From 7f642b1512b1891942008c7ae7ac64f3dfd83276 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 10 Jan 2020 21:31:31 +0000 Subject: [PATCH] New upstream beta release - 1.18-beta1 --- .gitignore | 2 + ...nonicalize_hostname-fallback-support.patch | 409 - ...on-and-enctype-flag-for-deprecations.patch | 183 - ...ing-newlines-to-deprecation-warnings.patch | 37 - Add-soft-pkcs11-source-code.patch | 2071 ----- Add-tests-for-KCM-ccache-type.patch | 294 - Add-zapfreedata-convenience-function.patch | 31 - Address-some-optimized-out-memset-calls.patch | 94 - ...anonicalization-in-non-krbtgt-AS-REP.patch | 64 - ...-alignment-warnings-in-openssl-rc4.c.patch | 63 - ...llocating-a-register-in-zap-assembly.patch | 55 - ...ore-errors-in-OpenSSL-crypto-backend.patch | 88 - ...er-comment-for-krb5_cc_start_seq_get.patch | 31 - ...able-flag-instead-of-denying-request.patch | 484 -- Display-unsupported-enctype-names.patch | 79 - ...s-canonicalize-enterprise-principals.patch | 113 - ...-error-on-invalid-enctypes-in-keytab.patch | 67 - ...n-kadmin-when-no-policy-is-specified.patch | 160 - ...ctypes-in-gss_set_allowable_enctypes.patch | 70 - ...ity-defects-in-soft-pkcs11-test-code.patch | 206 - ...C-crash-when-logging-PKINIT-enctypes.patch | 31 - ...-policy-enforcement-of-pw_expiration.patch | 302 - ...alm-change-logic-in-FILE-remove_cred.patch | 29 - ...g-of-invalid-CAMMAC-service-verifier.patch | 30 - Fix-memory-leaks-in-soft-pkcs11-code.patch | 122 - Fix-minor-errors-in-softpkcs11.patch | 41 - Fix-potential-close-1-in-cc_file.c.patch | 30 - ...xdr_bytes-strict-aliasing-violations.patch | 138 - ...5_cc_remove_cred-for-remaining-types.patch | 599 -- ...messages-from-kadmin-change_password.patch | 55 - ...ebug-log-proper-ticket-enctype-names.patch | 28 - ...ec-always-log-non-permitted-enctypes.patch | 54 - ...ize-some-data-structure-magic-fields.patch | 55 - ...known-enctypes-as-unsupported-in-KDC.patch | 52 - ...ype-names-in-KDC-logs-human-readable.patch | 296 - Mark-deprecated-enctypes-when-used.patch | 250 - ...-the-doc-kadm5-tex-files-as-historic.patch | 139 - ...ze-example-enctypes-in-documentation.patch | 232 - ...exit-path-in-gss_krb5int_copy_ccache.patch | 68 - Properly-size-ifdef-in-k5_cccol_lock.patch | 33 - ...beros-v4-support-vestiges-from-ccapi.patch | 1604 ---- ...-PKINIT-draft-9-ASN.1-code-and-types.patch | 967 --- Remove-PKINIT-draft-9-support.patch | 1712 ---- ...api-related-comments-in-configure.ac.patch | 34 - Remove-checksum-type-profile-variables.patch | 429 - Remove-confvalidator-utility.patch | 430 - ...d-variable-def_kslist-from-two-files.patch | 69 - ...ygen-generated-HTML-output-for-ccapi.patch | 7653 ----------------- ...admin-RPC-support-for-setting-v4-key.patch | 466 - Remove-krb5int_c_combine_keys.patch | 479 -- Remove-more-dead-code.patch | 276 - Remove-now-unused-checksum-functions.patch | 335 - ...ull-check-in-krb5_gss_duplicate_name.patch | 28 - ...ovsec_adm_export-dump-format-support.patch | 386 - Remove-srvtab-support.patch | 1411 --- Remove-strerror-calls-from-k5_get_error.patch | 34 - ...e-support-for-no-flags-SAM-2-preauth.patch | 73 - Remove-support-for-single-DES-and-CRC.patch | 3340 ------- Remove-the-v4-and-afs3-salt-types.patch | 509 -- Set-a-more-modern-default-ksu-CMD_PATH.patch | 26 - Simplify-SAM-2-as_key-handling.patch | 76 - Simplify-krb5_dbe_def_search_enctype.patch | 162 - Simply-OpenSSL-PKCS7-decryption-code.patch | 301 - Skip-URI-tests-when-using-asan.patch | 37 - ...arent-forward-null-in-clnttcp_create.patch | 34 - Support-389ds-s-lockout-model.patch | 63 - ....1-SAM-tests-to-use-a-modern-enctype.patch | 85 - ...lt-krb5kdc-mkey-manual-entry-enctype.patch | 54 - ...-suite-cert-message-digest-to-sha256.patch | 638 -- ...t-suite-to-avoid-single-DES-enctypes.patch | 2328 ----- ...d-version-of-OpenSSL-3-KDF-interface.patch | 14 +- Use-imported-soft-pkcs11-for-tests.patch | 471 - Use-secure_getenv-where-appropriate.patch | 240 - krb5-1.15-beta1-buildconf.patch | 2 +- ...t6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch | 6 +- ... krb5-1.18-beta1-Remove-3des-support.patch | 97 +- ...tch => krb5-1.18-beta1-selinux-label.patch | 99 +- ...12.1-pam.patch => krb5-1.18beta1-pam.patch | 46 +- krb5-1.3.1-dns.patch | 6 +- krb5-1.9-debuginfo.patch | 2 +- krb5.spec | 88 +- sources | 4 +- 82 files changed, 132 insertions(+), 32167 deletions(-) delete mode 100644 Add-dns_canonicalize_hostname-fallback-support.patch delete mode 100644 Add-function-and-enctype-flag-for-deprecations.patch delete mode 100644 Add-missing-newlines-to-deprecation-warnings.patch delete mode 100644 Add-soft-pkcs11-source-code.patch delete mode 100644 Add-tests-for-KCM-ccache-type.patch delete mode 100644 Add-zapfreedata-convenience-function.patch delete mode 100644 Address-some-optimized-out-memset-calls.patch delete mode 100644 Allow-client-canonicalization-in-non-krbtgt-AS-REP.patch delete mode 100644 Avoid-alignment-warnings-in-openssl-rc4.c.patch delete mode 100644 Avoid-allocating-a-register-in-zap-assembly.patch delete mode 100644 Check-more-errors-in-OpenSSL-crypto-backend.patch delete mode 100644 Clarify-header-comment-for-krb5_cc_start_seq_get.patch delete mode 100644 Clear-forwardable-flag-instead-of-denying-request.patch delete mode 100644 Display-unsupported-enctype-names.patch delete mode 100644 Do-not-always-canonicalize-enterprise-principals.patch delete mode 100644 Don-t-error-on-invalid-enctypes-in-keytab.patch delete mode 100644 Don-t-warn-in-kadmin-when-no-policy-is-specified.patch delete mode 100644 Filter-enctypes-in-gss_set_allowable_enctypes.patch delete mode 100644 Fix-Coverity-defects-in-soft-pkcs11-test-code.patch delete mode 100644 Fix-KDC-crash-when-logging-PKINIT-enctypes.patch delete mode 100644 Fix-LDAP-policy-enforcement-of-pw_expiration.patch delete mode 100644 Fix-config-realm-change-logic-in-FILE-remove_cred.patch delete mode 100644 Fix-handling-of-invalid-CAMMAC-service-verifier.patch delete mode 100644 Fix-memory-leaks-in-soft-pkcs11-code.patch delete mode 100644 Fix-minor-errors-in-softpkcs11.patch delete mode 100644 Fix-potential-close-1-in-cc_file.c.patch delete mode 100644 Fix-xdr_bytes-strict-aliasing-violations.patch delete mode 100644 Implement-krb5_cc_remove_cred-for-remaining-types.patch delete mode 100644 Improve-error-messages-from-kadmin-change_password.patch delete mode 100644 In-kpropd-debug-log-proper-ticket-enctype-names.patch delete mode 100644 In-rd_req_dec-always-log-non-permitted-enctypes.patch delete mode 100644 Initialize-some-data-structure-magic-fields.patch delete mode 100644 Log-unknown-enctypes-as-unsupported-in-KDC.patch delete mode 100644 Make-etype-names-in-KDC-logs-human-readable.patch delete mode 100644 Mark-deprecated-enctypes-when-used.patch delete mode 100644 Mark-the-doc-kadm5-tex-files-as-historic.patch delete mode 100644 Modernize-example-enctypes-in-documentation.patch delete mode 100644 Modernize-exit-path-in-gss_krb5int_copy_ccache.patch delete mode 100644 Properly-size-ifdef-in-k5_cccol_lock.patch delete mode 100644 Remove-Kerberos-v4-support-vestiges-from-ccapi.patch delete mode 100644 Remove-PKINIT-draft-9-ASN.1-code-and-types.patch delete mode 100644 Remove-PKINIT-draft-9-support.patch delete mode 100644 Remove-ccapi-related-comments-in-configure.ac.patch delete mode 100644 Remove-checksum-type-profile-variables.patch delete mode 100644 Remove-confvalidator-utility.patch delete mode 100644 Remove-dead-variable-def_kslist-from-two-files.patch delete mode 100644 Remove-doxygen-generated-HTML-output-for-ccapi.patch delete mode 100644 Remove-kadmin-RPC-support-for-setting-v4-key.patch delete mode 100644 Remove-krb5int_c_combine_keys.patch delete mode 100644 Remove-more-dead-code.patch delete mode 100644 Remove-now-unused-checksum-functions.patch delete mode 100644 Remove-null-check-in-krb5_gss_duplicate_name.patch delete mode 100644 Remove-ovsec_adm_export-dump-format-support.patch delete mode 100644 Remove-srvtab-support.patch delete mode 100644 Remove-strerror-calls-from-k5_get_error.patch delete mode 100644 Remove-support-for-no-flags-SAM-2-preauth.patch delete mode 100644 Remove-support-for-single-DES-and-CRC.patch delete mode 100644 Remove-the-v4-and-afs3-salt-types.patch delete mode 100644 Set-a-more-modern-default-ksu-CMD_PATH.patch delete mode 100644 Simplify-SAM-2-as_key-handling.patch delete mode 100644 Simplify-krb5_dbe_def_search_enctype.patch delete mode 100644 Simply-OpenSSL-PKCS7-decryption-code.patch delete mode 100644 Skip-URI-tests-when-using-asan.patch delete mode 100644 Squash-apparent-forward-null-in-clnttcp_create.patch delete mode 100644 Support-389ds-s-lockout-model.patch delete mode 100644 Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch delete mode 100644 Update-default-krb5kdc-mkey-manual-entry-enctype.patch delete mode 100644 Update-test-suite-cert-message-digest-to-sha256.patch delete mode 100644 Update-test-suite-to-avoid-single-DES-enctypes.patch delete mode 100644 Use-imported-soft-pkcs11-for-tests.patch delete mode 100644 Use-secure_getenv-where-appropriate.patch rename Remove-3des-support.patch => krb5-1.18-beta1-Remove-3des-support.patch (99%) rename krb5-1.17-beta1-selinux-label.patch => krb5-1.18-beta1-selinux-label.patch (92%) rename krb5-1.12.1-pam.patch => krb5-1.18beta1-pam.patch (96%) diff --git a/.gitignore b/.gitignore index 045b4dc..9c30463 100644 --- a/.gitignore +++ b/.gitignore @@ -177,3 +177,5 @@ krb5-1.8.3-pdf.tar.gz /krb5-1.17.tar.gz.asc /krb5-1.17.1.tar.gz /krb5-1.17.1.tar.gz.asc +/krb5-1.18-beta1.tar.gz +/krb5-1.18-beta1.tar.gz.asc diff --git a/Add-dns_canonicalize_hostname-fallback-support.patch b/Add-dns_canonicalize_hostname-fallback-support.patch deleted file mode 100644 index f9bc3d3..0000000 --- a/Add-dns_canonicalize_hostname-fallback-support.patch +++ /dev/null @@ -1,409 +0,0 @@ -From b952b5ac5301ed9f4ae49300e90631ae0562b012 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 4 Dec 2018 15:22:55 -0500 -Subject: [PATCH] Add dns_canonicalize_hostname=fallback support - -Turn dns_canonicalize_hostname into a tristate variable, allowing the -value "fallback" as well as the true/false booleans. If it is set to -fallback, delay DNS canonicalization and attempt it only in -krb5_get_credentials() if the KDC responds that the requested server -principal name is unknown. - -[ghudson@mit.edu: added TGS tests; refactored code; edited commit -message and documentation] - -ticket: 8765 (new) -(cherry picked from commit 6c20cb1c89acaa03db897182a3b28d5f8f284907) ---- - doc/admin/conf_files/krb5_conf.rst | 4 ++ - src/include/k5-int.h | 8 ++- - src/include/k5-trace.h | 3 ++ - src/lib/krb5/krb/get_creds.c | 79 ++++++++++++++++++++++++++---- - src/lib/krb5/krb/init_ctx.c | 27 +++++++++- - src/lib/krb5/krb/t_copy_context.c | 2 +- - src/lib/krb5/os/os-proto.h | 4 ++ - src/lib/krb5/os/sn2princ.c | 19 +++++-- - src/tests/gcred.c | 5 +- - src/tests/t_sn2princ.py | 34 ++++++++++++- - 10 files changed, 167 insertions(+), 18 deletions(-) - -diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 4adb084a6..d1e1a222d 100644 ---- a/doc/admin/conf_files/krb5_conf.rst -+++ b/doc/admin/conf_files/krb5_conf.rst -@@ -195,6 +195,10 @@ The libdefaults section may contain any of the following relations: - means that short hostnames will not be canonicalized to - fully-qualified hostnames. The default value is true. - -+ If this option is set to ``fallback`` (new in release 1.18), DNS -+ canonicalization will only be performed the server hostname is not -+ found with the original name when requesting credentials. -+ - **dns_lookup_kdc** - Indicate whether DNS SRV records should be used to locate the KDCs - and other servers for a realm, if they are not listed in the -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 255cee822..1e6a739e9 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -1159,6 +1159,12 @@ k5_plugin_register_dyn(krb5_context context, int interface_id, - void - k5_plugin_free_context(krb5_context context); - -+enum dns_canonhost { -+ CANONHOST_FALSE = 0, -+ CANONHOST_TRUE = 1, -+ CANONHOST_FALLBACK = 2 -+}; -+ - struct _kdb5_dal_handle; /* private, in kdb5.h */ - typedef struct _kdb5_dal_handle kdb5_dal_handle; - struct _kdb_log_context; -@@ -1222,7 +1228,7 @@ struct _krb5_context { - - krb5_boolean allow_weak_crypto; - krb5_boolean ignore_acceptor_hostname; -- krb5_boolean dns_canonicalize_hostname; -+ enum dns_canonhost dns_canonicalize_hostname; - - krb5_trace_callback trace_callback; - void *trace_callback_data; -diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h -index 2aa379b76..f3ed6a45d 100644 ---- a/src/include/k5-trace.h -+++ b/src/include/k5-trace.h -@@ -191,6 +191,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); - #define TRACE_FAST_REQUIRED(c) \ - TRACE(c, "Using FAST due to KRB5_FAST_REQUIRED flag") - -+#define TRACE_GET_CREDS_FALLBACK(c, hostname) \ -+ TRACE(c, "Falling back to canonicalized server hostname {str}", hostname) -+ - #define TRACE_GIC_PWD_CHANGED(c) \ - TRACE(c, "Getting initial TGT with changed password") - #define TRACE_GIC_PWD_CHANGEPW(c, tries) \ -diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c -index 69900adfa..0a04d68b9 100644 ---- a/src/lib/krb5/krb/get_creds.c -+++ b/src/lib/krb5/krb/get_creds.c -@@ -39,6 +39,7 @@ - - #include "k5-int.h" - #include "int-proto.h" -+#include "os-proto.h" - #include "fast.h" - - /* -@@ -1249,6 +1250,26 @@ krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, - return EINVAL; - } - -+static krb5_error_code -+try_get_creds(krb5_context context, krb5_flags options, krb5_ccache ccache, -+ krb5_creds *in_creds, krb5_creds *creds_out) -+{ -+ krb5_error_code code; -+ krb5_tkt_creds_context ctx = NULL; -+ -+ code = krb5_tkt_creds_init(context, ccache, in_creds, options, &ctx); -+ if (code) -+ goto cleanup; -+ code = krb5_tkt_creds_get(context, ctx); -+ if (code) -+ goto cleanup; -+ code = krb5_tkt_creds_get_creds(context, ctx, creds_out); -+ -+cleanup: -+ krb5_tkt_creds_free(context, ctx); -+ return code; -+} -+ - krb5_error_code KRB5_CALLCONV - krb5_get_credentials(krb5_context context, krb5_flags options, - krb5_ccache ccache, krb5_creds *in_creds, -@@ -1256,7 +1277,10 @@ krb5_get_credentials(krb5_context context, krb5_flags options, - { - krb5_error_code code; - krb5_creds *ncreds = NULL; -- krb5_tkt_creds_context ctx = NULL; -+ krb5_creds canon_creds, store_creds; -+ krb5_principal_data canon_server; -+ krb5_data canon_components[2]; -+ char *hostname = NULL, *canon_hostname = NULL; - - *out_creds = NULL; - -@@ -1265,22 +1289,59 @@ krb5_get_credentials(krb5_context context, krb5_flags options, - if (ncreds == NULL) - goto cleanup; - -- /* Make and execute a krb5_tkt_creds context to get the credential. */ -- code = krb5_tkt_creds_init(context, ccache, in_creds, options, &ctx); -- if (code != 0) -+ code = try_get_creds(context, options, ccache, in_creds, ncreds); -+ if (!code) { -+ *out_creds = ncreds; -+ return 0; -+ } -+ -+ /* Possibly try again with the canonicalized hostname, if the server is -+ * host-based and we are configured for fallback canonicalization. */ -+ if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) - goto cleanup; -- code = krb5_tkt_creds_get(context, ctx); -- if (code != 0) -+ if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK) - goto cleanup; -- code = krb5_tkt_creds_get_creds(context, ctx, ncreds); -- if (code != 0) -+ if (in_creds->server->type != KRB5_NT_SRV_HST || -+ in_creds->server->length != 2) - goto cleanup; - -+ hostname = k5memdup0(in_creds->server->data[1].data, -+ in_creds->server->data[1].length, &code); -+ if (hostname == NULL) -+ goto cleanup; -+ code = k5_expand_hostname(context, hostname, TRUE, &canon_hostname); -+ if (code) -+ goto cleanup; -+ -+ TRACE_GET_CREDS_FALLBACK(context, canon_hostname); -+ -+ /* Make shallow copies of in_creds and its server to alter the hostname. */ -+ canon_components[0] = in_creds->server->data[0]; -+ canon_components[1] = string2data(canon_hostname); -+ canon_server = *in_creds->server; -+ canon_server.data = canon_components; -+ canon_creds = *in_creds; -+ canon_creds.server = &canon_server; -+ -+ code = try_get_creds(context, options | KRB5_GC_NO_STORE, ccache, -+ &canon_creds, ncreds); -+ if (code) -+ goto cleanup; -+ -+ if (!(options & KRB5_GC_NO_STORE)) { -+ /* Store the creds under the originally requested server name. The -+ * ccache layer will also store them under the ticket server name. */ -+ store_creds = *ncreds; -+ store_creds.server = in_creds->server; -+ (void)krb5_cc_store_cred(context, ccache, &store_creds); -+ } -+ - *out_creds = ncreds; - ncreds = NULL; - - cleanup: -+ free(hostname); -+ free(canon_hostname); - krb5_free_creds(context, ncreds); -- krb5_tkt_creds_free(context, ctx); - return code; - } -diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index 947e50400..d263d5cc5 100644 ---- a/src/lib/krb5/krb/init_ctx.c -+++ b/src/lib/krb5/krb/init_ctx.c -@@ -101,6 +101,30 @@ get_boolean(krb5_context ctx, const char *name, int def_val, int *boolean_out) - return retval; - } - -+static krb5_error_code -+get_tristate(krb5_context ctx, const char *name, const char *third_option, -+ int third_option_val, int def_val, int *val_out) -+{ -+ krb5_error_code retval; -+ char *str; -+ int match; -+ -+ retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, name, -+ NULL, def_val, val_out); -+ if (retval != PROF_BAD_BOOLEAN) -+ return retval; -+ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS, name, -+ NULL, NULL, &str); -+ if (retval) -+ return retval; -+ match = (strcasecmp(third_option, str) == 0); -+ free(str); -+ if (!match) -+ return EINVAL; -+ *val_out = third_option_val; -+ return 0; -+} -+ - krb5_error_code KRB5_CALLCONV - krb5_init_context(krb5_context *context) - { -@@ -213,7 +237,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, - goto cleanup; - ctx->ignore_acceptor_hostname = tmp; - -- retval = get_boolean(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, 1, &tmp); -+ retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback", -+ CANONHOST_FALLBACK, 1, &tmp); - if (retval) - goto cleanup; - ctx->dns_canonicalize_hostname = tmp; -diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c -index fa810be8a..a6e48cd25 100644 ---- a/src/lib/krb5/krb/t_copy_context.c -+++ b/src/lib/krb5/krb/t_copy_context.c -@@ -145,7 +145,7 @@ main(int argc, char **argv) - ctx->udp_pref_limit = 2345; - ctx->use_conf_ktypes = TRUE; - ctx->ignore_acceptor_hostname = TRUE; -- ctx->dns_canonicalize_hostname = FALSE; -+ ctx->dns_canonicalize_hostname = CANONHOST_FALSE; - free(ctx->plugin_base_dir); - check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL); - -diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h -index 634e82d70..066d30221 100644 ---- a/src/lib/krb5/os/os-proto.h -+++ b/src/lib/krb5/os/os-proto.h -@@ -83,6 +83,10 @@ struct sendto_callback_info { - void *data; - }; - -+krb5_error_code k5_expand_hostname(krb5_context context, const char *host, -+ krb5_boolean is_fallback, -+ char **canonhost_out); -+ - krb5_error_code k5_locate_server(krb5_context, const krb5_data *realm, - struct serverlist *serverlist, - enum locate_service_type svc, -diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c -index 5932fd9b3..98d2600aa 100644 ---- a/src/lib/krb5/os/sn2princ.c -+++ b/src/lib/krb5/os/sn2princ.c -@@ -53,19 +53,23 @@ use_reverse_dns(krb5_context context) - return value; - } - --krb5_error_code KRB5_CALLCONV --krb5_expand_hostname(krb5_context context, const char *host, -- char **canonhost_out) -+krb5_error_code -+k5_expand_hostname(krb5_context context, const char *host, -+ krb5_boolean is_fallback, char **canonhost_out) - { - struct addrinfo *ai = NULL, hint; - char namebuf[NI_MAXHOST], *copy, *p; - int err; - const char *canonhost; -+ krb5_boolean use_dns; - - *canonhost_out = NULL; - - canonhost = host; -- if (context->dns_canonicalize_hostname) { -+ use_dns = (context->dns_canonicalize_hostname == CANONHOST_TRUE || -+ (is_fallback && -+ context->dns_canonicalize_hostname == CANONHOST_FALLBACK)); -+ if (use_dns) { - /* Try a forward lookup of the hostname. */ - memset(&hint, 0, sizeof(hint)); - hint.ai_flags = AI_CANONNAME; -@@ -112,6 +116,13 @@ cleanup: - return (*canonhost_out == NULL) ? ENOMEM : 0; - } - -+krb5_error_code KRB5_CALLCONV -+krb5_expand_hostname(krb5_context context, const char *host, -+ char **canonhost_out) -+{ -+ return k5_expand_hostname(context, host, FALSE, canonhost_out); -+} -+ - /* If hostname appears to have a :port or :instance trailer (used in MSSQLSvc - * principals), return a pointer to the separator. Otherwise return NULL. */ - static const char * -diff --git a/src/tests/gcred.c b/src/tests/gcred.c -index b14e4fc9a..cac524c51 100644 ---- a/src/tests/gcred.c -+++ b/src/tests/gcred.c -@@ -66,6 +66,7 @@ main(int argc, char **argv) - krb5_principal client, server; - krb5_ccache ccache; - krb5_creds in_creds, *creds; -+ krb5_ticket *ticket; - krb5_flags options = 0; - char *name; - int c; -@@ -102,9 +103,11 @@ main(int argc, char **argv) - in_creds.client = client; - in_creds.server = server; - check(krb5_get_credentials(ctx, options, ccache, &in_creds, &creds)); -- check(krb5_unparse_name(ctx, creds->server, &name)); -+ check(krb5_decode_ticket(&creds->ticket, &ticket)); -+ check(krb5_unparse_name(ctx, ticket->server, &name)); - printf("%s\n", name); - -+ krb5_free_ticket(ctx, ticket); - krb5_free_unparsed_name(ctx, name); - krb5_free_creds(ctx, creds); - krb5_free_principal(ctx, client); -diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py -index 1ffda51f4..fe435a2d5 100755 ---- a/src/tests/t_sn2princ.py -+++ b/src/tests/t_sn2princ.py -@@ -7,10 +7,15 @@ conf = {'domain_realm': {'kerberos.org': 'R1', - 'mit.edu': 'R3'}} - no_rdns_conf = {'libdefaults': {'rdns': 'false'}} - no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}} -+fallback_canon_conf = {'libdefaults': -+ {'rdns': 'false', -+ 'dns_canonicalize_hostname': 'fallback'}} - --realm = K5Realm(create_kdb=False, krb5_conf=conf) -+realm = K5Realm(realm='R1', create_host=False, krb5_conf=conf) - no_rdns = realm.special_env('no_rdns', False, krb5_conf=no_rdns_conf) - no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf) -+fallback_canon = realm.special_env('fallback_canon', False, -+ krb5_conf=fallback_canon_conf) - - def testbase(host, nametype, princhost, princrealm, env=None): - # Run the sn2princ harness with a specified host and name type and -@@ -37,6 +42,10 @@ def testu(host, princhost, princrealm): - # Test with the unknown name type. - testbase(host, 'unknown', princhost, princrealm) - -+def testfc(host, princhost, princrealm): -+ # Test with the host-based name type with canonicalization fallback. -+ testbase(host, 'srv-hst', princhost, princrealm, env=fallback_canon) -+ - # With the unknown principal type, we do not canonicalize or downcase, - # but we do remove a trailing period and look up the realm. - mark('unknown type') -@@ -71,6 +80,29 @@ if offline: - oname = 'ptr-mismatch.kerberos.org' - fname = 'www.kerberos.org' - -+# Test fallback canonicalization krb5_sname_to_principal() results -+# (same as dns_canonicalize_hostname=false). -+mark('dns_canonicalize_host=fallback') -+testfc(oname, oname, 'R1') -+ -+# Test fallback canonicalization in krb5_get_credentials(). -+oprinc = 'host/' + oname -+fprinc = 'host/' + fname -+shutil.copy(realm.ccache, realm.ccache + '.save') -+realm.addprinc(fprinc) -+# oprinc doesn't exist, so we get the canonicalized fprinc as a fallback. -+msgs = ('Falling back to canonicalized server hostname ' + fname,) -+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon, -+ expected_msg=fprinc, expected_trace=msgs) -+realm.addprinc(oprinc) -+# oprinc now exists, but we still get the fprinc ticket from the cache. -+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon, -+ expected_msg=fprinc) -+# Without the cached result, we sould get oprinc in preference to fprinc. -+os.rename(realm.ccache + '.save', realm.ccache) -+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon, -+ expected_msg=oprinc) -+ - # Verify forward resolution before testing for it. - try: - ai = socket.getaddrinfo(oname, None, 0, 0, 0, socket.AI_CANONNAME) diff --git a/Add-function-and-enctype-flag-for-deprecations.patch b/Add-function-and-enctype-flag-for-deprecations.patch deleted file mode 100644 index 1e15da3..0000000 --- a/Add-function-and-enctype-flag-for-deprecations.patch +++ /dev/null @@ -1,183 +0,0 @@ -From 397ce771e195edf63f796f1cf917bc65b4eafd8c Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 15 Jan 2019 16:16:57 -0500 -Subject: [PATCH] Add function and enctype flag for deprecations - -krb5int_c_deprecated_enctype() checks for the ETYPE_DEPRECATED flag on -enctypes. All ENCTYPE_WEAK enctypes are currently deprecated; not all -deprecated enctypes are considered weak. Deprecations follow RFC 6649 -and RFC 8429. - -(cherry picked from commit 484a6e7712f9b66e782b2520f07b0883889e116f) ---- - src/include/k5-int.h | 1 + - src/lib/crypto/krb/crypto_int.h | 9 ++++++++- - src/lib/crypto/krb/enctype_util.c | 7 +++++++ - src/lib/crypto/krb/etypes.c | 19 ++++++++++--------- - src/lib/crypto/libk5crypto.exports | 1 + - src/lib/krb5_32.def | 3 +++ - 6 files changed, 30 insertions(+), 10 deletions(-) - -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 8f9329c59..255cee822 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -2077,6 +2077,7 @@ krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **); - krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype); - - krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype); -+krb5_boolean KRB5_CALLCONV krb5int_c_deprecated_enctype(krb5_enctype); - krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out); - - krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *, -diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h -index e5099291e..6c1c77cac 100644 ---- a/src/lib/crypto/krb/crypto_int.h -+++ b/src/lib/crypto/krb/crypto_int.h -@@ -114,7 +114,14 @@ struct krb5_keytypes { - unsigned int ssf; - }; - --#define ETYPE_WEAK 1 -+/* -+ * "Weak" means the enctype is believed to be vulnerable to practical attacks, -+ * and will be disabled unless allow_weak_crypto is set to true. "Deprecated" -+ * means the enctype has been deprecated by the IETF, and affects display and -+ * logging. -+ */ -+#define ETYPE_WEAK (1 << 0) -+#define ETYPE_DEPRECATED (1 << 1) - - extern const struct krb5_keytypes krb5int_enctypes_list[]; - extern const int krb5int_enctypes_length; -diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c -index b1b40e7ec..e394f4e19 100644 ---- a/src/lib/crypto/krb/enctype_util.c -+++ b/src/lib/crypto/krb/enctype_util.c -@@ -51,6 +51,13 @@ krb5int_c_weak_enctype(krb5_enctype etype) - return (ktp != NULL && (ktp->flags & ETYPE_WEAK) != 0); - } - -+krb5_boolean KRB5_CALLCONV -+krb5int_c_deprecated_enctype(krb5_enctype etype) -+{ -+ const struct krb5_keytypes *ktp = find_enctype(etype); -+ return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0; -+} -+ - krb5_error_code KRB5_CALLCONV - krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, - krb5_boolean *similar) -diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c -index 53d4a5c79..8f44c37e7 100644 ---- a/src/lib/crypto/krb/etypes.c -+++ b/src/lib/crypto/krb/etypes.c -@@ -33,6 +33,7 @@ - that the keytypes are all near each other. I'd rather not make - that assumption. */ - -+/* Deprecations come from RFC 6649 and RFC 8249. */ - const struct krb5_keytypes krb5int_enctypes_list[] = { - { ENCTYPE_DES_CBC_CRC, - "des-cbc-crc", { 0 }, "DES cbc mode with CRC-32", -@@ -42,7 +43,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_des_string_to_key, k5_rand2key_des, - krb5int_des_prf, - CKSUMTYPE_RSA_MD5_DES, -- ETYPE_WEAK, 56 }, -+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, - { ENCTYPE_DES_CBC_MD4, - "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4", - &krb5int_enc_des, &krb5int_hash_md4, -@@ -51,7 +52,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_des_string_to_key, k5_rand2key_des, - krb5int_des_prf, - CKSUMTYPE_RSA_MD4_DES, -- ETYPE_WEAK, 56 }, -+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, - { ENCTYPE_DES_CBC_MD5, - "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5", - &krb5int_enc_des, &krb5int_hash_md5, -@@ -60,7 +61,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_des_string_to_key, k5_rand2key_des, - krb5int_des_prf, - CKSUMTYPE_RSA_MD5_DES, -- ETYPE_WEAK, 56 }, -+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, - { ENCTYPE_DES_CBC_RAW, - "des-cbc-raw", { 0 }, "DES cbc mode raw", - &krb5int_enc_des, NULL, -@@ -69,7 +70,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_des_string_to_key, k5_rand2key_des, - krb5int_des_prf, - 0, -- ETYPE_WEAK, 56 }, -+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, - { ENCTYPE_DES3_CBC_RAW, - "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw", - &krb5int_enc_des3, NULL, -@@ -78,7 +79,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_dk_string_to_key, k5_rand2key_des3, - NULL, /*PRF*/ - 0, -- ETYPE_WEAK, 112 }, -+ ETYPE_WEAK | ETYPE_DEPRECATED, 112 }, - - { ENCTYPE_DES3_CBC_SHA1, - "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" }, -@@ -89,7 +90,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_dk_string_to_key, k5_rand2key_des3, - krb5int_dk_prf, - CKSUMTYPE_HMAC_SHA1_DES3, -- 0 /*flags*/, 112 }, -+ ETYPE_DEPRECATED, 112 }, - - { ENCTYPE_DES_HMAC_SHA1, - "des-hmac-sha1", { 0 }, "DES with HMAC/sha1", -@@ -99,7 +100,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_dk_string_to_key, k5_rand2key_des, - NULL, /*PRF*/ - 0, -- ETYPE_WEAK, 56 }, -+ ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, - - /* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we - * consider its strength degraded and assign it an SSF value of 64. */ -@@ -113,7 +114,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key, - k5_rand2key_direct, krb5int_arcfour_prf, - CKSUMTYPE_HMAC_MD5_ARCFOUR, -- 0 /*flags*/, 64 }, -+ ETYPE_DEPRECATED, 64 }, - { ENCTYPE_ARCFOUR_HMAC_EXP, - "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" }, - "Exportable ArcFour with HMAC/md5", -@@ -124,7 +125,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key, - k5_rand2key_direct, krb5int_arcfour_prf, - CKSUMTYPE_HMAC_MD5_ARCFOUR, -- ETYPE_WEAK, 40 -+ ETYPE_WEAK | ETYPE_DEPRECATED, 40 - }, - - { ENCTYPE_AES128_CTS_HMAC_SHA1_96, -diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports -index 82eb5f30c..90afdf5f7 100644 ---- a/src/lib/crypto/libk5crypto.exports -+++ b/src/lib/crypto/libk5crypto.exports -@@ -109,3 +109,4 @@ k5_allow_weak_pbkdf2iter - krb5_c_prfplus - krb5_c_derive_prfplus - k5_enctype_to_ssf -+krb5int_c_deprecated_enctype -diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def -index c35022931..e6a487593 100644 ---- a/src/lib/krb5_32.def -+++ b/src/lib/krb5_32.def -@@ -487,3 +487,6 @@ EXPORTS - encode_krb5_pa_spake @444 ; PRIVATE - decode_krb5_pa_spake @445 ; PRIVATE - k5_free_pa_spake @446 ; PRIVATE -+ -+; new in 1.18 -+ krb5int_c_deprecated_enctype @450 ; PRIVATE diff --git a/Add-missing-newlines-to-deprecation-warnings.patch b/Add-missing-newlines-to-deprecation-warnings.patch deleted file mode 100644 index ecfe47b..0000000 --- a/Add-missing-newlines-to-deprecation-warnings.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 6946ea68b719da8434fc4c09b4ed97be91d8464b Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 21 May 2019 12:52:26 -0400 -Subject: [PATCH] Add missing newlines to deprecation warnings - -Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c omitted newlines in -two warning messages sent to stderr. Add them now. - -ticket: 8773 -(cherry picked from commit 274fee295d1429668b31c6ed898fc5d11a7e3589) ---- - src/kdc/main.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/kdc/main.c b/src/kdc/main.c -index 04393772f..1596c1c5b 100644 ---- a/src/kdc/main.c -+++ b/src/kdc/main.c -@@ -223,7 +223,8 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm, - if (krb5_enctype_to_name(def_enctype, FALSE, ename, sizeof(ename))) - ename[0] = '\0'; - fprintf(stderr, -- _("Requested master password enctype %s in %s is DEPRECATED!"), -+ _("Requested master password enctype %s in %s is " -+ "DEPRECATED!\n"), - ename, realm); - } - -@@ -385,7 +386,7 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm, - if (krb5_enctype_to_name(rdp->realm_mkey.enctype, FALSE, ename, - sizeof(ename))) - ename[0] = '\0'; -- fprintf(stderr, _("Stash file %s uses DEPRECATED enctype %s!"), -+ fprintf(stderr, _("Stash file %s uses DEPRECATED enctype %s!\n"), - rdp->realm_stash, ename); - } - diff --git a/Add-soft-pkcs11-source-code.patch b/Add-soft-pkcs11-source-code.patch deleted file mode 100644 index ef8dc9d..0000000 --- a/Add-soft-pkcs11-source-code.patch +++ /dev/null @@ -1,2071 +0,0 @@ -From 5ede44dfeffca55c793fe5ea49b438497dff027b Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 20 Jun 2019 10:45:18 -0400 -Subject: [PATCH] Add soft-pkcs11 source code - -soft-pkcs11 is no longer available upstream and is not generally -packaged in distributions, making it inconvenient to use for tests. -Import the 1.8 source code, detabified and with trailing whitespace -removed but otherwise unmodified. - -(cherry picked from commit a4bc3e513a58b0d1292f3506ac3b35be8c178086) ---- - src/tests/softpkcs11/main.c | 2049 +++++++++++++++++++++++++++++++++++ - 1 file changed, 2049 insertions(+) - create mode 100644 src/tests/softpkcs11/main.c - -diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c -new file mode 100644 -index 000000000..2acec5169 ---- /dev/null -+++ b/src/tests/softpkcs11/main.c -@@ -0,0 +1,2049 @@ -+/* -+ * Copyright (c) 2004-2006, Stockholms universitet -+ * (Stockholm University, Stockholm Sweden) -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * 3. Neither the name of the university nor the names of its contributors -+ * may be used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "locl.h" -+ -+/* RCSID("$Id: main.c,v 1.24 2006/01/11 12:42:53 lha Exp $"); */ -+ -+#define OBJECT_ID_MASK 0xfff -+#define HANDLE_OBJECT_ID(h) ((h) & OBJECT_ID_MASK) -+#define OBJECT_ID(obj) HANDLE_OBJECT_ID((obj)->object_handle) -+ -+struct st_attr { -+ CK_ATTRIBUTE attribute; -+ int secret; -+}; -+ -+struct st_object { -+ CK_OBJECT_HANDLE object_handle; -+ struct st_attr *attrs; -+ int num_attributes; -+ enum { -+ STO_T_CERTIFICATE, -+ STO_T_PRIVATE_KEY, -+ STO_T_PUBLIC_KEY -+ } type; -+ union { -+ X509 *cert; -+ EVP_PKEY *public_key; -+ struct { -+ const char *file; -+ EVP_PKEY *key; -+ X509 *cert; -+ } private_key; -+ } u; -+}; -+ -+static struct soft_token { -+ CK_VOID_PTR application; -+ CK_NOTIFY notify; -+ struct { -+ struct st_object **objs; -+ int num_objs; -+ } object; -+ struct { -+ int hardware_slot; -+ int app_error_fatal; -+ int login_done; -+ } flags; -+ int open_sessions; -+ struct session_state { -+ CK_SESSION_HANDLE session_handle; -+ -+ struct { -+ CK_ATTRIBUTE *attributes; -+ CK_ULONG num_attributes; -+ int next_object; -+ } find; -+ -+ int encrypt_object; -+ CK_MECHANISM_PTR encrypt_mechanism; -+ int decrypt_object; -+ CK_MECHANISM_PTR decrypt_mechanism; -+ int sign_object; -+ CK_MECHANISM_PTR sign_mechanism; -+ int verify_object; -+ CK_MECHANISM_PTR verify_mechanism; -+ int digest_object; -+ } state[10]; -+#define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0])) -+ FILE *logfile; -+} soft_token; -+ -+static void -+application_error(const char *fmt, ...) -+{ -+ va_list ap; -+ va_start(ap, fmt); -+ vprintf(fmt, ap); -+ va_end(ap); -+ if (soft_token.flags.app_error_fatal) -+ abort(); -+} -+ -+static void -+st_logf(const char *fmt, ...) -+{ -+ va_list ap; -+ if (soft_token.logfile == NULL) -+ return; -+ va_start(ap, fmt); -+ vfprintf(soft_token.logfile, fmt, ap); -+ va_end(ap); -+ fflush(soft_token.logfile); -+} -+ -+static void -+snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...) -+{ -+ int len; -+ va_list ap; -+ len = vsnprintf(str, size, fmt, ap); -+ va_end(ap); -+ if (len < 0 || len > size) -+ return; -+ while(len < size) -+ str[len++] = fillchar; -+} -+ -+#ifndef TEST_APP -+#define printf error_use_st_logf -+#endif -+ -+#define VERIFY_SESSION_HANDLE(s, state) \ -+{ \ -+ CK_RV ret; \ -+ ret = verify_session_handle(s, state); \ -+ if (ret != CKR_OK) { \ -+ /* return CKR_OK */; \ -+ } \ -+} -+ -+static CK_RV -+verify_session_handle(CK_SESSION_HANDLE hSession, -+ struct session_state **state) -+{ -+ int i; -+ -+ for (i = 0; i < MAX_NUM_SESSION; i++){ -+ if (soft_token.state[i].session_handle == hSession) -+ break; -+ } -+ if (i == MAX_NUM_SESSION) { -+ application_error("use of invalid handle: 0x%08lx\n", -+ (unsigned long)hSession); -+ return CKR_SESSION_HANDLE_INVALID; -+ } -+ if (state) -+ *state = &soft_token.state[i]; -+ return CKR_OK; -+} -+ -+static CK_RV -+object_handle_to_object(CK_OBJECT_HANDLE handle, -+ struct st_object **object) -+{ -+ int i = HANDLE_OBJECT_ID(handle); -+ -+ *object = NULL; -+ if (i >= soft_token.object.num_objs) -+ return CKR_ARGUMENTS_BAD; -+ if (soft_token.object.objs[i] == NULL) -+ return CKR_ARGUMENTS_BAD; -+ if (soft_token.object.objs[i]->object_handle != handle) -+ return CKR_ARGUMENTS_BAD; -+ *object = soft_token.object.objs[i]; -+ return CKR_OK; -+} -+ -+static int -+attributes_match(const struct st_object *obj, -+ const CK_ATTRIBUTE *attributes, -+ CK_ULONG num_attributes) -+{ -+ CK_ULONG i; -+ int j; -+ st_logf("attributes_match: %ld\n", (unsigned long)OBJECT_ID(obj)); -+ -+ for (i = 0; i < num_attributes; i++) { -+ int match = 0; -+ for (j = 0; j < obj->num_attributes; j++) { -+ if (attributes[i].type == obj->attrs[j].attribute.type && -+ attributes[i].ulValueLen == obj->attrs[j].attribute.ulValueLen && -+ memcmp(attributes[i].pValue, obj->attrs[j].attribute.pValue, -+ attributes[i].ulValueLen) == 0) { -+ match = 1; -+ break; -+ } -+ } -+ if (match == 0) { -+ st_logf("type %d attribute have no match\n", attributes[i].type); -+ return 0; -+ } -+ } -+ st_logf("attribute matches\n"); -+ return 1; -+} -+ -+static void -+print_attributes(const CK_ATTRIBUTE *attributes, -+ CK_ULONG num_attributes) -+{ -+ CK_ULONG i; -+ -+ st_logf("find objects: attrs: %lu\n", (unsigned long)num_attributes); -+ -+ for (i = 0; i < num_attributes; i++) { -+ st_logf(" type: "); -+ switch (attributes[i].type) { -+ case CKA_TOKEN: { -+ CK_BBOOL *ck_true; -+ if (attributes[i].ulValueLen != sizeof(CK_BBOOL)) { -+ application_error("token attribute wrong length\n"); -+ break; -+ } -+ ck_true = attributes[i].pValue; -+ st_logf("token: %s", *ck_true ? "TRUE" : "FALSE"); -+ break; -+ } -+ case CKA_CLASS: { -+ CK_OBJECT_CLASS *class; -+ if (attributes[i].ulValueLen != sizeof(CK_ULONG)) { -+ application_error("class attribute wrong length\n"); -+ break; -+ } -+ class = attributes[i].pValue; -+ st_logf("class "); -+ switch (*class) { -+ case CKO_CERTIFICATE: -+ st_logf("certificate"); -+ break; -+ case CKO_PUBLIC_KEY: -+ st_logf("public key"); -+ break; -+ case CKO_PRIVATE_KEY: -+ st_logf("private key"); -+ break; -+ case CKO_SECRET_KEY: -+ st_logf("secret key"); -+ break; -+ case CKO_DOMAIN_PARAMETERS: -+ st_logf("domain parameters"); -+ break; -+ default: -+ st_logf("[class %lx]", (long unsigned)*class); -+ break; -+ } -+ break; -+ } -+ case CKA_PRIVATE: -+ st_logf("private"); -+ break; -+ case CKA_LABEL: -+ st_logf("label"); -+ break; -+ case CKA_APPLICATION: -+ st_logf("application"); -+ break; -+ case CKA_VALUE: -+ st_logf("value"); -+ break; -+ case CKA_ID: -+ st_logf("id"); -+ break; -+ default: -+ st_logf("[unknown 0x%08lx]", (unsigned long)attributes[i].type); -+ break; -+ } -+ st_logf("\n"); -+ } -+} -+ -+static struct st_object * -+add_st_object(void) -+{ -+ struct st_object *o, **objs; -+ int i; -+ -+ o = malloc(sizeof(*o)); -+ if (o == NULL) -+ return NULL; -+ memset(o, 0, sizeof(*o)); -+ o->attrs = NULL; -+ o->num_attributes = 0; -+ -+ for (i = 0; i < soft_token.object.num_objs; i++) { -+ if (soft_token.object.objs == NULL) { -+ soft_token.object.objs[i] = o; -+ break; -+ } -+ } -+ if (i == soft_token.object.num_objs) { -+ objs = realloc(soft_token.object.objs, -+ (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0])); -+ if (objs == NULL) { -+ free(o); -+ return NULL; -+ } -+ soft_token.object.objs = objs; -+ soft_token.object.objs[soft_token.object.num_objs++] = o; -+ } -+ soft_token.object.objs[i]->object_handle = -+ (random() & (~OBJECT_ID_MASK)) | i; -+ -+ return o; -+} -+ -+static CK_RV -+add_object_attribute(struct st_object *o, -+ int secret, -+ CK_ATTRIBUTE_TYPE type, -+ CK_VOID_PTR pValue, -+ CK_ULONG ulValueLen) -+{ -+ struct st_attr *a; -+ int i; -+ -+ i = o->num_attributes; -+ a = realloc(o->attrs, (i + 1) * sizeof(o->attrs[0])); -+ if (a == NULL) -+ return CKR_DEVICE_MEMORY; -+ o->attrs = a; -+ o->attrs[i].secret = secret; -+ o->attrs[i].attribute.type = type; -+ o->attrs[i].attribute.pValue = malloc(ulValueLen); -+ if (o->attrs[i].attribute.pValue == NULL && ulValueLen != 0) -+ return CKR_DEVICE_MEMORY; -+ memcpy(o->attrs[i].attribute.pValue, pValue, ulValueLen); -+ o->attrs[i].attribute.ulValueLen = ulValueLen; -+ o->num_attributes++; -+ -+ return CKR_OK; -+} -+ -+static CK_RV -+add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key) -+{ -+ switch (key_type) { -+ case CKK_RSA: { -+ CK_BYTE *modulus = NULL; -+ size_t modulus_len = 0; -+ CK_ULONG modulus_bits = 0; -+ CK_BYTE *exponent = NULL; -+ size_t exponent_len = 0; -+ -+ modulus_bits = BN_num_bits(key->pkey.rsa->n); -+ -+ modulus_len = BN_num_bytes(key->pkey.rsa->n); -+ modulus = malloc(modulus_len); -+ BN_bn2bin(key->pkey.rsa->n, modulus); -+ -+ exponent_len = BN_num_bytes(key->pkey.rsa->e); -+ exponent = malloc(exponent_len); -+ BN_bn2bin(key->pkey.rsa->e, exponent); -+ -+ add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len); -+ add_object_attribute(o, 0, CKA_MODULUS_BITS, -+ &modulus_bits, sizeof(modulus_bits)); -+ add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT, -+ exponent, exponent_len); -+ -+ RSA_set_method(key->pkey.rsa, RSA_PKCS1_SSLeay()); -+ -+ free(modulus); -+ free(exponent); -+ } -+ default: -+ /* XXX */ -+ break; -+ } -+ return CKR_OK; -+} -+ -+ -+static int -+pem_callback(char *buf, int num, int w, void *key) -+{ -+ return -1; -+} -+ -+ -+static CK_RV -+add_certificate(char *label, -+ const char *cert_file, -+ const char *private_key_file, -+ char *id, -+ int anchor) -+{ -+ struct st_object *o = NULL; -+ CK_BBOOL bool_true = CK_TRUE; -+ CK_BBOOL bool_false = CK_FALSE; -+ CK_OBJECT_CLASS c; -+ CK_CERTIFICATE_TYPE cert_type = CKC_X_509; -+ CK_KEY_TYPE key_type; -+ CK_MECHANISM_TYPE mech_type; -+ void *cert_data = NULL; -+ size_t cert_length; -+ void *subject_data = NULL; -+ size_t subject_length; -+ void *issuer_data = NULL; -+ size_t issuer_length; -+ void *serial_data = NULL; -+ size_t serial_length; -+ CK_RV ret = CKR_GENERAL_ERROR; -+ X509 *cert; -+ EVP_PKEY *public_key; -+ -+ size_t id_len = strlen(id); -+ -+ { -+ FILE *f; -+ -+ f = fopen(cert_file, "r"); -+ if (f == NULL) { -+ st_logf("failed to open file %s\n", cert_file); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ cert = PEM_read_X509(f, NULL, NULL, NULL); -+ fclose(f); -+ if (cert == NULL) { -+ st_logf("failed reading PEM cert\n"); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ OPENSSL_ASN1_MALLOC_ENCODE(X509, cert_data, cert_length, cert, ret); -+ if (ret) -+ goto out; -+ -+ OPENSSL_ASN1_MALLOC_ENCODE(X509_NAME, issuer_data, issuer_length, -+ X509_get_issuer_name(cert), ret); -+ if (ret) -+ goto out; -+ -+ OPENSSL_ASN1_MALLOC_ENCODE(X509_NAME, subject_data, subject_length, -+ X509_get_subject_name(cert), ret); -+ if (ret) -+ goto out; -+ -+ OPENSSL_ASN1_MALLOC_ENCODE(ASN1_INTEGER, serial_data, serial_length, -+ X509_get_serialNumber(cert), ret); -+ if (ret) -+ goto out; -+ -+ } -+ -+ st_logf("done parsing, adding to internal structure\n"); -+ -+ o = add_st_object(); -+ if (o == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } -+ o->type = STO_T_CERTIFICATE; -+ o->u.cert = cert; -+ public_key = X509_get_pubkey(o->u.cert); -+ -+ switch (EVP_PKEY_type(public_key->type)) { -+ case EVP_PKEY_RSA: -+ key_type = CKK_RSA; -+ break; -+ case EVP_PKEY_DSA: -+ key_type = CKK_DSA; -+ break; -+ default: -+ /* XXX */ -+ break; -+ } -+ -+ c = CKO_CERTIFICATE; -+ add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c)); -+ add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_LABEL, label, strlen(label)); -+ -+ add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type)); -+ add_object_attribute(o, 0, CKA_ID, id, id_len); -+ -+ add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length); -+ add_object_attribute(o, 0, CKA_ISSUER, issuer_data, issuer_length); -+ add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data, serial_length); -+ add_object_attribute(o, 0, CKA_VALUE, cert_data, cert_length); -+ if (anchor) -+ add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true)); -+ else -+ add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false)); -+ -+ st_logf("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o)); -+ -+ o = add_st_object(); -+ if (o == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } -+ o->type = STO_T_PUBLIC_KEY; -+ o->u.public_key = public_key; -+ -+ c = CKO_PUBLIC_KEY; -+ add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c)); -+ add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_LABEL, label, strlen(label)); -+ -+ add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type)); -+ add_object_attribute(o, 0, CKA_ID, id, id_len); -+ add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */ -+ add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */ -+ add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false)); -+ mech_type = CKM_RSA_X_509; -+ add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type)); -+ -+ add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length); -+ add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true)); -+ -+ add_pubkey_info(o, key_type, public_key); -+ -+ st_logf("add key ok: %lx\n", (unsigned long)OBJECT_ID(o)); -+ -+ if (private_key_file) { -+ CK_FLAGS flags; -+ FILE *f; -+ -+ o = add_st_object(); -+ if (o == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } -+ o->type = STO_T_PRIVATE_KEY; -+ o->u.private_key.file = strdup(private_key_file); -+ o->u.private_key.key = NULL; -+ -+ o->u.private_key.cert = cert; -+ -+ c = CKO_PRIVATE_KEY; -+ add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c)); -+ add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_PRIVATE, &bool_true, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_LABEL, label, strlen(label)); -+ -+ add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type)); -+ add_object_attribute(o, 0, CKA_ID, id, id_len); -+ add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */ -+ add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */ -+ add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false)); -+ mech_type = CKM_RSA_X_509; -+ add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type)); -+ -+ add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length); -+ add_object_attribute(o, 0, CKA_SENSITIVE, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_SECONDARY_AUTH, &bool_false, sizeof(bool_true)); -+ flags = 0; -+ add_object_attribute(o, 0, CKA_AUTH_PIN_FLAGS, &flags, sizeof(flags)); -+ -+ add_object_attribute(o, 0, CKA_DECRYPT, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_SIGN, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_SIGN_RECOVER, &bool_false, sizeof(bool_false)); -+ add_object_attribute(o, 0, CKA_UNWRAP, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_EXTRACTABLE, &bool_true, sizeof(bool_true)); -+ add_object_attribute(o, 0, CKA_NEVER_EXTRACTABLE, &bool_false, sizeof(bool_false)); -+ -+ add_pubkey_info(o, key_type, public_key); -+ -+ f = fopen(private_key_file, "r"); -+ if (f == NULL) { -+ st_logf("failed to open private key\n"); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ o->u.private_key.key = PEM_read_PrivateKey(f, NULL, pem_callback, NULL); -+ fclose(f); -+ if (o->u.private_key.key == NULL) { -+ st_logf("failed to read private key a startup\n"); -+ /* don't bother with this failure for now, -+ fix it at C_Login time */; -+ } else { -+ /* XXX verify keytype */ -+ -+ if (key_type == CKK_RSA) -+ RSA_set_method(o->u.private_key.key->pkey.rsa, -+ RSA_PKCS1_SSLeay()); -+ -+ if (X509_check_private_key(cert, o->u.private_key.key) != 1) { -+ EVP_PKEY_free(o->u.private_key.key); -+ o->u.private_key.key = NULL; -+ st_logf("private key doesn't verify\n"); -+ } else { -+ st_logf("private key usable\n"); -+ soft_token.flags.login_done = 1; -+ } -+ } -+ } -+ -+ ret = CKR_OK; -+ out: -+ if (ret != CKR_OK) { -+ st_logf("something went wrong when adding cert!