From: Ken Raeburn Date: Fri, 2 Jun 2006 23:00:33 +0000 (+0000) Subject: Merge to rev 18077 of trunk X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef356390b1ae7df9fb7bb319f01e30a8d6382b86;p=thirdparty%2Fkrb5.git Merge to rev 18077 of trunk git-svn-id: svn://anonsvn.mit.edu/krb5/branches/ldap-integ@18078 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/README b/README index 2bfe2473c4..300df13d9a 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ - Kerberos Version 5, Release 1.3.5 + Kerberos Version 5, Release 1.5 Release Notes The MIT Kerberos Team @@ -7,20 +7,20 @@ Unpacking the Source Distribution --------------------------------- The source distribution of Kerberos 5 comes in a gzipped tarfile, -krb5-1.3.5.tar.gz. Instructions on how to extract the entire +krb5-1.5.tar.gz. Instructions on how to extract the entire distribution follow. If you have the GNU tar program and gzip installed, you can simply do: - gtar zxpf krb5-1.3.5.tar.gz + gtar zxpf krb5-1.5.tar.gz If you don't have GNU tar, you will need to get the FSF gzip distribution and use gzcat: - gzcat krb5-1.3.5.tar.gz | tar xpf - + gzcat krb5-1.5.tar.gz | tar xpf - -Both of these methods will extract the sources into krb5-1.3.5/src and -the documentation into krb5-1.3.5/doc. +Both of these methods will extract the sources into krb5-1.5/src and +the documentation into krb5-1.5/doc. Building and Installing Kerberos 5 ---------------------------------- 
@@ -59,940 +59,32 @@ http://krbdev.mit.edu/rt/ and logging in as "guest" with password "guest". -Major changes in 1.3.5 +Major changes in 1.5 ---------------------- -* [2682] Fix ftpd hang caused by empty PASS command. +Merged to the trunk and included in this alpha release: -* [2686] Fix double-free errors. [MITKRB5-SA-2004-002] +* plug-in architecture (in-progress) -* [2687] Fix denial-of-service vulnerability in ASN.1 - decoder. [MITKRB5-SA-2004-003] +Not yet merged to the trunk, thus not included in this alpha release: -Minor changes in 1.3.5 ----------------------- - -* [2016] Fix build problem in fake-addrinfo.h by including stdio.h so - that sprintf() gets prototyped where needed on some platforms. - -* [2353] Add missing prototype for gss_krb5int_unseal_token_v3(). - -* [2607] Fix enctype filtering and some memory leaks in MSLSA ccache. - -* [2608] Remove incorrect localization in MSLSA ccache which was - resulting in crashes. - -* [2619] Update MSLSA ccache to support new LSA flag. - -* [2623] Update MSLSA ccache to reflect differences in registry layout - between Windows client and server OSes. - -* [2624] Do not ignore the cache when obtaining TGTs from the MSLSA if - the requested enctype is the NULL enctype. - -* [2626] Add Terminal Server compatibility for KfW. - -* [2627] Fix cc_mslsa thread safety. - -* [2634] Remove the caching of the ccache principal name from - krb5_context. +* LDAP plug-in for KDB -* [2643] Fix another problem with krb4 ticket backdating. +* multi-mechanism GSS-API implementation -* [2675] Add new WiX-based MSI installer for KfW. +* SPNEGO implementation -* [2677] Add "-c ccache" option to kvno; use consistent memory - management to avoid crashes on Windows. - -* [2689] Misc MSLSA ccache fixes. - -* [2691] Improve documentation of ANSI C requirement. - -Major changes in 1.3.4 ----------------------- - -* [2024, 2583, 2584] Fixed buffer overflows in - krb5_aname_to_localname(). 
[MITKRB-SA-2004-001] - -Minor changes in 1.3.4 +Minor changes in 1.5 ---------------------- -* [957] The auth_to_local rules now allow for the client realm to be - examined. - -* [2527, 2528, 2531] Keytab file names lacking a "FILE:" prefix now work - under Windows. - -* [2533] Updated installer scripts for Windows. - -* [2534] Fixed memory leak for when an incorrect password is input to - krb5_get_init_creds_password(). - -* [2535] Added missing newline to dnssrv.c. - -* [2551, 2564] Use compile-time checks to determine endianness. - -* [2558] krb5_send_tgs() now correctly sets message_type after - receiving a KRB_ERROR message. - -* [2561, 2574] Fixed memory allocation errors in the MSLSA ccache. - -* [2562] The Windows installer works around cases where DLLs cannot be - unloaded. - -* [2585] Documentation correctly describes AES support in GSSAPI. - -Major changes in 1.3.3 ----------------------- - -* [2284] Fixed accept_sec_context to use a replay cache in the - GSS_C_NO_CREDENTIAL case. Reported by Cesar Garcia. - -* [2426] Fixed a spurious SIGPIPE that happened in the TCP sendto_kdc - code on AIX. Thanks to Bill Dodd. - -* [2430] Fixed a crash in the MSLSA ccache. - -* [2453] The AES string-to-key function no longer returns a pointer to - stack memory when given a password longer than 64 characters. - -Minor changes in 1.3.3 ----------------------- - -* [2277] In sendto_kdc, a socket leak on connection failure was fixed. - Thanks to Bill Dodd. - -* [2384] A memory leak in the TCP handling code in the KDC has been - fixed. Thanks to Will Fiveash. - -* [2521] The Windows NSIS installer scripts are in the source tree. - -* [2522] The MSLSA ccache now supports Windows 9x. - -Major changes in 1.3.2 ----------------------- - -* [2040, 1471, 2067, 2077, 2079, 2166, 2167, 2220, 2266] Support for - AES in GSSAPI has been implemented. This corresponds to the - in-progress work in the IETF (CFX). 
- -* [2049, 2139, 2148, 2153, 2182, 2183, 2184, 2190, 2202] Added a new - ccache type "MSLSA:" for read-only access to the MS Windows LSA - cache. - -* [982] On windows, krb5.exe now has a checkbox to request addressless - tickets. - -* [2189, 2234] To avoid compatibility problems, unrecognized TGS - options will now be ignored. Thanks to Wyllys Ingersoll for finding - a problem with a previous fix. - -* [2218] 128-bit AES has been added to the default enctypes. - -* [2223, 2229] AES cryptosystem now chains IVs. This WILL break - backwards compatibility for the kcmd applications, if they are using - AES session keys. Thanks to Wyllys Ingersoll for finding a problem - with a previous fix. - -Minor changes in 1.3.2 ----------------------- - -* [1437] Applied patch from Stephen Grau so kinit returns non-zero - status under certain failure conditions where it had previously - returned zero. - -* [1586] On Windows, the krb4 CREDENTIALS structure has been changed - to align with KfW's version of the structure. - -* [1613] Applied patch from Dave Shrimpton to avoid truncation of - dates output from the kadmin CLI when long time zone names are - used. - -* [1622] krshd no longer calls syslog from inside a signal handler, in - an effort to avoid deadlocks on exit. - -* [1649] A com_err test program compiles properly on Darwin now. - -* [1692] A new configuration file tag "master_kdc" has been added to - allow master KDCs to be designated separately from admin servers. - -* [1702] krb5_get_host_realm() and krb5_free_host_realm() are no - longer marked as KRB5_PRIVATE. - -* [1711] Applied patch from Harry McGavran Jr to allow fake-addrinfo.h - to compile on libc5 Linux platforms. - -* [1712] Applied patch from Cesar Garcia to fix lifetime computation - in krb524 ticket conversion. - -* [1714] Fixed a 64-bit endianness bug in ticket starttime encoding in - krb524d. Found by Cesar Garcia. - -* [1715] kadmind4 and v5passwdd are no longer installed on Mac OS X. 
- -* [1718] The krb4 library configure script now recognizes - OpenDarwin/x86. Bug found by Rob Braun. - -* [1721] krb5_get_init_creds_password() no longer returns a spurious - KRB5_REALM_UNKNOWN if DNS SRV record support is turned off. - -* [1730] krb_mk_auth() no longer overzealously clears the key - schedule. - -* [1731] A double-free related to reading forwarded credentials has - been fixed. Found by Joseph Galbraith. - -* [1770] Applied patch from Maurice Massar to fix a foreachaddr() - problem that was causing the KDC to segfault on startup. - -* [1790] The Linux build uses $(CC) to create shared libraries, - avoiding a libgcc problem when building libdb. - -* [1792] The lib/kadm5 unit tests now work around a Solaris 9 - pty-close bug. - -* [1793] The test suite works around some Tru64 and Irix RPATH - issues, which previously could prevent tests from running on a build - with shared libraries enabled. - -* [1799] kadmind supports callouts to the Apple password server. - -* [1893] KRB-SAFE messages from older releases can now be read - successfully. Prior 1.3.x releases did not save the encoded - KRB-SAFE message, and experienced problems when re-encoding. Found - by Scooter Morris. - -* [1962] MS LSA tickets with short remaining lifetimes will be - rejected in favor of retrieving tickets bypassing the LSA cache. - -* [1973] sendto_kdc.c now closes sockets with closesocket() instead of - close(), avoiding a descriptor leak on Windows. - -* [1979] An erroneously short initial sequence number mask has been - fixed. - -* [2028] KfW now displays a kinit dialog when GSS fails to find - tickets. - -* [2051] Missing exports have been added to krb4_32.def on Windows. - -* [2058] Some problems with krb4 ticket lifetime backdating have - fixed. - -* [2060] GSSAPI's idea of the default ccache is less sticky now. - -* [2068] The profile library includes prof-int.h before conditionals - that rely on it. 
- -* [2084] The resolver library is no longer referenced by library code - if not building with DNS SRV record support. - -* [2085] Updated Windows README file to reflect current compilation - requirements, etc. - -* [2104] On Windows, only define strcasecmp and strncasecmp - replacement macros if said functions are missing. - -* [2106] Return an error for unimplemented ccache functions, rather - than calling through a null pointer. - -* [2118] Applied patch from Will Fiveash to use correct parameter for - KDC TCP listening sockets. - -* [2144,2230] Memory management errors in the Windows gss.exe test - client have been fixed. - -* [2171] krb5_locate_kpasswd() now correctly calls htons() on the - kpasswd port number. Found by Arlene Berry. - -* [2180] The profile library now includes pthread.h when compiled with - USE_PTHREADS. - -* [2181, 2224] A timeout has been added to gss-server, and a missing - parameter to sign_server() has been added. - -* [2196] config.{guess,sub} have been updated from autoconf-2.59. - -* [2204] Windows gss.exe now has support for specifying credentials - cache, as well as some minor bugfixes. - -* [2210] GSSAPI accept_sec_context() no longer unconditionally sets - INTEG and CONF flags in contradiction to what the initiator sent. - -* [2212] The GSS sample application has some additional options to - support testing of SSPI vs GSSAPI. - -* [2217] Windows gss.exe has new UI elements to support more flag - settings. - -* [2225] In the gss sample client, some extraneous parameters have - been removed from client_establish_context(). - -* [2228] Copyright notices updated in GSS sample apps. - -* [2233] On Windows compiles with KRB5_KFW_COMPILE, the lib path for - krbcc32.lib is now correct. - -* [2195, 2236, 2241, 2245] The Solaris 9 pty-close bug, which was - affecting the test suite, has been worked around by hacking - scheduler priorities. See the installation notes for details. - Thanks to Bill Sommerfeld for some useful hints. 
- -* [2258] An incorrect memcpy() statement in fakeka has been fixed. - Reported by David Thompson. - -Notes, Major Changes, and Known Bugs for 1.3.1 ----------------------------------------------- - -* [1681] The incorrect encoding of the ETYPE-INFO2 preauthentication - hint is no longer emitted, and the both the incorrect and the - correct encodings of ETYPE-INFO2 are now accepted. We STRONGLY - encourage deploying krb5-1.3.1 in preference to 1.3, especially on - client installations, as the 1.3 release did not conform to the - internet-draft for the revised Kerberos protocol in its encoding of - ETYPE-INFO2. - -* [1683] The non-caching getaddrinfo() API on Mac OS X, which was - causing significant slowdowns under some circumstances, has been - worked around. - -Minor changes in 1.3.1 ----------------------- - -* [1015] gss_accept_sec_context() now passes correct arguments to - TREAD_STR() when reading options beyond the forwarded credential - option. Thanks to Emily Ratliff. - -* [1365] The GSSAPI initiator credentials are no longer cached inside - the GSSAPI library. - -* [1651] A buffer overflow in krb_get_admhst() has been fixed. - -* [1655] krb5_get_permitted_enctypes() and krb5_set_real_time() are - now exported for use by Samba. - -* [1656] gss_init_sec_context() no longer leaks credentials under some - error conditions. - -* [1657] krb_get_lrealm() no longer returns "ATHENA.MIT.EDU" - inappropriately. - -* [1664] The crypto library no longer has bogus dependencies on - com_err. - -* [1665] krb5_init_context() no longer multiply registers error tables - when called more than once, preventing a memory leak. - -* [1666] The GSS_C_NT_* symbols are now exported from gssapi32.dll on - Windows. - -* [1667] ms2mit now imports any tickets with supported enctypes, and - does not import invalid tickets. - -* [1677] krb5_gss_register_acceptor_identity() no longer has an - off-by-one in its memory allocation. 
- -* [1679] krb5_principal2salt is now exported on all platforms. - -* [1684] The file credentials cache is now supported if USE_CCAPI is - defined, i.e., for KfM and KfW. - -* [1691] Documentation for the obsolete kdc_supported_enctypes config - variable has been removed. - -Notes, Major Changes, and Known Bugs for 1.3 --------------------------------------------- - -* We now install the compile_et program, so other packages can use the - installed com_err library with their own error tables. (If you use - our com_err code, that is; see below.) - -* The header files we install now assume ANSI/ISO C ('89, not '99). - We have stopped testing on SunOS 4, even with gcc. Some of our code - now has C89-based assumptions, like free(NULL) being well defined, - that will probably frustrate any attempts to run this code under SunOS - 4 or other pre-C89 systems. - -* Some new code, bug fixes, and cleanup for IPv6 support. Most of the - code should support IPv6 transparently now. The RPC code (and - therefore the admin system, which is based on it) does not yet - support IPv6. The support for Kerberos 4 may work with IPv6 in very - limited ways, if the address checking is turned off. The FTP client - and server do not have support for the new protocol messages needed - for IPv6 support (RFC 2428). - -* We have upgraded to autoconf 2.52 (or later), and the syntax for - specifying certain configuration options have changed. For example, - autoconf 2.52 configure scripts let you specify command-line options - like "configure CC=/some/path/foo-cc", so we have removed some of - our old options like --with-cc in favor of this approach. - -* The client libraries can now use TCP to connect to the KDC. This - may be necessary when talking to Microsoft KDCs (domain controllers), - if they issue you tickets with lots of PAC data. 
- -* If you have versions of the com_err or ss installed locally, you can - use the --with-system-et and --with-system-ss configure options to - use them rather than using the versions supplied here. Note that - the interfaces are assumed to be similar to those we supply; in - particular, some older, divergent versions of the com_err library - may not work with the krb5 sources. Many configure-time variables - can be used to help the compiler and linker find the installed - packages; see the build documentation for details. - -* The AES cryptosystem has been implemented. However, support in the - Kerberos GSSAPI mechanism has not been written (or even fully - specified), so it's not fully enabled. See the documentation for - details. - -Major changes listed by ticket ID ---------------------------------- - -* [492] PRNG breakage on 64-bit platforms no longer an issue due to - new PRNG implementation. - -* [523] Client library is now compatible with the RC4-based - cryptosystem used by Windows 2000. - -* [709] krb4 long lifetime support has been implemented. - -* [880] krb5_gss_register_acceptor_identity() implemented (is called - gsskrb5_register_acceptor_identity() by Heimdal). - -* [1087] ftpd no longer requires channel bindings, allowing easier use - of ftp from behind a NAT. - -* [1156, 1209] It is now possible to use the system com_err to build - this release. - -* [1174] TCP support added to client library. - -* [1175] TCP support added to the KDC, but is disabled by default. - -* [1176] autoconf-2.5x is now required by the build system. - -* [1184] It is now possible to use the system Berkeley/Sleepycat DB - library to build this release. - -* [1189, 1251] The KfM krb4 library source base has been merged. - -* [1190] The default KDC master key type is now triple-DES. KDCs - being updated may need their config files updated if they are not - already specifying the master key type. 
- -* [1190] The default ticket lifetime and default maximum renewable - ticket lifetime have been extended to one day and one week, - respectively. - -* [1191] A new script, k5srvutil, may be used to manipulate keytabs in - ways similar to the krb4 ksrvutil utility. - -* [1281] The "fakeka" program, which emulates the AFS kaserver, has - been integrated. Thanks to Ken Hornstein. - -* [1343] The KDC now defaults to not answering krb4 requests. - -* [1344] Addressless tickets are requested by default now. - -* [1372] There is no longer a need to create a special keytab for - kadmind. The legacy administration daemons "kadmind4" and - "v5passwdd" will still require a keytab, though. - -* [1377, 1442, 1443] The Microsoft set-password protocol has been - implemented. Thanks to Paul Nelson. - -* [1385, 1395, 1410] The krb4 protocol vulnerabilities - [MITKRB5-SA-2003-004] have been worked around. Note that this will - disable krb4 cross-realm functionality, as well as krb4 triple-DES - functionality. Please see doc/krb4-xrealm.txt for details of the - patch. - -* [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have - been fixed. - -* [1397] The krb5_principal buffer bounds problems - [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai. - -* [1415] Subsession key negotiation has been fixed to allow for - server-selected subsession keys in the future. - -* [1418, 1429, 1446, 1484, 1486, 1487, 1535, 1621] The AES - cryptosystem has been implemented. It is not usable for GSSAPI, - though. - -* [1491] The client-side functionality of the krb524 library has been - moved into the krb5 library. - -* [1550] SRV record support exists for Kerberos v4. - -* [1551] The heuristic for locating the Kerberos v4 KDC by prepending - "kerberos." to the realm name if no config file or DNS information - is available has been removed. - -* [1568, 1067] A krb524 stub library is built on Windows. 
- -Minor changes listed by ticket ID ---------------------------------- - -* [90] default_principal_flags documented. - -* [175] Docs refer to appropriate example domains/IPs now. - -* [299] kadmin no longer complains about missing kdc.conf parameters - when it really means krb5.conf parameters. - -* [318] Run-time load path for tcl is set now when linking test - programs. - -* [443] --includedir honored now. - -* [479] unused argument in try_krb4() in login.c deleted. - -* [590] The des_read_pw_string() function in libdes425 has been - aligned with the original krb4 and CNS APIs. - -* [608] login.krb5 handles SIGHUP more sanely now and thus avoids - getting the session into a weird state w.r.t. job control. - -* [620] krb4 encrypted rcp should work a little better now. Thanks to - Greg Hudson. - -* [647] libtelnet/kerberos5.c no longer uses internal include files. - -* [673] Weird echoing of admin password in kadmin client worked around - by not using buffered stdio calls to read passwords. - -* [677] The build system has been reworked to allow the user to set - CFLAGS, LDFLAGS, CPPFLAGS, etc. reasonably. - -* [680] Related to [673], rewrite krb5_prompter_posix() to no longer - use longjmp(), thus avoiding some bugs relating to non-restoration - of terminal settings. - -* [697] login.krb5 no longer zeroes out the terminal window size. +For a list of bugs fixed in krb5-1.5, please consult -* [710] decomp_ticket() in libkrb4 now looks up the local realm name - more correctly. Thanks to Booker Bense. - -* [771] .rconf files are excluded from the release now. - -* [772] LOG_AUTHPRIV syslog facility is now usable for logging on - systems that support it. - -* [844] krshd now syslogs using the LOG_AUTH facility. - -* [850] Berekely DB build is better integrated into the krb5 library - build process. - -* [866] lib/krb5/os/localaddr.c and kdc/network.c use a common source - for local address enumeration now. 
- -* [882] gss-client now correctly deletes the context on error. - -* [919] kdc/network.c problems relating to SIOCGIFCONF have been - fixed. - -* [922] An overflow in the string-to-time conversion routines has been - fixed. - -* [933] krb524d now handles single-DES session keys other than of type - des-cbc-crc. - -* [935] des-cbc-md4 now included in default enctypes. - -* [939] A minor grammatical error has been fixed in a telnet client - error message. - -* [953] des3 no longer failing on Windows due to SHA1 implementation - problems. - -* [964] kdb_init_hist() no longer fails if master_key_enctype is not - in supported_enctypes. - -* [970] A minor inconsistency in ccache.tex has been fixed. - -* [971] option parsing bugs rendered irrelevant by removal of unused - gss mechanism. - -* [976] make install mentioned in build documentation. - -* [986] Related to [677], problems with the ordering of LDFLAGS - initialization rendered irrelevant by use of native autoconf - idioms. - -* [992] Related to [677], quirks with --with-cc no longer relevant as - AC_PROG_CC is used instead now. - -* [999] The kdc_default_options configuration variable is now honored. - Thanks to Emily Ratliff. - -* [1006] Client library, as well as KDC, now perform reasonable - sorting of ETYPE-INFO preauthentication data. - -* [1055] NULL pointer dereferences in code calling - krb5_change_password() have been fixed. - -* [1063] Initial credentials acquisition failures related to client - host having a large number of local network interfaces should be - fixed now. - -* [1064] Incorrect option parsing in the gssapi library is no longer - relevant due to removal of the "v2" mechanism. - -* [1065, 1225] krb5_get_init_creds_password() should properly warn about - password expiration. - -* [1066] printf() argument mismatches in rpc unit tests fixed. - -* [1085] The krb5.conf manpage has been re-synchronized with other - documentation. - -* [1102] gssapi_generic.h should now work with C++. 
- -* [1135] The kadm5 ACL system is better documented. - -* [1136] Some documentation for the setup of cross-realm - authentication has been added. - -* [1164] krb5_auth_con_gen_addrs() now properly returns errno instead - of -1 if getpeername() fails. - -* [1173] Address-less forwardable tickets will remain address-less - when forwarded. - -* [1178, 1228, 1244, 1246, 1249] Test suite has been stabilized - somewhat. - -* [1188] As part of the modernization of our usage of autoconf, - AC_CONFIG_FILES is now used instead of passing a list of files to - AC_OUTPUT. - -* [1194] configure will no longer recurse out of the top of the source - tree when attempting to locate the top of the source tree. - -* [1192] Documentation for the krb5 afs functionality of krb524d has - been written. - -* [1195] Example krb5.conf file modified to include all enctypes - supported by the release. - -* [1202] The KDC no longer rejects unrecognized flags. - -* [1203] krb5_get_init_creds_keytab() no longer does a double-free. - -* [1211] The ASN.1 code no longer passes (harmless) uninitialized - values around. - -* [1212] libkadm5 now allows for persistent exclusive database locks. - -* [1217] krb5_read_password() and des_read_password() are now - implemented via krb5_prompter_posix(). - -* [1224] For SAM challenges, omitted optional strings are no longer - encoded as zero-length strings. - -* [1226] Client-side support for SAM hardware-based preauth - implemented. - -* [1229] The keytab search logic no longer fails prematurely if an - incorrect encryption type is found. Thanks to Wyllys Ingersoll. - -* [1232] If the master KDC cannot be resolved, but a slave is - reachable, the client library now returns the real error from the - slave rather than the resolution failure from the master. Thanks to - Ben Cox. - -* [1234] Assigned numbers for SAM preauth have been corrected. - sam-pk-for-sad implementation has been aligned. - -* [1237] Profile-sharing optimizations from KfM have been merged. 
- -* [1240] Windows calling conventions for krb5int_c_combine_keys() have - been aligned. - -* [1242] Build system incompatibilities with Debian's chimeric - autoconf installation have been worked around. - -* [1256] Incorrect sizes passed to memset() in combine_keys() - operations have been corrected. - -* [1260] Client credential lookup now gets new service tickets in - preference to attempting to use expired ticketes. Thanks to Ben - Cox. - -* [1262, 1572] Sequence numbers are now unsigned; negative sequence - numbers will be accepted for the purposes of backwards - compatibility. - -* [1263] A heuristic for matching the incorrectly encoded sequence - numbers emitted by Heimdal implementations has been written. - -* [1284] kshd accepts connections by IPv6 now. - -* [1292] kvno manpage title fixed. - -* [1293] Source files no longer explicitly attempt to declare errno. - -* [1304] kadmind4 no longer leaves sa_flags uninitialized. - -* [1305] Expired tickets now cause KfM to pop up a password dialog. - -* [1309] krb5_send_tgs() no longer leaks the storage associated with - the TGS-REQ. - -* [1310] kadm5_get_either() no longer leaks regexp library memory. - -* [1311] Output from krb5-config no longer contains spurious uses of - $(PURE). - -* [1324] The KDC no longer logs an inappropriate "no matching key" - error when an encrypted timestamp preauth password is incorrect. - -* [1334] The KDC now returns a clockskew error when the timestamp in - the encrypted timestamp preauth is out of bounds, rather than just - returning a preauthentcation failure. - -* [1342] gawk is no longer required for building kerbsrc.zip for the - Windows build. - -* [1346] gss_krb5_ccache_name() no longer attempts to return a pointer - to freed memory. - -* [1351] The filename globbing vulnerability [CERT VU#258721] in the - ftp client's handling of filenames beginning with "|" or "-" - returned from the "mget" command has been fixed. 
- -* [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately - during GSSAPI context establishment. - -* [1356] krb5_gss_accept_sec_context() no longer attempts to validate - a null credential if one is passed in. - -* [1362] The "-a user" option to telnetd now does the right thing. - Thanks to Nathan Neulinger. - -* [1363] ksu no longer inappropriately syslogs to stderr. - -* [1357] krb__get_srvtab_name() no longer leaks memory. - -* [1370] GSS_C_NO_CREDENTIAL now accepts any principal in the keytab. - -* [1373] Handling of SAM preauth no longer attempts to stuff a size_t - into an unsigned int. - -* [1387] BIND versions later than 8 now supported. - -* [1392] The getaddrinfo() wrapper should work better on AIX. - -* [1400] If DO_TIME is not set in the auth_context, and no replay - cache is available, no replay cache will be used. - -* [1406, 1108] libdb is no longer installed. If you installed - krb5-1.3-alpha1, you should ensure that no spurious libdb is left in - your install tree. - -* [1412] ETYPE_INFO handling no longer goes into an infinite loop. - -* [1414] libtelnet is now built using the same library build framework - as the rest of the tree. - -* [1417] A minor memory leak in krb5_read_password() has been fixed. - -* [1419] A memory leak in asn1_decode_kdc_req_body() has been fixed. - -* [1435] inet_ntop() is now emulated when needed. - -* [1439] krb5_free_pwd_sequences() now correctly frees the entire - sequence of elements. - -* [1440] errno is no longer explicitly declared. - -* [1441] kadmind should now return useful errors if an unrecognized - version is received in a changepw request. - -* [1454, 1480, 1517, 1525] The etype-info2 preauth type is now - supported. - -* [1459] (KfM/KLL internal) config file resolution can now be - prevented from accessing the user's homedir. - -* [1463] Preauth handling in the KDC has been reorganized. - -* [1470] Double-free in client-side preauth code fixed. 
- -* [1473] Ticket forwarding when the TGS and the end service have - different enctypes should work somewhat better now. - -* [1474] ASN.1 testsuite memory management has been cleaned up a - little to allow for memory leak checking. - -* [1476] Documentation updated to reflect default krb4 mode. - -* [1482] RFC-1964 OIDs now provided using the suggested symbolic - names. - -* [1483, 1528] KRB5_DEPRECATED is now false by default on all - platforms. - -* [1488] The KDC will now return integrity errors if a decryption - error is responsible for preauthentication failure. - -* [1492] The autom4te.cache directories are now deleted from the - release tarfiles. - -* [1501] Writable keytabs are registered by default. - -* [1515] The check for cross-realm TGTs no longer reads past the end - of an array. - -* [1518] The kdc_default_options option is now actually honored. - -* [1519] The changepw protocol implementation in kadmind now logs - password changes. - -* [1520] Documentation of OS-specific build options has been updated. - -* [1536] A missing prototype for krb5_db_iterate_ext() has been - added. - -* [1537] An incorrect path to kdc.conf show in the kdc.conf manpage - has been fixed. - -* [1540] verify_as_reply() will only check the "renew-till" time - against the "till" time if the RENEWABLE is not set in the request. - -* [1547] gssftpd no longer uses vfork(), as this was causing problems - under RedHat 9. - -* [1549] SRV records with a value of "." are now interpreted as a lack - of support for the protocol. - -* [1553] The undocumented (and confusing!) kdc_supported_enctypes - kdc.conf variable is no longer used. - -* [1560] Some spurious double-colons in password prompts have been - fixed. - -* [1571] The test suite tries a little harder to get a root shell. - -* [1573] The KfM build process now sets localstatedir=/var/db. - -* [1576, 1575] The client library no longer requests RENEWABLE_OK if - the renew lifetime is greater than the ticket lifetime. 
- -* [1587] A more standard autoconf test to locate the C compiler allows - for gcc to be found by default without additional configuration - arguments. - -* [1593] Replay cache filenames are now escaped with hyphens, not - backslashes. - -* [1598] MacOS 9 support removed from in-tree com_err. - -* [1602] Fixed a memory leak in make_ap_req_v1(). Thanks to Kent Wu. - -* [1604] Fixed a memory leak in krb5_gss_init_sec_context(), and an - uninitialized memory reference in kg_unseal_v1(). Thanks to Kent - Wu. - -* [1607] kerberos-iv SRV records are now documented. - -* [1610] Fixed AES credential delegation under GSSAPI. - -* [1618] ms2mit no longer inserts local addresses into tickets - converted from the MS ccache if they began as addressless tickets. - -* [1619] etype_info parser (once again) accepts extra field emitted by - Heimdal. - -* [1643] Some typos in kdc.conf.M have been fixed. - -* [1648] For consistency, leading spaces before preprocessor - directives in profile.h have been removed. - ---[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]-- - -* [1054] KRB-CRED messages for RC4 are encrypted now. - -* [1177] krb5-1-2-2-branch merged onto trunk. - -* [1193] Punted comment about reworking key storage architecture. - -* [1208] install-headers target implemented. - -* [1223] asn1_decode_oid, asn1_encode_oid implemented - -* [1248] RC4 is explicitly excluded from combine_keys. - -* [1276] Generated dependencies handle --without-krb4 properly now. - -* [1339] An inadvertent change to the krb4 get_adm_hst API (strcpy vs - strncpy etc.) has been fixed. - -* [1384, 1413] Use of autoconf-2.52 in util/reconf will now cause a - warning. - -* [1388] DNS support is turned on in KfM. - -* [1391] Fix kadmind startup failure with krb4 vuln patch. - -* [1409] get_ad_tkt() now prompts for password if there are no tickets - (in KfM). - -* [1447] vts_long() and vts_short() work now. - -* [1462] KfM adds exports of set_pw calls. 
- -* [1477] compile_et output not used in err_txt.c. - -* [1495] KfM now exports string_to_key_with_params. - -* [1512, 1522] afs_string_to_key now works with etype_info2. - -* [1514] krb5int_populate_gic_opt returns void now. - -* [1521] Using an afs3 salt for an AES key no longer causes - segfaults. - -* [1533] krb524.h no longer contains invalid Mac pragmas. - -* [1546] krb_mk_req_creds() no longer zeros the session key. - -* [1554] The krb4 string-to-key iteration now accounts correctly for - the decrypt-in-place semantics of libdes425. - -* [1557] KerberosLoginPrivate.h is now correctly included for the use - of __KLAllowHomeDirectoryAccess() in init_os_ctx.c (for KfM). - -* [1558] KfM exports the new krb524 interface. - -* [1563] krb__get_srvtaname() no longer returns a pointer that is - free()d upon a subsequent call. - -* [1569] A debug statement has been removed from krb524init. - -* [1592] Document possible file rename lossage when building against - system libdb. - -* [1594] Darwin gets an explicit dependency of err_txt.o on - krb_err.c. - -* [1596] Calling conventions, etc. tweaked for KfW build of - krb524.dll. - -* [1600] Minor tweaks to README to improve notes on IPv6, etc. - -* [1605] Fixed a leak of subkeys in krb5_rd_rep(). - -* [1630] krb5_get_in_tkt_with_keytab() works now; previously borken by - reimplementation in terms of krb5_get_init_creds(). - -* [1642] KfM build now inherits CFLAGS and LDFLAGS from parent project. +http://krbdev.mit.edu/rt/NoAuth/krb5-1.5/fixed-1.5.html Copyright Notice and Legal Administrivia ---------------------------------------- -Copyright (C) 1985-2004 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2006 by the Massachusetts Institute of Technology. All rights reserved. 
@@ -1130,56 +222,15 @@ src/lib/crypto/aes has the following copyright: in respect of any properties, including, but not limited to, correctness and fitness for purpose. - - Acknowledgements ---------------- -Appreciation Time!!!! There are far too many people to try to thank -them all; many people have contributed to the development of Kerberos -V5. This is only a partial listing.... - -Thanks to Paul Vixie and the Internet Software Consortium for funding -the work of Barry Jaspan. This funding was invaluable for the OV -administration server integration, as well as the 1.0 release -preparation process. - -Thanks to John Linn, Scott Foote, and all of the folks at OpenVision -Technologies, Inc., who donated their administration server for use in -the MIT release of Kerberos. - -Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken -Raeburn, and all of the folks at Cygnus Support, who provided -innumerable bug fixes and portability enhancements to the Kerberos V5 -tree. Thanks especially to Jeff Bigler, for the new user and system -administrator's documentation. - -Thanks to Doug Engert from ANL for providing many bug fixes, as well -as testing to ensure DCE interoperability. - -Thanks to Ken Hornstein at NRL for providing many bug fixes and -suggestions, and for working on SAM preauthentication. - -Thanks to Matt Crawford at FNAL for bugfixes and enhancements. - -Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for -their many suggestions and bug fixes. - -Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and -providing patches for numerous buffer overruns. - -Thanks to Christopher Thompson and Marcus Watts for discovering the -ftpd security bug. - -Thanks to Paul Nelson of Thursby Software Systems for implementing the -Microsoft set password protocol. 
- Thanks to the members of the Kerberos V5 development team at MIT, both -past and present: Danilo Almeida, Jeffrey Altman, Jay Berkenbilt, -Richard Basch, Mitch Berger, John Carr, Don Davis, Alexandra Ellwood, -Nancy Gilman, Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva -Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, John Kohl, -Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, -Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff -Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall -Vale, Tom Yu. +past and present: Danilo Almeida, Jeffrey Altman, Richard Basch, Jay +Berkenbilt, Mitch Berger, Andrew Boardman, Joe Calzaretta, John Carr, +Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam Hartman, +Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic, Barry Jaspan, +Geoffrey King, John Kohl, Peter Litwack, Scott McGuire, Kevin +Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris Provenzano, Ken +Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad Thompson, Harry +Tsai, Ted Ts'o, Marshall Vale, Tom Yu. diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo index 8eacbb682c..cfb9e2ec3f 100644 --- a/doc/copyright.texinfo +++ b/doc/copyright.texinfo @@ -1,4 +1,4 @@ -Copyright @copyright{} 1985-2002,2005 by the Massachusetts Institute of Technology. +Copyright @copyright{} 1985-2006 by the Massachusetts Institute of Technology. @quotation Export of software employing encryption from the United States of diff --git a/src/configure.in b/src/configure.in index 18a696fc25..ca5a411fc7 100644 --- a/src/configure.in +++ b/src/configure.in 
@@ -591,6 +591,261 @@ dnl Nothing for autoconf.h for now. AC_MSG_RESULT($ac_cv_printf_positional) dnl dnl +dnl for kadmin +dnl +AC_PROG_YACC +ath_compat= +AC_ARG_ENABLE([athena], +[ --enable-athena build with MIT Project Athena configuration], +ath_compat=compat,) +dnl The following are tests for the presence of programs required for +dnl kadmin testing. +AC_CHECK_PROG(have_RUNTEST,runtest,runtest) +AC_CHECK_PROG(have_PERL,perl,perl) +AC_KRB5_TCL +if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != ""; then + DO_TEST=ok +fi +AC_SUBST(DO_TEST) +dnl +DO_V4_TEST= +if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != "" -a "$ath_compat" != ""; then + DO_V4_TEST=ok +fi +AC_SUBST(DO_V4_TEST) +dnl The following are substituted into kadmin/testing/scripts/env-setup.sh +RBUILD=`pwd` +AC_SUBST(RBUILD) +case "$srcdir" in +/*) S_TOP=$srcdir ;; +*) S_TOP=`pwd`/$srcdir ;; +esac +AC_SUBST(S_TOP) +AC_PATH_PROG(PERL_PATH,perl) +AC_PATH_PROG(EXPECT,expect) +dnl For kadmin/testing/util/Makefile.in +if test "$TCL_LIBS" != "" ; then + DO_ALL=tcl +fi +AC_SUBST(DO_ALL) +KRB5_AC_PRIOCNTL_HACK +K5_GEN_FILE(kadmin/testing/scripts/env-setup.sh:kadmin/testing/scripts/env-setup.shin) +dnl for lib/kadm5 +AC_CHECK_PROG(RUNTEST,runtest,runtest) +AC_CHECK_PROG(PERL,perl,perl) +dnl +dnl +dnl for lib/krb4 +case $krb5_cv_host in + *-apple-darwin*) + KRB_ERR_TXT= + KRB_ERR= + KRB_ERR_C=krb_err.c + ;; + *) + KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)' + KRB_ERR_TXT=krb_err_txt.c + KRB_ERR_C= + ;; +esac +AC_SUBST([KRB_ERR_TXT]) +AC_SUBST([KRB_ERR]) +AC_SUBST([KRB_ERR_C]) +dnl +dnl +dnl lib/gssapi +AC_CHECK_HEADER(stdint.h,[ + include_stdint='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null'], + include_stdint='echo "/* no stdint.h */"') +AC_SUBST(include_stdint) +AC_CHECK_HEADER(inttypes.h,[ + include_inttypes='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null'], + include_inttypes='echo "/* no inttypes.h */"') +AC_SUBST(include_inttypes) 
+AC_CHECK_HEADER(xom.h,[ + include_xom='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null'], [ + include_xom='echo "/* no xom.h */"']) +AC_SUBST(include_xom) +dnl +dnl +dnl lib/rpc +### Check where struct rpcent is declared. +# +# This is necessary to determine: +# 1. If /usr/include/netdb.h declares struct rpcent +# 2. If /usr/include/rpc/netdb.h declares struct rpcent +# +# We have our own rpc/netdb.h, and if /usr/include/netdb.h includes +# rpc/netdb.h, then nastiness could happen. +# +# Logic: If /usr/include/netdb.h declares struct rpcent, then check +# rpc/netdb.h. If /usr/include/rpc/netdb.h declares struct rpcent, +# then define STRUCT_RPCENT_IN_RPC_NETDB_H, otherwise do not. If +# neither netdb.h nor rpc/netdb.h declares struct rpcent, then define +# STRUCT_RPCENT_IN_RPC_NETDB_H anyway. +# +AC_MSG_CHECKING([where struct rpcent is declared]) +AC_TRY_COMPILE([#include ], +[struct rpcent e; +char c = e.r_name[0]; +int i = e.r_number;], +[AC_TRY_COMPILE([#include ], +[struct rpcent e; +char c = e.r_name[0]; +int i = e.r_number;], +[AC_MSG_RESULT([rpc/netdb.h]) +rpcent_define='#define STRUCT_RPCENT_IN_RPC_NETDB_H'], +[AC_MSG_RESULT([netdb.h])])], +[AC_MSG_RESULT([nowhere]) +rpcent_define='#define STRUCT_RPCENT_IN_RPC_NETDB_H']) +AC_SUBST(rpcent_define) + +AC_CHECK_HEADERS(sys/select.h sys/time.h unistd.h) +if test $ac_cv_header_sys_select_h = yes; then + GSSRPC__SYS_SELECT_H='#include ' +else + GSSRPC__SYS_SELECT_H='/* #include */' +fi +AC_SUBST(GSSRPC__SYS_SELECT_H) +if test $ac_cv_header_sys_time_h = yes; then + GSSRPC__SYS_TIME_H='#include ' +else + GSSRPC__SYS_TIME_H='/* #include */' +fi +AC_SUBST(GSSRPC__SYS_TIME_H) +if test $ac_cv_header_unistd_h = yes; then + GSSRPC__UNISTD_H='#include ' +else + GSSRPC__UNISTD_H='/* #include */' +fi +AC_SUBST(GSSRPC__UNISTD_H) + +AC_CACHE_CHECK([for MAXHOSTNAMELEN in sys/param.h], + [krb5_cv_header_sys_param_h_maxhostnamelen], + [AC_TRY_COMPILE([#include ], + [int i = MAXHOSTNAMELEN;], + 
[krb5_cv_header_sys_param_h_maxhostnamelen=yes], + [krb5_cv_header_sys_param_h_maxhostnamelen=no])]) +AC_CACHE_CHECK([for MAXHOSTNAMELEN in netdb.h], + [krb5_cv_header_netdb_h_maxhostnamelen], + [AC_TRY_COMPILE([#include ], + [int i = MAXHOSTNAMELEN;], + [krb5_cv_header_netdb_h_maxhostnamelen=yes], + [krb5_cv_header_netdb_h_maxhostnamelen=no])]) + +GSSRPC__SYS_PARAM_H='/* #include */' +GSSRPC__NETDB_H='/* #include */' +if test $krb5_cv_header_sys_param_h_maxhostnamelen = yes; then + GSSRPC__SYS_PARAM_H='#include ' +else + if test $krb5_cv_header_netdb_h_maxhostnamelen = yes; then + GSSRPC__NETDB_H='#include ' + else + AC_MSG_WARN([can't find MAXHOSTNAMELEN definition; faking it]) + fi +fi +AC_SUBST(GSSRPC__SYS_PARAM_H) +AC_SUBST(GSSRPC__NETDB_H) + +AC_CACHE_CHECK([for uint32_t in sys/types.h], + [krb5_cv_header_sys_types_h_uint32_t], + [AC_TRY_COMPILE([#include ], + [uint32_t i = 0;], + [krb5_cv_header_sys_types_h_uint32_t=yes], + [krb5_cv_header_sys_types_h_uint32_t=no])]) +AC_CACHE_CHECK([for uint32_t in stdint.h], + [krb5_cv_header_stdint_h_uint32_t], + [AC_TRY_COMPILE([#include ], + [uint32_t i = 0;], + [krb5_cv_header_stdint_h_uint32_t=yes], + [krb5_cv_header_stdint_h_uint32_t=no])]) +AC_CACHE_CHECK([for uint32_t in inttypes.h], + [krb5_cv_header_inttypes_h_uint32_t], + [AC_TRY_COMPILE([#include ], + [uint32_t i = 0;], + [krb5_cv_header_inttypes_h_uint32_t=yes], + [krb5_cv_header_inttypes_h_uint32_t=no])]) +GSSRPC__STDINT_H='/* #include */' +GSSRPC__INTTYPES_H='/* #include */' +GSSRPC__FAKE_UINT32='/* #undef GSSRPC__FAKE_INT32 */' +if test $krb5_cv_header_sys_types_h_uint32_t = yes; then + : # already included sys/types.h +else + if test $krb5_cv_header_stdint_h_uint32_t = yes; then + GSSRPC__STDINT_H='#include ' + else + if test $krb5_cv_header_inttypes_h_uint32_t = yes; then + GSSRPC__INTTYPES_H='#include ' + else + AC_MSG_WARN([can't find a fixed-width 32-bit type anywhere; faking it]) + GSSRPC__FAKE_UINT32='#define GSSRPC__FAKE_UINT32 1' + fi + fi +fi 
+AC_SUBST(GSSRPC__STDINT_H) +AC_SUBST(GSSRPC__INTTYPES_H) +AC_SUBST(GSSRPC__FAKE_UINT32) + +AC_CACHE_CHECK([for BSD type aliases], [krb5_cv_type_bsdaliases], + [AC_TRY_COMPILE( + [#include +#if HAVE_UNISTD_H +#include +#endif], + [u_char c; +u_int i; +u_long l;], [krb5_cv_type_bsdaliases=yes], [krb5_cv_type_bsdaliases=no])]) +if test $krb5_cv_type_bsdaliases = yes; then + GSSRPC__BSD_TYPEALIASES='/* #undef GSSRPC__BSD_TYPEALIASES */' +else + GSSRPC__BSD_TYPEALIASES='#define GSSRPC__BSD_TYPEALIASES 1' +fi +AC_SUBST(GSSRPC__BSD_TYPEALIASES) +# +# sockaddr length field checks +# +AC_CHECK_MEMBERS([struct sockaddr_in.sin_len], , , + [#include +@%:@include ]) +AC_CHECK_MEMBERS([struct sockaddr.sa_len], , , + [#include +@%:@include ]) + +AC_MSG_CHECKING([return type of setrpcent]) +AC_CACHE_VAL(k5_cv_type_setrpcent, +[AC_TRY_COMPILE([#include +#ifdef __cplusplus +extern "C" +#endif +extern void setrpcent();], +[int i;], k5_cv_type_setrpcent=void, k5_cv_type_setrpcent=int)])dnl +AC_MSG_RESULT($k5_cv_type_setrpcent) +AC_DEFINE_UNQUOTED(SETRPCENT_TYPE, $k5_cv_type_setrpcent, [Define as return type of setrpcent]) +dnl +AC_MSG_CHECKING([return type of endrpcent]) +AC_CACHE_VAL(k5_cv_type_endrpcent, +[AC_TRY_COMPILE([#include +#ifdef __cplusplus +extern "C" +#endif +extern void endrpcent();], +[int i;], k5_cv_type_endrpcent=void, k5_cv_type_endrpcent=int)])dnl +AC_MSG_RESULT($k5_cv_type_endrpcent) +AC_DEFINE_UNQUOTED(ENDRPCENT_TYPE, $k5_cv_type_endrpcent, [Define as return type of endrpcent]) +K5_GEN_FILE(lib/rpc/types.h:lib/rpc/types.hin) +changequote(<<, >>) +case "$krb5_cv_host" in +*-*-solaris2.[012345]*) + PASS=tcp + ;; +*) + PASS="tcp udp" + ;; +esac +changequote([, ]) +AC_SUBST(PASS) +dnl +dnl dnl Check for thread safety issues. dnl (Is there a better place for this?) dnl tsfuncs="getpwnam_r getpwuid_r gethostbyname_r getservbyname_r gmtime_r localtime_r" 
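Review bot: in the lib/rpc part of this hunk the default for GSSRPC__FAKE_UINT32 is set to '/* #undef GSSRPC__FAKE_INT32 */', which names a different macro from the one the fallback branch defines ('#define GSSRPC__FAKE_UINT32 1'). The placeholder should read GSSRPC__FAKE_UINT32 so the substituted output does not mention a macro that nothing else in the hunk uses. Separately, the kadmin part probes for perl three times (have_PERL, PERL_PATH, and PERL for lib/kadm5); a short dnl comment saying which consumer needs which variable would help now that these checks share one configure.in.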
@@ -631,15 +886,18 @@ fi if test "$SS_VERSION" = k5 ; then AC_CONFIG_SUBDIRS(util/ss) fi -AC_CONFIG_SUBDIRS(lib/crypto lib/krb5 lib/des425 lib/apputils) if test -n "$KRB4_LIB"; then - AC_CONFIG_SUBDIRS(lib/krb4) + K5_GEN_MAKEFILE(lib/krb4) fi -AC_CONFIG_SUBDIRS(lib/gssapi lib/rpc lib/kadm5) +dnl +dnl ldap_plugin_dir="" ldap_lib="" if test -n "$OPENLDAP_PLUGIN"; then AC_CHECK_HEADERS(ldap.h lber.h) + if test $ac_cv_header_ldap_h = no || test $ac_cv_header_lber_h = no; then + AC_ERROR(OpenLDAP headers missing) + fi AC_CONFIG_SUBDIRS(plugins/kdb/ldap/libkdb_ldap) K5_GEN_MAKEFILE(plugins/kdb/ldap) K5_GEN_MAKEFILE(plugins/kdb/ldap/ldap_util) 
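Review bot: the new OpenLDAP header check in the OPENLDAP_PLUGIN block compares $ac_cv_header_ldap_h and $ac_cv_header_lber_h unquoted, so an empty or unset cache variable makes test report an error instead of doing a clean comparison; quote both, as in test "$ac_cv_header_ldap_h" = no. AC_ERROR is the obsolete spelling of AC_MSG_ERROR, and the message should be bracket-quoted: AC_MSG_ERROR([OpenLDAP headers missing]). It would also help to say in the message which option requested the plugin, so the person running configure knows what to install or turn off.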
@@ -647,12 +905,43 @@ if test -n "$OPENLDAP_PLUGIN"; then fi AC_SUBST(ldap_plugin_dir) -AC_CONFIG_SUBDIRS(kadmin plugins/kdb/db2 appl tests) +AC_CONFIG_SUBDIRS(lib/apputils plugins/kdb/db2 appl tests) dnl -if true; then +if false; then AC_CHECK_HEADERS(Python.h python2.3/Python.h) AC_CONFIG_SUBDIRS(plugins/locate/python) fi AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) -V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr lib lib/kdb kdc slave krb524 config-files gen-manpages include include/kerberosIV clients clients/klist clients/kinit clients/kvno clients/kdestroy clients/kpasswd clients/ksu) +V5_AC_OUTPUT_MAKEFILE(. + + util util/support util/profile util/send-pr + + lib lib/des425 lib/kdb + + lib/crypto lib/crypto/crc32 lib/crypto/des lib/crypto/dk + lib/crypto/enc_provider lib/crypto/hash_provider + lib/crypto/keyhash_provider lib/crypto/md4 lib/crypto/md5 + lib/crypto/old lib/crypto/raw lib/crypto/sha1 + lib/crypto/arcfour lib/crypto/yarrow lib/crypto/aes + + lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache + lib/krb5/keytab lib/krb5/krb lib/krb5/rcache lib/krb5/os + + lib/gssapi lib/gssapi/generic lib/gssapi/krb5 + + lib/rpc lib/rpc/unit-test + + lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test + + kdc slave krb524 config-files gen-manpages include + include/kerberosIV + + clients clients/klist clients/kinit clients/kvno + clients/kdestroy clients/kpasswd clients/ksu + + kadmin kadmin/cli kadmin/dbutil kadmin/passwd + kadmin/passwd/unit-test kadmin/ktutil kadmin/server + kadmin/testing kadmin/testing/scripts kadmin/testing/util + +) diff --git a/src/include/krb5/locate_plugin.h b/src/include/krb5/locate_plugin.h index aed22c8690..f9f29baf7d 100644 --- a/src/include/krb5/locate_plugin.h +++ b/src/include/krb5/locate_plugin.h 
@@ -1,3 +1,32 @@ +/* + * + * + * Copyright 2006 Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Service location plugin definitions for Kerberos 5. + */ + #ifndef KRB5_LOCATE_PLUGIN_H_INCLUDED #define KRB5_LOCATE_PLUGIN_H_INCLUDED #include diff --git a/src/include/stock/osconf.h b/src/include/stock/osconf.h index 26a28054e6..3a8ba49567 100644 --- a/src/include/stock/osconf.h +++ b/src/include/stock/osconf.h @@ -38,6 +38,10 @@ #endif #endif +#if defined(__MACH__) && defined(__APPLE__) +# include +#endif + #if defined(_WIN32) #define DEFAULT_PROFILE_FILENAME "krb5.ini" #define DEFAULT_LNAME_FILENAME "/aname" 
@@ -46,6 +50,8 @@ #if TARGET_OS_MAC #define DEFAULT_SECURE_PROFILE_PATH "/Library/Preferences/edu.mit.Kerberos:/etc/krb5.conf:@SYSCONFDIR/krb5.conf" #define DEFAULT_PROFILE_PATH ("~/Library/Preferences/edu.mit.Kerberos" ":" DEFAULT_SECURE_PROFILE_PATH) +#define KRB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosFrameworkPlugins" +#define KDB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosDatabasePlugins" #else #define DEFAULT_SECURE_PROFILE_PATH "/etc/krb5.conf:@SYSCONFDIR/krb5.conf" #define DEFAULT_PROFILE_PATH DEFAULT_SECURE_PROFILE_PATH @@ -69,7 +75,6 @@ #else #define DEFAULT_KDB_LIB_PATH { "@MODULEDIR/kdb", NULL } #endif -#define MODULE_PATH "@MODULEDIR" #define DEFAULT_KDC_ENCTYPE ENCTYPE_DES3_CBC_SHA1 #define KDCRCACHE "dfl:krb5kdc_rcache" diff --git a/src/kadmin/Makefile.in b/src/kadmin/Makefile.in index 3be9036a89..5c83425bc1 100644 --- a/src/kadmin/Makefile.in +++ b/src/kadmin/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=. +thisconfigdir=.. myfulldir=kadmin -mydir=. +mydir=kadmin BUILDTOP=$(REL).. LOCAL_SUBDIRS = cli dbutil passwd ktutil server testing diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in index c58e9f9ea5..3cbaa58e2e 100644 --- a/src/kadmin/cli/Makefile.in +++ b/src/kadmin/cli/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../.. myfulldir=kadmin/cli -mydir=cli +mydir=kadmin/cli BUILDTOP=$(REL)..$(S).. PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) diff --git a/src/kadmin/configure.in b/src/kadmin/configure.in deleted file mode 100644 index e18eec56be..0000000000 --- a/src/kadmin/configure.in +++ /dev/null 
@@ -1,59 +0,0 @@ -K5_AC_INIT(configure.in) -CONFIG_RULES -AC_PROG_INSTALL -AC_PROG_YACC -AC_PROG_AWK -AC_CHECK_HEADERS(unistd.h stdlib.h krb_db.h kdc.h regex.h alloca.h sys/time.h sys/select.h memory.h arpa/inet.h) -AC_CHECK_FUNCS(ftime timezone getcwd strstr waitpid vsprintf) -KRB5_AC_NEED_DAEMON -AC_HEADER_TIME -CHECK_SIGNALS -CHECK_WAIT_TYPE -CHECK_SETJMP -KRB5_GETSOCKNAME_ARGS -ath_compat= -AC_ARG_ENABLE([athena], -[ --enable-athena build with MIT Project Athena configuration], -ath_compat=compat,) -dnl -dnl The following are tests for the presence of programs required for testing -AC_CHECK_PROG(have_RUNTEST,runtest,runtest) -AC_CHECK_PROG(have_PERL,perl,perl) -AC_KRB5_TCL -if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != ""; then - DO_TEST=ok -fi -AC_SUBST(DO_TEST) -dnl -DO_V4_TEST= -if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != "" -a "$ath_compat" != ""; then - DO_V4_TEST=ok -fi -AC_SUBST(DO_V4_TEST) -dnl -dnl The following are substituted into testing/scripts/env-setup.sh -RBUILD=`pwd`/.. -AC_SUBST(RBUILD) -case "$srcdir" in -/*) - S_TOP=$srcdir/.. - ;; -*) - S_TOP=`pwd`/$srcdir/.. - ;; -esac -AC_SUBST(S_TOP) -AC_PATH_PROG(PERL,perl) -AC_PATH_PROG(EXPECT,expect) -dnl -KRB5_RUN_FLAGS -dnl For testing/util/Makefile.in -if test "$TCL_LIBS" != "" ; then - DO_ALL=tcl -fi -AC_SUBST(DO_ALL) -KRB5_BUILD_PROGRAM -KRB5_AC_PRIOCNTL_HACK -dnl -K5_GEN_FILE(testing/scripts/env-setup.sh:testing/scripts/env-setup.shin) -V5_AC_OUTPUT_MAKEFILE(. cli dbutil passwd passwd/unit-test ktutil server testing testing/scripts testing/util) diff --git a/src/kadmin/dbutil/Makefile.in b/src/kadmin/dbutil/Makefile.in index 61071382c9..82b3098947 100644 --- a/src/kadmin/dbutil/Makefile.in +++ b/src/kadmin/dbutil/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../.. myfulldir=kadmin/dbutil -mydir=dbutil +mydir=kadmin/dbutil BUILDTOP=$(REL)..$(S).. DEFINES = -DKDB4_DISABLE DEFS= 
diff --git a/src/kadmin/ktutil/Makefile.in b/src/kadmin/ktutil/Makefile.in index 76da34fcca..fbf0824e42 100644 --- a/src/kadmin/ktutil/Makefile.in +++ b/src/kadmin/ktutil/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../.. myfulldir=kadmin/ktutil -mydir=ktutil +mydir=kadmin/ktutil BUILDTOP=$(REL)..$(S).. LOCALINCLUDES = $(KRB4_INCLUDES) PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) diff --git a/src/kadmin/passwd/Makefile.in b/src/kadmin/passwd/Makefile.in index 7cddcb4ce4..d5f06f609e 100644 --- a/src/kadmin/passwd/Makefile.in +++ b/src/kadmin/passwd/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../.. myfulldir=kadmin/passwd -mydir=passwd +mydir=kadmin/passwd BUILDTOP=$(REL)..$(S).. LOCALINCLUDES = -I. DEFINES = -DUSE_KADM5_API_VERSION=1 diff --git a/src/kadmin/passwd/unit-test/Makefile.in b/src/kadmin/passwd/unit-test/Makefile.in index 5445a2811e..969ee8207e 100644 --- a/src/kadmin/passwd/unit-test/Makefile.in +++ b/src/kadmin/passwd/unit-test/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./../.. +thisconfigdir=../../.. myfulldir=kadmin/passwd/unit-test -mydir=passwd/unit-test +mydir=kadmin/passwd/unit-test BUILDTOP=$(REL)..$(S)..$(S).. check unit-test:: unit-test-@DO_TEST@ diff --git a/src/kadmin/server/Makefile.in b/src/kadmin/server/Makefile.in index 3e99a7094d..68ffe20f82 100644 --- a/src/kadmin/server/Makefile.in +++ b/src/kadmin/server/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../.. myfulldir=kadmin/server -mydir=server +mydir=kadmin/server BUILDTOP=$(REL)..$(S).. KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) DEFS= diff --git a/src/kadmin/testing/Makefile.in b/src/kadmin/testing/Makefile.in index c164a7e248..74600d1c98 100644 --- a/src/kadmin/testing/Makefile.in +++ b/src/kadmin/testing/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../.. myfulldir=kadmin/testing -mydir=testing +mydir=kadmin/testing BUILDTOP=$(REL)..$(S).. LOCAL_SUBDIRS = scripts util 
diff --git a/src/kadmin/testing/scripts/Makefile.in b/src/kadmin/testing/scripts/Makefile.in index 3f58e9248f..6161b1db85 100644 --- a/src/kadmin/testing/scripts/Makefile.in +++ b/src/kadmin/testing/scripts/Makefile.in @@ -1,8 +1,8 @@ -thisconfigdir=./../.. +thisconfigdir=../../.. myfulldir=kadmin/testing/scripts -mydir=testing/scripts +mydir=kadmin/testing/scripts BUILDTOP=$(REL)..$(S)..$(S).. -PERL=@PERL@ +PERL_PATH=@PERL_PATH@ .SUFFIXES: .plin .pl @@ -17,7 +17,7 @@ env-setup.sh: env-setup.stamp env-setup.stamp: $(srcdir)/env-setup.shin $(thisconfigdir)/config.status \ Makefile cd $(thisconfigdir) && \ - CONFIG_FILES=./testing/scripts/env-setup.sh:./testing/scripts/env-setup.shin $(SHELL) \ + CONFIG_FILES=$(mydir)/env-setup.sh:$(mydir)/env-setup.shin $(SHELL) \ config.status chmod +x env-setup.sh touch env-setup.stamp @@ -28,7 +28,7 @@ restore_files.sh: .plin.pl: -rm -f $@.tmp - echo "#!$(PERL)" > $@.tmp + echo "#!$(PERL_PATH)" > $@.tmp sed 1d $< >> $@.tmp chmod +x $@.tmp mv $@.tmp $@ diff --git a/src/kadmin/testing/util/Makefile.in b/src/kadmin/testing/util/Makefile.in index fa3c3827f7..cf38caec13 100644 --- a/src/kadmin/testing/util/Makefile.in +++ b/src/kadmin/testing/util/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./../.. +thisconfigdir=../../.. myfulldir=kadmin/testing/util -mydir=testing/util +mydir=kadmin/testing/util BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = $(TCL_INCLUDES) -I$(BUILDTOP)/lib/kdb/ # Force Tcl headers to use stdarg.h, because krb5 does too, and if diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 1523d1f80e..6355e4bde4 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c 
@@ -428,23 +428,36 @@ process_as_req(krb5_kdc_req *request, const krb5_fulladdr *from, errout: if (status) { + char * emsg = 0; + if (errcode) + emsg = krb5_get_error_message (kdc_context, errcode); + krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s", ktypestr, fromstring, status, cname ? cname : "", sname ? sname : "", errcode ? ", " : "", - errcode ? krb5_get_error_message (kdc_context, errcode) : ""); + errcode ? emsg : ""); + if (errcode) + krb5_free_error_message (kdc_context, emsg); } if (errcode) { - if (status == 0) + int got_err = 0; + if (status == 0) { status = krb5_get_error_message (kdc_context, errcode); + got_err = 1; + } errcode -= ERROR_TABLE_BASE_krb5; if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; errcode = prepare_error_as(request, errcode, &e_data, response, status); + if (got_err) { + krb5_free_error_message (kdc_context, status); + status = 0; + } } if (encrypting_key.contents) diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 7f8f265a8e..fd868ff367 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -502,14 +502,17 @@ tgt_again: sname ? sname : "", enc_tkt_reply.transited.tr_contents.length, enc_tkt_reply.transited.tr_contents.data); - else + else { + char *emsg = krb5_get_error_message(kdc_context, errcode); krb5_klog_syslog (LOG_ERR, "unexpected error checking transit from '%s' to '%s' via '%.*s': %s", cname ? cname : "", sname ? sname : "", enc_tkt_reply.transited.tr_contents.length, enc_tkt_reply.transited.tr_contents.data, - krb5_get_error_message(kdc_context, errcode)); + emsg); + krb5_free_error_message(kdc_context, emsg); + } } else krb5_klog_syslog (LOG_INFO, "not checking transit path"); if (reject_bad_transit 
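Review bot: in the new else block of the transit check, emsg goes straight into the trailing %s, while cname and sname in the same krb5_klog_syslog call are guarded with a ? : fallback to "". If krb5_get_error_message can return NULL here, guard emsg the same way (emsg ? emsg : "") before logging. Declaring it const char * rather than char * would also match how the value is used: it is only read and then handed to krb5_free_error_message.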
@@ -643,8 +646,11 @@ tgt_again: cleanup: if (status) { + char * emsg = NULL; if (!errcode) rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply); + if(errcode) + emsg = krb5_get_error_message (kdc_context, errcode); krb5_klog_syslog(LOG_INFO, "TGS_REQ (%s) %s: %s: authtime %d, " "%s%s %s for %s%s%s", @@ -655,18 +661,27 @@ cleanup: cname ? cname : "", sname ? sname : "", errcode ? ", " : "", - errcode ? krb5_get_error_message (kdc_context, errcode) : ""); + errcode ? emsg : ""); + if(errcode) + krb5_free_error_message (kdc_context, emsg); } if (errcode) { - if (status == 0) + int got_err = 0; + if (status == 0) { status = krb5_get_error_message (kdc_context, errcode); + got_err = 1; + } errcode -= ERROR_TABLE_BASE_krb5; if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; retval = prepare_error_tgs(request, header_ticket, errcode, fromstring, response, status); + if (got_err) { + krb5_free_error_message (kdc_context, status); + status = 0; + } } if (header_ticket) diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 48a6a6a7c5..cd74528adf 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -370,9 +370,10 @@ check_padata (krb5_context context, krb5_db_entry *client, retval = pa_sys->verify_padata(context, client, request, enc_tkt_reply, *padata); if (retval) { + char * emsg = krb5_get_error_message (context, retval); krb5_klog_syslog (LOG_INFO, "preauth (%s) verify failure: %s", - pa_sys->name, - krb5_get_error_message (context, retval)); + pa_sys->name, emsg); + krb5_free_error_message (context, emsg); if (pa_sys->flags & PA_REQUIRED) { pa_ok = 0; break; 
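Review bot: in check_padata the get, log, free sequence around the verify failure message is written out by hand, and the same three steps are repeated in the !pa_found path of the next hunk. A small static helper that takes the message prefix and retval, fetches the text, logs it and frees it would keep krb5_free_error_message paired with krb5_get_error_message in one place, so a later log site cannot reintroduce the leak this change removes.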
@@ -396,8 +397,9 @@ check_padata (krb5_context context, krb5_db_entry *client, return 0; if (!pa_found) { - krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", - krb5_get_error_message(context, retval)); + char *emsg = krb5_get_error_message(context, retval); + krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg); + krb5_free_error_message(context, emsg); } /* The following switch statement allows us * to return some preauth system errors back to the client. diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in index f699e116af..55a7950907 100644 --- a/src/lib/crypto/Makefile.in +++ b/src/lib/crypto/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=. +thisconfigdir=../.. myfulldir=lib/crypto -mydir=. +mydir=lib/crypto BUILDTOP=$(REL)..$(S).. LOCAL_SUBDIRS=crc32 des dk enc_provider hash_provider keyhash_provider \ md4 md5 old raw sha1 arcfour yarrow aes diff --git a/src/lib/crypto/aes/Makefile.in b/src/lib/crypto/aes/Makefile.in index d3befe1450..417a2b6247 100644 --- a/src/lib/crypto/aes/Makefile.in +++ b/src/lib/crypto/aes/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/aes -mydir=aes +mydir=lib/crypto/aes BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../dk DEFS= diff --git a/src/lib/crypto/arcfour/Makefile.in b/src/lib/crypto/arcfour/Makefile.in index cc6f07d444..0311d1a2d1 100644 --- a/src/lib/crypto/arcfour/Makefile.in +++ b/src/lib/crypto/arcfour/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/arcfour -mydir=arcfour +mydir=lib/crypto/arcfour BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../md4 DEFS= diff --git a/src/lib/crypto/configure.in b/src/lib/crypto/configure.in deleted file mode 100644 index d663bf73bf..0000000000 --- a/src/lib/crypto/configure.in +++ /dev/null 
@@ -1,11 +0,0 @@ -K5_AC_INIT(configure.in) -CONFIG_RULES - -AC_CHECK_HEADERS(memory.h unistd.h endian.h machine/endian.h) - -KRB5_RUN_FLAGS -KRB5_BUILD_PROGRAM -KRB5_BUILD_LIBOBJS -KRB5_BUILD_LIBRARY_WITH_DEPS - -V5_AC_OUTPUT_MAKEFILE(. crc32 des dk enc_provider hash_provider keyhash_provider md4 md5 old raw sha1 arcfour yarrow aes) diff --git a/src/lib/crypto/crc32/Makefile.in b/src/lib/crypto/crc32/Makefile.in index ffc8cb248c..e16171bdd9 100644 --- a/src/lib/crypto/crc32/Makefile.in +++ b/src/lib/crypto/crc32/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/crc32 -mydir=crc32 +mydir=lib/crypto/crc32 BUILDTOP=$(REL)..$(S)..$(S).. DEFS= diff --git a/src/lib/crypto/des/Makefile.in b/src/lib/crypto/des/Makefile.in index d719a815ab..d249976250 100644 --- a/src/lib/crypto/des/Makefile.in +++ b/src/lib/crypto/des/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/des -mydir=des +mydir=lib/crypto/des BUILDTOP=$(REL)..$(S)..$(S).. DEFS= diff --git a/src/lib/crypto/dk/Makefile.in b/src/lib/crypto/dk/Makefile.in index 03f44ec199..baa93563f5 100644 --- a/src/lib/crypto/dk/Makefile.in +++ b/src/lib/crypto/dk/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/dk -mydir=dk +mydir=lib/crypto/dk BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/.. DEFS= diff --git a/src/lib/crypto/enc_provider/Makefile.in b/src/lib/crypto/enc_provider/Makefile.in index e665aa29fe..8ac9da7185 100644 --- a/src/lib/crypto/enc_provider/Makefile.in +++ b/src/lib/crypto/enc_provider/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/enc_provider -mydir=enc_provider +mydir=lib/crypto/enc_provider BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../arcfour -I$(srcdir)/../aes DEFS= 
diff --git a/src/lib/crypto/hash_provider/Makefile.in b/src/lib/crypto/hash_provider/Makefile.in index 42bc32a7e0..7878c97888 100644 --- a/src/lib/crypto/hash_provider/Makefile.in +++ b/src/lib/crypto/hash_provider/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/hash_provider -mydir=hash_provider +mydir=lib/crypto/hash_provider BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/../crc32 -I$(srcdir)/../md4 \ -I$(srcdir)/../md5 -I$(srcdir)/../sha1 diff --git a/src/lib/crypto/keyhash_provider/Makefile.in b/src/lib/crypto/keyhash_provider/Makefile.in index 7c44c1d577..a3c5017ccd 100644 --- a/src/lib/crypto/keyhash_provider/Makefile.in +++ b/src/lib/crypto/keyhash_provider/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/keyhash_provider -mydir=keyhash_provider +mydir=lib/crypto/keyhash_provider BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../md4 \ -I$(srcdir)/../md5 -I$(srcdir)/../arcfour \ diff --git a/src/lib/crypto/md4/Makefile.in b/src/lib/crypto/md4/Makefile.in index 84dc0e4a49..7bb87dce78 100644 --- a/src/lib/crypto/md4/Makefile.in +++ b/src/lib/crypto/md4/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/md4 -mydir=md4 +mydir=lib/crypto/md4 BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir) DEFS= diff --git a/src/lib/crypto/md5/Makefile.in b/src/lib/crypto/md5/Makefile.in index 9dcacb7944..e915e9e8a8 100644 --- a/src/lib/crypto/md5/Makefile.in +++ b/src/lib/crypto/md5/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/md5 -mydir=md5 +mydir=lib/crypto/md5 BUILDTOP=$(REL)..$(S)..$(S).. DEFS= diff --git a/src/lib/crypto/old/Makefile.in b/src/lib/crypto/old/Makefile.in index f9c003e3d1..006183db6f 100644 --- a/src/lib/crypto/old/Makefile.in +++ b/src/lib/crypto/old/Makefile.in 
@@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/old -mydir=old +mydir=lib/crypto/old BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/../des DEFS= diff --git a/src/lib/crypto/raw/Makefile.in b/src/lib/crypto/raw/Makefile.in index 8379a57e2e..c2389e1be2 100644 --- a/src/lib/crypto/raw/Makefile.in +++ b/src/lib/crypto/raw/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/raw -mydir=raw +mydir=lib/crypto/raw BUILDTOP=$(REL)..$(S)..$(S).. DEFS= diff --git a/src/lib/crypto/sha1/Makefile.in b/src/lib/crypto/sha1/Makefile.in index 7c6536b83a..49ec4437f9 100644 --- a/src/lib/crypto/sha1/Makefile.in +++ b/src/lib/crypto/sha1/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/sha1 -mydir=sha1 +mydir=lib/crypto/sha1 BUILDTOP=$(REL)..$(S)..$(S).. DEFS= diff --git a/src/lib/crypto/yarrow/Makefile.in b/src/lib/crypto/yarrow/Makefile.in index 99b46b8194..9610636e09 100644 --- a/src/lib/crypto/yarrow/Makefile.in +++ b/src/lib/crypto/yarrow/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/crypto/yarrow -mydir=yarrow +mydir=lib/crypto/yarrow BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../sha1 -I$(srcdir)/../enc_provider DEFS= diff --git a/src/lib/des425/Makefile.in b/src/lib/des425/Makefile.in index 3d71fbfc6e..61489fff6e 100644 --- a/src/lib/des425/Makefile.in +++ b/src/lib/des425/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=. +thisconfigdir=../.. myfulldir=lib/des425 -mydir=. +mydir=lib/des425 BUILDTOP=$(REL)..$(S).. LOCALINCLUDES = -I$(srcdir)/../crypto/des -I$(srcdir)/../../include/kerberosIV DEFS= diff --git a/src/lib/des425/configure.in b/src/lib/des425/configure.in deleted file mode 100644 index 4739c3a5d4..0000000000 --- a/src/lib/des425/configure.in +++ /dev/null 
@@ -1,9 +0,0 @@ -K5_AC_INIT(configure.in) -CONFIG_RULES -dnl -KRB5_RUN_FLAGS -KRB5_BUILD_LIBOBJS -KRB5_BUILD_LIBRARY_WITH_DEPS -KRB5_BUILD_PROGRAM -dnl -V5_AC_OUTPUT_MAKEFILE diff --git a/src/lib/gssapi/Makefile.in b/src/lib/gssapi/Makefile.in index 4ef0253bd7..daf0818ddc 100644 --- a/src/lib/gssapi/Makefile.in +++ b/src/lib/gssapi/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=. +thisconfigdir=../.. myfulldir=lib/gssapi -mydir=. +mydir=lib/gssapi BUILDTOP=$(REL)..$(S).. LOCAL_SUBDIRS= generic krb5 DEFS= diff --git a/src/lib/gssapi/configure.in b/src/lib/gssapi/configure.in deleted file mode 100644 index 0b880593b0..0000000000 --- a/src/lib/gssapi/configure.in +++ /dev/null @@ -1,19 +0,0 @@ -K5_AC_INIT(configure.in) -CONFIG_RULES -AC_PROG_AWK -AC_CHECK_HEADERS(stdlib.h sys/types.h limits.h memory.h) -AC_CHECK_HEADER(stdint.h,[ - include_stdint='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null'], - include_stdint='echo "/* no stdint.h */"') -AC_SUBST(include_stdint) -AC_CHECK_HEADER(inttypes.h,[ - include_inttypes='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null'], - include_inttypes='echo "/* no inttypes.h */"') -AC_SUBST(include_inttypes) -AC_CHECK_HEADER(xom.h,[ - include_xom='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null'], [ - include_xom='echo "/* no xom.h */"']) -AC_SUBST(include_xom) -KRB5_BUILD_LIBOBJS -KRB5_BUILD_LIBRARY_WITH_DEPS -V5_AC_OUTPUT_MAKEFILE(. generic krb5) diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in index cfdc1a7374..9dfa68e6fd 100644 --- a/src/lib/gssapi/generic/Makefile.in +++ b/src/lib/gssapi/generic/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/gssapi/generic -mydir=generic +mydir=lib/gssapi/generic BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I. -I$(srcdir) DEFS= diff --git a/src/lib/gssapi/krb5/Makefile.in b/src/lib/gssapi/krb5/Makefile.in index 217236d28f..7d9e8826ff 100644 --- a/src/lib/gssapi/krb5/Makefile.in 
+++ b/src/lib/gssapi/krb5/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/gssapi/krb5 -mydir=krb5 +mydir=lib/gssapi/krb5 BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I. -I$(srcdir) -I$(srcdir)/.. -I../generic -I$(srcdir)/../generic DEFS= diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in index a198c2374c..a597a360aa 100644 --- a/src/lib/kadm5/Makefile.in +++ b/src/lib/kadm5/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=. +thisconfigdir=../.. myfulldir=lib/kadm5 -mydir=. +mydir=lib/kadm5 BUILDTOP=$(REL)..$(S).. LOCAL_SUBDIRS = clnt srv unit-test DEFS= diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in index 738f3518af..ed0cb41df2 100644 --- a/src/lib/kadm5/clnt/Makefile.in +++ b/src/lib/kadm5/clnt/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/kadm5/clnt -mydir=clnt +mydir=lib/kadm5/clnt BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5 DEFS= diff --git a/src/lib/kadm5/configure.in b/src/lib/kadm5/configure.in deleted file mode 100644 index f9193a3f1b..0000000000 --- a/src/lib/kadm5/configure.in +++ /dev/null @@ -1,23 +0,0 @@ -K5_AC_INIT(configure.in) -CONFIG_RULES -AC_PROG_LEX -AC_PROG_AWK -AC_CHECK_HEADERS(syslog.h memory.h) -AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf) -KRB5_AC_REGEX_FUNCS -dnl The following are tests for the presence of programs required for testing -AC_CHECK_PROG(RUNTEST,runtest,runtest) -AC_CHECK_PROG(PERL,perl,perl) -AC_CHECK_FUNCS(srand48 srand srandom) -AC_KRB5_TCL -if test "$PERL" = perl -a "$RUNTEST" = runtest -a "$TCL_LIBS" != ""; then - DO_TEST=ok -fi -AC_SUBST(DO_TEST) -dnl -KRB5_BUILD_LIBOBJS -KRB5_BUILD_LIBRARY_WITH_DEPS -KRB5_BUILD_PROGRAM -KRB5_AC_PRIOCNTL_HACK -dnl -V5_AC_OUTPUT_MAKEFILE(. clnt srv unit-test) diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index f78c7b48eb..24d845162b 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c 
@@ -194,10 +194,13 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list /* If reporting an error message, separate it. */ if (code) { + char *emsg; outbuf[sizeof(outbuf) - 1] = '\0'; - strncat(outbuf, krb5_get_error_message (err_context, code), sizeof(outbuf) - 1 - strlen(outbuf)); + emsg = krb5_get_error_message (err_context, code); + strncat(outbuf, emsg, sizeof(outbuf) - 1 - strlen(outbuf)); strncat(outbuf, " - ", sizeof(outbuf) - 1 - strlen(outbuf)); + krb5_free_error_message(err_context, emsg); } cp = &outbuf[strlen(outbuf)]; diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in index 84cdb7b389..63d9c5ad51 100644 --- a/src/lib/kadm5/srv/Makefile.in +++ b/src/lib/kadm5/srv/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/kadm5/srv -mydir=srv +mydir=lib/kadm5/srv BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5 \ -I$(SRCTOP)/lib/gssapi/krb5 -I$(SRCTOP)/lib/gssapi/generic \ diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/unit-test/Makefile.in index a69a113811..c9c3f4fb1f 100644 --- a/src/lib/kadm5/unit-test/Makefile.in +++ b/src/lib/kadm5/unit-test/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/kadm5/unit-test -mydir=unit-test +mydir=lib/kadm5/unit-test BUILDTOP=$(REL)..$(S)..$(S).. DEFINES = -DUSE_KADM5_API_VERSION=1 PROG_LIBPATH=-L$(TOPLIBD) diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in index b6d4203173..9812d15975 100644 --- a/src/lib/krb4/Makefile.in +++ b/src/lib/krb4/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=. +thisconfigdir=../.. myfulldir=lib/krb4 -mydir=. +mydir=lib/krb4 BUILDTOP=$(REL)..$(S).. LOCALINCLUDES = -I$(BUILDTOP)/include/kerberosIV -I$(srcdir)/../../include/kerberosIV -I. DEFINES= -DKRB4_USE_KEYTAB diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in deleted file mode 100644 index 109120eed8..0000000000 
--- a/src/lib/krb4/configure.in +++ /dev/null @@ -1,23 +0,0 @@ -K5_AC_INIT(configure.in) -CONFIG_RULES -AC_TYPE_MODE_T -AC_TYPE_UID_T -case $krb5_cv_host in - *-apple-darwin*) - KRB_ERR_TXT= - KRB_ERR= - KRB_ERR_C=krb_err.c - ;; - *) - KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)' - KRB_ERR_TXT=krb_err_txt.c - KRB_ERR_C= - ;; -esac -AC_SUBST([KRB_ERR_TXT]) -AC_SUBST([KRB_ERR]) -AC_SUBST([KRB_ERR_C]) -AC_PROG_AWK -KRB5_BUILD_LIBOBJS -KRB5_BUILD_LIBRARY_WITH_DEPS -V5_AC_OUTPUT_MAKEFILE diff --git a/src/lib/krb4/krb4int.h b/src/lib/krb4/krb4int.h index e513cfedab..7125435f9e 100644 --- a/src/lib/krb4/krb4int.h +++ b/src/lib/krb4/krb4int.h @@ -90,7 +90,8 @@ int krb_net_rd_sendauth(int, KTEXT, KRB4_32 *); char *krb_stime(long *); /* tf_util.c */ -int tf_save_cred(char *, char *, char *, C_Block, int , int, KTEXT, long); +int tf_save_cred(char *, char *, char *, C_Block, int , int, KTEXT, KRB4_32); + /* unix_glue.c */ int krb_start_session(char *); @@ -112,7 +113,7 @@ void krb4int_et_init(void); void krb4int_et_fini(void); int krb4int_save_credentials_addr( - char *, char *, char *, C_Block, int, int, KTEXT, long, KRB_UINT32); + char *, char *, char *, C_Block, int, int, KTEXT, KRB4_32, KRB_UINT32); int krb4int_send_to_kdc_addr(KTEXT, KTEXT, char *, struct sockaddr *, socklen_t *); diff --git a/src/lib/krb4/memcache.c b/src/lib/krb4/memcache.c index 47244dd95a..18a74126bf 100644 --- a/src/lib/krb4/memcache.c +++ b/src/lib/krb4/memcache.c @@ -470,7 +470,7 @@ krb4int_save_credentials_addr(sname, sinst, srealm, session, int lifetime; /* Lifetime */ int kvno; /* Key version number */ KTEXT ticket; /* The ticket itself */ - long issue_date; /* The issue time */ + KRB4_32 issue_date; /* The issue time */ KRB_UINT32 laddr; { CREDENTIALS cr; @@ -500,7 +500,7 @@ krb_save_credentials( int lifetime, int kvno, KTEXT ticket, - long issue_date) + KRB4_32 issue_date) { return krb4int_save_credentials_addr(name, inst, realm, session, lifetime, kvno, ticket, 
diff --git a/src/lib/krb4/save_creds.c b/src/lib/krb4/save_creds.c index 62961c1b55..5cc8ae8ece 100644 --- a/src/lib/krb4/save_creds.c +++ b/src/lib/krb4/save_creds.c @@ -54,7 +54,7 @@ krb4int_save_credentials_addr(service, instance, realm, session, lifetime, kvno, int lifetime; /* Lifetime */ int kvno; /* Key version number */ KTEXT ticket; /* The ticket itself */ - long issue_date; /* The issue time */ + KRB4_32 issue_date; /* The issue time */ KRB_UINT32 local_addr; { int tf_status; /* return values of the tf_util calls */ @@ -83,5 +83,5 @@ krb_save_credentials( { return krb4int_save_credentials_addr(service, instance, realm, session, lifetime, kvno, - ticket, issue_date, 0); + ticket, (KRB4_32)issue_date, 0); } diff --git a/src/lib/krb4/tf_util.c b/src/lib/krb4/tf_util.c index 6cb9eeb8f1..b083c73b87 100644 --- a/src/lib/krb4/tf_util.c +++ b/src/lib/krb4/tf_util.c @@ -28,6 +28,7 @@ #include "k5-int.h" #include "krb4int.h" + #include #include #include @@ -43,6 +44,8 @@ #include #endif /* TKT_SHMEM */ + + #define TOO_BIG -1 #define TF_LCK_RETRY ((unsigned)2) /* seconds to sleep before * retry if ticket file is 
@@ -93,6 +96,165 @@ int utimes(path, times) #endif #endif + +#ifdef K5_LE +/* This was taken from jhutz's patch for heimdal krb4. It only + * applies to little endian systems. Big endian systems have a + * less elegant solution documented below. + * + * This record is written after every real ticket, to ensure that + * both 32- and 64-bit readers will perceive the next real ticket + * as starting in the same place. This record looks like a ticket + * with the following properties: + * Field 32-bit 64-bit + * ============ ================= ================= + * sname "." "." + * sinst "" "" + * srealm ".." ".." + * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 + * lifetime 0 0 + * kvno 0 12 + * ticket 12 nulls 4 nulls + * issue 0 0 + * + * Our code always reads and writes the 32-bit format, but knows + * to skip 00000000 at the front of a record, and to completely + * ignore tickets for the special alignment principal. + */ +static unsigned char align_rec[] = { + 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0x00, 0x2e, + 0x2e, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00 +}; + +#else /* Big Endian */ + +/* These alignment records are for big endian systems. We need more + * of them because the portion of the 64-bit issue_date that overlaps + * with the start of a ticket on 32-bit systems contains an unpredictable + * number of NULL bytes. Preceeding these records is a second copy of the + * 32-bit issue_date. The srealm for the alignment records is always one of + * ".." or "?.." + */ + +/* No NULL bytes + * This is actually two alignment records since both 32- and 64-bit + * readers will agree on everything in the first record up through the + * issue_date size, except where sname starts. + * Field (1) 32-bit 64-bit + * ============ ================= ================= + * sname "????." "." 
+ * sinst "" "" + * srealm ".." ".." + * session key 00000000 xxxxxxxx 00000000 xxxxxxxx + * lifetime 0 0 + * kvno 0 0 + * ticket 4 nulls 4 nulls + * issue 0 0 + * + * Field (2) 32-bit 64-bit + * ============ ================= ================= + * sname "." "." + * sinst "" "" + * srealm ".." ".." + * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 + * lifetime 0 0 + * kvno 0 12 + * ticket 12 nulls 4 nulls + * issue 0 0 + * + */ +static unsigned char align_rec_0[] = { + 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, + 0x00, 0x2e, 0x2e, 0x00, 0xff, 0xff, 0xff, 0xff, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 +}; + +/* One NULL byte + * Field 32-bit 64-bit + * ============ ================= ================= + * sname "x" |"xx"|"xxx" "." + * sinst "xx."|"x."|"." ".." + * srealm ".." "..." + * session key 2E2E2E00 xxxxxxxx xxxxxxxx 00000000 + * lifetime 0 0 + * kvno 0 12 + * ticket 12 nulls 4 nulls + * issue 0 0 + */ +static unsigned char align_rec_1[] = { + 0x2e, 0x00, 0x2e, 0x2e, 0x00, 0x2e, 0x2e, 0x2e, + 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00 +}; + +/* Two NULL bytes + * Field 32-bit 64-bit + * ============ ================= ================= + * sname "x" |"x" |"xx" ".." + * sinst "" |"x" |"" "" + * srealm "x.."|".."|".." ".." 
+ * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 + * lifetime 0 0 + * kvno 0 12 + * ticket 12 nulls 4 nulls + * issue 0 0 + */ + static unsigned char align_rec_2[] = { + 0x2e, 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0xff, + 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* Three NULL bytes + * Things break here for 32-bit krb4 libraries that don't + * understand this alignment record. We can't really do + * anything about the fact that the three strings ended + * in the duplicate timestamp. The good news is that this + * only happens once every 0x1000000 seconds, once roughly + * every six and a half months. We'll live. + * + * Discussion on the krbdev list has suggested the + * issue_date be incremented by one in this case to avoid + * the problem. I'm leaving this here just in case. + * + * Field 32-bit 64-bit + * ============ ================= ================= + * sname "" "." + * sinst "" "" + * srealm "" ".." + * session key 2E00002E 2E00FFFF xxxx0000 0000xxxx + * lifetime 0 0 + * kvno 4294901760 917504 + * ticket 14 nulls 4 nulls + * issue 0 0 + */ +/* +static unsigned char align_rec_3[] = { + 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0xff, 0xff, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +*/ +#endif /* K5_LE*/ + /* * fd must be initialized to something that won't ever occur as a real * file descriptor. Since open(2) returns only non-negative numbers as @@ -136,7 +298,7 @@ static int tf_gets (char *, int), tf_read (char *, int); * int lifetime * int kvno * KTEXT_ST ticket_st - * long issue_date + * KRB4_32 issue_date * * Strings are stored NUL-terminated, and read back until a NUL is * found or the indicated number of bytes have been read. (So if you 
@@ -519,19 +681,43 @@ int KRB5_CALLCONV tf_get_pinst(inst) * EOF - end of file encountered */ -int KRB5_CALLCONV tf_get_cred(c) +static int real_tf_get_cred(c) CREDENTIALS *c; { KTEXT ticket = &c->ticket_st; /* pointer to ticket */ int k_errno; - long issue_date; + unsigned char nullbuf[3]; /* used for 64-bit issue_date tf compatibility */ if (fd < 0) { if (krb_debug) fprintf(stderr, "tf_get_cred called before tf_init.\n"); return TKT_FIL_INI; } - if ((k_errno = tf_gets(c->service, SNAME_SZ)) < 2) + if ((k_errno = tf_gets(c->service, SNAME_SZ)) < 2) { + +#ifdef K5_BE + /* If we're big endian then we can have a null service name as part of + * an alignment record. */ + if (k_errno < 2) + switch (k_errno) { + case TOO_BIG: + tf_close(); + return TKT_FIL_FMT; + case 0: + return EOF; + } +#else /* Little Endian */ + /* If we read an empty service name, it's possible that's because + * the file was written by someone who thinks issue_date should be + * 64 bits. If that is the case, there will be three more zeros, + * followed by the real record.*/ + + if (k_errno == 1 && + tf_read(nullbuf, 3) == 3 && + !nullbuf[0] && !nullbuf[1] && !nullbuf[2]) + k_errno = tf_gets(c->service, SNAME_SZ); + + if (k_errno < 2) switch (k_errno) { case TOO_BIG: case 1: /* can't be just a null */ @@ -540,6 +726,9 @@ int KRB5_CALLCONV tf_get_cred(c) case 0: return EOF; } +#endif/*K5_BE*/ + + } if ((k_errno = tf_gets(c->instance, INST_SZ)) < 1) switch (k_errno) { case TOO_BIG: @@ -547,7 +736,7 @@ int KRB5_CALLCONV tf_get_cred(c) case 0: return EOF; } - if ((k_errno = tf_gets(c->realm, REALM_SZ)) < 2) + if ((k_errno = tf_gets(c->realm, REALM_SZ)) < 2) { switch (k_errno) { case TOO_BIG: case 1: /* can't be just a null */ @@ -556,6 +745,8 @@ int KRB5_CALLCONV tf_get_cred(c) case 0: return EOF; } + } + if ( tf_read((char *) (c->session), KEY_SZ) < 1 || tf_read((char *) &(c->lifetime), sizeof(c->lifetime)) < 1 || 
@@ -565,12 +756,74 @@ int KRB5_CALLCONV tf_get_cred(c) /* don't try to read a silly amount into ticket->dat */ ticket->length > MAX_KTXT_LEN || tf_read((char *) (ticket->dat), ticket->length) < 1 || - tf_read((char *) &(issue_date), sizeof(issue_date)) < 1 + tf_read((char *) &(c->issue_date), sizeof(c->issue_date)) < 1 ) { tf_close(); return TKT_FIL_FMT; } - c->issue_date = issue_date; + +#ifdef K5_BE + /* If the issue_date is 0 and we're not dealing with an alignment + record, then it's likely we've run into an issue_date written by + a 64-bit library that is using long instead of KRB4_32. Let's get + the next four bytes instead. + */ + if (0 == c->issue_date) { + int len = strlen(c->realm); + if (!(2 == len && 0 == strcmp(c->realm, "..")) && + !(3 == len && 0 == strcmp(c->realm + 1, ".."))) { + if (tf_read((char *) &(c->issue_date), sizeof(c->issue_date)) < 1) { + tf_close(); + return TKT_FIL_FMT; + } + } + } + +#endif + + return KSUCCESS; +} + +int KRB5_CALLCONV tf_get_cred(c) + CREDENTIALS *c; +{ + int k_errno; + int fake; + + do { + fake = 0; + k_errno = real_tf_get_cred(c); + if (k_errno) + return k_errno; + +#ifdef K5_BE + /* Here we're checking to see if the realm is one of the + * alignment record realms, ".." or "?..", so we can skip it. + * If it's not, then we need to verify that the service name + * was not null as this should be a valid ticket. + */ + { + int len = strlen(c->realm); + if (2 == len && 0 == strcmp(c->realm, "..")) + fake = 1; + if (3 == len && 0 == strcmp(c->realm + 1, "..")) + fake = 1; + if (!fake && 0 == strlen(c->service)) { + tf_close(); + return TKT_FIL_FMT; + } + } +#else /* Little Endian */ + /* Here we're checking to see if the service principal is the + * special alignment record principal ".@..", so we can skip it. 
+ */ + if (strcmp(c->service, ".") == 0 && + strcmp(c->instance, "") == 0 && + strcmp(c->realm, "..") == 0) + fake = 1; +#endif/*K5_BE*/ + } while (fake); + #ifdef TKT_SHMEM memcpy(c->session, tmp_shm_addr, KEY_SZ); tmp_shm_addr += KEY_SZ; @@ -711,7 +964,7 @@ int tf_save_cred(service, instance, realm, session, lifetime, kvno, int lifetime; /* Lifetime */ int kvno; /* Key version number */ KTEXT ticket; /* The ticket itself */ - long issue_date; /* The issue time */ + KRB4_32 issue_date; /* The issue time */ { off_t lseek(); 
@@ -777,9 +1030,65 @@ int tf_save_cred(service, instance, realm, session, lifetime, kvno, if (write(fd, (char *) (ticket->dat), count) != count) goto bad; /* Issue date */ - if (write(fd, (char *) &issue_date, sizeof(long)) - != sizeof(long)) + if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) + != sizeof(KRB4_32)) + goto bad; + /* Alignment Record */ +#ifdef K5_BE + { + int null_bytes = 0; + if (0 == (issue_date & 0xff000000)) + ++null_bytes; + if (0 == (issue_date & 0x00ff0000)) + ++null_bytes; + if (0 == (issue_date & 0x0000ff00)) + ++null_bytes; + if (0 == (issue_date & 0x000000ff)) + ++null_bytes; + + switch(null_bytes) { + case 0: + /* Issue date */ + if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) + != sizeof(KRB4_32)) + goto bad; + if (write(fd, align_rec_0, sizeof(align_rec_0)) + != sizeof(align_rec_0)) + goto bad; + break; + + case 1: + if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) + != sizeof(KRB4_32)) + goto bad; + if (write(fd, align_rec_1, sizeof(align_rec_1)) + != sizeof(align_rec_1)) + goto bad; + break; + + case 3: + /* Three NULLS are troublesome but rare. We'll just pretend + * they don't exist by decrementing the issue_date. + */ + --issue_date; + case 2: + if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) + != sizeof(KRB4_32)) + goto bad; + if (write(fd, align_rec_2, sizeof(align_rec_2)) + != sizeof(align_rec_2)) + goto bad; + break; + + default: + goto bad; + } + + } +#else + if (write(fd, align_rec, sizeof(align_rec)) != sizeof(align_rec)) goto bad; +#endif /* Actually, we should check each write for success */ return (KSUCCESS); diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in index 222c1ee985..fcf2ea28c7 100644 --- a/src/lib/krb5/Makefile.in +++ b/src/lib/krb5/Makefile.in 
@@ -1,6 +1,6 @@ -thisconfigdir=. +thisconfigdir=../.. myfulldir=lib/krb5 -mydir=. +mydir=lib/krb5 BUILDTOP=$(REL)..$(S).. LOCALINCLUDES = -I$(srcdir)/ccache -I$(srcdir)/keytab -I$(srcdir)/rcache -I$(srcdir)/os LOCAL_SUBDIRS= error_tables asn.1 ccache keytab krb os rcache diff --git a/src/lib/krb5/asn.1/Makefile.in b/src/lib/krb5/asn.1/Makefile.in index d903c8e8ac..3c440fe561 100644 --- a/src/lib/krb5/asn.1/Makefile.in +++ b/src/lib/krb5/asn.1/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/krb5/asn.1 -mydir=asn.1 +mydir=lib/krb5/asn.1 BUILDTOP=$(REL)..$(S)..$(S).. DEFS= diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in index 99241c981c..7906aebb00 100644 --- a/src/lib/krb5/ccache/Makefile.in +++ b/src/lib/krb5/ccache/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/krb5/ccache -mydir=ccache +mydir=lib/krb5/ccache BUILDTOP=$(REL)..$(S)..$(S).. LOCAL_SUBDIRS = DEFS= diff --git a/src/lib/krb5/configure.in b/src/lib/krb5/configure.in deleted file mode 100644 index 2559d356f3..0000000000 --- a/src/lib/krb5/configure.in +++ /dev/null @@ -1,23 +0,0 @@ -K5_AC_INIT(configure.in) -CONFIG_RULES -AC_PROG_AWK -dnl -AC_C_CONST -AC_TYPE_UID_T -AC_TYPE_OFF_T -dnl -dnl -KRB5_AC_REGEX_FUNCS -KRB5_NEED_PROTO([#include ],strptime) -dnl -KRB5_SIGTYPE -CHECK_SIGNALS -KRB5_SOCKADDR_SA_LEN -KRB5_GETPEERNAME_ARGS -KRB5_GETSOCKNAME_ARGS -KRB5_BUILD_LIBRARY_WITH_DEPS -KRB5_BUILD_LIBOBJS -KRB5_BUILD_PROGRAM -KRB5_RUN_FLAGS -dnl -V5_AC_OUTPUT_MAKEFILE(. error_tables asn.1 ccache keytab krb rcache os) diff --git a/src/lib/krb5/error_tables/Makefile.in b/src/lib/krb5/error_tables/Makefile.in index 3d8a8fb5ab..df4191ff6d 100644 --- a/src/lib/krb5/error_tables/Makefile.in +++ b/src/lib/krb5/error_tables/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/krb5/error_tables -mydir=error_tables +mydir=lib/krb5/error_tables BUILDTOP=$(REL)..$(S)..$(S).. DEFS= 
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in index 11ab55de77..73b11f72a4 100644 --- a/src/lib/krb5/keytab/Makefile.in +++ b/src/lib/krb5/keytab/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/krb5/keytab -mydir=keytab +mydir=lib/krb5/keytab BUILDTOP=$(REL)..$(S)..$(S).. DEFS= diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in index 270feab2f0..edf6d5f2f1 100644 --- a/src/lib/krb5/krb/Makefile.in +++ b/src/lib/krb5/krb/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/krb5/krb -mydir=krb +mydir=lib/krb5/krb BUILDTOP=$(REL)..$(S)..$(S).. RUN_SETUP = @KRB5_RUN_ENV@ PROG_LIBPATH=-L$(TOPLIBD) diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in index abce069ea9..db391ab15f 100644 --- a/src/lib/krb5/os/Makefile.in +++ b/src/lib/krb5/os/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/krb5/os -mydir=os +mydir=lib/krb5/os BUILDTOP=$(REL)..$(S)..$(S).. KRB5_RUN_ENV = @KRB5_RUN_ENV@ PROG_LIBPATH=-L$(TOPLIBD) diff --git a/src/lib/krb5/rcache/Makefile.in b/src/lib/krb5/rcache/Makefile.in index 2b886bfe9d..05b7609558 100644 --- a/src/lib/krb5/rcache/Makefile.in +++ b/src/lib/krb5/rcache/Makefile.in @@ -1,6 +1,6 @@ -thisconfigdir=./.. +thisconfigdir=../../.. myfulldir=lib/krb5/rcache -mydir=rcache +mydir=lib/krb5/rcache BUILDTOP=$(REL)..$(S)..$(S).. DEFS= diff --git a/src/lib/rpc/Makefile.in b/src/lib/rpc/Makefile.in index 02eb370101..1d3c6eacbf 100644 --- a/src/lib/rpc/Makefile.in +++ b/src/lib/rpc/Makefile.in @@ -1,10 +1,12 @@ -thisconfigdir=. +thisconfigdir=../.. myfulldir=lib/rpc -mydir=. +mydir=lib/rpc BUILDTOP=$(REL)..$(S).. DEFINES = -DGSSAPI_KRB5 -DDEBUG_GSSAPI=0 -DGSSRPC__IMPL DEFS= +SUBDIRS=unit-test + ##DOSBUILDTOP = ..\.. ##DOSLIBNAME=libgssrpc.lib 
@@ -267,7 +269,7 @@ do-dyn-lclint:: # makefile post-processing is unconditional and would trash the makefile. types.h: types.stamp types.stamp: $(srcdir)/types.hin config.status - $(SHELL) config.status + cd $(thisconfigdir) && $(SHELL) config.status $(mydir)/types.h touch types.stamp clean-unix:: diff --git a/src/lib/rpc/configure.in b/src/lib/rpc/configure.in deleted file mode 100644 index 2b76c4adad..0000000000 --- a/src/lib/rpc/configure.in +++ /dev/null 
@@ -1,175 +0,0 @@ -K5_AC_INIT(auth_gssapi.c) -CONFIG_RULES -AC_CONFIG_SUBDIRS(unit-test) -AC_CHECK_HEADERS(sys/uio.h sys/param.h) -AC_TYPE_GETGROUPS -### Check where struct rpcent is declared. -# -# This is necessary to determine: -# 1. If /usr/include/netdb.h declares struct rpcent -# 2. If /usr/include/rpc/netdb.h declares struct rpcent -# -# We have our own rpc/netdb.h, and if /usr/include/netdb.h includes -# rpc/netdb.h, then nastiness could happen. -# -# Logic: If /usr/include/netdb.h declares struct rpcent, then check -# rpc/netdb.h. If /usr/include/rpc/netdb.h declares struct rpcent, -# then define STRUCT_RPCENT_IN_RPC_NETDB_H, otherwise do not. If -# neither netdb.h nor rpc/netdb.h declares struct rpcent, then define -# STRUCT_RPCENT_IN_RPC_NETDB_H anyway. -# -AC_MSG_CHECKING([where struct rpcent is declared]) -AC_TRY_COMPILE([#include ], -[struct rpcent e; -char c = e.r_name[0]; -int i = e.r_number;], -[AC_TRY_COMPILE([#include ], -[struct rpcent e; -char c = e.r_name[0]; -int i = e.r_number;], -[AC_MSG_RESULT([rpc/netdb.h]) -rpcent_define='#define STRUCT_RPCENT_IN_RPC_NETDB_H'], -[AC_MSG_RESULT([netdb.h])])], -[AC_MSG_RESULT([nowhere]) -rpcent_define='#define STRUCT_RPCENT_IN_RPC_NETDB_H']) -AC_SUBST(rpcent_define) - -AC_CHECK_HEADERS(sys/select.h sys/time.h unistd.h) -if test $ac_cv_header_sys_select_h = yes; then - GSSRPC__SYS_SELECT_H='#include ' -else - GSSRPC__SYS_SELECT_H='/* #include */' -fi -AC_SUBST(GSSRPC__SYS_SELECT_H) -if test $ac_cv_header_sys_time_h = yes; then - GSSRPC__SYS_TIME_H='#include ' -else - GSSRPC__SYS_TIME_H='/* #include */' -fi -AC_SUBST(GSSRPC__SYS_TIME_H) -if test $ac_cv_header_unistd_h = yes; then - GSSRPC__UNISTD_H='#include ' -else - GSSRPC__UNISTD_H='/* #include */' -fi -AC_SUBST(GSSRPC__UNISTD_H) - -AC_CACHE_CHECK([for MAXHOSTNAMELEN in sys/param.h], - [krb5_cv_header_sys_param_h_maxhostnamelen], - [AC_TRY_COMPILE([#include ], - [int i = MAXHOSTNAMELEN;], - [krb5_cv_header_sys_param_h_maxhostnamelen=yes], - 
[krb5_cv_header_sys_param_h_maxhostnamelen=no])]) -AC_CACHE_CHECK([for MAXHOSTNAMELEN in netdb.h], - [krb5_cv_header_netdb_h_maxhostnamelen], - [AC_TRY_COMPILE([#include ], - [int i = MAXHOSTNAMELEN;], - [krb5_cv_header_netdb_h_maxhostnamelen=yes], - [krb5_cv_header_netdb_h_maxhostnamelen=no])]) - -GSSRPC__SYS_PARAM_H='/* #include */' -GSSRPC__NETDB_H='/* #include */' -if test $krb5_cv_header_sys_param_h_maxhostnamelen = yes; then - GSSRPC__SYS_PARAM_H='#include ' -else - if test $krb5_cv_header_netdb_h_maxhostnamelen = yes; then - GSSRPC__NETDB_H='#include ' - else - AC_MSG_WARN([can't find MAXHOSTNAMELEN definition; faking it]) - fi -fi -AC_SUBST(GSSRPC__SYS_PARAM_H) -AC_SUBST(GSSRPC__NETDB_H) - -AC_CACHE_CHECK([for uint32_t in sys/types.h], - [krb5_cv_header_sys_types_h_uint32_t], - [AC_TRY_COMPILE([#include ], - [uint32_t i = 0;], - [krb5_cv_header_sys_types_h_uint32_t=yes], - [krb5_cv_header_sys_types_h_uint32_t=no])]) -AC_CACHE_CHECK([for uint32_t in stdint.h], - [krb5_cv_header_stdint_h_uint32_t], - [AC_TRY_COMPILE([#include ], - [uint32_t i = 0;], - [krb5_cv_header_stdint_h_uint32_t=yes], - [krb5_cv_header_stdint_h_uint32_t=no])]) -AC_CACHE_CHECK([for uint32_t in inttypes.h], - [krb5_cv_header_inttypes_h_uint32_t], - [AC_TRY_COMPILE([#include ], - [uint32_t i = 0;], - [krb5_cv_header_inttypes_h_uint32_t=yes], - [krb5_cv_header_inttypes_h_uint32_t=no])]) -GSSRPC__STDINT_H='/* #include */' -GSSRPC__INTTYPES_H='/* #include */' -GSSRPC__FAKE_UINT32='/* #undef GSSRPC__FAKE_INT32 */' -if test $krb5_cv_header_sys_types_h_uint32_t = yes; then - : # already included sys/types.h -else - if test $krb5_cv_header_stdint_h_uint32_t = yes; then - GSSRPC__STDINT_H='#include ' - else - if test $krb5_cv_header_inttypes_h_uint32_t = yes; then - GSSRPC__INTTYPES_H='#include ' - else - AC_MSG_WARN([can't find a fixed-width 32-bit type anywhere; faking it]) - GSSRPC__FAKE_UINT32='#define GSSRPC__FAKE_UINT32 1' - fi - fi -fi -AC_SUBST(GSSRPC__STDINT_H) 
-AC_SUBST(GSSRPC__INTTYPES_H) -AC_SUBST(GSSRPC__FAKE_UINT32) - -AC_CACHE_CHECK([for BSD type aliases], [krb5_cv_type_bsdaliases], - [AC_TRY_COMPILE( - [#include -#if HAVE_UNISTD_H -#include -#endif], - [u_char c; -u_int i; -u_long l;], [krb5_cv_type_bsdaliases=yes], [krb5_cv_type_bsdaliases=no])]) -if test $krb5_cv_type_bsdaliases = yes; then - GSSRPC__BSD_TYPEALIASES='/* #undef GSSRPC__BSD_TYPEALIASES */' -else - GSSRPC__BSD_TYPEALIASES='#define GSSRPC__BSD_TYPEALIASES 1' -fi -AC_SUBST(GSSRPC__BSD_TYPEALIASES) - -AC_CHECK_FUNCS(strerror) -# -# sockaddr length field checks -# -AC_CHECK_MEMBERS([struct sockaddr_in.sin_len], , , - [#include -@%:@include ]) -AC_CHECK_MEMBERS([struct sockaddr.sa_len], , , - [#include -@%:@include ]) - -AC_MSG_CHECKING([return type of setrpcent]) -AC_CACHE_VAL(k5_cv_type_setrpcent, -[AC_TRY_COMPILE([#include -#ifdef __cplusplus -extern "C" -#endif -extern void setrpcent();], -[int i;], k5_cv_type_setrpcent=void, k5_cv_type_setrpcent=int)])dnl -AC_MSG_RESULT($k5_cv_type_setrpcent) -AC_DEFINE_UNQUOTED(SETRPCENT_TYPE, $k5_cv_type_setrpcent, [Define as return type of setrpcent]) -dnl -AC_MSG_CHECKING([return type of endrpcent]) -AC_CACHE_VAL(k5_cv_type_endrpcent, -[AC_TRY_COMPILE([#include -#ifdef __cplusplus -extern "C" -#endif -extern void endrpcent();], -[int i;], k5_cv_type_endrpcent=void, k5_cv_type_endrpcent=int)])dnl -AC_MSG_RESULT($k5_cv_type_endrpcent) -AC_DEFINE_UNQUOTED(ENDRPCENT_TYPE, $k5_cv_type_endrpcent, [Define as return type of endrpcent]) -DECLARE_SYS_ERRLIST -KRB5_BUILD_LIBOBJS -KRB5_BUILD_LIBRARY_WITH_DEPS -K5_GEN_FILE(types.h:types.hin) -V5_AC_OUTPUT_MAKEFILE diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/unit-test/Makefile.in index 8cc030907c..77959377ae 100644 --- a/src/lib/rpc/unit-test/Makefile.in +++ b/src/lib/rpc/unit-test/Makefile.in 
@@ -1,6 +1,6 @@ -thisconfigdir=. +thisconfigdir=../../.. myfulldir=lib/rpc/unit-test -mydir=. +mydir=lib/rpc/unit-test BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I. PROG_LIBPATH=-L$(TOPLIBD) diff --git a/src/lib/rpc/unit-test/configure.in b/src/lib/rpc/unit-test/configure.in deleted file mode 100644 index 6a6bcf1f6c..0000000000 --- a/src/lib/rpc/unit-test/configure.in +++ /dev/null @@ -1,29 +0,0 @@ -K5_AC_INIT(client.c) -CONFIG_RULES -dnl sets $(krb5_cv_host) -KRB5_BUILD_PROGRAM -dnl -AC_CHECK_HEADERS(unistd.h) -dnl The following are tests for the presence of programs required for testing -AC_CHECK_PROG(RUNTEST,runtest,runtest) -AC_CHECK_PROG(PERL,perl,perl) -AC_KRB5_TCL -if test "$PERL" = perl -a "$RUNTEST" = runtest -a "$TCL_LIBS" != ""; then - DO_TEST=ok -fi -AC_SUBST(DO_TEST) -changequote(<<, >>) -case "$krb5_cv_host" in -*-*-solaris2.[012345]*) - PASS=tcp - ;; -*) - PASS="tcp udp" - ;; -esac -changequote([, ]) -AC_SUBST(PASS) -dnl -CHECK_SIGNALS -KRB5_AC_PRIOCNTL_HACK -V5_AC_OUTPUT_MAKEFILE diff --git a/src/patchlevel.h b/src/patchlevel.h index 7d0bf1c23f..1a7bc741b6 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -53,6 +53,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 5 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "prerelease" +#define KRB5_RELTAIL "alpha1-postrelease" /* #undef KRB5_RELDATE */ /* #undef KRB5_RELTAG */ diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c index 0945d3995f..9d025942ec 100644 --- a/src/util/support/plugins.c +++ b/src/util/support/plugins.c @@ -567,7 +567,7 @@ krb5int_get_plugin_dir_data (struct plugin_dir_handle *dirhandle, void **newp = NULL; count++; - newp = realloc (p, ((count + 1) + sizeof (*p))); /* +1 for NULL */ + newp = realloc (p, ((count + 1) * sizeof (*p))); /* +1 for NULL */ if (newp == NULL) { err = errno; } else { 
@@ -626,7 +626,7 @@ krb5int_get_plugin_dir_func (struct plugin_dir_handle *dirhandle, void (**newp)() = NULL; count++; - newp = realloc (p, ((count + 1) + sizeof (*p))); /* +1 for NULL */ + newp = realloc (p, ((count + 1) * sizeof (*p))); /* +1 for NULL */ if (newp == NULL) { err = errno; } else {
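Review bot: deleting src/lib/rpc/unit-test/configure.in removes the only visible AC_SUBST(DO_TEST) and AC_SUBST(PASS), along with the RUNTEST, PERL and AC_KRB5_TCL probes and the solaris2.[012345] case that restricts PASS to tcp. Now that unit-test/Makefile.in sets thisconfigdir=../../.., the parent configure.in has to perform the same checks and substitutions, otherwise any @DO_TEST@ or @PASS@ reference in that Makefile.in is left unexpanded and the RPC tests are skipped or run against the wrong transports. Please confirm the parent configure.in gains these checks in the same merge, including CHECK_SIGNALS and KRB5_AC_PRIOCNTL_HACK.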
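Review bot: in the krb5int_get_plugin_dir_data hunk of src/util/support/plugins.c, the failure branch "if (newp == NULL) { err = errno; }" depends on realloc setting errno, which ISO C does not require; where it is not set, err can stay 0 and the failed allocation is treated as success. Suggest assigning ENOMEM explicitly in that branch. The size correction itself is right: the old "(count + 1) + sizeof (*p)" asked for count + 1 + sizeof(pointer) bytes for an array that, per the "+1 for NULL" comment, holds count + 1 pointers, which is too small from the first entry onward with 4- or 8-byte pointers. Since this is a heap under-allocation fix, it deserves its own line in the change log rather than being carried only by a merge commit.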
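Review bot: the realloc line in the krb5int_get_plugin_dir_func hunk is a copy of the one in krb5int_get_plugin_dir_data and carried the identical "+ sizeof" mistake, so the array-growth step should be factored into one helper used by both functions. That helper is also the place to reject a count for which (count + 1) * sizeof (*p) would wrap before it reaches realloc, and to return ENOMEM instead of reading errno. A test that loads a plugin directory with two or more entries under a heap checker would keep this from regressing.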