurse, and foo-postrecurse rules are all
-# single-colon rules, to avoid nasty ordering problems with
-# double-colon rules.
-#
-# e.g.
-# all:: includes foo
-# foo:
-#      echo foo
-# includes::
-#      echo bar
-# includes::
-#      echo baz
-#
-# will result in "bar", "foo", "baz" on AIX, and possibly others.
-all-unix:: all-postrecurse
-all-postrecurse: all-recurse
-all-recurse: all-prerecurse
-
-all-prerecurse:
-all-postrecurse:
-
-clean-unix:: clean-postrecurse
-clean-postrecurse: clean-recurse
-clean-recurse: clean-prerecurse
-
-clean-prerecurse:
-clean-postrecurse:
-
-distclean-unix: distclean-postrecurse
-distclean-postrecurse: distclean-recurse
-distclean-recurse: distclean-prerecurse
-
-distclean-prerecurse:
-distclean-postrecurse:
-
-install-unix:: install-postrecurse
-install-postrecurse: install-recurse
-install-recurse: install-prerecurse
-
-install-prerecurse:
-install-postrecurse:
-
-install-headers-unix:: install-headers-postrecurse
-install-headers-postrecurse: install-headers-recurse
-install-headers-recurse: install-headers-prerecurse
-
-install-headers-prerecurse:
-install-headers-postrecurse:
-
-check-unix:: check-postrecurse
-check-postrecurse: check-recurse
-check-recurse: check-prerecurse
-
-check-prerecurse:
-check-postrecurse:
-
-Makefiles: Makefiles-postrecurse
-Makefiles-postrecurse: Makefiles-recurse
-Makefiles-recurse: Makefiles-prerecurse
-
-Makefiles-prerecurse:
-Makefiles-postrecurse:
-
-#
-# end recursion rule support
-##############################
-
-# Directory syntax:
-#
-# begin relative path
-REL=
-# this is magic... should only be used for preceding a program invocation
-C=./
-# "/" for UNIX, "\" for Windows; *sigh*
-S=/
-
-SUBDIRS =  $(LOCAL_SUBDIRS)
-srcdir = .
-SRCTOP = ./$(BUILDTOP)
-
-CONFIG_RELTOPDIR = ../..
-
-ALL_CFLAGS = $(DEFS) $(DEFINES) $(LOCALINCLUDES) $(CPPFLAGS) $(CFLAGS)
-CFLAGS = -g
-CPPFLAGS = -I$(BUILDTOP)/include -I$(SRCTOP)/include -I$(BUILDTOP)/include/krb5 -I$(SRCTOP)/include/krb5 -I/usr/athena/include  -DKRB5_KRB4_COMPAT -DKRB5_PRIVATE=1
-DEFS = -DHAVE_CONFIG_H
-CC = /usr/gcc/bin/gcc
-LD = $(PURE) /usr/gcc/bin/gcc
-DEPLIBS = @DEPLIBS@
-LDFLAGS = -L/usr/athena/lib 
-LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
-LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
-LDARGS = @LDARGS@
-LIBS = -lsocket -lnsl  -lresolv
-SRVLIBS = @SRVLIBS@
-SRVDEPLIBS = @SRVDEPLIBS@
-CLNTLIBS = @CLNTLIBS@
-CLNTDEPLIBS = @CLNTDEPLIBS@
-
-INSTALL=/usr/athena/bin/install -c
-INSTALL_STRIP=
-INSTALL_PROGRAM=${INSTALL} $(INSTALL_STRIP)
-INSTALL_DATA=${INSTALL} -m 644
-INSTALL_SHLIB=$(INSTALL_DATA)
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
-## This is needed because autoconf will sometimes define ${prefix} to be
-## ${prefix}.
-prefix=/usr/local
-INSTALL_PREFIX=$(prefix)
-INSTALL_EXEC_PREFIX=${prefix}
-exec_prefix=${prefix}
-SHLIB_TAIL_COMP=@SHLIB_TAIL_COMP@
-
-KRB5MANROOT = ${prefix}/man
-ADMIN_BINDIR = ${exec_prefix}/sbin
-SERVER_BINDIR = ${exec_prefix}/sbin
-CLIENT_BINDIR =${exec_prefix}/bin
-ADMIN_MANDIR = $(KRB5MANROOT)/man8
-SERVER_MANDIR = $(KRB5MANROOT)/man8
-CLIENT_MANDIR = $(KRB5MANROOT)/man1
-FILE_MANDIR = $(KRB5MANROOT)/man5
-KRB5_LIBDIR = ${exec_prefix}/lib
-KRB5_SHLIBDIR = ${exec_prefix}/lib$(SHLIB_TAIL_COMP)
-KRB5_INCDIR = ${prefix}/include
-KRB5_INCSUBDIRS = \
-       $(KRB5_INCDIR)/gssapi \
-       $(KRB5_INCDIR)/kerberosIV
-
-#
-# Macros used by the KADM5 (OV-based) unit test system.
-# XXX check which of these are actually used!
-#
-TESTDIR                = $(BUILDTOP)/kadmin/testing
-STESTDIR       = $(SRCTOP)/kadmin/testing
-COMPARE_DUMP   = $(TESTDIR)/scripts/compare_dump.pl
-FIX_CONF_FILES = $(TESTDIR)/scripts/fixup-conf-files.pl
-INITDB         = $(STESTDIR)/scripts/init_db
-MAKE_KEYTAB    = $(TESTDIR)/scripts/make-host-keytab.pl
-LOCAL_MAKE_KEYTAB= $(TESTDIR)/scripts/make-host-keytab.pl
-RESTORE_FILES  = $(STESTDIR)/scripts/restore_files.sh
-SAVE_FILES     = $(STESTDIR)/scripts/save_files.sh
-ENV_SETUP      = $(TESTDIR)/scripts/env-setup.sh
-CLNTTCL                = $(TESTDIR)/util/ovsec_kadm_clnt_tcl
-SRVTCL         = $(TESTDIR)/util/ovsec_kadm_srv_tcl
-# Dejagnu variables.
-# We have to set the host with --host so that setup_xfail will work.
-# If we don't set it, then the host type used is "native", which
-# doesn't match "*-*-*".
-host=sparc-sun-solaris2.8
-DEJAFLAGS      = $(DEJALFLAGS) $(CLFLAGS) --debug --srcdir $(srcdir) --host \
-                  $(host)
-RUNTEST                = runtest $(DEJAFLAGS)
-
-START_SERVERS  = $(STESTDIR)/scripts/start_servers $(TEST_SERVER) $(TEST_PATH)
-START_SERVERS_LOCAL = $(STESTDIR)/scripts/start_servers_local
-
-STOP_SERVERS   = $(STESTDIR)/scripts/stop_servers $(TEST_SERVER) $(TEST_PATH)
-STOP_SERVERS_LOCAL = $(STESTDIR)/scripts/stop_servers_local
-#
-# End of macros for the KADM5 unit test system.
-#
-
-transform = s,x,x,
-
-RM = rm -f
-CP  = cp
-MV = mv -f
-CHMOD=chmod
-RANLIB = ranlib
-ARCHIVE = @ARCHIVE@
-ARADD = @ARADD@
-LN = ln -s
-AWK = @AWK@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-YACC = @YACC@
-AUTOCONF = autoconf
-AUTOCONFFLAGS = 
-AUTOCONFINCFLAGS = --localdir
-AUTOHEADER = autoheader
-AUTOHEADERFLAGS = 
-
-HOST_TYPE = @HOST_TYPE@
-SHEXT = @SHEXT@
-STEXT=@STEXT@
-VEXT=@VEXT@
-DO_MAKE_SHLIB = @DO_MAKE_SHLIB@
-SHLIB_STATIC_TARGET=@SHLIB_STATIC_TARGET@
-
-TOPLIBD = $(BUILDTOP)/lib
-
-OBJEXT = o
-LIBEXT = a
-EXEEXT =
-
-#
-# variables for libraries, for use in linking programs
-# -- this may want to get broken out into a separate frag later
-#
-#
-# Note: the following variables must be set in any Makefile.in that
-# uses KRB5_BUILD_PROGRAM
-#
-# PROG_LIBPATH list of dirs, in -Ldir form, to search for libraries at link
-# PROG_RPATH   list of dirs, in dir1:dir2 form, for rpath purposes
-#
-# invocation is like:
-# prog: foo.o bar.o $(KRB5_BASE_DEPLIBS)
-#      $(CC_LINK) -o $@ foo.o bar.o $(KRB5_BASE_LIBS)
-
-
-CC_LINK=$(PURE) $(CC) $(PROG_LIBPATH) $(LDFLAGS)
-
-# prefix (with no spaces after) for rpath flag to cc
-RPATH_FLAG=-R
-
-# this gets set by configure to either $(STLIBEXT) or $(SHLIBEXT),
-# depending on whether we're building with shared libraries.
-DEPLIBEXT=.a
-
-KADMCLNT_DEPLIB        = $(TOPLIBD)/libkadm5clnt$(DEPLIBEXT)
-KADMSRV_DEPLIB = $(TOPLIBD)/libkadm5srv$(DEPLIBEXT)
-KDB5_DEPLIB    = $(TOPLIBD)/libkdb5$(DEPLIBEXT)
-DB_DEPLIB      = $(DB_DEPLIB-k5)
-DB_DEPLIB-k5   = $(TOPLIBD)/libdb$(DEPLIBEXT)
-DB_DEPLIB-sys  =
-GSSRPC_DEPLIB  = $(TOPLIBD)/libgssrpc$(DEPLIBEXT)
-GSS_DEPLIB     = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT)
-KRB4_DEPLIB    = $(TOPLIBD)/libkrb4$(DEPLIBEXT)                # $(TOPLIBD)/libkrb4$(DEPLIBEXT)
-DES425_DEPLIB  = $(TOPLIBD)/libdes425$(DEPLIBEXT)      # $(TOPLIBD)/libdes425$(DEPLIBEXT)
-KRB5_DEPLIB    = $(TOPLIBD)/libkrb5$(DEPLIBEXT)
-CRYPTO_DEPLIB  = $(TOPLIBD)/libk5crypto$(DEPLIBEXT)
-COM_ERR_DEPLIB = $(COM_ERR_DEPLIB-k5)
-COM_ERR_DEPLIB-sys = # empty
-COM_ERR_DEPLIB-k5 = $(TOPLIBD)/libcom_err$(DEPLIBEXT)
-
-# These are forced to use ".a" as an extension because they're never
-# built shared.
-SS_DEPLIB      = $(SS_DEPLIB-k5)
-SS_DEPLIB-k5   = $(TOPLIBD)/libss.a
-SS_DEPLIB-sys  =
-KRB524_DEPLIB  = $(BUILDTOP)/krb524/libkrb524.a
-PTY_DEPLIB     = $(TOPLIBD)/libpty.a
-
-KRB5_BASE_DEPLIBS      = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB)
-KRB4COMPAT_DEPLIBS     = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS)
-KDB5_DEPLIBS           = $(KDB5_DEPLIB) $(DB_DEPLIB)
-GSS_DEPLIBS            = $(GSS_DEPLIB)
-GSSRPC_DEPLIBS         = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS)
-KADM_COMM_DEPLIBS      = $(GSSRPC_DEPLIBS) $(KDB5_DEPLIBS) $(GSSRPC_DEPLIBS)
-KADMSRV_DEPLIBS                = $(KADMSRV_DEPLIB) $(KDB5_DEPLIBS) $(KADM_COMM_DEPLIBS)
-KADMCLNT_DEPLIBS       = $(KADMCLNT_DEPLIB) $(KADM_COMM_DEPLIBS)
-
-# Header file dependencies we might override.
-# See util/depfix.sed.
-# Also see depend-verify-* in post.in, which wants to confirm that we're using
-# the in-tree versions.
-COM_ERR_VERSION = k5
-COM_ERR_DEPS   = $(COM_ERR_DEPS-k5)
-COM_ERR_DEPS-sys =
-COM_ERR_DEPS-k5        = $(BUILDTOP)/include/com_err.h
-SS_VERSION     = k5
-SS_DEPS                = $(SS_DEPS-k5)
-SS_DEPS-sys    =
-SS_DEPS-k5     = $(BUILDTOP)/include/ss/ss.h $(BUILDTOP)/include/ss/ss_err.h
-DB_VERSION     = k5
-DB_DEPS                = $(DB_DEPS-k5)
-DB_DEPS-sys    =
-DB_DEPS-k5     = $(BUILDTOP)/include/db.h $(BUILDTOP)/include/db-config.h
-DB_DEPS-redirect = $(BUILDTOP)/include/db.h
-
-# Header file dependencies that might depend on whether krb4 support
-# is compiled.
-
-KRB_ERR_H_DEP  = $(BUILDTOP)/include/kerberosIV/krb_err.h
-KRB524_H_DEP   = $(BUILDTOP)/include/krb524.h
-KRB524_ERR_H_DEP= $(BUILDTOP)/include/krb524_err.h
-
-# LIBS gets substituted in... e.g. -lnsl -lsocket
-
-# GEN_LIB is -lgen if needed for regexp
-GEN_LIB                = 
-
-SS_LIB         = $(SS_LIB-k5)
-SS_LIB-sys     = 
-SS_LIB-k5      = $(TOPLIBD)/libss.a
-KDB5_LIB       = -lkdb5
-DB_LIB         = -ldb
-
-KRB5_LIB                       = -lkrb5
-K5CRYPTO_LIB                   = -lk5crypto
-COM_ERR_LIB                    = -lcom_err
-GSS_KRB5_LIB                   = -lgssapi_krb5
-
-# KRB4_LIB is -lkrb4 if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-KRB4_LIB       = -lkrb4
-
-# DES425_LIB is -ldes425 if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-DES425_LIB     = -ldes425
-
-# KRB524_LIB is $(BUILDTOP)/krb524/libkrb524.a if building --with-krb4
-# needs fixing if ever used on Mac OS X!
-KRB524_LIB     = $(BUILDTOP)/krb524/libkrb524.a
-
-# HESIOD_LIBS is -lhesiod...
-HESIOD_LIBS    = 
-
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(GEN_LIB) $(LIBS)
-KRB4COMPAT_LIBS        = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
-KDB5_LIBS      = $(KDB5_LIB) $(DB_LIB)
-GSS_LIBS       = $(GSS_KRB5_LIB)
-# needs fixing if ever used on Mac OS X!
-GSSRPC_LIBS    = -lgssrpc $(GSS_LIBS)
-KADM_COMM_LIBS = $(GSSRPC_LIBS)
-# need fixing if ever used on Mac OS X!
-KADMSRV_LIBS   = -lkadm5srv $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS)
-KADMCLNT_LIBS  = -lkadm5clnt $(KADM_COMM_LIBS)
-
-# need fixing if ever used on Mac OS X!
-PTY_LIB                = -lpty
-
-#
-# some more stuff for --with-krb4
-KRB4_LIBPATH   = 
-KRB4_INCLUDES  = -I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV
-
-#
-# variables for --with-tcl=
-TCL_LIBS       = @TCL_LIBS@
-TCL_LIBPATH    = @TCL_LIBPATH@
-TCL_RPATH      = @TCL_RPATH@
-TCL_MAYBE_RPATH = @TCL_MAYBE_RPATH@
-TCL_INCLUDES   = @TCL_INCLUDES@
-
-# error table rules
-#
-### /* these are invoked as $(...) foo.et, which works, but could be better */
-COMPILE_ET= $(COMPILE_ET-k5)
-COMPILE_ET-sys= compile_et
-COMPILE_ET-k5= $(BUILDTOP)/util/et/compile_et -d $(SRCTOP)/util/et
-
-.SUFFIXES:  .h .c .et .ct
-
-# These versions cause both .c and .h files to be generated at once.
-# But GNU make doesn't understand this, and parallel builds can trigger
-# both of them at once, causing them to stomp on each other.  The versions
-# below only update one of the files, so compile_et has to get run twice,
-# but it won't break parallel builds.
-#.et.h: ; $(COMPILE_ET) $<
-#.et.c: ; $(COMPILE_ET) $<
-
-.et.h:
-       d=ettmp$$$$ ; (cp $< $$d.et && $(COMPILE_ET) $$d.et && mv $$d.h $*.h) ; \
-               e=$$? ; rm -f $$d.* ; exit $$e
-
-.et.c:
-       d=ettmp$$$$ ; (cp $< $$d.et && $(COMPILE_ET) $$d.et && mv $$d.c $*.c) ; \
-               e=$$? ; rm -f $$d.* ; exit $$e
-
-# rule to make object files
-#
-.SUFFIXES: .c .o
-.c.o:
-       $(CC) $(ALL_CFLAGS) -c $<
-
-# ss command table rules
-#
-MAKE_COMMANDS= $(MAKE_COMMANDS-k5)
-MAKE_COMMANDS-sys= mk_cmds
-MAKE_COMMANDS-k5= $(BUILDTOP)/util/ss/mk_cmds
-
-.ct.c:
-       $(MAKE_COMMANDS) $<
-
-##
-## end of pre.in
-############################################################
-thisconfigdir=./..
-myfulldir=util/db2/test
-mydir=test
-BUILDTOP=$(REL)..$(S)..$(S)..
-
-FCTSH = /usr/bin/sh
-TMPDIR=.
-
-LOCALINCLUDES= -I. -I$(srcdir)/../include -I../include -I$(srcdir)/../mpool \
-               -I$(srcdir)/../btree -I$(srcdir)/../hash -I$(srcdir)/../db
-
-PROG_LIBPATH=-L$(TOPLIBD)
-PROG_RPATH=$(KRB5_LIBDIR)
-
-KRB5_RUN_ENV= 
-
-all::
-
-dbtest: dbtest.o $(DB_DEPLIB)
-       $(CC_LINK) -o $@ dbtest.o $(STRERROR_OBJ) $(DB_LIB)
-
-check:: dbtest
-       $(KRB5_RUN_ENV) srcdir=$(srcdir) TMPDIR=$(TMPDIR) $(FCTSH) $(srcdir)/run.test
-
-bttest.o: $(srcdir)/btree.tests/main.c
-       $(CC) $(ALL_CFLAGS) -c $(srcdir)/btree.tests/main.c -o $@
-
-bttest: bttest.o $(DB_DEPLIB)
-       $(CC_LINK) -o $@ bttest.o $(STRERROR_OBJ) $(DB_LIB)
-
-clean-unix::
-       $(RM) dbtest.o dbtest __dbtest
-       $(RM) bttest.o bttest
-############################################################
-## config/post.in
-##
-
-# in case there is no default target (very unlikely)
-all::
-
-check-windows::
-
-##############################
-# dependency generation
-#
-
-depend:: depend-postrecurse
-depend-postrecurse: depend-recurse
-depend-recurse: depend-prerecurse
-
-depend-prerecurse:
-depend-postrecurse:
-
-depend-postrecurse: depend-update-makefile
-
-ALL_DEP_SRCS= $(SRCS) $(EXTRADEPSRCS)
-
-# be sure to check ALL_DEP_SRCS against *what it would be if SRCS and
-# EXTRADEPSRCS are both empty*
-.depend-verify-srcdir:
-       @if test "$(srcdir)" = "." ; then \
-               echo 1>&2 error: cannot build dependencies with srcdir=. ; \
-               echo 1>&2 "(can't distinguish generated files from source files)" ; \
-               exit 1 ; \
-       else \
-               if test -r .depend-verify-srcdir; then :; \
-                       else (set -x; touch .depend-verify-srcdir); fi \
-       fi
-.depend-verify-et: depend-verify-et-$(COM_ERR_VERSION)
-depend-verify-et-k5:
-       @if test -r .depend-verify-et; then :; \
-               else (set -x; touch .depend-verify-et); fi
-depend-verify-et-sys:
-       @echo 1>&2 error: cannot build dependencies using system et package
-       @exit 1
-.depend-verify-ss: depend-verify-ss-$(SS_VERSION)
-depend-verify-ss-k5:
-       @if test -r .depend-verify-ss; then :; \
-               else (set -x; touch .depend-verify-ss); fi
-depend-verify-ss-sys:
-       @echo 1>&2 error: cannot build dependencies using system ss package
-       @exit 1
-.depend-verify-db: depend-verify-db-$(DB_VERSION)
-depend-verify-db-k5:
-       @if test -r .depend-verify-db; then :; \
-               else (set -x; touch .depend-verify-db); fi
-depend-verify-db-sys:
-       @echo 1>&2 error: cannot build dependencies using system db package
-       @exit 1
-.depend-verify-gcc: depend-verify-gcc-yes
-depend-verify-gcc-yes:
-       @if test -r .depend-verify-gcc; then :; \
-               else (set -x; touch .depend-verify-gcc); fi
-depend-verify-gcc-no:
-       @echo 1>&2 error: The '"depend"' rules are written for gcc.
-       @echo 1>&2 Please use gcc, or update the rules to handle your compiler.
-       @exit 1
-
-DEP_CFG_VERIFY = .depend-verify-srcdir \
-       .depend-verify-et .depend-verify-ss .depend-verify-db
-DEP_VERIFY = $(DEP_CFG_VERIFY) .depend-verify-gcc
-
-.d: $(ALL_DEP_SRCS) $(DEP_CFG_VERIFY) depend-dependencies
-       if test "$(ALL_DEP_SRCS)" != " " ; then \
-               $(RM) .dtmp && $(MAKE) .dtmp && mv -f .dtmp .d ; \
-       else \
-               touch .d ; \
-       fi
-
-# These are dependencies of the depend target that do not get fed to
-# the compiler.  Examples include generated header files.
-depend-dependencies:
-
-# .dtmp must *always* be out of date so that $? can be used to perform
-# VPATH searches on the sources.
-#
-# NOTE: This will fail when using Make programs whose VPATH support is
-# broken.
-.dtmp: $(ALL_DEP_SRCS)
-       $(CC) -M $(ALL_CFLAGS) $? > .dtmp
-
-# Generate a script for dropping in the appropriate make variables, using
-# directory-specific parameters.  General substitutions independent of local
-# make variables happen in depfix.sed.
-.depfix2.sed: .depend-verify-gcc Makefile $(SRCTOP)/util/depgen.sed
-       x=`$(CC) -print-libgcc-file-name` ; \
-       echo '$(SRCTOP)' '$(myfulldir)' '$(srcdir)' '$(BUILDTOP)' "$$x" | sed -f $(SRCTOP)/util/depgen.sed > .depfix2.tmp
-       mv -f .depfix2.tmp .depfix2.sed
-
-DEPLIBOBJNAMEFIX = sed -e 's;^\$$(OUTPRE)\([a-zA-Z0-9_\-]*\)\.\$$(OBJEXT):;\1.so \1.po &;'
-
-# NOTE: This will also generate spurious $(OUTPRE) and $(OBJEXT)
-# references in rules for non-library objects in a directory where
-# library objects happen to be built.  It's mostly harmless.
-.depend: .d .depfix2.sed $(SRCTOP)/util/depfix.sed
-       sed -f .depfix2.sed < .d | sed -f $(SRCTOP)/util/depfix.sed | \
-       (if test "x$(STLIBOBJS)" != "x"; then $(DEPLIBOBJNAMEFIX) ; else cat; fi ) \
-       > .depend
-
-depend-update-makefile: .depend depend-recurse
-       if test -n "$(SRCS)" ; then \
-               sed -e '/^# +++ Dependency line eater +++/,$$d' \
-                       < $(srcdir)/Makefile.in | cat - .depend \
-                       > $(srcdir)/Makefile.in.new; \
-       $(SRCTOP)/config/move-if-changed $(srcdir)/Makefile.in.new $(srcdir)/Makefile.in ; \
-       else :; fi
-
-DEPTARGETS = .depend .d .dtmp .depfix2.sed .depfix2.tmp $(DEP_VERIFY)
-
-#
-# end dependency generation
-##############################
-
-clean:: clean-$(WHAT)
-
-clean-unix::
-       $(RM) $(OBJS) $(DEPTARGETS)
-
-clean-windows::
-       $(RM) *.$(OBJEXT)
-       $(RM) msvc.pdb *.err
-
-distclean:: distclean-$(WHAT)
-
-distclean-normal-clean:
-       $(MAKE) NORECURSE=true clean
-distclean-prerecurse: distclean-normal-clean
-distclean-nuke-configure-state:
-       $(RM) config.log config.cache config.status Makefile
-distclean-postrecurse: distclean-nuke-configure-state
-
-Makefiles-prerecurse: Makefile
-
-# thisconfigdir = relative path from this Makefile to config.status
-# mydir = relative path from config.status to this Makefile
-Makefile: $(srcdir)/Makefile.in $(thisconfigdir)/config.status \
-               $(SRCTOP)/config/pre.in $(SRCTOP)/config/post.in
-       cd $(thisconfigdir) && $(SHELL) config.status $(mydir)/Makefile
-$(thisconfigdir)/config.status: $(srcdir)/$(thisconfigdir)/configure
-       cd $(thisconfigdir) && $(SHELL) config.status --recheck
-$(srcdir)/$(thisconfigdir)/configure: $(srcdir)/$(thisconfigdir)/configure.in \
-               $(SRCTOP)/aclocal.m4
-       -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache
-       cd $(srcdir)/$(thisconfigdir) && \
-               $(AUTOCONF) ${AUTOCONFINCFLAGS}=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS)
-       -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache
-
-RECURSE_TARGETS=all-recurse clean-recurse distclean-recurse install-recurse \
-       check-recurse depend-recurse Makefiles-recurse install-headers-recurse
-
-# MY_SUBDIRS overrides any setting of SUBDIRS generated by the
-# configure script that generated this Makefile.  This is needed when
-# the configure script that produced this Makefile creates multiple
-# Makefiles in different directories; the setting of SUBDIRS will be
-# the same in each.
-#
-# LOCAL_SUBDIRS seems to account for the case where the configure
-# script doesn't call any other subsidiary configure scripts, but
-# generates multiple Makefiles.
-$(RECURSE_TARGETS):
-       @case "`echo 'x$(MFLAGS)'|sed -e 's/^x//' -e 's/ --.*$$//'`" \
-               in *[ik]*) e="status=1" ;; *) e="exit 1";; esac; \
-       if test -z "$(MY_SUBDIRS)" ; then \
-               do_subdirs="$(SUBDIRS)" ; \
-       else \
-               do_subdirs="$(MY_SUBDIRS)" ; \
-       fi; \
-       status=0; \
-       if test -n "$$do_subdirs" && test -z "$(NORECURSE)"; then \
-       for i in $$do_subdirs ; do \
-               if test -d $$i && test -r $$i/Makefile ; then \
-               case $$i in .);; *) \
-                       target=`echo $@|sed s/-recurse//`; \
-                       echo "making $$target in $(CURRENT_DIR)$$i..."; \
-                       if (cd $$i ; $(MAKE) \
-                           CURRENT_DIR=$(CURRENT_DIR)$$i/ $$target) then :; \
-                       else eval $$e; fi; \
-                       ;; \
-               esac; \
-               else \
-                       echo "Skipping missing directory $(CURRENT_DIR)$$i" ; \
-               fi; \
-       done; \
-       else :; \
-       fi;\
-       exit $$status
-
-##
-## end of post.in
-############################################################
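Review bot: This deleted file is configure output rather than source (note the baked-in host values `CC = /usr/gcc/bin/gcc`, `host=sparc-sun-solaris2.8` and `prefix=/usr/local`, and `myfulldir=util/db2/test`), so removing it from the tree is the right fix; to keep it from being re-added by a later commit from a built tree, make sure the generated `Makefile` in util/db2/test is covered by that directory's ignore list (.cvsignore or equivalent) and that Makefile.in remains the checked-in source.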
index c2462720394323f4a759318d5d2d7764fdddaf96..5ee6bc33135b10f3e4397feb82276615ead5e624 100644 (file)
@@ -51,6 +51,9 @@ if autoreconf --version | sed -e "$sedcmd1" -e "$sedcmd2" | egrep "$patb" >/dev/
 
        # Determine if we need to patch autoreconf for 2.53
        case "$autoconfversion" in
+         2.52)
+              echo "WARNING: autoconf 2.52 is known to generate buggy configure scripts!"
+              ;;
          2.53)
               echo "Patching autoreconf"
               # Walk the path to find autoreconf
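Review bot: The new `2.52)` branch only prints a warning and then continues with the autoconf it has just called buggy, whereas the sibling `2.53)` branch actually remediates ("Patching autoreconf"). If configure scripts generated by 2.52 are known to be broken, either fail here (`exit 1`) or extend the message to say what the user should do (upgrade to 2.53 or later), otherwise the warning scrolls past in a long reconf run and the bad configure script gets generated anyway.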
index 5fa15b833ba7ac44dadbcc0c9736f37a4eb70b9a..58771c06ca2adfe26fe7a0e3fa3a487b6b3f8cff 100644 (file)
@@ -1,3 +1,11 @@
+2003-04-11  Tom Yu  <tlyu@mit.edu>
+
+       * version.rc: krb5-1.3-alpha2.
+
+2003-03-14  Tom Yu  <tlyu@mit.edu>
+
+       * version.rc: krb5-1.3-alpha1.
+
 2002-04-10  Danilo Almeida  <dalmeida@mit.edu>
 
        * Makefile.in: Build ms2mit.
index 1b8ca9d9fbea1c80e1fdbad3d04f2b5cdf85340e..9580e0a62a55e265a8bf3ed2f18b38c35662cb1c 100644 (file)
@@ -8,7 +8,7 @@
 #define PRE_RELEASE
 
 #ifdef PRE_RELEASE
-#define BETA_STR  " beta"
+#define BETA_STR  " alpha 2"
 #define BETA_FLAG VS_FF_PRERELEASE
 #else
 #define BETA_STR  ""
@@ -23,7 +23,7 @@
 
 /* we're going to stamp all the DLLs with the same version number */
 
-#define K5_PRODUCT_VERSION_STRING "1.3 (TEST)" BETA_STR "\0"
+#define K5_PRODUCT_VERSION_STRING "1.3" BETA_STR "\0"
 #define K5_PRODUCT_VERSION        1, 3, 0, 0
 
 #define K5_COPYRIGHT "Copyright (C) 1997-2000 by the Massachusetts Institute of Technology\0"
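Review bot: Dropping the `(TEST)` marker from K5_PRODUCT_VERSION_STRING is fine, but the numeric `K5_PRODUCT_VERSION 1, 3, 0, 0` on the following context line is left unchanged between alpha 1 and alpha 2, so the binary FILEVERSION/PRODUCTVERSION resource cannot distinguish the two pre-release DLL sets; installers and side-by-side version comparisons key on the numeric fields, not the string. Consider bumping the fourth field for each pre-release. The `K5_COPYRIGHT` range `1997-2000` in the trailing context is also stale for a 2003 release.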