\n"); -+ -+ /* XXX wack o */; -+ } -+ free(cert_data); -+ free(serial_data); -+ free(issuer_data); -+ free(subject_data); -+ -+ return ret; -+} -+ -+static void -+find_object_final(struct session_state *state) -+{ -+ if (state->find.attributes) { -+ CK_ULONG i; -+ -+ for (i = 0; i < state->find.num_attributes; i++) { -+ if (state->find.attributes[i].pValue) -+ free(state->find.attributes[i].pValue); -+ } -+ free(state->find.attributes); -+ state->find.attributes = NULL; -+ state->find.num_attributes = 0; -+ state->find.next_object = -1; -+ } -+} -+ -+static void -+reset_crypto_state(struct session_state *state) -+{ -+ state->encrypt_object = -1; -+ if (state->encrypt_mechanism) -+ free(state->encrypt_mechanism); -+ state->encrypt_mechanism = NULL_PTR; -+ state->decrypt_object = -1; -+ if (state->decrypt_mechanism) -+ free(state->decrypt_mechanism); -+ state->decrypt_mechanism = NULL_PTR; -+ state->sign_object = -1; -+ if (state->sign_mechanism) -+ free(state->sign_mechanism); -+ state->sign_mechanism = NULL_PTR; -+ state->verify_object = -1; -+ if (state->verify_mechanism) -+ free(state->verify_mechanism); -+ state->verify_mechanism = NULL_PTR; -+ state->digest_object = -1; -+} -+ -+static void -+close_session(struct session_state *state) -+{ -+ if (state->find.attributes) { -+ application_error("application didn't do C_FindObjectsFinal\n"); -+ find_object_final(state); -+ } -+ -+ state->session_handle = CK_INVALID_HANDLE; -+ soft_token.application = NULL_PTR; -+ soft_token.notify = NULL_PTR; -+ reset_crypto_state(state); -+} -+ -+static const char * -+has_session(void) -+{ -+ return soft_token.open_sessions > 0 ? "yes" : "no"; -+} -+ -+static void -+read_conf_file(const char *fn) -+{ -+ char buf[1024], *cert, *key, *id, *label, *s, *p; -+ int anchor; -+ FILE *f; -+ -+ f = fopen(fn, "r"); -+ if (f == NULL) { -+ st_logf("can't open configuration file %s\n", fn); -+ return; -+ } -+ -+ while(fgets(buf, sizeof(buf), f) != NULL) { -+ buf[strcspn(buf, "\n")] = '\0'; -+ -+ anchor = 0; -+ -+ st_logf("line: %s\n", buf); -+ -+ p = buf; -+ while (isspace(*p)) -+ p++; -+ if (*p == '#') -+ continue; -+ while (isspace(*p)) -+ p++; -+ -+ s = NULL; -+ id = strtok_r(p, "\t", &s); -+ if (id == NULL) -+ continue; -+ label = strtok_r(NULL, "\t", &s); -+ if (label == NULL) -+ continue; -+ cert = strtok_r(NULL, "\t", &s); -+ if (cert == NULL) -+ continue; -+ key = strtok_r(NULL, "\t", &s); -+ -+ /* XXX */ -+ if (strcmp(id, "anchor") == 0) { -+ id = "\x00\x00"; -+ anchor = 1; -+ } -+ -+ st_logf("adding: %s\n", label); -+ -+ add_certificate(label, cert, key, id, anchor); -+ } -+} -+ -+static CK_RV -+func_not_supported(void) -+{ -+ st_logf("function not supported\n"); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_Initialize(CK_VOID_PTR a) -+{ -+ CK_C_INITIALIZE_ARGS_PTR args = a; -+ st_logf("Initialize\n"); -+ int i; -+ -+ OpenSSL_add_all_algorithms(); -+ ERR_load_crypto_strings(); -+ -+ srandom(getpid() ^ time(NULL)); -+ -+ for (i = 0; i < MAX_NUM_SESSION; i++) { -+ soft_token.state[i].session_handle = CK_INVALID_HANDLE; -+ soft_token.state[i].find.attributes = NULL; -+ soft_token.state[i].find.num_attributes = 0; -+ soft_token.state[i].find.next_object = -1; -+ reset_crypto_state(&soft_token.state[i]); -+ } -+ -+ soft_token.flags.hardware_slot = 1; -+ soft_token.flags.app_error_fatal = 0; -+ soft_token.flags.login_done = 0; -+ -+ soft_token.object.objs = NULL; -+ soft_token.object.num_objs = 0; -+ -+ soft_token.logfile = NULL; -+#if 0 -+ soft_token.logfile = stdout; -+#endif -+#if 0 -+ soft_token.logfile = fopen("/tmp/log-pkcs11.txt", "a"); -+#endif -+ -+ if (a != NULL_PTR) { -+ st_logf("\tCreateMutex:\t%p\n", args->CreateMutex); -+ st_logf("\tDestroyMutext\t%p\n", args->DestroyMutex); -+ st_logf("\tLockMutext\t%p\n", args->LockMutex); -+ st_logf("\tUnlockMutext\t%p\n", args->UnlockMutex); -+ st_logf("\tFlags\t%04x\n", (unsigned int)args->flags); -+ } -+ -+ { -+ char *fn = NULL, *home = NULL; -+ -+ if (getuid() == geteuid()) { -+ fn = getenv("SOFTPKCS11RC"); -+ if (fn) -+ fn = strdup(fn); -+ home = getenv("HOME"); -+ } -+ if (fn == NULL && home == NULL) { -+ struct passwd *pw = getpwuid(getuid()); -+ if(pw != NULL) -+ home = pw->pw_dir; -+ } -+ if (fn == NULL) { -+ if (home) -+ asprintf(&fn, "%s/.soft-token.rc", home); -+ else -+ fn = strdup("/etc/soft-token.rc"); -+ } -+ -+ read_conf_file(fn); -+ free(fn); -+ } -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_Finalize(CK_VOID_PTR args) -+{ -+ int i; -+ -+ st_logf("Finalize\n"); -+ -+ for (i = 0; i < MAX_NUM_SESSION; i++) { -+ if (soft_token.state[i].session_handle != CK_INVALID_HANDLE) { -+ application_error("application finalized without " -+ "closing session\n"); -+ close_session(&soft_token.state[i]); -+ } -+ } -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_GetInfo(CK_INFO_PTR args) -+{ -+ st_logf("GetInfo\n"); -+ -+ memset(args, 17, sizeof(*args)); -+ args->cryptokiVersion.major = 2; -+ args->cryptokiVersion.minor = 10; -+ snprintf_fill((char *)args->manufacturerID, -+ sizeof(args->manufacturerID), -+ ' ', -+ "SoftToken"); -+ snprintf_fill((char *)args->libraryDescription, -+ sizeof(args->libraryDescription), ' ', -+ "SoftToken"); -+ args->libraryVersion.major = 1; -+ args->libraryVersion.minor = 8; -+ -+ return CKR_OK; -+} -+ -+extern CK_FUNCTION_LIST funcs; -+ -+CK_RV -+C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) -+{ -+ *ppFunctionList = &funcs; -+ return CKR_OK; -+} -+ -+CK_RV -+C_GetSlotList(CK_BBOOL tokenPresent, -+ CK_SLOT_ID_PTR pSlotList, -+ CK_ULONG_PTR pulCount) -+{ -+ st_logf("GetSlotList: %s\n", -+ tokenPresent ? "tokenPresent" : "token not Present"); -+ if (pSlotList) -+ pSlotList[0] = 1; -+ *pulCount = 1; -+ return CKR_OK; -+} -+ -+CK_RV -+C_GetSlotInfo(CK_SLOT_ID slotID, -+ CK_SLOT_INFO_PTR pInfo) -+{ -+ st_logf("GetSlotInfo: slot: %d : %s\n", (int)slotID, has_session()); -+ -+ memset(pInfo, 18, sizeof(*pInfo)); -+ -+ if (slotID != 1) -+ return CKR_ARGUMENTS_BAD; -+ -+ snprintf_fill((char *)pInfo->slotDescription, -+ sizeof(pInfo->slotDescription), -+ ' ', -+ "SoftToken (slot)"); -+ snprintf_fill((char *)pInfo->manufacturerID, -+ sizeof(pInfo->manufacturerID), -+ ' ', -+ "SoftToken (slot)"); -+ pInfo->flags = CKF_TOKEN_PRESENT; -+ if (soft_token.flags.hardware_slot) -+ pInfo->flags |= CKF_HW_SLOT; -+ pInfo->hardwareVersion.major = 1; -+ pInfo->hardwareVersion.minor = 0; -+ pInfo->firmwareVersion.major = 1; -+ pInfo->firmwareVersion.minor = 0; -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_GetTokenInfo(CK_SLOT_ID slotID, -+ CK_TOKEN_INFO_PTR pInfo) -+{ -+ st_logf("GetTokenInfo: %s\n", has_session()); -+ -+ memset(pInfo, 19, sizeof(*pInfo)); -+ -+ snprintf_fill((char *)pInfo->label, -+ sizeof(pInfo->label), -+ ' ', -+ "SoftToken (token)"); -+ snprintf_fill((char *)pInfo->manufacturerID, -+ sizeof(pInfo->manufacturerID), -+ ' ', -+ "SoftToken (token)"); -+ snprintf_fill((char *)pInfo->model, -+ sizeof(pInfo->model), -+ ' ', -+ "SoftToken (token)"); -+ snprintf_fill((char *)pInfo->serialNumber, -+ sizeof(pInfo->serialNumber), -+ ' ', -+ "4711"); -+ pInfo->flags = -+ CKF_TOKEN_INITIALIZED | -+ CKF_USER_PIN_INITIALIZED; -+ -+ if (soft_token.flags.login_done == 0) -+ pInfo->flags |= CKF_LOGIN_REQUIRED; -+ -+ /* CFK_RNG | -+ CKF_RESTORE_KEY_NOT_NEEDED | -+ */ -+ pInfo->ulMaxSessionCount = MAX_NUM_SESSION; -+ pInfo->ulSessionCount = soft_token.open_sessions; -+ pInfo->ulMaxRwSessionCount = MAX_NUM_SESSION; -+ pInfo->ulRwSessionCount = soft_token.open_sessions; -+ pInfo->ulMaxPinLen = 1024; -+ pInfo->ulMinPinLen = 0; -+ pInfo->ulTotalPublicMemory = 4711; -+ pInfo->ulFreePublicMemory = 4712; -+ pInfo->ulTotalPrivateMemory = 4713; -+ pInfo->ulFreePrivateMemory = 4714; -+ pInfo->hardwareVersion.major = 2; -+ pInfo->hardwareVersion.minor = 0; -+ pInfo->firmwareVersion.major = 2; -+ pInfo->firmwareVersion.minor = 0; -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_GetMechanismList(CK_SLOT_ID slotID, -+ CK_MECHANISM_TYPE_PTR pMechanismList, -+ CK_ULONG_PTR pulCount) -+{ -+ st_logf("GetMechanismList\n"); -+ -+ *pulCount = 2; -+ if (pMechanismList == NULL_PTR) -+ return CKR_OK; -+ pMechanismList[0] = CKM_RSA_X_509; -+ pMechanismList[1] = CKM_RSA_PKCS; -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_GetMechanismInfo(CK_SLOT_ID slotID, -+ CK_MECHANISM_TYPE type, -+ CK_MECHANISM_INFO_PTR pInfo) -+{ -+ st_logf("GetMechanismInfo: slot %d type: %d\n", -+ (int)slotID, (int)type); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_InitToken(CK_SLOT_ID slotID, -+ CK_UTF8CHAR_PTR pPin, -+ CK_ULONG ulPinLen, -+ CK_UTF8CHAR_PTR pLabel) -+{ -+ st_logf("InitToken: slot %d\n", (int)slotID); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_OpenSession(CK_SLOT_ID slotID, -+ CK_FLAGS flags, -+ CK_VOID_PTR pApplication, -+ CK_NOTIFY Notify, -+ CK_SESSION_HANDLE_PTR phSession) -+{ -+ int i; -+ -+ st_logf("OpenSession: slot: %d\n", (int)slotID); -+ -+ if (soft_token.open_sessions == MAX_NUM_SESSION) -+ return CKR_SESSION_COUNT; -+ -+ soft_token.application = pApplication; -+ soft_token.notify = Notify; -+ -+ for (i = 0; i < MAX_NUM_SESSION; i++) -+ if (soft_token.state[i].session_handle == CK_INVALID_HANDLE) -+ break; -+ if (i == MAX_NUM_SESSION) -+ abort(); -+ -+ soft_token.open_sessions++; -+ -+ soft_token.state[i].session_handle = -+ (CK_SESSION_HANDLE)(random() & 0xfffff); -+ *phSession = soft_token.state[i].session_handle; -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_CloseSession(CK_SESSION_HANDLE hSession) -+{ -+ struct session_state *state; -+ st_logf("CloseSession\n"); -+ -+ if (verify_session_handle(hSession, &state) != CKR_OK) -+ application_error("closed session not open"); -+ else -+ close_session(state); -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_CloseAllSessions(CK_SLOT_ID slotID) -+{ -+ int i; -+ -+ st_logf("CloseAllSessions\n"); -+ -+ for (i = 0; i < MAX_NUM_SESSION; i++) -+ if (soft_token.state[i].session_handle != CK_INVALID_HANDLE) -+ close_session(&soft_token.state[i]); -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_GetSessionInfo(CK_SESSION_HANDLE hSession, -+ CK_SESSION_INFO_PTR pInfo) -+{ -+ st_logf("GetSessionInfo\n"); -+ -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ -+ memset(pInfo, 20, sizeof(*pInfo)); -+ -+ pInfo->slotID = 1; -+ if (soft_token.flags.login_done) -+ pInfo->state = CKS_RO_USER_FUNCTIONS; -+ else -+ pInfo->state = CKS_RO_PUBLIC_SESSION; -+ pInfo->flags = CKF_SERIAL_SESSION; -+ pInfo->ulDeviceError = 0; -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_Login(CK_SESSION_HANDLE hSession, -+ CK_USER_TYPE userType, -+ CK_UTF8CHAR_PTR pPin, -+ CK_ULONG ulPinLen) -+{ -+ char *pin = NULL; -+ int i; -+ -+ st_logf("Login\n"); -+ -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ -+ if (pPin != NULL_PTR) { -+ asprintf(&pin, "%.*s", (int)ulPinLen, pPin); -+ st_logf("type: %d password: %s\n", (int)userType, pin); -+ } -+ -+ for (i = 0; i < soft_token.object.num_objs; i++) { -+ struct st_object *o = soft_token.object.objs[i]; -+ FILE *f; -+ -+ if (o->type != STO_T_PRIVATE_KEY) -+ continue; -+ -+ if (o->u.private_key.key) -+ continue; -+ -+ f = fopen(o->u.private_key.file, "r"); -+ if (f == NULL) { -+ st_logf("can't open private file: %s\n", o->u.private_key.file); -+ continue; -+ } -+ -+ o->u.private_key.key = PEM_read_PrivateKey(f, NULL, NULL, pin); -+ fclose(f); -+ if (o->u.private_key.key == NULL) { -+ st_logf("failed to read key: %s error: %s\n", -+ o->u.private_key.file, -+ ERR_error_string(ERR_get_error(), NULL)); -+ /* just ignore failure */; -+ continue; -+ } -+ -+ /* XXX check keytype */ -+ RSA_set_method(o->u.private_key.key->pkey.rsa, RSA_PKCS1_SSLeay()); -+ -+ if (X509_check_private_key(o->u.private_key.cert, o->u.private_key.key) != 1) { -+ EVP_PKEY_free(o->u.private_key.key); -+ o->u.private_key.key = NULL; -+ st_logf("private key %s doesn't verify\n", o->u.private_key.file); -+ continue; -+ } -+ -+ soft_token.flags.login_done = 1; -+ } -+ free(pin); -+ -+ return soft_token.flags.login_done ? CKR_OK : CKR_PIN_INCORRECT; -+} -+ -+CK_RV -+C_Logout(CK_SESSION_HANDLE hSession) -+{ -+ st_logf("Logout\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_GetObjectSize(CK_SESSION_HANDLE hSession, -+ CK_OBJECT_HANDLE hObject, -+ CK_ULONG_PTR pulSize) -+{ -+ st_logf("GetObjectSize\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_GetAttributeValue(CK_SESSION_HANDLE hSession, -+ CK_OBJECT_HANDLE hObject, -+ CK_ATTRIBUTE_PTR pTemplate, -+ CK_ULONG ulCount) -+{ -+ struct session_state *state; -+ struct st_object *obj; -+ CK_ULONG i; -+ CK_RV ret; -+ int j; -+ -+ st_logf("GetAttributeValue: %lx\n", -+ (unsigned long)HANDLE_OBJECT_ID(hObject)); -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ if ((ret = object_handle_to_object(hObject, &obj)) != CKR_OK) { -+ st_logf("object not found: %lx\n", -+ (unsigned long)HANDLE_OBJECT_ID(hObject)); -+ return ret; -+ } -+ -+ for (i = 0; i < ulCount; i++) { -+ st_logf(" getting 0x%08lx\n", (unsigned long)pTemplate[i].type); -+ for (j = 0; j < obj->num_attributes; j++) { -+ if (obj->attrs[j].secret) { -+ pTemplate[i].ulValueLen = (CK_ULONG)-1; -+ break; -+ } -+ if (pTemplate[i].type == obj->attrs[j].attribute.type) { -+ if (pTemplate[i].pValue != NULL_PTR && obj->attrs[j].secret == 0) { -+ if (pTemplate[i].ulValueLen >= obj->attrs[j].attribute.ulValueLen) -+ memcpy(pTemplate[i].pValue, obj->attrs[j].attribute.pValue, -+ obj->attrs[j].attribute.ulValueLen); -+ } -+ pTemplate[i].ulValueLen = obj->attrs[j].attribute.ulValueLen; -+ break; -+ } -+ } -+ if (j == obj->num_attributes) { -+ st_logf("key type: 0x%08lx not found\n", (unsigned long)pTemplate[i].type); -+ pTemplate[i].ulValueLen = (CK_ULONG)-1; -+ } -+ -+ } -+ return CKR_OK; -+} -+ -+CK_RV -+C_FindObjectsInit(CK_SESSION_HANDLE hSession, -+ CK_ATTRIBUTE_PTR pTemplate, -+ CK_ULONG ulCount) -+{ -+ struct session_state *state; -+ -+ st_logf("FindObjectsInit\n"); -+ -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ if (state->find.next_object != -1) { -+ application_error("application didn't do C_FindObjectsFinal\n"); -+ find_object_final(state); -+ } -+ if (ulCount) { -+ CK_ULONG i; -+ size_t len; -+ -+ print_attributes(pTemplate, ulCount); -+ -+ state->find.attributes = -+ calloc(1, ulCount * sizeof(state->find.attributes[0])); -+ if (state->find.attributes == NULL) -+ return CKR_DEVICE_MEMORY; -+ for (i = 0; i < ulCount; i++) { -+ state->find.attributes[i].pValue = -+ malloc(pTemplate[i].ulValueLen); -+ if (state->find.attributes[i].pValue == NULL) { -+ find_object_final(state); -+ return CKR_DEVICE_MEMORY; -+ } -+ memcpy(state->find.attributes[i].pValue, -+ pTemplate[i].pValue, pTemplate[i].ulValueLen); -+ state->find.attributes[i].type = pTemplate[i].type; -+ state->find.attributes[i].ulValueLen = pTemplate[i].ulValueLen; -+ } -+ state->find.num_attributes = ulCount; -+ state->find.next_object = 0; -+ } else { -+ st_logf("find all objects\n"); -+ state->find.attributes = NULL; -+ state->find.num_attributes = 0; -+ state->find.next_object = 0; -+ } -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_FindObjects(CK_SESSION_HANDLE hSession, -+ CK_OBJECT_HANDLE_PTR phObject, -+ CK_ULONG ulMaxObjectCount, -+ CK_ULONG_PTR pulObjectCount) -+{ -+ struct session_state *state; -+ int i; -+ -+ st_logf("FindObjects\n"); -+ -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ if (state->find.next_object == -1) { -+ application_error("application didn't do C_FindObjectsInit\n"); -+ return CKR_ARGUMENTS_BAD; -+ } -+ if (ulMaxObjectCount == 0) { -+ application_error("application asked for 0 objects\n"); -+ return CKR_ARGUMENTS_BAD; -+ } -+ *pulObjectCount = 0; -+ for (i = state->find.next_object; i < soft_token.object.num_objs; i++) { -+ st_logf("FindObjects: %d\n", i); -+ state->find.next_object = i + 1; -+ if (attributes_match(soft_token.object.objs[i], -+ state->find.attributes, -+ state->find.num_attributes)) { -+ *phObject++ = soft_token.object.objs[i]->object_handle; -+ ulMaxObjectCount--; -+ (*pulObjectCount)++; -+ if (ulMaxObjectCount == 0) -+ break; -+ } -+ } -+ return CKR_OK; -+} -+ -+CK_RV -+C_FindObjectsFinal(CK_SESSION_HANDLE hSession) -+{ -+ struct session_state *state; -+ -+ st_logf("FindObjectsFinal\n"); -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ find_object_final(state); -+ return CKR_OK; -+} -+ -+static CK_RV -+commonInit(CK_ATTRIBUTE *attr_match, int attr_match_len, -+ const CK_MECHANISM_TYPE *mechs, int mechs_len, -+ const CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, -+ struct st_object **o) -+{ -+ CK_RV ret; -+ int i; -+ -+ *o = NULL; -+ if ((ret = object_handle_to_object(hKey, o)) != CKR_OK) -+ return ret; -+ -+ ret = attributes_match(*o, attr_match, attr_match_len); -+ if (!ret) { -+ application_error("called commonInit on key that doesn't " -+ "support required attr"); -+ return CKR_ARGUMENTS_BAD; -+ } -+ -+ for (i = 0; i < mechs_len; i++) -+ if (mechs[i] == pMechanism->mechanism) -+ break; -+ if (i == mechs_len) { -+ application_error("called mech (%08lx) not supported\n", -+ pMechanism->mechanism); -+ return CKR_ARGUMENTS_BAD; -+ } -+ return CKR_OK; -+} -+ -+ -+static CK_RV -+dup_mechanism(CK_MECHANISM_PTR *dup, const CK_MECHANISM_PTR pMechanism) -+{ -+ CK_MECHANISM_PTR p; -+ -+ p = malloc(sizeof(*p)); -+ if (p == NULL) -+ return CKR_DEVICE_MEMORY; -+ -+ if (*dup) -+ free(*dup); -+ *dup = p; -+ memcpy(p, pMechanism, sizeof(*p)); -+ -+ return CKR_OK; -+} -+ -+ -+CK_RV -+C_EncryptInit(CK_SESSION_HANDLE hSession, -+ CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey) -+{ -+ struct session_state *state; -+ CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS, CKM_RSA_X_509 }; -+ CK_BBOOL bool_true = CK_TRUE; -+ CK_ATTRIBUTE attr[] = { -+ { CKA_ENCRYPT, &bool_true, sizeof(bool_true) } -+ }; -+ struct st_object *o; -+ CK_RV ret; -+ -+ st_logf("EncryptInit\n"); -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), -+ mechs, sizeof(mechs)/sizeof(mechs[0]), -+ pMechanism, hKey, &o); -+ if (ret) -+ return ret; -+ -+ ret = dup_mechanism(&state->encrypt_mechanism, pMechanism); -+ if (ret == CKR_OK) -+ state->encrypt_object = OBJECT_ID(o); -+ -+ return ret; -+} -+ -+CK_RV -+C_Encrypt(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, -+ CK_BYTE_PTR pEncryptedData, -+ CK_ULONG_PTR pulEncryptedDataLen) -+{ -+ struct session_state *state; -+ struct st_object *o; -+ void *buffer = NULL; -+ CK_RV ret; -+ RSA *rsa; -+ int padding, len, buffer_len, padding_len; -+ -+ st_logf("Encrypt\n"); -+ -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ if (state->encrypt_object == -1) -+ return CKR_ARGUMENTS_BAD; -+ -+ o = soft_token.object.objs[state->encrypt_object]; -+ -+ if (o->u.public_key == NULL) { -+ st_logf("public key NULL\n"); -+ return CKR_ARGUMENTS_BAD; -+ } -+ -+ rsa = o->u.public_key->pkey.rsa; -+ -+ if (rsa == NULL) -+ return CKR_ARGUMENTS_BAD; -+ -+ RSA_blinding_off(rsa); /* XXX RAND is broken while running in mozilla ? */ -+ -+ buffer_len = RSA_size(rsa); -+ -+ buffer = malloc(buffer_len); -+ if (buffer == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } -+ -+ ret = CKR_OK; -+ switch(state->encrypt_mechanism->mechanism) { -+ case CKM_RSA_PKCS: -+ padding = RSA_PKCS1_PADDING; -+ padding_len = RSA_PKCS1_PADDING_SIZE; -+ break; -+ case CKM_RSA_X_509: -+ padding = RSA_NO_PADDING; -+ padding_len = 0; -+ break; -+ default: -+ ret = CKR_FUNCTION_NOT_SUPPORTED; -+ goto out; -+ } -+ -+ if (buffer_len + padding_len < ulDataLen) { -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ if (pulEncryptedDataLen == NULL) { -+ st_logf("pulEncryptedDataLen NULL\n"); -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ if (pData == NULL_PTR) { -+ st_logf("data NULL\n"); -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ len = RSA_public_encrypt(ulDataLen, pData, buffer, rsa, padding); -+ if (len <= 0) { -+ ret = CKR_DEVICE_ERROR; -+ goto out; -+ } -+ if (len > buffer_len) -+ abort(); -+ -+ if (pEncryptedData != NULL_PTR) -+ memcpy(pEncryptedData, buffer, len); -+ *pulEncryptedDataLen = len; -+ -+ out: -+ if (buffer) { -+ memset(buffer, 0, buffer_len); -+ free(buffer); -+ } -+ return ret; -+} -+ -+CK_RV -+C_EncryptUpdate(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen, -+ CK_BYTE_PTR pEncryptedPart, -+ CK_ULONG_PTR pulEncryptedPartLen) -+{ -+ st_logf("EncryptUpdate\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+ -+CK_RV -+C_EncryptFinal(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pLastEncryptedPart, -+ CK_ULONG_PTR pulLastEncryptedPartLen) -+{ -+ st_logf("EncryptFinal\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+ -+/* C_DecryptInit initializes a decryption operation. */ -+CK_RV -+C_DecryptInit(CK_SESSION_HANDLE hSession, -+ CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey) -+{ -+ struct session_state *state; -+ CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS, CKM_RSA_X_509 }; -+ CK_BBOOL bool_true = CK_TRUE; -+ CK_ATTRIBUTE attr[] = { -+ { CKA_DECRYPT, &bool_true, sizeof(bool_true) } -+ }; -+ struct st_object *o; -+ CK_RV ret; -+ -+ st_logf("DecryptInit\n"); -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), -+ mechs, sizeof(mechs)/sizeof(mechs[0]), -+ pMechanism, hKey, &o); -+ if (ret) -+ return ret; -+ -+ ret = dup_mechanism(&state->decrypt_mechanism, pMechanism); -+ if (ret == CKR_OK) -+ state->decrypt_object = OBJECT_ID(o); -+ -+ return CKR_OK; -+} -+ -+ -+CK_RV -+C_Decrypt(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pEncryptedData, -+ CK_ULONG ulEncryptedDataLen, -+ CK_BYTE_PTR pData, -+ CK_ULONG_PTR pulDataLen) -+{ -+ struct session_state *state; -+ struct st_object *o; -+ void *buffer = NULL; -+ CK_RV ret; -+ RSA *rsa; -+ int padding, len, buffer_len, padding_len; -+ -+ st_logf("Decrypt\n"); -+ -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ if (state->decrypt_object == -1) -+ return CKR_ARGUMENTS_BAD; -+ -+ o = soft_token.object.objs[state->decrypt_object]; -+ -+ if (o->u.private_key.key == NULL) { -+ st_logf("private key NULL\n"); -+ return CKR_ARGUMENTS_BAD; -+ } -+ -+ rsa = o->u.private_key.key->pkey.rsa; -+ -+ if (rsa == NULL) -+ return CKR_ARGUMENTS_BAD; -+ -+ RSA_blinding_off(rsa); /* XXX RAND is broken while running in mozilla ? */ -+ -+ buffer_len = RSA_size(rsa); -+ -+ buffer = malloc(buffer_len); -+ if (buffer == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } -+ -+ ret = CKR_OK; -+ switch(state->decrypt_mechanism->mechanism) { -+ case CKM_RSA_PKCS: -+ padding = RSA_PKCS1_PADDING; -+ padding_len = RSA_PKCS1_PADDING_SIZE; -+ break; -+ case CKM_RSA_X_509: -+ padding = RSA_NO_PADDING; -+ padding_len = 0; -+ break; -+ default: -+ ret = CKR_FUNCTION_NOT_SUPPORTED; -+ goto out; -+ } -+ -+ if (buffer_len + padding_len < ulEncryptedDataLen) { -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ if (pulDataLen == NULL) { -+ st_logf("pulDataLen NULL\n"); -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ if (pEncryptedData == NULL_PTR) { -+ st_logf("data NULL\n"); -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ len = RSA_private_decrypt(ulEncryptedDataLen, pEncryptedData, buffer, -+ rsa, padding); -+ if (len <= 0) { -+ ret = CKR_DEVICE_ERROR; -+ goto out; -+ } -+ if (len > buffer_len) -+ abort(); -+ -+ if (pData != NULL_PTR) -+ memcpy(pData, buffer, len); -+ *pulDataLen = len; -+ -+ out: -+ if (buffer) { -+ memset(buffer, 0, buffer_len); -+ free(buffer); -+ } -+ return ret; -+} -+ -+ -+CK_RV -+C_DecryptUpdate(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pEncryptedPart, -+ CK_ULONG ulEncryptedPartLen, -+ CK_BYTE_PTR pPart, -+ CK_ULONG_PTR pulPartLen) -+ -+{ -+ st_logf("DecryptUpdate\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+ -+CK_RV -+C_DecryptFinal(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pLastPart, -+ CK_ULONG_PTR pulLastPartLen) -+{ -+ st_logf("DecryptFinal\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_DigestInit(CK_SESSION_HANDLE hSession, -+ CK_MECHANISM_PTR pMechanism) -+{ -+ st_logf("DigestInit\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_SignInit(CK_SESSION_HANDLE hSession, -+ CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey) -+{ -+ struct session_state *state; -+ CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS, CKM_RSA_X_509 }; -+ CK_BBOOL bool_true = CK_TRUE; -+ CK_ATTRIBUTE attr[] = { -+ { CKA_SIGN, &bool_true, sizeof(bool_true) } -+ }; -+ struct st_object *o; -+ CK_RV ret; -+ -+ st_logf("SignInit\n"); -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), -+ mechs, sizeof(mechs)/sizeof(mechs[0]), -+ pMechanism, hKey, &o); -+ if (ret) -+ return ret; -+ -+ ret = dup_mechanism(&state->sign_mechanism, pMechanism); -+ if (ret == CKR_OK) -+ state->sign_object = OBJECT_ID(o); -+ -+ return CKR_OK; -+} -+ -+CK_RV -+C_Sign(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, -+ CK_BYTE_PTR pSignature, -+ CK_ULONG_PTR pulSignatureLen) -+{ -+ struct session_state *state; -+ struct st_object *o; -+ void *buffer = NULL; -+ CK_RV ret; -+ RSA *rsa; -+ int padding, len, buffer_len, padding_len; -+ -+ st_logf("Sign\n"); -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ if (state->sign_object == -1) -+ return CKR_ARGUMENTS_BAD; -+ -+ o = soft_token.object.objs[state->sign_object]; -+ -+ if (o->u.private_key.key == NULL) { -+ st_logf("private key NULL\n"); -+ return CKR_ARGUMENTS_BAD; -+ } -+ -+ rsa = o->u.private_key.key->pkey.rsa; -+ -+ if (rsa == NULL) -+ return CKR_ARGUMENTS_BAD; -+ -+ RSA_blinding_off(rsa); /* XXX RAND is broken while running in mozilla ? */ -+ -+ buffer_len = RSA_size(rsa); -+ -+ buffer = malloc(buffer_len); -+ if (buffer == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } -+ -+ switch(state->sign_mechanism->mechanism) { -+ case CKM_RSA_PKCS: -+ padding = RSA_PKCS1_PADDING; -+ padding_len = RSA_PKCS1_PADDING_SIZE; -+ break; -+ case CKM_RSA_X_509: -+ padding = RSA_NO_PADDING; -+ padding_len = 0; -+ break; -+ default: -+ ret = CKR_FUNCTION_NOT_SUPPORTED; -+ goto out; -+ } -+ -+ if (buffer_len < ulDataLen + padding_len) { -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ if (pulSignatureLen == NULL) { -+ st_logf("signature len NULL\n"); -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ if (pData == NULL_PTR) { -+ st_logf("data NULL\n"); -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ len = RSA_private_encrypt(ulDataLen, pData, buffer, rsa, padding); -+ st_logf("private encrypt done\n"); -+ if (len <= 0) { -+ ret = CKR_DEVICE_ERROR; -+ goto out; -+ } -+ if (len > buffer_len) -+ abort(); -+ -+ if (pSignature != NULL_PTR) -+ memcpy(pSignature, buffer, len); -+ *pulSignatureLen = len; -+ -+ ret = CKR_OK; -+ -+ out: -+ if (buffer) { -+ memset(buffer, 0, buffer_len); -+ free(buffer); -+ } -+ return ret; -+} -+ -+CK_RV -+C_SignUpdate(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen) -+{ -+ st_logf("SignUpdate\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+ -+CK_RV -+C_SignFinal(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pSignature, -+ CK_ULONG_PTR pulSignatureLen) -+{ -+ st_logf("SignUpdate\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_VerifyInit(CK_SESSION_HANDLE hSession, -+ CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey) -+{ -+ struct session_state *state; -+ CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS, CKM_RSA_X_509 }; -+ CK_BBOOL bool_true = CK_TRUE; -+ CK_ATTRIBUTE attr[] = { -+ { CKA_VERIFY, &bool_true, sizeof(bool_true) } -+ }; -+ struct st_object *o; -+ CK_RV ret; -+ -+ st_logf("VerifyInit\n"); -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), -+ mechs, sizeof(mechs)/sizeof(mechs[0]), -+ pMechanism, hKey, &o); -+ if (ret) -+ return ret; -+ -+ ret = dup_mechanism(&state->verify_mechanism, pMechanism); -+ if (ret == CKR_OK) -+ state->verify_object = OBJECT_ID(o); -+ -+ return ret; -+} -+ -+CK_RV -+C_Verify(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, -+ CK_BYTE_PTR pSignature, -+ CK_ULONG ulSignatureLen) -+{ -+ struct session_state *state; -+ struct st_object *o; -+ void *buffer = NULL; -+ CK_RV ret; -+ RSA *rsa; -+ int padding, len, buffer_len; -+ -+ st_logf("Verify\n"); -+ VERIFY_SESSION_HANDLE(hSession, &state); -+ -+ if (state->verify_object == -1) -+ return CKR_ARGUMENTS_BAD; -+ -+ o = soft_token.object.objs[state->verify_object]; -+ -+ if (o->u.public_key == NULL) { -+ st_logf("public key NULL\n"); -+ return CKR_ARGUMENTS_BAD; -+ } -+ -+ rsa = o->u.public_key->pkey.rsa; -+ -+ if (rsa == NULL) -+ return CKR_ARGUMENTS_BAD; -+ -+ RSA_blinding_off(rsa); /* XXX RAND is broken while running in mozilla ? */ -+ -+ buffer_len = RSA_size(rsa); -+ -+ buffer = malloc(buffer_len); -+ if (buffer == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } -+ -+ ret = CKR_OK; -+ switch(state->verify_mechanism->mechanism) { -+ case CKM_RSA_PKCS: -+ padding = RSA_PKCS1_PADDING; -+ break; -+ case CKM_RSA_X_509: -+ padding = RSA_NO_PADDING; -+ break; -+ default: -+ ret = CKR_FUNCTION_NOT_SUPPORTED; -+ goto out; -+ } -+ -+ if (buffer_len < ulDataLen) { -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ if (pSignature == NULL) { -+ st_logf("signature NULL\n"); -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ if (pData == NULL_PTR) { -+ st_logf("data NULL\n"); -+ ret = CKR_ARGUMENTS_BAD; -+ goto out; -+ } -+ -+ len = RSA_public_decrypt(ulDataLen, pData, buffer, rsa, padding); -+ st_logf("private encrypt done\n"); -+ if (len <= 0) { -+ ret = CKR_DEVICE_ERROR; -+ goto out; -+ } -+ if (len > buffer_len) -+ abort(); -+ -+ if (len != ulSignatureLen) { -+ ret = CKR_GENERAL_ERROR; -+ goto out; -+ } -+ -+ if (memcmp(pSignature, buffer, len) != 0) { -+ ret = CKR_GENERAL_ERROR; -+ goto out; -+ } -+ -+ out: -+ if (buffer) { -+ memset(buffer, 0, buffer_len); -+ free(buffer); -+ } -+ return ret; -+} -+ -+ -+CK_RV -+C_VerifyUpdate(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen) -+{ -+ st_logf("VerifyUpdate\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_VerifyFinal(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR pSignature, -+ CK_ULONG ulSignatureLen) -+{ -+ st_logf("VerifyFinal\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+CK_RV -+C_GenerateRandom(CK_SESSION_HANDLE hSession, -+ CK_BYTE_PTR RandomData, -+ CK_ULONG ulRandomLen) -+{ -+ st_logf("GenerateRandom\n"); -+ VERIFY_SESSION_HANDLE(hSession, NULL); -+ return CKR_FUNCTION_NOT_SUPPORTED; -+} -+ -+ -+CK_FUNCTION_LIST funcs = { -+ { 2, 11 }, -+ C_Initialize, -+ C_Finalize, -+ C_GetInfo, -+ C_GetFunctionList, -+ C_GetSlotList, -+ C_GetSlotInfo, -+ C_GetTokenInfo, -+ C_GetMechanismList, -+ C_GetMechanismInfo, -+ C_InitToken, -+ (void *)func_not_supported, /* C_InitPIN */ -+ (void *)func_not_supported, /* C_SetPIN */ -+ C_OpenSession, -+ C_CloseSession, -+ C_CloseAllSessions, -+ C_GetSessionInfo, -+ (void *)func_not_supported, /* C_GetOperationState */ -+ (void *)func_not_supported, /* C_SetOperationState */ -+ C_Login, -+ C_Logout, -+ (void *)func_not_supported, /* C_CreateObject */ -+ (void *)func_not_supported, /* C_CopyObject */ -+ (void *)func_not_supported, /* C_DestroyObject */ -+ (void *)func_not_supported, /* C_GetObjectSize */ -+ C_GetAttributeValue, -+ (void *)func_not_supported, /* C_SetAttributeValue */ -+ C_FindObjectsInit, -+ C_FindObjects, -+ C_FindObjectsFinal, -+ C_EncryptInit, -+ C_Encrypt, -+ C_EncryptUpdate, -+ C_EncryptFinal, -+ C_DecryptInit, -+ C_Decrypt, -+ C_DecryptUpdate, -+ C_DecryptFinal, -+ C_DigestInit, -+ (void *)func_not_supported, /* C_Digest */ -+ (void *)func_not_supported, /* C_DigestUpdate */ -+ (void *)func_not_supported, /* C_DigestKey */ -+ (void *)func_not_supported, /* C_DigestFinal */ -+ C_SignInit, -+ C_Sign, -+ C_SignUpdate, -+ C_SignFinal, -+ (void *)func_not_supported, /* C_SignRecoverInit */ -+ (void *)func_not_supported, /* C_SignRecover */ -+ C_VerifyInit, -+ C_Verify, -+ C_VerifyUpdate, -+ C_VerifyFinal, -+ (void *)func_not_supported, /* C_VerifyRecoverInit */ -+ (void *)func_not_supported, /* C_VerifyRecover */ -+ (void *)func_not_supported, /* C_DigestEncryptUpdate */ -+ (void *)func_not_supported, /* C_DecryptDigestUpdate */ -+ (void *)func_not_supported, /* C_SignEncryptUpdate */ -+ (void *)func_not_supported, /* C_DecryptVerifyUpdate */ -+ (void *)func_not_supported, /* C_GenerateKey */ -+ (void *)func_not_supported, /* C_GenerateKeyPair */ -+ (void *)func_not_supported, /* C_WrapKey */ -+ (void *)func_not_supported, /* C_UnwrapKey */ -+ (void *)func_not_supported, /* C_DeriveKey */ -+ (void *)func_not_supported, /* C_SeedRandom */ -+ C_GenerateRandom, -+ (void *)func_not_supported, /* C_GetFunctionStatus */ -+ (void *)func_not_supported, /* C_CancelFunction */ -+ (void *)func_not_supported /* C_WaitForSlotEvent */ -+}; diff --git a/Add-tests-for-KCM-ccache-type.patch b/Add-tests-for-KCM-ccache-type.patch deleted file mode 100644 index 08d9215..0000000 --- a/Add-tests-for-KCM-ccache-type.patch +++ /dev/null @@ -1,294 +0,0 @@ -From 0b63afda1a399a37274021115524db1e65675cb9 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 22 Nov 2018 00:27:35 -0500 -Subject: [PATCH] Add tests for KCM ccache type - -Using a trivial Python implementation of a KCM server, run the -t_ccache.py tests against the KCM ccache type. - -(cherry picked from commit f0bcb86131e385b2603ccf0f3c7d65aa3891b220) ---- - src/tests/kcmserver.py | 246 +++++++++++++++++++++++++++++++++++++++++ - src/tests/t_ccache.py | 9 +- - 2 files changed, 254 insertions(+), 1 deletion(-) - create mode 100644 src/tests/kcmserver.py - -diff --git a/src/tests/kcmserver.py b/src/tests/kcmserver.py -new file mode 100644 -index 000000000..57432e5a7 ---- /dev/null -+++ b/src/tests/kcmserver.py -@@ -0,0 +1,246 @@ -+# This is a simple KCM test server, used to exercise the KCM ccache -+# client code. It will generally throw an uncaught exception if the -+# client sends anything unexpected, so is unsuitable for production. -+# (It also imposes no namespace or access constraints, and blocks -+# while reading requests and writing responses.) -+ -+# This code knows nothing about how to marshal and unmarshal principal -+# names and credentials as is required in the KCM protocol; instead, -+# it just remembers the marshalled forms and replays them to the -+# client when asked. This works because marshalled creds and -+# principal names are always the last part of marshalled request -+# arguments, and because we don't need to implement remove_cred (which -+# would need to know how to match a cred tag against previously stored -+# credentials). -+ -+# The following code is useful for debugging if anything appears to be -+# going wrong in the server, since daemon output is generally not -+# visible in Python test scripts. -+# -+# import sys, traceback -+# def ehook(etype, value, tb): -+# with open('/tmp/exception', 'w') as f: -+# traceback.print_exception(etype, value, tb, file=f) -+# sys.excepthook = ehook -+ -+import select -+import socket -+import struct -+import sys -+ -+caches = {} -+cache_uuidmap = {} -+defname = b'default' -+next_unique = 1 -+next_uuid = 1 -+ -+class KCMOpcodes(object): -+ GEN_NEW = 3 -+ INITIALIZE = 4 -+ DESTROY = 5 -+ STORE = 6 -+ GET_PRINCIPAL = 8 -+ GET_CRED_UUID_LIST = 9 -+ GET_CRED_BY_UUID = 10 -+ REMOVE_CRED = 11 -+ GET_CACHE_UUID_LIST = 18 -+ GET_CACHE_BY_UUID = 19 -+ GET_DEFAULT_CACHE = 20 -+ SET_DEFAULT_CACHE = 21 -+ GET_KDC_OFFSET = 22 -+ SET_KDC_OFFSET = 23 -+ -+ -+class KRB5Errors(object): -+ KRB5_CC_END = -1765328242 -+ KRB5_CC_NOSUPP = -1765328137 -+ KRB5_FCC_NOFILE = -1765328189 -+ -+ -+def make_uuid(): -+ global next_uuid -+ uuid = bytes(12) + struct.pack('>L', next_uuid) -+ next_uuid = next_uuid + 1 -+ return uuid -+ -+ -+class Cache(object): -+ def __init__(self, name): -+ self.name = name -+ self.princ = None -+ self.uuid = make_uuid() -+ self.cred_uuids = [] -+ self.creds = {} -+ self.time_offset = 0 -+ -+ -+def get_cache(name): -+ if name in caches: -+ return caches[name] -+ cache = Cache(name) -+ caches[name] = cache -+ cache_uuidmap[cache.uuid] = cache -+ return cache -+ -+ -+def unmarshal_name(argbytes): -+ offset = argbytes.find(b'\0') -+ return argbytes[0:offset], argbytes[offset+1:] -+ -+ -+def op_gen_new(argbytes): -+ # Does not actually check for uniqueness. -+ global next_unique -+ name = b'unique' + str(next_unique).encode('ascii') -+ next_unique += 1 -+ return 0, name + b'\0' -+ -+ -+def op_initialize(argbytes): -+ name, princ = unmarshal_name(argbytes) -+ cache = get_cache(name) -+ cache.princ = princ -+ cache.cred_uuids = [] -+ cache.creds = {} -+ cache.time_offset = 0 -+ return 0, b'' -+ -+ -+def op_destroy(argbytes): -+ name, rest = unmarshal_name(argbytes) -+ cache = get_cache(name) -+ del cache_uuidmap[cache.uuid] -+ del caches[name] -+ return 0, b'' -+ -+ -+def op_store(argbytes): -+ name, cred = unmarshal_name(argbytes) -+ cache = get_cache(name) -+ uuid = make_uuid() -+ cache.creds[uuid] = cred -+ cache.cred_uuids.append(uuid) -+ return 0, b'' -+ -+ -+def op_get_principal(argbytes): -+ name, rest = unmarshal_name(argbytes) -+ cache = get_cache(name) -+ if cache.princ is None: -+ return KRB5Errors.KRB5_FCC_NOFILE, b'' -+ return 0, cache.princ + b'\0' -+ -+ -+def op_get_cred_uuid_list(argbytes): -+ name, rest = unmarshal_name(argbytes) -+ cache = get_cache(name) -+ return 0, b''.join(cache.cred_uuids) -+ -+ -+def op_get_cred_by_uuid(argbytes): -+ name, uuid = unmarshal_name(argbytes) -+ cache = get_cache(name) -+ if uuid not in cache.creds: -+ return KRB5Errors.KRB5_CC_END, b'' -+ return 0, cache.creds[uuid] -+ -+ -+def op_remove_cred(argbytes): -+ return KRB5Errors.KRB5_CC_NOSUPP, b'' -+ -+ -+def op_get_cache_uuid_list(argbytes): -+ return 0, b''.join(cache_uuidmap.keys()) -+ -+ -+def op_get_cache_by_uuid(argbytes): -+ uuid = argbytes -+ if uuid not in cache_uuidmap: -+ return KRB5Errors.KRB5_CC_END, b'' -+ return 0, cache_uuidmap[uuid].name + b'\0' -+ -+ -+def op_get_default_cache(argbytes): -+ return 0, defname + b'\0' -+ -+ -+def op_set_default_cache(argbytes): -+ global defname -+ defname, rest = unmarshal_name(argbytes) -+ return 0, b'' -+ -+ -+def op_get_kdc_offset(argbytes): -+ name, rest = unmarshal_name(argbytes) -+ cache = get_cache(name) -+ return 0, struct.pack('>l', cache.time_offset) -+ -+ -+def op_set_kdc_offset(argbytes): -+ name, obytes = unmarshal_name(argbytes) -+ cache = get_cache(name) -+ cache.time_offset, = struct.unpack('>l', obytes) -+ return 0, b'' -+ -+ -+ophandlers = { -+ KCMOpcodes.GEN_NEW : op_gen_new, -+ KCMOpcodes.INITIALIZE : op_initialize, -+ KCMOpcodes.DESTROY : op_destroy, -+ KCMOpcodes.STORE : op_store, -+ KCMOpcodes.GET_PRINCIPAL : op_get_principal, -+ KCMOpcodes.GET_CRED_UUID_LIST : op_get_cred_uuid_list, -+ KCMOpcodes.GET_CRED_BY_UUID : op_get_cred_by_uuid, -+ KCMOpcodes.REMOVE_CRED : op_remove_cred, -+ KCMOpcodes.GET_CACHE_UUID_LIST : op_get_cache_uuid_list, -+ KCMOpcodes.GET_CACHE_BY_UUID : op_get_cache_by_uuid, -+ KCMOpcodes.GET_DEFAULT_CACHE : op_get_default_cache, -+ KCMOpcodes.SET_DEFAULT_CACHE : op_set_default_cache, -+ KCMOpcodes.GET_KDC_OFFSET : op_get_kdc_offset, -+ KCMOpcodes.SET_KDC_OFFSET : op_set_kdc_offset -+} -+ -+# Read and respond to a request from the socket s. -+def service_request(s): -+ lenbytes = b'' -+ while len(lenbytes) < 4: -+ lenbytes += s.recv(4 - len(lenbytes)) -+ if lenbytes == b'': -+ return False -+ -+ reqlen, = struct.unpack('>L', lenbytes) -+ req = b'' -+ while len(req) < reqlen: -+ req += s.recv(reqlen - len(req)) -+ -+ majver, minver, op = struct.unpack('>BBH', req[:4]) -+ argbytes = req[4:] -+ code, payload = ophandlers[op](argbytes) -+ -+ # The KCM response is the code (4 bytes) and the response payload. -+ # The Heimdal IPC response is the length of the KCM response (4 -+ # bytes), a status code which is essentially always 0 (4 bytes), -+ # and the KCM response. -+ kcm_response = struct.pack('>l', code) + payload -+ hipc_response = struct.pack('>LL', len(kcm_response), 0) + kcm_response -+ s.sendall(hipc_response) -+ return True -+ -+ -+server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) -+server.bind(sys.argv[1]) -+server.listen(5) -+select_input = [server,] -+sys.stderr.write('starting...\n') -+sys.stderr.flush() -+ -+while True: -+ iready, oready, xready = select.select(select_input, [], []) -+ for s in iready: -+ if s == server: -+ client, addr = server.accept() -+ select_input.append(client) -+ else: -+ if not service_request(s): -+ select_input.remove(s) -+ s.close() -diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py -index fcf1a611e..66804afa5 100755 ---- a/src/tests/t_ccache.py -+++ b/src/tests/t_ccache.py -@@ -22,7 +22,10 @@ - - from k5test import * - --realm = K5Realm(create_host=False) -+kcm_socket_path = os.path.join(os.getcwd(), 'testdir', 'kcm') -+conf = {'libdefaults': {'kcm_socket': kcm_socket_path, -+ 'kcm_mach_service': '-'}} -+realm = K5Realm(create_host=False, krb5_conf=conf) - - keyctl = which('keyctl') - out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1) -@@ -122,6 +125,10 @@ def collection_test(realm, ccname): - - - collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc')) -+kcmserver_path = os.path.join(srctop, 'tests', 'kcmserver.py') -+realm.start_server([sys.executable, kcmserver_path, kcm_socket_path], -+ 'starting...') -+collection_test(realm, 'KCM:') - if test_keyring: - def cleanup_keyring(anchor, name): - out = realm.run(['keyctl', 'list', anchor]) diff --git a/Add-zapfreedata-convenience-function.patch b/Add-zapfreedata-convenience-function.patch deleted file mode 100644 index b9ae932..0000000 --- a/Add-zapfreedata-convenience-function.patch +++ /dev/null @@ -1,31 +0,0 @@ -From b99ba3fa4bc99c2925fa4b509004d694e9d7ac68 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 14 Mar 2019 11:26:44 -0400 -Subject: [PATCH] Add zapfreedata() convenience function - -(cherry picked from commit abd974cf867db5a398aa87ba9b9aaa34346e12a4) ---- - src/include/k5-int.h | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index e0c557554..2bc59e636 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -663,6 +663,16 @@ zapfreestr(void *str) - } - } - -+/* Convenience function: zap and free krb5_data pointer if it is non-NULL. */ -+static inline void -+zapfreedata(krb5_data *data) -+{ -+ if (data != NULL) { -+ zapfree(data->data, data->length); -+ free(data); -+ } -+} -+ - /* - * Combine two keys (normally used by the hardware preauth mechanism) - */ diff --git a/Address-some-optimized-out-memset-calls.patch b/Address-some-optimized-out-memset-calls.patch deleted file mode 100644 index a97f91d..0000000 --- a/Address-some-optimized-out-memset-calls.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 95fec44aebd6a4d815f88a0b5a53517c4f3175f4 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sun, 30 Dec 2018 16:40:28 -0500 -Subject: [PATCH] Address some optimized-out memset() calls - -Ilja Van Sprundel reported a list of memset() calls which gcc -optimizes out. In krb_auth_su.c, use zap() to clear the password, and -remove two memset() calls when there is no password to clear. In -iakerb.c, remove an unnecessary memset() before setting the only two -fields of the IAKERB header structure. In svr_principal.c, use -krb5_free_key_keyblock_contents() instead of hand-freeing key data. -In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack -shell before returning. - -(cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997) ---- - src/clients/ksu/krb_auth_su.c | 4 +--- - src/lib/gssapi/krb5/iakerb.c | 1 - - src/lib/kadm5/srv/svr_principal.c | 10 ++-------- - src/lib/krb5/asn.1/asn1_k_encode.c | 1 - - 4 files changed, 3 insertions(+), 13 deletions(-) - -diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c -index 7af48195c..e39685fff 100644 ---- a/src/clients/ksu/krb_auth_su.c -+++ b/src/clients/ksu/krb_auth_su.c -@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password, - if (code ) { - com_err(prog_name, code, _("while reading password for '%s'\n"), - client_name); -- memset(password, 0, sizeof(password)); - return (FALSE); - } - - if ( pwsize == 0) { - fprintf(stderr, _("No password given\n")); - *zero_password = TRUE; -- memset(password, 0, sizeof(password)); - return (FALSE); - } - - code = krb5_get_init_creds_password(context, &creds, client, password, - krb5_prompter_posix, NULL, 0, NULL, - options); -- memset(password, 0, sizeof(password)); -+ zap(password, sizeof(password)); - - - if (code) { -diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c -index bb1072fe4..47c161ec9 100644 ---- a/src/lib/gssapi/krb5/iakerb.c -+++ b/src/lib/gssapi/krb5/iakerb.c -@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx, - /* - * Assemble the IAKERB-HEADER from the realm and cookie - */ -- memset(&iah, 0, sizeof(iah)); - iah.target_realm = *realm; - iah.cookie = cookie; - -diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index 8582bbc56..be0922101 100644 ---- a/src/lib/kadm5/srv/svr_principal.c -+++ b/src/lib/kadm5/srv/svr_principal.c -@@ -2097,14 +2097,8 @@ static int decrypt_key_data(krb5_context context, - ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i], - NULL); - if (ret) { -- for (; i >= 0; i--) { -- if (keys[i].contents) { -- memset (keys[i].contents, 0, keys[i].length); -- free( keys[i].contents ); -- } -- } -- -- memset(keys, 0, n_key_data*sizeof(krb5_keyblock)); -+ for (; i >= 0; i--) -+ krb5_free_keyblock_contents(context, &keys[i]); - free(keys); - return ret; - } -diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c -index 65c84be2f..81a34bac9 100644 ---- a/src/lib/krb5/asn.1/asn1_k_encode.c -+++ b/src/lib/krb5/asn.1/asn1_k_encode.c -@@ -528,7 +528,6 @@ decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len, - if (ret) { - free_kdc_req_body(b); - free(h.server_realm.data); -- memset(&h, 0, sizeof(h)); - return ret; - } - b->server->realm = h.server_realm; diff --git a/Allow-client-canonicalization-in-non-krbtgt-AS-REP.patch b/Allow-client-canonicalization-in-non-krbtgt-AS-REP.patch deleted file mode 100644 index 4402203..0000000 --- a/Allow-client-canonicalization-in-non-krbtgt-AS-REP.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 0bbb2104fd6c494552c9261137fac782941b6440 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 15 Oct 2019 20:41:49 +0300 -Subject: [PATCH] Allow client canonicalization in non-krbtgt AS-REP - -If a caller makes an AS-REQ with the canonicalize flag set (or with an -enterprise client principal or the anonymous flag), always allow the -KDC to change the client principal. Continue to restrict server name -changes to requests for TGS principals. - -Also remove the conditional for setting canon_ok for fully anonymous -requests. Both kinds of anonymous requests change the client -principal or realm, but neither kind changes the server principal or -realm, so this logic is no longer needed now that canon_ok only -applies to server name changes. - -[ghudson@mit.edu: clarified commit message; removed anonymous PKINIT -clause] - -ticket: 8843 (new) -(cherry picked from commit c6c19b1d35c6523cb7ed220c1f2e97e12e039293) ---- - src/lib/krb5/krb/get_in_tkt.c | 9 ++------- - src/tests/t_kdb.py | 3 +++ - 2 files changed, 5 insertions(+), 7 deletions(-) - -diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c -index 79dede2c6..9ee605888 100644 ---- a/src/lib/krb5/krb/get_in_tkt.c -+++ b/src/lib/krb5/krb/get_in_tkt.c -@@ -230,17 +230,12 @@ verify_as_reply(krb5_context context, - if (canon_req) { - canon_ok = IS_TGS_PRINC(request->server) && - IS_TGS_PRINC(as_reply->enc_part2->server); -- if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) { -- canon_ok = krb5_principal_compare_any_realm(context, -- as_reply->client, -- krb5_anonymous_principal()); -- } - } else - canon_ok = 0; - - if ((!canon_ok && -- (!krb5_principal_compare(context, as_reply->client, request->client) || -- !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))) -+ !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)) -+ || (!canon_req && !krb5_principal_compare(context, as_reply->client, request->client)) - || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server) - || (request->nonce != as_reply->enc_part2->nonce) - /* XXX check for extraneous flags */ -diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py -index 7a082a5b9..cc5d2fc3c 100755 ---- a/src/tests/t_kdb.py -+++ b/src/tests/t_kdb.py -@@ -389,6 +389,9 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon']) - realm.kinit('canon', password('canon')) - realm.kinit('alias', password('canon'), ['-C']) - -+# Test client name canonicalization in non-krbtgt AS reply -+realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw']) -+ - mark('LDAP password history') - - # Test password history. diff --git a/Avoid-alignment-warnings-in-openssl-rc4.c.patch b/Avoid-alignment-warnings-in-openssl-rc4.c.patch deleted file mode 100644 index 9e7293a..0000000 --- a/Avoid-alignment-warnings-in-openssl-rc4.c.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 399b9ed8ef199b6280bf4d6564928c79a3611cc5 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 6 May 2019 15:14:49 -0400 -Subject: [PATCH] Avoid alignment warnings in openssl rc4.c - -Add a comment to k5_arcfour_init_state() explaining how we stretch the -krb5_data cipher state contract. Use void * casts when interpreting -the data pointer to avoid alignment warnings. - -[ghudson@mit.edu: moved and expanded comment; rewrote commit message] - -(cherry picked from commit 1cd41d76c12fc1cea0a8bf0d6a40f34623c60d6d) ---- - src/lib/crypto/openssl/enc_provider/rc4.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c -index 7f3c086ed..a65d57b7a 100644 ---- a/src/lib/crypto/openssl/enc_provider/rc4.c -+++ b/src/lib/crypto/openssl/enc_provider/rc4.c -@@ -57,7 +57,7 @@ struct arcfour_state { - - /* In-place IOV crypto */ - static krb5_error_code --k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data, -+k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, - size_t num_data) - { - size_t i; -@@ -66,7 +66,7 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data, - EVP_CIPHER_CTX *ctx = NULL; - struct arcfour_state *arcstate; - -- arcstate = (state != NULL) ? (struct arcfour_state *) state->data : NULL; -+ arcstate = (state != NULL) ? (void *)state->data : NULL; - if (arcstate != NULL) { - ctx = arcstate->ctx; - if (arcstate->loopback != arcstate) -@@ -113,7 +113,7 @@ k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data, - static void - k5_arcfour_free_state(krb5_data *state) - { -- struct arcfour_state *arcstate = (struct arcfour_state *) state->data; -+ struct arcfour_state *arcstate = (void *)state->data; - - EVP_CIPHER_CTX_free(arcstate->ctx); - free(arcstate); -@@ -125,6 +125,15 @@ k5_arcfour_init_state(const krb5_keyblock *key, - { - struct arcfour_state *arcstate; - -+ /* -+ * The cipher state here is a saved pointer to a struct arcfour_state -+ * object, rather than a flat byte array as in most enc providers. The -+ * object includes a loopback pointer to detect if if the caller made a -+ * copy of the krb5_data value or otherwise assumed it was a simple byte -+ * array. When we cast the data pointer back, we need to go through void * -+ * to avoid increased alignment warnings. -+ */ -+ - /* Create a state structure with an uninitialized context. */ - arcstate = calloc(1, sizeof(*arcstate)); - if (arcstate == NULL) diff --git a/Avoid-allocating-a-register-in-zap-assembly.patch b/Avoid-allocating-a-register-in-zap-assembly.patch deleted file mode 100644 index 144d9ed..0000000 --- a/Avoid-allocating-a-register-in-zap-assembly.patch +++ /dev/null @@ -1,55 +0,0 @@ -From c896facca7dd9d0fbbd561d3a723a90216821b72 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 3 Jan 2019 17:19:32 +0100 -Subject: [PATCH] Avoid allocating a register in zap() assembly - -See https://bugs.llvm.org/show_bug.cgi?id=15495 - -Also add explicit_bzero() (glibc, FreeBSD) and explicit_memset() -(NetBSD) as alternatives. - -[ghudson@mit.edu: added explicit_bzero() and explicit_memset()] - -(cherry picked from commit 7391e8b541061d0f584193b4a53365b64364b0e8) ---- - src/configure.in | 2 +- - src/include/k5-platform.h | 6 +++++- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/configure.in b/src/configure.in -index feae21c3e..505dabb02 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -421,7 +421,7 @@ AC_PROG_LEX - AC_C_CONST - AC_HEADER_DIRENT - AC_FUNC_STRERROR_R --AC_CHECK_FUNCS(strdup setvbuf seteuid setresuid setreuid setegid setresgid setregid setsid flock fchmod chmod strptime geteuid setenv unsetenv getenv gmtime_r localtime_r bswap16 bswap64 mkstemp getusershell access getcwd srand48 srand srandom stat strchr strerror timegm) -+AC_CHECK_FUNCS(strdup setvbuf seteuid setresuid setreuid setegid setresgid setregid setsid flock fchmod chmod strptime geteuid setenv unsetenv getenv gmtime_r localtime_r bswap16 bswap64 mkstemp getusershell access getcwd srand48 srand srandom stat strchr strerror timegm explicit_bzero explicit_memset) - - AC_CHECK_FUNC(mkstemp, - [MKSTEMP_ST_OBJ= -diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h -index 997b655e1..1fcd68e8c 100644 ---- a/src/include/k5-platform.h -+++ b/src/include/k5-platform.h -@@ -1023,6 +1023,10 @@ static inline void zap(void *ptr, size_t len) - if (len > 0) - memset_s(ptr, len, 0, len); - } -+#elif defined(HAVE_EXPLICIT_BZERO) -+# define zap(ptr, len) explicit_bzero(ptr, len) -+#elif defined(HAVE_EXPLICIT_MEMSET) -+# define zap(ptr, len) explicit_memset(ptr, 0, len) - #elif defined(__GNUC__) || defined(__clang__) - /* - * Use an asm statement which declares a memory clobber to force the memset to -@@ -1032,7 +1036,7 @@ static inline void zap(void *ptr, size_t len) - { - if (len > 0) - memset(ptr, 0, len); -- __asm__ __volatile__("" : : "r" (ptr) : "memory"); -+ __asm__ __volatile__("" : : "g" (ptr) : "memory"); - } - #else - /* diff --git a/Check-more-errors-in-OpenSSL-crypto-backend.patch b/Check-more-errors-in-OpenSSL-crypto-backend.patch deleted file mode 100644 index 006177f..0000000 --- a/Check-more-errors-in-OpenSSL-crypto-backend.