darlinghq/darling-Heimdal
1
0
Fork 0
mirror of https://github.com/darlinghq/darling-Heimdal.git synced 2024-11-26 21:50:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add source

Browse Source
This commit is contained in:
Andrew Hyatt 2017-04-20 17:39:51 -07:00
parent fd13c5e63d
commit b6d4e23165
2942 changed files with 1290932 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

485
ChangeLog Normal file
View File

@ -0,0 +1,485 @@
We stop writing change logs, see the source code version control systems history log instead
2008-07-28 Love Hornquist Astrand <lha@h5l.org>
* lib/krb5/v4_glue.c: The "kaserver" part of Heimdal occasionally
issues invalid AFS tokens
(here "occasionally" means for certain users in certain realms).
In lib/krb5/v4_glue.c, in the routine storage_to_etext the ticket
is padded to a multiple of 8 bytes. If it is already a multiple of
8 bytes, 8 additional 0-bytes are added.
This catches the AFS krb4 ticket decoder by surprise: unless the
ticket is exactly 56 bytes, it only supports the minimum necessary
padding. It detects the superfluous padding by comparing the
ticket length decoded to the advertised ticket length.
Hence a 7-letter userid in "cern.ch" which resulted in a ticket of
40 bytes, got "padded" to 48 bytes which the rxkad decoder
rejected.
From Rainer Toebbicke.
2008-07-25 Love Hörnquist Åstrand <lha@h5l.org>
* kuser/kinit.c: add --ok-as-delegate and --windows flags
* kpasswd/kpasswd-generator.c: Switch to krb5_set_password.
* kuser/kinit.c: Use krb5_cc_set_config.
* lib/krb5/cache.c: Add krb5_cc_[gs]et_config.
2008-07-22 Love Hörnquist Åstrand <lha@h5l.org>
* lib/krb5/crypto.c: Allow numbers to be enctypes to as long as
they are valid.
2008-07-17 Love Hörnquist Åstrand <lha@h5l.org>
* lib/hdb/version-script.map: some random bits needed for libkadm
2008-07-15 Love Hörnquist Åstrand <lha@h5l.org>
* lib/krb5/send_to_kdc_plugin.h: add name for send_to_kdc plugin.
* lib/krb5/krbhst.c: handle KRB5_PLUGIN_NO_HANDLE for lookup
plugin.
* lib/krb5/send_to_kdc.c: Add support for the send_to_kdc plugin
interface.
* lib/krb5/Makefile.am: add send_to_kdc_plugin.h
* lib/krb5/krb5_err.et: add plugin error codes
2008-07-14 Love Hornquist Astrand <lha@kth.se>
* lib/hdb/Makefile.am: EXTRA_DIST += version-script.map
2008-07-14 Love Hornquist Astrand <lha@kth.se>
* lib/krb5/krb5_{address,ccache}.3: spelling, from openbsd via janne
johansson
2008-07-13 Love Hörnquist Åstrand <lha@kth.se>
* lib/krb5/version-script.map: add krb5_free_error_message
2008-06-21 Love Hörnquist Åstrand <lha@kth.se>
* lib/krb5/init_creds_pw.c: switch to krb5_set_password().
2008-06-18 Love Hörnquist Åstrand <lha@kth.se>
* lib/krb5/time.c (krb5_set_real_time): handle negative usec
2008-05-31 Love Hörnquist Åstrand <lha@kth.se>
* lib/krb5/krb5_locl.h: Add <wind.h>
* lib/krb5/crypto.c: Use wind_utf8ucs2_length to convert the password to utf16.
2008-05-30 Love Hörnquist Åstrand <lha@kth.se>
* lib/krb5/kcm.c: Add back krb5_kcmcache argument to try_door().
2008-05-27 Love Hörnquist Åstrand <lha@kth.se>
* lib/krb5/error_string.c (krb5_free_error_message): constify
* lib/krb5/error_string.c: Add krb5_get_error_message().
* lib/krb5/doxygen.c: krb5_cc_new_unique() is name of the creation
function.
2008-04-30 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb-ldap.c: Use the _ext api for OpenLDAP, from Honza
Machacek (gentoo).
2008-04-28 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/crypto.c: Use DES_set_key_unchecked().
* lib/krb5/krb5.conf.5: Document default_cc_type.
* lib/krb5/cache.c: Pick up [libdefaults]default_cc_type
2008-04-27 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kaserver.c: Use DES_set_key_unchecked().
2008-04-21 Love Hörnquist Åstrand <lha@it.su.se>
* doc/hx509.texi: About the pkcs11 module.
* doc/hx509.texi: Pick up version from vars.texi
* doc/hx509.texi: No MIT code in hx509.
* hx509 now includes a pkcs11 implementation.
2008-04-20 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/Makefile.am: Move OpenLDAP includes to AM_CPPFLAGS to
avoid dropping other defines for the library.
2008-04-17 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5: add __declspec() for windows.
* configure.in: Update rk_WIN32_EXPORT, add gssapi to
rk_WIN32_EXPORT.
* configure.in: Lets try dependency tracking for automake 1.10 and
later.
* configure.in: Use at least libtool-2.2.
* configure.in: Use LT_INIT the right way.
* lib/krb5/Makefile.am: Update make-proto usage.
* configure.in: Run autoupdate, use LT_INIT().
2008-04-15 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/test_forward.c: Don't print krb5_error_code since we
are using krb5_err().
* lib/krb5/ticket.c: Cast krb5_error_code to int to avoid warning.
* lib/krb5/scache.c: Cast krb5_error_code to int to avoid warning.
* lib/krb5/principal.c: Cast enum to int to avoid warning.
* lib/krb5/pkinit.c: Cast krb5_error_code to int to avoid warning.
* lib/krb5/pac.c: Cast size_t to unsigned long to avoid warning.
* lib/krb5/error_string.c: Cast krb5_error_code to int to avoid
warning.
* lib/krb5/keytab_keyfile.c: Make num_entries an uint32 to avoid
negative numbers and type warnings.
* lib/krb5: cc_get_version returns an int, update.
2008-04-10 Love Hörnquist Åstrand <lha@it.su.se>
* configure.in: Check for <asl.h>.
2008-04-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/version-script.map: sort and export _krb5_pk_kdf
* lib/krb5/crypto.c: Check kdf params. calculate the second half
of the key.
* lib/krb5/Makefile.am: Add test_pknistkdf
* lib/krb5/test_pknistkdf.c: Test the new pkinit nist kdf.
* lib/krb5/crypto.c: Complete _krb5_pk_kdf.
* lib/krb5/crypto.c: First version of KDF in
draft-ietf-krb-wg-pkinit-alg-agility-03.txt.
2008-04-08 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: Add text about smbk5pwd overlay from Buchan
Milne.
* lib/krb5/krb5_locl.h: Name the pkinit type enum.
* kdc/pkinit.c: Rename constants to match global header.
* lib/krb5/pkinit.c: Drop krb5_pk_identity and rename constants to
match global header.
* kdc/pkinit.c: Pick up krb5_pk_identity from krb5_locl.h.
* lib/krb5/scache.c (scc_alloc): %x is unsigned int.
2008-04-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/version-script.map: Sort and add krb5_cc_switch.
* lib/krb5/acache.c: Use unsigned where appropriate.
* kcm/glue.c: Adapt to chenge to krb5_cc_ops.
* kcm/acl.c: Add missing op.
* kdc/connect.c: Use unsigned where appropriate.
* lib/krb5/n-fold.c: Use size_t where appropriate.
* lib/krb5/get_addrs.c: Use unsigned where appropriate.
* lib/krb5/crypto.c: Use unsigned where appropriate.
* lib/krb5/crc.c: Use unsigned where appropriate.
* lib/krb5/changepw.c: simplify
* lib/krb5/copy_host_realm.c: simplify
* kuser/kswitch.c: Implement --principal.
2008-04-05 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/cache.c: allow returning the default cc-type.
* kuser/kswitch.c: Enable switching between existing caches.
* lib/krb5/cache.c: Add krb5_cc_switch, to set the default
credential cache.
* lib/krb5/acache.c: Implement set_default.
* lib/krb5/krb5.h: Extend krb5_cc_ops and add set_default to set
the default cc name for a credential type.
2008-04-04 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/test_cc.c: test remove
* lib/krb5/fcache.c: Make the remove cred slight more atomic, now
it might lose creds, but there will be no empty cache at any time.
* lib/krb5/scache.c: Do credential iteration by temporary table.
2008-04-02 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/acache.c: Translate ccErrInvalidCCache.
* lib/krb5/scache.c: implemetation of a sqlite3 backed credential
cache.
* lib/krb5/test_cc.c: test acc and scc
* lib/krb5/acache.c: Only release context if its in use.
2008-04-01 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: No patching of OpenLDAP is needed, from Buchan
Milne.
2008-03-30 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/Makefile.am: Add scache.
* lib/krb5/scache.c: initial implementation
* lib/Makefile.am: sqlite
* configure.in: lib/sqlite/Makefile
2008-03-26 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/fcache.c: Make the storing credential an atomic
write(2) to avoid signal races, bug traced by Harald Barth and Lars
Malinowsky.
2008-03-25 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/fcache.c: Make erase_file() do locking too.
* kcm/protocol.c: Make work when moving to a non-existant
cred-cache.
* lib/krb5/test_cc.c: more verbose info.
* lib/krb5/test_cc.c: test krb5_cc_move().
2008-03-23 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/get_cred.c: Try both kdc server referral and the old
client chasing mode.
* lib/krb5/get_cred.c: Don't do canonicalize by default, make
add_cred() sane, make loop detection in credential fetching
better.
* lib/krb5/krb5_locl.h: Add flag EXTRACT_TICKET_AS_REQ.
* lib/krb5/init_creds_pw.c: Tell _krb5_extract_ticket that this is
an AS-REQ.
* lib/krb5/get_in_tkt.c: Make server referral work.
2008-03-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/get_in_tkt.c: check no server referral, don't use
stringent length tests since encryption layer does padding for
us...
* kdc/kerberos5.c: Match name in ClientCanonicalizedNames with -10
* lib/krb5/principal.c (_krb5_principal_compare_PrincipalName):
new function to compare a principal to a PrincipalName.
* lib/krb5/init_creds_pw.c: Move client referral checking to
_krb5_extract_ticket().
* lib/krb5/get_in_tkt.c: More bits for server referral.
* lib/krb5/get_in_tkt.c: Make working with client referrals.
* lib/krb5/get_cred.c: Try moving referrals checking into
_krb5_extract_ticket().
* lib/krb5/get_in_tkt.c: Try moving referrals checking into
_krb5_extract_ticket().
2008-03-21 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/krb5tgs.c: Send SERVER-REFERRAL data in rep.padata instead
of auth_data in ticket.
2008-03-20 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds_pw.c: remove lost bits from using
krb5_principal_set_realm
* kdc/krb5tgs.c: Better referrals support, use canonicalize flag.
* kdc/hprop.c: use krb5_principal_set_realm
* lib/krb5/init_creds_pw.c: use krb5_principal_set_realm
* lib/krb5/verify_user.c: use krb5_principal_set_realm
* lib/krb5/version-script.map: add krb5_principal_set_realm
* lib/krb5/principal.c: add krb5_principal_set_realm
* lib/krb5/get_cred.c: Insecure tgs referrals.
* lib/krb5/get_cred.c: Dont try key usage KRB5_KU_AP_REQ_AUTH for
TGS-REQ. This drop compatibility with pre 0.3d KDCs.
* lib/krb5/get_cred.c: catch KRB5_GC_CANONICALIZE.
* lib/krb5/krb5.h: set KRB5_GC_CANONICALIZE.
* kuser/kgetcred.c: set KRB5_GC_CANONICALIZE.
* kuser/kgetcred.c: Add stub --canonicalize implementation.
2008-03-19 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: Fix sasl-regexp, from Howard Chu.
2008-03-14 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kx509.c: Adapt to hx509_env changes.
2008-03-10 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c: Try searchin the key by to use by first
looking for for PK-INIT EKU, then the Microsoft smart card EKU and
last, no special EKU at all.
2008-03-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/acache.c: Create a new credential cache is ->get_name
is called, make acc_initialize() reset the existing credential
cache if needed.
* lib/krb5/acache.c (acc_get_name): just return the cache_name
directly instead of trying to resolve it.
2008-02-23 Love Hörnquist Åstrand <lha@it.su.se>
* include/Makefile.am (CLEANFILES): add wind.h and wind_err.h and
sort.
2008-02-11 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb-ldap.c: Use malloc() instead of static buffer.
* lib/hdb/hdb-ldap.c: Use ldap_get_values_len, from LaMont Jones
via Brian May and Debian.
* doc/Makefile.am: add libwind
2008-02-05 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/test_renew.c: Remove extra ;, From Dennis Davis.
* lib/krb5/store_emem.c: Make compile on-pre c99 compilers. From
Dennis Davis.
2008-02-03 Love Hörnquist Åstrand <lha@it.su.se>
* tools/heimdal-gssapi.pc.in: Add wind.
* tools/krb5-config.in: Add wind.
* lib/krb5/pac.c: Use libwind.
2008-02-01 Love Hörnquist Åstrand <lha@it.su.se>
* lib/Makefile.am: SUBDIRS: add wind
2008-01-29 Love Hörnquist Åstrand <lha@it.su.se>
* doc/programming.texi: See the Kerberos 5 API introduction and
documentation on the Heimdal webpage.
2008-01-27 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5: better error strings for the keytab fetching functions
* lib/krb5/verify_krb5_conf.c: Catch deprecated entries.
* lib/krb5/get_cred.c: Remove support
for [libdefaults]capath (not [libdefaults] capaths though).
2008-01-25 Love Hörnquist Åstrand <lha@it.su.se>
* tools/heimdal-gssapi.pc.in: Fix caps of prefix, from Joakim
Fallsjo.
2008-01-24 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/fcache.c (fcc_move): more explict why the fcc_move
failes, handle cross device moves.
2008-01-21 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/get_for_creds.c: Use on variable less.
* lib/krb5/get_for_creds.c: Try to handle ticket full and
ticketless tickets better. Add doxygen comments while here.
* lib/krb5/test_forward.c: Used for testing
krb5_get_forwarded_creds().
* lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward
* lib/krb5/Makefile.am: drop CHECK_SYMBOLS
* lib/hdb/Makefile.am: drop CHECK_SYMBOLS
* kdc/Makefile.am: drop CHECK_SYMBOLS
2008-01-18 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/version-script.map: Add krb5_digest_probe.
2008-01-13 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c: Replace hx509_name_to_der_name with
hx509_name_binary.
2008-01-12 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/Makefile.am: add missing files
* Happy new year.

3201
ChangeLog.1998 Normal file
View File

File diff suppressed because it is too large Load Diff

2194
ChangeLog.1999 Normal file
View File

File diff suppressed because it is too large Load Diff

1320
ChangeLog.2000 Normal file
View File

File diff suppressed because it is too large Load Diff

1122
ChangeLog.2001 Normal file
View File

File diff suppressed because it is too large Load Diff

726
ChangeLog.2002 Normal file
View File

@ -0,0 +1,726 @@
2002-12-19 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/mk_rep.c: free allocated storage; reported by Howard
Chu
2002-12-08 Johan Danielsson <joda@pdc.kth.se>
* kdc/kdc_locl.h: remove old encrypt_v4_ticket prototype
2002-12-02 Johan Danielsson <joda@pdc.kth.se>
* kpasswd/kpasswdd.c (doit): initialise sa_size to size of
sockaddr_storage
* kdc/connect.c (init_socket): initialise sa_size to size of
sockaddr_storage
2002-11-15 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/krb5.h: remove trailing comma in enum
2002-11-07 Johan Danielsson <joda@pdc.kth.se>
* kdc/524.c: implement crude b2 style (non-)conversion for use
with afs
* kdc/kerberos4.c: move encrypt_v4_ticket to 524.c, since that's
where it's used
2002-10-21 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/keytab_keyfile.c: more strcspn
* lib/krb5/store_emem.c (emem_store): limit how much we allocate
(from Olaf Kirch)
* lib/krb5/principal.c: don't allow trailing backslashes in
components
* kdc/connect.c: check that %-quotes are followed by two hex
digits
* lib/krb5/keytab_any.c: properly close the open keytabs (from
Larry Greenfield)
* kdc/kaserver.c: make sure life is positive (from John Godehn)
2002-10-17 Johan Danielsson <joda@pdc.kth.se>
* kuser/klist.c (display_tokens): allow tokens up to size of
buffer (from Magnus Holmberg)
2002-09-29 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/changepw.c (process_reply): fix reply length check
calculation (reported by various people)
2002-09-24 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/keytab_file.c (fkt_remove_entry): check return value
from start_seq_get (from Wynn Wilkes)
2002-09-19 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/context.c (krb5_set_config_files): return ENXIO instead
of ENOENT when "unconfigured"
2002-09-16 Jacques Vidrine <nectar@kth.se>
* lib/krb5/kuserok.c, lib/krb5/prompter_posix.c: use strcspn
to convert the newline to NUL in fgets results.
2002-09-13 Johan Danielsson <joda@pdc.kth.se>
* kuser/kinit.1: remove unneeded Ns
* lib/krb5/krb5_appdefault.3: remove extra "application"
* fix-export: remove autom4ate.cache
2002-09-10 Johan Danielsson <joda@pdc.kth.se>
* include/make_crypto.c: don't use function macros if possible
* lib/krb5/krb5_locl.h: get limits.h for UINT_MAX
* include/Makefile.am: use make_crypto to create crypto-headers.h
* include/make_crypto.c: crypto header generation tool
* configure.in: move crypto test to just after testing for krb4,
and move roken tests to after both, this speeds up various failure
cases with krb4
* lib/krb5/config_file.c: don't use NULL when we mean 0
* configure.in: we don't set package_libdir anymore, so no point
in testing for it
* tools/Makefile.am: subst INCLUDE_des
* tools/krb5-config.in: add INCLUDE_des to cflags
* configure.in: use AC_CONFIG_SRCDIR
* fix-export: remove some unneeded stuff
* kuser/kinit.c (do_524init): free principals
2002-09-09 Jacques Vidrine <nectar@kth.se>
* kdc/kerberos5.c (get_pa_etype_info, fix_transited_encoding),
kdc/kaserver.c (krb5_ret_xdr_data),
lib/krb5/transited.c (krb5_domain_x500_decode): Validate some
counts: Check that they are non-negative, and that they are small
enough to avoid integer overflow when used in memory allocation
calculations. Potential problem areas pointed out by
Sebastian Krahmer <krahmer@suse.de>.
* lib/krb5/keytab_keyfile.c (akf_add_entry): Use O_EXCL when
creating a new keyfile.
2002-09-09 Johan Danielsson <joda@pdc.kth.se>
* configure.in: don't try to build pam module
2002-09-05 Johan Danielsson <joda@pdc.kth.se>
* appl/kf/kf.c: fix warning string
* lib/krb5/log.c (krb5_vlog_msg): delay message formating till we
know we need it
2002-09-04 Assar Westerlund <assar@kth.se>
* kdc/kerberos5.c (encode_reply): correct error logging
2002-09-04 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/sendauth.c: close ccache if we opened it
* appl/kf/kf.c: handle new protocol
* appl/kf/kfd.c: use krb5_err instead of sysloging directly,
handle the new protocol, and bail out if an old client tries to
connect
* appl/kf/kf_locl.h: we need a protocol version string
* lib/hdb/hdb-ldap.c: use ASN1_MALLOC_ENCODE
* kdc/kerberos5.c: use ASN1_MALLOC_ENCODE
* kdc/hprop.c: set AP_OPTS_USE_SUBKEY
* lib/hdb/common.c: use ASN1_MALLOC_ENCODE
* lib/asn1/gen.c: add convenience macro that allocates a buffer
and encoded into that
* lib/krb5/get_cred.c (init_tgs_req): use
in_creds->session.keytype literally instead of trying to convert
to a list of enctypes (it should already be an enctype)
* lib/krb5/get_cred.c (init_tgs_req): init ret
2002-09-03 Johan Danielsson <joda@pdc.kth.se>
* lib/asn1/k5.asn1: remove ETYPE_DES3_CBC_NONE_IVEC
* lib/krb5/krb5.h: remove ENCTYPE_DES3_CBC_NONE_IVEC
* lib/krb5/crypto.c: get rid of DES3_CBC_encrypt_ivec, just use
zero ivec in DES3_CBC_encrypt if passed ivec is NULL
* lib/krb5/Makefile.am: back out 1.144, since it will re-create
krb5-protos.h at build-time, which requires perl, which is bad
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't
blindly use the local subkey
* lib/krb5/crypto.c: add function krb5_crypto_getblocksize that
extracts the required blocksize from a crypto context
* lib/krb5/build_auth.c: just get the length of the encoded
authenticator instead of trying to grow a buffer
2002-09-03 Assar Westerlund <assar@kth.se>
* configure.in: add --disable-mmap option, and tests for
sys/mman.h and mmap
2002-09-03 Jacques Vidrine <nectar@kth.se>
* lib/krb5/changepw.c: verify lengths in response
* lib/asn1/der_get.c (decode_integer, decode_unsigned): check for
truncated integers
2002-09-02 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/mk_req_ext.c: generate a local subkey if
AP_OPTS_USE_SUBKEY is set
* lib/krb5/build_auth.c: we don't have enough information about
whether to generate a local subkey here, so don't try to
* lib/krb5/auth_context.c: new function
krb5_auth_con_generatelocalsubkey
* lib/krb5/get_in_tkt.c: only set kdc_sec_offset if looking at an
initial ticket
* lib/krb5/context.c (init_context_from_config_file): simplify
initialisation of srv_lookup
* lib/krb5/changepw.c (send_request): set AP_OPTS_USE_SUBKEY
* lib/krb5/krb5.h: add AP_OPTS_USE_SUBKEY
2002-08-30 Assar Westerlund <assar@kth.se>
* lib/krb5/name-45-test.c: also test krb5_524_conv_principal
* lib/krb5/Makefile.am (TESTS): add name-45-test
* lib/krb5/name-45-test.c: add testcases for
krb5_425_conv_principal
2002-08-29 Assar Westerlund <assar@kth.se>
* lib/krb5/parse-name-test.c: also test unparse_short functions
* lib/asn1/asn1_print.c: use com_err/error_message API
* lib/krb5/Makefile.am: add parse-name-test
* lib/krb5/parse-name-test.c: add a program for testing parsing
and unparsing principal names
2002-08-28 Assar Westerlund <assar@kth.se>
* kdc/config.c: add missing ifdef DAEMON
2002-08-28 Johan Danielsson <joda@pdc.kth.se>
* configure.in: use rk_SUNOS
* kdc/config.c: add detach options
* kdc/main.c: maybe detach from console?
* kdc/kdc.8: markup changes
* configure.in: AC_TEST_PACKAGE_NEW -> rk_TEST_PACKAGE
* configure.in: use rk_TELNET, rename some other macros, and don't
add -ldes to krb4 link command
* kuser/kinit.1: whitespace fix (from NetBSD)
* include/bits.c: we may need unistd.h for ssize_t
2002-08-26 Assar Westerlund <assar@kth.se>
* lib/krb5/principal.c (krb5_425_conv_principal_ext): lookup AAAA
rrs before A ones when using the resolver to verify a mapping,
also use getaddrinfo when resolver is not available
* lib/hdb/keytab.c (find_db): const-correctness in parameters to
krb5_config_get_next
* lib/asn1/gen.c: include <string.h> in the generated files (for
memset)
2002-08-22 Assar Westerlund <assar@kth.se>
* lib/krb5/test_get_addrs.c, lib/krb5/krbhst-test.c: make it use
getarg so that it can handle --help and --version (and thus make
check can pass)
* lib/asn1/check-der.c: make this build again
2002-08-22 Assar Westerlund <assar@kth.se>
* lib/asn1/der_get.c (der_get_int): handle len == 0. based on a
patch from Love <lha@stacken.kth.se>
2002-08-22 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/krb5.h: we seem to call KRB5KDC_ERR_KEY_EXP
KRB5KDC_ERR_KEY_EXPIRED, so define the former to the latter
* kdc/kdc.8: add blurb about adding and removing addresses; update
kdc.conf section to match reality
* configure.in: KRB_SENDAUTH_VLEN seems to always have existed, so
don't define it
2002-08-21 Assar Westerlund <assar@kth.se>
* lib/asn1/asn1_print.c: print OIDs too, based on a patch from
Love <lha@stacken.kth.se>
2002-08-21 Johan Danielsson <joda@pdc.kth.se>
* kuser/kinit.c (do_v4_fallback): don't use krb_get_pw_in_tkt2
since it might not exist, and we don't actually care about the key
2002-08-20 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/krb5.conf.5: correct documentation for
verify_ap_req_nofail
* lib/krb5/log.c: rename syslog_data to avoid name conflicts (from
Mattias Amnefelt)
* kuser/klist.c (display_tokens): increase token buffer size, and
add more checks of the kernel data (from Love)
2002-08-19 Johan Danielsson <joda@pdc.kth.se>
* fix-export: use make to parse Makefile.am instead of perl
* configure.in: use argument-less AM_INIT_AUTOMAKE, now that it
groks AC_INIT with package name etc.
* kpasswd/kpasswdd.c: include <kadm5/private.h>
* lib/asn1/asn1_print.c: include com_right.h
* lib/krb5/addr_families.c: socklen_t -> krb5_socklen_t
* include/bits.c: define krb5_socklen_t type; this should really
go someplace else, but this was easy
* lib/krb5/verify_krb5_conf.c: don't bail out if parsing of a file
fails, just warn about it
* kdc/log.c (kdc_openlog): no need for a config_file parameter
* kdc/config.c: just treat kdc.conf like any other config file
* lib/krb5/context.c (krb5_get_default_config_files): ignore
duplicate files
2002-08-16 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/krb5.h: turn strings into pointers, so we can assign to
them
* lib/krb5/constants.c: turn strings into pointers, so we can
assign to them
* lib/krb5/get_addrs.c (get_addrs_int): initialise res if
SCAN_INTERFACES is not set
* lib/krb5/context.c: fix various borked stuff in previous commits
2002-08-16 Jacques Vidrine <n@nectar.com>
* lib/krb5/krbhst.c (kpasswd_get_next): if we fall back to using
the `admin_server' entry for kpasswd, override the `proto' result
to be UDP.
2002-08-15 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/auth_context.c: check return value of
krb5_sockaddr2address
* lib/krb5/addr_families.c: check return value of
krb5_sockaddr2address
* lib/krb5/context.c: get the default keytab from KRB5_KTNAME
2002-08-14 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/verify_krb5_conf.c: allow parsing of more than one file
* lib/krb5/context.c: allow changing config files with the
function krb5_set_config_files, there are also related functions
krb5_get_default_config_files and krb5_free_config_files; these
should work similar to their MIT counterparts
* lib/krb5/config_file.c: allow the use of more than one config
file by using the new function krb5_config_parse_file_multi
2002-08-12 Johan Danielsson <joda@pdc.kth.se>
* use sysconfdir instead of /etc
* configure.in: require autoconf 2.53; rename dpagaix_LDFLAGS etc
to appease automake; force sysconfdir and localstatedir to /etc
and /var/heimdal for now
* kdc/connect.c (addr_to_string): check return value of
sockaddr2address
2002-08-09 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/rd_cred.c: if the remote address isn't an addrport,
don't try comparing to one; this should make old clients work with
new servers
* lib/asn1/gen_decode.c: remove unused variable
2002-07-31 Johan Danielsson <joda@pdc.kth.se>
* kdc/{kerberos5,524}.c: ENOENT -> HDB_ERR_NOENTRY (from Derrick
Brashear)
* lib/krb5/principal.c: actually lower case the lower case
instance name (spotted by Derrick Brashear)
2002-07-24 Johan Danielsson <joda@pdc.kth.se>
* fix-export: if DATEDVERSION is set, change the version to
current date
* configure.in: don't use AC_PROG_RANLIB, and use magic foo to set
LTLIBOBJS
2002-07-04 Johan Danielsson <joda@pdc.kth.se>
* kdc/connect.c: add some cache-control-foo to the http responses
(from Gombas Gabor)
* lib/krb5/addr_families.c (krb5_print_address): don't copy size
if ret_len == NULL
2002-06-28 Johan Danielsson <joda@pdc.kth.se>
* kuser/klist.c (display_tokens): don't bail out before we get
EDOM (signaling the end of the tokens), the kernel can also return
ENOTCONN, meaning that the index does not exist anymore (for
example if the token has expired)
2002-06-06 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/changepw.c: make sure we return an error if there are
no changepw hosts found; from Wynn Wilkes
2002-05-29 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/cache.c (krb5_cc_register): break out of loop when the
same type is found; spotted by Wynn Wilkes
2002-05-28 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/keytab_file.c: check size of entry before trying to
read 32-bit kvno; also fix typo in previous
2002-05-24 Johan Danielsson <joda@pdc.kth.se>
* include/Makefile.am: only add to INCLUDES
* lib/45/mk_req.c: fix for storage change
* lib/hdb/print.c: fix for storage change
2002-05-15 Johan Danielsson <joda@pdc.kth.se>
* kdc/kerberos5.c: don't free encrypted padata until we're really
done with it
2002-05-07 Johan Danielsson <joda@pdc.kth.se>
* kdc/kerberos5.c: when decrypting pa-data, try all keys matching
enctype
* kuser/kinit.1: document -a
* kuser/kinit.c: add command line switch for extra addresses
2002-04-30 Johan Danielsson <joda@blubb.pdc.kth.se>
* configure.in: remove some duplicate tests
* configure.in: use AC_HELP_STRING
2002-04-29 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/crypto.c (usage2arcfour): don't abort if the usage is
unknown
2002-04-25 Johan Danielsson <joda@pdc.kth.se>
* configure.in: use rk_DESTDIRS
2002-04-22 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/krb5_verify_user.3: make it clear that _lrealm modifies
the principal
2002-04-19 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/verify_init.c: fix typo in error string
2002-04-18 Johan Danielsson <joda@pdc.kth.se>
* acconfig.h: remove some stuff that is defined elsewhere
* lib/krb5/krb5_locl.h: include <sys/file.h>
* lib/krb5/acl.c: rename acl_string parameter
* lib/krb5/Makefile.am: remove __P from protos, and put parameter
names in comments
* kuser/klist.c: better align some headers
* kdc/kerberos4.c: storage tweaks
* kdc/kaserver.c: storage tweaks
* kdc/524.c: storage tweaks
* lib/krb5/keytab_krb4.c: storage tweaks
* lib/krb5/keytab_keyfile.c: storage tweaks
* lib/krb5/keytab_file.c: storage tweaks; also try to handle zero
sized keytab files
* lib/krb5/keytab_any.c: use KRB5_KT_END instead of KRB5_CC_END
* lib/krb5/fcache.c: storage tweaks
* lib/krb5/store_mem.c: make the krb5_storage opaque, and add
function wrappers for store/fetch/seek, and also make the eof-code
configurable
* lib/krb5/store_fd.c: make the krb5_storage opaque, and add
function wrappers for store/fetch/seek, and also make the eof-code
configurable
* lib/krb5/store_emem.c: make the krb5_storage opaque, and add
function wrappers for store/fetch/seek, and also make the eof-code
configurable
* lib/krb5/store.c: make the krb5_storage opaque, and add function
wrappers for store/fetch/seek, and also make the eof-code
configurable
* lib/krb5/store-int.h: make the krb5_storage opaque, and add
function wrappers for store/fetch/seek, and also make the eof-code
configurable
* lib/krb5/krb5.h: make the krb5_storage opaque, and add function
wrappers for store/fetch/seek, and also make the eof-code
configurable
* include/bits.c: include <sys/socket.h> to get socklen_t
* kdc/kerberos5.c (get_pa_etype_info): sort ETYPE-INFOs by
requested KDC-REQ etypes
* kdc/hpropd.c: constify
* kdc/hprop.c: constify
* kdc/string2key.c: constify
* kdc/kdc_locl.h: make port_str const
* kdc/config.c: constify
* lib/krb5/config_file.c: constify
* kdc/kstash.c: constify
* lib/krb5/verify_user.c: remove unnecessary cast
* lib/krb5/recvauth.c: constify
* lib/krb5/principal.c (krb5_parse_name): const qualify
* lib/krb5/mcache.c (mcc_get_name): constify return type
* lib/krb5/context.c (krb5_free_context): don't try to free the
ccache prefix
* lib/krb5/cache.c (krb5_cc_register): don't make a copy of the
prefix
* lib/krb5/krb5.h: constify some struct members
* lib/krb5/log.c: constify
* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): const
qualify
* lib/krb5/get_in_tkt.c (krb5_init_etype): constify
* lib/krb5/crypto.c: constify some
* lib/krb5/config_file.c: constify
* lib/krb5/aname_to_localname.c (krb5_aname_to_localname):
constify local variable
* lib/krb5/addr_families.c (ipv4_sockaddr2port): constify
2002-04-17 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/verify_krb5_conf.c: add some log checking
* lib/krb5/log.c (krb5_addlog_dest): reorganise syslog parsing
2002-04-16 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/crypto.c (krb5_crypto_init): check that the key size
matches the expected length
2002-03-27 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/send_to_kdc.c: rename send parameter to send_data
* lib/krb5/mk_error.c: rename ctime parameter to client_time
2002-03-22 Johan Danielsson <joda@pdc.kth.se>
* kdc/kerberos5.c (find_etype): unsigned -> krb5_enctype (from
Reinoud Zandijk)
2002-03-18 Johan Danielsson <joda@pdc.kth.se>
* lib/asn1/k5.asn1: add the GSS-API checksum type here
2002-03-11 Assar Westerlund <assar@sics.se>
* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to
18:3:1
* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:5:0
* lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 6:0:0
2002-03-10 Assar Westerlund <assar@sics.se>
* lib/krb5/rd_cred.c: handle addresses with port numbers
* lib/krb5/keytab_file.c, lib/krb5/keytab.c:
store the kvno % 256 as the byte and the complete 32 bit kvno after
the end of the current keytab entry
* lib/krb5/init_creds_pw.c:
handle LR_PW_EXPTIME and LR_ACCT_EXPTIME in the same way
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
handle ports giving for the remote address
* lib/krb5/get_cred.c:
get a ticket with no addresses if no-addresses is set
* lib/krb5/crypto.c:
rename functions DES_* to krb5_* to avoid colliding with modern
openssl
* lib/krb5/addr_families.c:
make all functions taking 'struct sockaddr' actually take a socklen_t
instead of int and that acts as an in-out parameter (indicating the
maximum length of the sockaddr to be written)
* kdc/kerberos4.c:
make the kvno's in the krb4 universe by the real one % 256, since they
cannot only be 8 bit, and the v5 ones are actually 32 bits
2002-02-15 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/keytab_keyfile.c (akf_add_entry): don't create the file
before we need to write to it
(from Åke Sandgren)
2002-02-14 Johan Danielsson <joda@pdc.kth.se>
* configure.in: rk_RETSIGTYPE and rk_BROKEN_REALLOC are called via
rk_ROKEN (from Gombas Gabor); find inttypes by CHECK_TYPES
directly
* lib/krb5/rd_safe.c: actually use the correct key (from Daniel
Kouril)
2002-02-12 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/context.c (krb5_get_err_text): protect against NULL
context
2002-02-11 Johan Danielsson <joda@pdc.kth.se>
* admin/ktutil.c: no need to use the "modify" keytab anymore
* lib/krb5/keytab_any.c: implement add and remove
* lib/krb5/keytab_krb4.c: implement add and remove
* lib/krb5/store_emem.c (emem_free): clear memory before freeing
(this should perhaps be selectable with a flag)
2002-02-04 Johan Danielsson <joda@pdc.kth.se>
* kdc/config.c (get_dbinfo): if there are database specifications
in the config file, don't automatically try to use the default
values (from Gombas Gabor)
* lib/krb5/log.c (krb5_closelog): don't pass pointer to pointer
(from Gombas Gabor)
2002-01-30 Johan Danielsson <joda@pdc.kth.se>
* admin/list.c: get the default keytab from krb5.conf, and list
all parts of an ANY type keytab
* lib/krb5/context.c: default default_keytab_modify to NULL
* lib/krb5/keytab.c (krb5_kt_default_modify_name): if no modify
name is specified take it from the first component of the default
keytab name
2002-01-29 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/keytab.c: compare keytab types case insensitively
2002-01-07 Assar Westerlund <assar@sics.se>
* lib/krb5/crypto.c (create_checksum): make usage `unsigned' (it's
not really a krb5_key_usage). From Ben Harris <bjh21@netbsd.org>
* lib/krb5/get_in_tkt.c: use krb5_enctype consistently. From Ben
Harris <bjh21@netbsd.org>
* lib/krb5/crypto.c: use krb5_enctype consistently. From Ben
Harris <bjh21@netbsd.org>
* kdc/kerberos5.c: use krb5_enctype consistently. From Ben Harris
<bjh21@netbsd.org>

