From f832e12377936b800833de400955e6ac8eba5c14 Mon Sep 17 00:00:00 2001 
From: no author Date: Sat, 12 Apr 2003 02:22:44 +0000 Subject: [PATCH] This commit was manufactured by cvs2svn to create tag 'krb5-1-3-alpha2'. git-svn-id: svn://anonsvn.mit.edu/krb5/tags/krb5-1-3-alpha2@15347 dc483132-0cff-0310-8789-dd5450dbe970 --- README | 83 ++- doc/ChangeLog | 5 + doc/krb4-xrealm.txt | 143 ++++ src/ChangeLog | 27 + src/aclocal.m4 | 25 + src/appl/bsd/ChangeLog | 5 + src/appl/bsd/krshd.c | 6 +- src/appl/telnet/libtelnet/ChangeLog | 20 + src/appl/telnet/libtelnet/Makefile.in | 22 +- src/appl/telnet/libtelnet/configure.in | 5 +- src/appl/telnet/libtelnet/kerberos.c | 9 +- src/appl/telnet/libtelnet/kerberos5.c | 17 +- src/clients/ksu/ChangeLog | 7 + src/clients/ksu/heuristic.c | 2 +- src/clients/ksu/krb_auth_su.c | 4 +- src/config/ChangeLog | 7 + src/config/pre.in | 5 +- src/include/ChangeLog | 23 + src/include/configure.in | 3 + src/include/fake-addrinfo.h | 75 +- src/kdc/ChangeLog | 32 + src/kdc/do_tgs_req.c | 2 +- src/kdc/kdc_preauth.c | 20 +- src/kdc/kdc_util.c | 6 +- src/kdc/kdc_util.h | 1 + src/kdc/kerberos_v4.c | 129 ++-- src/kdc/main.c | 9 +- src/krb5-config.in | 5 +- src/krb524/ChangeLog | 13 + src/krb524/cnv_tkt_skey.c | 20 +- src/krb524/krb524d.c | 38 +- src/lib/gssapi/krb5/ChangeLog | 11 + src/lib/gssapi/krb5/accept_sec_context.c | 1 + src/lib/gssapi/krb5/gssapiP_krb5.h | 2 +- src/lib/gssapi/krb5/init_sec_context.c | 1 + src/lib/kadm5/srv/ChangeLog | 6 + src/lib/kadm5/srv/Makefile.in | 8 +- src/lib/kdb/ChangeLog | 23 + src/lib/kdb/Makefile.in | 15 +- src/lib/kdb/keytab.c | 49 +- src/lib/krb5/keytab/ChangeLog | 7 + src/lib/krb5/keytab/kt_file.c | 10 +- src/lib/krb5/krb/ChangeLog | 19 + src/lib/krb5/krb/gc_frm_kdc.c | 4 +- src/lib/krb5/krb/parse.c | 9 +- src/lib/krb5/krb/rd_req.c | 4 +- src/lib/krb5/krb/srv_rcache.c | 3 + src/lib/krb5/krb/unparse.c | 3 +- src/lib/rpc/ChangeLog | 6 + src/lib/rpc/xdr_mem.c | 21 +- src/mac/MacOSX/Headers/Kerberos5Prefix.h | 4 +- .../Projects/Kerberos5.pbproj/project.pbxproj | 29 +- 
.../MacOSX/Scripts/Kerberos5ServerBuild.jam | 11 + src/tests/dejagnu/config/ChangeLog | 6 + src/tests/dejagnu/config/default.exp | 100 +-- src/tests/dejagnu/krb-standalone/ChangeLog | 9 + src/tests/dejagnu/krb-standalone/v4gssftp.exp | 4 + .../dejagnu/krb-standalone/v4krb524d.exp | 4 + .../dejagnu/krb-standalone/v4standalone.exp | 5 + src/util/ChangeLog | 6 + src/util/db2/ChangeLog | 5 + src/util/db2/Makefile.in | 1 - src/util/db2/test/Makefile | 652 ------------------ src/util/reconf | 3 + src/windows/ChangeLog | 8 + src/windows/version.rc | 4 +- 66 files changed, 864 insertions(+), 957 deletions(-) create mode 100644 doc/krb4-xrealm.txt delete mode 100644 src/util/db2/test/Makefile diff --git a/README b/README index e161fcd70..a98ced94a 100644 --- a/README +++ b/README 
@@ -6,36 +6,21 @@ Unpacking the Source Distribution --------------------------------- -The source distribution of Kerberos 5 comes in three gzipped tarfiles, -krb5-1.3.src.tar.gz, krb5-1.3.doc.tar.gz, and krb5-1.3.crypto.tar.gz. -The krb5-1.3.doc.tar.gz contains the doc/ directory and this README -file. The krb5-1.3.src.tar.gz contains the src/ directory and this -README file, except for the crypto library sources, which are in -krb5-1.3.crypto.tar.gz. - -Instruction on how to extract the entire distribution follow. These -directions assume that you want to extract into a directory called -DIST. +The source distribution of Kerberos 5 comes in a gzipped tarfile, +krb5-1.3.tar.gz. Instructions on how to extract the entire +distribution follow. If you have the GNU tar program and gzip installed, you can simply do: - mkdir DIST - cd DIST - gtar zxpf krb5-1.3.src.tar.gz - gtar zxpf krb5-1.3.crypto.tar.gz - gtar zxpf krb5-1.3.doc.tar.gz + gtar zxpf krb5-1.3.tar.gz If you don't have GNU tar, you will need to get the FSF gzip distribution and use gzcat: - mkdir DIST - cd DIST - gzcat krb5-1.3.src.tar.gz | tar xpf - - gzcat krb5-1.3.crypto.tar.gz | tar xpf - - gzcat krb5-1.3.doc.tar.gz | tar xpf - + gzcat krb5-1.3.tar.gz | tar xpf - -Both of these methods will extract the sources into DIST/krb5-1.3/src -and the documentation into DIST/krb5-1.3/doc. +Both of these methods will extract the sources into krb5-1.3/src and +the documentation into krb5-1.3/doc. Building and Installing Kerberos 5 ---------------------------------- 
@@ -138,6 +123,18 @@ Major changes listed by ticket ID * [1189, 1251] The KfM krb4 library source base has been merged. +* [1385, 1395, 1410] The krb4 protocol vulnerabilities + [MITKRB5-SA-2003-004] have been worked around. Note that this will + disable krb4 cross-realm functionality, as well as krb4 triple-DES + functionality. Please see doc/krb4-xrealm.txt for details of the + patch. + +* [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have + been fixed. + +* [1397] The krb5_principal buffer bounds problems + [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai. + Minor changes listed by ticket ID --------------------------------- @@ -172,6 +169,11 @@ Minor changes listed by ticket ID * [771] .rconf files are excluded from the release now. +* [772] LOG_AUTHPRIV syslog facility is now usable for logging on + systems that support it. + +* [844] krshd now syslogs using the LOG_AUTH facility. + * [850] Berekely DB build is better integrated into the krb5 library build process. @@ -189,6 +191,8 @@ Minor changes listed by ticket ID * [953] des3 no longer failing on Windows due to SHA1 implementation problems. +* [970] A minor inconsistency in ccache.tex has been fixed. + * [971] option parsing bugs rendered irrelevant by removal of unused gss mechanism. @@ -211,6 +215,9 @@ Minor changes listed by ticket ID host having a large number of local network interfaces should be fixed now. +* [1064] krb5_auth_con_genaddrs() no longer inappropriately returns -1 + on some error cases. + * [1065, 1225] krb5_get_init_creds_password() should properly warn about password expiration. 
@@ -287,30 +294,46 @@ Minor changes listed by ticket ID * [1311] Output from krb5-config no longer contains spurious uses of $(PURE). +* [1324] The KDC no longer logs an inappropriate "no matching key" + error when an encrypted timestamp preauth password is incorrect. + +* [1342] gawk is no longer required for building kerbsrc.zip for the + Windows build. + * [1346] gss_krb5_ccache_name() no longer attempts to return a pointer to freed memory. +* [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately + during GSSAPI context establishment. + * [1356] krb5_gss_accept_sec_context() no longer attempts to validate a null credential if one is passed in. +* [1362] The "-a user" option to telnetd now does the right thing. + Thanks to Nathan Neulinger. + +* [1363] ksu no longer inappropriately syslogs to stderr. + * [1357] krb__get_srvtab_name() no longer leaks memory. * [1373] Handling of SAM preauth no longer attempts to stuff a size_t into an unsigned int. -[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ] - -* [1054] KRB-CRED messages for RC4 are encrypted now. +* [1387] BIND versions later than 8 now supported. -* [1177] krb5-1-2-2-branch merged onto trunk. +* [1392] The getaddrinfo() wrapper should work better on AIX. -* [1193] Punted comment about reworking key storage architecture. +* [1400] If DO_TIME is not set in the auth_context, and no replay + cache is available, no replay cache will be used. -* [1208] install-headers target implemented. +* [1406] libdb is no longer installed. If you installed + krb5-1.3-alpha1, you should ensure that no spurious libdb is left in + your install tree. -* [1223] asn1_decode_oid, asn1_encode_oid implemented +* [1412] ETYPE_INFO handling no longer goes into an infinite loop. -* [1276] Generated dependencies handle --without-krb4 properly now. +* [1414] libtelnet is now built using the same library build framework + as the rest of the tree. 
Copyright Notice and Legal Administrivia ---------------------------------------- diff --git a/doc/ChangeLog b/doc/ChangeLog index 709c55980..53d95b2aa 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,8 @@ +2003-04-08 Tom Yu + + * krb4-xrealm.txt: New file. Describe the krb4 cross-realm + patchkit. Copied from 2003-004-krb4_patchkit. + 2003-02-04 Sam Hartman * krb425.texinfo (Upgrading KDCs): Note that -4 needs to be specified diff --git a/doc/krb4-xrealm.txt b/doc/krb4-xrealm.txt new file mode 100644 index 000000000..f8c4566e5 --- /dev/null +++ b/doc/krb4-xrealm.txt 
@@ -0,0 +1,143 @@ +The following text was taken from the patchkit disabling cross-realm +authentication and triple-DES in krb4. + +PATCH KIT DESCRIPTION +===================== + +** FLAG DAY REQUIRED ** + +One of the things we decided to do (and must do for security reasons) +was drop support for the 3DES krb4 TGTs. Unfortunately the current +code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new +code issues only DES TGTs, the old code will not understand its v4 +TGTs if the site has a 3DES key available for the krbtgt principal. +The new code will understand and accept both DES and 3DES v4 TGTs. + +So, the easiest upgrade option is to deploy the code on all KDCs at +once, being sure to deploy it on the master KDC last. Under this +scenario, a brief window exists where slaves may be able to issue +tickets that the master will not understand. However, the slaves will +understand tickets issued by the master throughout the upgrade. + +An alternate and more annoying upgrade strategy exists. At least one +max TGT life time before the upgrade, the TGT key can be changed to be +a single-des key. Since we support adding a new TGT key while +preserving the old one, this does not create an interruption in +service. Since no 3DES key is available then both the old and new +code will issue and accept DES v4 TGTs. After the upgrade, the TGT +key can again be rekeyed to add 3DES keys. This does require two TGT +key changes and creates a window where DES is used for the v5 TGT, but +creates no window in which slaves will issue TGTs the master cannot +accept. + +* What the patch does +===================== + +1) Kerberos 4 cross-realm authentication is disabled by default. A + "-X" switch is added to both krb524d and krb5kdc to enable v4 + cross-realm. This switch logs a note that a security hole has been + opened in the KDC log. 
We said while designing the patch, that we + were going to try to allow per-realm configuration; because of a + design problem in the kadm5 library, we could not do this without + bumping the ABI version of that library. We are unwilling to bump + an ABI version in a security patch release to get that feature, so + the configuration of v4 cross-realm is a global switch. + +2) Code responsible for v5 TGTs has been changed to require that the + enctype of the ticket service key be the same as the enctype that + would currently be issued for that kvno. This means that even if a + service has multiple keys, you cannot use a weak key to fake the + KDC into accepting tickets for that service. If you have a non-DES + TGT key, this separates keys used for v4 and v5. We actually relax + this requirement for cross-realm TGT keys (which in the new code + are only used for v5) because we cannot guarantee other Kerberos + implementations will choose keys the same way. + +3) We no longer issue 3DES v4 tickets either in the KDC or krb524d. + We add code to accept either DES or 3DES tickets for v4. None of + the attacks discovered so far can be implemented given a KDC that + accepts but does not issue 3DES tickets, so we believe that leaving + this functionality in as compatibility for a version or two is + reasonable. Note however that the attacks described do allow + successful attackers to print future tickets, so sites probably + want to rekey important keys after installing this update. Note + also that even if issuance of 3DES v4 tickets has been disabled, + outstanding tickets may be used to perform the 3DES cut-and-paste + attack. + +* Test Cases +============ + +This code is difficult to test for two reasons. First, you need a +cross-realm relationship between two KDCs. Secondly, you need a KDC +that will issue 3DES v4 tickets even though the code with the patch +applied can no longer do this. 
+ +I propose to meet these requirements by setting up a cross-realm 3DES +key between a realm I control and the test environment. In order to +provide concrete examples of what I plan to test with the automated +tests, I assume a shared key between a realm PREPATCH.KRBTEST.COM and the +test realm PATCH. + +In all of the following tests I assume the following configuration. +A principal v4test@PREPATCH.KRBTEST.COM exists with known password and +without requiring preauthentication. The PREPATCH.KRBTEST.COM KDC will +issue v4 tickets for this principal. A principal test@PATCH exists +with known password and without requiring preauthentication. A +principal service@PATCH exists. The TGT for the PATCH realm has a +3des and des key. The shared TGT keys between PATCH and +PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and +support both 3DES and DES keys. + +1) Run krb524d and krb5kdc for PATCH with no special options using a + krb5.conf without permitted_enctypes (fully permissive). + + +A) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4 +service@PATCH fails with an unknown principal error and logs an error +about cross-realm being denied to the PATCH KDC log. This confirms +that v4 cross-realm is not accepted. + +B) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init +-p service@PATCH fails with a prohibited by policy error, but that +klist -5 includes a ticket for service@PATCH. This confirms that v5 +cross-realm works but the krb524d denies converting such a ticket into +a cross-realm ticket. Note that the krb524init currently in the +mainline source tree will not be useful for this test because the +client denies cross-realm for the simple reason that the v4 ticket +file format is not flexible enough to support it. The krb524init in +the 1.2.x release is useful for this test. + + +2) Restart the krb5kdc and krb524d for PATCH with the -X option + enabling v4 cross-realm. 
+ +A) Confirm that the security warning is written to kdc.log. + +B) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4 +service@PATCH works and leaves a service@PATCH ticket in the cache. +This confirms that v4 cross-realm works in the KDC. It also confirms +that the KDC can accept 3DES v4 TGTs. The code path for decrypting a +TGT is the same for the local realm and for foreign realms, so I don't +see a need to test local 3DES TGTs in an automated manner although I +did test it manually. + +C) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init +-p service@PATCH works. This confirms that krb524d will issue +cross-realm tickets. They're completely useless because the v4 ticket +file can't represent them, but that's not our problem today. + +3) Start the kdc and krb524d with a krb5.conf that includes + permitted_enctypes only listing des-cbc-crc. Get tickets as + test@PATCH. Restart the KDC and confirm that kvno service fails + logging an error about permitted enctypes. This confirms that if + you manage to obtain a ticket of the wrong enctype it will not be + accepted later. + +These tests do not check to make sure that 3DES tickets are not +issued by the v4 code. I'm fairly certain that is true as I've +physically remove the calls to the routine that generates 3DES tickets +from the code in both the KDC and krb524d. These tests also do not +check to make sure that cross-realm TGTs are not required to follow +the strict enctype policy. I've tested that manually but don't know +how to test that without significantly complicating the test setup. diff --git a/src/ChangeLog b/src/ChangeLog index 6f18978f5..0512f15e2 100644 --- a/src/ChangeLog +++ b/src/ChangeLog 
@@ -1,3 +1,30 @@ +2003-04-10 Tom Yu + + * aclocal.m4: Revert requrement of autoconf-2.53, since MacOS X + doesn't have it. + +2003-04-01 Tom Yu + + * aclocal.m4 (KRB5_AC_CHOOSE_DB): Set new variable KDB5_DB_LIB to + empty if using in-tree db. It is now used to pass -ldb to link + commands, if needed, when linking programs with libkdb5. DB_LIB + is now only used for programs that explicitly need the actual + libdb independently of libkdb5. + + * krb5-config.in: Use $KDB5_DB_LIB instead of "-ldb" for kdb + libraries. + +2003-03-31 Tom Yu + + * aclocal.m4: Require autoconf-2.53, since 2.52 generates + configure scripts that NetBSD /bin/sh doesn't like. + +2003-03-18 Alexandra Ellwood + + * aclocal.m4: Define KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9 + and higher. When bind 9 is present, BIND_8_COMPAT needs to be defined to + get bind 8 types. + 2003-03-12 Tom Yu * Makefile.in (AWK): Default to awk, not gawk. User can override diff --git a/src/aclocal.m4 b/src/aclocal.m4 index 3a0895f71..e36a3fd85 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 
@@ -1506,16 +1506,41 @@ if test "x$with_system_db" = xyes ; then else DB_HEADER_VERSION=redirect fi + KDB5_DB_LIB="$DB_LIB" else DB_VERSION=k5 AC_DEFINE(HAVE_BT_RSEQ,1,[Define if bt_rseq is available, for recursive btree traversal.]) DB_HEADER=db.h DB_HEADER_VERSION=k5 + # libdb gets sucked into libkdb + KDB5_DB_LIB= + # needed for a couple of things that need libdb for its own sake DB_LIB=-ldb fi AC_SUBST(DB_VERSION) AC_SUBST(DB_HEADER) AC_SUBST(DB_HEADER_VERSION) AC_SUBST(DB_LIB) +AC_SUBST(KDB5_DB_LIB) +]) +dnl +dnl +dnl KRB5_AC_NEED_BIND_8_COMPAT --- check to see if we are on a bind 9 system +dnl +dnl +AC_DEFUN(KRB5_AC_NEED_BIND_8_COMPAT,[ +AC_REQUIRE([AC_PROG_CC])dnl +dnl +dnl On a bind 9 system, we need to define BIND_8_COMPAT +dnl +AC_MSG_CHECKING(for bind 9 or higher) +AC_CACHE_VAL(krb5_cv_need_bind_8_compat,[ +AC_TRY_COMPILE([#include ], [HEADER hdr;], +krb5_cv_need_bind_8_compat=no, +[AC_TRY_COMPILE([#define BIND_8_COMPAT +#include ], [HEADER hdr;], +krb5_cv_need_bind_8_compat=yes, krb5_cv_need_bind_8_compat=no)])]) +AC_MSG_RESULT($krb5_cv_need_bind_8_compat) +test $krb5_cv_need_bind_8_compat = yes && AC_DEFINE(BIND_8_COMPAT,1,[Define if OS has bind 9]) ]) dnl diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index 303400170..00f96ebe6 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,3 +1,8 @@ +2003-04-08 Ken Raeburn + + * krshd.c (main): Use LOG_AUTH syslog facility, not LOG_DAEMON, + for consistency with krlogind.c. + 2003-03-04 Ken Raeburn * compat_recv.c: Only include krb.h if KRB5_KRB4_COMPAT. diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 2a67b7613..adad7ea2f 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c 
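Review bot: Both `AC_TRY_COMPILE` probes in the new KRB5_AC_NEED_BIND_8_COMPAT macro show a bare `#include` with no header name; if the file really reads that way rather than this being an artefact of how the page was rendered, neither test program compiles, the cache value is always `no`, and BIND_8_COMPAT is never defined. The header that declares `HEADER` (presumably `<arpa/nameser.h>`) should be spelled out in both probes, e.g. `AC_TRY_COMPILE([#include <PLACEHOLDER_HEADER>], [HEADER hdr;], …)`. A one-line `dnl` comment above the probe naming why the second compile adds `#define BIND_8_COMPAT` would also help the next person who touches this.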
@@ -303,10 +303,10 @@ int main(argc, argv) #ifndef LOG_ODELAY /* 4.2 syslog */ openlog(progname, LOG_PID); #else -#ifndef LOG_DAEMON -#define LOG_DAEMON 0 +#ifndef LOG_AUTH +#define LOG_AUTH 0 #endif - openlog(progname, LOG_PID | LOG_ODELAY, LOG_DAEMON); + openlog(progname, LOG_PID | LOG_ODELAY, LOG_AUTH); #endif /* 4.2 syslog */ #ifdef KERBEROS diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog index 899927446..ea46e4fb8 100644 --- a/src/appl/telnet/libtelnet/ChangeLog +++ b/src/appl/telnet/libtelnet/ChangeLog @@ -1,3 +1,23 @@ +2003-04-10 Tom Yu + + * Makefile.in: Use library build framework. + + * configure.in: Add support for library build framework. Remove + old explicit checks for ranlib, etc. + +2003-04-09 Tom Yu + + * kerberos.c (kerberos4_status): Always copy in username if + present. Patch from Nathan Neulinger to make "-a user" work. + + * kerberos5.c (kerberos5_status): Always copy in username if + present. Patch from Nathan Neulinger to make "-a user" work. + +2003-04-01 Nalin Dahyabhai + + * kerberos5.c (kerberos5_is): Check principal name length before + examining components. + 2003-01-07 Ken Raeburn * Makefile.orig: Deleted. diff --git a/src/appl/telnet/libtelnet/Makefile.in b/src/appl/telnet/libtelnet/Makefile.in index 93986e005..cad5d5f54 100644 --- a/src/appl/telnet/libtelnet/Makefile.in +++ b/src/appl/telnet/libtelnet/Makefile.in @@ -32,7 +32,12 @@ LIBOBJS=@LIBOBJS@ SETENVSRC=@SETENVSRC@ SETENVOBJ=@SETENVOBJ@ -LIB= libtelnet.a +LIB=telnet +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../../../appl/telnet/libtelnet +STOBJLISTS=OBJS.ST + SRCS= $(srcdir)/auth.c \ $(srcdir)/encrypt.c \ $(srcdir)/genget.c \ 
@@ -52,20 +57,15 @@ SRCS= $(srcdir)/auth.c \ $(srcdir)/strftime.c \ $(srcdir)/strerror.c -OBJS= auth.o encrypt.o genget.o \ +STLIBOBJS= auth.o encrypt.o genget.o \ misc.o kerberos.o kerberos5.o forward.o spx.o enc_des.o \ $(LIBOBJS) getent.o $(SETENVOBJ) TELNET_H= $(srcdir)/../arpa/telnet.h -all:: $(LIB) -$(LIB): $(OBJS) - $(RM) $(LIB) - $(ARADD) $@ $(OBJS) - $(RANLIB) $@ +all:: all-libs -clean:: - $(RM) $(LIB) +clean:: clean-libs clean-libobjs auth.o: $(TELNET_H) auth.o: encrypt.h @@ -88,6 +88,10 @@ enc_des.o: encrypt.h enc_des.o: key-proto.h enc_des.o: misc-proto.h install:: + +# @lib_frag@ +# @libobj_frag@ + # +++ Dependency line eater +++ # # Makefile dependencies follow. This must be the last section in diff --git a/src/appl/telnet/libtelnet/configure.in b/src/appl/telnet/libtelnet/configure.in index 8f2434eaa..8767cd7d0 100644 --- a/src/appl/telnet/libtelnet/configure.in +++ b/src/appl/telnet/libtelnet/configure.in @@ -1,8 +1,5 @@ AC_INIT(auth.c) CONFIG_RULES -AC_PROG_ARCHIVE -AC_PROG_ARCHIVE_ADD -AC_PROG_RANLIB AC_REPLACE_FUNCS([strcasecmp strdup setsid strerror strftime getopt herror parsetos]) AC_CHECK_FUNCS(setenv unsetenv getenv gettosbyname cgetent) AC_CHECK_HEADERS(stdlib.h string.h unistd.h) @@ -23,4 +20,6 @@ else AC_MSG_RESULT(Kerberos 4 authentication enabled) AC_DEFINE(KRB4) fi +KRB5_BUILD_LIBRARY_STATIC +KRB5_BUILD_LIBOBJS V5_AC_OUTPUT_MAKEFILE diff --git a/src/appl/telnet/libtelnet/kerberos.c b/src/appl/telnet/libtelnet/kerberos.c index 56a073191..8d4c7f330 100644 --- a/src/appl/telnet/libtelnet/kerberos.c +++ b/src/appl/telnet/libtelnet/kerberos.c 
@@ -612,10 +612,17 @@ kerberos4_status(ap, kname, level) if (level < AUTH_USER) return(level); - if (UserNameRequested && !kuserok(&adat, UserNameRequested)) { + /* + * Always copy in UserNameRequested if the authentication + * is valid, because the higher level routines need it. + */ + if (UserNameRequested) { /* the name buffer comes from telnetd/telnetd{-ktd}.c */ strncpy(kname, UserNameRequested, 255); name[255] = '\0'; + } + + if (UserNameRequested && !kuserok(&adat, UserNameRequested)) { return(AUTH_VALID); } else return(AUTH_USER); diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c index 3a1c8f24e..59982d3bf 100644 --- a/src/appl/telnet/libtelnet/kerberos5.c +++ b/src/appl/telnet/libtelnet/kerberos5.c @@ -446,6 +446,10 @@ kerberos5_is(ap, data, cnt) * first component of a service name especially since * the default is of length 4. */ + if (krb5_princ_size(telnet_context,ticket->server) < 1) { + (void) strcpy(errbuf, "malformed service name"); + goto errout; + } if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) { char princ[256]; strncpy(princ, @@ -727,13 +731,20 @@ kerberos5_status(ap, name, level) if (level < AUTH_USER) return(level); + /* + * Always copy in UserNameRequested if the authentication + * is valid, because the higher level routines need it. + * the name buffer comes from telnetd/telnetd{-ktd}.c + */ + if (UserNameRequested) { + strncpy(name, UserNameRequested, 255); + name[255] = '\0'; + } + if (UserNameRequested && krb5_kuserok(telnet_context, ticket->enc_part2->client, UserNameRequested)) { - /* the name buffer comes from telnetd/telnetd{-ktd}.c */ - strncpy(name, UserNameRequested, 255); - name[255] = '\0'; return(AUTH_VALID); } else return(AUTH_USER); diff --git a/src/clients/ksu/ChangeLog b/src/clients/ksu/ChangeLog index 44415a033..17a1dffe8 100644 --- a/src/clients/ksu/ChangeLog +++ b/src/clients/ksu/ChangeLog 
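Review bot: In the new `if (UserNameRequested)` block the copy targets the `kname` parameter named in the hunk header, `strncpy(kname, UserNameRequested, 255);`, but the terminator is written to a different object, `name[255] = '\0';`, so `kname` is left unterminated when UserNameRequested is 255 bytes or longer and the store lands in whatever `name` is (declared outside the hunk; the kerberos5.c counterpart in this same commit uses `name` for both lines). The line predates this commit, but moving it into a block that now runs for every authenticated request with a requested username makes it worth fixing here: `kname[255] = '\0';`. kerberos4_status's body continues outside the hunk.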
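Review bot: kerberos5_status now fills the caller's `name` buffer before `krb5_kuserok` has decided anything, so the buffer is populated on the `AUTH_USER` path too; the hunk comment says why, but it does not say what callers may conclude from it. I would extend the comment with `* Callers must key on the AUTH_VALID return value, not on name being non-empty: the name is copied even when the user is not authorized.` so nobody later treats a filled-in name as an authorization result. The same applies to the kerberos4_status change in kerberos.c above. The rest of kerberos5_status is outside the hunk.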
@@ -1,3 +1,10 @@ +2003-04-01 Nalin Dahyabhai + + * heuristic.c (get_closest_principal): Don't try to examine + principal name components after the last. + * krb_auth_su.c (get_best_principal): Check principal name length + before examining components. + 2002-12-23 Ezra Peisach * authorization.c, heuristic.c, ksu.h: Use uid_t instead of int in diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c index c79f94369..85b94b5e2 100644 --- a/src/clients/ksu/heuristic.c +++ b/src/clients/ksu/heuristic.c @@ -364,7 +364,7 @@ krb5_error_code get_closest_principal(context, plist, client, found) krb5_data *p2 = krb5_princ_component(context, temp_client, j); - if ((p1->length != p2->length) || + if (!p1 || !p2 || (p1->length != p2->length) || memcmp(p1->data,p2->data,p1->length)){ got_one = FALSE; break; diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c index 6e76149c1..8e1834240 100644 --- a/src/clients/ksu/krb_auth_su.c +++ b/src/clients/ksu/krb_auth_su.c @@ -547,7 +547,9 @@ krb5_error_code get_best_principal(context, plist, client) krb5_princ_realm(context, temp_client)->length))){ - if(nelem){ + if (nelem && + krb5_princ_size(context, *client) > 0 && + krb5_princ_size(context, temp_client) > 0) { krb5_data *p1 = krb5_princ_component(context, *client, 0); krb5_data *p2 = diff --git a/src/config/ChangeLog b/src/config/ChangeLog index 7a0623513..21bc14adc 100644 --- a/src/config/ChangeLog +++ b/src/config/ChangeLog @@ -1,3 +1,10 @@ +2003-04-01 Tom Yu + + * pre.in (KDB5_DEPLIBS): Don't depend on $(DB_DEPLIB) anymore. + (KDB5_DB_LIB): New variable; is empty if not building with system + libdb. + (KDB5_LIBS): Use $(KDB5_DB_LIB) instead of $(DB_LIB). + 2003-03-03 Tom Yu * libobj.in: Change .c.so and .c.po rules to use ALL_CFLAGS. diff --git a/src/config/pre.in b/src/config/pre.in index c36b4ee8b..b3bdec715 100644 --- a/src/config/pre.in +++ b/src/config/pre.in 
@@ -296,7 +296,7 @@ PTY_DEPLIB = $(TOPLIBD)/libpty.a KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB) KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS) -KDB5_DEPLIBS = $(KDB5_DEPLIB) $(DB_DEPLIB) +KDB5_DEPLIBS = $(KDB5_DEPLIB) GSS_DEPLIBS = $(GSS_DEPLIB) GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS) KADM_COMM_DEPLIBS = $(GSSRPC_DEPLIBS) $(KDB5_DEPLIBS) $(GSSRPC_DEPLIBS) @@ -338,6 +338,7 @@ SS_LIB-sys = @SS_LIB@ SS_LIB-k5 = $(TOPLIBD)/libss.a KDB5_LIB = -lkdb5 DB_LIB = @DB_LIB@ +KDB5_DB_LIB = @KDB5_DB_LIB@ KRB5_LIB = -lkrb5 K5CRYPTO_LIB = -lk5crypto @@ -361,7 +362,7 @@ HESIOD_LIBS = @HESIOD_LIBS@ KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(GEN_LIB) $(LIBS) KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) -KDB5_LIBS = $(KDB5_LIB) $(DB_LIB) +KDB5_LIBS = $(KDB5_LIB) $(KDB5_DB_LIB) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! GSSRPC_LIBS = -lgssrpc $(GSS_LIBS) diff --git a/src/include/ChangeLog b/src/include/ChangeLog index a8e7726f5..fea9e3ee1 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog 
@@ -1,3 +1,26 @@ +2003-04-07 Ken Raeburn + + * fake-addrinfo.h (getaddrinfo) [NUMERIC_SERVICE_BROKEN]: + Overwrite the port number only if a numeric service port was + supplied. + +2003-04-01 Ken Raeburn + + * fake-addrinfo.h (COPY_FIRST_CANONNAME) [_AIX]: Define. + (GET_HOST_BY_NAME) [_AIX]: New version for AIX version of + gethostbyname_r. + (getaddrinfo) [NUMERIC_SERVICE_BROKEN]: Use "discard" as a dummy + service name instead of none at all. Don't check for unsigned + value less than zero. + (getaddrinfo) [COPY_FIRST_CANONNAME]: Set any ai_canonname fields + other than the first one to null. + +2003-03-18 Alexandra Ellwood + + * configure.in: Use KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9 + and higher. When bind 9 is present, BIND_8_COMPAT needs to be + defined to get bind 8 types. + 2003-03-06 Alexandra Ellwood * krb5.h: Removed enumsalwaysint because there are no typed diff --git a/src/include/configure.in b/src/include/configure.in index 7287f153e..71b47ff3d 100644 --- a/src/include/configure.in +++ b/src/include/configure.in @@ -181,6 +181,9 @@ if test $krb5_cv_has_type_socklen_t = yes; then fi dnl dnl +KRB5_AC_NEED_BIND_8_COMPAT +dnl +dnl AC_ARG_ENABLE([athena], [ --enable-athena build with MIT Project Athena configuration], AC_DEFINE(KRB5_ATHENA_COMPAT,1,[Define if MIT Project Athena default configuration should be used]),) diff --git a/src/include/fake-addrinfo.h b/src/include/fake-addrinfo.h index d32802a77..b019c3823 100644 --- a/src/include/fake-addrinfo.h +++ b/src/include/fake-addrinfo.h @@ -91,6 +91,7 @@ #include "socket-utils.h" #ifdef S_SPLINT_S +/*@-incondefs@*/ extern int getaddrinfo (/*@in@*/ /*@null@*/ const char *, /*@in@*/ /*@null@*/ const char *, 
@@ -108,8 +109,8 @@ getnameinfo (const struct sockaddr *addr, socklen_t addrsz, /*@requires (maxSet(h)+1) >= hsz /\ (maxSet(s)+1) >= ssz @*/ /* too hard: maxRead(addr) >= (addrsz-1) */ /*@modifies *h, *s@*/; -extern /*@dependent@*/ char * -gai_strerror (int code) /*@*/; +extern /*@dependent@*/ char *gai_strerror (int code) /*@*/; +/*@=incondefs@*/ #endif @@ -125,6 +126,7 @@ gai_strerror (int code) /*@*/; #ifdef _AIX # define NUMERIC_SERVICE_BROKEN +# define COPY_FIRST_CANONNAME #endif @@ -152,6 +154,29 @@ gai_strerror (int code) /*@*/; #define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \ { (HP) = gethostbyaddr ((ADDR), (ADDRLEN), (FAMILY)); (ERR) = h_errno; } #else +#ifdef _AIX /* XXX should have a feature test! */ +#define GET_HOST_BY_NAME(NAME, HP, ERR) \ + { \ + struct hostent my_h_ent; \ + struct hostent_data my_h_ent_data; \ + (HP) = (gethostbyname_r((NAME), &my_h_ent, &my_h_ent_data) \ + ? 0 \ + : &my_h_ent); \ + (ERR) = h_errno; \ + } +/* +#define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \ + { \ + struct hostent my_h_ent; \ + struct hostent_data my_h_ent_data; \ + (HP) = (gethostbyaddr_r((ADDR), (ADDRLEN), (FAMILY), &my_h_ent, \ + &my_h_ent_data) \ + ? 0 \ + : &my_h_ent); \ + (ERR) = my_h_err; \ + } +*/ +#else #ifdef GETHOSTBYNAME_R_RETURNS_INT #define GET_HOST_BY_NAME(NAME, HP, ERR) \ { \ @@ -196,7 +221,8 @@ gai_strerror (int code) /*@*/; my_h_buf, sizeof (my_h_buf), &my_h_err); \ (ERR) = my_h_err; \ } -#endif +#endif /* returns int? */ +#endif /* _AIX */ #endif /* Now do the same for getservby* functions. */ 
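Review bot: The new `_AIX` GET_HOST_BY_NAME stores `&my_h_ent` into `(HP)`, but `my_h_ent` and `my_h_ent_data` are automatic variables of the macro's own `{ … }` block, so the pointer handed back is dangling as soon as the block closes; whether a caller reads through it afterwards is outside this hunk, and the existing GETHOSTBYNAME_R_RETURNS_INT variant at the end of the hunk appears to have the same shape (`my_h_buf`, `&my_h_err`), so this may be an inherited pattern rather than a new one. If the expansion sites do use HP after the macro, the hostent and its data need to live in the caller's scope instead. Two smaller points: the commented-out AIX GET_HOST_BY_ADDR reads `my_h_err`, which it never declares, so it will not compile if re-enabled; and since the `_AIX` branch defines no GET_HOST_BY_ADDR at all, AIX builds depend on a definition coming from somewhere else — a comment such as `/* GET_HOST_BY_ADDR for AIX: provided elsewhere? -- verify before enabling the block above */` would record that.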
@@ -898,19 +924,19 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, /* AIX 4.3.3 is broken. (Or perhaps out of date?) If a numeric service is provided, and it doesn't correspond to - a known service name, an error code (for "host not found") is - returned. If the port maps to a known service, all is - well. */ + a known service name for tcp or udp (as appropriate), an error + code (for "host not found") is returned. If the port maps to a + known service for both udp and tcp, all is well. */ if (serv && serv[0] && isdigit(serv[0])) { unsigned long lport; char *end; lport = strtoul(serv, &end, 10); if (!*end) { - if (lport < 0 || lport > 65535) + if (lport > 65535) return EAI_SOCKTYPE; service_is_numeric = 1; service_port = htons(lport); - serv = 0; + serv = "discard"; /* defined for both udp and tcp */ if (hint) socket_type = hint->ai_socktype; } @@ -948,7 +974,10 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, approach: If getaddrinfo sets ai_canonname, we'll replace the *first* one with allocated storage, and free up that pointer in freeaddrinfo if it's set; the other ai_canonname fields will be - left untouched. + left untouched. And we'll just pray that the application code + won't mess around with the list structure; if we start doing + that, we'll have to start replacing and freeing all of the + ai_canonname fields. Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=133668 . 
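Review bot: `if (lport > 65535) return EAI_SOCKTYPE;` reports an out-of-range numeric port as a socket-type error; `EAI_SERVICE` is the code defined for a service that cannot be supported, and a caller that prints the error through gai_strerror will otherwise get a misleading message. The substitution `serv = "discard"; /* defined for both udp and tcp */` makes every numeric-port lookup on these platforms depend on `discard` being present in the system services database; if it is missing, the resolver call further down fails with a host-lookup-style error unrelated to the port, so the comment should say that, e.g. `/* requires "discard" in the services database; lookup fails otherwise */`. getaddrinfo's body continues on both sides of the hunk.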
@@ -1017,20 +1046,28 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, #endif return EAI_MEMORY; } + /* Zap the remaining ai_canonname fields glibc fills in, in + case the application messes around with the list + structure. */ + while ((ai = ai->ai_next) != NULL) + ai->ai_canonname = 0; } #endif #ifdef NUMERIC_SERVICE_BROKEN - for (ai = *result; ai; ai = ai->ai_next) { - if (socket_type != 0 && ai->ai_socktype == 0) - ai->ai_socktype = socket_type; - switch (ai->ai_family) { - case AF_INET: - ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port; - break; - case AF_INET6: - ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port; - break; + if (service_port != 0) { + for (ai = *result; ai; ai = ai->ai_next) { + if (socket_type != 0 && ai->ai_socktype == 0) + /* Is this check actually needed? */ + ai->ai_socktype = socket_type; + switch (ai->ai_family) { + case AF_INET: + ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port; + break; + case AF_INET6: + ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port; + break; + } } } #endif diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index eb4273615..6fe495d34 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog 
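Review bot: The new guard `if (service_port != 0)` skips the port rewrite when the caller asked for numeric port "0", even though `service_is_numeric` is set for that case earlier in the function; keying the block on the flag, `if (service_is_numeric) {`, matches the stated intent of rewriting only when a numeric service was supplied. Separately, `while ((ai = ai->ai_next) != NULL) ai->ai_canonname = 0;` drops the remaining pointers without releasing them; if the platform's getaddrinfo allocated a string per node, its freeaddrinfo will no longer see them and they leak, whereas if it only ever populates the first one a comment saying so would justify the simpler code. Both points sit inside getaddrinfo, whose body extends beyond the hunk.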
@@ -1,3 +1,35 @@ +2003-04-02 Sam Hartman + + * kdc_preauth.c (get_etype_info): Avoid infinite loop if request + does not contain des-cbc-crc and database does + +2003-04-01 Nalin Dahyabhai + + * do_tgs_req.c (process_tgs_req): Check that principal name + component 1 is present before examining it. + * kdc_util.c (krb5_is_tgs_principal, validate_tgs_request): Check + principal name length before examining components. + +2003-03-28 Tom Yu + + * kdc_preauth.c (verify_enc_timestamp): Save decryption error, in + case we get NO_MATCHING_KEY later. This allows us to log a more + sane error if an incorrect password is used for encrypting the + enc-timestamp preauth. + +2003-03-16 Sam Hartman + + * main.c (initialize_realms): Add support to call + enable_v4_crossrealm if the user wants insecure operation + + * kerberos_v4.c: Add enable_v4_crossrealm. By default krb4 + cross-realm is not allowed as it is insecure. Also, remove + support for generating krb4 tickets encrypted in 3DES as they are + insecure. + + * kdc_util.h: Define enable_v4_crossrealm, new function to enable + secure krb4 cross-realm authentication + 2003-03-05 Tom Yu * main.c (init_realm): Update call to krb5_ktdb_resolve(). diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 0c6116e21..c8b679bc2 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -174,7 +174,7 @@ tgt_again: krb5_data *tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1); - if (server_1->length != tgs_1->length || + if (!tgs_1 || server_1->length != tgs_1->length || memcmp(server_1->data, tgs_1->data, tgs_1->length)) { krb5_db_free_principal(kdc_context, &server, nprincs); find_alternate_tgs(request, &server, &more, &nprincs); diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 4747f27de..87b0358d7 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c 
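Review bot: `server_1` is still dereferenced without the null check that `tgs_1` just gained, on the same line in do_tgs_req.c; if it comes from `krb5_princ_component(kdc_context, request->server, 1)` above the hunk (not visible here), a request whose server principal has a single component still hits a NULL dereference. Checking both is cheap: `if (!server_1 || !tgs_1 || server_1->length != tgs_1->length ||`. process_tgs_req's body continues outside the hunk.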
@@ -457,7 +457,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_key_data * client_key; krb5_int32 start; krb5_timestamp timenow; - + krb5_error_code decrypt_err; + scratch.data = pa->contents; scratch.length = pa->length; @@ -471,6 +472,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, goto cleanup; start = 0; + decrypt_err = 0; while (1) { if ((retval = krb5_dbe_search_enctype(context, client, &start, enc_data->enctype, @@ -488,6 +490,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_free_keyblock_contents(context, &key); if (retval == 0) break; + else + decrypt_err = retval; } if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0) @@ -513,6 +517,14 @@ cleanup: krb5_free_data_contents(context, &enc_ts_data); if (pa_enc) free(pa_enc); + /* + * If we get NO_MATCHING_KEY and decryption previously failed, and + * we failed to find any other keys of the correct enctype after + * that failed decryption, it probably means that the password was + * incorrect. + */ + if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0) + retval = decrypt_err; return retval; } @@ -556,8 +568,10 @@ get_etype_info(krb5_context context, krb5_kdc_req *request, while (1) { if (!request_contains_enctype(context, request, db_etype)) { - if (db_etype == ENCTYPE_DES_CBC_CRC) - continue; + if (db_etype == ENCTYPE_DES_CBC_CRC) { + db_etype = ENCTYPE_DES_CBC_MD5; + continue; + } else break; } diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 736c51d12..9e9aa3f98 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c 
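Review bot: `decrypt_err` is read at `cleanup:` (`if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)`) but is only assigned `0` after the `goto cleanup` that precedes `start = 0;`, so that early-exit path evaluates an uninitialized variable. Initialize it at the declaration, `krb5_error_code decrypt_err = 0;`, and drop the later `decrypt_err = 0;`. The same applies to any other `goto cleanup` between the declaration and the loop that lies outside the hunk. verify_enc_timestamp's body continues outside the hunk.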
@@ -150,7 +150,8 @@ realm_compare(krb5_principal princ1, krb5_principal princ2) */ krb5_boolean krb5_is_tgs_principal(krb5_principal principal) { - if ((krb5_princ_component(kdc_context, principal, 0)->length == + if ((krb5_princ_size(kdc_context, principal) > 0) && + (krb5_princ_component(kdc_context, principal, 0)->length == KRB5_TGS_NAME_SIZE) && (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data, KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE))) @@ -1162,7 +1163,8 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, return KRB_AP_ERR_NOT_US; } /* ...and that the second component matches the server realm... */ - if ((krb5_princ_component(kdc_context, ticket->server, 1)->length != + if ((krb5_princ_size(kdc_context, ticket->server) <= 1) || + (krb5_princ_component(kdc_context, ticket->server, 1)->length != krb5_princ_realm(kdc_context, request->server)->length) || memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data, krb5_princ_realm(kdc_context, request->server)->data, diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 9abe3b860..05ba07f4f 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -176,6 +176,7 @@ krb5_error_code process_v4 (const krb5_data *, const krb5_fulladdr *, krb5_data **); void process_v4_mode (const char *, const char *); +void enable_v4_crossrealm(char *); #else #define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION #endif diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c index a87a1d5e5..01359792f 100644 --- a/src/kdc/kerberos_v4.c +++ b/src/kdc/kerberos_v4.c @@ -146,7 +146,7 @@ static krb5_data *response; void kerberos_v4 (struct sockaddr_in *, KTEXT); void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); -static int set_tgtkey (char *, krb5_kvno); +static int set_tgtkey (char *, krb5_kvno, krb5_boolean); /* Attributes converted from V5 to V4 - internal representation */ #define V4_KDB_REQUIRES_PREAUTH 0x1 
@@ -180,6 +180,8 @@ static const struct v4mode_lookup_entry v4mode_table[] = { static const int v4mode_table_nents = sizeof(v4mode_table)/ sizeof(v4mode_table[0]); +static int allow_v4_crossrealm = 0; + void process_v4_mode(const char *program_name, const char *string) { int i, found; @@ -205,6 +207,11 @@ void process_v4_mode(const char *program_name, const char *string) return; } +void enable_v4_crossrealm ( char *programname) { + allow_v4_crossrealm = 1; + krb5_klog_syslog(LOG_ERR, "Enabling v4 cross-realm compatibility; this is a known security hole"); +} + krb5_error_code process_v4(const krb5_data *pkt, const krb5_fulladdr *client_fulladdr, krb5_data **resp) @@ -382,6 +389,14 @@ compat_decrypt_key (krb5_key_data *in5, unsigned char *out4, /* array of name-components + NULL ptr */ +/* + * Previously this code returned either a v4 key or a v5 key and you + * could tell from the enctype of the v5 key whether the v4 key was + * useful. Now we return both keys so the code can try both des3 and + * des decryption. We fail if the ticket doesn't have a v4 key. + * Also, note as a side effect, the v5 key is basically useless in + * the client case. It is still returned so the caller can free it. + */ static int kerb_get_principal(char *name, char *inst, /* could have wild cards */ Principal *principal, 
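Review bot: `enable_v4_crossrealm(char *programname)` never uses `programname`, although kdc_util.h declares the parameter and main.c passes `argv[0]`; either include it in the syslog message or drop the parameter from both declaration and definition. A `const char *` would also match `process_v4_mode` directly above. A one-line comment on `allow_v4_crossrealm` stating that it is off by default and only set via `-X` would help the next reader find the policy switch.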
@@ -461,8 +476,28 @@ kerb_get_principal(char *name, char *inst, /* could have wild cards */ return(0); } } else { - /* XXX yes I know this is a hardcoded search order */ - if (krb5_dbe_find_enctype(kdc_context, &entries, + if ( krb5_dbe_find_enctype(kdc_context, &entries, + ENCTYPE_DES_CBC_CRC, + KRB5_KDB_SALTTYPE_V4, kvno, &pkey) && + krb5_dbe_find_enctype(kdc_context, &entries, + ENCTYPE_DES_CBC_CRC, + -1, kvno, &pkey)) { + lt = klog(L_KRB_PERR, + "KDC V4: failed to find key for %s.%s #%d", + name, inst, kvno); + krb5_db_free_principal(kdc_context, &entries, nprinc); + return(0); + } + } + + if (!compat_decrypt_key(pkey, k, k5key, issrv)) { + memcpy( &principal->key_low, k, LONGLEN); + memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN); + } + memset(k, 0, sizeof k); + if (issrv) { + krb5_free_keyblock_contents (kdc_context, k5key); + if (krb5_dbe_find_enctype(kdc_context, &entries, ENCTYPE_DES3_CBC_RAW, -1, kvno, &pkey) && krb5_dbe_find_enctype(kdc_context, &entries, @@ -478,17 +513,16 @@ kerb_get_principal(char *name, char *inst, /* could have wild cards */ ENCTYPE_DES_CBC_CRC, -1, kvno, &pkey)) { lt = klog(L_KRB_PERR, - "KDC V4: failed to find key for %s.%s #%d", + "KDC V4: failed to find key for %s.%s #%d (after having found it once)", name, inst, kvno); krb5_db_free_principal(kdc_context, &entries, nprinc); return(0); } - } + compat_decrypt_key(pkey, k, k5key, issrv); + memset (k, 0, sizeof k); + } + - if (!compat_decrypt_key(pkey, k, k5key, issrv)) { - memcpy( &principal->key_low, k, LONGLEN); - memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN); - } /* * Convert v5's entries struct to v4's Principal struct: * v5's time-unit for lifetimes is 1 sec, while v4 uses 5 minutes, 
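Review bot: The return value of the second `compat_decrypt_key(pkey, k, k5key, issrv);` in the `issrv` branch is discarded, while the first call on the same key-fetch path is checked; a failed decryption of the des3 key is therefore neither logged nor reported, and the caller cannot tell what `k5key` holds. Treat it like the first call, logging via `klog(L_KRB_PERR, ...)` and returning 0, or add a comment stating why failure is acceptable there. kerb_get_principal's body extends beyond the hunk.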
@@ -732,21 +766,14 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) kdb_encrypt_key(key, key, master_key, master_key_schedule, DECRYPT); /* construct and seal the ticket */ - if (K4KDC_ENCTYPE_OK(k5key.enctype)) { - krb_create_ticket(tk, k_flags, a_name_data.name, - a_name_data.instance, local_realm, - client_host.s_addr, (char *) session_key, - lifetime, kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - key); - } else { - krb_cr_tkt_krb5(tk, k_flags, a_name_data.name, - a_name_data.instance, local_realm, - client_host.s_addr, (char *) session_key, - lifetime, kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - &k5key); - } + /* We always issue des tickets; the 3des tickets are a broken hack*/ + krb_create_ticket(tk, k_flags, a_name_data.name, + a_name_data.instance, local_realm, + client_host.s_addr, (char *) session_key, + lifetime, kerb_time.tv_sec, + s_name_data.name, s_name_data.instance, + key); + krb5_free_keyblock_contents(kdc_context, &k5key); memset(key, 0, sizeof(key)); memset(key_s, 0, sizeof(key_s)); @@ -826,8 +853,15 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ); tktrlm[REALM_SZ-1] = '\0'; kvno = (krb5_kvno)auth->dat[2]; - if (set_tgtkey(tktrlm, kvno)) { - lt = klog(L_ERR_UNK, + if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { + lt = klog(L_ERR_UNK, + "Cross realm ticket from %s denied by policy,", tktrlm); + kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); + return; + } + if (set_tgtkey(tktrlm, kvno, 0)) { + lt = klog(L_ERR_UNK, "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", tktrlm, kvno, inet_ntoa(client_host)); /* no better error code */ 
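Review bot: The new denial log message `"Cross realm ticket from %s denied by policy,"` ends with a stray comma and, unlike the `set_tgtkey` failure message right after it, omits the client host, which is the detail an operator needs when working out why v4 cross-realm requests are being refused. Suggest `"Cross realm ticket from realm %s denied by policy. Host: %s", tktrlm, inet_ntoa(client_host)`. The condition `(!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0` would also read better with spaces around `&&`. kerberos_v4's body continues outside the hunk.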
@@ -837,6 +871,19 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) } kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, ad, 0); + if (kerno) { + if (set_tgtkey(tktrlm, kvno, 1)) { + lt = klog(L_ERR_UNK, + "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", + tktrlm, kvno, inet_ntoa(client_host)); + /* no better error code */ + kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); + return; + } + kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, + ad, 0); + } if (kerno) { klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", @@ -913,21 +960,13 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) des_new_random_key(session_key); #endif - if (K4KDC_ENCTYPE_OK(k5key.enctype)) { - krb_create_ticket(tk, k_flags, ad->pname, ad->pinst, - ad->prealm, client_host.s_addr, - (char *) session_key, lifetime, - kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - key); - } else { - krb_cr_tkt_krb5(tk, k_flags, ad->pname, ad->pinst, - ad->prealm, client_host.s_addr, - (char *) session_key, lifetime, - kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - &k5key); - } + /* ALways issue des tickets*/ + krb_create_ticket(tk, k_flags, ad->pname, ad->pinst, + ad->prealm, client_host.s_addr, + (char *) session_key, lifetime, + kerb_time.tv_sec, + s_name_data.name, s_name_data.instance, + key); krb5_free_keyblock_contents(kdc_context, &k5key); memset(key, 0, sizeof(key)); memset(key_s, 0, sizeof(key_s)); @@ -1107,11 +1146,12 @@ check_princ(char *p_name, char *instance, int lifetime, Principal *p, /* Set the key for krb_rd_req so we can check tgt */ static int -set_tgtkey(char *r, krb5_kvno kvno) +set_tgtkey(char *r, krb5_kvno kvno, krb5_boolean use_3des) { int n; static char lastrealm[REALM_SZ] = ""; static int last_kvno = 0; + static krb5_boolean last_use_3des = 0; static int more; Principal p_st; Principal *p = &p_st; 
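Review bot: The 3des retry overwrites `kerno` for every failure of the first `krb_rd_req`, not just a decryption failure, so the `"FAILED krb_rd_req from %s: %s"` log that follows reports the error from the second attempt and the original cause is lost. Consider logging or keeping the first `kerno` before the retry, or restricting the retry to the undecipherable-ticket case. Since the commit stops issuing 3des-encrypted v4 tickets as insecure, this acceptance path is a compatibility window; a comment such as `/* Accept TGTs still encrypted in 3des; remove once outstanding tickets expire */` would make that explicit. kerberos_v4's body continues outside the hunk.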
@@ -1119,7 +1159,7 @@ set_tgtkey(char *r, krb5_kvno kvno) krb5_keyblock k5key; k5key.contents = NULL; - if (!strcmp(lastrealm, r) && last_kvno == kvno) + if (!strcmp(lastrealm, r) && last_kvno == kvno && last_use_3des == use_3des) return (KSUCCESS); /* log("Getting key for %s", r); */ @@ -1141,11 +1181,12 @@ set_tgtkey(char *r, krb5_kvno kvno) return KFAILURE; } - if (!K4KDC_ENCTYPE_OK(k5key.enctype)) { + if (use_3des&&!K4KDC_ENCTYPE_OK(k5key.enctype)) { krb_set_key_krb5(kdc_context, &k5key); strncpy(lastrealm, r, sizeof(lastrealm) - 1); lastrealm[sizeof(lastrealm) - 1] = '\0'; last_kvno = kvno; + last_use_3des = use_3des; } else { /* unseal tgt key from master key */ memcpy(key, &p->key_low, 4); diff --git a/src/kdc/main.c b/src/kdc/main.c index 3e5091cbf..5fb460b0a 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -551,7 +551,7 @@ setup_sam(void) void usage(char *name) { - fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-n]\n", name); + fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-X] [-n]\n", name); return; } @@ -606,7 +606,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) * Loop through the option list. Each time we encounter a realm name, * use the previously scanned options to fill in for defaults. */ - while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:3")) != -1) { + while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:X3")) != -1) { switch(c) { case 'r': /* realm name for db */ if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) { @@ -662,6 +662,11 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) v4mode = strdup(optarg); #endif break; + case 'X': +#ifdef KRB5_KRB4_COMPAT + enable_v4_crossrealm(argv[0]); +#endif + break; case '3': #ifdef ATHENA_DES3_KLUDGE if (krb5_enctypes_list[krb5_enctypes_length-1].etype 
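Review bot: `last_use_3des` is updated only in the `use_3des && !K4KDC_ENCTYPE_OK(...)` branch; the `else` branch that installs the DES key continues outside the hunk, and if it does not also assign `last_use_3des = use_3des;` the cache check added above can hit incorrectly: a DES call after a 3des one for the same realm and kvno leaves `last_use_3des` at 1, and the next 3des call returns KSUCCESS with the DES key still installed. Assigning `last_use_3des` wherever `last_kvno` is assigned keeps the three cache keys in step. set_tgtkey's body continues outside the hunk.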
diff --git a/src/krb5-config.in b/src/krb5-config.in index d5ace8b39..4096cccd4 100644 --- a/src/krb5-config.in +++ b/src/krb5-config.in @@ -34,6 +34,7 @@ libdir=@libdir@ CC_LINK='@CC_LINK@' KRB4_LIB=@KRB4_LIB@ DES425_LIB=@DES425_LIB@ +KDB5_DB_LIB=@KDB5_DB_LIB@ LDFLAGS='@LDFLAGS@' RPATH_FLAG='@RPATH_FLAG@' @@ -179,12 +180,12 @@ if test -n "$do_libs"; then -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` if test $library = 'kdb'; then - lib_flags="$lib_flags -lkdb5 -ldb" + lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 fi if test $library = 'kadm_server'; then - lib_flags="$lib_flags -lkadm5srv -lkdb5 -ldb" + lib_flags="$lib_flags -lkadm5srv -lkdb5 $KDB5_DB_LIB" library=kadm_common fi diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog index 2a7b6cc54..80e6c891f 100644 --- a/src/krb524/ChangeLog +++ b/src/krb524/ChangeLog @@ -1,3 +1,16 @@ +2003-04-01 Nalin Dahyabhai + + * krb524d.c (do_connection): Use krb5_princ_size rather than + direct structure field access. + +2003-03-16 Sam Hartman + + * krb524d.c (handle_classic_v4): Do not support 3des enctypes as + they are insecure. Also, by default do not allow krb4 + cross-realm. + + * cnv_tkt_skey.c (krb524_convert_tkt_skey): Don't support 3des tickets + 2003-03-12 Ken Raeburn * cnv_tkt_skey.c (krb524_convert_tkt_skey): Extract source IP diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c index 595a1d392..3730ce43c 100644 --- a/src/krb524/cnv_tkt_skey.c +++ b/src/krb524/cnv_tkt_skey.c 
@@ -184,26 +184,8 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, sname, sinst, v4_skey->contents); - } else { - /* Force enctype to be raw if using DES3. */ - if (v4_skey->enctype == ENCTYPE_DES3_CBC_SHA1 || - v4_skey->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1) - v4_skey->enctype = ENCTYPE_DES3_CBC_RAW; - ret = krb524int_krb_cr_tkt_krb5(v4tkt, - 0, /* flags */ - pname, - pinst, - prealm, - sinp->sin_addr.s_addr, - (char *) v5etkt->session->contents, - lifetime, - /* issue_data */ - server_time, - sname, - sinst, - v4_skey); } - + else abort(); krb5_free_enc_tkt_part(context, v5etkt); v5tkt->enc_part2 = NULL; if (ret == KSUCCESS) diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c index 4995b515f..76025067e 100644 --- a/src/krb524/krb524d.c +++ b/src/krb524/krb524d.c @@ -76,6 +76,7 @@ static int debug = 0; void *handle = NULL; int use_keytab, use_master; +int allow_v4_crossrealm = 0; char *keytab = NULL; krb5_keytab kt; @@ -137,7 +138,10 @@ int main(argc, argv) config_params.mask = 0; while (argc) { - if (strncmp(*argv, "-k", 2) == 0) + if (strncmp(*argv, "-X", 2) == 0) { + allow_v4_crossrealm = 1; + } + else if (strncmp(*argv, "-k", 2) == 0) use_keytab = 1; else if (strncmp(*argv, "-m", 2) == 0) use_master = 1; @@ -346,7 +350,7 @@ krb5_error_code do_connection(s, context) if (debug) printf("V5 ticket decoded\n"); - if( v5tkt->server->length >= 1 + if( krb5_princ_size(context, v5tkt->server) >= 1 &&krb5_princ_component(context, v5tkt->server, 0)->length == 3 &&strncmp(krb5_princ_component(context, v5tkt->server, 0)->data, "afs", 3) == 0) { 
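Review bot: `else abort();` in `krb524_convert_tkt_skey` terminates the calling process when the v4 service key is not a DES enctype; this is a library entry point, so a caller that passes an unexpected key (the in-tree krb524d now fetches only ENCTYPE_DES_CBC_CRC, but other callers may not) crashes rather than receiving an error. Return an error status to the caller instead, with a comment noting that 3des v4 tickets are deliberately no longer produced. The enclosing function continues outside the hunk.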
@@ -524,19 +528,7 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, &v5_service_key, NULL))) goto error; - if ((ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_DES3_CBC_RAW, - 0, /* highest kvno */ - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_LOCAL_DES3_HMAC_SHA1, - 0, - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_DES3_CBC_SHA1, - 0, - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, + if ( (ret = lookup_service_key(context, v5tkt->server, ENCTYPE_DES_CBC_CRC, 0, &v4_service_key, v4kvno))) @@ -544,8 +536,19 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, if (debug) printf("service key retrieved\n"); + if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt))) { + goto error; + } - ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key, + if (!(allow_v4_crossrealm || krb5_realm_compare(context, v5tkt->server, + v5tkt->enc_part2->client))) { +ret = KRB5KDC_ERR_POLICY ; + goto error; + } + krb5_free_enc_tkt_part(context, v5tkt->enc_part2); + v5tkt->enc_part2= NULL; + + ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key, &v4_service_key, (struct sockaddr_in *)saddr); if (ret) @@ -561,6 +564,9 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, printf("v4 credentials encoded\n"); error: + if (v5tkt->enc_part2) + krb5_free_enc_tkt_part(context, v5tkt->enc_part2); + if(v5_service_key.contents) krb5_free_keyblock_contents(context, &v5_service_key); if (v4_service_key.contents) diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 7424a251d..47f718d16 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog 
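Review bot: The ticket is decrypted twice on this path: `krb5_decrypt_tkt_part` is called here only to read `enc_part2->client` for the realm comparison, the result is freed, and `krb524_convert_tkt_skey` then appears to decrypt it again (it frees `v5etkt` and nulls `enc_part2` in the cnv_tkt_skey.c hunk). If the conversion routine can reuse an existing `enc_part2`, or the realm check moves inside it, the second decryption goes away. Separately, `ret = KRB5KDC_ERR_POLICY ;` sits at column 0 with a space before the semicolon; a comment such as `/* krb4 has no cross-realm trust path; refuse unless -X was given */` above it would document the policy gate. handle_classic_v4's body extends beyond the hunk.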
@@ -1,3 +1,14 @@ +2003-03-14 Sam Hartman + + * accept_sec_context.c (krb5_gss_accept_sec_context): Set + prot_ready here + + * init_sec_context.c (krb5_gss_init_sec_context): Set prot_ready + after context established + + * gssapiP_krb5.h (KG_IMPLFLAGS): Don't claim prot_ready until the + context is established because we don't currently support it. + 2003-03-06 Alexandra Ellwood * disp_status.c, gssapi_krb5.h, gssapiP_krb5.h: diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 5ff6146ea..a004acb22 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -719,6 +719,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, &ctx->seq_send); /* the reply token hasn't been sent yet, but that's ok. */ + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; ctx->established = 1; token.length = g_token_size((gss_OID) mech_used, ap_rep.length); diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 325108612..f50653dbf 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -83,7 +83,7 @@ #define KG_TOK_DEL_CTX 0x0102 #define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \ - GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG | \ + GSS_C_TRANS_FLAG | \ ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))) diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 8877052ba..ba630f1eb 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -688,6 +688,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, g_order_init(&(ctx->seqstate), ctx->seq_recv, (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0); + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; ctx->established = 1; /* fall through to GSS_S_COMPLETE */ } 
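Review bot: With `GSS_C_PROT_READY_FLAG` removed from `KG_IMPLFLAGS`, every place that sets `ctx->established = 1` must now add the flag itself; the two shown here do, but if `krb5_gss_init_sec_context` establishes the context on another path (for example a non-mutual exchange, outside these hunks), that path would report an established context without prot_ready. Worth a search for `established = 1` across the mechanism and a comment at the `KG_IMPLFLAGS` definition, e.g. `/* PROT_READY is set per-context once established; see init/accept_sec_context */`.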
diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog index 6d3e3de5b..334d063cd 100644 --- a/src/lib/kadm5/srv/ChangeLog +++ b/src/lib/kadm5/srv/ChangeLog @@ -1,3 +1,9 @@ +2003-04-01 Tom Yu + + * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables. + (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS). + (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB). + 2003-01-12 Ezra Peisach * svr_iters.c (kadm5_get_either): For POSIX_REGEXPS diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in index db61a8c57..0b0ad3626 100644 --- a/src/lib/kadm5/srv/Makefile.in +++ b/src/lib/kadm5/srv/Makefile.in @@ -13,18 +13,14 @@ LIBMAJOR=5 LIBMINOR=1 STOBJLISTS=../OBJS.ST OBJS.ST -SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@) -SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT) -SHLIB_DBLIB-sys = - SHLIB_EXPDEPS=\ $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ $(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \ - $(TOPLIBD)/libkdb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) \ + $(TOPLIBD)/libkdb5$(SHLIBEXT) \ $(TOPLIBD)/libkrb5$(SHLIBEXT) \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ $(COM_ERR_DEPLIB) -SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(DB_LIB) \ +SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \ -lkrb5 -lk5crypto -lcom_err @GEN_LIB@ SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog index d685be6d9..de4ff5a5e 100644 --- a/src/lib/kdb/ChangeLog +++ b/src/lib/kdb/ChangeLog 
@@ -1,3 +1,26 @@ +2003-04-01 Tom Yu + + * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables. + (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS). + (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB). + (DBOBJLISTS, STOBJLISTS): Pull in object lists of in-tree libdb so + we don't need to install libdb. Don't do this if building with + system libdb, though, since we need to explicitly link against the + system libdb in that case. + +2003-03-18 Tom Yu + + * keytab.c (krb5_ktkdb_get_entry): Do not perform the enctype + comparison if the requested enctype is a wildcard. + +2003-03-16 Sam Hartman + + * keytab.c (krb5_ktkdb_get_entry): Match only against the first + enctype for non-cross-realm tickets so we will only accept + tickets that the current configuration would have issued. For + cross-realm tickets be liberal and match against the specified + enctype. + 2003-03-05 Tom Yu * kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in index ea80b7652..76261194a 100644 --- a/src/lib/kdb/Makefile.in +++ b/src/lib/kdb/Makefile.in @@ -12,17 +12,20 @@ LIBMAJOR=4 LIBMINOR=0 RELDIR=kdb # Depends on libk5crypto and libkrb5 -SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@) -SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT) -SHLIB_DBLIB-sys = SHLIB_EXPDEPS = \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) -SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(DB_LIB) $(LIBS) + $(TOPLIBD)/libkrb5$(SHLIBEXT) +SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(KDB5_DB_LIB) $(LIBS) SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) +DBDIR = $(BUILDTOP)/util/db2 +DBOBJLISTS = $(DBOBJLISTS-@DB_VERSION@) +DBOBJLISTS-sys = +DBOBJLISTS-k5 = $(DBDIR)/hash/OBJS.ST $(DBDIR)/btree/OBJS.ST \ + $(DBDIR)/db/OBJS.ST $(DBDIR)/mpool/OBJS.ST $(DBDIR)/recno/OBJS.ST \ + $(DBDIR)/clib/OBJS.ST all:: 
@@ -38,7 +41,7 @@ SRCS= \ $(srcdir)/setup_mkey.c \ $(srcdir)/store_mkey.c -STOBJLISTS=OBJS.ST +STOBJLISTS=OBJS.ST $(DBOBJLISTS) STLIBOBJS= \ keytab.o \ encrypt_key.o \ diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c index 6ec375ac2..90a81cac8 100644 --- a/src/lib/kdb/keytab.c +++ b/src/lib/kdb/keytab.c @@ -24,10 +24,14 @@ * or implied warranty. * */ +#include #include "k5-int.h" #include "kdb_kt.h" +static int +is_xrealm_tgt(krb5_context, krb5_const_principal); + krb5_error_code krb5_ktkdb_close (krb5_context, krb5_keytab); krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_principal, @@ -116,6 +120,8 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) krb5_db_entry db_entry; krb5_boolean more = 0; int n = 0; + int xrealm_tgt = is_xrealm_tgt(context, principal); + int similar; if (ktkdb_ctx) context = ktkdb_ctx; @@ -150,16 +156,33 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) if (kerror) goto error; + /* For cross realm tgts, we match whatever enctype is provided; + * for other principals, we only match the first enctype that is + * found. Since the TGS and AS code do the same thing, then we + * will only successfully decrypt tickets we have issued.*/ kerror = krb5_dbe_find_enctype(context, &db_entry, - enctype, -1, kvno, &key_data); + xrealm_tgt?enctype:-1, + -1, kvno, &key_data); if (kerror) goto error; + kerror = krb5_dbekd_decrypt_key_data(context, master_key, key_data, &entry->key, NULL); if (kerror) goto error; + if (enctype > 0) { + kerror = krb5_c_enctype_compare(context, enctype, + entry->key.enctype, &similar); + if (kerror) + goto error; + + if (!similar) { + kerror = KRB5_KDB_NO_PERMITTED_KEY; + goto error; + } + } /* * Coerce the enctype of the output keyblock in case we got an * inexact match on the enctype. 
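Review bot: `similar` is declared `int` but passed to `krb5_c_enctype_compare` as its `krb5_boolean *` output; if `krb5_boolean` is not plain `int` in this tree, that is an incompatible-pointer-type warning, so declare it `krb5_boolean similar;`. The new comment explains the xrealm/non-xrealm matching but not what happens for a wildcard enctype; extending it with `/* enctype <= 0 is a wildcard: no enctype check after the lookup */` would cover the `if (enctype > 0)` block. Also `xrealm_tgt` is computed at its declaration before the `if (ktkdb_ctx) context = ktkdb_ctx;` swap; harmless if `is_xrealm_tgt` only uses principal accessors, but moving it after the swap avoids the question. krb5_ktkdb_get_entry continues outside the hunk.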
@@ -176,3 +199,27 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) krb5_db_close_database(context); return(kerror); } + +/* + * is_xrealm_tgt: Returns true if the principal is a cross-realm TGT + * principal-- a principal with first component krbtgt and second + * component not equal to realm. + */ +static int +is_xrealm_tgt(krb5_context context, krb5_const_principal princ) +{ + krb5_data *dat; + if (krb5_princ_size(context, princ) != 2) + return 0; + dat = krb5_princ_component(context, princ, 0); + if (strncmp("krbtgt", dat->data, dat->length) != 0) + return 0; + dat = krb5_princ_component(context, princ, 1); + if (dat->length != princ->realm.length) + return 1; + if (strcmp(dat->data, princ->realm.data) == 0) + return 0; + return 1; + +} + diff --git a/src/lib/krb5/keytab/ChangeLog b/src/lib/krb5/keytab/ChangeLog index ef0e702f1..864a412e7 100644 --- a/src/lib/krb5/keytab/ChangeLog +++ b/src/lib/krb5/keytab/ChangeLog @@ -1,3 +1,10 @@ +2003-04-01 Nalin Dahyabhai + + * kt_file.c (krb5_ktfileint_internal_read_entry): Use + krb5_princ_size instead of direct field access. + (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry): + Likewise. + 2003-02-08 Tom Yu * kt_file.c (krb5_ktfile_get_entry): Fix comment; not going to diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c index 9e4f15aa7..9b7b9ae8f 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c @@ -1324,7 +1324,7 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke return 0; fail: - for (i = 0; i < ret_entry->principal->length; i++) { + for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) { princ = krb5_princ_component(context, ret_entry->principal, i); if (princ->data) free(princ->data); 
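Review bot: `strncmp("krbtgt", dat->data, dat->length)` in `is_xrealm_tgt` matches any prefix of krbtgt, so principals whose first component is `krb` or `krbtg` are classified as cross-realm TGTs and get the liberal enctype matching; compare the length first, `if (dat->length != KRB5_TGS_NAME_SIZE || memcmp(KRB5_TGS_NAME, dat->data, KRB5_TGS_NAME_SIZE) != 0)`. The realm comparison `strcmp(dat->data, princ->realm.data)` relies on both krb5_data buffers being NUL-terminated; the lengths are already known equal at that point, so `memcmp(dat->data, princ->realm.data, dat->length)` is the safe form. The stray blank line before the closing brace can go too.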
@@ -1375,9 +1375,9 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent } if (KTVERSION(id) == KRB5_KT_VNO_1) { - count = (krb5_int16) entry->principal->length + 1; + count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1; } else { - count = htons((u_short) entry->principal->length); + count = htons((u_short) krb5_princ_size(context, entry->principal)); } if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) { @@ -1396,7 +1396,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent goto abend; } - count = (krb5_int16) entry->principal->length; + count = (krb5_int16) krb5_princ_size(context, entry->principal); for (i = 0; i < count; i++) { princ = krb5_princ_component(context, entry->principal, i); size = princ->length; @@ -1494,7 +1494,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i krb5_int32 total_size, i; krb5_error_code retval = 0; - count = (krb5_int16) entry->principal->length; + count = (krb5_int16) krb5_princ_size(context, entry->principal); total_size = sizeof(count); total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16)); diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index c936ca4fd..e70c3b6f6 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog 
@@ -1,3 +1,22 @@ +2003-04-01 Nalin Dahyabhai + + * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name + length before examining components. + + * parse.c (krb5_parse_name): Double-check principal name length + before filling in components. + + * srv_rcache.c (krb5_get_server_rcache): Check for null pointer + supplied in place of name. + + * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer + backwards if nothing has been put into the buffer yet. + +2003-04-01 Sam Hartman + + * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared, + don't set up a replay cache. + 2003-03-08 Ezra Peisach * t_kerb.c: Only include krb.h if krb4 support compiled in, diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index fdf00e6b1..b5c99428a 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -341,7 +341,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds for (next_server = top_server; *next_server; next_server++) { krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1); krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1); - if (realm_1->length == realm_2->length && + if (realm_1 != NULL && + realm_2 != NULL && + realm_1->length == realm_2->length && !memcmp(realm_1->data, realm_2->data, realm_1->length)) { break; } diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c index abbcfbe2d..3debb6acf 100644 --- a/src/lib/krb5/krb/parse.c +++ b/src/lib/krb5/krb/parse.c 
@@ -170,11 +170,13 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip cp++; size++; } else if (c == COMPONENT_SEP) { - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; i++; } else if (c == REALM_SEP) { - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; parsed_realm = cp+1; } else @@ -183,7 +185,8 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip if (parsed_realm) krb5_princ_realm(context, principal)->length = size; else - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; if (i + 1 != components) { #if !defined(_WIN32) && !defined(macintosh) fprintf(stderr, diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c index f844e3cd6..9a2f4589d 100644 --- a/src/lib/krb5/krb/rd_req.c +++ b/src/lib/krb5/krb/rd_req.c @@ -83,7 +83,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da server = request->ticket->server; } /* Get an rcache if necessary. */ - if (((*auth_context)->rcache == NULL) && server) { + if (((*auth_context)->rcache == NULL) + && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) +&& server) { if ((retval = krb5_get_server_rcache(context, krb5_princ_component(context,server,0), &(*auth_context)->rcache))) goto cleanup_auth_context; diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c index aa41bc52b..e2e5ed690 100644 --- a/src/lib/krb5/krb/srv_rcache.c +++ b/src/lib/krb5/krb/srv_rcache.c 
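Review bot: Gating the replay cache on `KRB5_AUTH_CONTEXT_DO_TIME` means an application that clears that flag gets neither timestamp checking nor replay detection from `krb5_rd_req`, and nothing in the code says so; the comment above the condition should state it, e.g. `/* Get an rcache if necessary: replay detection is tied to DO_TIME, so callers clearing that flag must provide their own protection. */`. The continuation line `+&& server) {` is at column 0 and should be indented with the rest of the condition. krb5_rd_req's body continues outside the hunk.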
@@ -48,6 +48,9 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
 unsigned long uid = geteuid();
 #endif
+ if (piece == NULL)
+ return ENOMEM;
+
 rcache = (krb5_rcache) malloc(sizeof(*rcache));
 if (!rcache)
 return ENOMEM;
diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c
index f0e52dcee..6f1a3c9e8 100644
--- a/src/lib/krb5/krb/unparse.c
+++ b/src/lib/krb5/krb/unparse.c
@@ -149,7 +149,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi
 *q++ = COMPONENT_SEP;
 }
- q--; /* Back up last component separator */
+ if (i > 0)
+ q--; /* Back up last component separator */
 *q++ = REALM_SEP;
 cp = krb5_princ_realm(context, principal)->data;
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog
index 653424054..725db86bc 100644
--- a/src/lib/rpc/ChangeLog
+++ b/src/lib/rpc/ChangeLog
@@ -1,3 +1,9 @@
+2003-03-24 Tom Yu
+
+ * xdr_mem.c (xdrmem_create): Perform some additional size checks.
+ (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes): Check x_handy
+ prior to decrementing it.
+
 2003-01-12 Ezra Peisach
 * svc_auth_gssapi.c (_svcauth_gssapi_unset_names): If invoked more
diff --git a/src/lib/rpc/xdr_mem.c b/src/lib/rpc/xdr_mem.c
index 18265da81..58e2d82a3 100644
--- a/src/lib/rpc/xdr_mem.c
+++ b/src/lib/rpc/xdr_mem.c
@@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_mem.c 1.19 87/08/11 Copyr 1984 Sun Micro";
 #include
 #include
 #include
+#include
 static bool_t xdrmem_getlong(XDR *, long *);
 static bool_t xdrmem_putlong(XDR *, long *);
@@ -84,7 +85,7 @@ xdrmem_create(xdrs, addr, size, op)
 xdrs->x_op = op;
 xdrs->x_ops = &xdrmem_ops;
 xdrs->x_private = xdrs->x_base = addr;
- xdrs->x_handy = size;
+ xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */
 }
 static void
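Review bot: The new `if (piece == NULL) return ENOMEM;` reports a caller error as an out-of-memory condition, which will mislead anyone reading the resulting error text or branching on ENOMEM. `EINVAL` is the honest code for a missing argument; change the line to `return EINVAL;` unless an existing caller specifically depends on ENOMEM here, which I cannot see. A short comment would also record how a NULL gets this far — krb5_rd_req (elsewhere in this commit) passes `krb5_princ_component(context, server, 0)`, which is NULL for a server principal with no components: `/* A principal without a first component has no name to key the rcache on. */`. krb5_get_server_rcache continues past the hunk.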
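Review bot: `if (i > 0) q--;` keeps `q` from stepping back before the first byte when the principal has no components, but the output then becomes `@REALM`, and whether the buffer size computed earlier in krb5_unparse_name_ext (outside this hunk) allows for writing REALM_SEP with nothing in front of it is not visible here — worth confirming that the zero-component case is counted there too. The branch also deserves a comment, since the old one now only describes the common case: `/* Nothing written yet for a component-less principal, so there is no trailing separator to overwrite. */`. The function starts and ends outside the hunk.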
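Review bot: Clamping `x_handy` to INT_MAX in xdrmem_create silently shrinks the usable buffer for any `size` above INT_MAX, so a later xdrmem_getbytes near the end of such a buffer fails with FALSE although the bytes are present; the `/* XXX */` should say that this is deliberate, e.g. `/* x_handy is an int: clamp rather than let the assignment wrap negative, at the cost of not addressing more than INT_MAX bytes. */` — assuming x_handy is an `int`, which the clamp implies but the XDR struct is not shown. The `size > INT_MAX` test is only live if `size` is unsigned or wider than int; the K&R parameter declarations are outside the hunk, so please confirm its type, because for a plain `int` the comparison is dead and a negative size still goes through.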
@@ -99,8 +100,10 @@ xdrmem_getlong(xdrs, lp)
 long *lp;
 {
- if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ if (xdrs->x_handy < sizeof(rpc_int32))
 return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(rpc_int32);
 *lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private)));
 xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32);
 return (TRUE);
@@ -112,8 +115,10 @@ xdrmem_putlong(xdrs, lp)
 long *lp;
 {
- if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ if (xdrs->x_handy < sizeof(rpc_int32))
 return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(rpc_int32);
 *(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp));
 xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32);
 return (TRUE);
@@ -126,8 +131,10 @@ xdrmem_getbytes(xdrs, addr, len)
 register unsigned int len;
 {
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
 return (FALSE);
+ else
+ xdrs->x_handy -= len;
 memmove(addr, xdrs->x_private, len);
 xdrs->x_private = (char *)xdrs->x_private + len;
 return (TRUE);
@@ -140,8 +147,10 @@ xdrmem_putbytes(xdrs, addr, len)
 register unsigned int len;
 {
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
 return (FALSE);
+ else
+ xdrs->x_handy -= len;
 memmove(xdrs->x_private, addr, len);
 xdrs->x_private = (char *)xdrs->x_private + len;
 return (TRUE);
@@ -180,7 +189,7 @@ xdrmem_inline(xdrs, len)
 {
 rpc_int32 *buf = 0;
- if (xdrs->x_handy >= len) {
+ if (len >= 0 && xdrs->x_handy >= len) {
 xdrs->x_handy -= len;
 buf = (rpc_int32 *) xdrs->x_private;
 xdrs->x_private = (char *)xdrs->x_private + len;
diff --git a/src/mac/MacOSX/Headers/Kerberos5Prefix.h b/src/mac/MacOSX/Headers/Kerberos5Prefix.h
index 24acb4845..acd5ebb4f 100644
--- a/src/mac/MacOSX/Headers/Kerberos5Prefix.h
+++ b/src/mac/MacOSX/Headers/Kerberos5Prefix.h
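Review bot: In xdrmem_getbytes (and putbytes) the new test `xdrs->x_handy < len` compares `x_handy` with `unsigned int len`; if `x_handy` is a signed int, as the INT_MAX clamp in xdrmem_create suggests, the comparison is performed unsigned and a negative `x_handy` would pass — the very state the old `(x_handy -= len) < 0` form was trying to catch, however unsoundly. That is safe only because of an invariant this commit establishes but never states: x_handy starts non-negative and is now decremented only after a successful bound check, including in xdrmem_inline, where the added `len >= 0 &&` guard (len being signed there) is what keeps that true. Please spell it out once, at the first such check: `/* x_handy is never negative: it is clamped at creation and only decremented after a bounds check, so the unsigned compare against len is safe. */`. The getlong/putlong comparisons against `sizeof(rpc_int32)` (a size_t) rely on the same invariant.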
@@ -146,8 +146,8 @@
 #define KRB4_USE_KEYTAB 1
 #define KRB5 1
 #define KRB524_PRIVATE 1
-#define KRB5_DNS_LOOKUP 0
-#define KRB5_DNS_LOOKUP_KDC 0
+#define KRB5_DNS_LOOKUP 1
+#define KRB5_DNS_LOOKUP_KDC 1
 #define KRB5_KRB4_COMPAT 1
 #define KRB5_PRIVATE 1
 #define krb5_sigtype void
diff --git a/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj b/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj
index c674f4b5b..01b54af79 100644
--- a/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj
+++ b/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj
@@ -1695,6 +1695,12 @@
 settings = {
 };
 };
+ A1BBFF1604226DBD00120114 = {
+ fileEncoding = 30;
+ isa = PBXFileReference;
+ path = configure.in;
+ refType = 4;
+ };
 A1CA6042040F24850013F915 = {
 fileRef = F517325103F1B65901120114;
 isa = PBXBuildFile;
@@ -2339,6 +2345,7 @@
 children = (
 F51730E203F1B65801120114,
 F51730E303F1B65801120114,
+ A1BBFF1604226DBD00120114,
 F51730E503F1B65801120114,
 F51730E603F1B65801120114,
 F51730E703F1B65801120114,
@@ -2525,12 +2532,10 @@
 F51730FF03F1B65801120114,
 F517310003F1B65801120114,
 F517310103F1B65801120114,
- F517310203F1B65801120114,
 F517310303F1B65801120114,
 F517310403F1B65801120114,
 F517310503F1B65801120114,
 F517310603F1B65801120114,
- F517310703F1B65801120114,
 F517310803F1B65801120114,
 F517310903F1B65801120114,
 F517310A03F1B65801120114,
@@ -2557,13 +2562,6 @@
 path = adm_proto.h;
 refType = 4;
 };
- F517310203F1B65801120114 = {
- children = (
- );
- isa = PBXGroup;
- path = asn.1;
- refType = 4;
- };
 F517310303F1B65801120114 = {
 fileEncoding = 30;
 isa = PBXFileReference;
@@ -2588,12 +2586,6 @@
 path = kdb_dbc.h;
 refType = 4;
 };
- F517310703F1B65801120114 = {
- fileEncoding = 30;
- isa = PBXFileReference;
- path = kdb_dbm.h;
- refType = 4;
- };
 F517310803F1B65801120114 = {
 fileEncoding = 30;
 isa = PBXFileReference;
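Review bot: Flipping `KRB5_DNS_LOOKUP` and `KRB5_DNS_LOOKUP_KDC` from 0 to 1 changes the default trust model of the Mac OS X build — KDC discovery will now consult DNS, which is unauthenticated, so anyone who can spoof the client's DNS answers can choose which host the client talks to; for KDC location this is contained by the shared-key protocol, but the corresponding host-to-realm lookup via DNS TXT records is not, and nothing in this hunk records whether that remains off. Assuming the tree has the same separate realm knob as the autoconf build (KRB5_DNS_LOOKUP_REALM), please say so next to these two defines, e.g. `/* KfM resolves KDCs via DNS SRV by default; realm mapping via DNS TXT stays disabled (KRB5_DNS_LOOKUP_REALM) because it would trust unauthenticated DNS. */`, adjusted to whatever that macro's value actually is. A rationale for enabling this by default belongs in the header or the ChangeLog, and neither carries one here.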
@@ -8721,12 +8713,6 @@
 settings = {
 };
 };
- F51738E403F1BA7F01120114 = {
- fileRef = F517310D03F1B65801120114;
- isa = PBXBuildFile;
- settings = {
- };
- };
 F51738E503F1BAF701120114 = {
 fileRef = F51734DE03F1B65A01120114;
 isa = PBXBuildFile;
@@ -10466,7 +10452,6 @@
 F51738DE03F1BA2701120114,
 F51738DF03F1BA2701120114,
 F51738E303F1BA7501120114,
- F51738E403F1BA7F01120114,
 F51738F303F1BB1701120114,
 F51738F903F1BB1A01120114,
 F517391B03F1BB2D01120114,
diff --git a/src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam b/src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam
index 9969720be..1a3c4351c 100644
--- a/src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam
+++ b/src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam
@@ -45,6 +45,17 @@ rule Make
 actions Make
 {
 mkdir -p "$(1:D)"
+ echo "*******************************************************"
+ echo "*** WARNING! Deleting KfM /usr/lib compat symlinks! ***"
+ echo "*******************************************************"
+ echo "(If you want us to stop doing this, fix ld: Radar 3176974)"
+ rm -f /usr/lib/libcom_err.dylib
+ rm -f /usr/lib/libdes425.dylib
+ rm -f /usr/lib/libgssapi_krb5.dylib
+ rm -f /usr/lib/libk5crypto.dylib
+ rm -f /usr/lib/libkrb4.dylib
+ rm -f /usr/lib/libkrb5.dylib
+ rm -f /usr/lib/libkrb524.dylib
 cd "$(1:D)" && make && touch "$(1)" && echo "### HAPPINESS ###"
 }
diff --git a/src/tests/dejagnu/config/ChangeLog b/src/tests/dejagnu/config/ChangeLog
index 7d8589b47..e2092a8d9 100644
--- a/src/tests/dejagnu/config/ChangeLog
+++ b/src/tests/dejagnu/config/ChangeLog
@@ -1,3 +1,9 @@
+2003-03-26 Tom Yu
+
+ * default.exp (v4kinit): Expect failure when kiniting to a des3
+ TGT, due to fix for MITKRB5-SA-2003-004.
+ (setup_kadmind_srvtab): Remove. It's not needed anymore.
+
 2003-02-04 Tom Yu
 * default.exp (start_kerberos_daemons): Use correct argument to
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index f025eb763..82b69525e 100644
--- a/src/tests/dejagnu/config/default.exp
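Review bot: The seven new `rm -f /usr/lib/lib*.dylib` lines in `actions Make` delete files outside the build tree on every build, unconditionally, with no check that the path is in fact one of the compatibility symlinks the banner talks about; if a real library sits there (a vendor or third-party install), `rm -f` removes it silently, and since writing to /usr/lib implies the build runs with root privileges, the damage is system-wide. Guard each removal with a symlink test and put the whole step behind a variable so a packaging run or an unsuspecting developer cannot lose system libraries by building. The banner and the `cd ... && make` line are unchanged; the `actions Make` block is fully inside the hunk.
```jam
actions Make
{
    mkdir -p "$(1:D)"
    # … unchanged: warning banner …
    for lib in libcom_err libdes425 libgssapi_krb5 libk5crypto libkrb4 libkrb5 libkrb524 ; do
        f="/usr/lib/$lib.dylib"
        if [ -L "$f" ] ; then
            rm -f "$f"
        elif [ -e "$f" ] ; then
            echo "Not removing $f: it is not a symlink"
        fi
    done
    # … unchanged: cd && make && touch …
}
```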
+++ b/src/tests/dejagnu/config/default.exp
@@ -692,7 +692,6 @@ proc setup_kerberos_files { } {
 puts $conffile " database_name = $tmppwd/db"
 puts $conffile " admin_database_name = $tmppwd/adb"
 puts $conffile " admin_database_lockfile = $tmppwd/adb.lock"
- puts $conffile " admin_keytab = $tmppwd/admin-keytab"
 puts $conffile " key_stash_file = $tmppwd/stash"
 puts $conffile " acl_file = $tmppwd/acl"
 puts $conffile " kadmind_port = 3750"
@@ -938,83 +937,6 @@ proc restore_kerberos_env { } { } -# setup_kadmind_srvtab -# A procedure to build the srvtab for kadmind5 so that kadmin5 and it -# may successfully communicate. -# Returns 1 on success, 0 on failure. -proc setup_kadmind_srvtab { } { - global REALMNAME - global KADMIN_LOCAL - global KEY - global tmppwd - - catch "exec rm -f $tmppwd/admin-keytab" - envstack_push - setup_kerberos_env kdc - spawn $KADMIN_LOCAL -r $REALMNAME - envstack_pop - catch expect_after - expect_after { - -re "(.*)\r\nkadmin.local: " { - fail "kadmin.local admin-keytab (unmatched output: $expect_out(1,string)" - catch "exec rm -f $tmppwd/admin-keytab" - catch "expect_after" - return 0 - } - timeout { - fail "kadmin.local admin-keytab (timeout)" - catch "exec rm -f $tmppwd/admin-keytab" - catch "expect_after" - return 0 - } - eof { - fail "kadmin.local admin-keytab (eof)" - catch "exec rm -f $tmppwd/admin-keytab" - catch "expect_after" - return 0 - } - } - expect "kadmin.local: " - send "xst -k admin-new-srvtab kadmin/admin\r" - expect "xst -k admin-new-srvtab kadmin/admin\r\n" - expect -re ".*Entry for principal kadmin/admin.* added to keytab WRFILE:admin-new-srvtab." - expect "kadmin.local: " - - catch "exec mv -f admin-new-srvtab changepw-new-srvtab" exec_output - if ![string match "" $exec_output] { - verbose -log "$exec_output" - perror "can't mv admin-new-srvtab" - catch expect_after - return 0 - } - - send "xst -k changepw-new-srvtab kadmin/changepw\r" - expect "xst -k changepw-new-srvtab kadmin/changepw\r\n" - expect -re ".*Entry for principal kadmin/changepw.* added to keytab WRFILE:changepw-new-srvtab." 
- expect "kadmin.local: "
- send "quit\r"
- expect eof
- catch expect_after
- if ![check_exit_status "kadmin.local admin-keytab"] {
- catch "exec rm -f $tmppwd/admin-keytab"
- perror "kadmin.local admin-keytab exited abnormally"
- return 0
- }
-
- catch "exec mv -f changepw-new-srvtab $tmppwd/admin-keytab" exec_output
- if ![string match "" $exec_output] {
- verbose -log "$exec_output"
- perror "can't mv new admin-keytab"
- return 0
- }
-
- # Make the srvtab file globally readable in case we are using a
- # root shell and the srvtab is NFS mounted.
- catch "exec chmod a+r $tmppwd/admin-keytab"
-
- return 1
-}
-
 # setup_kerberos_db
 # Initialize the Kerberos database. If the argument is non-zero, call
 # pass at relevant points. Returns 1 on success, 0 on failure.
@@ -1270,12 +1192,7 @@ proc setup_kerberos_db { standalone } {
 }
 }
 }
- # XXX should deal with envstack inside setup_kadmind_srvtab too
- set ret [setup_kadmind_srvtab]
 envstack_pop
- if !$ret {
- return 0
- }
 # create the admin database lock file
 catch "exec touch $tmppwd/adb.lock"
@@ -2029,6 +1946,7 @@ proc v4kinit { name pass standalone } {
 global REALMNAME
 global KINIT
 global spawn_id
+ global des3_krbtgt
 # Use kinit to get a ticket.
 #
@@ -2052,10 +1970,20 @@ proc v4kinit { name pass standalone } {
 }
 send "$pass\r"
 expect eof
- if ![check_exit_status kinit] {
- return 0
+ if {$des3_krbtgt == 0} {
+ if ![check_exit_status v4kinit] {
+ return 0
+ }
+ } else {
+ # Fail if kinit is successful with a des3 TGT.
+ set status_list [wait -i $spawn_id]
+ set testname v4kinit
+ verbose "wait -i $spawn_id returned $status_list ($testname)"
+ if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } {
+ verbose -log "exit status: $status_list"
+ fail "$testname (exit status)"
+ }
 }
-
 if {$standalone} {
 pass "v4kinit"
 }
diff --git a/src/tests/dejagnu/krb-standalone/ChangeLog b/src/tests/dejagnu/krb-standalone/ChangeLog
index fe3f185a6..01f490230 100644
--- a/src/tests/dejagnu/krb-standalone/ChangeLog
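Review bot: In the new `else` branch of v4kinit (des3 TGT, failure expected) a wrong exit status records `fail "$testname (exit status)"` but does not return, so control falls through to the `if {$standalone} { pass "v4kinit" }` immediately below and the same test is logged as both failed and passed; the `des3_krbtgt == 0` branch does `return 0` on failure, so the two branches disagree. Add `return 0` right after the `fail` line, inside the `if { [lindex $status_list 2] != 0 || ... }` block. The check also pins kinit's expected exit code to exactly 1; if kinit can report the des3 refusal with another code that becomes a spurious failure, so a comment stating that 1 is deliberately required would help the next person who sees it trip. The `v4kinit` proc continues past the end of the hunk.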
+++ b/src/tests/dejagnu/krb-standalone/ChangeLog
@@ -1,3 +1,12 @@
+2003-03-26 Tom Yu
+
+ * v4gssftp.exp (v4ftp_test): Return early if $des3_krbtgt set.
+
+ * v4krb524d.exp (doit): Return early if $des3_krbtgt set.
+
+ * v4standalone.exp (check_and_destroy_v4_tix): Return early if
+ $des3_krbtgt set.
+
 2003-01-01 Ezra Peisach
 * standalone.exp: Only run the keytab to srvtab tests if kerberos 4
diff --git a/src/tests/dejagnu/krb-standalone/v4gssftp.exp b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
index c0b95d0ae..c4d5fd35c 100644
--- a/src/tests/dejagnu/krb-standalone/v4gssftp.exp
+++ b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
@@ -179,7 +179,11 @@ proc v4ftp_test { } {
 global tmppwd
 global ftp_save_ktname
 global ftp_save_ccname
+ global des3_krbtgt
+ if {$des3_krbtgt} {
+ return
+ }
 # Start up the kerberos and kadmind daemons and get a srvtab and a
 # ticket file.
 if {![start_kerberos_daemons 0] \
diff --git a/src/tests/dejagnu/krb-standalone/v4krb524d.exp b/src/tests/dejagnu/krb-standalone/v4krb524d.exp
index 5506a06b7..6e922c7e1 100644
--- a/src/tests/dejagnu/krb-standalone/v4krb524d.exp
+++ b/src/tests/dejagnu/krb-standalone/v4krb524d.exp
@@ -78,7 +78,11 @@ proc doit { } {
 global KDESTROY
 global tmppwd
 global REALMNAME
+ global des3_krbtgt
+ if {$des3_krbtgt} {
+ return
+ }
 # Start up the kerberos and kadmind daemons.
 if ![start_kerberos_daemons 1] {
 return
diff --git a/src/tests/dejagnu/krb-standalone/v4standalone.exp b/src/tests/dejagnu/krb-standalone/v4standalone.exp
index 62db0a794..cc42e8dab 100644
--- a/src/tests/dejagnu/krb-standalone/v4standalone.exp
+++ b/src/tests/dejagnu/krb-standalone/v4standalone.exp
@@ -26,7 +26,12 @@ if ![setup_kerberos_db 1] {
 proc check_and_destroy_v4_tix { client server } {
 global REALMNAME
+ global des3_krbtgt
+ # Skip this if we're using a des3 TGT, since that's supposed to fail.
+ if {$des3_krbtgt} {
+ return
+ }
 # Make sure that klist can see the ticket.
 if ![v4klist "$client" "$server" "v4klist"] {
 return
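Review bot: The early `return` when `$des3_krbtgt` is set makes v4ftp_test vanish from the run without trace, so the DejaGnu summary cannot distinguish "skipped because the TGT is des3" from "never executed"; DejaGnu's `unsupported` (or `untested`) result exists for exactly this, e.g. `unsupported "v4ftp_test: krb4 not usable with des3 TGT"` on the line before `return`. The same applies to the parallel hunks in v4krb524d.exp and v4standalone.exp, of which only the last carries a comment explaining why it bails out — the other two should say so as well. `v4ftp_test` continues past the hunk.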
diff --git a/src/util/ChangeLog b/src/util/ChangeLog index 926b6c46d..5401447ad 100644 --- a/src/util/ChangeLog +++ b/src/util/ChangeLog @@ -1,3 +1,9 @@ +2003-04-10 Tom Yu + + * reconf: Warn if autoconf-2.52 is used, as it generates buggy + configure scripts that don't work with BSD /bin/sh, and don't + comply with POSIX.2 (no conditions inside "case" statement). + 2003-02-05 Tom Yu * mkrel: Exclude .rconf files. diff --git a/src/util/db2/ChangeLog b/src/util/db2/ChangeLog index acac38ef1..7c9d1dfa9 100644 --- a/src/util/db2/ChangeLog +++ b/src/util/db2/ChangeLog @@ -1,3 +1,8 @@ +2003-04-01 Tom Yu + + * Makefile.in (install-unix): Delete install-libs. We don't want + to install our in-tree libdb. + 2003-01-10 Ken Raeburn * configure.in: Don't explicitly invoke AC_PROG_INSTALL. diff --git a/src/util/db2/Makefile.in b/src/util/db2/Makefile.in index 0d4634ff0..6ca755097 100644 --- a/src/util/db2/Makefile.in +++ b/src/util/db2/Makefile.in @@ -17,7 +17,6 @@ HDRS = $(HDRDIR)/db.h $(HDRDIR)/db-config.h $(HDRDIR)/db-ndbm.h all-unix:: all-liblinks includes clean-unix:: clean-liblinks clean-libs clean-includes -install-unix:: install-libs includes:: $(HDRS) diff --git a/src/util/db2/test/Makefile b/src/util/db2/test/Makefile deleted file mode 100644 index 6685decb5..000000000 --- a/src/util/db2/test/Makefile +++ /dev/null 
@@ -1,652 +0,0 @@ -############################################################ -## config/pre.in -## common prefix for all Makefile.in in the Kerberos V5 tree. -## - -WHAT = unix -SHELL=/bin/sh - -all:: all-$(WHAT) - -clean:: clean-$(WHAT) - -distclean:: distclean-$(WHAT) - -install:: install-$(WHAT) - -check:: check-$(WHAT) - -install-headers:: install-headers-$(WHAT) - -############################## -# Recursion rule support -# - -# The commands for the recursion targets live in config/post.in. -# -# General form of recursion rules: -# -# Each recursive target foo-unix has related targets: foo-prerecurse, -# foo-recurse, and foo-postrecurse -# -# The foo-recurse rule is in post.in. It is what actually recursively -# calls make. -# -# foo-recurse depends on foo-prerecurse, so any targets that must be -# built before descending into subdirectories must be dependencies of -# foo-prerecurse. -# -# foo-postrecurse depends on foo-recurse, but targets that must be -# built after descending into subdirectories should be have -# foo-recurse as dependencies in addition to being listed under -# foo-postrecurse, to avoid ordering issues. -# -# The foo-prerecurse, foo-recurse, and foo-postrecurse rules are all -# single-colon rules, to avoid nasty ordering problems with -# double-colon rules. -# -# e.g. -# all:: includes foo -# foo: -# echo foo -# includes:: -# echo bar -# includes:: -# echo baz -# -# will result in "bar", "foo", "baz" on AIX, and possibly others. 
-all-unix:: all-postrecurse -all-postrecurse: all-recurse -all-recurse: all-prerecurse - -all-prerecurse: -all-postrecurse: - -clean-unix:: clean-postrecurse -clean-postrecurse: clean-recurse -clean-recurse: clean-prerecurse - -clean-prerecurse: -clean-postrecurse: - -distclean-unix: distclean-postrecurse -distclean-postrecurse: distclean-recurse -distclean-recurse: distclean-prerecurse - -distclean-prerecurse: -distclean-postrecurse: - -install-unix:: install-postrecurse -install-postrecurse: install-recurse -install-recurse: install-prerecurse - -install-prerecurse: -install-postrecurse: - -install-headers-unix:: install-headers-postrecurse -install-headers-postrecurse: install-headers-recurse -install-headers-recurse: install-headers-prerecurse - -install-headers-prerecurse: -install-headers-postrecurse: - -check-unix:: check-postrecurse -check-postrecurse: check-recurse -check-recurse: check-prerecurse - -check-prerecurse: -check-postrecurse: - -Makefiles: Makefiles-postrecurse -Makefiles-postrecurse: Makefiles-recurse -Makefiles-recurse: Makefiles-prerecurse - -Makefiles-prerecurse: -Makefiles-postrecurse: - -# -# end recursion rule support -############################## - -# Directory syntax: -# -# begin relative path -REL= -# this is magic... should only be used for preceding a program invocation -C=./ -# "/" for UNIX, "\" for Windows; *sigh* -S=/ - -SUBDIRS = $(LOCAL_SUBDIRS) -srcdir = . -SRCTOP = ./$(BUILDTOP) - -CONFIG_RELTOPDIR = ../.. 
- -ALL_CFLAGS = $(DEFS) $(DEFINES) $(LOCALINCLUDES) $(CPPFLAGS) $(CFLAGS) -CFLAGS = -g -CPPFLAGS = -I$(BUILDTOP)/include -I$(SRCTOP)/include -I$(BUILDTOP)/include/krb5 -I$(SRCTOP)/include/krb5 -I/usr/athena/include -DKRB5_KRB4_COMPAT -DKRB5_PRIVATE=1 -DEFS = -DHAVE_CONFIG_H -CC = /usr/gcc/bin/gcc -LD = $(PURE) /usr/gcc/bin/gcc -DEPLIBS = @DEPLIBS@ -LDFLAGS = -L/usr/athena/lib -LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ -LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ -LDARGS = @LDARGS@ -LIBS = -lsocket -lnsl -lresolv -SRVLIBS = @SRVLIBS@ -SRVDEPLIBS = @SRVDEPLIBS@ -CLNTLIBS = @CLNTLIBS@ -CLNTDEPLIBS = @CLNTDEPLIBS@ - -INSTALL=/usr/athena/bin/install -c -INSTALL_STRIP= -INSTALL_PROGRAM=${INSTALL} $(INSTALL_STRIP) -INSTALL_DATA=${INSTALL} -m 644 -INSTALL_SHLIB=$(INSTALL_DATA) -INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root -## This is needed because autoconf will sometimes define ${prefix} to be -## ${prefix}. -prefix=/usr/local -INSTALL_PREFIX=$(prefix) -INSTALL_EXEC_PREFIX=${prefix} -exec_prefix=${prefix} -SHLIB_TAIL_COMP=@SHLIB_TAIL_COMP@ - -KRB5MANROOT = ${prefix}/man -ADMIN_BINDIR = ${exec_prefix}/sbin -SERVER_BINDIR = ${exec_prefix}/sbin -CLIENT_BINDIR =${exec_prefix}/bin -ADMIN_MANDIR = $(KRB5MANROOT)/man8 -SERVER_MANDIR = $(KRB5MANROOT)/man8 -CLIENT_MANDIR = $(KRB5MANROOT)/man1 -FILE_MANDIR = $(KRB5MANROOT)/man5 -KRB5_LIBDIR = ${exec_prefix}/lib -KRB5_SHLIBDIR = ${exec_prefix}/lib$(SHLIB_TAIL_COMP) -KRB5_INCDIR = ${prefix}/include -KRB5_INCSUBDIRS = \ - $(KRB5_INCDIR)/gssapi \ - $(KRB5_INCDIR)/kerberosIV - -# -# Macros used by the KADM5 (OV-based) unit test system. -# XXX check which of these are actually used! 
-# -TESTDIR = $(BUILDTOP)/kadmin/testing -STESTDIR = $(SRCTOP)/kadmin/testing -COMPARE_DUMP = $(TESTDIR)/scripts/compare_dump.pl -FIX_CONF_FILES = $(TESTDIR)/scripts/fixup-conf-files.pl -INITDB = $(STESTDIR)/scripts/init_db -MAKE_KEYTAB = $(TESTDIR)/scripts/make-host-keytab.pl -LOCAL_MAKE_KEYTAB= $(TESTDIR)/scripts/make-host-keytab.pl -RESTORE_FILES = $(STESTDIR)/scripts/restore_files.sh -SAVE_FILES = $(STESTDIR)/scripts/save_files.sh -ENV_SETUP = $(TESTDIR)/scripts/env-setup.sh -CLNTTCL = $(TESTDIR)/util/ovsec_kadm_clnt_tcl -SRVTCL = $(TESTDIR)/util/ovsec_kadm_srv_tcl -# Dejagnu variables. -# We have to set the host with --host so that setup_xfail will work. -# If we don't set it, then the host type used is "native", which -# doesn't match "*-*-*". -host=sparc-sun-solaris2.8 -DEJAFLAGS = $(DEJALFLAGS) $(CLFLAGS) --debug --srcdir $(srcdir) --host \ - $(host) -RUNTEST = runtest $(DEJAFLAGS) - -START_SERVERS = $(STESTDIR)/scripts/start_servers $(TEST_SERVER) $(TEST_PATH) -START_SERVERS_LOCAL = $(STESTDIR)/scripts/start_servers_local - -STOP_SERVERS = $(STESTDIR)/scripts/stop_servers $(TEST_SERVER) $(TEST_PATH) -STOP_SERVERS_LOCAL = $(STESTDIR)/scripts/stop_servers_local -# -# End of macros for the KADM5 unit test system. 
-# - -transform = s,x,x, - -RM = rm -f -CP = cp -MV = mv -f -CHMOD=chmod -RANLIB = ranlib -ARCHIVE = @ARCHIVE@ -ARADD = @ARADD@ -LN = ln -s -AWK = @AWK@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -YACC = @YACC@ -AUTOCONF = autoconf -AUTOCONFFLAGS = -AUTOCONFINCFLAGS = --localdir -AUTOHEADER = autoheader -AUTOHEADERFLAGS = - -HOST_TYPE = @HOST_TYPE@ -SHEXT = @SHEXT@ -STEXT=@STEXT@ -VEXT=@VEXT@ -DO_MAKE_SHLIB = @DO_MAKE_SHLIB@ -SHLIB_STATIC_TARGET=@SHLIB_STATIC_TARGET@ - -TOPLIBD = $(BUILDTOP)/lib - -OBJEXT = o -LIBEXT = a -EXEEXT = - -# -# variables for libraries, for use in linking programs -# -- this may want to get broken out into a separate frag later -# -# -# Note: the following variables must be set in any Makefile.in that -# uses KRB5_BUILD_PROGRAM -# -# PROG_LIBPATH list of dirs, in -Ldir form, to search for libraries at link -# PROG_RPATH list of dirs, in dir1:dir2 form, for rpath purposes -# -# invocation is like: -# prog: foo.o bar.o $(KRB5_BASE_DEPLIBS) -# $(CC_LINK) -o $@ foo.o bar.o $(KRB5_BASE_LIBS) - - -CC_LINK=$(PURE) $(CC) $(PROG_LIBPATH) $(LDFLAGS) - -# prefix (with no spaces after) for rpath flag to cc -RPATH_FLAG=-R - -# this gets set by configure to either $(STLIBEXT) or $(SHLIBEXT), -# depending on whether we're building with shared libraries. 
-DEPLIBEXT=.a - -KADMCLNT_DEPLIB = $(TOPLIBD)/libkadm5clnt$(DEPLIBEXT) -KADMSRV_DEPLIB = $(TOPLIBD)/libkadm5srv$(DEPLIBEXT) -KDB5_DEPLIB = $(TOPLIBD)/libkdb5$(DEPLIBEXT) -DB_DEPLIB = $(DB_DEPLIB-k5) -DB_DEPLIB-k5 = $(TOPLIBD)/libdb$(DEPLIBEXT) -DB_DEPLIB-sys = -GSSRPC_DEPLIB = $(TOPLIBD)/libgssrpc$(DEPLIBEXT) -GSS_DEPLIB = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT) -KRB4_DEPLIB = $(TOPLIBD)/libkrb4$(DEPLIBEXT) # $(TOPLIBD)/libkrb4$(DEPLIBEXT) -DES425_DEPLIB = $(TOPLIBD)/libdes425$(DEPLIBEXT) # $(TOPLIBD)/libdes425$(DEPLIBEXT) -KRB5_DEPLIB = $(TOPLIBD)/libkrb5$(DEPLIBEXT) -CRYPTO_DEPLIB = $(TOPLIBD)/libk5crypto$(DEPLIBEXT) -COM_ERR_DEPLIB = $(COM_ERR_DEPLIB-k5) -COM_ERR_DEPLIB-sys = # empty -COM_ERR_DEPLIB-k5 = $(TOPLIBD)/libcom_err$(DEPLIBEXT) - -# These are forced to use ".a" as an extension because they're never -# built shared. -SS_DEPLIB = $(SS_DEPLIB-k5) -SS_DEPLIB-k5 = $(TOPLIBD)/libss.a -SS_DEPLIB-sys = -KRB524_DEPLIB = $(BUILDTOP)/krb524/libkrb524.a -PTY_DEPLIB = $(TOPLIBD)/libpty.a - -KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB) -KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS) -KDB5_DEPLIBS = $(KDB5_DEPLIB) $(DB_DEPLIB) -GSS_DEPLIBS = $(GSS_DEPLIB) -GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS) -KADM_COMM_DEPLIBS = $(GSSRPC_DEPLIBS) $(KDB5_DEPLIBS) $(GSSRPC_DEPLIBS) -KADMSRV_DEPLIBS = $(KADMSRV_DEPLIB) $(KDB5_DEPLIBS) $(KADM_COMM_DEPLIBS) -KADMCLNT_DEPLIBS = $(KADMCLNT_DEPLIB) $(KADM_COMM_DEPLIBS) - -# Header file dependencies we might override. -# See util/depfix.sed. -# Also see depend-verify-* in post.in, which wants to confirm that we're using -# the in-tree versions. 
-COM_ERR_VERSION = k5 -COM_ERR_DEPS = $(COM_ERR_DEPS-k5) -COM_ERR_DEPS-sys = -COM_ERR_DEPS-k5 = $(BUILDTOP)/include/com_err.h -SS_VERSION = k5 -SS_DEPS = $(SS_DEPS-k5) -SS_DEPS-sys = -SS_DEPS-k5 = $(BUILDTOP)/include/ss/ss.h $(BUILDTOP)/include/ss/ss_err.h -DB_VERSION = k5 -DB_DEPS = $(DB_DEPS-k5) -DB_DEPS-sys = -DB_DEPS-k5 = $(BUILDTOP)/include/db.h $(BUILDTOP)/include/db-config.h -DB_DEPS-redirect = $(BUILDTOP)/include/db.h - -# Header file dependencies that might depend on whether krb4 support -# is compiled. - -KRB_ERR_H_DEP = $(BUILDTOP)/include/kerberosIV/krb_err.h -KRB524_H_DEP = $(BUILDTOP)/include/krb524.h -KRB524_ERR_H_DEP= $(BUILDTOP)/include/krb524_err.h - -# LIBS gets substituted in... e.g. -lnsl -lsocket - -# GEN_LIB is -lgen if needed for regexp -GEN_LIB = - -SS_LIB = $(SS_LIB-k5) -SS_LIB-sys = -SS_LIB-k5 = $(TOPLIBD)/libss.a -KDB5_LIB = -lkdb5 -DB_LIB = -ldb - -KRB5_LIB = -lkrb5 -K5CRYPTO_LIB = -lk5crypto -COM_ERR_LIB = -lcom_err -GSS_KRB5_LIB = -lgssapi_krb5 - -# KRB4_LIB is -lkrb4 if building --with-krb4 -# needs fixing if ever used on Mac OS X! -KRB4_LIB = -lkrb4 - -# DES425_LIB is -ldes425 if building --with-krb4 -# needs fixing if ever used on Mac OS X! -DES425_LIB = -ldes425 - -# KRB524_LIB is $(BUILDTOP)/krb524/libkrb524.a if building --with-krb4 -# needs fixing if ever used on Mac OS X! -KRB524_LIB = $(BUILDTOP)/krb524/libkrb524.a - -# HESIOD_LIBS is -lhesiod... -HESIOD_LIBS = - -KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(GEN_LIB) $(LIBS) -KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) -KDB5_LIBS = $(KDB5_LIB) $(DB_LIB) -GSS_LIBS = $(GSS_KRB5_LIB) -# needs fixing if ever used on Mac OS X! -GSSRPC_LIBS = -lgssrpc $(GSS_LIBS) -KADM_COMM_LIBS = $(GSSRPC_LIBS) -# need fixing if ever used on Mac OS X! -KADMSRV_LIBS = -lkadm5srv $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS) -KADMCLNT_LIBS = -lkadm5clnt $(KADM_COMM_LIBS) - -# need fixing if ever used on Mac OS X! 
-PTY_LIB = -lpty - -# -# some more stuff for --with-krb4 -KRB4_LIBPATH = -KRB4_INCLUDES = -I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV - -# -# variables for --with-tcl= -TCL_LIBS = @TCL_LIBS@ -TCL_LIBPATH = @TCL_LIBPATH@ -TCL_RPATH = @TCL_RPATH@ -TCL_MAYBE_RPATH = @TCL_MAYBE_RPATH@ -TCL_INCLUDES = @TCL_INCLUDES@ - -# error table rules -# -### /* these are invoked as $(...) foo.et, which works, but could be better */ -COMPILE_ET= $(COMPILE_ET-k5) -COMPILE_ET-sys= compile_et -COMPILE_ET-k5= $(BUILDTOP)/util/et/compile_et -d $(SRCTOP)/util/et - -.SUFFIXES: .h .c .et .ct - -# These versions cause both .c and .h files to be generated at once. -# But GNU make doesn't understand this, and parallel builds can trigger -# both of them at once, causing them to stomp on each other. The versions -# below only update one of the files, so compile_et has to get run twice, -# but it won't break parallel builds. -#.et.h: ; $(COMPILE_ET) $< -#.et.c: ; $(COMPILE_ET) $< - -.et.h: - d=ettmp$$$$ ; (cp $< $$d.et && $(COMPILE_ET) $$d.et && mv $$d.h $*.h) ; \ - e=$$? ; rm -f $$d.* ; exit $$e - -.et.c: - d=ettmp$$$$ ; (cp $< $$d.et && $(COMPILE_ET) $$d.et && mv $$d.c $*.c) ; \ - e=$$? ; rm -f $$d.* ; exit $$e - -# rule to make object files -# -.SUFFIXES: .c .o -.c.o: - $(CC) $(ALL_CFLAGS) -c $< - -# ss command table rules -# -MAKE_COMMANDS= $(MAKE_COMMANDS-k5) -MAKE_COMMANDS-sys= mk_cmds -MAKE_COMMANDS-k5= $(BUILDTOP)/util/ss/mk_cmds - -.ct.c: - $(MAKE_COMMANDS) $< - -## -## end of pre.in -############################################################ -thisconfigdir=./.. -myfulldir=util/db2/test -mydir=test -BUILDTOP=$(REL)..$(S)..$(S).. - -FCTSH = /usr/bin/sh -TMPDIR=. - -LOCALINCLUDES= -I. 
-I$(srcdir)/../include -I../include -I$(srcdir)/../mpool \ - -I$(srcdir)/../btree -I$(srcdir)/../hash -I$(srcdir)/../db - -PROG_LIBPATH=-L$(TOPLIBD) -PROG_RPATH=$(KRB5_LIBDIR) - -KRB5_RUN_ENV= - -all:: - -dbtest: dbtest.o $(DB_DEPLIB) - $(CC_LINK) -o $@ dbtest.o $(STRERROR_OBJ) $(DB_LIB) - -check:: dbtest - $(KRB5_RUN_ENV) srcdir=$(srcdir) TMPDIR=$(TMPDIR) $(FCTSH) $(srcdir)/run.test - -bttest.o: $(srcdir)/btree.tests/main.c - $(CC) $(ALL_CFLAGS) -c $(srcdir)/btree.tests/main.c -o $@ - -bttest: bttest.o $(DB_DEPLIB) - $(CC_LINK) -o $@ bttest.o $(STRERROR_OBJ) $(DB_LIB) - -clean-unix:: - $(RM) dbtest.o dbtest __dbtest - $(RM) bttest.o bttest -############################################################ -## config/post.in -## - -# in case there is no default target (very unlikely) -all:: - -check-windows:: - -############################## -# dependency generation -# - -depend:: depend-postrecurse -depend-postrecurse: depend-recurse -depend-recurse: depend-prerecurse - -depend-prerecurse: -depend-postrecurse: - -depend-postrecurse: depend-update-makefile - -ALL_DEP_SRCS= $(SRCS) $(EXTRADEPSRCS) - -# be sure to check ALL_DEP_SRCS against *what it would be if SRCS and -# EXTRADEPSRCS are both empty* -.depend-verify-srcdir: - @if test "$(srcdir)" = "." ; then \ - echo 1>&2 error: cannot build dependencies with srcdir=. 
; \ - echo 1>&2 "(can't distinguish generated files from source files)" ; \ - exit 1 ; \ - else \ - if test -r .depend-verify-srcdir; then :; \ - else (set -x; touch .depend-verify-srcdir); fi \ - fi -.depend-verify-et: depend-verify-et-$(COM_ERR_VERSION) -depend-verify-et-k5: - @if test -r .depend-verify-et; then :; \ - else (set -x; touch .depend-verify-et); fi -depend-verify-et-sys: - @echo 1>&2 error: cannot build dependencies using system et package - @exit 1 -.depend-verify-ss: depend-verify-ss-$(SS_VERSION) -depend-verify-ss-k5: - @if test -r .depend-verify-ss; then :; \ - else (set -x; touch .depend-verify-ss); fi -depend-verify-ss-sys: - @echo 1>&2 error: cannot build dependencies using system ss package - @exit 1 -.depend-verify-db: depend-verify-db-$(DB_VERSION) -depend-verify-db-k5: - @if test -r .depend-verify-db; then :; \ - else (set -x; touch .depend-verify-db); fi -depend-verify-db-sys: - @echo 1>&2 error: cannot build dependencies using system db package - @exit 1 -.depend-verify-gcc: depend-verify-gcc-yes -depend-verify-gcc-yes: - @if test -r .depend-verify-gcc; then :; \ - else (set -x; touch .depend-verify-gcc); fi -depend-verify-gcc-no: - @echo 1>&2 error: The '"depend"' rules are written for gcc. - @echo 1>&2 Please use gcc, or update the rules to handle your compiler. - @exit 1 - -DEP_CFG_VERIFY = .depend-verify-srcdir \ - .depend-verify-et .depend-verify-ss .depend-verify-db -DEP_VERIFY = $(DEP_CFG_VERIFY) .depend-verify-gcc - -.d: $(ALL_DEP_SRCS) $(DEP_CFG_VERIFY) depend-dependencies - if test "$(ALL_DEP_SRCS)" != " " ; then \ - $(RM) .dtmp && $(MAKE) .dtmp && mv -f .dtmp .d ; \ - else \ - touch .d ; \ - fi - -# These are dependencies of the depend target that do not get fed to -# the compiler. Examples include generated header files. -depend-dependencies: - -# .dtmp must *always* be out of date so that $? can be used to perform -# VPATH searches on the sources. 
-# -# NOTE: This will fail when using Make programs whose VPATH support is -# broken. -.dtmp: $(ALL_DEP_SRCS) - $(CC) -M $(ALL_CFLAGS) $? > .dtmp - -# Generate a script for dropping in the appropriate make variables, using -# directory-specific parameters. General substitutions independent of local -# make variables happen in depfix.sed. -.depfix2.sed: .depend-verify-gcc Makefile $(SRCTOP)/util/depgen.sed - x=`$(CC) -print-libgcc-file-name` ; \ - echo '$(SRCTOP)' '$(myfulldir)' '$(srcdir)' '$(BUILDTOP)' "$$x" | sed -f $(SRCTOP)/util/depgen.sed > .depfix2.tmp - mv -f .depfix2.tmp .depfix2.sed - -DEPLIBOBJNAMEFIX = sed -e 's;^\$$(OUTPRE)\([a-zA-Z0-9_\-]*\)\.\$$(OBJEXT):;\1.so \1.po &;' - -# NOTE: This will also generate spurious $(OUTPRE) and $(OBJEXT) -# references in rules for non-library objects in a directory where -# library objects happen to be built. It's mostly harmless. -.depend: .d .depfix2.sed $(SRCTOP)/util/depfix.sed - sed -f .depfix2.sed < .d | sed -f $(SRCTOP)/util/depfix.sed | \ - (if test "x$(STLIBOBJS)" != "x"; then $(DEPLIBOBJNAMEFIX) ; else cat; fi ) \ - > .depend - -depend-update-makefile: .depend depend-recurse - if test -n "$(SRCS)" ; then \ - sed -e '/^# +++ Dependency line eater +++/,$$d' \ - < $(srcdir)/Makefile.in | cat - .depend \ - > $(srcdir)/Makefile.in.new; \ - $(SRCTOP)/config/move-if-changed $(srcdir)/Makefile.in.new $(srcdir)/Makefile.in ; \ - else :; fi - -DEPTARGETS = .depend .d .dtmp .depfix2.sed .depfix2.tmp $(DEP_VERIFY) - -# -# end dependency generation -############################## - -clean:: clean-$(WHAT) - -clean-unix:: - $(RM) $(OBJS) $(DEPTARGETS) - -clean-windows:: - $(RM) *.$(OBJEXT) - $(RM) msvc.pdb *.err - -distclean:: distclean-$(WHAT) - -distclean-normal-clean: - $(MAKE) NORECURSE=true clean -distclean-prerecurse: distclean-normal-clean -distclean-nuke-configure-state: - $(RM) config.log config.cache config.status Makefile -distclean-postrecurse: distclean-nuke-configure-state - -Makefiles-prerecurse: Makefile - 
-# thisconfigdir = relative path from this Makefile to config.status -# mydir = relative path from config.status to this Makefile -Makefile: $(srcdir)/Makefile.in $(thisconfigdir)/config.status \ - $(SRCTOP)/config/pre.in $(SRCTOP)/config/post.in - cd $(thisconfigdir) && $(SHELL) config.status $(mydir)/Makefile -$(thisconfigdir)/config.status: $(srcdir)/$(thisconfigdir)/configure - cd $(thisconfigdir) && $(SHELL) config.status --recheck -$(srcdir)/$(thisconfigdir)/configure: $(srcdir)/$(thisconfigdir)/configure.in \ - $(SRCTOP)/aclocal.m4 - -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache - cd $(srcdir)/$(thisconfigdir) && \ - $(AUTOCONF) ${AUTOCONFINCFLAGS}=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS) - -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache - -RECURSE_TARGETS=all-recurse clean-recurse distclean-recurse install-recurse \ - check-recurse depend-recurse Makefiles-recurse install-headers-recurse - -# MY_SUBDIRS overrides any setting of SUBDIRS generated by the -# configure script that generated this Makefile. This is needed when -# the configure script that produced this Makefile creates multiple -# Makefiles in different directories; the setting of SUBDIRS will be -# the same in each. -# -# LOCAL_SUBDIRS seems to account for the case where the configure -# script doesn't call any other subsidiary configure scripts, but -# generates multiple Makefiles. 
-$(RECURSE_TARGETS):
- @case "`echo 'x$(MFLAGS)'|sed -e 's/^x//' -e 's/ --.*$$//'`" \
- in *[ik]*) e="status=1" ;; *) e="exit 1";; esac; \
- if test -z "$(MY_SUBDIRS)" ; then \
- do_subdirs="$(SUBDIRS)" ; \
- else \
- do_subdirs="$(MY_SUBDIRS)" ; \
- fi; \
- status=0; \
- if test -n "$$do_subdirs" && test -z "$(NORECURSE)"; then \
- for i in $$do_subdirs ; do \
- if test -d $$i && test -r $$i/Makefile ; then \
- case $$i in .);; *) \
- target=`echo $@|sed s/-recurse//`; \
- echo "making $$target in $(CURRENT_DIR)$$i..."; \
- if (cd $$i ; $(MAKE) \
- CURRENT_DIR=$(CURRENT_DIR)$$i/ $$target) then :; \
- else eval $$e; fi; \
- ;; \
- esac; \
- else \
- echo "Skipping missing directory $(CURRENT_DIR)$$i" ; \
- fi; \
- done; \
- else :; \
- fi;\
- exit $$status
-
-##
-## end of post.in
-############################################################
diff --git a/src/util/reconf b/src/util/reconf
index c24627203..5ee6bc331 100644
--- a/src/util/reconf
+++ b/src/util/reconf
@@ -51,6 +51,9 @@ if autoreconf --version | sed -e "$sedcmd1" -e "$sedcmd2" | egrep "$patb" >/dev/
 # Determine if we need to patch autoreconf for 2.53
 case "$autoconfversion" in
+ 2.52)
+ echo "WARNING: autoconf 2.52 is known to generate buggy configure scripts!"
+ ;;
 2.53)
 echo "Patching autoreconf"
 # Walk the path to find autoreconf
diff --git a/src/windows/ChangeLog b/src/windows/ChangeLog
index 5fa15b833..58771c06c 100644
--- a/src/windows/ChangeLog
+++ b/src/windows/ChangeLog
@@ -1,3 +1,11 @@
+2003-04-11 Tom Yu
+
+ * version.rc: krb5-1.3-alpha2.
+
+2003-03-14 Tom Yu
+
+ * version.rc: krb5-1.3-alpha1.
+
 2002-04-10 Danilo Almeida
 * Makefile.in: Build ms2mit.
diff --git a/src/windows/version.rc b/src/windows/version.rc
index 1b8ca9d9f..9580e0a62 100644
--- a/src/windows/version.rc
+++ b/src/windows/version.rc
@@ -8,7 +8,7 @@
 #define PRE_RELEASE
 #ifdef PRE_RELEASE
-#define BETA_STR " beta"
+#define BETA_STR " alpha 2"
 #define BETA_FLAG VS_FF_PRERELEASE
 #else
 #define BETA_STR ""
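Review bot: The new `2.52)` arm of the `case "$autoconfversion"` statement prints its warning to stdout and then carries on, so when reconf's output is piped or logged the notice is easy to miss, and the util/ChangeLog entry in this same commit says 2.52 produces configure scripts that do not work with BSD /bin/sh — a warning that changes nothing is weak protection against shipping a broken configure. Send it to stderr and consider making it fatal unless explicitly overridden: `echo "WARNING: autoconf 2.52 is known to generate buggy configure scripts!" 1>&2` followed by `test -n "$FORCE_AUTOCONF" || exit 1`, or whatever override convention the script already uses. I cannot see how `$autoconfversion` is derived or whether reconf runs under `set -e`, so the exact form needs checking against the surrounding script; the `case` statement continues past the hunk.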
@@ -23,7 +23,7 @@
 /* we're going to stamp all the DLLs with the same version number */
-#define K5_PRODUCT_VERSION_STRING "1.3 (TEST)" BETA_STR "\0"
+#define K5_PRODUCT_VERSION_STRING "1.3" BETA_STR "\0"
 #define K5_PRODUCT_VERSION 1, 3, 0, 0
 #define K5_COPYRIGHT "Copyright (C) 1997-2000 by the Massachusetts Institute of Technology\0"
-- 
2.26.2