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 57e48b63b1f0b34861c66fb24dafc0feb524f47c Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Mon, 22 Apr 2019 14:26:42 -0400 -Subject: [PATCH] Check more errors in OpenSSL crypto backend - -In krb5int_hmac_keyblock() and krb5int_pbkdf2_hmac(), check for errors -from previously unchecked OpenSSL function calls and return -KRB5_CRYPTO_INTERNAL if they fail. - -HMAC_Init() is deprecated in OpenSSL 1.0 and later; as we are -modifying the call to check for errors, call HMAC_Init_ex() instead. - -ticket: 8799 (new) -(cherry picked from commit 2298e5c2ff1122bcaff715129f5b746e77c3f42a) ---- - src/lib/crypto/openssl/hmac.c | 18 +++++++++--------- - src/lib/crypto/openssl/pbkdf2.c | 9 +++++---- - 2 files changed, 14 insertions(+), 13 deletions(-) - -diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c -index b2db6ec02..7dc59dcc0 100644 ---- a/src/lib/crypto/openssl/hmac.c -+++ b/src/lib/crypto/openssl/hmac.c -@@ -117,7 +117,7 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash, - const krb5_crypto_iov *data, size_t num_data, - krb5_data *output) - { -- unsigned int i = 0, md_len = 0; -+ unsigned int i = 0, md_len = 0, ok; - unsigned char md[EVP_MAX_MD_SIZE]; - HMAC_CTX *ctx; - size_t hashsize, blocksize; -@@ -137,22 +137,22 @@ krb5int_hmac_keyblock(const struct krb5_hash_provider *hash, - if (ctx == NULL) - return ENOMEM; - -- HMAC_Init(ctx, keyblock->contents, keyblock->length, map_digest(hash)); -- for (i = 0; i < num_data; i++) { -+ ok = HMAC_Init_ex(ctx, keyblock->contents, keyblock->length, -+ map_digest(hash), NULL); -+ for (i = 0; ok && i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - - if (SIGN_IOV(iov)) -- HMAC_Update(ctx, (uint8_t *)iov->data.data, iov->data.length); -+ ok = HMAC_Update(ctx, (uint8_t *)iov->data.data, iov->data.length); - } -- HMAC_Final(ctx, md, &md_len); -- if ( md_len <= output->length) { -+ if (ok) -+ ok = HMAC_Final(ctx, md, &md_len); -+ if (ok && md_len <= output->length) { - output->length = md_len; - memcpy(output->data, md, output->length); - } - HMAC_CTX_free(ctx); -- return 0; -- -- -+ return ok ? 0 : KRB5_CRYPTO_INTERNAL; - } - - krb5_error_code -diff --git a/src/lib/crypto/openssl/pbkdf2.c b/src/lib/crypto/openssl/pbkdf2.c -index 00c2116fc..732ec6405 100644 ---- a/src/lib/crypto/openssl/pbkdf2.c -+++ b/src/lib/crypto/openssl/pbkdf2.c -@@ -35,6 +35,7 @@ krb5int_pbkdf2_hmac(const struct krb5_hash_provider *hash, - const krb5_data *pass, const krb5_data *salt) - { - const EVP_MD *md = NULL; -+ int ok; - - /* Get the message digest handle corresponding to the hash. */ - if (hash == &krb5int_hash_sha1) -@@ -46,8 +47,8 @@ krb5int_pbkdf2_hmac(const struct krb5_hash_provider *hash, - if (md == NULL) - return KRB5_CRYPTO_INTERNAL; - -- PKCS5_PBKDF2_HMAC(pass->data, pass->length, (unsigned char *)salt->data, -- salt->length, count, md, out->length, -- (unsigned char *)out->data); -- return 0; -+ ok = PKCS5_PBKDF2_HMAC(pass->data, pass->length, -+ (unsigned char *)salt->data, salt->length, count, -+ md, out->length, (unsigned char *)out->data); -+ return ok ? 0 : KRB5_CRYPTO_INTERNAL; - } diff --git a/Clarify-header-comment-for-krb5_cc_start_seq_get.patch b/Clarify-header-comment-for-krb5_cc_start_seq_get.patch deleted file mode 100644 index 0173bf8..0000000 --- a/Clarify-header-comment-for-krb5_cc_start_seq_get.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 037981b197a6046574539ec405cc1d67b9f22473 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 2 Apr 2019 14:18:57 -0400 -Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get() - -Previously this comment seemed to suggest that applications needed to -block all other access to the ccache (including by other processes) -during iteration. - -(cherry picked from commit f4f51a25dd38601357e2f64b17b51eb23f45a53e) ---- - src/include/krb5/krb5.hin | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 3ff86d7ff..346e796a5 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin -@@ -2491,8 +2491,10 @@ krb5_cc_get_principal(krb5_context context, krb5_ccache cache, - * - * krb5_cc_end_seq_get() must be called to complete the retrieve operation. - * -- * @note If @a cache is modified between the time of the call to this function -- * and the time of the final krb5_cc_end_seq_get(), the results are undefined. -+ * @note If the cache represented by @a cache is modified between the time of -+ * the call to this function and the time of the final krb5_cc_end_seq_get(), -+ * these changes may not be reflected in the results of krb5_cc_next_cred() -+ * calls. - * - * @retval 0 Success; otherwise - Kerberos error codes - */ diff --git a/Clear-forwardable-flag-instead-of-denying-request.patch b/Clear-forwardable-flag-instead-of-denying-request.patch deleted file mode 100644 index 88e3641..0000000 --- a/Clear-forwardable-flag-instead-of-denying-request.patch +++ /dev/null @@ -1,484 +0,0 @@ -From 54b5eceb45db9cf6ff86eea5efebba66cf48153e Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 15 Nov 2018 13:40:43 -0500 -Subject: [PATCH] Clear forwardable flag instead of denying request - -If the client requests a forwardable or proxiable ticket and the -option cannot be honored by policy, issue a non-forwardable or -non-proxiable ticket rather than denying the request. - -Add a test script for testing KDC request options and populate it with -tests for the forwardable and proxiable flags. - -ticket: 7871 -(cherry picked from commit 08e948cce2c79a3604066fcf7a64fc527456f83d) ---- - src/kdc/do_as_req.c | 19 ++------ - src/kdc/do_tgs_req.c | 56 ++++----------------- - src/kdc/kdc_util.c | 82 ++++++++++++++++++------------- - src/kdc/kdc_util.h | 9 ++-- - src/kdc/tgs_policy.c | 8 +-- - src/tests/Makefile.in | 1 + - src/tests/gcred.c | 28 ++++++++--- - src/tests/t_kdcoptions.py | 100 ++++++++++++++++++++++++++++++++++++++ - 8 files changed, 189 insertions(+), 114 deletions(-) - create mode 100644 src/tests/t_kdcoptions.py - -diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c -index 588c1375a..8a96c12a9 100644 ---- a/src/kdc/do_as_req.c -+++ b/src/kdc/do_as_req.c -@@ -192,13 +192,6 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) - - au_state->stage = ENCR_REP; - -- if ((errcode = validate_forwardable(state->request, *state->client, -- *state->server, state->kdc_time, -- &state->status))) { -- errcode += ERROR_TABLE_BASE_krb5; -- goto egress; -- } -- - errcode = check_indicators(kdc_context, state->server, - state->auth_indicators); - if (errcode) { -@@ -708,12 +701,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, - } - - /* Copy options that request the corresponding ticket flags. */ -- state->enc_tkt_reply.flags = OPTS2FLAGS(state->request->kdc_options); -+ state->enc_tkt_reply.flags = get_ticket_flags(state->request->kdc_options, -+ state->client, state->server, -+ NULL); - state->enc_tkt_reply.times.authtime = state->authtime; - -- setflag(state->enc_tkt_reply.flags, TKT_FLG_INITIAL); -- setflag(state->enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP); -- - /* - * It should be noted that local policy may affect the - * processing of any of these flags. For example, some -@@ -732,10 +724,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, - state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; - state->enc_tkt_reply.transited.tr_contents = empty_string; - -- if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED)) { -- setflag(state->enc_tkt_reply.flags, TKT_FLG_INVALID); -+ if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED)) - state->enc_tkt_reply.times.starttime = state->request->from; -- } else -+ else - state->enc_tkt_reply.times.starttime = state->kdc_time; - - kdc_get_ticket_endtime(kdc_active_realm, -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 587342a6c..1da099318 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -378,15 +378,16 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - else - ticket_reply.server = request->server; /* XXX careful for realm... */ - -- enc_tkt_reply.flags = OPTS2FLAGS(request->kdc_options); -- enc_tkt_reply.flags |= COPY_TKT_FLAGS(header_enc_tkt->flags); -+ enc_tkt_reply.flags = get_ticket_flags(request->kdc_options, client, -+ server, header_enc_tkt); - enc_tkt_reply.times.starttime = 0; - -- if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE)) -- setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); -- -- /* Indicate support for encrypted padata (RFC 6806). */ -- setflag(enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP); -+ /* OK_TO_AUTH_AS_DELEGATE must be set on the service requesting S4U2Self -+ * for forwardable tickets to be issued. */ -+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && -+ !is_referral && -+ !isflagset(server->attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) -+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); - - /* don't use new addresses unless forwarded, see below */ - -@@ -401,37 +402,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - * realms may refuse to issue renewable tickets - */ - -- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) { -- -- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) { -- /* -- * If S4U2Self principal is not forwardable, then mark ticket as -- * unforwardable. This behaviour matches Windows, but it is -- * different to the MIT AS-REQ path, which returns an error -- * (KDC_ERR_POLICY) if forwardable tickets cannot be issued. -- * -- * Consider this block the S4U2Self equivalent to -- * validate_forwardable(). -- */ -- if (client != NULL && -- isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) -- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); -- /* -- * Forwardable flag is propagated along referral path. -- */ -- else if (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE)) -- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); -- /* -- * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting -- * S4U2Self in order for forwardable tickets to be returned. -- */ -- else if (!is_referral && -- !isflagset(server->attributes, -- KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) -- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); -- } -- } -- - if (isflagset(request->kdc_options, KDC_OPT_FORWARDED) || - isflagset(request->kdc_options, KDC_OPT_PROXY)) { - -@@ -440,16 +410,10 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - enc_tkt_reply.caddrs = request->addresses; - reply_encpart.caddrs = request->addresses; - } -- /* We don't currently handle issuing anonymous tickets based on -- * non-anonymous ones, so just ignore the option. */ -- if (isflagset(request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS) && -- !isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS)) -- clear(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS); - -- if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) { -- setflag(enc_tkt_reply.flags, TKT_FLG_INVALID); -+ if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) - enc_tkt_reply.times.starttime = request->from; -- } else -+ else - enc_tkt_reply.times.starttime = kdc_time; - - if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) { -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 96c88edc1..f2741090e 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -697,29 +697,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm, - return(KDC_ERR_CANNOT_POSTDATE); - } - -- /* -- * A Windows KDC will return KDC_ERR_PREAUTH_REQUIRED instead of -- * KDC_ERR_POLICY in the following case: -- * -- * - KDC_OPT_FORWARDABLE is set in KDCOptions but local -- * policy has KRB5_KDB_DISALLOW_FORWARDABLE set for the -- * client, and; -- * - KRB5_KDB_REQUIRES_PRE_AUTH is set for the client but -- * preauthentication data is absent in the request. -- * -- * Hence, this check most be done after the check for preauth -- * data, and is now performed by validate_forwardable() (the -- * contents of which were previously below). -- */ -- -- /* Client and server must allow proxiable tickets */ -- if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) && -- (isflagset(client.attributes, KRB5_KDB_DISALLOW_PROXIABLE) || -- isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE))) { -- *status = "PROXIABLE NOT ALLOWED"; -- return(KDC_ERR_POLICY); -- } -- - /* Check to see if client is locked out */ - if (isflagset(client.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { - *status = "CLIENT LOCKED OUT"; -@@ -752,19 +729,54 @@ validate_as_request(kdc_realm_t *kdc_active_realm, - return 0; - } - --int --validate_forwardable(krb5_kdc_req *request, krb5_db_entry client, -- krb5_db_entry server, krb5_timestamp kdc_time, -- const char **status) -+/* -+ * Compute ticket flags based on the request, the client and server DB entry -+ * (which may prohibit forwardable or proxiable tickets), and the header -+ * ticket. client may be NULL for a TGS request (although it may be set, such -+ * as for an S4U2Self request). header_enc may be NULL for an AS request. -+ */ -+krb5_flags -+get_ticket_flags(krb5_flags reqflags, krb5_db_entry *client, -+ krb5_db_entry *server, krb5_enc_tkt_part *header_enc) - { -- *status = NULL; -- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) && -- (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) || -- isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) { -- *status = "FORWARDABLE NOT ALLOWED"; -- return(KDC_ERR_POLICY); -- } else -- return 0; -+ krb5_flags flags; -+ -+ /* Indicate support for encrypted padata (RFC 6806), and set flags based on -+ * request options and the header ticket. */ -+ flags = OPTS2FLAGS(reqflags) | TKT_FLG_ENC_PA_REP; -+ if (reqflags & KDC_OPT_POSTDATED) -+ flags |= TKT_FLG_INVALID; -+ if (header_enc != NULL) -+ flags |= COPY_TKT_FLAGS(header_enc->flags); -+ if (header_enc == NULL) -+ flags |= TKT_FLG_INITIAL; -+ -+ /* For TGS requests, indicate if the service is marked ok-as-delegate. */ -+ if (header_enc != NULL && (server->attributes & KRB5_KDB_OK_AS_DELEGATE)) -+ flags |= TKT_FLG_OK_AS_DELEGATE; -+ -+ /* Unset PROXIABLE if it is disallowed. */ -+ if (client != NULL && (client->attributes & KRB5_KDB_DISALLOW_PROXIABLE)) -+ flags &= ~TKT_FLG_PROXIABLE; -+ if (server->attributes & KRB5_KDB_DISALLOW_PROXIABLE) -+ flags &= ~TKT_FLG_PROXIABLE; -+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_PROXIABLE)) -+ flags &= ~TKT_FLG_PROXIABLE; -+ -+ /* Unset FORWARDABLE if it is disallowed. */ -+ if (client != NULL && (client->attributes & KRB5_KDB_DISALLOW_FORWARDABLE)) -+ flags &= ~TKT_FLG_FORWARDABLE; -+ if (server->attributes & KRB5_KDB_DISALLOW_FORWARDABLE) -+ flags &= ~TKT_FLG_FORWARDABLE; -+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_FORWARDABLE)) -+ flags &= ~TKT_FLG_FORWARDABLE; -+ -+ /* We don't currently handle issuing anonymous tickets based on -+ * non-anonymous ones. */ -+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_ANONYMOUS)) -+ flags &= ~TKT_FLG_ANONYMOUS; -+ -+ return flags; - } - - /* Return KRB5KDC_ERR_POLICY if indicators does not contain the required auth -diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h -index 25077cbf5..1314bdd58 100644 ---- a/src/kdc/kdc_util.h -+++ b/src/kdc/kdc_util.h -@@ -85,16 +85,15 @@ validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry, - krb5_db_entry, krb5_timestamp, - const char **, krb5_pa_data ***); - --int --validate_forwardable(krb5_kdc_req *, krb5_db_entry, -- krb5_db_entry, krb5_timestamp, -- const char **); -- - int - validate_tgs_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry, - krb5_ticket *, krb5_timestamp, - const char **, krb5_pa_data ***); - -+krb5_flags -+get_ticket_flags(krb5_flags reqflags, krb5_db_entry *client, -+ krb5_db_entry *server, krb5_enc_tkt_part *header_enc); -+ - krb5_error_code - check_indicators(krb5_context context, krb5_db_entry *server, - krb5_data *const *indicators); -diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c -index 907fcd330..554345ba5 100644 ---- a/src/kdc/tgs_policy.c -+++ b/src/kdc/tgs_policy.c -@@ -63,9 +63,9 @@ static check_tgs_svc_pol_fn * const svc_pol_fns[] = { - }; - - static const struct tgsflagrule tgsflagrules[] = { -- { (KDC_OPT_FORWARDED | KDC_OPT_FORWARDABLE), TKT_FLG_FORWARDABLE, -+ { KDC_OPT_FORWARDED, TKT_FLG_FORWARDABLE, - "TGT NOT FORWARDABLE", KDC_ERR_BADOPTION }, -- { (KDC_OPT_PROXY | KDC_OPT_PROXIABLE), TKT_FLG_PROXIABLE, -+ { KDC_OPT_PROXY, TKT_FLG_PROXIABLE, - "TGT NOT PROXIABLE", KDC_ERR_BADOPTION }, - { (KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED), TKT_FLG_MAY_POSTDATE, - "TGT NOT POSTDATABLE", KDC_ERR_BADOPTION }, -@@ -98,12 +98,8 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status) - } - - static const struct tgsflagrule svcdenyrules[] = { -- { KDC_OPT_FORWARDABLE, KRB5_KDB_DISALLOW_FORWARDABLE, -- "NON-FORWARDABLE TICKET", KDC_ERR_POLICY }, - { KDC_OPT_RENEWABLE, KRB5_KDB_DISALLOW_RENEWABLE, - "NON-RENEWABLE TICKET", KDC_ERR_POLICY }, -- { KDC_OPT_PROXIABLE, KRB5_KDB_DISALLOW_PROXIABLE, -- "NON-PROXIABLE TICKET", KDC_ERR_POLICY }, - { KDC_OPT_ALLOW_POSTDATE, KRB5_KDB_DISALLOW_POSTDATED, - "NON-POSTDATABLE TICKET", KDC_ERR_CANNOT_POSTDATE }, - { KDC_OPT_ENC_TKT_IN_SKEY, KRB5_KDB_DISALLOW_DUP_SKEY, -diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in -index c96c5d6b7..d2a37c616 100644 ---- a/src/tests/Makefile.in -+++ b/src/tests/Makefile.in -@@ -171,6 +171,7 @@ check-pytests: unlockiter - $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_u2u.py $(PYTESTFLAGS) -+ $(RUNPYTEST) $(srcdir)/t_kdcoptions.py $(PYTESTFLAGS) - - clean: - $(RM) adata etinfo forward gcred hist hooks hrealm icinterleave icred -diff --git a/src/tests/gcred.c b/src/tests/gcred.c -index cb0ae6af5..b14e4fc9a 100644 ---- a/src/tests/gcred.c -+++ b/src/tests/gcred.c -@@ -66,20 +66,32 @@ main(int argc, char **argv) - krb5_principal client, server; - krb5_ccache ccache; - krb5_creds in_creds, *creds; -+ krb5_flags options = 0; - char *name; -+ int c; - - check(krb5_init_context(&ctx)); - -- /* Parse arguments. */ -- assert(argc == 3); -- check(krb5_parse_name(ctx, argv[2], &server)); -- if (strcmp(argv[1], "unknown") == 0) -+ while ((c = getopt(argc, argv, "f")) != -1) { -+ switch (c) { -+ case 'f': -+ options |= KRB5_GC_FORWARDABLE; -+ break; -+ default: -+ abort(); -+ } -+ } -+ argc -= optind; -+ argv += optind; -+ assert(argc == 2); -+ check(krb5_parse_name(ctx, argv[1], &server)); -+ if (strcmp(argv[0], "unknown") == 0) - server->type = KRB5_NT_UNKNOWN; -- else if (strcmp(argv[1], "principal") == 0) -+ else if (strcmp(argv[0], "principal") == 0) - server->type = KRB5_NT_PRINCIPAL; -- else if (strcmp(argv[1], "srv-inst") == 0) -+ else if (strcmp(argv[0], "srv-inst") == 0) - server->type = KRB5_NT_SRV_INST; -- else if (strcmp(argv[1], "srv-hst") == 0) -+ else if (strcmp(argv[0], "srv-hst") == 0) - server->type = KRB5_NT_SRV_HST; - else - abort(); -@@ -89,7 +101,7 @@ main(int argc, char **argv) - memset(&in_creds, 0, sizeof(in_creds)); - in_creds.client = client; - in_creds.server = server; -- check(krb5_get_credentials(ctx, 0, ccache, &in_creds, &creds)); -+ check(krb5_get_credentials(ctx, options, ccache, &in_creds, &creds)); - check(krb5_unparse_name(ctx, creds->server, &name)); - printf("%s\n", name); - -diff --git a/src/tests/t_kdcoptions.py b/src/tests/t_kdcoptions.py -new file mode 100644 -index 000000000..7ec57508c ---- /dev/null -+++ b/src/tests/t_kdcoptions.py -@@ -0,0 +1,100 @@ -+from k5test import * -+import re -+ -+# KDC option test coverage notes: -+# -+# FORWARDABLE here -+# FORWARDED no test -+# PROXIABLE here -+# PROXY no test -+# ALLOW_POSTDATE no test -+# POSTDATED no test -+# RENEWABLE t_renew.py -+# CNAME_IN_ADDL_TKT gssapi/t_s4u.py -+# CANONICALIZE t_kdb.py and various other tests -+# REQUEST_ANONYMOUS t_pkinit.py -+# DISABLE_TRANSITED_CHECK no test -+# RENEWABLE_OK t_renew.py -+# ENC_TKT_IN_SKEY t_u2u.py -+# RENEW t_renew.py -+# VALIDATE no test -+ -+# Run klist -f and return the flags on the ticket for svcprinc. -+def get_flags(realm, svcprinc): -+ grab_flags = False -+ for line in realm.run([klist, '-f']).splitlines(): -+ if grab_flags: -+ return re.findall(r'Flags: ([a-zA-Z]*)', line)[0] -+ grab_flags = line.endswith(svcprinc) -+ -+ -+# Get the flags on the ticket for svcprinc, and check for an expected -+# element and an expected-absent element, either of which can be None. -+def check_flags(realm, svcprinc, expected_flag, expected_noflag): -+ flags = get_flags(realm, svcprinc) -+ if expected_flag is not None and not expected_flag in flags: -+ fail('expected flag ' + expected_flag) -+ if expected_noflag is not None and expected_noflag in flags: -+ fail('did not expect flag ' + expected_noflag) -+ -+ -+# Run kinit with the given flags, and check the flags on the resulting -+# TGT. -+def kinit_check_flags(realm, flags, expected_flag, expected_noflag): -+ realm.kinit(realm.user_princ, password('user'), flags) -+ check_flags(realm, realm.krbtgt_princ, expected_flag, expected_noflag) -+ -+ -+# Run kinit with kflags. Then get credentials for the host principal -+# with gflags, and check the flags on the resulting ticket. -+def gcred_check_flags(realm, kflags, gflags, expected_flag, expected_noflag): -+ realm.kinit(realm.user_princ, password('user'), kflags) -+ realm.run(['./gcred'] + gflags + ['unknown', realm.host_princ]) -+ check_flags(realm, realm.host_princ, expected_flag, expected_noflag) -+ -+ -+realm = K5Realm() -+ -+mark('proxiable (AS)') -+kinit_check_flags(realm, [], None, 'P') -+kinit_check_flags(realm, ['-p'], 'P', None) -+realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.user_princ]) -+kinit_check_flags(realm, ['-p'], None, 'P') -+realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.user_princ]) -+realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.krbtgt_princ]) -+kinit_check_flags(realm, ['-p'], None, 'P') -+realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.krbtgt_princ]) -+ -+mark('proxiable (TGS)') -+gcred_check_flags(realm, [], [], None, 'P') -+gcred_check_flags(realm, ['-p'], [], 'P', None) -+ -+# Not tested: PROXIABLE option set with a non-proxiable TGT (because -+# there is no krb5_get_credentials() flag to request this; would -+# expect a non-proxiable ticket). -+ -+# Not tested: proxiable TGT but PROXIABLE flag not set (because we -+# internally set the PROXIABLE option when using a proxiable TGT; -+# would expect a non-proxiable ticket). -+ -+mark('forwardable (AS)') -+kinit_check_flags(realm, [], None, 'F') -+kinit_check_flags(realm, ['-f'], 'F', None) -+realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.user_princ]) -+kinit_check_flags(realm, ['-f'], None, 'F') -+realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.user_princ]) -+realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.krbtgt_princ]) -+kinit_check_flags(realm, ['-f'], None, 'F') -+realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.krbtgt_princ]) -+ -+mark('forwardable (TGS)') -+realm.kinit(realm.user_princ, password('user')) -+gcred_check_flags(realm, [], [], None, 'F') -+gcred_check_flags(realm, [], ['-f'], None, 'F') -+gcred_check_flags(realm, ['-f'], [], 'F', None) -+ -+# Not tested: forwardable TGT but FORWARDABLE flag not set (because we -+# internally set the FORWARDABLE option when using a forwardable TGT; -+# would expect a non-proxiable ticket). -+ -+success('KDC option tests') diff --git a/Display-unsupported-enctype-names.patch b/Display-unsupported-enctype-names.patch deleted file mode 100644 index 3ee3283..0000000 --- a/Display-unsupported-enctype-names.patch +++ /dev/null @@ -1,79 +0,0 @@ -From c8b24f222719df0c4b9815d26019ad96c551ec81 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 21 May 2019 13:34:39 -0400 -Subject: [PATCH] Display unsupported enctype names - -Add a table of unsupported enctype numbers to enctype_util.c and -consult it in krb5_enctype_to_name(). Treat unsupported enctype -numbers as deprecated in krb5int_c_deprecated_enctype(). In kadmin, -display "UNSUPPORTED:" before invalid enctype names. - -ticket: 8808 -(cherry picked from commit ebbc6e8e99ee9d5d757411200a6a3173171774df) ---- - src/kadmin/cli/kadmin.c | 4 +++- - src/lib/crypto/krb/enctype_util.c | 22 +++++++++++++++++++++- - 2 files changed, 24 insertions(+), 2 deletions(-) - -diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c -index fe4cb493c..b4d1aad93 100644 ---- a/src/kadmin/cli/kadmin.c -+++ b/src/kadmin/cli/kadmin.c -@@ -1461,7 +1461,9 @@ kadmin_getprinc(int argc, char *argv[]) - enctype, sizeof(enctype))) - snprintf(enctype, sizeof(enctype), _(""), - key_data->key_data_type[0]); -- if (krb5int_c_deprecated_enctype(key_data->key_data_type[0])) -+ if (!krb5_c_valid_enctype(key_data->key_data_type[0])) -+ deprecated = "UNSUPPORTED:"; -+ else if (krb5int_c_deprecated_enctype(key_data->key_data_type[0])) - deprecated = "DEPRECATED:"; - printf("Key: vno %d, %s%s", key_data->key_data_kvno, deprecated, - enctype); -diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c -index e394f4e19..1542d4062 100644 ---- a/src/lib/crypto/krb/enctype_util.c -+++ b/src/lib/crypto/krb/enctype_util.c -@@ -36,6 +36,18 @@ - - #include "crypto_int.h" - -+struct { -+ krb5_enctype etype; -+ const char *name; -+} unsupported_etypes[] = { -+ { ENCTYPE_DES_CBC_CRC, "des-cbc-crc" }, -+ { ENCTYPE_DES_CBC_MD4, "des-cbc-md4" }, -+ { ENCTYPE_DES_CBC_MD5, "des-cbc-md5" }, -+ { ENCTYPE_DES_CBC_RAW, "des-cbc-raw" }, -+ { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1" }, -+ { ENCTYPE_NULL, NULL } -+}; -+ - krb5_boolean KRB5_CALLCONV - krb5_c_valid_enctype(krb5_enctype etype) - { -@@ -55,7 +67,7 @@ krb5_boolean KRB5_CALLCONV - krb5int_c_deprecated_enctype(krb5_enctype etype) - { - const struct krb5_keytypes *ktp = find_enctype(etype); -- return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0; -+ return ktp == NULL || (ktp->flags & ETYPE_DEPRECATED) != 0; - } - - krb5_error_code KRB5_CALLCONV -@@ -122,6 +134,14 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, - const char *name; - int i; - -+ for (i = 0; unsupported_etypes[i].etype != ENCTYPE_NULL; i++) { -+ if (enctype == unsupported_etypes[i].etype) { -+ if (strlcpy(buffer, unsupported_etypes[i].name, buflen) >= buflen) -+ return ENOMEM; -+ return 0; -+ } -+ } -+ - ktp = find_enctype(enctype); - if (ktp == NULL) - return EINVAL; diff --git a/Do-not-always-canonicalize-enterprise-principals.patch b/Do-not-always-canonicalize-enterprise-principals.patch deleted file mode 100644 index fcaed36..0000000 --- a/Do-not-always-canonicalize-enterprise-principals.patch +++ /dev/null @@ -1,113 +0,0 @@ -From f1890cb3b09789e62c6711d79b032a7af0a09ea8 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 2 Nov 2019 13:32:32 +0100 -Subject: [PATCH] Do not always canonicalize enterprise principals - -When processing an AS request in the KDC, do not assume -KRB5_KDB_FLAG_CANONICALIZE for enterprise client names. This change -allows the KDB module to only canonicalize enterprise client names if -the canonicalize flag was set on the request, as Windows does. The -KDB module may check the principal type and apply canonicalization as -appropriate. - -[ghudson@mit.edu: edited comments; rewrote commit message] - -ticket: 8858 (new) -(cherry picked from commit 3f5955631a2056f8ec4d1ce73d9681fa7da061c2) ---- - src/include/kdb.h | 21 ++++++++++++--------- - src/kdc/do_as_req.c | 9 ++++----- - src/tests/t_kdb.py | 12 ++++++++++++ - 3 files changed, 28 insertions(+), 14 deletions(-) - -diff --git a/src/include/kdb.h b/src/include/kdb.h -index 7749cfc99..1dd37cdab 100644 ---- a/src/include/kdb.h -+++ b/src/include/kdb.h -@@ -1023,15 +1023,18 @@ typedef struct _kdb_vftabl { - * in-realm alias, fill in a different value for entries->princ than the - * one requested. - * -- * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE -- * is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is -- * also set), the module should do so by simply filling in an out-of-realm -- * name in entries->princ and setting all other fields to NULL. Otherwise, -- * the module should return the entry for the cross-realm TGS of the -- * referred-to realm. For TGS referals, the module can also include -- * tl-data of type KRB5_TL_SERVER_REFERRAL containing ASN.1-encoded Windows -- * referral data as documented in draft-ietf-krb-wg-kerberos-referrals-11 -- * appendix A; this will be returned to the client as encrypted padata. -+ * A module can return a referral to another realm if -+ * KRB5_KDB_FLAG_CANONICALIZE is set, or if -+ * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is set and search_for->type is -+ * KRB5_NT_ENTERPRISE_PRINCIPAL. If KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is -+ * set, the module should return a referral by simply filling in an -+ * out-of-realm name in (*entry)->princ and setting all other fields to -+ * NULL. Otherwise, the module should return the entry for the cross-realm -+ * TGS of the referred-to realm. For TGS referals, the module can also -+ * include tl-data of type KRB5_TL_SERVER_REFERRAL containing ASN.1-encoded -+ * Windows referral data as documented in -+ * draft-ietf-krb-wg-kerberos-referrals-11 appendix A; this will be -+ * returned to the client as encrypted padata. - */ - krb5_error_code (*get_principal)(krb5_context kcontext, - krb5_const_principal search_for, -diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c -index 8a96c12a9..02c0a8a1f 100644 ---- a/src/kdc/do_as_req.c -+++ b/src/kdc/do_as_req.c -@@ -585,15 +585,14 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, - * of cross realm TGS entries. - */ - setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY); -- /* -- * Note that according to the referrals draft we should -- * always canonicalize enterprise principal names. -- */ -+ /* Enterprise principals are implicitly alias-ok. */ - if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) || - state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { -- setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE); - setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK); - } -+ if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) { -+ setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE); -+ } - if (include_pac_p(kdc_context, state->request)) { - setflag(state->c_flags, KRB5_KDB_FLAG_INCLUDE_PAC); - } -diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py -index cc5d2fc3c..7271fcbbd 100755 ---- a/src/tests/t_kdb.py -+++ b/src/tests/t_kdb.py -@@ -340,11 +340,14 @@ ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n' - 'changetype: modify\n' - 'add: krbPrincipalName\n' - 'krbPrincipalName: alias@KRBTEST.COM\n' -+ 'krbPrincipalName: ent@abc@KRBTEST.COM\n' - '-\n' - 'add: krbCanonicalName\n' - 'krbCanonicalName: canon@KRBTEST.COM\n') - realm.run([kadminl, 'getprinc', 'alias'], - expected_msg='Principal: canon@KRBTEST.COM\n') -+realm.run([kadminl, 'getprinc', 'ent\@abc'], -+ expected_msg='Principal: canon@KRBTEST.COM\n') - realm.run([kadminl, 'getprinc', 'canon'], - expected_msg='Principal: canon@KRBTEST.COM\n') - realm.run([kvno, 'alias', 'canon']) -@@ -389,6 +392,15 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon']) - realm.kinit('canon', password('canon')) - realm.kinit('alias', password('canon'), ['-C']) - -+# Test enterprise alias with and without canonicalization. -+realm.kinit('ent@abc', password('canon'), ['-E', '-C']) -+realm.run([kvno, 'alias']) -+realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM') -+ -+realm.kinit('ent@abc', password('canon'), ['-E']) -+realm.run([kvno, 'alias']) -+realm.klist('ent\@abc@KRBTEST.COM', 'alias@KRBTEST.COM') -+ - # Test client name canonicalization in non-krbtgt AS reply - realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw']) - diff --git a/Don-t-error-on-invalid-enctypes-in-keytab.patch b/Don-t-error-on-invalid-enctypes-in-keytab.patch deleted file mode 100644 index 6152aaa..0000000 --- a/Don-t-error-on-invalid-enctypes-in-keytab.patch +++ /dev/null @@ -1,67 +0,0 @@ -From d39897c46818f990eb7752573c309b97d90a983e Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Wed, 10 Jul 2019 17:10:16 -0400 -Subject: [PATCH] Don't error on invalid enctypes in keytab - -krb5_ktfile_get_entry() used krb5_c_enctype_compare() to compare -enctypes, in order to share keys between single-DES enctypes. As -key-sharing between enctypes is no longer done and single-DES support -has been removed, use a simple equality test to match the enctype. -This fixes a bug where krb5_kt_get_entry() would error out if the -keytab contained any entries with invalid enctypes (include single-DES -entries, after commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8) even -if a matching entry is found. - -[ghudson@mit.edu: rewrote commit message] - -ticket: 8808 -(cherry picked from commit 38be1a0a31a6104cdf8c8d72828905775f6d6636) ---- - src/lib/krb5/keytab/kt_file.c | 27 +++++---------------------- - 1 file changed, 5 insertions(+), 22 deletions(-) - -diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c -index 21c80d419..df2530a45 100644 ---- a/src/lib/krb5/keytab/kt_file.c -+++ b/src/lib/krb5/keytab/kt_file.c -@@ -289,7 +289,6 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, - krb5_keytab_entry cur_entry, new_entry; - krb5_error_code kerror = 0; - int found_wrong_kvno = 0; -- krb5_boolean similar; - int was_open; - char *princname; - -@@ -336,27 +335,11 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, - continue; - } - -- /* if the enctype is not ignored and doesn't match, free new_entry -- and continue to the next */ -- -- if (enctype != IGNORE_ENCTYPE) { -- if ((kerror = krb5_c_enctype_compare(context, enctype, -- new_entry.key.enctype, -- &similar))) { -- krb5_kt_free_entry(context, &new_entry); -- break; -- } -- -- if (!similar) { -- krb5_kt_free_entry(context, &new_entry); -- continue; -- } -- /* -- * Coerce the enctype of the output keyblock in case we -- * got an inexact match on the enctype. -- */ -- new_entry.key.enctype = enctype; -- -+ /* If the enctype is not ignored and doesn't match, free new_entry and -+ continue to the next. */ -+ if (enctype != IGNORE_ENCTYPE && enctype != new_entry.key.enctype) { -+ krb5_kt_free_entry(context, &new_entry); -+ continue; - } - - if (kvno == IGNORE_VNO || new_entry.vno == IGNORE_VNO) { diff --git a/Don-t-warn-in-kadmin-when-no-policy-is-specified.patch b/Don-t-warn-in-kadmin-when-no-policy-is-specified.patch deleted file mode 100644 index 220c59f..0000000 --- a/Don-t-warn-in-kadmin-when-no-policy-is-specified.patch +++ /dev/null @@ -1,160 +0,0 @@ -From aec16ed11477f08f477f915fb8119271d688711c Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 19 Dec 2019 17:49:05 -0500 -Subject: [PATCH] Don't warn in kadmin when no policy is specified - -Not having policy defined is a normal occurrence. While it's a useful -message to log in case it's unexpected, the current form is -unnecessarily alarmist. - -ticket: 8857 (new) -(cherry picked from commit 2ca842d5cbd5981ab5fa50e418359763c9f1a6d5) ---- - doc/admin/admin_commands/kadmin_local.rst | 2 +- - doc/admin/database.rst | 4 ++-- - doc/admin/install_kdc.rst | 6 +++--- - src/kadmin/cli/kadmin.c | 4 ++-- - src/man/kadmin.man | 2 +- - src/po/de.po | 8 ++++---- - src/po/mit-krb5.pot | 4 ++-- - 7 files changed, 15 insertions(+), 15 deletions(-) - -diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst -index 71aa894f6..fafa61365 100644 ---- a/doc/admin/admin_commands/kadmin_local.rst -+++ b/doc/admin/admin_commands/kadmin_local.rst -@@ -419,7 +419,7 @@ Options: - Example:: - - kadmin: addprinc jennifer -- WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -+ No policy specified for "jennifer@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal jennifer@ATHENA.MIT.EDU: - Re-enter password for principal jennifer@ATHENA.MIT.EDU: -diff --git a/doc/admin/database.rst b/doc/admin/database.rst -index cea60b009..8505fe1ec 100644 ---- a/doc/admin/database.rst -+++ b/doc/admin/database.rst -@@ -103,7 +103,7 @@ If you want to create a principal which is contained by a LDAP object, - all you need to do is:: - - kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer -- WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -+ No policy specified for "jennifer@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password. - Re-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again. -@@ -114,7 +114,7 @@ If you want to create a principal under a specific LDAP container and - link to an existing LDAP object, all you need to do is:: - - kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david -- WARNING: no policy specified for "david@ATHENA.MIT.EDU"; -+ No policy specified for "david@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. - Re-enter password for principal david@ATHENA.MIT.EDU: <=Type it again. -diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst -index 3bec59f96..157c6059e 100644 ---- a/doc/admin/install_kdc.rst -+++ b/doc/admin/install_kdc.rst -@@ -239,7 +239,7 @@ is created:: - - kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU - -- WARNING: no policy specified for "admin/admin@ATHENA.MIT.EDU"; -+ No policy specified for "admin/admin@ATHENA.MIT.EDU"; - assigning "default". - Enter password for principal admin/admin@ATHENA.MIT.EDU: <= Enter a password. - Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <= Type it again. -@@ -316,11 +316,11 @@ following:: - - shell% kadmin - kadmin: addprinc -randkey host/kerberos.mit.edu -- NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" -+ No policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" - Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created. - - kadmin: addprinc -randkey host/kerberos-1.mit.edu -- NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default" -+ No policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default" - Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created. - - It is not strictly necessary to have the master KDC server in the -diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c -index b4d1aad93..a6e858d82 100644 ---- a/src/kadmin/cli/kadmin.c -+++ b/src/kadmin/cli/kadmin.c -@@ -1229,13 +1229,13 @@ kadmin_addprinc(int argc, char *argv[]) - /* If the policy "default" exists, assign it. */ - if (policy_exists("default")) { - if (!script_mode) { -- fprintf(stderr, _("NOTICE: no policy specified for %s; " -+ fprintf(stderr, _("No policy specified for %s; " - "assigning \"default\"\n"), canon); - } - princ.policy = "default"; - mask |= KADM5_POLICY; - } else if (!script_mode) { -- fprintf(stderr, _("WARNING: no policy specified for %s; " -+ fprintf(stderr, _("No policy specified for %s; " - "defaulting to no policy\n"), canon); - } - } -diff --git a/src/man/kadmin.man b/src/man/kadmin.man -index 44859a378..b514fe279 100644 ---- a/src/man/kadmin.man -+++ b/src/man/kadmin.man -@@ -458,7 +458,7 @@ Example: - .nf - .ft C - kadmin: addprinc jennifer --WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -+No policy specified for "jennifer@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal jennifer@ATHENA.MIT.EDU: - Re\-enter password for principal jennifer@ATHENA.MIT.EDU: -diff --git a/src/po/de.po b/src/po/de.po -index 40e31da90..5d78bdded 100644 ---- a/src/po/de.po -+++ b/src/po/de.po -@@ -1690,16 +1690,16 @@ msgstr "WARNUNG: Richtlinie »%s« existiert nicht.\n" - - #: ../../src/kadmin/cli/kadmin.c:1230 - #, c-format --msgid "NOTICE: no policy specified for %s; assigning \"default\"\n" -+msgid "No policy specified for %s; assigning \"default\"\n" - msgstr "" --"HINWEIS: Für %s wurde keine Richtlinie angegeben, es wird »default« " -+"Für %s wurde keine Richtlinie angegeben, es wird »default« " - "zugewiesen\n" - - #: ../../src/kadmin/cli/kadmin.c:1235 - #, c-format --msgid "WARNING: no policy specified for %s; defaulting to no policy\n" -+msgid "No policy specified for %s; defaulting to no policy\n" - msgstr "" --"WARNUNG: Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe " -+"Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe " - "»keine\n" - "Richtlinie« verwandt.\n" - -diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot -index 8cfbe9f3c..de1998d2f 100644 ---- a/src/po/mit-krb5.pot -+++ b/src/po/mit-krb5.pot -@@ -1645,12 +1645,12 @@ msgstr "" - - #: ../../src/kadmin/cli/kadmin.c:1228 - #, c-format --msgid "NOTICE: no policy specified for %s; assigning \"default\"\n" -+msgid "No policy specified for %s; assigning \"default\"\n" - msgstr "" - - #: ../../src/kadmin/cli/kadmin.c:1234 - #, c-format --msgid "WARNING: no policy specified for %s; defaulting to no policy\n" -+msgid "No policy specified for %s; defaulting to no policy\n" - msgstr "" - - #: ../../src/kadmin/cli/kadmin.c:1276 diff --git a/Filter-enctypes-in-gss_set_allowable_enctypes.patch b/Filter-enctypes-in-gss_set_allowable_enctypes.patch deleted file mode 100644 index 182071c..0000000 --- a/Filter-enctypes-in-gss_set_allowable_enctypes.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 073c20a214df8b416b8d848412256c57feb43ef0 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 16 Jul 2019 00:15:42 -0400 -Subject: [PATCH] Filter enctypes in gss_set_allowable_enctypes() - -Instead of erroring out when any invalid enctypes are present in the -caller's list, filter out the invalid ones and only error if no -enctypes remain. - -ticket: 8819 -(cherry picked from commit 37ab7ea128a4c2aa2dad65ab9006baded5335bc7) ---- - src/lib/gssapi/krb5/set_allowable_enctypes.c | 29 ++++++++++---------- - 1 file changed, 14 insertions(+), 15 deletions(-) - -diff --git a/src/lib/gssapi/krb5/set_allowable_enctypes.c b/src/lib/gssapi/krb5/set_allowable_enctypes.c -index d9fd279ed..a74b161cb 100644 ---- a/src/lib/gssapi/krb5/set_allowable_enctypes.c -+++ b/src/lib/gssapi/krb5/set_allowable_enctypes.c -@@ -66,7 +66,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, - const gss_OID desired_oid, - const gss_buffer_t value) - { -- unsigned int i; -+ unsigned int i, j; - krb5_enctype * new_ktypes; - OM_uint32 major_status; - krb5_gss_cred_id_t cred; -@@ -83,14 +83,7 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, - /* verify and valildate cred handle */ - cred = (krb5_gss_cred_id_t) *cred_handle; - -- if (req->ktypes) { -- for (i = 0; i < req->num_ktypes && req->ktypes[i]; i++) { -- if (!krb5_c_valid_enctype(req->ktypes[i])) { -- kerr = KRB5_PROG_ETYPE_NOSUPP; -- goto error_out; -- } -- } -- } else { -+ if (req->ktypes == NULL) { - k5_mutex_lock(&cred->lock); - if (cred->req_enctypes) - free(cred->req_enctypes); -@@ -99,13 +92,19 @@ gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, - return GSS_S_COMPLETE; - } - -- /* Copy the requested ktypes into the cred structure */ -- if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * (i + 1)))) { -- memcpy(new_ktypes, req->ktypes, sizeof(krb5_enctype) * i); -- new_ktypes[i] = 0; /* "null-terminate" the list */ -+ /* Copy the requested enctypes into the cred structure. Filter out the -+ * ones we don't consider valid. Error out if no enctypes are valid. */ -+ new_ktypes = k5calloc(req->num_ktypes + 1, sizeof(*new_ktypes), &kerr); -+ if (new_ktypes == NULL) -+ goto error_out; -+ for (i = 0, j = 0; i < req->num_ktypes && req->ktypes[i]; i++) { -+ if (krb5_c_valid_enctype(req->ktypes[i])) -+ new_ktypes[j++] = req->ktypes[i]; - } -- else { -- kerr = ENOMEM; -+ new_ktypes[j] = 0; -+ if (j == 0) { -+ free(new_ktypes); -+ kerr = KRB5_PROG_ETYPE_NOSUPP; - goto error_out; - } - k5_mutex_lock(&cred->lock); diff --git a/Fix-Coverity-defects-in-soft-pkcs11-test-code.patch b/Fix-Coverity-defects-in-soft-pkcs11-test-code.patch deleted file mode 100644 index a8d5901..0000000 --- a/Fix-Coverity-defects-in-soft-pkcs11-test-code.patch +++ /dev/null @@ -1,206 +0,0 @@ -From 14bc517f1fbd0bc7b3a6137871c167c595747a3e Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sat, 20 Jul 2019 00:51:52 -0400 -Subject: [PATCH] Fix Coverity defects in soft-pkcs11 test code - -Nothing in the code removes objects from soft_token.object.obs, so -simplify add_st_object() not to search for an empty slot. Avoid using -random() by using a counter for session handles and just the array -slot number for object handles. Add a helper get_rcfilename() to -facilitate checking the result of asprintf(). Properly initialize ap -in sprintf_fill(). Close the file handle in read_conf_file(). - -(cherry picked from commit b4831515b2f3b6fd7d7fd4bff4558c10c710891d) ---- - src/tests/softpkcs11/main.c | 102 +++++++++++++++++++----------------- - 1 file changed, 53 insertions(+), 49 deletions(-) - -diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c -index 5255323d3..2d1448ca2 100644 ---- a/src/tests/softpkcs11/main.c -+++ b/src/tests/softpkcs11/main.c -@@ -78,6 +78,7 @@ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, - (BL) = i2d_##T((S), &p); \ - if ((BL) <= 0) { \ - free((B)); \ -+ (B) = NULL; \ - (R) = EINVAL; \ - } \ - } \ -@@ -149,6 +150,7 @@ static struct soft_token { - } state[10]; - #define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0])) - FILE *logfile; -+ CK_SESSION_HANDLE next_session_handle; - } soft_token; - - static void -@@ -179,6 +181,7 @@ snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...) - { - int len; - va_list ap; -+ va_start(ap, fmt); - len = vsnprintf(str, size, fmt, ap); - va_end(ap); - if (len < 0 || len > size) -@@ -344,7 +347,13 @@ static struct st_object * - add_st_object(void) - { - struct st_object *o, **objs; -- int i; -+ -+ objs = realloc(soft_token.object.objs, -+ (soft_token.object.num_objs + 1) * -+ sizeof(soft_token.object.objs[0])); -+ if (objs == NULL) -+ return NULL; -+ soft_token.object.objs = objs; - - o = malloc(sizeof(*o)); - if (o == NULL) -@@ -352,26 +361,9 @@ add_st_object(void) - memset(o, 0, sizeof(*o)); - o->attrs = NULL; - o->num_attributes = 0; -+ o->object_handle = soft_token.object.num_objs; - -- for (i = 0; i < soft_token.object.num_objs; i++) { -- if (soft_token.object.objs == NULL) { -- soft_token.object.objs[i] = o; -- break; -- } -- } -- if (i == soft_token.object.num_objs) { -- objs = realloc(soft_token.object.objs, -- (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0])); -- if (objs == NULL) { -- free(o); -- return NULL; -- } -- soft_token.object.objs = objs; -- soft_token.object.objs[soft_token.object.num_objs++] = o; -- } -- soft_token.object.objs[i]->object_handle = -- (random() & (~OBJECT_ID_MASK)) | i; -- -+ soft_token.object.objs[soft_token.object.num_objs++] = o; - return o; - } - -@@ -797,6 +789,8 @@ read_conf_file(const char *fn) - - add_certificate(label, cert, key, id, anchor); - } -+ -+ fclose(f); - } - - static CK_RV -@@ -806,19 +800,47 @@ func_not_supported(void) - return CKR_FUNCTION_NOT_SUPPORTED; - } - -+static char * -+get_rcfilename() -+{ -+ struct passwd *pw; -+ const char *home = NULL; -+ char *fn; -+ -+ if (getuid() == geteuid()) { -+ fn = getenv("SOFTPKCS11RC"); -+ if (fn != NULL) -+ return strdup(fn); -+ -+ home = getenv("HOME"); -+ } -+ -+ if (home == NULL) { -+ pw = getpwuid(getuid()); -+ if (pw != NULL) -+ home = pw->pw_dir; -+ } -+ -+ if (home == NULL) -+ return strdup("/etc/soft-token.rc"); -+ -+ if (asprintf(&fn, "%s/.soft-token.rc", home) < 0) -+ return NULL; -+ return fn; -+} -+ - CK_RV - C_Initialize(CK_VOID_PTR a) - { - CK_C_INITIALIZE_ARGS_PTR args = a; - size_t i; -+ char *fn; - - st_logf("Initialize\n"); - - OpenSSL_add_all_algorithms(); - ERR_load_crypto_strings(); - -- srandom(getpid() ^ time(NULL)); -- - for (i = 0; i < MAX_NUM_SESSION; i++) { - soft_token.state[i].session_handle = CK_INVALID_HANDLE; - soft_token.state[i].find.attributes = NULL; -@@ -850,31 +872,13 @@ C_Initialize(CK_VOID_PTR a) - st_logf("\tFlags\t%04x\n", (unsigned int)args->flags); - } - -- { -- char *fn = NULL, *home = NULL; -- -- if (getuid() == geteuid()) { -- fn = getenv("SOFTPKCS11RC"); -- if (fn) -- fn = strdup(fn); -- home = getenv("HOME"); -- } -- if (fn == NULL && home == NULL) { -- struct passwd *pw = getpwuid(getuid()); -- if(pw != NULL) -- home = pw->pw_dir; -- } -- if (fn == NULL) { -- if (home) -- asprintf(&fn, "%s/.soft-token.rc", home); -- else -- fn = strdup("/etc/soft-token.rc"); -- } -- -- read_conf_file(fn); -- free(fn); -- } -+ soft_token.next_session_handle = 0; - -+ fn = get_rcfilename(); -+ if (fn == NULL) -+ return CKR_DEVICE_MEMORY; -+ read_conf_file(fn); -+ free(fn); - return CKR_OK; - } - -@@ -1082,8 +1086,7 @@ C_OpenSession(CK_SLOT_ID slotID, - - soft_token.open_sessions++; - -- soft_token.state[i].session_handle = -- (CK_SESSION_HANDLE)(random() & 0xfffff); -+ soft_token.state[i].session_handle = soft_token.next_session_handle++; - *phSession = soft_token.state[i].session_handle; - - return CKR_OK; -@@ -1152,7 +1155,8 @@ C_Login(CK_SESSION_HANDLE hSession, - VERIFY_SESSION_HANDLE(hSession, NULL); - - if (pPin != NULL_PTR) { -- asprintf(&pin, "%.*s", (int)ulPinLen, pPin); -+ if (asprintf(&pin, "%.*s", (int)ulPinLen, pPin) < 0) -+ return CKR_DEVICE_MEMORY; - st_logf("type: %d password: %s\n", (int)userType, pin); - } - diff --git a/Fix-KDC-crash-when-logging-PKINIT-enctypes.patch b/Fix-KDC-crash-when-logging-PKINIT-enctypes.patch deleted file mode 100644 index 56bcd85..0000000 --- a/Fix-KDC-crash-when-logging-PKINIT-enctypes.