1795
ChangeLog.2003 Normal file
View File

File diff suppressed because it is too large Load Diff

1485
ChangeLog.2004 Normal file
View File

File diff suppressed because it is too large Load Diff

2004
ChangeLog.2005 Normal file
View File

File diff suppressed because it is too large Load Diff

2047
ChangeLog.2006 Normal file
View File

File diff suppressed because it is too large Load Diff

1321
ChangeLog.2007 Normal file
View File

File diff suppressed because it is too large Load Diff

29428
Heimdal.xcodeproj/project.pbxproj Normal file
View File

File diff suppressed because it is too large Load Diff

33
LICENSE Normal file
View File

@ -0,0 +1,33 @@
Copyright (c) 1995 - 2011 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the Institute nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
Please see info documentation for the complete list of licenses.

58
Makefile.am Normal file
View File

@ -0,0 +1,58 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
if KCM
kcm_dir = kcm
endif
SUBDIRS= include base lib kuser kdc admin kadmin kpasswd
SUBDIRS+= $(kcm_dir) appl tools tests packages etc po
if HEIMDAL_DOCUMENTATION
SUBDIRS+= doc
endif
## ACLOCAL = @ACLOCAL@ -I cf
ACLOCAL_AMFLAGS = -I cf
EXTRA_DIST = \
NTMakefile \
windows \
TODO \
LICENSE \
README \
ChangeLog \
ChangeLog.1998 \
ChangeLog.1999 \
ChangeLog.2000 \
ChangeLog.2001 \
ChangeLog.2002 \
ChangeLog.2003 \
ChangeLog.2004 \
ChangeLog.2005 \
ChangeLog.2006 \
Makefile.am.common \
autogen.sh \
krb5.conf \
cf/make-proto.pl \
cf/install-catman.sh \
cf/ChangeLog \
cf/c-function.m4 \
cf/ChangeLog \
cf/have-pragma-weak.m4 \
cf/have-types.m4 \
cf/krb-func-getcwd-broken.m4 \
cf/krb-prog-ranlib.m4 \
cf/krb-prog-yacc.m4 \
cf/krb-sys-aix.m4 \
cf/krb-sys-nextstep.m4 \
cf/krb-version.m4 \
cf/roken.m4 \
cf/valgrind-suppressions \
cf/vararray.m4
print-distdir:
@echo $(distdir)

4
Makefile.am.common Normal file
View File

@ -0,0 +1,4 @@
# $Id$
include $(top_srcdir)/cf/Makefile.am.common

32
Modules/GSS-iPhoneOS.modulemap Normal file
View File

@ -0,0 +1,32 @@
framework module GSS [extern_c] {
export *
header "gssapi.h"
module apple {
header "gssapi_apple.h"
export *
}
explicit module krb5 {
header "gssapi_krb5.h"
export *
}
module oid {
header "gssapi_oid.h"
export *
}
module protos {
header "gssapi_protos.h"
export *
}
module spnego {
header "gssapi_spnego.h"
export *
}
}

42
Modules/GSS.modulemap Normal file
View File

@ -0,0 +1,42 @@
framework module GSS [extern_c] {
export *
header "gssapi.h"
module apple {
header "gssapi_apple.h"
export *
}
explicit module krb5 {
header "gssapi_krb5.h"
export *
}
explicit module netlogon {
header "gssapi_netlogon.h"
export *
}
explicit module ntlm {
header "gssapi_ntlm.h"
export *
}
module oid {
header "gssapi_oid.h"
export *
}
module protos {
header "gssapi_protos.h"
export *
}
module spnego {
header "gssapi_spnego.h"
export *
}
}

968
NEWS Normal file
View File

@ -0,0 +1,968 @@
Release Notes - Heimdal - Version Heimdal 1.5.1
Bug fixes
- Fix building on Solaris, requires c99
- Fix building on Windows
- Build system updates
Release Notes - Heimdal - Version Heimdal 1.5
New features
- Support GSS name extensions/attributes
- SHA512 support
- No Kerberos 4 support
- Basic support for MIT Admin protocol (SECGSS flavor)
in kadmind (extract keytab)
- Replace editline with libedit
Release Notes - Heimdal - Version Heimdal 1.4
New features
- Support for reading MIT database file directly
- KCM is polished up and now used in production
- NTLM first class citizen, credentials stored in KCM
- Table driven ASN.1 compiler, smaller!, not enabled by default
- Native Windows client support
Notes
- Disabled write support NDBM hdb backend (read still in there) since
it can't handle large records, please migrate to a diffrent backend
(like BDB4)
Release Notes - Heimdal - Version Heimdal 1.3.3
Bug fixes
- Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
- Check NULL pointers before dereference them [kdc]
Release Notes - Heimdal - Version Heimdal 1.3.2
Bug fixes
- Don't mix length when clearing hmac (could memset too much)
- More paranoid underrun checking when decrypting packets
- Check the password change requests and refuse to answer empty packets
- Build on OpenSolaris
- Renumber AD-SIGNED-TICKET since it was stolen from US
- Don't cache /dev/*random file descriptor, it doesn't get unloaded
- Make C++ safe
- Misc warnings
Release Notes - Heimdal - Version Heimdal 1.3.1
Bug fixes
- Store KDC offset in credentials
- Many many more bug fixes
Release Notes - Heimdal - Version Heimdal 1.3.1
New features
- Make work with OpenLDAPs krb5 overlay
Release Notes - Heimdal - Version Heimdal 1.3
New features
- Partial support for MIT kadmind rpc protocol in kadmind
- Better support for finding keytab entries when using SPN aliases in the KDC
- Support BER in ASN.1 library (needed for CMS)
- Support decryption in Keychain private keys
- Support for new sqlite based credential cache
- Try both KDC referals and the common DNS reverse lookup in GSS-API
- Fix the KCM to not leak resources on failure
- Add IPv6 support to iprop
- Support localization of error strings in
kinit/klist/kdestroy and Kerberos library
- Remove Kerberos 4 support in application (still in KDC)
- Deprecate DES
- Support i18n password in windows domains (using UTF-8)
- More complete API emulation of OpenSSL in hcrypto
- Support for ECDSA and ECDH when linking with OpenSSL
API changes
- Support for settin friendly name on credential caches
- Move to using doxygen to generate documentation.
- Sprinkling __attribute__((depricated)) for old function to be removed
- Support to export LAST-REQUST information in AS-REQ
- Support for client deferrals in in AS-REQ
- Add seek support for krb5_storage.
- Support for split AS-REQ, first step for IA-KERB
- Fix many memory leaks and bugs
- Improved regression test
- Support krb5_cccol
- Switch to krb5_set_error_message
- Support krb5_crypto_*_iov
- Switch to use EVP for most function
- Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
- Add support for GSS_C_DELEG_POLICY_FLAG
- Add krb5_cc_[gs]et_config to store data in the credential caches
- PTY testing application
Bugfixes
- Make building on AIX6 possible.
- Bugfixes in LDAP KDC code to make it more stable
- Make ipropd-slave reconnect when master down gown
Release Notes - Heimdal - Version Heimdal 1.2.1
* Bug
[HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
[HEIMDAL-151] - Make canned tests work again after cert expired
[HEIMDAL-152] - iprop test: use full hostname to avoid realm
resolving errors
[HEIMDAL-153] - ftp: Use the correct length for unmap, msync
Release Notes - Heimdal - Version Heimdal 1.2
* Bug
[HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
gss_display_name/gss_export_name when using SPNEGO
[HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
[HEIMDAL-17] - Remove support for depricated [libdefaults]capath
[HEIMDAL-52] - hdb overwrite aliases for db databases
[HEIMDAL-54] - Two issues which affect credentials delegation
[HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
[HEIMDAL-62] - Fix printing of sig_atomic_t
[HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
[HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
[HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
* Improvement
[HEIMDAL-67] - Fix locking and store credential in atomic writes
in the FILE credential cache
[HEIMDAL-106] - make compile on cygwin again
[HEIMDAL-107] - Replace old random key generation in des module
and use it with RAND_ function instead
[HEIMDAL-115] - Better documentation and compatibility in hcrypto
in regards to OpenSSL
* New Feature
[HEIMDAL-3] - pkinit alg agility PRF test vectors
[HEIMDAL-14] - Add libwind to Heimdal
[HEIMDAL-16] - Use libwind in hx509
[HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
the negotiation
[HEIMDAL-74] - Add support to report extended error message back
in AS-REQ to support windows clients
[HEIMDAL-116] - test pty based application (using rkpty)
[HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
* Task
[HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
This drop compatibility with pre 0.3d KDCs.
[HEIMDAL-64] - kcm: first implementation of kcm-move-cache
[HEIMDAL-65] - Failed to compile with --disable-pk-init
[HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
wraparound checks doesn't apply to Heimdal
Changes in release 1.1
* Read-only PKCS11 provider built-in to hx509.
* Documentation for hx509, hcrypto and ntlm libraries improved.
* Better compatibilty with Windows 2008 Server pre-releases and Vista.
* Mac OS X 10.5 support for native credential cache.
* Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
* Bug fixes.
Changes in release 1.0.2
* Ubuntu packages.
* Bug fixes.
Changes in release 1.0.1
* Serveral bug fixes to iprop.
* Make work on platforms without dlopen.
* Add RFC3526 modp group14 as default.
* Handle [kdc] database = { } entries without realm = stanzas.
* Make krb5_get_renewed_creds work.
* Make kaserver preauth work again.
* Bug fixes.
Changes in release 1.0
* Add gss_pseudo_random() for mechglue and krb5.
* Make session key for the krbtgt be selected by the best encryption
type of the client.
* Better interoperability with other PK-INIT implementations.
* Inital support for Mac OS X Keychain for hx509.
* Alias support for inital ticket requests.
* Add symbol versioning to selected libraries on platforms that uses
GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
* New version of imath included in hcrypto.
* Fix memory leaks.
* Bugs fixes.
Changes in release 0.8.1
* Make ASN.1 library less paranoid to with regard to NUL in string to
make it inter-operate with MIT Kerberos again.
* Make GSS-API library work again when using gss_acquire_cred
* Add symbol versioning to libgssapi when using GNU ld.
* Fix memory leaks
* Bugs fixes
Changes in release 0.8
* PK-INIT support.
* HDB extensions support, used by PK-INIT.
* New ASN.1 compiler.
* GSS-API mechglue from FreeBSD.
* Updated SPNEGO to support RFC4178.
* Support for Cryptosystem Negotiation Extension (RFC 4537).
* A new X.509 library (hx509) and related crypto functions.
* A new ntlm library (heimntlm) and related crypto functions.
* Updated the built-in crypto library with bignum support using
imath, support for RSA and DH and renamed it to libhcrypto.
* Subsystem in the KDC, digest, that will perform the digest
operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
DIGEST-MD5 NTLMv1 and NTLMv2.
* KDC will return the "response too big" error to force TCP retries
for large (default 1400 bytes) UDP replies. This is common for
PK-INIT requests.
* Libkafs defaults to use 2b tokens.
* Default to use the API cache on Mac OS X.
* krb5_kuserok() also checks ~/.k5login.d directory for acl files,
see manpage for krb5_kuserok for description.
* Many, many, other updates to code and info manual and manual pages.
* Bug fixes
Changes in release 0.7.2
* Fix security problem in rshd that enable an attacker to overwrite
and change ownership of any file that root could write.
* Fix a DOS in telnetd. The attacker could force the server to crash
in a NULL de-reference before the user logged in, resulting in inetd
turning telnetd off because it forked too fast.
* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
exists in the keytab before returning success. This allows servers
to check if its even possible to use GSSAPI.
* Fix receiving end of token delegation for GSS-API. It still wrongly
uses subkey for sending for compatibility reasons, this will change
in 0.8.
* telnetd, login and rshd are now more verbose in logging failed and
successful logins.
* Bug fixes
Changes in release 0.7.1
* Bug fixes
Changes in release 0.7
* Support for KCM, a process based credential cache
* Support CCAPI credential cache
* SPNEGO support
* AES (and the gssapi conterpart, CFX) support
* Adding new and improve old documentation
* Bug fixes
Changes in release 0.6.6
* Fix security problem in rshd that enable an attacker to overwrite
and change ownership of any file that root could write.
* Fix a DOS in telnetd. The attacker could force the server to crash
in a NULL de-reference before the user logged in, resulting in inetd
turning telnetd off because it forked too fast.
Changes in release 0.6.5
* fix vulnerabilities in telnetd
* unbreak Kerberos 4 and kaserver
Changes in release 0.6.4
* fix vulnerabilities in telnet
* rshd: encryption without a separate error socket should now work
* telnet now uses appdefaults for the encrypt and forward/forwardable
settings
* bug fixes
Changes in release 0.6.3
* fix vulnerabilities in ftpd
* support for linux AFS /proc "syscalls"
* support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
kpasswdd
* fix possible KDC denial of service
* bug fixes
Changes in release 0.6.2
* Fix possible buffer overrun in v4 kadmin (which now defaults to off)
Changes in release 0.6.1
* Fixed ARCFOUR suppport
* Cross realm vulnerability
* kdc: fix denial of service attack
* kdc: stop clients from renewing tickets into the future
* bug fixes
Changes in release 0.6
* The DES3 GSS-API mechanism has been changed to inter-operate with
other GSSAPI implementations. See man page for gssapi(3) how to turn
on generation of correct MIC messages. Next major release of heimdal
will generate correct MIC by default.
* More complete GSS-API support
* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
support in applications no longer requires Kerberos 4 libs
* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
* other bug fixes
Changes in release 0.5.2
* kdc: add option for disabling v4 cross-realm (defaults to off)
* bug fixes
Changes in release 0.5.1
* kadmind: fix remote exploit
* kadmind: add option to disable kerberos 4
* kdc: make sure kaserver token life is positive
* telnet: use the session key if there is no subkey
* fix EPSV parsing in ftp
* other bug fixes
Changes in release 0.5
* add --detach option to kdc
* allow setting forward and forwardable option in telnet from
.telnetrc, with override from command line
* accept addresses with or without ports in krb5_rd_cred
* make it work with modern openssl
* use our own string2key function even with openssl (that handles weak
keys incorrectly)
* more system-specific requirements in login
* do not use getlogin() to determine root in su
* telnet: abort if telnetd does not support encryption
* update autoconf to 2.53
* update config.guess, config.sub
* other bug fixes
Changes in release 0.4e
* improve libcrypto and database autoconf tests
* do not care about salting of server principals when serving v4 requests
* some improvements to gssapi library
* test for existing compile_et/libcom_err
* portability fixes
* bug fixes
Changes in release 0.4d
* fix some problems when using libcrypto from openssl
* handle /dev/ptmx `unix98' ptys on Linux
* add some forgotten man pages
* rsh: clean-up and add man page
* fix -A and -a in builtin-ls in tpd
* fix building problem on Irix
* make `ktutil get' more efficient
* bug fixes
Changes in release 0.4c
* fix buffer overrun in telnetd
* repair some of the v4 fallback code in kinit
* add more shared library dependencies
* simplify and fix hprop handling of v4 databases
* fix some building problems (osf's sia and osfc2 login)
* bug fixes
Changes in release 0.4b
* update the shared library version numbers correctly
Changes in release 0.4a
* corrected key used for checksum in mk_safe, unfortunately this
makes it backwards incompatible
* update to autoconf 2.50, libtool 1.4
* re-write dns/config lookups (krb5_krbhst API)
* make order of using subkeys consistent
* add man page links
* add more man pages
* remove rfc2052 support, now only rfc2782 is supported
* always build with kaserver protocol support in the KDC (assuming
KRB4 is enabled) and support for reading kaserver databases in
hprop
Changes in release 0.3f
* change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
the new keytab type that tries both of these in order (SRVTAB is
also an alias for krb4:)
* improve error reporting and error handling (error messages should
be more detailed and more useful)
* improve building with openssl
* add kadmin -K, rcp -F
* fix two incorrect weak DES keys
* fix building of kaserver compat in KDC
* the API is closer to what MIT krb5 is using
* more compatible with windows 2000
* removed some memory leaks
* bug fixes
Changes in release 0.3e
* rcp program included
* fix buffer overrun in ftpd
* handle omitted sequence numbers as zeroes to handle MIT krb5 that
cannot generate zero sequence numbers
* handle v4 /.k files better
* configure/portability fixes
* fixes in parsing of options to kadmin (sub-)commands
* handle errors in kadmin load better
* bug fixes
Changes in release 0.3d
* add krb5-config
* fix a bug in 3des gss-api mechanism, making it compatible with the
specification and the MIT implementation
* make telnetd only allow a specific list of environment variables to
stop it from setting `sensitive' variables
* try to use an existing libdes
* lib/krb5, kdc: use correct usage type for ap-req messages. This
should improve compatability with MIT krb5 when using 3DES
encryption types
* kdc: fix memory allocation problem
* update config.guess and config.sub
* lib/roken: more stuff implemented
* bug fixes and portability enhancements
Changes in release 0.3c
* lib/krb5: memory caches now support the resolve operation
* appl/login: set PATH to some sane default
* kadmind: handle several realms
* bug fixes (including memory leaks)
Changes in release 0.3b
* kdc: prefer default-salted keys on v5 requests
* kdc: lowercase hostnames in v4 mode
* hprop: handle more types of MIT salts
* lib/krb5: fix memory leak
* bug fixes
Changes in release 0.3a:
* implement arcfour-hmac-md5 to interoperate with W2K
* modularise the handling of the master key, and allow for other
encryption types. This makes it easier to import a database from
some other source without having to re-encrypt all keys.
* allow for better control over which encryption types are created
* make kinit fallback to v4 if given a v4 KDC
* make klist work better with v4 and v5, and add some more MIT
compatibility options
* make the kdc listen on the krb524 (4444) port for compatibility
with MIT krb5 clients
* implement more DCE/DFS support, enabled with --enable-dce, see
lib/kdfs and appl/dceutils
* make the sequence numbers work correctly
* bug fixes
Changes in release 0.2t:
* bug fixes
Changes in release 0.2s:
* add OpenLDAP support in hdb
* login will get v4 tickets when it receives forwarded tickets
* xnlock supports both v5 and v4
* repair source routing for telnet
* fix building problems with krb4 (krb_mk_req)
* bug fixes
Changes in release 0.2r:
* fix realloc memory corruption bug in kdc
* `add --key' and `cpw --key' in kadmin
* klist supports listing v4 tickets
* update config.guess and config.sub
* make v4 -> v5 principal name conversion more robust
* support for anonymous tickets
* new man-pages
* telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
* use and set expiration and not password expiration when dumping
to/from ka server databases / krb4 databases
* make the code happier with 64-bit time_t
* follow RFC2782 and by default do not look for non-underscore SRV names
Changes in release 0.2q:
* bug fix in tcp-handling in kdc
* bug fix in expand_hostname
Changes in release 0.2p:
* bug fix in `kadmin load/merge'
* bug fix in krb5_parse_address
Changes in release 0.2o:
* gss_{import,export}_sec_context added to libgssapi
* new option --addresses to kdc (for listening on an explicit set of
addresses)
* bug fixes in the krb4 and kaserver emulation part of the kdc
* other bug fixes
Changes in release 0.2n:
* more robust parsing of dump files in kadmin
* changed default timestamp format for log messages to extended ISO
8601 format (Y-M-DTH:M:S)
* changed md4/md5/sha1 APIes to be de-facto `standard'
* always make hostname into lower-case before creating principal
* small bits of more MIT-compatability
* bug fixes
Changes in release 0.2m:
* handle glibc's getaddrinfo() that returns several ai_canonname
* new endian test
* man pages fixes
Changes in release 0.2l:
* bug fixes
Changes in release 0.2k:
* better IPv6 test
* make struct sockaddr_storage in roken work better on alphas
* some missing [hn]to[hn]s fixed.
* allow users to change their own passwords with kadmin (with initial
tickets)
* fix stupid bug in parsing KDC specification
* add `ktutil change' and `ktutil purge'
Changes in release 0.2j:
* builds on Irix
* ftpd works in passive mode
* should build on cygwin
* work around broken IPv6-code on OpenBSD 2.6, also add configure
option --disable-ipv6
Changes in release 0.2i:
* use getaddrinfo in the missing places.
* fix SRV lookup for admin server
* use get{addr,name}info everywhere. and implement it in terms of
getipnodeby{name,addr} (which uses gethostbyname{,2} and
gethostbyaddr)
Changes in release 0.2h:
* fix typo in kx (now compiles)
Changes in release 0.2g:
* lots of bug fixes:
* push works
* repair appl/test programs
* sockaddr_storage works on solaris (alignment issues)
* works better with non-roken getaddrinfo
* rsh works
* some non standard C constructs removed
Changes in release 0.2f:
* support SRV records for kpasswd
* look for both _kerberos and krb5-realm when doing host -> realm mapping
Changes in release 0.2e:
* changed copyright notices to remove `advertising'-clause.
* get{addr,name}info added to roken and used in the other code
(this makes things work much better with hosts with both v4 and v6
addresses, among other things)
* do pre-auth for both password and key-based get_in_tkt
* support for having several databases
* new command `del_enctype' in kadmin
* strptime (and new strftime) add to roken
* more paranoia about finding libdb
* bug fixes
Changes in release 0.2d:
* new configuration option [libdefaults]default_etypes_des
* internal ls in ftpd builds without KRB4
* kx/rsh/push/pop_debug tries v5 and v4 consistenly
* build bug fixes
* other bug fixes
Changes in release 0.2c:
* bug fixes (see ChangeLog's for details)
Changes in release 0.2b:
* bug fixes
* actually bump shared library versions
Changes in release 0.2a:
* a new program verify_krb5_conf for checking your /etc/krb5.conf
* add 3DES keys when changing password
* support null keys in database
* support multiple local realms
* implement a keytab backend for AFS KeyFile's
* implement a keytab backend for v4 srvtabs
* implement `ktutil copy'
* support password quality control in v4 kadmind
* improvements in v4 compat kadmind
* handle the case of having the correct cred in the ccache but with
the wrong encryption type better
* v6-ify the remaining programs.
* internal ls in ftpd
* rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
* add `ank --random-password' and `cpw --random-password' in kadmin
* some programs and documentation for trying to talk to a W2K KDC
* bug fixes
Changes in release 0.1m:
* support for getting default from krb5.conf for kinit/kf/rsh/telnet.
From Miroslav Ruda <ruda@ics.muni.cz>
* v6-ify hprop and hpropd
* support numeric addresses in krb5_mk_req
* shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
* make rsh/rshd IPv6-aware
* make the gssapi sample applications better at reporting errors
* lots of bug fixes
* handle systems with v6-aware libc and non-v6 kernels (like Linux
with glibc 2.1) better
* hide failure of ERPT in ftp
* lots of bug fixes
Changes in release 0.1l:
* make ftp and ftpd IPv6-aware
* add inet_pton to roken
* more IPv6-awareness
* make mini_inetd v6 aware
Changes in release 0.1k:
* bump shared libraries versions
* add roken version of inet_ntop
* merge more changes to rshd
Changes in release 0.1j:
* restore back to the `old' 3DES code. This was supposed to be done
in 0.1h and 0.1i but I did a CVS screw-up.
* make telnetd handle v6 connections
Changes in release 0.1i:
* start using `struct sockaddr_storage' which simplifies the code
(with a fallback definition if it's not defined)
* bug fixes (including in hprop and kf)
* don't use mawk which seems to mishandle roken.awk
* get_addrs should be able to handle v6 addresses on Linux (with the
required patch to the Linux kernel -- ask within)
* rshd builds with shadow passwords
Changes in release 0.1h:
* kf: new program for forwarding credentials
* portability fixes
* make forwarding credentials work with MIT code
* better conversion of ka database
* add etc/services.append
* correct `modified by' from kpasswdd
* lots of bug fixes
Changes in release 0.1g:
* kgetcred: new program for explicitly obtaining tickets
* configure fixes
* krb5-aware kx
* bug fixes
Changes in release 0.1f;
* experimental support for v4 kadmin protokoll in kadmind
* bug fixes
Changes in release 0.1e:
* try to handle old DCE and MIT kdcs
* support for older versions of credential cache files and keytabs
* postdated tickets work
* support for password quality checks in kpasswdd
* new flag --enable-kaserver for kdc
* renew fixes
* prototype su program
* updated (some) manpages
* support for KDC resource records
* should build with --without-krb4
* bug fixes
Changes in release 0.1d:
* Support building with DB2 (uses 1.85-compat API)
* Support krb5-realm.DOMAIN in DNS
* new `ktutil srvcreate'
* v4/kafs support in klist/kdestroy
* bug fixes
Changes in release 0.1c:
* fix ASN.1 encoding of signed integers
* somewhat working `ktutil get'
* some documentation updates
* update to Autoconf 2.13 and Automake 1.4
* the usual bug fixes
Changes in release 0.1b:
* some old -> new crypto conversion utils
* bug fixes
Changes in release 0.1a:
* new crypto code
* more bug fixes
* make sure we ask for DES keys in gssapi
* support signed ints in ASN1
* IPv6-bug fixes
Changes in release 0.0u:
* lots of bug fixes
Changes in release 0.0t:
* more robust parsing of krb5.conf
* include net{read,write} in lib/roken
* bug fixes
Changes in release 0.0s:
* kludges for parsing options to rsh
* more robust parsing of krb5.conf
* removed some arbitrary limits
* bug fixes
Changes in release 0.0r:
* default options for some programs
* bug fixes
Changes in release 0.0q:
* support for building shared libraries with libtool
* bug fixes
Changes in release 0.0p:
* keytab moved to /etc/krb5.keytab
* avoid false detection of IPv6 on Linux
* Lots of more functionality in the gssapi-library
* hprop can now read ka-server databases
* bug fixes
Changes in release 0.0o:
* FTP with GSSAPI support.
* Bug fixes.
Changes in release 0.0n:
* Incremental database propagation.
* Somewhat improved kadmin ui; the stuff in admin is now removed.
* Some support for using enctypes instead of keytypes.
* Lots of other improvement and bug fixes, see ChangeLog for details.