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 2f939727e531f04a24b687b9807b2e23599a2e4f Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Wed, 25 Sep 2019 12:57:56 -0400 -Subject: [PATCH] Fix KDC crash when logging PKINIT enctypes - -Commit a649279727490687d54becad91fde8cf7429d951 introduced a KDC crash -bug due to transposed strlcpy() arguments. Fix the argument order. - -This bug does not affect any MIT krb5 release, but affects the Fedora -krb5 packages due to backports. CVE-2019-14844 has been issued as a -result. - -ticket: 8772 -(cherry picked from commit 275c9a1aad36a1a7b56042f1a2c21c33e7d16eaf) ---- - src/kdc/kdc_util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 23ad6c584..698f18c1c 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -1080,7 +1080,7 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) - else - return krb5_enctype_to_name(ktype, FALSE, buf, buflen); - -- if (strlcpy(name, buf, buflen) >= buflen) -+ if (strlcpy(buf, name, buflen) >= buflen) - return ENOMEM; - return 0; - } diff --git a/Fix-LDAP-policy-enforcement-of-pw_expiration.patch b/Fix-LDAP-policy-enforcement-of-pw_expiration.patch deleted file mode 100644 index 45b0484..0000000 --- a/Fix-LDAP-policy-enforcement-of-pw_expiration.patch +++ /dev/null @@ -1,302 +0,0 @@ -From d62cb044abe57eda1216f9ab97f50bd178f1d495 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 17 Dec 2019 17:37:41 -0500 -Subject: [PATCH] Fix LDAP policy enforcement of pw_expiration - -In the LDAP backend, the change mask is used to determine what LDAP -attributes to update. As a result, password expiration was not set -from policy when running during addprinc, among other issues. -However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration -would be applied regardless, which meant that (for instance) changing -the password would cause the password application to be applied. - -Remove the check for KADM5_PRINCIPAL, and fix the mask to contain -KADM5_PW_EXPIRATION where appropriate. Add a regression test to -t_kdb.py. - -[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey -since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and -commit message] - -ticket: 8861 (new) -tags: pullup -target_version: 1.17-next - -(cherry picked from commit 6b004dd5739bded71be4290c11e7ac3a816c7e09) ---- - src/lib/kadm5/srv/svr_principal.c | 92 +++++++++---------- - .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 13 --- - src/tests/t_kdb.py | 17 ++++ - 3 files changed, 60 insertions(+), 62 deletions(-) - -diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index a1ecdbfc4..35bbf1218 100644 ---- a/src/lib/kadm5/srv/svr_principal.c -+++ b/src/lib/kadm5/srv/svr_principal.c -@@ -356,6 +356,11 @@ kadm5_create_principal_3(void *server_handle, - kdb = calloc(1, sizeof(*kdb)); - if (kdb == NULL) - return ENOMEM; -+ -+ /* In all cases the principal entry is new and key data is set; let the -+ * database provider know. */ -+ kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL; -+ - memset(&adb, 0, sizeof(osa_princ_ent_rec)); - - /* -@@ -405,14 +410,12 @@ kadm5_create_principal_3(void *server_handle, - kdb->expiration = handle->params.expiration; - - kdb->pw_expiration = 0; -- if (have_polent) { -- if(polent.pw_max_life) -- kdb->pw_expiration = ts_incr(now, polent.pw_max_life); -- else -- kdb->pw_expiration = 0; -- } -- if ((mask & KADM5_PW_EXPIRATION)) -+ if (mask & KADM5_PW_EXPIRATION) { - kdb->pw_expiration = entry->pw_expiration; -+ } else if (have_polent && polent.pw_max_life) { -+ kdb->mask |= KADM5_PW_EXPIRATION; -+ kdb->pw_expiration = ts_incr(now, polent.pw_max_life); -+ } - - kdb->last_success = 0; - kdb->last_failed = 0; -@@ -503,9 +506,6 @@ kadm5_create_principal_3(void *server_handle, - adb.policy = entry->policy; - } - -- /* In all cases key and the principal data is set, let the database provider know */ -- kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ; -- - /* store the new db entry */ - ret = kdb_put_entry(handle, kdb, &adb); - -@@ -601,6 +601,9 @@ kadm5_modify_principal(void *server_handle, - if (ret) - return(ret); - -+ /* Let the mask propagate to the database provider. */ -+ kdb->mask = mask; -+ - /* - * This is pretty much the same as create ... - */ -@@ -616,11 +619,15 @@ kadm5_modify_principal(void *server_handle, - free(adb.policy); - adb.policy = strdup(entry->policy); - } -- if (have_pol) { -+ -+ if (mask & KADM5_PW_EXPIRATION) { -+ kdb->pw_expiration = entry->pw_expiration; -+ } else if (have_pol) { - /* set pw_max_life based on new policy */ -+ kdb->mask |= KADM5_PW_EXPIRATION; - if (pol.pw_max_life) { - ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, -- &(kdb->pw_expiration)); -+ &kdb->pw_expiration); - if (ret) - goto done; - kdb->pw_expiration = ts_incr(kdb->pw_expiration, pol.pw_max_life); -@@ -642,8 +649,6 @@ kadm5_modify_principal(void *server_handle, - kdb->max_life = entry->max_life; - if ((mask & KADM5_PRINC_EXPIRE_TIME)) - kdb->expiration = entry->princ_expire_time; -- if (mask & KADM5_PW_EXPIRATION) -- kdb->pw_expiration = entry->pw_expiration; - if (mask & KADM5_MAX_RLIFE) - kdb->max_renewable_life = entry->max_renewable_life; - -@@ -682,9 +687,6 @@ kadm5_modify_principal(void *server_handle, - kdb->fail_auth_count = 0; - } - -- /* let the mask propagate to the database provider */ -- kdb->mask = mask; -- - ret = k5_kadm5_hook_modify(handle->context, handle->hook_handles, - KADM5_HOOK_STAGE_PRECOMMIT, entry, mask); - if (ret) -@@ -1362,6 +1364,11 @@ kadm5_chpass_principal_3(void *server_handle, - if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); - -+ /* We will always be changing the key data, attributes, auth failure count, -+ * and password expiration time. */ -+ kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_FAIL_AUTH_COUNT | -+ KADM5_PW_EXPIRATION; -+ - ret = apply_keysalt_policy(handle, adb.policy, n_ks_tuple, ks_tuple, - &new_n_ks_tuple, &new_ks_tuple); - if (ret) -@@ -1407,6 +1414,7 @@ kadm5_chpass_principal_3(void *server_handle, - if (ret) - goto done; - -+ kdb->pw_expiration = 0; - if ((adb.aux_attributes & KADM5_POLICY)) { - /* the policy was loaded before */ - -@@ -1439,10 +1447,6 @@ kadm5_chpass_principal_3(void *server_handle, - - if (pol.pw_max_life) - kdb->pw_expiration = ts_incr(now, pol.pw_max_life); -- else -- kdb->pw_expiration = 0; -- } else { -- kdb->pw_expiration = 0; - } - - #ifdef USE_PASSWORD_SERVER -@@ -1481,11 +1485,6 @@ kadm5_chpass_principal_3(void *server_handle, - /* unlock principal on this KDC */ - kdb->fail_auth_count = 0; - -- /* key data and attributes changed, let the database provider know */ -- kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | -- KADM5_FAIL_AUTH_COUNT; -- /* | KADM5_CPW_FUNCTION */ -- - if (hist_added) - kdb->mask |= KADM5_KEY_HIST; - -@@ -1560,6 +1559,11 @@ kadm5_randkey_principal_3(void *server_handle, - if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); - -+ /* We will always be changing the key data, attributes, auth failure count, -+ * and password expiration time. */ -+ kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_FAIL_AUTH_COUNT | -+ KADM5_PW_EXPIRATION; -+ - ret = apply_keysalt_policy(handle, adb.policy, n_ks_tuple, ks_tuple, - &new_n_ks_tuple, &new_ks_tuple); - if (ret) -@@ -1599,14 +1603,10 @@ kadm5_randkey_principal_3(void *server_handle, - if (ret) - goto done; - } -- if (have_pol) { -- if (pol.pw_max_life) -- kdb->pw_expiration = ts_incr(now, pol.pw_max_life); -- else -- kdb->pw_expiration = 0; -- } else { -- kdb->pw_expiration = 0; -- } -+ -+ kdb->pw_expiration = 0; -+ if (have_pol && pol.pw_max_life) -+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life); - - ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now); - if (ret) -@@ -1624,10 +1624,6 @@ kadm5_randkey_principal_3(void *server_handle, - goto done; - } - -- /* key data changed, let the database provider know */ -- kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; -- /* | KADM5_RANDKEY_USED */; -- - ret = k5_kadm5_hook_chpass(handle->context, handle->hook_handles, - KADM5_HOOK_STAGE_PRECOMMIT, principal, keepold, - new_n_ks_tuple, new_ks_tuple, NULL); -@@ -1763,6 +1759,11 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, - if (ret) - return ret; - -+ /* We will always be changing the key data, attributes, auth failure count, -+ * and password expiration time. */ -+ kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_FAIL_AUTH_COUNT | -+ KADM5_PW_EXPIRATION; -+ - if (kvno == 0) { - /* Pick the next kvno. */ - for (i = 0; i < kdb->n_key_data; i++) { -@@ -1864,14 +1865,10 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, - if (ret) - goto done; - } -- if (have_pol) { -- if (pol.pw_max_life) -- kdb->pw_expiration = ts_incr(now, pol.pw_max_life); -- else -- kdb->pw_expiration = 0; -- } else { -- kdb->pw_expiration = 0; -- } -+ -+ kdb->pw_expiration = 0; -+ if (have_pol && pol.pw_max_life) -+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life); - - ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now); - if (ret) -@@ -1880,9 +1877,6 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, - /* Unlock principal on this KDC. */ - kdb->fail_auth_count = 0; - -- /* key data changed, let the database provider know */ -- kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; -- - ret = kdb_put_entry(handle, kdb, &adb); - if (ret) - goto done; -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -index ee9c02814..fa0a2c683 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c -@@ -1233,19 +1233,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, - goto cleanup; - } - -- if (!(entry->mask & KADM5_PRINCIPAL)) { -- memset(strval, 0, sizeof(strval)); -- if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) -- goto cleanup; -- if ((st=krb5_add_str_mem_ldap_mod(&mods, -- "krbpasswordexpiration", -- LDAP_MOD_REPLACE, strval)) != 0) { -- free (strval[0]); -- goto cleanup; -- } -- free (strval[0]); -- } -- - /* Update last password change whenever a new key is set */ - { - krb5_timestamp last_pw_changed; -diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py -index 7271fcbbd..d18f672c1 100755 ---- a/src/tests/t_kdb.py -+++ b/src/tests/t_kdb.py -@@ -494,6 +494,23 @@ else: - realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user']) - realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n') - -+# Regression test for #8861 (pw_expiration policy enforcement). -+mark('pw_expiration propogation') -+# Create a policy with a max life and verify its application. -+realm.run([kadminl, 'addpol', '-maxlife', '1s', 'pw_e']) -+realm.run([kadminl, 'addprinc', '-policy', 'pw_e', '-pw', 'password', -+ 'pwuser']) -+out = realm.run([kadminl, 'getprinc', 'pwuser'], -+ expected_msg='Password expiration date: ') -+if 'Password expiration date: [never]' in out: -+ fail('pw_expiration not applied at principal creation') -+# Unset the policy max life and verify its application during password -+# change. -+realm.run([kadminl, 'modpol', '-maxlife', '0', 'pw_e']) -+realm.run([kadminl, 'cpw', '-pw', 'password_', 'pwuser']) -+realm.run([kadminl, 'getprinc', 'pwuser'], -+ expected_msg='Password expiration date: [never]') -+ - realm.stop() - - # Briefly test dump and load. diff --git a/Fix-config-realm-change-logic-in-FILE-remove_cred.patch b/Fix-config-realm-change-logic-in-FILE-remove_cred.patch deleted file mode 100644 index c662158..0000000 --- a/Fix-config-realm-change-logic-in-FILE-remove_cred.patch +++ /dev/null @@ -1,29 +0,0 @@ -From bde05bf227939691855c025ce3c79cda07093fa7 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 16 Apr 2019 10:47:35 -0400 -Subject: [PATCH] Fix config realm change logic in FILE remove_cred - -Use data_eq_string() to check the server realm, and do not check if -cred->server is NULL since it is not expected to be (and -k5_marshal_cred() would have already crashed if it were). - -ticket: 8792 -(cherry picked from commit e5367fcddd53dc4db0c1fd2279e91eda3791960a) ---- - src/lib/krb5/ccache/cc_file.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c -index 09da38fa9..a3f67766e 100644 ---- a/src/lib/krb5/ccache/cc_file.c -+++ b/src/lib/krb5/ccache/cc_file.c -@@ -1058,8 +1058,7 @@ delete_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor, - - /* For config entries, also change the realm so that other implementations - * won't match them. */ -- if (cred->server != NULL && cred->server->realm.length > 0 && -- strcmp(cred->server->realm.data, "X-CACHECONF:") == 0) -+ if (data_eq_string(cred->server->realm, "X-CACHECONF:")) - memcpy(cred->server->realm.data, "X-RMED-CONF:", 12); - - k5_marshal_cred(&overwrite, fcursor->version, cred); diff --git a/Fix-handling-of-invalid-CAMMAC-service-verifier.patch b/Fix-handling-of-invalid-CAMMAC-service-verifier.patch deleted file mode 100644 index bc285c2..0000000 --- a/Fix-handling-of-invalid-CAMMAC-service-verifier.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 87d0a1364b9ddb4b9ed8dfaee3022172bfb879ba Mon Sep 17 00:00:00 2001 -From: Jeffrey Arbuckle -Date: Sat, 21 Dec 2019 22:59:20 -0500 -Subject: [PATCH] Fix handling of invalid CAMMAC service verifier - -In extract_cammacs(), avoid a null dereference if the CAMMAC service -verifier is invalid or the CAMMAC is empty. - -ticket: 8856 -tags: pullup -target_version: 1.17-next - -(cherry picked from commit 8451ff6ed57361de585a35f35a39c54dc48172c7) ---- - src/lib/krb5/krb/authdata.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c -index 3e7dfbe49..d3096e5a2 100644 ---- a/src/lib/krb5/krb/authdata.c -+++ b/src/lib/krb5/krb/authdata.c -@@ -557,6 +557,8 @@ extract_cammacs(krb5_context kcontext, krb5_authdata **cammacs, - if (ret && ret != KRB5KRB_AP_ERR_BAD_INTEGRITY) - goto cleanup; - ret = 0; -+ if (elements == NULL) -+ continue; - - /* Add the verified elements to list and free the container array. */ - for (n_elements = 0; elements[n_elements] != NULL; n_elements++); diff --git a/Fix-memory-leaks-in-soft-pkcs11-code.patch b/Fix-memory-leaks-in-soft-pkcs11-code.patch deleted file mode 100644 index acc2938..0000000 --- a/Fix-memory-leaks-in-soft-pkcs11-code.patch +++ /dev/null @@ -1,122 +0,0 @@ -From b0acd2918e673a60a88cfed9fe7da08fb7fc4987 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Mon, 5 Aug 2019 01:53:51 -0400 -Subject: [PATCH] Fix memory leaks in soft-pkcs11 code - -Fix leaks detected by asan in t_pkinit.py. Add a helper to free a -struct st_object and free objects in C_Finalize(). Duplicate the X509 -cert in add_certificate() instead of creating aliases so it can be -properly freed. Start the session handle counter at 1 so that -C_Finalize() won't confuse the first session handle with -CK_INVALID_HANDLE (defined to 0 in pkinit.h) and will properly clean -the session object. - -(cherry picked from commit 15bcaf8bcb4af25ff89820ad3bf23ad5a324e863) ---- - src/tests/softpkcs11/main.c | 44 +++++++++++++++++++++++++++++++++---- - 1 file changed, 40 insertions(+), 4 deletions(-) - -diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c -index 2d1448ca2..a4c3ae78e 100644 ---- a/src/tests/softpkcs11/main.c -+++ b/src/tests/softpkcs11/main.c -@@ -109,7 +109,7 @@ struct st_object { - X509 *cert; - EVP_PKEY *public_key; - struct { -- const char *file; -+ char *file; - EVP_PKEY *key; - X509 *cert; - } private_key; -@@ -343,6 +343,26 @@ print_attributes(const CK_ATTRIBUTE *attributes, - } - } - -+static void -+free_st_object(struct st_object *o) -+{ -+ int i; -+ -+ for (i = 0; i < o->num_attributes; i++) -+ free(o->attrs[i].attribute.pValue); -+ free(o->attrs); -+ if (o->type == STO_T_CERTIFICATE) { -+ X509_free(o->u.cert); -+ } else if (o->type == STO_T_PRIVATE_KEY) { -+ free(o->u.private_key.file); -+ EVP_PKEY_free(o->u.private_key.key); -+ X509_free(o->u.private_key.cert); -+ } else if (o->type == STO_T_PUBLIC_KEY) { -+ EVP_PKEY_free(o->u.public_key); -+ } -+ free(o); -+} -+ - static struct st_object * - add_st_object(void) - { -@@ -518,7 +538,11 @@ add_certificate(char *label, - goto out; - } - o->type = STO_T_CERTIFICATE; -- o->u.cert = cert; -+ o->u.cert = X509_dup(cert); -+ if (o->u.cert == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } - public_key = X509_get_pubkey(o->u.cert); - - switch (EVP_PKEY_base_id(public_key)) { -@@ -602,7 +626,11 @@ add_certificate(char *label, - o->u.private_key.file = strdup(private_key_file); - o->u.private_key.key = NULL; - -- o->u.private_key.cert = cert; -+ o->u.private_key.cert = X509_dup(cert); -+ if (o->u.private_key.cert == NULL) { -+ ret = CKR_DEVICE_MEMORY; -+ goto out; -+ } - - c = CKO_PRIVATE_KEY; - add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c)); -@@ -676,6 +704,7 @@ add_certificate(char *label, - free(serial_data); - free(issuer_data); - free(subject_data); -+ X509_free(cert); - - return ret; - } -@@ -872,7 +901,7 @@ C_Initialize(CK_VOID_PTR a) - st_logf("\tFlags\t%04x\n", (unsigned int)args->flags); - } - -- soft_token.next_session_handle = 0; -+ soft_token.next_session_handle = 1; - - fn = get_rcfilename(); - if (fn == NULL) -@@ -886,6 +915,7 @@ CK_RV - C_Finalize(CK_VOID_PTR args) - { - size_t i; -+ int j; - - st_logf("Finalize\n"); - -@@ -897,6 +927,12 @@ C_Finalize(CK_VOID_PTR args) - } - } - -+ for (j = 0; j < soft_token.object.num_objs; j++) -+ free_st_object(soft_token.object.objs[j]); -+ free(soft_token.object.objs); -+ soft_token.object.objs = NULL; -+ soft_token.object.num_objs = 0; -+ - return CKR_OK; - } - diff --git a/Fix-minor-errors-in-softpkcs11.patch b/Fix-minor-errors-in-softpkcs11.patch deleted file mode 100644 index 963faec..0000000 --- a/Fix-minor-errors-in-softpkcs11.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 343068058951e343179156e895c7483ab8194236 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 8 Nov 2019 14:28:56 -0500 -Subject: [PATCH] Fix minor errors in softpkcs11 - -Fix a printf type mismatch in attributes_match() reported by Coverity, -and a possible uninitizlied use of key_type in add_certificate() -reported by clang. - -[ghudson@mit.edu: squashed commits and rewrote commit message] - -(cherry picked from commit 560e48fee9a192ed4eb1b6cbd62c119087b53948) ---- - src/tests/softpkcs11/main.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c -index a4c3ae78e..1cccdfb43 100644 ---- a/src/tests/softpkcs11/main.c -+++ b/src/tests/softpkcs11/main.c -@@ -261,7 +261,7 @@ attributes_match(const struct st_object *obj, - } - } - if (match == 0) { -- st_logf("type %d attribute have no match\n", attributes[i].type); -+ st_logf("type %lu attribute have no match\n", attributes[i].type); - return 0; - } - } -@@ -553,8 +553,9 @@ add_certificate(char *label, - key_type = CKK_DSA; - break; - default: -- /* XXX */ -- break; -+ st_logf("invalid key_type\n"); -+ ret = CKR_GENERAL_ERROR; -+ goto out; - } - - c = CKO_CERTIFICATE; diff --git a/Fix-potential-close-1-in-cc_file.c.patch b/Fix-potential-close-1-in-cc_file.c.patch deleted file mode 100644 index 5e7136c..0000000 --- a/Fix-potential-close-1-in-cc_file.c.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 20e18b31bac004c13b7f2b5b1e67e80730481aea Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 18 Apr 2019 13:39:37 -0400 -Subject: [PATCH] Fix potential close(-1) in cc_file.c - -As part of error handling in d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5, -an error path in delete_cred() may result in close(-1). While this -shouldn't be a prolblem in practice (just returning EBADF), it does -upset Coverity. - -ticket: 8792 -(cherry picked from commit 5ccfbaf2f0c8871d2f0ea87ad4b21cc33392ca2c) ---- - src/lib/krb5/ccache/cc_file.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c -index a3f67766e..bf58c1d45 100644 ---- a/src/lib/krb5/ccache/cc_file.c -+++ b/src/lib/krb5/ccache/cc_file.c -@@ -1122,7 +1122,8 @@ delete_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor, - } - - cleanup: -- close(fd); -+ if (fd >= 0) -+ close(fd); - zapfree(on_disk, expected.len); - k5_buf_free(&expected); - k5_buf_free(&overwrite); diff --git a/Fix-xdr_bytes-strict-aliasing-violations.patch b/Fix-xdr_bytes-strict-aliasing-violations.patch deleted file mode 100644 index 34082c0..0000000 --- a/Fix-xdr_bytes-strict-aliasing-violations.patch +++ /dev/null @@ -1,138 +0,0 @@ -From e48e04d955c809c6f7b4f9052294d407f0d93daa Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 10 Dec 2019 12:06:05 -0500 -Subject: [PATCH] Fix xdr_bytes() strict-aliasing violations - -When xdr_bytes() is used for a gss_buffer_desc object, a temporary -character pointer must be used for the data value to avoid a strict -aliasing violation. - -When xdr_bytes() is used for a krb5_keyblock object, a temporary -character pointer must also be used, even though the data pointer is -of type unsigned char *, to avoid a clang warning on macOS due to the -"#pragma pack" declaration in krb5.h. - -(cherry picked from commit 21b39d0196e3e0bb6b1bfbf5d60a0596cfc82e27) ---- - src/lib/kadm5/kadm_rpc_xdr.c | 8 +++++--- - src/lib/rpc/auth_gssapi_misc.c | 21 +++++++++++++-------- - src/lib/rpc/authgss_prot.c | 5 ++++- - 3 files changed, 22 insertions(+), 12 deletions(-) - -diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c -index f22ea7f1f..8383e4e23 100644 ---- a/src/lib/kadm5/kadm_rpc_xdr.c -+++ b/src/lib/kadm5/kadm_rpc_xdr.c -@@ -1125,14 +1125,16 @@ xdr_krb5_salttype(XDR *xdrs, krb5_int32 *objp) - bool_t - xdr_krb5_keyblock(XDR *xdrs, krb5_keyblock *objp) - { -+ char *cp; -+ - /* XXX This only works because free_keyblock assumes ->contents - is allocated by malloc() */ -- - if(!xdr_krb5_enctype(xdrs, &objp->enctype)) - return FALSE; -- if(!xdr_bytes(xdrs, (char **) &objp->contents, (unsigned int *) -- &objp->length, ~0)) -+ cp = (char *)objp->contents; -+ if(!xdr_bytes(xdrs, &cp, &objp->length, ~0)) - return FALSE; -+ objp->contents = (uint8_t *)cp; - return TRUE; - } - -diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c -index a05ea19eb..a60eb7f7c 100644 ---- a/src/lib/rpc/auth_gssapi_misc.c -+++ b/src/lib/rpc/auth_gssapi_misc.c -@@ -45,9 +45,11 @@ bool_t xdr_gss_buf( - bool_t result; - /* Fix type mismatches between APIs. */ - unsigned int length = buf->length; -- result = xdr_bytes(xdrs, (char **) &buf->value, &length, -+ char *cp = buf->value; -+ result = xdr_bytes(xdrs, &cp, &length, - (xdrs->x_op == XDR_DECODE && buf->value == NULL) - ? (unsigned int) -1 : (unsigned int) buf->length); -+ buf->value = cp; - buf->length = length; - return result; - } -@@ -204,6 +206,7 @@ bool_t auth_gssapi_wrap_data( - XDR temp_xdrs; - int conf_state; - unsigned int length; -+ char *cp; - - PRINTF(("gssapi_wrap_data: starting\n")); - -@@ -243,13 +246,13 @@ bool_t auth_gssapi_wrap_data( - - /* write the token */ - length = out_buf.length; -- if (! xdr_bytes(out_xdrs, (char **) &out_buf.value, -- (unsigned int *) &length, -- out_buf.length)) { -+ cp = out_buf.value; -+ if (! xdr_bytes(out_xdrs, &cp, &length, out_buf.length)) { - PRINTF(("gssapi_wrap_data: serializing encrypted data failed\n")); - XDR_DESTROY(&temp_xdrs); - return FALSE; - } -+ out_buf.value = cp; - - *major = gss_release_buffer(minor, &out_buf); - -@@ -272,6 +275,7 @@ bool_t auth_gssapi_unwrap_data( - uint32_t verf_seq_num; - int conf, qop; - unsigned int length; -+ char *cp; - - PRINTF(("gssapi_unwrap_data: starting\n")); - -@@ -280,14 +284,15 @@ bool_t auth_gssapi_unwrap_data( - - in_buf.value = NULL; - out_buf.value = NULL; -- if (! xdr_bytes(in_xdrs, (char **) &in_buf.value, -- &length, (unsigned int) -1)) { -+ cp = in_buf.value; -+ if (! xdr_bytes(in_xdrs, &cp, &length, (unsigned int) -1)) { - PRINTF(("gssapi_unwrap_data: deserializing encrypted data failed\n")); - temp_xdrs.x_op = XDR_FREE; -- (void)xdr_bytes(&temp_xdrs, (char **) &in_buf.value, &length, -- (unsigned int) -1); -+ (void)xdr_bytes(&temp_xdrs, &cp, &length, (unsigned int) -1); -+ in_buf.value = NULL; - return FALSE; - } -+ in_buf.value = cp; - in_buf.length = length; - - *major = gss_unseal(minor, context, &in_buf, &out_buf, &conf, -diff --git a/src/lib/rpc/authgss_prot.c b/src/lib/rpc/authgss_prot.c -index a5a587f90..9a48277b3 100644 ---- a/src/lib/rpc/authgss_prot.c -+++ b/src/lib/rpc/authgss_prot.c -@@ -50,6 +50,7 @@ xdr_rpc_gss_buf(XDR *xdrs, gss_buffer_t buf, u_int maxsize) - { - bool_t xdr_stat; - u_int tmplen; -+ char *cp; - - if (xdrs->x_op != XDR_DECODE) { - if (buf->length > UINT_MAX) -@@ -57,7 +58,9 @@ xdr_rpc_gss_buf(XDR *xdrs, gss_buffer_t buf, u_int maxsize) - else - tmplen = buf->length; - } -- xdr_stat = xdr_bytes(xdrs, (char **)&buf->value, &tmplen, maxsize); -+ cp = buf->value; -+ xdr_stat = xdr_bytes(xdrs, &cp, &tmplen, maxsize); -+ buf->value = cp; - - if (xdr_stat && xdrs->x_op == XDR_DECODE) - buf->length = tmplen; diff --git a/Implement-krb5_cc_remove_cred-for-remaining-types.patch b/Implement-krb5_cc_remove_cred-for-remaining-types.patch deleted file mode 100644 index 65ddcf7..0000000 --- a/Implement-krb5_cc_remove_cred-for-remaining-types.patch +++ /dev/null @@ -1,599 +0,0 @@ -From adeba65ff738184656bb9589e1e3ffb079d3adf0 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 1 Apr 2019 14:28:48 -0400 -Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types - -Previously, only KCM and MSLA implemented credential removal. Add -support for FILE (and therefore DIR), MEMORY, and KEYRING. - -The FILE logic is similar Heimdal's implementation, with additional -logic for skipping removed creds during iteration. In addition to -setting endtime to 0 and changing the realm for config entries as -Heimdal does, we set authtime to -1 to make deleted entries -distinguishable from gssproxy encrypted creds and config entries. - -For MEMORY, leave behind empty list elements when removing a cred will -leave behind an empty list element, in case an iterator holds a -pointer to that element. - -[ghudson@mit.edu: edited commit message; made minor style and comment -changes; fixed memory leaks detected by asan] - -ticket: 8792 (new) -(cherry picked from commit d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5) ---- - src/lib/krb5/ccache/cc_file.c | 177 ++++++++++++++++++++++++++++--- - src/lib/krb5/ccache/cc_keyring.c | 89 +++++++++++----- - src/lib/krb5/ccache/cc_memory.c | 36 +++++-- - src/lib/krb5/ccache/t_cc.c | 129 +++++++++++++++++++++- - 4 files changed, 381 insertions(+), 50 deletions(-) - -diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c -index 