42
NTMakefile Normal file
View File

@ -0,0 +1,42 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
!if exist(thirdparty/NTMakefile)
thirdparty=thirdparty
!endif
SUBDIRS = include lib\roken base lib kuser kdc admin kadmin kpasswd appl doc \
tools tests packages etc $(thirdparty) packages\windows\installer
!include windows/NTMakefile.w32
all::
@echo Build finished succesfully

18
README Normal file
View File

@ -0,0 +1,18 @@
Heimdal is a Kerberos 5 implementation.
For information how to install see <http://www.h5l.org/compile.html>.
There are briefer man pages for most of the commands.
Bug reports and bugs are appreciated, see more under Bug reports in
the manual on how we prefer them: <heimdal-bugs@h5l.org>.
For more information see the web-page at
<http://www.h5l.org/> or the mailing lists:
heimdal-announce@sics.se low-volume announcement
heimdal-discuss@sics.se high-volume discussion
send a mail to heimdal-announce-request@sics.se and
heimdal-discuss-request@sics.se respectively to subscribe.

11
README.fast Normal file
View File

@ -0,0 +1,11 @@
-- in order of preference
- client: plugin support for fast plugins
- kdc: plugin support for fast plugins
partly done with "struct kdc_patypes"
- kcm: support FAST armor ticket
-- using PK-INIT anonymous
-- using host key

29
README.pku2u Normal file
View File

@ -0,0 +1,29 @@
draft comments:
- tag for nameNotInCert (GeneralName is a choice)
- TargetName.exportedTargName have spelling error on OCTET STRING
- padata number is wrong (page 13)
still missing:
- storing credentials so we can skip pku2u
- mapping server names into kerberos name
- setting target asserted name
- Make target name have a real meaning
- Implemement GSS_C_NT_DN
- Verify ad-pku2u-client-name in acceptor
How to try:
- sudo dscl . append /Users/lha RecordName 'description=MobileMe Sharing Certificate,CN=bitcollector,OU=me.com,O=Apple Inc.,C=US'
- sudo chmod 644 /etc/krb5.keytab
- /usr/local/libexec/heimdal/bin/test_context --mech-type=PKU2U --mutual-auth --wrap service@host
sudo dscl . append /Users/lha RecordName 55D20C14EE9EB4C41962801D1AD88AD7ACF34D72
sudo dscl . append /Users/lha dsAttrTypeStandard:AltSecurityIdentities 'X509:<T>CN=Apple Root Certificate Authority,OU=Apple Computer Certificate Authority,O=Apple Computer\, Inc.,C=US<S>description=MobileMe Sharing Certificate,CN=bitcollector,OU=me.com,O=Apple Inc.,C=US'

19
Sample/Common/com.apple.Kerberos.plist Normal file
View File

@ -0,0 +1,19 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>logging</key>
<dict>
<key>libkrb5</key>
<string>0-/SYSLOG:</string>
</dict>
<key>realms</key>
<dict>
<key>CSD11.APPLE.COM</key>
<dict>
<key>kdc</key>
<string>csd11.apple.com</string>
</dict>
</dict>
</dict>
</plist>

BIN
Sample/Default-568h@2x.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

545
Sample/GSSSample.xcodeproj/project.pbxproj Normal file
View File

@ -0,0 +1,545 @@
// !$*UTF8*$!
{
archiveVersion = 1;
classes = {
};
objectVersion = 46;
objects = {
/* Begin PBXBuildFile section */
EB16840D146DC0B00019138B /* UIKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EB16840C146DC0B00019138B /* UIKit.framework */; };
EB16840F146DC0B00019138B /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EB16840E146DC0B00019138B /* Foundation.framework */; };
EB168411146DC0B00019138B /* CoreGraphics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EB168410146DC0B00019138B /* CoreGraphics.framework */; };
EB168417146DC0B00019138B /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = EB168415146DC0B00019138B /* InfoPlist.strings */; };
EB168419146DC0B00019138B /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = EB168418146DC0B00019138B /* main.m */; };
EB16841D146DC0B00019138B /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = EB16841C146DC0B00019138B /* AppDelegate.m */; };
EB168420146DC0B00019138B /* MainStoryboard_iPhone.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EB16841E146DC0B00019138B /* MainStoryboard_iPhone.storyboard */; };
EB168423146DC0B00019138B /* MainStoryboard_iPad.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EB168421146DC0B00019138B /* MainStoryboard_iPad.storyboard */; };
EB168426146DC0B00019138B /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = EB168425146DC0B00019138B /* ViewController.m */; };
EB25A172147063B1004E8CB8 /* Cocoa.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EB25A171147063B1004E8CB8 /* Cocoa.framework */; };
EB25A17C147063B1004E8CB8 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = EB25A17A147063B1004E8CB8 /* InfoPlist.strings */; };
EB25A17E147063B1004E8CB8 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = EB25A17D147063B1004E8CB8 /* main.m */; };
EB25A182147063B1004E8CB8 /* Credits.rtf in Resources */ = {isa = PBXBuildFile; fileRef = EB25A180147063B1004E8CB8 /* Credits.rtf */; };
EB25A185147063B1004E8CB8 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = EB25A184147063B1004E8CB8 /* AppDelegate.m */; };
EB25A188147063B2004E8CB8 /* MainMenu.xib in Resources */ = {isa = PBXBuildFile; fileRef = EB25A186147063B2004E8CB8 /* MainMenu.xib */; };
EB93C7B41471DBB200FE746E /* GSS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBBE486F146E1F7300A166D3 /* GSS.framework */; };
EBA5BE8C16B020FF00B480CA /* com.apple.Kerberos.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = EBA5BE8916B01BD500B480CA /* com.apple.Kerberos.plist */; };
EBB1EA0E16C2E76F00DC776D /* Default-568h@2x.png in Resources */ = {isa = PBXBuildFile; fileRef = EBB1EA0D16C2E76F00DC776D /* Default-568h@2x.png */; };
EBBE4870146E1F7300A166D3 /* GSS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBBE486F146E1F7300A166D3 /* GSS.framework */; };
/* End PBXBuildFile section */
/* Begin PBXCopyFilesBuildPhase section */
EBA5BE8B16B0208C00B480CA /* CopyFiles */ = {
isa = PBXCopyFilesBuildPhase;
buildActionMask = 12;
dstPath = "";
dstSubfolderSpec = 7;
files = (
EBA5BE8C16B020FF00B480CA /* com.apple.Kerberos.plist in CopyFiles */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXCopyFilesBuildPhase section */
/* Begin PBXFileReference section */
EB168408146DC0B00019138B /* GSSSampleIOS.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = GSSSampleIOS.app; sourceTree = BUILT_PRODUCTS_DIR; };
EB16840C146DC0B00019138B /* UIKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = UIKit.framework; path = System/Library/Frameworks/UIKit.framework; sourceTree = SDKROOT; };
EB16840E146DC0B00019138B /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; };
EB168410146DC0B00019138B /* CoreGraphics.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreGraphics.framework; path = System/Library/Frameworks/CoreGraphics.framework; sourceTree = SDKROOT; };
EB168414146DC0B00019138B /* GSSSampleIOS-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "GSSSampleIOS-Info.plist"; sourceTree = "<group>"; };
EB168416146DC0B00019138B /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; };
EB168418146DC0B00019138B /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
EB16841A146DC0B00019138B /* GSSSampleIOS-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "GSSSampleIOS-Prefix.pch"; sourceTree = "<group>"; };
EB16841B146DC0B00019138B /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = "<group>"; };
EB16841C146DC0B00019138B /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = "<group>"; };
EB16841F146DC0B00019138B /* en */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = en; path = en.lproj/MainStoryboard_iPhone.storyboard; sourceTree = "<group>"; };
EB168422146DC0B00019138B /* en */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = en; path = en.lproj/MainStoryboard_iPad.storyboard; sourceTree = "<group>"; };
EB168424146DC0B00019138B /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = "<group>"; };
EB168425146DC0B00019138B /* ViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = "<group>"; };
EB25A16E147063B1004E8CB8 /* GSSSampleOSX.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = GSSSampleOSX.app; sourceTree = BUILT_PRODUCTS_DIR; };
EB25A171147063B1004E8CB8 /* Cocoa.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Cocoa.framework; path = Library/Frameworks/Cocoa.framework; sourceTree = DEVELOPER_DIR; };
EB25A174147063B1004E8CB8 /* AppKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppKit.framework; path = Library/Frameworks/AppKit.framework; sourceTree = SDKROOT; };
EB25A175147063B1004E8CB8 /* CoreData.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreData.framework; path = Library/Frameworks/CoreData.framework; sourceTree = SDKROOT; };
EB25A176147063B1004E8CB8 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; };
EB25A179147063B1004E8CB8 /* DesktopSample-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "DesktopSample-Info.plist"; sourceTree = "<group>"; };
EB25A17B147063B1004E8CB8 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; };
EB25A17D147063B1004E8CB8 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
EB25A17F147063B1004E8CB8 /* DesktopSample-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "DesktopSample-Prefix.pch"; sourceTree = "<group>"; };
EB25A181147063B1004E8CB8 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.rtf; name = en; path = en.lproj/Credits.rtf; sourceTree = "<group>"; };
EB25A183147063B1004E8CB8 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = "<group>"; };
EB25A184147063B1004E8CB8 /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = "<group>"; };
EB25A187147063B2004E8CB8 /* en */ = {isa = PBXFileReference; lastKnownFileType = file.xib; name = en; path = en.lproj/MainMenu.xib; sourceTree = "<group>"; };
EBA5BE8916B01BD500B480CA /* com.apple.Kerberos.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist; name = com.apple.Kerberos.plist; path = Common/com.apple.Kerberos.plist; sourceTree = "<group>"; };
EBB1EA0D16C2E76F00DC776D /* Default-568h@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = "Default-568h@2x.png"; path = "../Default-568h@2x.png"; sourceTree = "<group>"; };
EBB752D4146E298100A49C50 /* GSSSampleIOS.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = GSSSampleIOS.entitlements; sourceTree = "<group>"; };
EBBE486F146E1F7300A166D3 /* GSS.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = GSS.framework; path = System/Library/Frameworks/GSS.framework; sourceTree = SDKROOT; };
/* End PBXFileReference section */
/* Begin PBXFrameworksBuildPhase section */
EB168405146DC0B00019138B /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
EBBE4870146E1F7300A166D3 /* GSS.framework in Frameworks */,
EB16840D146DC0B00019138B /* UIKit.framework in Frameworks */,
EB16840F146DC0B00019138B /* Foundation.framework in Frameworks */,
EB168411146DC0B00019138B /* CoreGraphics.framework in Frameworks */,
);
runOnlyForDeploymentPostprocessing = 0;
};
EB25A16B147063B1004E8CB8 /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
EB93C7B41471DBB200FE746E /* GSS.framework in Frameworks */,
EB25A172147063B1004E8CB8 /* Cocoa.framework in Frameworks */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXFrameworksBuildPhase section */
/* Begin PBXGroup section */
EB1683FD146DC0B00019138B = {
isa = PBXGroup;
children = (
EBA5BE8816B01BAC00B480CA /* Common */,
EB168412146DC0B00019138B /* GSSSampleIOS */,
EB25A177147063B1004E8CB8 /* GSSSampleOSX */,
);
indentWidth = 8;
sourceTree = "<group>";
};
EB168409146DC0B00019138B /* Products */ = {
isa = PBXGroup;
children = (
EB168408146DC0B00019138B /* GSSSampleIOS.app */,
EB25A16E147063B1004E8CB8 /* GSSSampleOSX.app */,
);
name = Products;
path = ..;
sourceTree = "<group>";
};
EB16840B146DC0B00019138B /* Frameworks */ = {
isa = PBXGroup;
children = (
EBBE486F146E1F7300A166D3 /* GSS.framework */,
EB16840C146DC0B00019138B /* UIKit.framework */,
EB16840E146DC0B00019138B /* Foundation.framework */,
EB168410146DC0B00019138B /* CoreGraphics.framework */,
);
name = Frameworks;
path = ..;
sourceTree = "<group>";
};
EB168412146DC0B00019138B /* GSSSampleIOS */ = {
isa = PBXGroup;
children = (
EBB752D4146E298100A49C50 /* GSSSampleIOS.entitlements */,
EB16841B146DC0B00019138B /* AppDelegate.h */,
EB16841C146DC0B00019138B /* AppDelegate.m */,
EB16841E146DC0B00019138B /* MainStoryboard_iPhone.storyboard */,
EB168421146DC0B00019138B /* MainStoryboard_iPad.storyboard */,
EB168424146DC0B00019138B /* ViewController.h */,
EB168425146DC0B00019138B /* ViewController.m */,
EB168413146DC0B00019138B /* Supporting Files */,
EB16840B146DC0B00019138B /* Frameworks */,
EB168409146DC0B00019138B /* Products */,
);
path = GSSSampleIOS;
sourceTree = "<group>";
};
EB168413146DC0B00019138B /* Supporting Files */ = {
isa = PBXGroup;
children = (
EB168414146DC0B00019138B /* GSSSampleIOS-Info.plist */,
EB168415146DC0B00019138B /* InfoPlist.strings */,
EB168418146DC0B00019138B /* main.m */,
EB16841A146DC0B00019138B /* GSSSampleIOS-Prefix.pch */,
EBB1EA0D16C2E76F00DC776D /* Default-568h@2x.png */,
);
name = "Supporting Files";
sourceTree = "<group>";
};
EB25A170147063B1004E8CB8 /* Frameworks */ = {
isa = PBXGroup;
children = (
EB25A171147063B1004E8CB8 /* Cocoa.framework */,
EB25A173147063B1004E8CB8 /* Other Frameworks */,
);
name = Frameworks;
path = ..;
sourceTree = "<group>";
};
EB25A173147063B1004E8CB8 /* Other Frameworks */ = {
isa = PBXGroup;
children = (
EB25A174147063B1004E8CB8 /* AppKit.framework */,
EB25A175147063B1004E8CB8 /* CoreData.framework */,
EB25A176147063B1004E8CB8 /* Foundation.framework */,
);
name = "Other Frameworks";
sourceTree = "<group>";
};
EB25A177147063B1004E8CB8 /* GSSSampleOSX */ = {
isa = PBXGroup;
children = (
EB25A183147063B1004E8CB8 /* AppDelegate.h */,
EB25A184147063B1004E8CB8 /* AppDelegate.m */,
EB25A186147063B2004E8CB8 /* MainMenu.xib */,
EB25A178147063B1004E8CB8 /* Supporting Files */,
EB25A170147063B1004E8CB8 /* Frameworks */,
);
path = GSSSampleOSX;
sourceTree = "<group>";
};
EB25A178147063B1004E8CB8 /* Supporting Files */ = {
isa = PBXGroup;
children = (
EB25A179147063B1004E8CB8 /* DesktopSample-Info.plist */,
EB25A17A147063B1004E8CB8 /* InfoPlist.strings */,
EB25A17D147063B1004E8CB8 /* main.m */,
EB25A17F147063B1004E8CB8 /* DesktopSample-Prefix.pch */,
EB25A180147063B1004E8CB8 /* Credits.rtf */,
);
name = "Supporting Files";
sourceTree = "<group>";
};
EBA5BE8816B01BAC00B480CA /* Common */ = {
isa = PBXGroup;
children = (
EBA5BE8916B01BD500B480CA /* com.apple.Kerberos.plist */,
);
name = Common;
sourceTree = "<group>";
};
/* End PBXGroup section */
/* Begin PBXNativeTarget section */
EB168407146DC0B00019138B /* GSSSampleIOS */ = {
isa = PBXNativeTarget;
buildConfigurationList = EB168429146DC0B00019138B /* Build configuration list for PBXNativeTarget "GSSSampleIOS" */;
buildPhases = (
EB168404146DC0B00019138B /* Sources */,
EB168405146DC0B00019138B /* Frameworks */,
EB168406146DC0B00019138B /* Resources */,
EBA5BE8B16B0208C00B480CA /* CopyFiles */,
);
buildRules = (
);
dependencies = (
);
name = GSSSampleIOS;
productName = GSSSampleIOS;
productReference = EB168408146DC0B00019138B /* GSSSampleIOS.app */;
productType = "com.apple.product-type.application";
};
EB25A16D147063B1004E8CB8 /* GSSSampleOSX */ = {
isa = PBXNativeTarget;
buildConfigurationList = EB25A18B147063B2004E8CB8 /* Build configuration list for PBXNativeTarget "GSSSampleOSX" */;
buildPhases = (
EB25A16A147063B1004E8CB8 /* Sources */,
EB25A16B147063B1004E8CB8 /* Frameworks */,
EB25A16C147063B1004E8CB8 /* Resources */,
);
buildRules = (
);
dependencies = (
);
name = GSSSampleOSX;
productName = GSSSampleOSX;
productReference = EB25A16E147063B1004E8CB8 /* GSSSampleOSX.app */;
productType = "com.apple.product-type.application";
};
/* End PBXNativeTarget section */
/* Begin PBXProject section */
EB1683FF146DC0B00019138B /* Project object */ = {
isa = PBXProject;
attributes = {
LastUpgradeCheck = 0500;
TargetAttributes = {
EB168407146DC0B00019138B = {
DevelopmentTeam = XPSUQMMH5W;
};
};
};
buildConfigurationList = EB168402146DC0B00019138B /* Build configuration list for PBXProject "GSSSample" */;
compatibilityVersion = "Xcode 3.2";
developmentRegion = English;
hasScannedForEncodings = 0;
knownRegions = (
en,
);
mainGroup = EB1683FD146DC0B00019138B;
productRefGroup = EB168409146DC0B00019138B /* Products */;
projectDirPath = "";
projectRoot = "";
targets = (
EB168407146DC0B00019138B /* GSSSampleIOS */,
EB25A16D147063B1004E8CB8 /* GSSSampleOSX */,
);
};
/* End PBXProject section */
/* Begin PBXResourcesBuildPhase section */
EB168406146DC0B00019138B /* Resources */ = {
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
EB168417146DC0B00019138B /* InfoPlist.strings in Resources */,
EB168420146DC0B00019138B /* MainStoryboard_iPhone.storyboard in Resources */,
EB168423146DC0B00019138B /* MainStoryboard_iPad.storyboard in Resources */,
EBB1EA0E16C2E76F00DC776D /* Default-568h@2x.png in Resources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
EB25A16C147063B1004E8CB8 /* Resources */ = {
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
EB25A17C147063B1004E8CB8 /* InfoPlist.strings in Resources */,
EB25A182147063B1004E8CB8 /* Credits.rtf in Resources */,
EB25A188147063B2004E8CB8 /* MainMenu.xib in Resources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXResourcesBuildPhase section */
/* Begin PBXSourcesBuildPhase section */
EB168404146DC0B00019138B /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
EB168419146DC0B00019138B /* main.m in Sources */,
EB16841D146DC0B00019138B /* AppDelegate.m in Sources */,
EB168426146DC0B00019138B /* ViewController.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
EB25A16A147063B1004E8CB8 /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
EB25A17E147063B1004E8CB8 /* main.m in Sources */,
EB25A185147063B1004E8CB8 /* AppDelegate.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXSourcesBuildPhase section */
/* Begin PBXVariantGroup section */
EB168415146DC0B00019138B /* InfoPlist.strings */ = {
isa = PBXVariantGroup;
children = (
EB168416146DC0B00019138B /* en */,
);
name = InfoPlist.strings;
sourceTree = "<group>";
};
EB16841E146DC0B00019138B /* MainStoryboard_iPhone.storyboard */ = {
isa = PBXVariantGroup;
children = (
EB16841F146DC0B00019138B /* en */,
);
name = MainStoryboard_iPhone.storyboard;
sourceTree = "<group>";
};
EB168421146DC0B00019138B /* MainStoryboard_iPad.storyboard */ = {
isa = PBXVariantGroup;
children = (
EB168422146DC0B00019138B /* en */,
);
name = MainStoryboard_iPad.storyboard;
sourceTree = "<group>";
};
EB25A17A147063B1004E8CB8 /* InfoPlist.strings */ = {
isa = PBXVariantGroup;
children = (
EB25A17B147063B1004E8CB8 /* en */,
);
name = InfoPlist.strings;
sourceTree = "<group>";
};
EB25A180147063B1004E8CB8 /* Credits.rtf */ = {
isa = PBXVariantGroup;
children = (
EB25A181147063B1004E8CB8 /* en */,
);
name = Credits.rtf;
sourceTree = "<group>";
};
EB25A186147063B2004E8CB8 /* MainMenu.xib */ = {
isa = PBXVariantGroup;
children = (
EB25A187147063B2004E8CB8 /* en */,
);
name = MainMenu.xib;
sourceTree = "<group>";
};
/* End PBXVariantGroup section */
/* Begin XCBuildConfiguration section */
EB168427146DC0B00019138B /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
COPY_PHASE_STRIP = NO;
GCC_C_LANGUAGE_STANDARD = gnu99;
GCC_DYNAMIC_NO_PIC = NO;
GCC_OPTIMIZATION_LEVEL = 0;
GCC_PREPROCESSOR_DEFINITIONS = (
"DEBUG=1",
"$(inherited)",
);
GCC_SYMBOLS_PRIVATE_EXTERN = NO;
GCC_VERSION = com.apple.compilers.llvm.clang.1_0;
GCC_WARN_ABOUT_RETURN_TYPE = YES;
GCC_WARN_UNDECLARED_SELECTOR = YES;
GCC_WARN_UNINITIALIZED_AUTOS = YES;
GCC_WARN_UNUSED_FUNCTION = YES;
GCC_WARN_UNUSED_VARIABLE = YES;
IPHONEOS_DEPLOYMENT_TARGET = 6.0;
ONLY_ACTIVE_ARCH = YES;
TARGETED_DEVICE_FAMILY = "1,2";
};
name = Debug;
};
EB168428146DC0B00019138B /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
COPY_PHASE_STRIP = YES;
GCC_C_LANGUAGE_STANDARD = gnu99;
GCC_VERSION = com.apple.compilers.llvm.clang.1_0;
GCC_WARN_ABOUT_RETURN_TYPE = YES;
GCC_WARN_UNDECLARED_SELECTOR = YES;
GCC_WARN_UNINITIALIZED_AUTOS = YES;
GCC_WARN_UNUSED_FUNCTION = YES;
GCC_WARN_UNUSED_VARIABLE = YES;
IPHONEOS_DEPLOYMENT_TARGET = 6.0;
OTHER_CFLAGS = "-DNS_BLOCK_ASSERTIONS=1";
TARGETED_DEVICE_FAMILY = "1,2";
VALIDATE_PRODUCT = YES;
};
name = Release;
};
EB16842A146DC0B00019138B /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
CODE_SIGN_ENTITLEMENTS = GSSSampleIOS/GSSSampleIOS.entitlements;
CODE_SIGN_IDENTITY = "iPhone Developer";
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = "GSSSampleIOS/GSSSampleIOS-Prefix.pch";
INFOPLIST_FILE = "GSSSampleIOS/GSSSampleIOS-Info.plist";
PRODUCT_NAME = "$(TARGET_NAME)";
SDKROOT = iphoneos;
SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
WRAPPER_EXTENSION = app;
};
name = Debug;
};
EB16842B146DC0B00019138B /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
CODE_SIGN_ENTITLEMENTS = GSSSampleIOS/GSSSampleIOS.entitlements;
CODE_SIGN_IDENTITY = "iPhone Developer";
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = "GSSSampleIOS/GSSSampleIOS-Prefix.pch";
INFOPLIST_FILE = "GSSSampleIOS/GSSSampleIOS-Info.plist";
PRODUCT_NAME = "$(TARGET_NAME)";
SDKROOT = iphoneos;
SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
WRAPPER_EXTENSION = app;
};
name = Release;
};
EB25A189147063B2004E8CB8 /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
COMBINE_HIDPI_IMAGES = YES;
FRAMEWORK_SEARCH_PATHS = (
"$(inherited)",
"$(DEVELOPER_FRAMEWORKS_DIR)",
);
GCC_ENABLE_OBJC_EXCEPTIONS = YES;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = "GSSSampleOSX/DesktopSample-Prefix.pch";
GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
INFOPLIST_FILE = "GSSSampleOSX/DesktopSample-Info.plist";
MACOSX_DEPLOYMENT_TARGET = 10.8;
ONLY_ACTIVE_ARCH = YES;
PRODUCT_NAME = "$(TARGET_NAME)";
SUPPORTED_PLATFORMS = macos;
WRAPPER_EXTENSION = app;
};
name = Debug;
};
EB25A18A147063B2004E8CB8 /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
COMBINE_HIDPI_IMAGES = YES;
DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
FRAMEWORK_SEARCH_PATHS = (
"$(inherited)",
"$(DEVELOPER_FRAMEWORKS_DIR)",
);
GCC_ENABLE_OBJC_EXCEPTIONS = YES;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = "GSSSampleOSX/DesktopSample-Prefix.pch";
GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
INFOPLIST_FILE = "GSSSampleOSX/DesktopSample-Info.plist";
MACOSX_DEPLOYMENT_TARGET = 10.8;
PRODUCT_NAME = "$(TARGET_NAME)";
SUPPORTED_PLATFORMS = macos;
WRAPPER_EXTENSION = app;
};
name = Release;
};
/* End XCBuildConfiguration section */
/* Begin XCConfigurationList section */
EB168402146DC0B00019138B /* Build configuration list for PBXProject "GSSSample" */ = {
isa = XCConfigurationList;
buildConfigurations = (
EB168427146DC0B00019138B /* Debug */,
EB168428146DC0B00019138B /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
EB168429146DC0B00019138B /* Build configuration list for PBXNativeTarget "GSSSampleIOS" */ = {
isa = XCConfigurationList;
buildConfigurations = (
EB16842A146DC0B00019138B /* Debug */,
EB16842B146DC0B00019138B /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
EB25A18B147063B2004E8CB8 /* Build configuration list for PBXNativeTarget "GSSSampleOSX" */ = {
isa = XCConfigurationList;
buildConfigurations = (
EB25A189147063B2004E8CB8 /* Debug */,
EB25A18A147063B2004E8CB8 /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
/* End XCConfigurationList section */
};
rootObject = EB1683FF146DC0B00019138B /* Project object */;
}

7
Sample/GSSSample.xcodeproj/project.xcworkspace/contents.xcworkspacedata generated Normal file
View File

@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<Workspace
version = "1.0">
<FileRef
location = "self:GSSSample.xcodeproj">
</FileRef>
</Workspace>

11
Sample/GSSSampleIOS/AppDelegate.h Normal file
View File

@ -0,0 +1,11 @@
//
// AppDelegate.h
//
#import <UIKit/UIKit.h>
@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@end

44
Sample/GSSSampleIOS/AppDelegate.m Normal file
View File

@ -0,0 +1,44 @@
//
// AppDelegate.m
//
#import "AppDelegate.h"
@implementation AppDelegate
@synthesize window = _window;
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
{
// Override point for customization after application launch.
return YES;
}
- (void)applicationWillResignActive:(UIApplication *)application
{
// Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
// Use this method to pause ongoing tasks, disable timers, and throttle down OpenGL ES frame rates. Games should use this method to pause the game.
}
- (void)applicationDidEnterBackground:(UIApplication *)application
{
// Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.
// If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.
}
- (void)applicationWillEnterForeground:(UIApplication *)application
{
// Called as part of the transition from the background to the inactive state; here you can undo many of the changes made on entering the background.
}
- (void)applicationDidBecomeActive:(UIApplication *)application
{
// Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.
}
- (void)applicationWillTerminate:(UIApplication *)application
{
// Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
}
@end

51
Sample/GSSSampleIOS/GSSSampleIOS-Info.plist Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>${PRODUCT_NAME}</string>
<key>CFBundleExecutable</key>
<string>${EXECUTABLE_NAME}</string>
<key>CFBundleIconFiles</key>
<array/>
<key>CFBundleIdentifier</key>
<string>com.apple.GSS.${PRODUCT_NAME:rfc1034identifier}</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>${PRODUCT_NAME}</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>UIMainStoryboardFile</key>
<string>MainStoryboard_iPhone</string>
<key>UIMainStoryboardFile~ipad</key>
<string>MainStoryboard_iPad</string>
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>armv7</string>
</array>
<key>UISupportedInterfaceOrientations</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
<key>UISupportedInterfaceOrientations~ipad</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationPortraitUpsideDown</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
</dict>
</plist>

14
Sample/GSSSampleIOS/GSSSampleIOS-Prefix.pch Normal file
View File

@ -0,0 +1,14 @@
//
// Prefix header for all source files of the 'GSSSampleIOS' target in the 'GSSSampleIOS' project
//
#import <Availability.h>
#ifndef __IPHONE_5_0
#warning "This project uses features only available in iOS SDK 5.0 and later."
#endif
#ifdef __OBJC__
#import <UIKit/UIKit.h>
#import <Foundation/Foundation.h>
#endif

8
Sample/GSSSampleIOS/GSSSampleIOS.entitlements Normal file
View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>get-task-allow</key>
<true/>
</dict>
</plist>

19
Sample/GSSSampleIOS/ViewController.h Normal file
View File

@ -0,0 +1,19 @@
//
// ViewController.h
//
#import <UIKit/UIKit.h>
@interface ViewController : UIViewController {
dispatch_queue_t _queue;
}
@property (nonatomic, retain) IBOutlet UITextView *ticketView;
@property (nonatomic, retain) IBOutlet UITextField *authServerName;
@property (nonatomic, retain) IBOutlet UITextField *authServerResult;
@property (nonatomic, retain) IBOutlet UITextField *urlTextField;
@property (nonatomic, retain) IBOutlet UITextView *urlResultTextView;
- (IBAction)addCredential:(id)sender;
@end

433
Sample/GSSSampleIOS/ViewController.m Normal file
View File

@ -0,0 +1,433 @@
//
// ViewController.m
//
#import "ViewController.h"
#import <GSS/GSS.h>
@interface ViewController ()
@end
@implementation ViewController
- (void)didReceiveMemoryWarning
{
[super didReceiveMemoryWarning];
// Release any cached data, images, etc that aren't in use.
}
#pragma mark - View lifecycle
- (void)viewDidLoad
{
[super viewDidLoad];
_queue = dispatch_queue_create("com.apple.GSSSampleIOS.credential.queue", NULL);
[self listCredentials:self];
}
- (NSUInteger)supportedInterfaceOrientations
{
return UIInterfaceOrientationMaskPortrait;
}
- (void)kdestroyAll
{
OM_uint32 min_stat;
gss_iter_creds(&min_stat, 0, NULL, ^(gss_OID oid, gss_cred_id_t gcred) {
if (gcred) {
NSLog(@"destroy credential: %@", gcred);
OM_uint32 foo;
gss_destroy_cred(&foo, &gcred);
}
});
}
- (gss_cred_id_t)getACred
{
OM_uint32 min_stat;
__block gss_cred_id_t first = NULL;
gss_iter_creds(&min_stat, 0, NULL, ^(gss_OID oid, gss_cred_id_t gcred) {
if (gcred) {
CFRetain(gcred);
first = gcred;
}
});
return first;
}
- (void)checkNoCredentials
{
__block unsigned num = 0;
OM_uint32 min_stat;
gss_iter_creds(&min_stat, 0, NULL, ^(gss_OID oid, gss_cred_id_t gcred) {
if (gcred != NULL) {
NSLog(@"unexpected cred: %@", gcred);
num++;
}
});
if (num)
NSLog(@"FAIL too many credential (more then 0)");
}
- (gss_cred_id_t)acquire_cred:(NSString *)name password:(NSString *)password
{
OM_uint32 maj_stat, min_stat;
gss_name_t gname = GSS_C_NO_NAME;
gss_cred_id_t cred = NULL;
CFErrorRef error = NULL;
gss_buffer_desc buffer;
NSLog(@"acquire: %@", name);
const char *str = [name UTF8String];
buffer.value = (void *)str;
buffer.length = strlen(str);
maj_stat = gss_import_name(&min_stat, &buffer, GSS_C_NT_USER_NAME, &gname);
if (maj_stat) {
NSLog(@"failed to import name: %@", name);
return NULL;
}
NSDictionary *attrs = @{ (id)kGSSICPassword : password };
maj_stat = gss_aapl_initial_cred(gname, GSS_KRB5_MECHANISM, (__bridge CFDictionaryRef)attrs, &cred, &error);
gss_release_name(&min_stat, &gname);
if (maj_stat) {
NSLog(@"error: %d %@", (int)maj_stat, error);
goto out;
}
NSLog(@"acquire: %@ done", name);
if (cred) {
CFUUIDRef uuid = GSSCredentialCopyUUID(cred);
if (uuid == NULL) {
NSLog(@"GSSCredentialCopyUUID error failed to get credential");
CFRelease(cred);
cred = NULL;
goto out;
}
gss_cred_id_t dupCred = GSSCreateCredentialFromUUID(uuid);
if (dupCred == GSS_C_NO_CREDENTIAL) {
NSLog(@"GSSCreateCredentialFromUUID error failed to get credential");
CFRelease(cred);
cred = NULL;
goto out;
}
CFRelease(uuid);
CFRelease(dupCred);
}
out:
return cred;
}
- (BOOL)checkCredentialCacheName
{
OM_uint32 maj_stat;
gss_name_t gname = GSS_C_NO_NAME;
gss_cred_id_t cred = NULL;
CFErrorRef error = NULL;
gname = GSSCreateName(@"ktestuser@ADS.APPLE.COM", GSS_C_NT_USER_NAME, NULL);
if (gname == NULL)
return false;
NSString *password = @"foobar";
CFUUIDRef uuid = CFUUIDCreateFromString(NULL, CFSTR("E5ECDD5B-1348-4452-A31A-A0A791F94114"));
NSDictionary *attrs = @{
(id)kGSSICPassword : password,
(id)kGSSICKerberosCacheName : @"XCACHE:E5ECDD5B-1348-4452-A31A-A0A791F94114"
};
maj_stat = gss_aapl_initial_cred(gname, GSS_KRB5_MECHANISM, (__bridge CFDictionaryRef)attrs, &cred, &error);
CFRelease(gname);
if (maj_stat) {
NSLog(@"error: %d %@", (int)maj_stat, error);
return false;
}
CFUUIDRef creduuid = GSSCredentialCopyUUID(cred);
if (!CFEqual(creduuid, uuid))
return false;
CFRelease(cred);
return true;
}
- (BOOL)authenticate:(gss_cred_id_t)cred nameType:(gss_OID)nameType toServer:(NSString *)serverName
{
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_name_t server_name = GSS_C_NO_NAME;
gss_buffer_desc buffer;
OM_uint32 maj_stat, min_stat;
BOOL res;
NSLog(@"acquire: %@ to %@", cred, serverName);
const char *name = [serverName UTF8String];
buffer.value = (void *)name;
buffer.length = strlen(name);
maj_stat = gss_import_name(&min_stat, &buffer, nameType, &server_name);
if (maj_stat != GSS_S_COMPLETE) {
NSLog(@"import_name maj_stat: %d min_stat: %d", (int)maj_stat, (int)min_stat);
return FALSE;
}
maj_stat = gss_init_sec_context(&min_stat, cred,
&ctx, server_name, GSS_KRB5_MECHANISM,
GSS_C_REPLAY_FLAG|GSS_C_INTEG_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS,
NULL, NULL, &buffer, NULL, NULL);
if (maj_stat) {
NSLog(@"FAIL init_sec_context maj_stat: %d", (int)maj_stat);
res = FALSE;
} else {
NSLog(@"have a buffer of length: %d, success", (int)buffer.length);
res = TRUE;
}
gss_delete_sec_context(&min_stat, &ctx, NULL);
gss_release_name(&min_stat, &server_name);
gss_release_buffer(&min_stat, &buffer);
return res;
}
- (Boolean)testCSD11
{
gss_cred_id_t cred = NULL;
OM_uint32 min_stat;
cred = [self acquire_cred:@"testuser@CSD11.APPLE.COM" password:@"testuser"];
if (cred == NULL)
return false;
[self authenticate:cred nameType:GSS_C_NT_HOSTBASED_SERVICE toServer:@"HTTP@csd11.apple.com"];
gss_release_cred(&min_stat, &cred);
return true;
}
- (Boolean)testADS
{
OM_uint32 maj_stat, min_stat;
gss_name_t name = GSS_C_NO_NAME;
gss_cred_id_t cred = NULL;
cred = [self acquire_cred:@"ktestuser@ADS.APPLE.COM" password:@"foobar"];
if (cred == NULL)
return false;
maj_stat = gss_inquire_cred(&min_stat, cred, &name, NULL, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE) {
NSLog(@"error inquire name: %d", (int)maj_stat);
} else {
NSLog(@"inquire name: %@", name);
}
gss_release_name(&min_stat, &name);
NSLog(@"start list");
maj_stat = gss_iter_creds(&min_stat, 0, NULL, ^(gss_OID mech, gss_cred_id_t gcred) {
if (gcred == NULL)
return;
OM_uint32 major, minor;
gss_name_t name2;
NSLog(@"list cred: %@", gcred);
major = gss_inquire_cred(&minor, gcred, &name2, NULL, NULL, NULL);
if (major != GSS_S_COMPLETE) {
NSLog(@"failed to inquire cred: %d/%d", major, minor);
return;
}
gss_release_cred(&minor, &gcred);
NSLog(@"list name: %@", name2);
});
NSLog(@"end list");
if (maj_stat)
NSLog(@"list error: %d", (int)maj_stat);
NSLog(@"authenticate");
[self authenticate:cred nameType:GSS_C_NT_HOSTBASED_SERVICE toServer:@"ldap@dc02.ads.apple.com"];
[self authenticate:cred nameType:GSS_KRB5_NT_PRINCIPAL_NAME toServer:@"ldap/dc02.ads.apple.com@ADS.APPLE.COM"];
return true;
}
- (IBAction)listCredentials:(id)sender
{
__block unsigned ncreds = 0;
OM_uint32 min_stat;
self.ticketView.text = @"<nocred>";
NSMutableString *str = [NSMutableString string];
gss_iter_creds(&min_stat, 0, NULL, ^(gss_OID mech, gss_cred_id_t cred) {
CFStringRef displayName = NULL;
CFStringRef uuidName = NULL;
gss_name_t name = NULL;
CFUUIDRef uuid = NULL;
if (cred == NULL)
return;
ncreds++;
name = GSSCredentialCopyName(cred);
if (name == NULL)
goto out;
displayName = GSSNameCreateDisplayString(name);
if (displayName == NULL)
goto out;
[str appendString:(__bridge NSString *)displayName];
uuid = GSSCredentialCopyUUID(cred);
if (uuid == NULL)
goto out;
uuidName = CFUUIDCreateString(NULL, uuid);
[str appendString:@" uuid: "];
[str appendString:(__bridge NSString *)uuidName];
out:
[str appendString:@"\n"];
if (displayName)
CFRelease(displayName);
if (name)
CFRelease(name);
if (uuidName)
CFRelease(uuidName);
if (uuid)
CFRelease(uuid);
});
NSLog(@"num creds in list: %u", ncreds);
self.ticketView.text = str;
}
- (IBAction)deleteAllCredentials:(id)sender
{
self.ticketView.text = @"<nocred>";
[self kdestroyAll];
}
- (IBAction)authServer:(id)sender
{
gss_cred_id_t cred = [self getACred];
NSString *res;
if ([self authenticate:cred nameType:GSS_C_NT_HOSTBASED_SERVICE toServer:[self.authServerName text]])
res = @"pass";
else
res = @"fail";
self.authServerResult.text = res;
}
- (IBAction)nsURLFetch:(id)sender
{
NSLog(@"nsURLFetch");
NSURL *url = [NSURL URLWithString:self.urlTextField.text];
NSError *error = NULL;
self.urlResultTextView.text = [NSString stringWithContentsOfURL:url encoding:NSUTF8StringEncoding error:&error];
if ( self.urlResultTextView.text == NULL)
self.urlResultTextView.text = [error localizedDescription];
if ( self.urlResultTextView.text == NULL)
self.urlResultTextView.text = @"why what ?, failed";
}
- (IBAction)acquirektestuserAtADS:(id)sender
{
[self acquire_cred:@"ktestuser@ADS.APPLE.COM" password:@"foobar"];
[self listCredentials:sender];
}
- (IBAction)addCredential:(id)sender {
static bool running = false;
NSLog(@"Add credential hit");
if (running)
return;
NSLog(@"Add credential");
running = true;
/*
* Run on queue in background since the all operations are blocking
*/
dispatch_async(_queue, ^{
NSLog(@"destroy all");
[self kdestroyAll];
NSLog(@"check none exists");
[self checkNoCredentials];
NSLog(@"test ADS");
if (![self testADS])
goto out;
[self kdestroyAll];
[self checkNoCredentials];
NSLog(@"test CSD11");
if (![self testCSD11])
goto out;
[self kdestroyAll];
[self checkNoCredentials];
NSLog(@"test checkCredentialCacheName");
[self checkCredentialCacheName];
[self kdestroyAll];
NSLog(@"complete");
out:
running = false;
});
}
@end

2
Sample/GSSSampleIOS/en.lproj/InfoPlist.strings Normal file
View File

@ -0,0 +1,2 @@
/* Localized versions of Info.plist keys */

160
Sample/GSSSampleIOS/en.lproj/MainStoryboard_iPad.storyboard Normal file
View File

@ -0,0 +1,160 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="2.0" toolsVersion="4385" systemVersion="12E31" targetRuntime="iOS.CocoaTouch.iPad" propertyAccessControl="none" initialViewController="2">
<dependencies>
<plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="3628"/>
</dependencies>
<scenes>
<!--View Controller-->
<scene sceneID="4">
<objects>
<viewController id="2" customClass="ViewController" sceneMemberID="viewController">
<view key="view" contentMode="scaleToFill" id="5">
<rect key="frame" x="0.0" y="20" width="768" height="1004"/>
<autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
<subviews>
<button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" id="E0E-Xg-q3I">
<rect key="frame" x="94" y="59" width="90" height="44"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="boldSystem" pointSize="15"/>
<state key="normal" title="Listcred">
<color key="titleColor" red="0.19607843459999999" green="0.30980393290000002" blue="0.52156865600000002" alpha="1" colorSpace="calibratedRGB"/>
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<state key="highlighted">
<color key="titleColor" white="1" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="listCredentials:" destination="3" eventType="touchUpInside" id="ty7-0i-8M6"/>
</connections>
</button>
<button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" id="bhT-HI-th4">
<rect key="frame" x="299" y="679" width="90" height="44"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="boldSystem" pointSize="15"/>
<state key="normal" title="test suite">
<color key="titleColor" red="0.19607843459999999" green="0.30980393290000002" blue="0.52156865600000002" alpha="1" colorSpace="calibratedRGB"/>
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<state key="highlighted">
<color key="titleColor" white="1" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="addCredential:" destination="3" eventType="touchUpInside" id="4TE-hm-DXA"/>
</connections>
</button>
<button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" id="2DV-BI-ygr">
<rect key="frame" x="94" y="138" width="90" height="44"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="boldSystem" pointSize="15"/>
<state key="normal" title="Delete all">
<color key="titleColor" red="0.19607843459999999" green="0.30980393290000002" blue="0.52156865600000002" alpha="1" colorSpace="calibratedRGB"/>
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<state key="highlighted">
<color key="titleColor" white="1" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="deleteAllCredentials:" destination="3" eventType="touchUpInside" id="QuY-Wv-5C1"/>
</connections>
</button>
<textView clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="scaleToFill" showsHorizontalScrollIndicator="NO" id="yi3-Nj-ztp">
<rect key="frame" x="192" y="87" width="556" height="411"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<color key="backgroundColor" red="1" green="1" blue="1" alpha="1" colorSpace="calibratedRGB"/>
<fontDescription key="fontDescription" type="system" pointSize="14"/>
<textInputTraits key="textInputTraits" autocapitalizationType="sentences"/>
</textView>
<button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" id="Gh2-8g-KIf">
<rect key="frame" x="117" y="562" width="105" height="69"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="boldSystem" pointSize="15"/>
<state key="normal" title="auth server">
<color key="titleColor" red="0.19607843459999999" green="0.30980393290000002" blue="0.52156865600000002" alpha="1" colorSpace="calibratedRGB"/>
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<state key="highlighted">
<color key="titleColor" white="1" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="authServer:" destination="3" eventType="touchUpInside" id="LXN-RW-hWD"/>
</connections>
</button>
<textField opaque="NO" clipsSubviews="YES" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" text="ldap@dc02.ads.apple.com" borderStyle="roundedRect" minimumFontSize="17" id="05k-Rb-cDz">
<rect key="frame" x="265" y="562" width="419" height="30"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="system" pointSize="14"/>
<textInputTraits key="textInputTraits"/>
</textField>
<textField opaque="NO" clipsSubviews="YES" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" text="untested" borderStyle="roundedRect" minimumFontSize="17" id="lTn-0J-wCx">
<rect key="frame" x="265" y="600" width="97" height="30"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<accessibility key="accessibilityConfiguration">
<accessibilityTraits key="traits" none="YES" staticText="YES"/>
</accessibility>
<fontDescription key="fontDescription" type="system" pointSize="14"/>
<textInputTraits key="textInputTraits"/>
</textField>
<button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" id="KBD-Us-LaX">
<rect key="frame" x="79" y="775" width="105" height="69"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="boldSystem" pointSize="15"/>
<state key="normal" title="url test">
<color key="titleColor" red="0.19607843459999999" green="0.30980393290000002" blue="0.52156865600000002" alpha="1" colorSpace="calibratedRGB"/>
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<state key="highlighted">
<color key="titleColor" white="1" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="nsURLFetch:" destination="2" eventType="touchUpInside" id="myG-mH-dcx"/>
</connections>
</button>
<textField opaque="NO" clipsSubviews="YES" contentMode="scaleToFill" contentHorizontalAlignment="left" contentVerticalAlignment="center" text="http://dc03.ads.apple.com/negotiate/" borderStyle="roundedRect" minimumFontSize="17" id="S22-IK-Gkd">
<rect key="frame" x="214" y="775" width="419" height="30"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="system" pointSize="14"/>
<textInputTraits key="textInputTraits"/>
</textField>
<textView clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="scaleToFill" showsHorizontalScrollIndicator="NO" id="AVR-DL-4eE">
<rect key="frame" x="209" y="821" width="324" height="128"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<color key="backgroundColor" red="1" green="1" blue="1" alpha="1" colorSpace="calibratedRGB"/>
<fontDescription key="fontDescription" type="system" pointSize="14"/>
<textInputTraits key="textInputTraits" autocapitalizationType="sentences"/>
</textView>
<button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" id="94b-Br-VHd">
<rect key="frame" x="41" y="98" width="143" height="44"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="boldSystem" pointSize="15"/>
<state key="normal" title="acquire ADs cred">
<color key="titleColor" red="0.19607843459999999" green="0.30980393290000002" blue="0.52156865600000002" alpha="1" colorSpace="calibratedRGB"/>
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<state key="highlighted">
<color key="titleColor" white="1" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="acquirektestuserAtADS:" destination="2" eventType="touchUpInside" id="WM6-Ef-1jp"/>
</connections>
</button>
</subviews>
<color key="backgroundColor" white="1" alpha="1" colorSpace="custom" customColorSpace="calibratedWhite"/>
</view>
<connections>
<outlet property="authServerName" destination="05k-Rb-cDz" id="NVg-is-CqR"/>
<outlet property="authServerResult" destination="lTn-0J-wCx" id="Ud9-eu-5h5"/>
<outlet property="ticketView" destination="yi3-Nj-ztp" id="2XF-r2-dLM"/>
<outlet property="urlResultTextView" destination="AVR-DL-4eE" id="aHo-cp-VzH"/>
<outlet property="urlTextField" destination="S22-IK-Gkd" id="GoF-wc-VWr"/>
</connections>
</viewController>
<placeholder placeholderIdentifier="IBFirstResponder" id="3" sceneMemberID="firstResponder"/>
</objects>
</scene>
</scenes>
<simulatedMetricsContainer key="defaultSimulatedMetrics">
<simulatedStatusBarMetrics key="statusBar" statusBarStyle="blackTranslucent"/>
<simulatedOrientationMetrics key="orientation"/>
<simulatedScreenMetrics key="destination"/>
</simulatedMetricsContainer>
</document>

68
Sample/GSSSampleIOS/en.lproj/MainStoryboard_iPhone.storyboard Normal file
View File

@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="2.0" toolsVersion="4131" systemVersion="13A372" targetRuntime="iOS.CocoaTouch" propertyAccessControl="none" initialViewController="2">
<dependencies>
<plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="3149"/>
</dependencies>
<scenes>
<!--View Controller-->
<scene sceneID="5">
<objects>
<viewController id="2" customClass="ViewController" sceneMemberID="viewController">
<view key="view" contentMode="scaleToFill" id="3">
<rect key="frame" x="0.0" y="20" width="320" height="460"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<subviews>
<tableView clipsSubviews="YES" contentMode="scaleToFill" alwaysBounceVertical="YES" dataMode="prototypes" style="plain" rowHeight="44" sectionHeaderHeight="22" sectionFooterHeight="22" id="xvq-er-6lW">
<rect key="frame" x="0.0" y="47" width="320" height="460"/>
<autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
<color key="backgroundColor" white="1" alpha="1" colorSpace="calibratedWhite"/>
<prototypes>
<tableViewCell contentMode="scaleToFill" selectionStyle="blue" hidesAccessoryWhenEditing="NO" indentationLevel="1" indentationWidth="0.0" reuseIdentifier="credential" id="mNB-l0-7CW">
<rect key="frame" x="0.0" y="22" width="320" height="44"/>
<autoresizingMask key="autoresizingMask"/>
<view key="contentView" opaque="NO" clipsSubviews="YES" multipleTouchEnabled="YES" contentMode="center">
<rect key="frame" x="10" y="0.0" width="310" height="43"/>
<autoresizingMask key="autoresizingMask"/>
<color key="backgroundColor" white="0.0" alpha="0.0" colorSpace="calibratedWhite"/>
</view>
</tableViewCell>
</prototypes>
</tableView>
<button opaque="NO" contentMode="scaleToFill" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" id="wzL-hN-wOC">
<rect key="frame" x="241" y="2" width="72" height="37"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="boldSystem" pointSize="15"/>
<state key="normal" title="+">
<color key="titleColor" red="0.19607843459999999" green="0.30980393290000002" blue="0.52156865600000002" alpha="1" colorSpace="calibratedRGB"/>
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<state key="highlighted">
<color key="titleColor" white="1" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="addCredential:" destination="2" eventType="touchUpInside" id="c22-H4-Ok9"/>
</connections>
</button>
</subviews>
<color key="backgroundColor" white="1" alpha="1" colorSpace="custom" customColorSpace="calibratedWhite"/>
</view>
</viewController>
<placeholder placeholderIdentifier="IBFirstResponder" id="4" sceneMemberID="firstResponder"/>
</objects>
<point key="canvasLocation" x="242" y="133"/>
</scene>
</scenes>
<classes>
<class className="ViewController" superclassName="UIViewController">
<source key="sourceIdentifier" type="project" relativePath="./Classes/ViewController.h"/>
<relationships>
<relationship kind="action" name="addCredential:"/>
</relationships>
</class>
</classes>
<simulatedMetricsContainer key="defaultSimulatedMetrics">
<simulatedStatusBarMetrics key="statusBar"/>
<simulatedOrientationMetrics key="orientation"/>
<simulatedScreenMetrics key="destination"/>
</simulatedMetricsContainer>
</document>

14
Sample/GSSSampleIOS/main.m Normal file
View File

@ -0,0 +1,14 @@
//
// main.m
//
#import <UIKit/UIKit.h>
#import "AppDelegate.h"
int main(int argc, char *argv[])
{
@autoreleasepool {
return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
}
}

17
Sample/GSSSampleOSX/AppDelegate.h Normal file
View File

@ -0,0 +1,17 @@
//
// AppDelegate.h
// GSSSampleOSX
//
// Created by Love Hörnquist Åstrand on 2011-11-13.
//
#import <Cocoa/Cocoa.h>
@interface AppDelegate : NSObject <NSApplicationDelegate>
@property (assign) IBOutlet NSWindow *window;
@property (assign) IBOutlet NSTableView *tableview;
@property (retain) IBOutlet NSMutableArray *credentials;
@property (assign) IBOutlet NSArrayController *arrayController;
@end

64
Sample/GSSSampleOSX/AppDelegate.m Normal file
View File

@ -0,0 +1,64 @@
//
// AppDelegate.m
// GSSSampleOSX
//
// Created by Love Hörnquist Åstrand on 2011-11-13.
//
#import "AppDelegate.h"
#import <GSS/GSSItem.h>
@implementation AppDelegate
@synthesize window = _window;
@synthesize tableview = _tableview;
@synthesize credentials = _credentials;
@synthesize arrayController = _arrayController;
- (void)applicationDidFinishLaunching:(NSNotification *)aNotification
{
[self refreshCredentials:nil];
}
- (IBAction)refreshCredentials:(id)sender
{
_credentials = [[NSMutableArray alloc] init];
CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionaryAddValue(attrs, kGSSAttrClass, kGSSAttrClassKerberos);
CFErrorRef error = NULL;
CFArrayRef items = GSSItemCopyMatching(attrs, &error);
if (items) {
CFIndex n, count = CFArrayGetCount(items);
for (n = 0; n < count; n++) {
CFTypeRef item = CFArrayGetValueAtIndex(items, n);
NSLog(@"item %d = %@", (int)n, item);
NSDictionary *i;
i = [(__bridge NSDictionary *)item mutableCopy];
[i setValue:@"expire1" forKey:@"kGSSAttrTransientExpire"];
NSLog(@"%@ %@", i, [i className]);
[_credentials addObject:i];
}
CFRelease(items);
}
CFRelease(attrs);
[_credentials addObject:@{ @"kGSSAttrNameDisplay" : @"foo", @"kGSSAttrTransientExpire" : @"expire"}];
NSLog(@"%@", _credentials);
[_arrayController setContent:_credentials];
NSLog(@"item %@", [_arrayController valueForKeyPath:@"arrangedObjects.kGSSAttrNameDisplay"]);
NSLog(@"item %@", [_arrayController valueForKeyPath:@"arrangedObjects.kGSSAttrTransientExpire"]);
[_tableview reloadData];
}
@end

36
Sample/GSSSampleOSX/DesktopSample-Info.plist Normal file
View File

@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>${EXECUTABLE_NAME}</string>
<key>CFBundleIconFile</key>
<string></string>
<key>CFBundleIdentifier</key>
<string>com.apple.GSS.${PRODUCT_NAME:rfc1034identifier}</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>${PRODUCT_NAME}</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>LSApplicationCategoryType</key>
<string>public.app-category.utilities</string>
<key>LSMinimumSystemVersion</key>
<string>${MACOSX_DEPLOYMENT_TARGET}</string>
<key>NSHumanReadableCopyright</key>
<string>Copyright © 2011 __MyCompanyName__. All rights reserved.</string>
<key>NSMainNibFile</key>
<string>MainMenu</string>
<key>NSPrincipalClass</key>
<string>NSApplication</string>
</dict>
</plist>

7
Sample/GSSSampleOSX/DesktopSample-Prefix.pch Normal file
View File

@ -0,0 +1,7 @@
//
// Prefix header for all source files of the 'GSSSampleOSX' target in the 'DesktopSample' project
//
#ifdef __OBJC__
#import <Cocoa/Cocoa.h>
#endif

30
Sample/GSSSampleOSX/en.lproj/Credits.rtf Normal file
View File

@ -0,0 +1,30 @@
{\rtf1\ansi\ansicpg1252\cocoartf1219\cocoasubrtf160
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
\paperw11900\paperh16840\vieww9600\viewh8400\viewkind0
\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720
\f0\b\fs24 \cf0 Engineering:
\b0 \
Some people\
\
\b Human Interface Design:
\b0 \
Some other people\
\
\b Testing:
\b0 \
Hopefully not nobody\
\
\b Documentation:
\b0 \
Whoever\
\
\b With special thanks to:
\b0 \
Mom\
}

2
Sample/GSSSampleOSX/en.lproj/InfoPlist.strings Normal file
View File

@ -0,0 +1,2 @@
/* Localized versions of Info.plist keys */

4282
Sample/GSSSampleOSX/en.lproj/MainMenu.xib Normal file
View File

File diff suppressed because it is too large Load Diff

14
Sample/GSSSampleOSX/main.m Normal file
View File

@ -0,0 +1,14 @@
//
// main.m
// GSSSampleOSX
//
// Created by Love Hörnquist Åstrand on 2011-11-13.
// Copyright (c) 2011 __MyCompanyName__. All rights reserved.
//
#import <Cocoa/Cocoa.h>
int main(int argc, char *argv[])
{
return NSApplicationMain(argc, (const char **)argv);
}

30
TODO Normal file
View File

@ -0,0 +1,30 @@
-*- indented-text -*-
** lib/gssapi
cache delegation credentials to avoid hitting the kdc ? require time
stampless tickets, and was supported in the recv'ing end with 0.6.1.
make iov work for arcfour
make iov work for ntlm
interop test
make TYPE_STREAM work
** lib/kadm5
add policies?
** lib/krb5
verify_user: handle non-secure verification failing because of
host->realm mapping
* windows stuff
-- drop all double negation #ifndef NO_
-- got though windows specific ifdefs to minimized them
-- switch to use heim-ipc for services, like the kadmin change notification socket
-- Unify lib/krb5/expand_path_w32.c

20
TODO-apple Normal file
View File

@ -0,0 +1,20 @@
- Check performance of keytabs
- improve
- rd_req server
- Make free_entry a HDB function instead of entry function
- Add ability to HDB to push in configuration for the KDC
- Push CrackName() to hdb backends
- KDC configuration
- KDC behavior
-- ports
-- global configuration
-- listing port
-- per realm configuration
-- pkinit certificate

9
acinclude.m4 Normal file
View File

@ -0,0 +1,9 @@
dnl $Id$
dnl
dnl Only put things that for some reason can't live in the `cf'
dnl directory in this file.
dnl
dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
dnl
m4_define([upcase],`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl

1111
aclocal.m4 vendored Normal file
View File

File diff suppressed because it is too large Load Diff

70
admin/ChangeLog Normal file
View File

@ -0,0 +1,70 @@
2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am: Add man_MANS to EXTRA_DIST
* Makefile.am: split build files into dist_ and noinst_ SOURCES
2005-07-07 Love Hörnquist Åstrand <lha@it.su.se>
* ktutil.c: rename optind to optidx
* list.c: make a copy of realm and admin_server to avoid
un-consting avoid shadowing
* get.c: make a copy of realm and admin_server to avoid
un-consting avoid shadowing
* change.c (change_entry): just use global context to avoid
shadowing; make a copy of realm and admin_server to avoid
un-consting.
2005-05-19 Love Hörnquist Åstrand <lha@it.su.se>
* change.c (kt_change): plug memory leak from
krb5_kt_remove_entry, print principal on error.
2005-05-02 Dave Love <d.love@dl.ac.uk>
* ktutil.c (help): Don't use non-constant initializer for `fake'.
2005-04-15 Love Hörnquist Åstrand <lha@it.su.se>
* ktutil_locl.h: include <hex.h>
2005-04-14 Love Hörnquist Åstrand <lha@it.su.se>
* add.c: add option -H --hex to the add command
* ktutil-commands.in: add option -H --hex to the add command
* ktutil.8: document option -H --hex to the add command
2004-09-29 Love Hörnquist Åstrand <lha@it.su.se>
* list.c: un c99'ify, from Anders.Magnusson@ltu.se
2004-09-23 Johan Danielsson <joda@pdc.kth.se>
* purge.c: convert to slc; don't purge keys older that a certain
time, instead purge keys that have newer versions that are at
least a certain age
* rename.c: convert to slc
* remove.c: convert to slc
* get.c: convert to slc; warn if resetting disallow-all-tix
* copy.c: convert to slc
* change.c: convert to slc
* add.c: convert to slc
* list.c: convert to slc
* ktutil_locl.h: convert to slc
* ktutil.c: convert to slc
* ktutil-commands.in: slc source file

43
admin/Makefile.am Normal file
View File

@ -0,0 +1,43 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_readline) $(INCLUDE_hcrypto)
man_MANS = ktutil.8
sbin_PROGRAMS = ktutil
dist_ktutil_SOURCES = \
add.c \
change.c \
copy.c \
destroy.c \
get.c \
ktutil.c \
ktutil_locl.h \
list.c \
purge.c \
remove.c \
rename.c
nodist_ktutil_SOURCES = \
ktutil-commands.c
$(ktutil_OBJECTS): ktutil-commands.h
CLEANFILES = ktutil-commands.h ktutil-commands.c
ktutil-commands.c ktutil-commands.h: ktutil-commands.in
$(SLC) $(srcdir)/ktutil-commands.in
LDADD = \
$(top_builddir)/lib/kadm5/libkadm5clnt.la \
$(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(top_builddir)/lib/sl/libsl.la \
$(LIB_readline) \
$(LIB_roken)
EXTRA_DIST = NTMakefile ktutil-version.rc $(man_MANS) ktutil-commands.in

74
admin/NTMakefile Normal file
View File

@ -0,0 +1,74 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=admin
cincdirs=$(cincdirs) -I$(OBJ)
!include ../windows/NTMakefile.w32
SBINPROGRAMS=$(SBINDIR)\ktutil.exe
KTUTIL_OBJS= \
$(OBJ)\add.obj \
$(OBJ)\change.obj \
$(OBJ)\copy.obj \
$(OBJ)\destroy.obj \
$(OBJ)\get.obj \
$(OBJ)\ktutil.obj \
$(OBJ)\ktutil-commands.obj \
$(OBJ)\list.obj \
$(OBJ)\purge.obj \
$(OBJ)\remove.obj \
$(OBJ)\rename.obj
KTUTIL_LIBS= \
$(LIBHEIMDAL) \
$(LIBKADM5SRV) \
$(LIBSL) \
$(LIBROKEN) \
$(LIBVERS)
$(SBINDIR)\ktutil.exe: $(KTUTIL_OBJS) $(KTUTIL_LIBS) $(OBJ)\ktutil-version.res
$(EXECONLINK)
$(EXEPREP)
$(OBJ)\ktutil-commands.c $(OBJ)\ktutil-commands.h: ktutil-commands.in
cd $(OBJ)
$(CP) $(SRCDIR)\ktutil-commands.in $(OBJ)
$(BINDIR)\slc.exe ktutil-commands.in
cd $(SRCDIR)
INCFILES=\
$(OBJ)\ktutil-commands.h
all:: $(INCFILES) $(SBINPROGRAMS)
clean::
-$(RM) $(SBINPROGRAMS:.exe=.*)

178
admin/add.c Normal file
View File

@ -0,0 +1,178 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
RCSID("$Id$");
static char *
readstring(const char *prompt, char *buf, size_t len)
{
printf("%s", prompt);
if (fgets(buf, (int)len, stdin) == NULL)
return NULL;
buf[strcspn(buf, "\r\n")] = '\0';
return buf;
}
int
kt_add(struct add_options *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_keytab keytab;
krb5_keytab_entry entry;
char buf[1024];
krb5_enctype enctype;
if((keytab = ktutil_open_keytab()) == NULL)
return 1;
memset(&entry, 0, sizeof(entry));
if(opt->principal_string == NULL) {
if(readstring("Principal: ", buf, sizeof(buf)) == NULL)
return 1;
opt->principal_string = buf;
}
ret = krb5_parse_name(context, opt->principal_string, &entry.principal);
if(ret) {
krb5_warn(context, ret, "%s", opt->principal_string);
goto out;
}
if(opt->enctype_string == NULL) {
if(readstring("Encryption type: ", buf, sizeof(buf)) == NULL) {
ret = 1;
goto out;
}
opt->enctype_string = buf;
}
ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
if(ret) {
int t;
if(sscanf(opt->enctype_string, "%d", &t) == 1)
enctype = t;
else {
krb5_warn(context, ret, "%s", opt->enctype_string);
goto out;
}
}
if(opt->kvno_integer == -1) {
if(readstring("Key version: ", buf, sizeof(buf)) == NULL) {
ret = 1;
goto out;
}
if(sscanf(buf, "%u", &opt->kvno_integer) != 1)
goto out;
}
if (opt->pw_file_string) {
FILE *f;
if (strcasecmp("STDIN", opt->pw_file_string) == 0)
f = stdin;
else
f = fopen(opt->pw_file_string, "r");
if (f == NULL)
krb5_errx(context, 1, "Failed to open the password file %s",
opt->pw_file_string);
if (fgets(buf, sizeof(buf), f) == NULL)
krb5_errx(context, 1,
"Failed to read password from file %s",
opt->pw_file_string);
if (f != stdin)
fclose(f);
buf[strcspn(buf, "\n")] = '\0';
opt->password_string = buf;
}
if(opt->password_string == NULL && opt->random_flag == 0) {
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ", 1)) {
ret = 1;
goto out;
}
opt->password_string = buf;
}
if(opt->password_string) {
if (opt->hex_flag) {
size_t len;
void *data;
len = (strlen(opt->password_string) + 1) / 2;
data = malloc(len);
if (data == NULL) {
krb5_warn(context, ENOMEM, "malloc");
goto out;
}
if ((size_t)hex_decode(opt->password_string, data, len) != len) {
free(data);
krb5_warn(context, ENOMEM, "hex decode failed");
goto out;
}
ret = krb5_keyblock_init(context, enctype,
data, len, &entry.keyblock);
free(data);
} else if (!opt->salt_flag) {
krb5_salt salt;
krb5_data pw;
salt.salttype = KRB5_PW_SALT;
salt.saltvalue.data = NULL;
salt.saltvalue.length = 0;
pw.data = (void*)opt->password_string;
pw.length = strlen(opt->password_string);
ret = krb5_string_to_key_data_salt(context, enctype, pw, salt,
&entry.keyblock);
} else {
ret = krb5_string_to_key(context, enctype, opt->password_string,
entry.principal, &entry.keyblock);
}
memset (opt->password_string, 0, strlen(opt->password_string));
} else {
ret = krb5_generate_random_keyblock(context, enctype, &entry.keyblock);
}
if(ret) {
krb5_warn(context, ret, "add");
goto out;
}
entry.vno = opt->kvno_integer;
entry.timestamp = (uint32_t)time (NULL);
ret = krb5_kt_add_entry(context, keytab, &entry);
if(ret)
krb5_warn(context, ret, "add");
out:
krb5_kt_free_entry(context, &entry);
krb5_kt_close(context, keytab);
return ret != 0;
}

251
admin/change.c Normal file
View File

@ -0,0 +1,251 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
RCSID("$Id$");
static krb5_error_code
change_entry (krb5_keytab keytab,
krb5_principal principal, krb5_kvno kvno,
const char *realm, const char *admin_server, int server_port)
{
krb5_error_code ret;
kadm5_config_params conf;
void *kadm_handle;
char *client_name;
krb5_keyblock *keys;
int num_keys;
int i;
ret = krb5_unparse_name (context, principal, &client_name);
if (ret) {
krb5_warn (context, ret, "krb5_unparse_name");
return ret;
}
memset (&conf, 0, sizeof(conf));
if(realm == NULL)
realm = krb5_principal_get_realm(context, principal);
conf.realm = strdup(realm);
if (conf.realm == NULL) {
free (client_name);
krb5_set_error_message(context, ENOMEM, "malloc failed");
return ENOMEM;
}
conf.mask |= KADM5_CONFIG_REALM;
if (admin_server) {
conf.admin_server = strdup(admin_server);
if (conf.admin_server == NULL) {
free(client_name);
free(conf.realm);
krb5_set_error_message(context, ENOMEM, "malloc failed");
return ENOMEM;
}
conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
}
if (server_port) {
conf.kadmind_port = htons(server_port);
conf.mask |= KADM5_CONFIG_KADMIND_PORT;
}
ret = kadm5_init_with_skey_ctx (context,
client_name,
keytab_string,
KADM5_ADMIN_SERVICE,
&conf, 0, 0,
&kadm_handle);
free(conf.admin_server);
free(conf.realm);
if (ret) {
krb5_warn (context, ret,
"kadm5_c_init_with_skey_ctx: %s:", client_name);
free (client_name);
return ret;
}
ret = kadm5_randkey_principal (kadm_handle, principal, &keys, &num_keys);
kadm5_destroy (kadm_handle);
if (ret) {
krb5_warn(context, ret, "kadm5_randkey_principal: %s:", client_name);
free (client_name);
return ret;
}
free (client_name);
for (i = 0; i < num_keys; ++i) {
krb5_keytab_entry new_entry;
new_entry.principal = principal;
new_entry.timestamp = (uint32_t)time (NULL);
new_entry.vno = kvno + 1;
new_entry.keyblock = keys[i];
ret = krb5_kt_add_entry (context, keytab, &new_entry);
if (ret)
krb5_warn (context, ret, "krb5_kt_add_entry");
krb5_free_keyblock_contents (context, &keys[i]);
}
return ret;
}
/*
* loop over all the entries in the keytab (or those given) and change
* their keys, writing the new keys
*/
struct change_set {
krb5_principal principal;
krb5_kvno kvno;
};
int
kt_change (struct change_options *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_keytab keytab;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
int i, j, max;
struct change_set *changeset;
int errors = 0;
if((keytab = ktutil_open_keytab()) == NULL)
return 1;
j = 0;
max = 0;
changeset = NULL;
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if(ret){
krb5_warn(context, ret, "%s", keytab_string);
goto out;
}
while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
int add = 0;
for (i = 0; i < j; ++i) {
if (krb5_principal_compare (context, changeset[i].principal,
entry.principal)) {
if (changeset[i].kvno < entry.vno)
changeset[i].kvno = entry.vno;
break;
}
}
if (i < j) {
krb5_kt_free_entry (context, &entry);
continue;
}
if (argc == 0) {
add = 1;
} else {
for (i = 0; i < argc; ++i) {
krb5_principal princ;
ret = krb5_parse_name (context, argv[i], &princ);
if (ret) {
krb5_warn (context, ret, "%s", argv[i]);
continue;
}
if (krb5_principal_compare (context, princ, entry.principal))
add = 1;
krb5_free_principal (context, princ);
}
}
if (add) {
if (j >= max) {
void *tmp;
max = max(max * 2, 1);
tmp = realloc (changeset, max * sizeof(*changeset));
if (tmp == NULL) {
krb5_kt_free_entry (context, &entry);
krb5_warnx (context, "realloc: out of memory");
ret = ENOMEM;
break;
}
changeset = tmp;
}
ret = krb5_copy_principal (context, entry.principal,
&changeset[j].principal);
if (ret) {
krb5_warn (context, ret, "krb5_copy_principal");
krb5_kt_free_entry (context, &entry);
break;
}
changeset[j].kvno = entry.vno;
++j;
}
krb5_kt_free_entry (context, &entry);
}
krb5_kt_end_seq_get(context, keytab, &cursor);
if (ret == KRB5_KT_END) {
for (i = 0; i < j; i++) {
if (verbose_flag) {
char *client_name;
ret = krb5_unparse_name (context, changeset[i].principal,
&client_name);
if (ret) {
krb5_warn (context, ret, "krb5_unparse_name");
} else {
printf("Changing %s kvno %d\n",
client_name, changeset[i].kvno);
free(client_name);
}
}
ret = change_entry (keytab,
changeset[i].principal, changeset[i].kvno,
opt->realm_string,
opt->admin_server_string,
opt->server_port_integer);
if (ret != 0)
errors = 1;
}
} else
errors = 1;
for (i = 0; i < j; i++)
krb5_free_principal (context, changeset[i].principal);
free (changeset);
out:
krb5_kt_close(context, keytab);
return errors;
}

179
admin/copy.c Normal file
View File

@ -0,0 +1,179 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
RCSID("$Id$");
static krb5_boolean
compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
{
if(a->keytype != b->keytype ||
a->keyvalue.length != b->keyvalue.length ||
memcmp(a->keyvalue.data, b->keyvalue.data, a->keyvalue.length) != 0)
return FALSE;
return TRUE;
}
int
kt_copy (struct copy_options *opt, int argc, char **argv)
{
krb5_keytab src_keytab = NULL, dst_keytab = NULL;
krb5_principal match_principal = NULL;
krb5_keytab_entry entry, dummy;
const char *from = argv[0];
const char *to = argv[1];
krb5_kt_cursor cursor;
krb5_error_code ret;
ret = krb5_kt_resolve (context, from, &src_keytab);
if (ret) {
krb5_warn (context, ret, "resolving src keytab `%s'", from);
goto out;
}
ret = krb5_kt_resolve (context, to, &dst_keytab);
if (ret) {
krb5_warn (context, ret, "resolving dst keytab `%s'", to);
goto out;
}
if (opt->match_principal_string) {
ret = krb5_parse_name(context,
opt->match_principal_string,
&match_principal);
if (ret) {
krb5_warn (context, ret, "failed parsing match principal `%s'",
opt->match_principal_string);
goto out;
}
if (verbose_flag) {
char *str = NULL;
ret = krb5_unparse_name(context, match_principal, &str);
if (ret == 0) {
fprintf(stderr, "matching on principal %s\n", str);
krb5_xfree(str);
}
}
}
ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
if (ret) {
krb5_warn (context, ret, "krb5_kt_start_seq_get %s", keytab_string);
goto out;
}
if (verbose_flag)
fprintf(stderr, "copying %s to %s\n", from, to);
while((ret = krb5_kt_next_entry(context, src_keytab,
&entry, &cursor)) == 0) {
char *name_str;
char *etype_str;
ret = krb5_unparse_name (context, entry.principal, &name_str);
if(ret) {
krb5_warn(context, ret, "krb5_unparse_name");
name_str = NULL; /* XXX */
}
ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
if(ret) {
krb5_warn(context, ret, "krb5_enctype_to_string");
etype_str = NULL; /* XXX */
}
if (match_principal &&
!krb5_principal_match(context, entry.principal, match_principal))
{
if (verbose_flag) {
krb5_warnx(context, "skipping %s, keytype %s, kvno %d",
name_str, etype_str, entry.vno);
}
free(name_str);
free(etype_str);
continue;
}
ret = krb5_kt_get_entry(context, dst_keytab,
entry.principal,
entry.vno,
entry.keyblock.keytype,
&dummy);
if(ret == 0) {
/* this entry is already in the new keytab, so no need to
copy it; if the keyblocks are not the same, something
is weird, so complain about that */
if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
krb5_warnx(context, "entry with different keyvalue "
"already exists for %s, keytype %s, kvno %d",
name_str, etype_str, entry.vno);
}
krb5_kt_free_entry(context, &dummy);
krb5_kt_free_entry (context, &entry);
free(name_str);
free(etype_str);
continue;
} else if(ret != KRB5_KT_NOTFOUND) {
krb5_warn (context, ret, "%s: fetching %s/%s/%u",
to, name_str, etype_str, entry.vno);
krb5_kt_free_entry (context, &entry);
free(name_str);
free(etype_str);
break;
}
if (verbose_flag)
fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str,
etype_str, entry.vno);
ret = krb5_kt_add_entry (context, dst_keytab, &entry);
krb5_kt_free_entry (context, &entry);
if (ret) {
krb5_warn (context, ret, "%s: adding %s/%s/%u",
to, name_str, etype_str, entry.vno);
free(name_str);
free(etype_str);
break;
}
free(name_str);
free(etype_str);
}
krb5_kt_end_seq_get (context, src_keytab, &cursor);
out:
if (match_principal)
krb5_free_principal(context, match_principal);
if (src_keytab)
krb5_kt_close (context, src_keytab);
if (dst_keytab)
krb5_kt_close (context, dst_keytab);
return ret != 0;
}

52
admin/destroy.c Normal file
View File

@ -0,0 +1,52 @@
/*
* Copyright (c) 2009 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
int
kt_destroy (void *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_keytab keytab;
if((keytab = ktutil_open_keytab()) == NULL)
return 1;
ret = krb5_kt_destroy (context, keytab);
if (ret) {
krb5_warn (context, ret, "destroy keytab failed");
return 1;
}
return 0;
}

239
admin/get.c Normal file
View File

@ -0,0 +1,239 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
RCSID("$Id$");
static void*
open_kadmin_connection(char *principal,
const char *realm,
char *admin_server,
int server_port)
{
static kadm5_config_params conf;
krb5_error_code ret;
void *kadm_handle;
memset(&conf, 0, sizeof(conf));
if(realm) {
conf.realm = strdup(realm);
if (conf.realm == NULL) {
krb5_set_error_message(context, 0, "malloc: out of memory");
return NULL;
}
conf.mask |= KADM5_CONFIG_REALM;
}
if (admin_server) {
conf.admin_server = admin_server;
conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
}
if (server_port) {
conf.kadmind_port = htons(server_port);
conf.mask |= KADM5_CONFIG_KADMIND_PORT;
}
/* should get realm from each principal, instead of doing
everything with the same (local) realm */
ret = kadm5_init_with_password_ctx(context,
principal,
NULL,
KADM5_ADMIN_SERVICE,
&conf, 0, 0,
&kadm_handle);
free(conf.realm);
if(ret) {
krb5_warn(context, ret, "kadm5_init_with_password");
return NULL;
}
return kadm_handle;
}
int
kt_get(struct get_options *opt, int argc, char **argv)
{
krb5_error_code ret = 0;
krb5_keytab keytab;
void *kadm_handle = NULL;
krb5_enctype *etypes = NULL;
size_t netypes = 0;
size_t i;
int a, j;
unsigned int failed = 0;
if((keytab = ktutil_open_keytab()) == NULL)
return 1;
if(opt->realm_string)
krb5_set_default_realm(context, opt->realm_string);
if (opt->enctypes_strings.num_strings != 0) {
etypes = malloc (opt->enctypes_strings.num_strings * sizeof(*etypes));
if (etypes == NULL) {
krb5_warnx(context, "malloc failed");
goto out;
}
netypes = opt->enctypes_strings.num_strings;
for(i = 0; i < netypes; i++) {
ret = krb5_string_to_enctype(context,
opt->enctypes_strings.strings[i],
&etypes[i]);
if(ret) {
krb5_warnx(context, "unrecognized enctype: %s",
opt->enctypes_strings.strings[i]);
goto out;
}
}
}
for(a = 0; a < argc; a++){
krb5_principal princ_ent;
kadm5_principal_ent_rec princ;
int mask = 0;
krb5_keyblock *keys;
int n_keys;
int created = 0;
krb5_keytab_entry entry;
ret = krb5_parse_name(context, argv[a], &princ_ent);
if (ret) {
krb5_warn(context, ret, "can't parse principal %s", argv[a]);
failed++;
continue;
}
memset(&princ, 0, sizeof(princ));
princ.principal = princ_ent;
mask |= KADM5_PRINCIPAL;
princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
mask |= KADM5_ATTRIBUTES;
princ.princ_expire_time = 0;
mask |= KADM5_PRINC_EXPIRE_TIME;
if(kadm_handle == NULL) {
const char *r;
if(opt->realm_string != NULL)
r = opt->realm_string;
else
r = krb5_principal_get_realm(context, princ_ent);
kadm_handle = open_kadmin_connection(opt->principal_string,
r,
opt->admin_server_string,
opt->server_port_integer);
if(kadm_handle == NULL)
break;
}
ret = kadm5_create_principal(kadm_handle, &princ, mask, "x");
if(ret == 0)
created = 1;
else if(ret != KADM5_DUP) {
krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
if (ret) {
krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
if (ret) {
krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]);
for (j = 0; j < n_keys; j++)
krb5_free_keyblock_contents(context, &keys[j]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX))
krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]);
princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
mask = KADM5_ATTRIBUTES;
if(created) {
princ.kvno = 1;
mask |= KADM5_KVNO;
}
ret = kadm5_modify_principal(kadm_handle, &princ, mask);
if (ret) {
krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]);
for (j = 0; j < n_keys; j++)
krb5_free_keyblock_contents(context, &keys[j]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
for(j = 0; j < n_keys; j++) {
int do_add = TRUE;
if (netypes) {
size_t k;
do_add = FALSE;
for (k = 0; k < netypes; ++k)
if (keys[j].keytype == etypes[k]) {
do_add = TRUE;
break;
}
}
if (do_add) {
entry.principal = princ_ent;
entry.vno = princ.kvno;
entry.keyblock = keys[j];
entry.timestamp = (uint32_t)time (NULL);
ret = krb5_kt_add_entry(context, keytab, &entry);
if (ret)
krb5_warn(context, ret, "krb5_kt_add_entry");
}
krb5_free_keyblock_contents(context, &keys[j]);
}
kadm5_free_principal_ent(kadm_handle, &princ);
krb5_free_principal(context, princ_ent);
}
out:
free(etypes);
if (kadm_handle)
kadm5_destroy(kadm_handle);
krb5_kt_close(context, keytab);
return ret != 0 || failed > 0;
}

256
admin/ktutil-commands.in Normal file
View File

@ -0,0 +1,256 @@
/*
* Copyright (c) 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
command = {
name = "add"
option = {
long = "principal"
short = "p"
type = "string"
help = "principal to add"
argument = "principal"
default = ""
}
option = {
long = "kvno"
short = "V"
type = "integer"
help = "key version number"
default = "-1"
}
option = {
long = "enctype"
short = "e"
type = "string"
argument = "enctype"
help = "encryption type"
}
option = {
long = "pw-file"
type = "string"
help = "path or STDIN where password is read from"
}
option = {
long = "password"
short = "w"
type = "string"
help = "password for key"
}
option = {
long = "salt"
short = "s"
type = "-flag"
help = "use unsalted keys"
default = "1"
}
option = {
long = "random"
short = "r"
type = "flag"
help = "generate random key"
}
option = {
long = "hex"
short = "H"
type = "flag"
help = "password is a hexadecimal string"
}
function = "kt_add"
help = "Adds a key to a keytab."
max_args = "0"
}
command = {
name = "change"
option = {
long = "realm"
short = "r"
type = "string"
argument = "realm"
help = "realm to use"
}
option = {
long = "admin-server"
short = "a"
type = "string"
argument = "host"
help = "server to contact"
}
option = {
long = "server-port"
short = "s"
type = "integer"
argument = "port number"
help = "port number on server"
}
function = "kt_change"
argument = "[principal...]"
help = "Change keys for specified principals (default all)."
}
command = {
option = {
long = "match-principal"
type = "string"
help = "copy only matching principals"
argument = "principal"
}
name = "copy"
function = "kt_copy"
argument = "source destination"
min_args = "2"
max_args = "2"
help = "Copies content of one keytab into another."
}
command = {
name = "get"
option = {
long = "principal"
short = "p"
type = "string"
help = "admin principal"
argument = "principal"
}
option = {
long = "enctypes"
short = "e"
type = "strings"
help = "encryption types to use"
argument = "enctype"
}
option = {
long = "realm"
short = "r"
type = "string"
argument = "realm"
help = "realm to use"
}
option = {
long = "admin-server"
short = "a"
type = "string"
argument = "host"
help = "server to contact"
}
option = {
long = "server-port"
short = "s"
type = "integer"
argument = "port number"
help = "port number on server"
}
function = "kt_get"
min_args = "1"
argument = "principal..."
help = "Change keys for specified principals, and add them to the keytab."
}
command = {
name = "list"
option = {
long = "keys"
type = "flag"
help = "show key values"
}
option = {
long = "timestamp"
type = "flag"
help = "show timestamps"
}
function = "kt_list"
help = "Show contents of keytab."
}
command = {
name = "purge"
option = {
long = "age"
type = "string"
help = "age to retiere"
default = "1 week";
argument = "time"
}
max_args = "0"
function = "kt_purge"
help = "Remove superceded keys from keytab."
}
command = {
name = "remove"
name = "delete"
option = {
long = "principal"
short = "p"
type = "string"
help = "principal to remove"
argument = "principal"
}
option = {
long = "kvno"
short = "V"
type = "integer"
help = "key version to remove"
argument = "enctype"
default = "0"
}
option = {
long = "enctype"
short = "e"
type = "string"
help = "enctype to remove"
argument = "enctype"
}
max_args = "0"
function = "kt_remove"
help = "Remove keys from keytab."
}
command = {
name = "rename"
function = "kt_rename"
argument = "from to"
min_args = "2"
max_args = "2"
help = "Renames an entry in the keytab."
option = {
long = "delete"
type = "-flag"
help = "don't delete orignal entry"
}
}
command = {
name = "destroy"
function = "kt_destroy"
help = "Destroy (remove) the keytab."
}
command = {
name = "help"
argument = "command"
max_args = "1"
function = "help"
}

36
admin/ktutil-version.rc Normal file
View File

@ -0,0 +1,36 @@
/***********************************************************************
* Copyright (c) 2010, Secure Endpoints Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
**********************************************************************/
#define RC_FILE_TYPE VFT_APP
#define RC_FILE_DESC_0409 "Kerberos Keytab Tool"
#define RC_FILE_ORIG_0409 "ktutil.exe"
#include "../windows/version.rc"

133
admin/ktutil.8 Normal file
View File

@ -0,0 +1,133 @@
.\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd Dec 1, 2014
.Dt KTUTIL 8
.Os HEIMDAL
.Sh NAME
.Nm ktutil
.Nd manage Kerberos keytabs
.Sh SYNOPSIS
.Nm
.Oo Fl k Ar keytab \*(Ba Xo
.Fl Fl keytab= Ns Ar keytab
.Xc
.Oc
.Op Fl v | Fl Fl verbose
.Op Fl Fl version
.Op Fl h | Fl Fl help
.Ar command
.Op Ar args
.Sh DESCRIPTION
.Nm
is a program for managing keytabs.
Supported options:
.Bl -tag -width Ds
.It Fl v , Fl Fl verbose
Verbose output.
.El
.Pp
.Ar command
can be one of the following:
.Bl -tag -width srvconvert
.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
Oo Fl Fl pw-file= Ns Ar filename Oc \
Oo Fl Fl password= Ns Ar password Oc Oo Fl r Oc Oo Fl Fl random Oc \
Oo Fl s Oc Oo Fl Fl no-salt Oc Oo Fl H Oc Op Fl Fl hex
Adds a key to the keytab. Options that are not specified will be
prompted for. This requires that you know the password or the hex key of the
principal to add; if what you really want is to add a new principal to
the keytab, you should consider the
.Ar get
command, which talks to the kadmin server.
.Fl Fl pw-file
can specify either a file with a password, or the string STDIN. In the
latter case the password is read from stdin.
.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \
Oo Fl Fl s Ar port Oc Op Fl Fl server-port= Ns Ar port
Update one or several keys to new versions. By default, use the admin
server for the realm of a keytab entry. Otherwise it will use the
values specified by the options.
.Pp
If no principals are given, all the ones in the keytab are updated.
.It copy Oo Fl Fl filter-principal= Ns Ar string Oc
Ar keytab-src Ar keytab-dest
Copies all the entries from
.Ar keytab-src
to
.Ar keytab-dest .
Optionally a princial can be selected as a filter and then just
entries matching that principal is copied out.
The matching applies globing rules on each component (eg
foo*/host.domain@REALM) is a valid filter principal.
.It get Oo Fl p Ar admin principal Oc \
Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
For each
.Ar principal ,
generate a new key for it (creating it if it doesn't already exist),
and put that key in the keytab.
.Pp
If no
.Ar realm
is specified, the realm to operate on is taken from the first
principal.
.It list Oo Fl Fl keys Oc Op Fl Fl timestamp
List the keys stored in the keytab.
.It remove Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
Oo Fl V kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc
Removes the specified key or keys. Not specifying a
.Ar kvno
removes keys with any version number. Not specifying an
.Ar enctype
removes keys of any type.
.It rename Ar from-principal Ar to-principal
Renames all entries in the keytab that match the
.Ar from-principal
to
.Ar to-principal .
.It purge Op Fl Fl age= Ns Ar age
Removes all old versions of a key for which there is a newer version
that is at least
.Ar age
(default one week) old.
.El
.Sh SEE ALSO
.Xr kadmin 8

178
admin/ktutil.c Normal file
View File

@ -0,0 +1,178 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
#include <err.h>
static void usage(int status) __attribute__((noreturn));
static int help_flag;
static int version_flag;
int verbose_flag;
char *keytab_string;
static char keytab_buf[256];
static struct getargs args[] = {
{
"version",
0,
arg_flag,
&version_flag,
NULL,
NULL
},
{
"help",
'h',
arg_flag,
&help_flag,
NULL,
NULL
},
{
"keytab",
'k',
arg_string,
&keytab_string,
"keytab",
"keytab to operate on"
},
{
"verbose",
'v',
arg_flag,
&verbose_flag,
"verbose",
"run verbosely"
}
};
static int num_args = sizeof(args) / sizeof(args[0]);
krb5_context context;
krb5_keytab
ktutil_open_keytab(void)
{
krb5_error_code ret;
krb5_keytab keytab;
if (keytab_string == NULL) {
ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
if (ret) {
krb5_warn(context, ret, "krb5_kt_default_name");
return NULL;
}
keytab_string = keytab_buf;
}
ret = krb5_kt_resolve(context, keytab_string, &keytab);
if (ret) {
krb5_warn(context, ret, "resolving keytab %s", keytab_string);
return NULL;
}
if (verbose_flag)
fprintf (stderr, "Using keytab %s\n", keytab_string);
return keytab;
}
int
help(void *opt, int argc, char **argv)
{
if(argc == 0) {
sl_help(commands, 1, argv - 1 /* XXX */);
} else {
SL_cmd *c = sl_match (commands, argv[0], 0);
if(c == NULL) {
fprintf (stderr, "No such command: %s. "
"Try \"help\" for a list of commands\n",
argv[0]);
} else {
if(c->func) {
char shelp[] = "--help";
char *fake[3];
fake[0] = argv[0];
fake[1] = shelp;
fake[2] = NULL;
(*c->func)(2, fake);
fprintf(stderr, "\n");
}
if(c->help && *c->help)
fprintf (stderr, "%s\n", c->help);
if((++c)->name && c->func == NULL) {
int f = 0;
fprintf (stderr, "Synonyms:");
while (c->name && c->func == NULL) {
fprintf (stderr, "%s%s", f ? ", " : " ", (c++)->name);
f = 1;
}
fprintf (stderr, "\n");
}
}
}
return 0;
}
static void
usage(int status)
{
arg_printusage(args, num_args, NULL, "command");
exit(status);
}
int
main(int argc, char **argv)
{
int optidx = 0;
krb5_error_code ret;
setprogname(argv[0]);
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if(argc == 0)
usage(1);
ret = sl_command(commands, argc, argv);
if(ret == -1)
krb5_warnx (context, "unrecognized command: %s", argv[0]);
return ret;
}

74
admin/ktutil_locl.h Normal file
View File

@ -0,0 +1,74 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* $Id$
*/
#ifndef __KTUTIL_LOCL_H__
#define __KTUTIL_LOCL_H__
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <parse_time.h>
#include <roken.h>
#include "crypto-headers.h"
#include <krb5.h>
#include <kadm5/admin.h>
#include <kadm5/kadm5_err.h>
#include <sl.h>
#include <getarg.h>
#include <hex.h>
extern krb5_context context;
extern int verbose_flag;
extern char *keytab_string;
krb5_keytab ktutil_open_keytab(void);
#include "ktutil-commands.h"
#endif /* __KTUTIL_LOCL_H__ */

169
admin/list.c Normal file
View File

@ -0,0 +1,169 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
#include <rtbl.h>
static int
do_list(struct list_options *opt, const char *keytab_str)
{
krb5_error_code ret;
krb5_keytab keytab;
krb5_keytab_entry entry;
krb5_kt_cursor cursor;
rtbl_t table;
/* XXX specialcase the ANY type */
if(strncasecmp(keytab_str, "ANY:", 4) == 0) {
int flag = 0;
char buf[1024];
keytab_str += 4;
ret = 0;
while (strsep_copy((const char**)&keytab_str, ",",
buf, sizeof(buf)) != -1) {
if(flag)
printf("\n");
if(do_list(opt, buf))
ret = 1;
flag = 1;
}
return ret;
}
ret = krb5_kt_resolve(context, keytab_str, &keytab);
if (ret) {
krb5_warn(context, ret, "resolving keytab %s", keytab_str);
return ret;
}
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if(ret) {
krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_str);
krb5_kt_close(context, keytab);
return ret;
}
printf ("%s:\n\n", keytab_str);
table = rtbl_create();
rtbl_add_column_by_id(table, 0, "Vno", RTBL_ALIGN_RIGHT);
rtbl_add_column_by_id(table, 1, "Type", 0);
rtbl_add_column_by_id(table, 2, "Principal", 0);
if (opt->timestamp_flag)
rtbl_add_column_by_id(table, 3, "Date", 0);
if(opt->keys_flag)
rtbl_add_column_by_id(table, 4, "Key", 0);
rtbl_add_column_by_id(table, 5, "Aliases", 0);
rtbl_set_separator(table, " ");
while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0){
char buf[1024], *s;
snprintf(buf, sizeof(buf), "%d", entry.vno);
rtbl_add_column_entry_by_id(table, 0, buf);
ret = krb5_enctype_to_string(context,
entry.keyblock.keytype, &s);
if (ret != 0) {
snprintf(buf, sizeof(buf), "unknown (%d)", entry.keyblock.keytype);
rtbl_add_column_entry_by_id(table, 1, buf);
} else {
rtbl_add_column_entry_by_id(table, 1, s);
free(s);
}
krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf));
rtbl_add_column_entry_by_id(table, 2, buf);
if (opt->timestamp_flag) {
krb5_format_time(context, entry.timestamp, buf,
sizeof(buf), FALSE);
rtbl_add_column_entry_by_id(table, 3, buf);
}
if(opt->keys_flag) {
size_t i;
s = malloc(2 * entry.keyblock.keyvalue.length + 1);
if (s == NULL) {
krb5_warnx(context, "malloc failed");
ret = ENOMEM;
goto out;
}
for(i = 0; i < entry.keyblock.keyvalue.length; i++)
snprintf(s + 2 * i, 3, "%02x",
((unsigned char*)entry.keyblock.keyvalue.data)[i]);
rtbl_add_column_entry_by_id(table, 4, s);
free(s);
}
if (entry.aliases) {
unsigned int i;
struct rk_strpool *p = NULL;
for (i = 0; i< entry.aliases->len; i++) {
krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf));
rk_strpoolprintf(p, "%s%s", buf,
i + 1 < entry.aliases->len ? ", " : "");
}
rtbl_add_column_entry_by_id(table, 5, rk_strpoolcollect(p));
}
krb5_kt_free_entry(context, &entry);
}
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
rtbl_format(table, stdout);
out:
rtbl_destroy(table);
krb5_kt_close(context, keytab);
return ret;
}
int
kt_list(struct list_options *opt, int argc, char **argv)
{
krb5_error_code ret;
char kt[1024];
if(verbose_flag)
opt->timestamp_flag = 1;
if (keytab_string == NULL) {
if((ret = krb5_kt_default_name(context, kt, sizeof(kt))) != 0) {
krb5_warn(context, ret, "getting default keytab name");
return 1;
}
keytab_string = kt;
}
return do_list(opt, keytab_string) != 0;
}

172
admin/purge.c Normal file
View File

@ -0,0 +1,172 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
RCSID("$Id$");
/*
* keep track of the highest version for every principal.
*/
struct e {
krb5_principal principal;
int max_vno;
time_t timestamp;
struct e *next;
};
static struct e *
get_entry (krb5_principal princ, struct e *head)
{
struct e *e;
for (e = head; e != NULL; e = e->next)
if (krb5_principal_compare (context, princ, e->principal))
return e;
return NULL;
}
static void
add_entry (krb5_principal princ, int vno, time_t timestamp, struct e **head)
{
krb5_error_code ret;
struct e *e;
e = get_entry (princ, *head);
if (e != NULL) {
if(e->max_vno < vno) {
e->max_vno = vno;
e->timestamp = timestamp;
}
return;
}
e = malloc (sizeof (*e));
if (e == NULL)
krb5_errx (context, 1, "malloc: out of memory");
ret = krb5_copy_principal (context, princ, &e->principal);
if (ret)
krb5_err (context, 1, ret, "krb5_copy_principal");
e->max_vno = vno;
e->timestamp = timestamp;
e->next = *head;
*head = e;
}
static void
delete_list (struct e *head)
{
while (head != NULL) {
struct e *next = head->next;
krb5_free_principal (context, head->principal);
free (head);
head = next;
}
}
/*
* Remove all entries that have newer versions and that are older
* than `age'
*/
int
kt_purge(struct purge_options *opt, int argc, char **argv)
{
krb5_error_code ret = 0;
krb5_kt_cursor cursor;
krb5_keytab keytab;
krb5_keytab_entry entry;
int age;
struct e *head = NULL;
time_t judgement_day;
age = parse_time(opt->age_string, "s");
if(age < 0) {
krb5_warnx(context, "unparasable time `%s'", opt->age_string);
return 1;
}
if((keytab = ktutil_open_keytab()) == NULL)
return 1;
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if(ret){
krb5_warn(context, ret, "%s", keytab_string);
goto out;
}
while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) {
add_entry (entry.principal, entry.vno, entry.timestamp, &head);
krb5_kt_free_entry(context, &entry);
}
krb5_kt_end_seq_get(context, keytab, &cursor);
judgement_day = time (NULL);
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if(ret){
krb5_warn(context, ret, "%s", keytab_string);
goto out;
}
while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) {
struct e *e = get_entry (entry.principal, head);
if (e == NULL) {
krb5_warnx (context, "ignoring extra entry");
continue;
}
if (entry.vno < e->max_vno
&& judgement_day - e->timestamp > age) {
if (verbose_flag) {
char *name_str;
krb5_unparse_name (context, entry.principal, &name_str);
printf ("removing %s vno %d\n", name_str, entry.vno);
free (name_str);
}
ret = krb5_kt_remove_entry (context, keytab, &entry);
if (ret)
krb5_warn (context, ret, "remove");
}
krb5_kt_free_entry(context, &entry);
}
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
delete_list (head);
out:
krb5_kt_close (context, keytab);
return ret != 0;
}

93
admin/remove.c Normal file
View File

@ -0,0 +1,93 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
RCSID("$Id$");
int
kt_remove(struct remove_options *opt, int argc, char **argv)
{
krb5_error_code ret = 0;
krb5_keytab_entry entry;
krb5_keytab keytab;
krb5_principal principal = NULL;
krb5_enctype enctype = 0;
if(opt->principal_string) {
ret = krb5_parse_name(context, opt->principal_string, &principal);
if(ret) {
krb5_warn(context, ret, "%s", opt->principal_string);
return 1;
}
}
if(opt->enctype_string) {
ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
if(ret) {
int t;
if(sscanf(opt->enctype_string, "%d", &t) == 1)
enctype = t;
else {
krb5_warn(context, ret, "%s", opt->enctype_string);
if(principal)
krb5_free_principal(context, principal);
return 1;
}
}
}
if (!principal && !enctype && !opt->kvno_integer) {
krb5_warnx(context,
"You must give at least one of "
"principal, enctype or kvno.");
ret = EINVAL;
goto out;
}
if((keytab = ktutil_open_keytab()) == NULL) {
ret = 1;
goto out;
}
entry.principal = principal;
entry.keyblock.keytype = enctype;
entry.vno = opt->kvno_integer;
ret = krb5_kt_remove_entry(context, keytab, &entry);
krb5_kt_close(context, keytab);
if(ret)
krb5_warn(context, ret, "remove");
out:
if(principal)
krb5_free_principal(context, principal);
return ret != 0;
}

113
admin/rename.c Normal file
View File

@ -0,0 +1,113 @@
/*
* Copyright (c) 2001-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ktutil_locl.h"
RCSID("$Id$");
int
kt_rename(struct rename_options *opt, int argc, char **argv)
{
krb5_error_code ret = 0;
krb5_keytab_entry entry;
krb5_keytab keytab;
krb5_kt_cursor cursor;
krb5_principal from_princ, to_princ;
ret = krb5_parse_name(context, argv[0], &from_princ);
if(ret != 0) {
krb5_warn(context, ret, "%s", argv[0]);
return 1;
}
ret = krb5_parse_name(context, argv[1], &to_princ);
if(ret != 0) {
krb5_free_principal(context, from_princ);
krb5_warn(context, ret, "%s", argv[1]);
return 1;
}
if((keytab = ktutil_open_keytab()) == NULL) {
krb5_free_principal(context, from_princ);
krb5_free_principal(context, to_princ);
return 1;
}
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if(ret) {
krb5_kt_close(context, keytab);
krb5_free_principal(context, from_princ);
krb5_free_principal(context, to_princ);
return 1;
}
while(1) {
ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
if(ret != 0) {
if(ret != KRB5_CC_END && ret != KRB5_KT_END)
krb5_warn(context, ret, "getting entry from keytab");
else
ret = 0;
break;
}
if(krb5_principal_compare(context, entry.principal, from_princ)) {
krb5_free_principal(context, entry.principal);
entry.principal = to_princ;
ret = krb5_kt_add_entry(context, keytab, &entry);
if(ret) {
entry.principal = NULL;
krb5_kt_free_entry(context, &entry);
krb5_warn(context, ret, "adding entry");
break;
}
if (opt->delete_flag) {
entry.principal = from_princ;
ret = krb5_kt_remove_entry(context, keytab, &entry);
if(ret) {
entry.principal = NULL;
krb5_kt_free_entry(context, &entry);
krb5_warn(context, ret, "removing entry");
break;
}
}
entry.principal = NULL;
}
krb5_kt_free_entry(context, &entry);
}
krb5_kt_end_seq_get(context, keytab, &cursor);
krb5_free_principal(context, from_princ);
krb5_free_principal(context, to_princ);
return ret != 0;
}

373
appl/GSSSimpleTest/GSSSimpleTest.xcodeproj/project.pbxproj Normal file
View File

@ -0,0 +1,373 @@
// !$*UTF8*$!
{
archiveVersion = 1;
classes = {
};
objectVersion = 46;
objects = {
/* Begin PBXBuildFile section */
EB30C50F181EE1FB00067C51 /* com.apple.Kerberos.plist in Copy resources */ = {isa = PBXBuildFile; fileRef = EB30C50C181EDD4900067C51 /* com.apple.Kerberos.plist */; };
EB30C511181EE89A00067C51 /* GSS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EB30C510181EE89A00067C51 /* GSS.framework */; };
EBC48139181EBD7600DAAE90 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBC48138181EBD7600DAAE90 /* Foundation.framework */; };
EBC4813B181EBD7600DAAE90 /* CoreGraphics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBC4813A181EBD7600DAAE90 /* CoreGraphics.framework */; };
EBC4813D181EBD7600DAAE90 /* UIKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBC4813C181EBD7600DAAE90 /* UIKit.framework */; };
EBC48143181EBD7600DAAE90 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = EBC48141181EBD7600DAAE90 /* InfoPlist.strings */; };
EBC48145181EBD7600DAAE90 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = EBC48144181EBD7600DAAE90 /* main.m */; };
EBC48149181EBD7600DAAE90 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = EBC48148181EBD7600DAAE90 /* AppDelegate.m */; };
EBC4814C181EBD7600DAAE90 /* Main_iPhone.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EBC4814A181EBD7600DAAE90 /* Main_iPhone.storyboard */; };
EBC4814F181EBD7600DAAE90 /* Main_iPad.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = EBC4814D181EBD7600DAAE90 /* Main_iPad.storyboard */; };
EBC48152181EBD7600DAAE90 /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = EBC48151181EBD7600DAAE90 /* ViewController.m */; };
EBC48154181EBD7600DAAE90 /* Images.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = EBC48153181EBD7600DAAE90 /* Images.xcassets */; };
/* End PBXBuildFile section */
/* Begin PBXCopyFilesBuildPhase section */
EB30C50E181EE1F200067C51 /* Copy resources */ = {
isa = PBXCopyFilesBuildPhase;
buildActionMask = 12;
dstPath = "";
dstSubfolderSpec = 7;
files = (
EB30C50F181EE1FB00067C51 /* com.apple.Kerberos.plist in Copy resources */,
);
name = "Copy resources";
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXCopyFilesBuildPhase section */
/* Begin PBXFileReference section */
EB30C50C181EDD4900067C51 /* com.apple.Kerberos.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; path = com.apple.Kerberos.plist; sourceTree = "<group>"; };
EB30C510181EE89A00067C51 /* GSS.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = GSS.framework; path = System/Library/Frameworks/GSS.framework; sourceTree = SDKROOT; };
EBC48135181EBD7600DAAE90 /* GSSSimpleTest.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = GSSSimpleTest.app; sourceTree = BUILT_PRODUCTS_DIR; };
EBC48138181EBD7600DAAE90 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; };
EBC4813A181EBD7600DAAE90 /* CoreGraphics.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreGraphics.framework; path = System/Library/Frameworks/CoreGraphics.framework; sourceTree = SDKROOT; };
EBC4813C181EBD7600DAAE90 /* UIKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = UIKit.framework; path = System/Library/Frameworks/UIKit.framework; sourceTree = SDKROOT; };
EBC48140181EBD7600DAAE90 /* GSSSimpleTest-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "GSSSimpleTest-Info.plist"; sourceTree = "<group>"; };
EBC48142181EBD7600DAAE90 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; };
EBC48144181EBD7600DAAE90 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
EBC48146181EBD7600DAAE90 /* GSSSimpleTest-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "GSSSimpleTest-Prefix.pch"; sourceTree = "<group>"; };
EBC48147181EBD7600DAAE90 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = "<group>"; };
EBC48148181EBD7600DAAE90 /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = "<group>"; };
EBC4814B181EBD7600DAAE90 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main_iPhone.storyboard; sourceTree = "<group>"; };
EBC4814E181EBD7600DAAE90 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main_iPad.storyboard; sourceTree = "<group>"; };
EBC48150181EBD7600DAAE90 /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = "<group>"; };
EBC48151181EBD7600DAAE90 /* ViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = "<group>"; };
EBC48153181EBD7600DAAE90 /* Images.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Images.xcassets; sourceTree = "<group>"; };
EBC4815A181EBD7600DAAE90 /* XCTest.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = XCTest.framework; path = Library/Frameworks/XCTest.framework; sourceTree = DEVELOPER_DIR; };
/* End PBXFileReference section */
/* Begin PBXFrameworksBuildPhase section */
EBC48132181EBD7600DAAE90 /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
EB30C511181EE89A00067C51 /* GSS.framework in Frameworks */,
EBC4813B181EBD7600DAAE90 /* CoreGraphics.framework in Frameworks */,
EBC4813D181EBD7600DAAE90 /* UIKit.framework in Frameworks */,
EBC48139181EBD7600DAAE90 /* Foundation.framework in Frameworks */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXFrameworksBuildPhase section */
/* Begin PBXGroup section */
EBC4812C181EBD7600DAAE90 = {
isa = PBXGroup;
children = (
EBC4813E181EBD7600DAAE90 /* GSSSimpleTest */,
EBC48137181EBD7600DAAE90 /* Frameworks */,
EBC48136181EBD7600DAAE90 /* Products */,
);
sourceTree = "<group>";
};
EBC48136181EBD7600DAAE90 /* Products */ = {
isa = PBXGroup;
children = (
EBC48135181EBD7600DAAE90 /* GSSSimpleTest.app */,
);
name = Products;
sourceTree = "<group>";
};
EBC48137181EBD7600DAAE90 /* Frameworks */ = {
isa = PBXGroup;
children = (
EB30C510181EE89A00067C51 /* GSS.framework */,
EBC48138181EBD7600DAAE90 /* Foundation.framework */,
EBC4813A181EBD7600DAAE90 /* CoreGraphics.framework */,
EBC4813C181EBD7600DAAE90 /* UIKit.framework */,
EBC4815A181EBD7600DAAE90 /* XCTest.framework */,
);
name = Frameworks;
sourceTree = "<group>";
};
EBC4813E181EBD7600DAAE90 /* GSSSimpleTest */ = {
isa = PBXGroup;
children = (
EBC48147181EBD7600DAAE90 /* AppDelegate.h */,
EBC48148181EBD7600DAAE90 /* AppDelegate.m */,
EBC4814A181EBD7600DAAE90 /* Main_iPhone.storyboard */,
EBC4814D181EBD7600DAAE90 /* Main_iPad.storyboard */,
EBC48150181EBD7600DAAE90 /* ViewController.h */,
EBC48151181EBD7600DAAE90 /* ViewController.m */,
EBC48153181EBD7600DAAE90 /* Images.xcassets */,
EBC4813F181EBD7600DAAE90 /* Supporting Files */,
);
path = GSSSimpleTest;
sourceTree = "<group>";
};
EBC4813F181EBD7600DAAE90 /* Supporting Files */ = {
isa = PBXGroup;
children = (
EBC48140181EBD7600DAAE90 /* GSSSimpleTest-Info.plist */,
EBC48141181EBD7600DAAE90 /* InfoPlist.strings */,
EBC48144181EBD7600DAAE90 /* main.m */,
EBC48146181EBD7600DAAE90 /* GSSSimpleTest-Prefix.pch */,
EB30C50C181EDD4900067C51 /* com.apple.Kerberos.plist */,
);
name = "Supporting Files";
sourceTree = "<group>";
};
/* End PBXGroup section */
/* Begin PBXNativeTarget section */
EBC48134181EBD7600DAAE90 /* GSSSimpleTest */ = {
isa = PBXNativeTarget;
buildConfigurationList = EBC4816A181EBD7600DAAE90 /* Build configuration list for PBXNativeTarget "GSSSimpleTest" */;
buildPhases = (
EBC48131181EBD7600DAAE90 /* Sources */,
EBC48132181EBD7600DAAE90 /* Frameworks */,
EB30C50E181EE1F200067C51 /* Copy resources */,
EBC48133181EBD7600DAAE90 /* Resources */,
);
buildRules = (
);
dependencies = (
);
name = GSSSimpleTest;
productName = GSSSimpleTest;
productReference = EBC48135181EBD7600DAAE90 /* GSSSimpleTest.app */;
productType = "com.apple.product-type.application";
};
/* End PBXNativeTarget section */
/* Begin PBXProject section */
EBC4812D181EBD7600DAAE90 /* Project object */ = {
isa = PBXProject;
attributes = {
LastUpgradeCheck = 0500;
ORGANIZATIONNAME = Apple;
TargetAttributes = {
EBC48134181EBD7600DAAE90 = {
DevelopmentTeam = XPSUQMMH5W;
SystemCapabilities = {
com.apple.InterAppAudio = {
enabled = 0;
};
};
};
};
};
buildConfigurationList = EBC48130181EBD7600DAAE90 /* Build configuration list for PBXProject "GSSSimpleTest" */;
compatibilityVersion = "Xcode 3.2";
developmentRegion = English;
hasScannedForEncodings = 0;
knownRegions = (
en,
Base,
);
mainGroup = EBC4812C181EBD7600DAAE90;
productRefGroup = EBC48136181EBD7600DAAE90 /* Products */;
projectDirPath = "";
projectRoot = "";
targets = (
EBC48134181EBD7600DAAE90 /* GSSSimpleTest */,
);
};
/* End PBXProject section */
/* Begin PBXResourcesBuildPhase section */
EBC48133181EBD7600DAAE90 /* Resources */ = {
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
EBC4814F181EBD7600DAAE90 /* Main_iPad.storyboard in Resources */,
EBC48154181EBD7600DAAE90 /* Images.xcassets in Resources */,
EBC4814C181EBD7600DAAE90 /* Main_iPhone.storyboard in Resources */,
EBC48143181EBD7600DAAE90 /* InfoPlist.strings in Resources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXResourcesBuildPhase section */
/* Begin PBXSourcesBuildPhase section */
EBC48131181EBD7600DAAE90 /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
EBC48152181EBD7600DAAE90 /* ViewController.m in Sources */,
EBC48149181EBD7600DAAE90 /* AppDelegate.m in Sources */,
EBC48145181EBD7600DAAE90 /* main.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXSourcesBuildPhase section */
/* Begin PBXVariantGroup section */
EBC48141181EBD7600DAAE90 /* InfoPlist.strings */ = {
isa = PBXVariantGroup;
children = (
EBC48142181EBD7600DAAE90 /* en */,
);
name = InfoPlist.strings;
sourceTree = "<group>";
};
EBC4814A181EBD7600DAAE90 /* Main_iPhone.storyboard */ = {
isa = PBXVariantGroup;
children = (
EBC4814B181EBD7600DAAE90 /* Base */,
);
name = Main_iPhone.storyboard;
sourceTree = "<group>";
};
EBC4814D181EBD7600DAAE90 /* Main_iPad.storyboard */ = {
isa = PBXVariantGroup;
children = (
EBC4814E181EBD7600DAAE90 /* Base */,
);
name = Main_iPad.storyboard;
sourceTree = "<group>";
};
/* End PBXVariantGroup section */
/* Begin XCBuildConfiguration section */
EBC48168181EBD7600DAAE90 /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)";
CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
CLANG_CXX_LIBRARY = "libc++";
CLANG_ENABLE_MODULES = YES;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
COPY_PHASE_STRIP = NO;
GCC_C_LANGUAGE_STANDARD = gnu99;
GCC_DYNAMIC_NO_PIC = NO;
GCC_OPTIMIZATION_LEVEL = 0;
GCC_PREPROCESSOR_DEFINITIONS = (
"DEBUG=1",
"$(inherited)",
);
GCC_SYMBOLS_PRIVATE_EXTERN = NO;
GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
GCC_WARN_UNDECLARED_SELECTOR = YES;
GCC_WARN_UNINITIALIZED_AUTOS = YES;
GCC_WARN_UNUSED_FUNCTION = YES;
GCC_WARN_UNUSED_VARIABLE = YES;
IPHONEOS_DEPLOYMENT_TARGET = 7.0;
ONLY_ACTIVE_ARCH = YES;
SDKROOT = iphoneos;
TARGETED_DEVICE_FAMILY = "1,2";
};
name = Debug;
};
EBC48169181EBD7600DAAE90 /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)";
CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
CLANG_CXX_LIBRARY = "libc++";
CLANG_ENABLE_MODULES = YES;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
COPY_PHASE_STRIP = YES;
ENABLE_NS_ASSERTIONS = NO;
GCC_C_LANGUAGE_STANDARD = gnu99;
GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
GCC_WARN_UNDECLARED_SELECTOR = YES;
GCC_WARN_UNINITIALIZED_AUTOS = YES;
GCC_WARN_UNUSED_FUNCTION = YES;
GCC_WARN_UNUSED_VARIABLE = YES;
IPHONEOS_DEPLOYMENT_TARGET = 7.0;
SDKROOT = iphoneos;
TARGETED_DEVICE_FAMILY = "1,2";
VALIDATE_PRODUCT = YES;
};
name = Release;
};
EBC4816B181EBD7600DAAE90 /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
ASSETCATALOG_COMPILER_LAUNCHIMAGE_NAME = LaunchImage;
CODE_SIGN_IDENTITY = "iPhone Developer";
"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = "GSSSimpleTest/GSSSimpleTest-Prefix.pch";
INFOPLIST_FILE = "GSSSimpleTest/GSSSimpleTest-Info.plist";
PRODUCT_NAME = "$(TARGET_NAME)";
PROVISIONING_PROFILE = "";
WRAPPER_EXTENSION = app;
};
name = Debug;
};
EBC4816C181EBD7600DAAE90 /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
ASSETCATALOG_COMPILER_LAUNCHIMAGE_NAME = LaunchImage;
CODE_SIGN_IDENTITY = "iPhone Developer";
"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = "GSSSimpleTest/GSSSimpleTest-Prefix.pch";
INFOPLIST_FILE = "GSSSimpleTest/GSSSimpleTest-Info.plist";
PRODUCT_NAME = "$(TARGET_NAME)";
PROVISIONING_PROFILE = "";
WRAPPER_EXTENSION = app;
};
name = Release;
};
/* End XCBuildConfiguration section */
/* Begin XCConfigurationList section */
EBC48130181EBD7600DAAE90 /* Build configuration list for PBXProject "GSSSimpleTest" */ = {
isa = XCConfigurationList;
buildConfigurations = (
EBC48168181EBD7600DAAE90 /* Debug */,
EBC48169181EBD7600DAAE90 /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
EBC4816A181EBD7600DAAE90 /* Build configuration list for PBXNativeTarget "GSSSimpleTest" */ = {
isa = XCConfigurationList;
buildConfigurations = (
EBC4816B181EBD7600DAAE90 /* Debug */,
EBC4816C181EBD7600DAAE90 /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
/* End XCConfigurationList section */
};
rootObject = EBC4812D181EBD7600DAAE90 /* Project object */;
}

14
appl/GSSSimpleTest/GSSSimpleTest/AppDelegate.h Normal file
View File

@ -0,0 +1,14 @@
//
// AppDelegate.h
// GSSSimpleTest
//
// Copyright (c) 2013 Apple. All rights reserved.
//
#import <UIKit/UIKit.h>
@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@end

44
appl/GSSSimpleTest/GSSSimpleTest/AppDelegate.m Normal file
View File

@ -0,0 +1,44 @@
//
// AppDelegate.m
// GSSSimpleTest
//
// Copyright (c) 2013 Apple. All rights reserved.
//
#import "AppDelegate.h"
@implementation AppDelegate
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
{
return YES;
}
- (void)applicationWillResignActive:(UIApplication *)application
{
// Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state.
// Use this method to pause ongoing tasks, disable timers, and throttle down OpenGL ES frame rates. Games should use this method to pause the game.
}
- (void)applicationDidEnterBackground:(UIApplication *)application
{
// Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later.
// If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits.
}
- (void)applicationWillEnterForeground:(UIApplication *)application
{
// Called as part of the transition from the background to the inactive state; here you can undo many of the changes made on entering the background.
}
- (void)applicationDidBecomeActive:(UIApplication *)application
{
// Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface.
}
- (void)applicationWillTerminate:(UIApplication *)application
{
// Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:.
}
@end

58
appl/GSSSimpleTest/GSSSimpleTest/Base.lproj/Main_iPad.storyboard Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="3.0" toolsVersion="4514" systemVersion="14A51" targetRuntime="iOS.CocoaTouch.iPad" propertyAccessControl="none" useAutolayout="YES" initialViewController="BYZ-38-t0r">
<dependencies>
<plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="3746"/>
</dependencies>
<scenes>
<!--View Controller-->
<scene sceneID="tne-QT-ifu">
<objects>
<viewController id="BYZ-38-t0r" customClass="ViewController" sceneMemberID="viewController">
<layoutGuides>
<viewControllerLayoutGuide type="top" id="vS1-kK-wcP"/>
<viewControllerLayoutGuide type="bottom" id="Zd6-SM-VW2"/>
</layoutGuides>
<view key="view" contentMode="scaleToFill" id="8bC-Xf-vdC">
<rect key="frame" x="0.0" y="0.0" width="768" height="1024"/>
<autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
<subviews>
<button opaque="NO" contentMode="scaleToFill" fixedFrame="YES" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="dTR-9H-wBq">
<rect key="frame" x="699" y="20" width="49" height="30"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<state key="normal" title="Reload">
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="checkURL:" destination="BYZ-38-t0r" eventType="touchUpInside" id="0Bc-At-Oey"/>
</connections>
</button>
<textField opaque="NO" clipsSubviews="YES" contentMode="scaleToFill" fixedFrame="YES" contentHorizontalAlignment="left" contentVerticalAlignment="center" text="http://dc03.ads.apple.com/negotiate/" borderStyle="roundedRect" placeholder="URL" minimumFontSize="17" translatesAutoresizingMaskIntoConstraints="NO" id="CwY-bl-2BR">
<rect key="frame" x="20" y="20" width="671" height="30"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="system" pointSize="14"/>
<textInputTraits key="textInputTraits" autocorrectionType="no" keyboardType="URL" returnKeyType="go"/>
</textField>
<webView contentMode="scaleToFill" fixedFrame="YES" translatesAutoresizingMaskIntoConstraints="NO" id="ocd-XY-fpe">
<rect key="frame" x="0.0" y="58" width="773" height="966"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<color key="backgroundColor" red="1" green="1" blue="1" alpha="1" colorSpace="calibratedRGB"/>
</webView>
</subviews>
<color key="backgroundColor" white="1" alpha="1" colorSpace="custom" customColorSpace="calibratedWhite"/>
</view>
<connections>
<outlet property="result" destination="ocd-XY-fpe" id="Utq-Wb-lV4"/>
<outlet property="url" destination="CwY-bl-2BR" id="cYE-XX-G07"/>
</connections>
</viewController>
<placeholder placeholderIdentifier="IBFirstResponder" id="dkx-z0-nzr" sceneMemberID="firstResponder"/>
</objects>
<point key="canvasLocation" x="-139" y="-474"/>
</scene>
</scenes>
<simulatedMetricsContainer key="defaultSimulatedMetrics">
<simulatedStatusBarMetrics key="statusBar" statusBarStyle="blackOpaque"/>
<simulatedOrientationMetrics key="orientation"/>
<simulatedScreenMetrics key="destination"/>
</simulatedMetricsContainer>
</document>

60
appl/GSSSimpleTest/GSSSimpleTest/Base.lproj/Main_iPhone.storyboard Normal file
View File

@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="3.0" toolsVersion="4514" systemVersion="14A51" targetRuntime="iOS.CocoaTouch" propertyAccessControl="none" useAutolayout="YES" initialViewController="vXZ-lx-hvc">
<dependencies>
<plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="3746"/>
</dependencies>
<scenes>
<!--View Controller-->
<scene sceneID="ufC-wZ-h7g">
<objects>
<viewController id="vXZ-lx-hvc" customClass="ViewController" sceneMemberID="viewController">
<layoutGuides>
<viewControllerLayoutGuide type="top" id="ugk-s2-JrR"/>
<viewControllerLayoutGuide type="bottom" id="kNF-hm-BZr"/>
</layoutGuides>
<view key="view" contentMode="scaleToFill" id="kh9-bI-dsS">
<rect key="frame" x="0.0" y="0.0" width="320" height="568"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<subviews>
<textField opaque="NO" clipsSubviews="YES" contentMode="scaleToFill" fixedFrame="YES" contentHorizontalAlignment="left" contentVerticalAlignment="center" text="http://dc03.ads.apple.com/negotiate/" borderStyle="roundedRect" placeholder="URL" minimumFontSize="17" translatesAutoresizingMaskIntoConstraints="NO" id="czr-2q-ymp">
<rect key="frame" x="0.0" y="20" width="277" height="30"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<fontDescription key="fontDescription" type="system" pointSize="14"/>
<textInputTraits key="textInputTraits" autocorrectionType="no" keyboardType="URL" returnKeyType="go" enablesReturnKeyAutomatically="YES"/>
<connections>
<action selector="checkURL:" destination="vXZ-lx-hvc" eventType="editingDidEndOnExit" id="cMA-ZT-uaY"/>
</connections>
</textField>
<webView contentMode="scaleToFill" fixedFrame="YES" translatesAutoresizingMaskIntoConstraints="NO" id="sE2-K8-DVQ">
<rect key="frame" x="0.0" y="50" width="320" height="518"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<color key="backgroundColor" red="1" green="1" blue="1" alpha="1" colorSpace="calibratedRGB"/>
</webView>
<button opaque="NO" contentMode="scaleToFill" fixedFrame="YES" contentHorizontalAlignment="center" contentVerticalAlignment="center" buttonType="roundedRect" lineBreakMode="middleTruncation" translatesAutoresizingMaskIntoConstraints="NO" id="2Lm-WE-YIW">
<rect key="frame" x="285" y="20" width="30" height="30"/>
<autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
<state key="normal" title="rld">
<color key="titleShadowColor" white="0.5" alpha="1" colorSpace="calibratedWhite"/>
</state>
<connections>
<action selector="checkURL:" destination="vXZ-lx-hvc" eventType="touchUpInside" id="feJ-7L-HWv"/>
</connections>
</button>
</subviews>
<color key="backgroundColor" white="1" alpha="1" colorSpace="custom" customColorSpace="calibratedWhite"/>
</view>
<connections>
<outlet property="result" destination="sE2-K8-DVQ" id="owg-Li-jsD"/>
<outlet property="url" destination="czr-2q-ymp" id="K7T-nF-oV9"/>
</connections>
</viewController>
<placeholder placeholderIdentifier="IBFirstResponder" id="x5A-6p-PRh" sceneMemberID="firstResponder"/>
</objects>
</scene>
</scenes>
<simulatedMetricsContainer key="defaultSimulatedMetrics">
<simulatedStatusBarMetrics key="statusBar"/>
<simulatedOrientationMetrics key="orientation"/>
<simulatedScreenMetrics key="destination" type="retina4"/>
</simulatedMetricsContainer>
</document>

49
appl/GSSSimpleTest/GSSSimpleTest/GSSSimpleTest-Info.plist Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>${PRODUCT_NAME}</string>
<key>CFBundleExecutable</key>
<string>${EXECUTABLE_NAME}</string>
<key>CFBundleIdentifier</key>
<string>com.apple.${PRODUCT_NAME:rfc1034identifier}</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>${PRODUCT_NAME}</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>UIMainStoryboardFile</key>
<string>Main_iPhone</string>
<key>UIMainStoryboardFile~ipad</key>
<string>Main_iPad</string>
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>armv7</string>
</array>
<key>UISupportedInterfaceOrientations</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
<key>UISupportedInterfaceOrientations~ipad</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationPortraitUpsideDown</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
</dict>
</plist>

16
appl/GSSSimpleTest/GSSSimpleTest/GSSSimpleTest-Prefix.pch Normal file
View File

@ -0,0 +1,16 @@
//
// Prefix header
//
// The contents of this file are implicitly included at the beginning of every source file.
//
#import <Availability.h>
#ifndef __IPHONE_5_0
#warning "This project uses features only available in iOS SDK 5.0 and later."
#endif
#ifdef __OBJC__
#import <UIKit/UIKit.h>
#import <Foundation/Foundation.h>
#endif

53
appl/GSSSimpleTest/GSSSimpleTest/Images.xcassets/AppIcon.appiconset/Contents.json Normal file
View File

@ -0,0 +1,53 @@
{
"images" : [
{
"idiom" : "iphone",
"size" : "29x29",
"scale" : "2x"
},
{
"idiom" : "iphone",
"size" : "40x40",
"scale" : "2x"
},
{
"idiom" : "iphone",
"size" : "60x60",
"scale" : "2x"
},
{
"idiom" : "ipad",
"size" : "29x29",
"scale" : "1x"
},
{
"idiom" : "ipad",
"size" : "29x29",
"scale" : "2x"
},
{
"idiom" : "ipad",
"size" : "40x40",
"scale" : "1x"
},
{
"idiom" : "ipad",
"size" : "40x40",
"scale" : "2x"
},
{
"idiom" : "ipad",
"size" : "76x76",
"scale" : "1x"
},
{
"idiom" : "ipad",
"size" : "76x76",
"scale" : "2x"
}
],
"info" : {
"version" : 1,
"author" : "xcode"
}
}

51
appl/GSSSimpleTest/GSSSimpleTest/Images.xcassets/LaunchImage.launchimage/Contents.json Normal file
View File

@ -0,0 +1,51 @@
{
"images" : [
{
"orientation" : "portrait",
"idiom" : "iphone",
"extent" : "full-screen",
"minimum-system-version" : "7.0",
"scale" : "2x"
},
{
"orientation" : "portrait",
"idiom" : "iphone",
"subtype" : "retina4",
"extent" : "full-screen",
"minimum-system-version" : "7.0",
"scale" : "2x"
},
{
"orientation" : "portrait",
"idiom" : "ipad",
"extent" : "full-screen",
"minimum-system-version" : "7.0",
"scale" : "1x"
},
{
"orientation" : "landscape",
"idiom" : "ipad",
"extent" : "full-screen",
"minimum-system-version" : "7.0",
"scale" : "1x"
},
{
"orientation" : "portrait",
"idiom" : "ipad",
"extent" : "full-screen",
"minimum-system-version" : "7.0",
"scale" : "2x"
},
{
"orientation" : "landscape",
"idiom" : "ipad",
"extent" : "full-screen",
"minimum-system-version" : "7.0",
"scale" : "2x"
}
],
"info" : {
"version" : 1,
"author" : "xcode"
}
}

15
appl/GSSSimpleTest/GSSSimpleTest/ViewController.h Normal file
View File

@ -0,0 +1,15 @@
//
// ViewController.h
// GSSSimpleTest
//
// Copyright (c) 2013 Apple. All rights reserved.
//
#import <UIKit/UIKit.h>
@interface ViewController : UIViewController
@property (assign) IBOutlet UITextField *url;
@property (assign) IBOutlet UIWebView *result;
@end

118
appl/GSSSimpleTest/GSSSimpleTest/ViewController.m Normal file
View File

@ -0,0 +1,118 @@
//
// ViewController.m
// GSSSimpleTest
//
// Copyright (c) 2013 Apple. All rights reserved.
//
#import "ViewController.h"
#import <Foundation/Foundation.h>
@interface ViewController () <NSURLConnectionDelegate>
@property (retain) NSURL *baseURL;
@property (retain) NSMutableData *content;
@property (retain) NSOperationQueue *opQueue;
@property (retain) NSURLResponse *response;
@property (retain) NSURLConnection *conn;
@end
@implementation ViewController
- (void)viewDidLoad
{
[super viewDidLoad];
self.opQueue = [[NSOperationQueue alloc] init];
}
#pragma mark HTTP test
- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data
{
[self.content appendData:data];
}
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
NSLog(@"canAuthenticateAgainstProtectionSpace: %@", [protectionSpace authenticationMethod]);
if ([[protectionSpace authenticationMethod] isEqualToString:NSURLAuthenticationMethodNegotiate])
return YES;
return NO;
}
- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response {
NSLog(@"Connection didReceiveResponse! Response - %@", response);
self.response = response;
}
- (void)connectionDidFinishLoading:(NSURLConnection *)connection {
__block NSString *html = [[NSString alloc] initWithData:self.content encoding:NSUTF8StringEncoding];
__block NSString *status;
self.content = NULL;
if ([self.response isKindOfClass:[NSHTTPURLResponse class]]) {
NSHTTPURLResponse *urlResponse = (NSHTTPURLResponse *)self.response;
status = [NSString stringWithFormat:@"complete with status: %d", (int)[urlResponse statusCode]];
} else {
status = [NSString stringWithFormat:@"complete"];
}
NSLog(@"data: %@", html);
dispatch_async(dispatch_get_main_queue(), ^{
[self.result loadHTMLString:html baseURL:self.baseURL];
});
}
- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error
{
NSLog(@"didFailWithError");
dispatch_async(dispatch_get_main_queue(), ^{
[self.result loadHTMLString:@"failed" baseURL:nil];
});
}
- (NSURLRequest *)connection:(NSURLConnection *)connection willSendRequest:(NSURLRequest *)request redirectResponse:(NSURLResponse *)redirectResponse
{
NSLog(@"willSendRequest");
return request;
}
- (BOOL)connectionShouldUseCredentialStorage:(NSURLConnection *)connection
{
NSLog(@"connectionShouldUseCredentialStorage");
return YES;
}
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
NSLog(@"didReceiveAuthenticationChallenge: %@ %@", [protectionSpace authenticationMethod], [protectionSpace host]);
[[challenge sender] performDefaultHandlingForAuthenticationChallenge:challenge];
}
- (IBAction)checkURL:(id)sender {
[self.url resignFirstResponder];
self.baseURL = [NSURL URLWithString:[self.url text]];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:self.baseURL];
[request setCachePolicy:NSURLRequestReloadIgnoringCacheData];
self.conn = [[NSURLConnection alloc] initWithRequest: request delegate: self startImmediately:NO];
self.content = [NSMutableData data];
[self.result loadHTMLString:@"<html><body>performing test</body></html>" baseURL:nil];
[self.conn setDelegateQueue:self.opQueue];
[self.conn start];
}
@end

11
appl/GSSSimpleTest/GSSSimpleTest/com.apple.Kerberos.plist Normal file
View File

@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>logging</key>
<dict>
<key>krb5</key>
<string>0-/SYSLOG:</string>
</dict>
</dict>
</plist>

2
appl/GSSSimpleTest/GSSSimpleTest/en.lproj/InfoPlist.strings Normal file
View File

@ -0,0 +1,2 @@
/* Localized versions of Info.plist keys */

17
appl/GSSSimpleTest/GSSSimpleTest/main.m Normal file
View File

@ -0,0 +1,17 @@
//
// main.m
// GSSSimpleTest
//
// Copyright (c) 2013 Apple. All rights reserved.
//
#import <UIKit/UIKit.h>
#import "AppDelegate.h"
int main(int argc, char * argv[])
{
@autoreleasepool {
return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
}
}

22
appl/GSSSimpleTest/GSSSimpleTestTests/GSSSimpleTestTests-Info.plist Normal file
View File

@ -0,0 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>${EXECUTABLE_NAME}</string>
<key>CFBundleIdentifier</key>
<string>com.apple.${PRODUCT_NAME:rfc1034identifier}</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>BNDL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>1</string>
</dict>
</plist>

34
appl/GSSSimpleTest/GSSSimpleTestTests/GSSSimpleTestTests.m Normal file
View File

@ -0,0 +1,34 @@
//
// GSSSimpleTestTests.m
// GSSSimpleTestTests
//
// Created by Love Hörnquist Åstrand on 2013-10-28.
// Copyright (c) 2013 Apple. All rights reserved.
//
#import <XCTest/XCTest.h>
@interface GSSSimpleTestTests : XCTestCase
@end
@implementation GSSSimpleTestTests
- (void)setUp
{
[super setUp];
// Put setup code here. This method is called before the invocation of each test method in the class.
}
- (void)tearDown
{
// Put teardown code here. This method is called after the invocation of each test method in the class.
[super tearDown];
}
- (void)testExample
{
XCTFail(@"No implementation for \"%s\"", __PRETTY_FUNCTION__);
}
@end

2
appl/GSSSimpleTest/GSSSimpleTestTests/en.lproj/InfoPlist.strings Normal file
View File

@ -0,0 +1,2 @@
/* Localized versions of Info.plist keys */

29
appl/Makefile.am Normal file
View File

@ -0,0 +1,29 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
if OTP
dir_otp = otp
endif
if DCE
dir_dce = dceutils
endif
SUBDIRS = \
afsutil \
ftp \
login \
$(dir_otp) \
gssmask \
popper \
push \
rsh \
rcp \
su \
xnlock \
telnet \
test \
kx \
kf \
$(dir_dce)
EXTRA_DIST = NTMakefile

35
appl/NTMakefile Normal file
View File

@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl
!include ../windows/NTMakefile.w32

125
appl/afsutil/ChangeLog Normal file
View File

@ -0,0 +1,125 @@
2007-04-11 Love Hörnquist Åstrand <lha@it.su.se>
* pagsh.1,afslog.1: - options must be lexicographically ordered;
again, options without arguments must be placed before options
with arguments. - manual page cross references are done using
the macro `.Xr', not the macro `.Nm' (used for command names
instead).
From Igor Sobrado.
2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am: Add man_MANS to EXTRA_DIST
2006-01-03 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.1: Document options to allow select principal or
credential cache when doing afslog.
* afslog.c: Add options to allow select principal or credential
cache when doing afslog.
2005-02-12 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am: man_MANS += pagsh.1
* pagsh.c: add --cache-type that allows the user to control the
resulting credential cache type, inherit the type from the
invoking process
* pagsh.1: manpage for pagsh
2004-09-03 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c: use negative string help string for arg_negative_flag
Pointed out by Harald Barth
2004-07-27 Love Hörnquist Åstrand <lha@it.su.se>
* pagsh.c: use setprogname, if we stripped off -c, try use the
fallback code
2003-10-14 Johan Danielsson <joda@pdc.kth.se>
* pagsh.c: mkstemp formats must end in exactly six X's
2003-07-15 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c (do_afslog): is cell is unset, set it "<default cell>"
for error printing
* pagsh.c: unconditionally set KRBTKFILE
2003-04-23 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c (log_func): drop the error number
2003-04-14 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c: set kafs log function if verbose is turned on
2003-03-18 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am (LDADD): use LIB_kafs
* afslog.1: --no-v4, --no-v5
* Makefile.am: always build afsutils now
* afslog.c: make build without KRB4
2002-11-26 Johan Danielsson <joda@pdc.kth.se>
* afslog.c: remove plural form in help string
* Makefile.am: add afslog manpage
* afslog.1: manpage
* afslog.c: try more files when trying to expand a cell name
* afslog.c: create a list of cells to get tokens for, before
actually doing anything, and try to get tokens via krb4 if krb5
fails, and give it a chance to work with krb4-only; also some bug
fixes, partially from Tomas Olsson.
2002-08-23 Assar Westerlund <assar@kth.se>
* pagsh.c: make it handle --version/--help
2001-05-17 Assar Westerlund <assar@sics.se>
* afslog.c (main): call free_getarg_strings
2000-12-31 Assar Westerlund <assar@sics.se>
* afslog.c (main): handle krb5_init_context failure consistently
2000-12-25 Assar Westerlund <assar@sics.se>
* afslog.c: clarify usage strings
1999-08-04 Assar Westerlund <assar@sics.se>
* pagsh.c (main): use mkstemp to generate temporary file names.
From Miroslav Ruda <ruda@ics.muni.cz>
1999-07-04 Assar Westerlund <assar@sics.se>
* afslog.c (expand_cell_name): terminate on #. From Miroslav Ruda
<ruda@ics.muni.cz>
1999-06-27 Assar Westerlund <assar@sics.se>
* Makefile.am (bin_PROGRAMS): only include pagsh if KRB4
1999-06-26 Assar Westerlund <assar@sics.se>
* Makefile.am: add pagsh
* pagsh.c: new file. contributed by Miroslav Ruda <ruda@ics.muni.cz>
Sat Mar 27 12:49:43 1999 Johan Danielsson <joda@blubb.pdc.kth.se>
* afslog.c: cleanup option parsing

19
appl/afsutil/Makefile.am Normal file
View File

@ -0,0 +1,19 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
bin_PROGRAMS = afslog pagsh
afslog_SOURCES = afslog.c
pagsh_SOURCES = pagsh.c
man_MANS = afslog.1 pagsh.1
LDADD = $(LIB_kafs) \
$(top_builddir)/lib/krb5/libkrb5.la \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_hcrypto) \
$(LIB_roken)
EXTRA_DIST = NTMakefile $(man_MANS)

35
appl/afsutil/NTMakefile Normal file
View File

@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\afsutil
!include ../../windows/NTMakefile.w32

152
appl/afsutil/afslog.1 Normal file
View File

@ -0,0 +1,152 @@
.\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd November 26, 2002
.Dt AFSLOG 1
.Os HEIMDAL
.Sh NAME
.Nm afslog
.Nd obtain AFS tokens
.Sh SYNOPSIS
.Nm
.Op Fl h | Fl Fl help
.Op Fl Fl no-v4
.Op Fl Fl no-v5
.Op Fl u | Fl Fl unlog
.Op Fl v | Fl Fl verbose
.Op Fl Fl version
.Oo Fl c Ar cell \*(Ba Xo
.Fl Fl cell= Ns Ar cell
.Xc
.Oc
.Oo Fl k Ar realm \*(Ba Xo
.Fl Fl realm= Ns Ar realm
.Xc
.Oc
.Oo Fl P Ar principal \*(Ba Xo
.Fl Fl principal= Ns Ar principal
.Xc
.Oc
.Bk -words
.Oo Fl p Ar path \*(Ba Xo
.Fl Fl file= Ns Ar path
.Xc
.Oc
.Ek
.Op Ar cell | path ...
.Sh DESCRIPTION
.Nm
obtains AFS tokens for a number of cells. What cells to get tokens for
can either be specified as an explicit list, as file paths to get
tokens for, or be left unspecified, in which case
.Nm
will use whatever magic
.Xr krb_afslog 3
decides upon.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl Fl no-v4
This makes
.Nm
not try using Kerberos 4.
.It Fl Fl no-v5
This makes
.Nm
not try using Kerberos 5.
.It Xo
.Fl P Ar principal ,
.Fl Fl principal Ar principal
.Xc
select what Kerberos 5 principal to use.
.It Fl Fl cache Ar cache
select what Kerberos 5 credential cache to use.
.Fl Fl principal
overrides this option.
.It Xo
.Fl u ,
.Fl Fl unlog
.Xc
Destroy tokens instead of obtaining new. If this is specified, all
other options are ignored (except for
.Fl Fl help
and
.Fl Fl version ) .
.It Xo
.Fl v ,
.Fl Fl verbose
.Xc
Adds more verbosity for what is actually going on.
.It Xo
.Fl c Ar cell,
.Fl Fl cell= Ns Ar cell
.Xc
This specified one or more cell names to get tokens for.
.It Xo
.Fl k Ar realm ,
.Fl Fl realm= Ns Ar realm
.Xc
This is the Kerberos realm the AFS servers live in, this should
normally not be specified.
.It Xo
.Fl p Ar path ,
.Fl Fl file= Ns Ar path
.Xc
This specified one or more file paths for which tokens should be
obtained.
.El
.Pp
Instead of using
.Fl c
and
.Fl p ,
you may also pass a list of cells and file paths after any other
options. These arguments are considered files if they are either
the strings
.Do . Dc
or
.Dq ..
or they contain a slash, or if there exists a file by that name.
.Sh EXAMPLES
Assuming that there is no file called
.Dq openafs.org
in the current directory, and that
.Pa /afs/openafs.org
points to that cell, the follwing should be identical:
.Bd -literal -offset indent
$ afslog -c openafs.org
$ afslog openafs.org
$ afslog /afs/openafs.org/some/file
.Ed
.Sh SEE ALSO
.Xr krb_afslog 3

302
appl/afsutil/afslog.c Normal file
View File

@ -0,0 +1,302 @@
/*
* Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
RCSID("$Id$");
#endif
#include <ctype.h>
#ifdef KRB5
#include <krb5.h>
#endif
#include <kafs.h>
#include <roken.h>
#include <getarg.h>
#include <err.h>
static int help_flag;
static int version_flag;
static getarg_strings cells;
static char *realm;
static getarg_strings files;
static int unlog_flag;
static int verbose;
#ifdef KRB5
static char *client_string;
static char *cache_string;
static int use_krb5 = 1;
#endif
struct getargs args[] = {
{ "cell", 'c', arg_strings, &cells, "cells to get tokens for", "cell" },
{ "file", 'p', arg_strings, &files, "files to get tokens for", "path" },
{ "realm", 'k', arg_string, &realm, "realm for afs cell", "realm" },
{ "unlog", 'u', arg_flag, &unlog_flag, "remove tokens" },
#ifdef KRB5
{ "principal",'P',arg_string,&client_string,"principal to use","principal"},
{ "cache", 0, arg_string, &cache_string, "ccache to use", "cache"},
{ "v5", 0, arg_negative_flag, &use_krb5, "don't use Kerberos 5" },
#endif
{ "verbose",'v', arg_flag, &verbose },
{ "version", 0, arg_flag, &version_flag },
{ "help", 'h', arg_flag, &help_flag },
};
static int num_args = sizeof(args) / sizeof(args[0]);
#ifdef KRB5
krb5_context context;
krb5_ccache id;
#endif
static const char *
expand_one_file(FILE *f, const char *cell)
{
static char buf[1024];
char *p;
while (fgets (buf, sizeof(buf), f) != NULL) {
if(buf[0] == '>') {
for(p = buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++)
;
*p = '\0';
if(strncmp(buf + 1, cell, strlen(cell)) == 0)
return buf + 1;
}
buf[0] = '\0';
}
return NULL;
}
static const char *
expand_cell_name(const char *cell)
{
FILE *f;
const char *c;
const char **fn, *files[] = { _PATH_CELLSERVDB,
_PATH_ARLA_CELLSERVDB,
_PATH_OPENAFS_DEBIAN_CELLSERVDB,
_PATH_ARLA_DEBIAN_CELLSERVDB,
NULL };
for(fn = files; *fn; fn++) {
f = fopen(*fn, "r");
if(f == NULL)
continue;
c = expand_one_file(f, cell);
fclose(f);
if(c)
return c;
}
return cell;
}
static void
usage(int ecode)
{
arg_printusage(args, num_args, NULL, "[cell|path]...");
exit(ecode);
}
struct cell_list {
char *cell;
struct cell_list *next;
} *cell_list;
static int
afslog_cell(const char *cell, int expand)
{
struct cell_list *p, **q;
const char *c = cell;
if(expand){
c = expand_cell_name(cell);
if(c == NULL){
warnx("No cell matching \"%s\" found.", cell);
return -1;
}
if(verbose && strcmp(c, cell) != 0)
warnx("Cell \"%s\" expanded to \"%s\"", cell, c);
}
/* add to list of cells to get tokens for, and also remove
duplicates; the actual afslog takes place later */
for(p = cell_list, q = &cell_list; p; q = &p->next, p = p->next)
if(strcmp(p->cell, c) == 0)
return 0;
p = malloc(sizeof(*p));
if(p == NULL)
return -1;
p->cell = strdup(c);
if(p->cell == NULL) {
free(p);
return -1;
}
p->next = NULL;
*q = p;
return 0;
}
static int
afslog_file(const char *path)
{
char cell[64];
if(k_afs_cell_of_file(path, cell, sizeof(cell))){
warnx("No cell found for file \"%s\".", path);
return -1;
}
if(verbose)
warnx("File \"%s\" lives in cell \"%s\"", path, cell);
return afslog_cell(cell, 0);
}
static int
do_afslog(const char *cell)
{
int k5ret;
k5ret = 0;
#ifdef KRB5
if(context != NULL && id != NULL && use_krb5) {
k5ret = krb5_afslog(context, id, cell, realm);
if(k5ret == 0)
return 0;
}
#endif
if (cell == NULL)
cell = "<default cell>";
#ifdef KRB5
if (k5ret)
krb5_warn(context, k5ret, "krb5_afslog(%s)", cell);
#endif
if (k5ret)
return 1;
return 0;
}
static void
log_func(void *ctx, const char *str)
{
fprintf(stderr, "%s\n", str);
}
int
main(int argc, char **argv)
{
int optind = 0;
int i;
int num;
int ret = 0;
int failed = 0;
struct cell_list *p;
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optind))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
if(!k_hasafs())
errx(1, "AFS does not seem to be present on this machine");
if(unlog_flag){
k_unlog();
exit(0);
}
#ifdef KRB5
ret = krb5_init_context(&context);
if (ret) {
context = NULL;
} else {
if (client_string) {
krb5_principal client;
ret = krb5_parse_name(context, client_string, &client);
if (ret == 0)
ret = krb5_cc_cache_match(context, client, &id);
if (ret)
id = NULL;
}
if (id == NULL && cache_string) {
if(krb5_cc_resolve(context, cache_string, &id) != 0) {
krb5_warnx(context, "failed to open kerberos 5 cache '%s'",
cache_string);
id = NULL;
}
}
if (id == NULL)
if(krb5_cc_default(context, &id) != 0)
id = NULL;
}
#endif
if (verbose)
kafs_set_verbose(log_func, NULL);
num = 0;
for(i = 0; i < files.num_strings; i++){
afslog_file(files.strings[i]);
num++;
}
free_getarg_strings (&files);
for(i = 0; i < cells.num_strings; i++){
afslog_cell(cells.strings[i], 1);
num++;
}
free_getarg_strings (&cells);
for(i = optind; i < argc; i++){
num++;
if(strcmp(argv[i], ".") == 0 ||
strcmp(argv[i], "..") == 0 ||
strchr(argv[i], '/') ||
access(argv[i], F_OK) == 0)
afslog_file(argv[i]);
else
afslog_cell(argv[i], 1);
}
if(num == 0) {
if(do_afslog(NULL))
failed++;
} else
for(p = cell_list; p; p = p->next) {
if(verbose)
warnx("Getting tokens for cell \"%s\"", p->cell);
if(do_afslog(p->cell))
failed++;
}
return failed;
}

94
appl/afsutil/pagsh.1 Normal file
View File

@ -0,0 +1,94 @@
.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd February 12, 2005
.Dt PAGSH 1
.Os Heimdal
.Sh NAME
.Nm pagsh
.Nd creates a new credential cache sandbox
.Sh SYNOPSIS
.Nm
.Op Fl c Ar command-string
.Op Fl h | Fl Fl help
.Op Fl Fl version
.Op Fl Fl cache-type= Ns Ar string
.Ar command [args...]
.Sh DESCRIPTION
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar command-string
Executes command(s) contained in
.Ar command-string .
.Xc
.It Xo
.Fl Fl cache-type= Ns Ar string
.Xc
.It Xo
.Fl h ,
.Fl Fl help
.Xc
.It Xo
.Fl Fl version
.Xc
.El
.Pp
.Nm
creates a new credential cache sandbox for the user to live in.
If AFS is installed on the computer, the user is put in a newly
created Process Authentication Group (PAG).
.Pp
For Kerberos 5, the credential cache type that is used is the same as
the credential cache type that was used at the time of
.Nm
invocation.
The credential cache type can be controlled by the option
.Fl Fl cache-type .
.Sh EXAMPLES
Create a new sandbox where new credentials can be used, while the old
credentials can be used by other processes.
.Bd -literal -offset indent
$ klist
Credentials cache: FILE:/tmp/krb5cc_913
Principal: lha@E.KTH.SE
Issued Expires Principal
Feb 12 10:08:31 Feb 12 20:06:36 krbtgt/E.KTH.SE@E.KTH.SE
$ pagsh
$ klist
klist: No ticket file: /tmp/krb5cc_03014a
.Ed
.Sh SEE ALSO
.Xr afslog 1 ,
.Xr kinit 1

215
appl/afsutil/pagsh.c Normal file
View File

@ -0,0 +1,215 @@
/*
* Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
RCSID("$Id$");
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <time.h>
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#ifdef KRB5
#include <krb5.h>
#endif
#include <kafs.h>
#include <err.h>
#include <roken.h>
#include <getarg.h>
#ifndef TKT_ROOT
#define TKT_ROOT "/tmp/tkt"
#endif
static int help_flag;
static int version_flag;
static int c_flag;
#ifdef KRB5
static char *typename_arg;
#endif
struct getargs getargs[] = {
{ NULL, 'c', arg_flag, &c_flag },
#ifdef KRB5
{ "cache-type", 0, arg_string, &typename_arg },
#endif
{ "version", 0, arg_flag, &version_flag },
{ "help", 'h', arg_flag, &help_flag },
};
static int num_args = sizeof(getargs) / sizeof(getargs[0]);
static void
usage(int ecode)
{
arg_printusage(getargs, num_args, NULL, "command [args...]");
exit(ecode);
}
/*
* Run command with a new ticket file / credentials cache / token
*/
int
main(int argc, char **argv)
{
int f;
char tf[1024];
char *p;
char *path;
char **args;
unsigned int i;
int optind = 0;
setprogname(argv[0]);
if(getarg(getargs, num_args, argc, argv, &optind))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optind;
argv += optind;
#ifdef KRB5
{
krb5_error_code ret;
krb5_context context;
krb5_ccache id;
const char *name;
ret = krb5_init_context(&context);
if (ret) /* XXX should this really call exit ? */
errx(1, "no kerberos 5 support");
ret = krb5_cc_new_unique(context, typename_arg, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "Failed generating credential cache");
name = krb5_cc_get_name(context, id);
if (name == NULL)
krb5_errx(context, 1, "Generated credential cache have no name");
snprintf(tf, sizeof(tf), "%s:%s", krb5_cc_get_type(context, id), name);
ret = krb5_cc_close(context, id);
if (ret)
krb5_err(context, 1, ret, "Failed closing credential cache");
krb5_free_context(context);
esetenv("KRB5CCNAME", tf, 1);
}
#endif
snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
f = mkstemp (tf);
if (f < 0)
err(1, "mkstemp failed");
close (f);
unlink (tf);
esetenv("KRBTKFILE", tf, 1);
i = 0;
args = (char **) malloc((argc + 10)*sizeof(char *));
if (args == NULL)
errx (1, "Out of memory allocating %lu bytes",
(unsigned long)((argc + 10)*sizeof(char *)));
if(*argv == NULL) {
path = getenv("SHELL");
if(path == NULL){
struct passwd *pw = k_getpwuid(geteuid());
if (pw == NULL)
errx(1, "no such user: %d", (int)geteuid());
path = strdup(pw->pw_shell);
}
} else {
path = strdup(*argv++);
}
if (path == NULL)
errx (1, "Out of memory copying path");
p=strrchr(path, '/');
if(p)
args[i] = strdup(p+1);
else
args[i] = strdup(path);
if (args[i++] == NULL)
errx (1, "Out of memory copying arguments");
while(*argv)
args[i++] = *argv++;
args[i++] = NULL;
if(k_hasafs())
k_setpag();
unsetenv("PAGPID");
execvp(path, args);
if (errno == ENOENT || c_flag) {
char **sh_args = malloc ((i + 2) * sizeof(char *));
unsigned int j;
if (sh_args == NULL)
errx (1, "Out of memory copying sh arguments");
for (j = 1; j < i; ++j)
sh_args[j + 2] = args[j];
sh_args[0] = "sh";
sh_args[1] = "-c";
sh_args[2] = path;
execv ("/bin/sh", sh_args);
}
err (1, "execvp");
}

39
appl/dceutils/ChangeLog Normal file
View File

@ -0,0 +1,39 @@
2007-12-13 Love Hörnquist Åstrand <lha@it.su.se>
* Makefile.am: Add missing files, from Buchan Milne.
2006-08-08 Love Hörnquist Åstrand <lha@it.su.se>
* k5dcecon.c: Check for seteuid failure, prompted by MIT advisory.
2005-04-06 Love Hörnquist Åstrand <lha@it.su.se>
* testpag.c: use NULL as last argument to execl, not 0
2002-08-12 Johan Danielsson <joda@pdc.kth.se>
* Makefile.am: rename dpagaix_LDFLAGS etc to appease automake
2001-08-24 Assar Westerlund <assar@sics.se>
* Makefile.am (dpagaix): make sure of using $(EXEEXT) just to
please automake (this is aix-only code)
2001-02-07 Assar Westerlund <assar@sics.se>
* Makefile.am (dpagaix): needs to be linked with ld, add an
explicit command for it. from Ake Sandgren <ake@cs.umu.se>
2000-10-02 Assar Westerlund <assar@sics.se>
* Makefile.am: link with roken on everything except irix, where
apperently it fails. reported by Ake Sandgren <ake@cs.umu.se>
2000-07-17 Johan Danielsson <joda@pdc.kth.se>
* Makefile.am: set compiler flags
2000-07-01 Assar Westerlund <assar@sics.se>
* imported stuff from Ake Sandgren <ake@cs.umu.se>

37
appl/dceutils/Makefile.am Normal file
View File

@ -0,0 +1,37 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
DFSPROGS = k5dcecon
if AIX
AIX_DFSPROGS = dpagaix
endif
libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS)
dpagaix_CFLAGS = $(dpagaix_cflags)
dpagaix_LDFLAGS = $(dpagaix_ldflags)
dpagaix_LDADD = $(dpagaix_ldadd)
dpagaix$(EXEEXT): $(dpagaix_OBJECTS)
ld -edpagaix -o dpagaix$(EXEEXT) $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp
LIB_dce = -ldce
k5dcecon_SOURCES = k5dcecon.c k5dce.h
dpagaix_SOURCES = dpagaix.c
EXTRA_DIST = \
NTMakefile \
dfspag.exp \
README.dcedfs \
README.original \
testpag.c
if IRIX
LDADD = $(LIB_dce)
else
LDADD = $(LIB_roken) $(LIB_dce)
endif

35
appl/dceutils/NTMakefile Normal file
View File

@ -0,0 +1,35 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=appl\dceutils
!include ../../windows/NTMakefile.w32

59
appl/dceutils/README.dcedfs Normal file
View File

@ -0,0 +1,59 @@
This is a set of patches and files to get a DFS ticket from a k5 ticket.
This code comes from Doug Engert, Argonne Nat. Lab (See dce/README.original
for more info)
The files in dce are;
testpag: for testing if this is at all possible.
k5dfspag: included in libkrb5
k5dcecon: Creates (or searches for) the actual DFSPAG ticketfile.
dpagaix: An AIX syscall stub.
README.original: Original README file from Doug Engert
Certain applications (rshd/telnetd) have been patched to call the
functions in k5dfspag when the situation is right. They are ifdef
with DCE. The patches are also originally from Doug but they
where against MIT krb5 code and have been merged into heimdal by me.
I will try to fix ftpd soon...
There is also an ifdefs for DCE && AIX that can be used to make AIX
use DCE for getting group/passwd entries. This is needed if one is running
with a bare bones passwd/group file and AUTHSTATE set to DCE (This will be
more or less clear to people doing this...) I have forced this on for now.
k5dfspag.c is in lib/krb5
k5dfspag.c is dependent on DCE only.
It is also POSIX systems only. There are defines for the location of
k5dcecon and dpagaix that needs a correct configure setting.
k5dcecon needs no special things for the compile except whatever is needed
on the target system to compile dce programs.
(On aix the dce compile flags are: -D_THREAD_SAFE -D_AIX32_THREADS=1 -D_AIX41 -D_AES_SOURCE or one can use xlc_r4 if it is version 3.6.4 or later)
k5dcecon wants the following libs (on aix 4.3):
-ldce (and setenv from somewhere)
dpagaix is only needed on AIX (see k5dfspag.c).
dpagaix needs dfspag.exp and is linked with
ld -edpagaix -o dpagaix dpagaix.o dfspag.exp
Hope to get this into heimdal soon :-) although I know that you will have to
change some things to get it cleanly into configure. Since I don't know the
structure of the code (heimdal), nor enough of configure, good enough I
just won't try it myself.
One more thing, to get this to work one has to put fcache_version = x in
krb5.conf where x = whatever the DCE implementation understands, (usually
1 or 2).
Thanks for adding that...
Åke Sandgren (ake@hpc2n.umu.se)
HPC2N
Umeå University
Sweden
PS
I have now added patches for configure.in and some Makefile.am's to get this
all cleanly (I hope) into heimdal.

335
appl/dceutils/README.original Normal file
View File

@ -0,0 +1,335 @@
KERBEROS and DCE INTEROPERABILITY ROUTINES
WHAT'S NEW
When k5dcecon was examining the ticket caches looking to
update one with a newer TGT, it might update the wrong
one for the correct user. This problem was reported by PNNL,
and is now fixed.
Any Kerberized application can now use a forwarded TGT to establish a
DCE context, or can use a previously established DCE context. This is
both a functional improvement and a performance improvement.
BACKGROUND
The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a
number of ways. This is possible because:
o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4
or so, with additional changes.
o The DCE security server can act as a K5 KDC, as defined in RFC 1510
and responds on port 88.
o On the clients, DCE and Kerberos use the same format for the ticket
cache, and then can share it. The KRB5CCNAME environment variable points
at the cache.
o On the clients, DCE and Kerberos use the same format for the srvtab
file. DCE refers to is a /krb5/v5srvtab and Kerberos as
/etc/krb5.keytab. They can be symlinked.
o MIT has added many options to the krb5.conf configuration file
which allows newer features of Release 1.0 to be turned off to match
the earlier version of Kerberos upon which DCE is based.
o DCE will accept a externally obtained Kerberos TGT in place of a
password when establishing a DCE context.
There are some areas where they differ, including the following:
o Administration of the database and the keytab files is done by the
DCE routines, rather the the Kerberos kadmin.
o User password changes must be done using the DCE commands. Kpasswd
does not work. (But there are mods to Kerberos to use the v5passwd
with DCE.
o DCE goes beyond authentication only, and provides authorization via
the PAC, and the dce-ptgt tickets stored in the cache. Thus a
Kerberos KDC can not act as a DCE security server.
o A DCE cell and Kerberos realm can cross-realm authenticate, but
there can be no intermediate realms. (There are other problems
in this area as well. But directly connected realms/cells do work.)
o You can't link a module with the DCE library and the Kerberos
library. They have conflicting routines, static data and structures.
One of the main features of DCE is the Distributed File System
DFS. Access to DFS requires authentication and authorization, and when
one uses a Kerberized network utility such as telnet, a forwarded
Kerberos ticket can be used to establish the DCE context to allow
access to DFS.
NEW TO THIS RELEASE
This release introduces sharing of a DCE context, and PAG, and allows
any Kerberized application to establish or share the context. This is
made possible by using an undocumented feature of DCE which is on at
least the Transarc and IBM releases of DCE 1.1.
I am in the process of trying to get this contributed to the general
DCE 1.2.2 release as a patch, so it could be included in other vendors
products. HP has expressed interest in doing this, as well as the
OpenGroup if the modification is contributed. You can help by
requesting Transarc and/or IBM to submit this modification to the
OpenGroup and ask your vendor to adopt this modification.
The feature is a modification to the setpag() system call which will
allow an authorized process to set the PAG to a specific value, and
thus allow unrelated processes to share the same PAG.
This then allows the Kerberized daemons such as kshd, to exec a DCE
module which established the DCE context. Kshd then sets the
KRB5CCNAME environment variable and then issues the setpag() to use
this context. This solves the linking problem. This is done via the
k5dfspag.c routine.
The k5dfspag.c code is compiled with the lib/krb5/os routines and
included in the libkrb5. A daemon calls krb5_dfs_pag after the
krb5_kuserok has determined that the Kerberos principal and local
userid pair are acceptable. This should be done early so as to give
the daemon access to the home directory which may be located on DFS.
If the .k5login file is used by krb5_kuserok it will need to be
accessed by the daemon and will need special ACL handling.
The krb5_dfs_pag routine will exec the k5dcecon module to do all the
real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set
the PAG for the current process to the returned PAG value. It will
also set the KRB5CCNAME environment as well. Under DCE the PAG value
is the nnnnnnn part of the name of the cache:
FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn.
The k5dcecon routine will attempt to use TGT which may have been
forwarded, to convert it to a DCE context. If there is no TGT, an
attempt will be made to join an existing PAG for the local userid, and
Kerberos principal. If there are existing PAGs, and a forwarded TGT,
k5dcecon will check the lifetime of the forwarded TGT, and if it is
less than the lifetime of the PAG, it will just join the PAG. If it
is greater, it will refresh the PAG using the forwarded TGT.
This approach has the advantage of not requiring many new tickets from
having to be obtained, and allows one to refresh a DCE context, or use
an already established context.
If the system also has AFS, the AFS krb5_afs_pag should be called
after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may
have changed, such as if a DFS PAG has been joined. The AFS code does
not have the capability to join an existing AFS PAG, but can use the
same cache which might already had a
afsx/<afs.cell.name>@<k5.realm.name> service ticket.
WHAT'S IN THIS RELEASE
The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to
be slipped in between telnetd or klogind and login.krb5. They would
use a forwarded Kerberos ticket to establish a DCE context. They are
the older programs which are included here. They work on all DCE
platforms, and don't take advantage of the undocumented setpag
feature. (A version of k5dcelogin is being included with DCE 1.2.2)
K5dcecon is the new program which can be used to create, update or
join a DCE context. k5dcecon returns KRB5CCNAME string which contains
the PAG.
k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel
1 and added to the libkrb5. It will exec k5dcecon and upon return set
the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd,
ftpd are available to use the k5dfspag.
Testpag.c is a test programs to see if the PAG can be set.
The cpwkey.c routine can be used to change a key in the DCE registry,
by adding the key directly, or by setting the salt/pepper and password
or by providing the key and the pepper. This could be useful when
coping keys from a K4 or AFS database to DCE. It can also be used when
setting a DCE to K5 cross-cell key. This program is a test program
For mass inserts, it should be rewritten to read from stdin.
K5dcelogin can also be called directly, much like dce_login.
I use the following commands in effect do the same thing as dce_login
and get a forwardable ticket, DCE context and an AFS token:
#!/bin/csh
# simulate a dce_login using krb5 kinit and k5dcelogin
#
setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$
/krb5/bin/kinit -f
exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh
#exec /krb5/sbin/k5dcelogin /bin/csh
This could be useful in a mixed cell where "AS_REQ" messages are
handled by a K5 KDC, but DCE RPCs are handled by the DCE security
server.
TESTING THE SETPAG
The krb5_dfs_pag routine relies on an undocumented feature which is
in the AIX and Transarc Solaris ports of DCE and has been recently
added to the SGI version. To test if this feature is present
on some other DFS implementation use the testpag routine.
The testpag routine attempts to set a PAG value to one you supply. It
uses the afs_syscall with the afs_setpag, and passes the supplied
PAG value as the next parameter. On an unmodifed system, this
will be ignored, and a new will be set. You should also check that
if run as a user, you cannot join a PAG owned by another user.
When run as root, any PAG should be usable.
On a machine with DFS running, do a dce_login to get a DCE context and
PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It
should look like an 8 char hex value, which may be 41ffxxxx on some
systems.
Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where
nnnnnnnn is the PAG obtained for the above name.
It should look like this example on an AIX 4.1.4 system:
pembroke# ./testpag -n 63dc9997
calling k5dcepag newpag=63dc9997
PAG returned = 63dc9997
You will be running under a new shell with the PAG and KRB5CCNAME set.
If the PAG returned is the same as the newpag, then it worked. You can
further verify this by doing a DCE klist, cd to DFS and a DCE klist
again. The klist should show some tickets for DFS servers.
If the PAG returned is not the same, and repeated attempts show a
returned PAG decremented by 1 from the previous returned PAG, then
this system does not have the modification For example:
# ./testpag -n 41fffff9
calling k5dcepag newpag=41fffff9
PAG returned = 41fffff8
# ./testpag -n 41fffff9
calling k5dcepag newpag=41fffff9
PAG returned = 41fffff7
In this case the syscall is ignoring the newpag parameter.
Running it with -n 0 should get the next PAG value with or without
this modification.
If the DFS kernel extensions are not installed, you would get
something like this:
caliban.ctd.anl.gov% ./testpag -n 012345678
calling k5dcepag newpag=012345678
Setpag failed with a system error
PAG returned = ffffffff
Not a good pag value
If you DFS implementation does not have this modification, you could
attempt to install it yourself. But this requires source and requires
modifications to the kernel extensions. At the end of this note is an
untested sample using the DCE 1.2.2 source code. You can also contact
your system vendor and ask for this modification.
UNICOS has a similar function setppag(newpag) which can be used to set
the PAG of the parent. Contact me if you are interested.
HOW TO INSTALL
Examine the k5dfspag.c file to make sure the DFS syscalls are correct
for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h
on Solaris for example.
You should build the testpag routine and make sure it works before
adding all the other mods. If it fails you can still use the klogind
and telnetd with the k5prelogin and k5dcelogin code.
If you intend to install with a prefix other than /krb5, change:
DPAGAIX and K5DCECON in k5dfspag.c; the three references in
k5prelogin.c; and the DESTDIR in the Makefile.
Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG
and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE
related changes and the calls to krb5_dfs_pag.
Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory.
Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration.
Configure and Build the Kerberos v5.
Modify the k5dce Makefile for your system.
Build the k5dcecon and related programs.
Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX.
The makefile can also build k5dcelogin and k5prelogin. The install
can install k5dcelogin, k5prelogin and update the links for login.krb5
-> k5prelogin and moving login.krb5 to login.k5. If you will be using
the k5dcecon/k5dfspag with the Kerberos mods, you don't need
k5prelogin, or the links changed, and may not need k5dcelogin.
Note that Transarc has obfuscated the entries to the lib, and
the 1.0.3a is different from the 1.1. You may need to build two
versions of the k5dcelogin and/or k5dcecon one for each.
AIX ONLY
The dpagaix routine is needed for AIX because of the way they do the
syscalls.
The following fix.aix.libdce.mk is not needed if dce 2.1.0.21
has been installed. This PTF exposed the needed entrypoints.
The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required
external entry points to the libdce.a. These are needed by k5dcecon
and k5dcelogin. A bug report was submitted to IBM on this, and it was
rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not
be needed with 1.2.2
Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the
makefile to its own directory. It will create a new libdce.a which you
need to copy back to /usr/lib/libdce.a You will need to reboot the
machine. See the /usr/lpp/dce/examples/inst/README.AIX for a similar
procedure. IBM was not responsive in a request to have these added.
UNTESTED KERNEL EXTENSION FOR SETPAG
*** src/file/osi/,osi_pag.c Wed Oct 2 13:03:05 1996
--- src/file/osi/osi_pag.c Mon Jul 28 13:53:13 1997
***************
*** 293,298 ****
--- 293,302 ----
int code;
osi_MakePreemptionRight();
+ /* allow sharing of a PAG by non child processes DEE- 6/6/97 */
+ if (unused && osi_GetUID(osi_getucred()) == 0) {
+ newpag = unused;
+ } else {
osi_mutex_enter(&osi_pagLock);
now = osi_Time();
soonest = osi_firstPagTime +
***************
*** 309,314 ****
--- 313,319 ----
}
osi_mutex_exit(&osi_pagLock);
newpag = osi_genpag();
+ }
osi_pcred_lock(p);
credp = crcopy(osi_getucred());
code = osi_SetPagInCred(credp, newpag);
Created 07/08/96
Modified 09/30/96
Modified 11/19/96
Modified 12/19/96
Modified 06/20/97
Modified 07/28/97
Modified 02/18/98
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

3
appl/dceutils/dfspag.exp Normal file
View File

@ -0,0 +1,3 @@
#!/unix
* kernel extentions used to get the pag
kafs_syscall syscall

23
appl/dceutils/dpagaix.c Normal file
View File

@ -0,0 +1,23 @@
/*
* dpagaix.c
* On AIX we need to get the kernel extentions
* with the DFS kafs_syscall in it.
* We might be running on a system
* where DFS is not active.
* So we use this dummy routine which
* might not load to do the dirty work
*
* DCE does this with the /usr/lib/drivers/dfsloadobj
*
*/
int dpagaix(parm1, parm2, parm3, parm4, parm5, parm6)
int parm1;
int parm2;
int parm3;
int parm4;
int parm5;
int parm6;
{
return(kafs_syscall(parm1, parm2, parm3, parm4, parm5, parm6));
}

165
appl/dceutils/k5dce.h Normal file
View File

@ -0,0 +1,165 @@
/* dummy K5 routines which are needed to get this to
* compile without having access ti the DCE versions
* of the header files.
* Thiis is very crude, and OSF needs to expose the K5
* API.
*/
#ifdef sun
/* Transarc obfascates these routines */
#ifdef DCE_1_1
#define krb5_init_ets _dce_PkjKqOaklP
#define krb5_copy_creds _dce_LuFxPiITzD
#define krb5_unparse_name _dce_LWHtAuNgRV
#define krb5_get_default_realm _dce_vDruhprWGh
#define krb5_build_principal _dce_qwAalSzTtF
#define krb5_build_principal_ext _dce_vhafIQlejW
#define krb5_build_principal_va _dce_alsqToMmuJ
#define krb5_cc_default _dce_KZRshhTXhE
#define krb5_cc_default_name _dce_bzJVAjHXVQ
#define sec_login_krb5_add_cred _dce_ePDtOJTZvU
#else /* DCE 1.0.3a */
#define krb5_init_ets _dce_BmLRpOVsBo
#define krb5_copy_creds _dce_VGwSEBNwaf
#define krb5_unparse_name _dce_PgAOkJoMXA
#define krb5_get_default_realm _dce_plVOzStKyK
#define krb5_build_principal _dce_uAKSsluIFy
#define krb5_build_principal_ext _dce_tRMpPiRada
#define krb5_build_principal_va _dce_SxnLejZemH
#define krb5_cc_default _dce_SeKosWFnsv
#define krb5_cc_default_name _dce_qJeaphJWVc
#define sec_login_krb5_add_cred _dce_uHwRasumsN
#endif
#endif
/* Define the bare minimum k5 structures which are needed
* by this program. Since the krb5 includes are not supplied
* with DCE, these were based on the MIT Kerberos 5 beta 3
* which should match the DCE as of 1.0.3 at least.
* The tricky one is the krb5_creds, since one is allocated
* by this program, and it needs access to the client principal
* in it.
* Note that there are no function prototypes, so there is no
* compile time checking.
* DEE 07/11/95
*/
#define NPROTOTYPE(x) ()
typedef int krb5_int32; /* assuming all DCE systems are 32 bit */
typedef short krb5short; /* assuming short is 16 bit */
typedef krb5_int32 krb5_error_code;
typedef unsigned char krb5_octet;
typedef krb5_octet krb5_boolean;
typedef krb5short krb5_keytype; /* in k5.2 it's a short */
typedef krb5_int32 krb5_flags;
typedef krb5_int32 krb5_timestamp; /* is a time_t in krb5.h */
typedef char * krb5_pointer; /* pointer to unexposed data */
typedef struct _krb5_ccache {
struct _krb5_cc_ops *ops;
krb5_pointer data;
} *krb5_ccache;
typedef struct _krb5_cc_ops {
char *prefix;
char *(*get_name) NPROTOTYPE((krb5_ccache));
krb5_error_code (*resolve) NPROTOTYPE((krb5_ccache *, char *));
krb5_error_code (*gen_new) NPROTOTYPE((krb5_ccache *));
krb5_error_code (*init) NPROTOTYPE((krb5_ccache, krb5_principal));
krb5_error_code (*destroy) NPROTOTYPE((krb5_ccache));
krb5_error_code (*close) NPROTOTYPE((krb5_ccache));
krb5_error_code (*store) NPROTOTYPE((krb5_ccache, krb5_creds *));
krb5_error_code (*retrieve) NPROTOTYPE((krb5_ccache, krb5_flags,
krb5_creds *, krb5_creds *));
krb5_error_code (*get_princ) NPROTOTYPE((krb5_ccache,
krb5_principal *));
krb5_error_code (*get_first) NPROTOTYPE((krb5_ccache,
krb5_cc_cursor *));
krb5_error_code (*get_next) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *,
krb5_creds *));
krb5_error_code (*end_get) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *));
krb5_error_code (*remove_cred) NPROTOTYPE((krb5_ccache, krb5_flags,
krb5_creds *));
krb5_error_code (*set_flags) NPROTOTYPE((krb5_ccache, krb5_flags));
} krb5_cc_ops;
typedef struct _krb5_keyblock {
krb5_keytype keytype;
int length;
krb5_octet *contents;
} krb5_keyblock;
typedef struct _krb5_ticket_times {
krb5_timestamp authtime;
krb5_timestamp starttime;
krb5_timestamp endtime;
krb5_timestamp renew_till;
} krb5_ticket_times;
typedef krb5_pointer krb5_cc_cursor;
typedef struct _krb5_data {
int length;
char *data;
} krb5_data;
typedef struct _krb5_authdata {
int ad_type;
int length;
krb5_octet *contents;
} krb5_authdata;
typedef struct _krb5_creds {
krb5_pointer client;
krb5_pointer server;
krb5_keyblock keyblock;
krb5_ticket_times times;
krb5_boolean is_skey;
krb5_flags ticket_flags;
krb5_pointer **addresses;
krb5_data ticket;
krb5_data second_ticket;
krb5_pointer **authdata;
} krb5_creds;
typedef krb5_pointer krb5_principal;
#define KRB5_CC_END 336760974
#define KRB5_TC_OPENCLOSE 0x00000001
/* Ticket flags */
/* flags are 32 bits; each host is responsible to put the 4 bytes
representing these bits into net order before transmission */
/* #define TKT_FLG_RESERVED 0x80000000 */
#define TKT_FLG_FORWARDABLE 0x40000000
#define TKT_FLG_FORWARDED 0x20000000
#define TKT_FLG_PROXIABLE 0x10000000
#define TKT_FLG_PROXY 0x08000000
#define TKT_FLG_MAY_POSTDATE 0x04000000
#define TKT_FLG_POSTDATED 0x02000000
#define TKT_FLG_INVALID 0x01000000
#define TKT_FLG_RENEWABLE 0x00800000
#define TKT_FLG_INITIAL 0x00400000
#define TKT_FLG_PRE_AUTH 0x00200000
#define TKT_FLG_HW_AUTH 0x00100000
#ifdef PK_INIT
#define TKT_FLG_PUBKEY_PREAUTH 0x00080000
#define TKT_FLG_DIGSIGN_PREAUTH 0x00040000
#define TKT_FLG_PRIVKEY_PREAUTH 0x00020000
#endif
#define krb5_cc_get_principal(cache, principal) (*(cache)->ops->get_princ)(cache, principal)
#define krb5_cc_set_flags(cache, flags) (*(cache)->ops->set_flags)(cache, flags)
#define krb5_cc_get_name(cache) (*(cache)->ops->get_name)(cache)
#define krb5_cc_start_seq_get(cache, cursor) (*(cache)->ops->get_first)(cache, cursor)
#define krb5_cc_next_cred(cache, cursor, creds) (*(cache)->ops->get_next)(cache, cursor, creds)
#define krb5_cc_destroy(cache) (*(cache)->ops->destroy)(cache)
#define krb5_cc_end_seq_get(cache, cursor) (*(cache)->ops->end_get)(cache, cursor)
/* end of k5 dummy typedefs */

Some files were not shown because too many files have changed in this diff Show More