9263a0054..09da38fa9 100644 ---- a/src/lib/krb5/ccache/cc_file.c -+++ b/src/lib/krb5/ccache/cc_file.c -@@ -744,6 +744,14 @@ cleanup: - return set_errmsg_filename(context, ret, data->filename); - } - -+/* Return true if cred is a removed entry (assuming that no legitimate cred -+ * entries will have authtime=-1 and endtime=0). */ -+static inline krb5_boolean -+cred_removed(krb5_creds *c) -+{ -+ return c->times.endtime == 0 && c->times.authtime == -1; -+} -+ - /* Get the next credential from the cache file. */ - static krb5_error_code KRB5_CALLCONV - fcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, -@@ -765,19 +773,30 @@ fcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, - goto cleanup; - file_locked = TRUE; - -- /* Load a marshalled cred into memory. */ -- ret = get_size(context, fcursor->fp, &maxsize); -- if (ret) -- goto cleanup; -- ret = load_cred(context, fcursor->fp, fcursor->version, maxsize, &buf); -- if (ret) -- goto cleanup; -- ret = k5_buf_status(&buf); -- if (ret) -- goto cleanup; -+ for (;;) { -+ /* Load a marshalled cred into memory. */ -+ ret = get_size(context, fcursor->fp, &maxsize); -+ if (ret) -+ goto cleanup; -+ ret = load_cred(context, fcursor->fp, fcursor->version, maxsize, &buf); -+ if (ret) -+ goto cleanup; -+ ret = k5_buf_status(&buf); -+ if (ret) -+ goto cleanup; - -- /* Unmarshal it from buf into creds. */ -- ret = k5_unmarshal_cred(buf.data, buf.len, fcursor->version, creds); -+ /* Unmarshal it from buf into creds. */ -+ ret = k5_unmarshal_cred(buf.data, buf.len, fcursor->version, creds); -+ if (ret) -+ goto cleanup; -+ -+ /* Keep going if this entry has been removed; otherwise stop. */ -+ if (!cred_removed(creds)) -+ break; -+ -+ k5_buf_truncate(&buf, 0); -+ krb5_free_cred_contents(context, creds); -+ } - - cleanup: - if (file_locked) -@@ -1002,12 +1021,142 @@ cleanup: - return set_errmsg_filename(context, ret ? ret : ret2, data->filename); - } - --/* Non-functional stub for removing a cred from the cache file. */ -+/* -+ * Overwrite cred in the ccache file with an entry that should not match any -+ * reasonable search. Deletion is not guaranteed. This method is originally -+ * from Heimdal, with the addition of setting authtime to -1. -+ */ -+static krb5_error_code -+delete_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor, -+ krb5_creds *cred) -+{ -+ krb5_error_code ret; -+ krb5_fcc_cursor *fcursor = *cursor; -+ fcc_data *data = cache->data; -+ struct k5buf expected = EMPTY_K5BUF, overwrite = EMPTY_K5BUF; -+ int fd = -1; -+ uint8_t *on_disk = NULL; -+ ssize_t rwret; -+ off_t start_offset; -+ -+ k5_buf_init_dynamic_zap(&expected); -+ k5_buf_init_dynamic_zap(&overwrite); -+ -+ /* Re-marshal cred to get its byte representation in the file. */ -+ k5_marshal_cred(&expected, fcursor->version, cred); -+ ret = k5_buf_status(&expected); -+ if (ret) -+ goto cleanup; -+ -+ /* -+ * Mark the cred expired so that it will be skipped over by any future -+ * match checks. Heimdal only sets endtime, but we also set authtime to -+ * distinguish from gssproxy's creds. -+ */ -+ cred->times.endtime = 0; -+ cred->times.authtime = -1; -+ -+ /* For config entries, also change the realm so that other implementations -+ * won't match them. */ -+ if (cred->server != NULL && cred->server->realm.length > 0 && -+ strcmp(cred->server->realm.data, "X-CACHECONF:") == 0) -+ memcpy(cred->server->realm.data, "X-RMED-CONF:", 12); -+ -+ k5_marshal_cred(&overwrite, fcursor->version, cred); -+ ret = k5_buf_status(&overwrite); -+ if (ret) -+ goto cleanup; -+ -+ if (expected.len != overwrite.len) { -+ ret = KRB5_CC_FORMAT; -+ goto cleanup; -+ } -+ -+ /* Get a non-O_APPEND handle to the raw file. */ -+ fd = open(data->filename, O_RDWR | O_BINARY | O_CLOEXEC); -+ if (fd == -1) { -+ ret = interpret_errno(context, errno); -+ goto cleanup; -+ } -+ -+ start_offset = ftell(fcursor->fp); -+ if (start_offset == -1) { -+ ret = interpret_errno(context, errno); -+ goto cleanup; -+ } -+ start_offset -= expected.len; -+ -+ /* Read the bytes at the entry to be overwritten. */ -+ if (lseek(fd, start_offset, SEEK_SET) == -1) { -+ ret = interpret_errno(context, errno); -+ goto cleanup; -+ } -+ on_disk = k5alloc(expected.len, &ret); -+ if (ret != 0) -+ goto cleanup; -+ rwret = read(fd, on_disk, expected.len); -+ if (rwret < 0) { -+ ret = interpret_errno(context, errno); -+ goto cleanup; -+ } else if ((size_t)rwret != expected.len) { -+ ret = KRB5_CC_FORMAT; -+ goto cleanup; -+ } -+ -+ /* -+ * If the bytes have changed, either someone else removed the same cred or -+ * the cache was reinitialized. Either way the cred is no longer present, -+ * so return successfully. -+ */ -+ if (memcmp(on_disk, expected.data, expected.len) != 0) -+ goto cleanup; -+ -+ /* Write out the altered entry. */ -+ if (lseek(fd, start_offset, SEEK_SET) == -1) { -+ ret = interpret_errno(context, errno); -+ goto cleanup; -+ } -+ rwret = write(fd, overwrite.data, overwrite.len); -+ if (rwret < 0) { -+ ret = interpret_errno(context, errno); -+ goto cleanup; -+ } -+ -+cleanup: -+ close(fd); -+ zapfree(on_disk, expected.len); -+ k5_buf_free(&expected); -+ k5_buf_free(&overwrite); -+ return ret; -+} -+ -+/* Remove the given creds from the ccache file. */ - static krb5_error_code KRB5_CALLCONV - fcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, - krb5_creds *creds) - { -- return KRB5_CC_NOSUPP; -+ krb5_error_code ret; -+ krb5_cc_cursor cursor; -+ krb5_creds cur; -+ -+ ret = krb5_cc_start_seq_get(context, cache, &cursor); -+ if (ret) -+ return ret; -+ -+ for (;;) { -+ ret = krb5_cc_next_cred(context, cache, &cursor, &cur); -+ if (ret) -+ break; -+ -+ if (krb5int_cc_creds_match_request(context, flags, creds, &cur)) -+ ret = delete_cred(context, cache, &cursor, &cur); -+ krb5_free_cred_contents(context, &cur); -+ if (ret) -+ break; -+ } -+ -+ krb5_cc_end_seq_get(context, cache, &cursor); -+ return (ret == KRB5_CC_END) ? 0 : ret; - } - - static krb5_error_code KRB5_CALLCONV -diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c -index 8419f6ebf..98723fe2e 100644 ---- a/src/lib/krb5/ccache/cc_keyring.c -+++ b/src/lib/krb5/ccache/cc_keyring.c -@@ -1032,40 +1032,44 @@ krcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, - - memset(creds, 0, sizeof(krb5_creds)); - -- /* The cursor has the entire list of keys. (Note that we don't support -- * remove_cred.) */ -+ /* The cursor has the entire list of keys. */ - krcursor = *cursor; - if (krcursor == NULL) - return KRB5_CC_END; - -- /* If we're pointing past the end of the keys array, there are no more. */ -- if (krcursor->currkey >= krcursor->numkeys) -- return KRB5_CC_END; -+ while (krcursor->currkey < krcursor->numkeys) { -+ /* If we're pointing at the entry with the principal, or at the key -+ * with the time offsets, skip it. */ -+ if (krcursor->keys[krcursor->currkey] == krcursor->princ_id || -+ krcursor->keys[krcursor->currkey] == krcursor->offsets_id) { -+ krcursor->currkey++; -+ continue; -+ } - -- /* If we're pointing at the entry with the principal, or at the key -- * with the time offsets, skip it. */ -- while (krcursor->keys[krcursor->currkey] == krcursor->princ_id || -- krcursor->keys[krcursor->currkey] == krcursor->offsets_id) { -+ /* Read the key; the right size buffer will be allocated and -+ * returned. */ -+ psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey], -+ &payload); -+ if (psize != -1) { -+ krcursor->currkey++; -+ -+ /* Unmarshal the cred using the file ccache version 4 format. */ -+ ret = k5_unmarshal_cred(payload, psize, 4, creds); -+ free(payload); -+ return ret; -+ } else if (errno != ENOKEY && errno != EACCES) { -+ DEBUG_PRINT(("Error reading key %d: %s\n", -+ krcursor->keys[krcursor->currkey], strerror(errno))); -+ return KRB5_FCC_NOFILE; -+ } -+ -+ /* The current key was unlinked, probably by a remove_cred call; move -+ * on to the next one. */ - krcursor->currkey++; -- /* Check if we have now reached the end */ -- if (krcursor->currkey >= krcursor->numkeys) -- return KRB5_CC_END; - } - -- /* Read the key; the right size buffer will be allocated and returned. */ -- psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey], &payload); -- if (psize == -1) { -- DEBUG_PRINT(("Error reading key %d: %s\n", -- krcursor->keys[krcursor->currkey], -- strerror(errno))); -- return KRB5_FCC_NOFILE; -- } -- krcursor->currkey++; -- -- /* Unmarshal the credential using the file ccache version 4 format. */ -- ret = k5_unmarshal_cred(payload, psize, 4, creds); -- free(payload); -- return ret; -+ /* No more keys in keyring. */ -+ return KRB5_CC_END; - } - - /* Release an iteration cursor. */ -@@ -1248,12 +1252,41 @@ krcc_retrieve(krb5_context context, krb5_ccache id, - creds); - } - --/* Non-functional stub for removing a cred from the cache keyring. */ -+/* Remove a credential from the cache keyring. */ - static krb5_error_code KRB5_CALLCONV - krcc_remove_cred(krb5_context context, krb5_ccache cache, - krb5_flags flags, krb5_creds *creds) - { -- return KRB5_CC_NOSUPP; -+ krb5_error_code ret; -+ krcc_data *data = cache->data; -+ krb5_cc_cursor cursor; -+ krb5_creds c; -+ krcc_cursor krcursor; -+ key_serial_t key; -+ krb5_boolean match; -+ -+ ret = krcc_start_seq_get(context, cache, &cursor); -+ if (ret) -+ return ret; -+ -+ for (;;) { -+ ret = krcc_next_cred(context, cache, &cursor, &c); -+ if (ret) -+ break; -+ match = krb5int_cc_creds_match_request(context, flags, creds, &c); -+ krb5_free_cred_contents(context, &c); -+ if (match) { -+ krcursor = cursor; -+ key = krcursor->keys[krcursor->currkey - 1]; -+ if (keyctl_unlink(key, data->cache_id) == -1) { -+ ret = errno; -+ break; -+ } -+ } -+ } -+ -+ krcc_end_seq_get(context, cache, &cursor); -+ return (ret == KRB5_CC_END) ? 0 : ret; - } - - /* Set flags on the cache. (We don't care about any flags.) */ -diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c -index 114ef6913..edf6fcc26 100644 ---- a/src/lib/krb5/ccache/cc_memory.c -+++ b/src/lib/krb5/ccache/cc_memory.c -@@ -405,14 +405,23 @@ krb5_mcc_next_cred(krb5_context context, krb5_ccache id, - */ - k5_cc_mutex_lock(context, &d->lock); - if (mcursor->generation != d->generation) { -- k5_cc_mutex_unlock(context, &d->lock); -- return KRB5_CC_END; -+ retval = KRB5_CC_END; -+ goto done; -+ } -+ -+ /* Skip over removed creds. */ -+ while (mcursor->next_link != NULL && mcursor->next_link->creds == NULL) -+ mcursor->next_link = mcursor->next_link->next; -+ if (mcursor->next_link == NULL) { -+ retval = KRB5_CC_END; -+ goto done; - } - - retval = k5_copy_creds_contents(context, mcursor->next_link->creds, creds); - if (retval == 0) - mcursor->next_link = mcursor->next_link->next; - -+done: - k5_cc_mutex_unlock(context, &d->lock); - return retval; - } -@@ -592,16 +601,31 @@ krb5_mcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, - } - - /* -- * Non-functional stub implementation for krb5_mcc_remove -+ * Modifies: -+ * the memory cache - * -- * Errors: -- * KRB5_CC_NOSUPP - not implemented -+ * Effects: -+ * Remove the given creds from the ccache. - */ - static krb5_error_code KRB5_CALLCONV - krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, - krb5_creds *creds) - { -- return KRB5_CC_NOSUPP; -+ krb5_mcc_data *data = (krb5_mcc_data *)cache->data; -+ krb5_mcc_link *l; -+ -+ k5_cc_mutex_lock(context, &data->lock); -+ -+ for (l = data->link; l != NULL; l = l->next) { -+ if (l->creds != NULL && -+ krb5int_cc_creds_match_request(context, flags, creds, l->creds)) { -+ krb5_free_creds(context, l->creds); -+ l->creds = NULL; -+ } -+ } -+ -+ k5_cc_mutex_unlock(context, &data->lock); -+ return 0; - } - - -diff --git a/src/lib/krb5/ccache/t_cc.c b/src/lib/krb5/ccache/t_cc.c -index cd4569c4c..954f2f465 100644 ---- a/src/lib/krb5/ccache/t_cc.c -+++ b/src/lib/krb5/ccache/t_cc.c -@@ -36,7 +36,7 @@ - - #define KRB5_OK 0 - --krb5_creds test_creds; -+krb5_creds test_creds, test_creds2; - - int debug=0; - -@@ -144,6 +144,10 @@ init_test_cred(krb5_context context) - a->length = 2; - test_creds.authdata[1] = a; - -+ memcpy(&test_creds2, &test_creds, sizeof(test_creds)); -+ kret = krb5_build_principal(context, &test_creds2.server, sizeof(REALM), -+ REALM, "server-comp1", "server-comp3", NULL); -+ - cleanup: - if(kret) { - if (test_creds.client) { -@@ -170,6 +174,7 @@ free_test_cred(krb5_context context) - krb5_free_principal(context, test_creds.client); - - krb5_free_principal(context, test_creds.server); -+ krb5_free_principal(context, test_creds2.server); - - if(test_creds.authdata) { - krb5_free_authdata(context, test_creds.authdata); -@@ -199,6 +204,44 @@ free_test_cred(krb5_context context) - #define CHECK_FAIL(experr, kret, msg) \ - if (experr != kret) { CHECK(kret, msg);} - -+static void -+check_num_entries(krb5_context context, krb5_ccache cache, int expected, -+ unsigned linenum) -+{ -+ krb5_error_code ret; -+ krb5_cc_cursor cursor; -+ krb5_creds creds; -+ int count = 0; -+ -+ ret = krb5_cc_start_seq_get(context, cache, &cursor); -+ if (ret != 0) { -+ com_err("", ret, "(on line %d) - krb5_cc_start_seq_get", linenum); -+ fflush(stderr); -+ exit(1); -+ } -+ -+ while (1) { -+ ret = krb5_cc_next_cred(context, cache, &cursor, &creds); -+ if (ret) -+ break; -+ -+ count++; -+ krb5_free_cred_contents(context, &creds); -+ } -+ krb5_cc_end_seq_get(context, cache, &cursor); -+ if (ret != KRB5_CC_END) { -+ CHECK(ret, "counting entries in ccache"); -+ } -+ -+ if (count != expected) { -+ com_err("", KRB5_FCC_INTERNAL, -+ "(on line %d) - count didn't match (expected %d, got %d)", -+ linenum, expected, count); -+ fflush(stderr); -+ exit(1); -+ } -+} -+ - static void - cc_test(krb5_context context, const char *name, krb5_flags flags) - { -@@ -207,6 +250,7 @@ cc_test(krb5_context context, const char *name, krb5_flags flags) - krb5_error_code kret; - krb5_cc_cursor cursor; - krb5_principal tmp; -+ krb5_flags matchflags = KRB5_TC_MATCH_IS_SKEY; - - const char *c_name; - char newcache[300]; -@@ -311,9 +355,90 @@ cc_test(krb5_context context, const char *name, krb5_flags flags) - kret = krb5_cc_destroy(context, id2); - CHECK(kret, "destroy id2"); - -+ /* ----------------------------------------------------- */ -+ /* Test credential removal */ -+ kret = krb5_cc_resolve(context, name, &id); -+ CHECK(kret, "resolving for remove"); -+ -+ kret = krb5_cc_initialize(context, id, test_creds.client); -+ CHECK(kret, "initialize for remove"); -+ check_num_entries(context, id, 0, __LINE__); -+ -+ kret = krb5_cc_store_cred(context, id, &test_creds); -+ CHECK(kret, "store for remove (first pass)"); -+ check_num_entries(context, id, 1, __LINE__); /* 1 */ -+ -+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds); -+ CHECK(kret, "removing credential (first pass)"); -+ check_num_entries(context, id, 0, __LINE__); /* empty */ -+ -+ kret = krb5_cc_store_cred(context, id, &test_creds); -+ CHECK(kret, "first store for remove (second pass)"); -+ check_num_entries(context, id, 1, __LINE__); /* 1 */ -+ -+ kret = krb5_cc_store_cred(context, id, &test_creds2); -+ CHECK(kret, "second store for remove (second pass)"); -+ check_num_entries(context, id, 2, __LINE__); /* 1, 2 */ -+ -+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds2); -+ CHECK(kret, "first remove (second pass)"); -+ check_num_entries(context, id, 1, __LINE__); /* 1 */ -+ -+ kret = krb5_cc_store_cred(context, id, &test_creds2); -+ CHECK(kret, "third store for remove (second pass)"); -+ check_num_entries(context, id, 2, __LINE__); /* 1, 2 */ -+ -+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds); -+ CHECK(kret, "second remove (second pass)"); -+ check_num_entries(context, id, 1, __LINE__); /* 2 */ -+ -+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds2); -+ CHECK(kret, "third remove (second pass)"); -+ check_num_entries(context, id, 0, __LINE__); /* empty */ -+ -+ kret = krb5_cc_destroy(context, id); -+ CHECK(kret, "destruction for remove"); -+ -+ /* Test removal with iteration. */ -+ kret = krb5_cc_resolve(context, name, &id); -+ CHECK(kret, "resolving for remove-iter"); -+ -+ kret = krb5_cc_initialize(context, id, test_creds.client); -+ CHECK(kret, "initialize for remove-iter"); -+ -+ kret = krb5_cc_store_cred(context, id, &test_creds); -+ CHECK(kret, "first store for remove-iter"); -+ -+ kret = krb5_cc_store_cred(context, id, &test_creds2); -+ CHECK(kret, "second store for remove-iter"); -+ -+ kret = krb5_cc_start_seq_get(context, id, &cursor); -+ CHECK(kret, "start_seq_get for remove-iter"); -+ -+ kret = krb5_cc_remove_cred(context, id, matchflags, &test_creds); -+ CHECK(kret, "remove for remove-iter"); -+ -+ while (1) { -+ /* The removed credential may or may not be present in the cache - -+ * either behavior is technically correct. */ -+ kret = krb5_cc_next_cred(context, id, &cursor, &creds); -+ if (kret == KRB5_CC_END) -+ break; -+ CHECK(kret, "next_cred for remove-iter: %s"); -+ -+ CHECK(creds.times.endtime == 0, "no-lifetime cred"); -+ -+ krb5_free_cred_contents(context, &creds); -+ } -+ -+ kret = krb5_cc_end_seq_get(context, id, &cursor); -+ CHECK(kret, "end_seq_get for remove-iter"); -+ -+ kret = krb5_cc_destroy(context, id); -+ CHECK(kret, "destruction for remove-iter"); -+ - free(save_type); - free_test_cred(context); -- - } - - /* diff --git a/Improve-error-messages-from-kadmin-change_password.patch b/Improve-error-messages-from-kadmin-change_password.patch deleted file mode 100644 index aff1567..0000000 --- a/Improve-error-messages-from-kadmin-change_password.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 69a09fc7c76f443f08c437043d689669d39f46ca Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 6 May 2019 13:13:16 -0400 -Subject: [PATCH] Improve error messages from kadmin change_password - -The checks for missing option arguments were dead code, because the -loop condition requires at least two remaining arguments. Instead -check for at least one argument with a leading "-", and check for too -many or too few arguments after the loop. Add an initial message for -unrecognized options. - -[ghudson@mit.edu: adjusted logic to improve mesages in more cases] - -(cherry picked from commit 13ba54002d362ebb09be464b4e7ec75050d1348f) ---- - src/kadmin/cli/kadmin.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c -index cc74921bf..fe4cb493c 100644 ---- a/src/kadmin/cli/kadmin.c -+++ b/src/kadmin/cli/kadmin.c -@@ -797,11 +797,11 @@ kadmin_cpw(int argc, char *argv[]) - char **db_args = NULL; - int db_args_size = 0; - -- if (argc < 2) { -+ if (argc < 1) { - cpw_usage(NULL); - return; - } -- for (argv++, argc--; argc > 1; argc--, argv++) { -+ for (argv++, argc--; argc > 0 && **argv == '-'; argc--, argv++) { - if (!strcmp("-x", *argv)) { - argc--; - if (argc < 1) { -@@ -841,12 +841,16 @@ kadmin_cpw(int argc, char *argv[]) - goto cleanup; - } - } else { -+ com_err("change_password", 0, _("unrecognized option %s"), *argv); - cpw_usage(NULL); - goto cleanup; - } - } -- if (*argv == NULL) { -- com_err("change_password", 0, _("missing principal name")); -+ if (argc != 1) { -+ if (argc < 1) -+ com_err("change_password", 0, _("missing principal name")); -+ else -+ com_err("change_password", 0, _("too many arguments")); - cpw_usage(NULL); - goto cleanup; - } diff --git a/In-kpropd-debug-log-proper-ticket-enctype-names.patch b/In-kpropd-debug-log-proper-ticket-enctype-names.patch deleted file mode 100644 index dec823a..0000000 --- a/In-kpropd-debug-log-proper-ticket-enctype-names.patch +++ /dev/null @@ -1,28 +0,0 @@ -From bcd727fc66e9213e7b6ea4d22f781812033789ba Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 15 Jan 2019 13:41:16 -0500 -Subject: [PATCH] In kpropd, debug-log proper ticket enctype names - -This change replaces the last call of krb5_enctype_to_string() in our -sources with krb5_enctype_to_name(), ensuring that we log consistently -to users using readily discoverable strings. - -(cherry picked from commit 30e12a2ecdf7e2a034a91626a03b5c9909e4c68d) ---- - src/kprop/kpropd.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index 4cc035dc6..0c7bffa24 100644 ---- a/src/kprop/kpropd.c -+++ b/src/kprop/kpropd.c -@@ -1279,7 +1279,8 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp, - exit(1); - } - -- retval = krb5_enctype_to_string(*etype, etypebuf, sizeof(etypebuf)); -+ retval = krb5_enctype_to_name(*etype, FALSE, etypebuf, -+ sizeof(etypebuf)); - if (retval) { - com_err(progname, retval, _("while unparsing ticket etype")); - exit(1); diff --git a/In-rd_req_dec-always-log-non-permitted-enctypes.patch b/In-rd_req_dec-always-log-non-permitted-enctypes.patch deleted file mode 100644 index 148deb0..0000000 --- a/In-rd_req_dec-always-log-non-permitted-enctypes.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 7710ba9b6d48ae82a2b2559131c6a8da802a4c0d Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 14 Jan 2019 17:14:42 -0500 -Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes - -The buffer specified in negotiate_etype() is too small for use with -the AES enctypes when used with krb5_enctype_to_string(), so switch to -using krb5_enctype_to_name(). - -(cherry picked from commit bf75ebf583a51bf00005a96d17924818d19377be) ---- - src/lib/krb5/krb/rd_req_dec.c | 5 ++--- - src/tests/gssapi/t_enctypes.py | 5 +++-- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c -index 4cd429a11..e75192fee 100644 ---- a/src/lib/krb5/krb/rd_req_dec.c -+++ b/src/lib/krb5/krb/rd_req_dec.c -@@ -864,9 +864,8 @@ negotiate_etype(krb5_context context, - if (permitted == FALSE) { - char enctype_name[30]; - -- if (krb5_enctype_to_string(desired_etypes[i], -- enctype_name, -- sizeof(enctype_name)) == 0) -+ if (krb5_enctype_to_name(desired_etypes[i], FALSE, enctype_name, -+ sizeof(enctype_name)) == 0) - k5_setmsg(context, KRB5_NOPERM_ETYPE, - _("Encryption type %s not permitted"), enctype_name); - return KRB5_NOPERM_ETYPE; -diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py -index ee43ff028..5d9f80e04 100755 ---- a/src/tests/gssapi/t_enctypes.py -+++ b/src/tests/gssapi/t_enctypes.py -@@ -85,7 +85,8 @@ test('both aes128', 'aes128-cts', 'aes128-cts', - # If only the acceptor constrains the permitted session enctypes to - # aes128, subkey negotiation fails because the acceptor considers the - # aes256 session key to be non-permitted. --test_err('acc aes128', None, 'aes128-cts', 'Encryption type not permitted') -+test_err('acc aes128', None, 'aes128-cts', -+ 'Encryption type aes256-cts-hmac-sha1-96 not permitted') - - # If the initiator constrains the permitted session enctypes to des3, - # no acceptor subkey will be generated because we can't upgrade to a -@@ -128,7 +129,7 @@ test('upgrade init des3+rc4', 'des3 rc4', None, - # is only for the sake of the kernel, since we could upgrade to an - # aes128 subkey, but it's the current semantics.) - test_err('upgrade acc aes128', None, 'aes128-cts', -- 'Encryption type ArcFour with HMAC/md5 not permitted') -+ 'Encryption type arcfour-hmac not permitted') - - # If the acceptor permits rc4 but prefers aes128, it will negotiate an - # upgrade to aes128. diff --git a/Initialize-some-data-structure-magic-fields.patch b/Initialize-some-data-structure-magic-fields.patch deleted file mode 100644 index e392f10..0000000 --- a/Initialize-some-data-structure-magic-fields.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 3f8434553e5bc3551c7be651de196caf98647cf3 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 2 May 2019 13:36:38 -0400 -Subject: [PATCH] Initialize some data structure magic fields - -Static analyzers may complain if they see a data structure copied with -an uninitialized field, even if the copy target won't use the field. -Add magic field initializers in three such places. - -[ghudson@mit.edu: rewrote commit message] - -(cherry picked from commit 551e88e76e537e45f6c80eadaefeb790994f83f9) ---- - src/lib/gssapi/krb5/util_cksum.c | 1 + - src/lib/krb5/krb/authdata.c | 8 ++------ - 2 files changed, 3 insertions(+), 6 deletions(-) - -diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c -index cfd585ec7..a1770774e 100644 ---- a/src/lib/gssapi/krb5/util_cksum.c -+++ b/src/lib/gssapi/krb5/util_cksum.c -@@ -48,6 +48,7 @@ kg_checksum_channel_bindings(context, cb, cksum) - - cksum->checksum_type = CKSUMTYPE_RSA_MD5; - cksum->length = sumlen; -+ cksum->magic = KV5M_CHECKSUM; - - /* generate a buffer full of zeros if no cb specified */ - -diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c -index 7fbcfab68..3e7dfbe49 100644 ---- a/src/lib/krb5/krb/authdata.c -+++ b/src/lib/krb5/krb/authdata.c -@@ -976,9 +976,7 @@ krb5_authdata_export_internal(krb5_context kcontext, - - *ptr = NULL; - -- name.length = strlen(module_name); -- name.data = (char *)module_name; -- -+ name = make_data((char *)module_name, strlen(module_name)); - module = k5_ad_find_module(kcontext, context, AD_USAGE_MASK, &name); - if (module == NULL) - return ENOENT; -@@ -1005,9 +1003,7 @@ krb5_authdata_free_internal(krb5_context kcontext, - krb5_data name; - struct _krb5_authdata_context_module *module; - -- name.length = strlen(module_name); -- name.data = (char *)module_name; -- -+ name = make_data((char *)module_name, strlen(module_name)); - module = k5_ad_find_module(kcontext, context, AD_USAGE_MASK, &name); - if (module == NULL) - return ENOENT; diff --git a/Log-unknown-enctypes-as-unsupported-in-KDC.patch b/Log-unknown-enctypes-as-unsupported-in-KDC.patch deleted file mode 100644 index e742826..0000000 --- a/Log-unknown-enctypes-as-unsupported-in-KDC.patch +++ /dev/null @@ -1,52 +0,0 @@ -From f4681ed7ec9f22fdbacc5c58a9f12ef567601267 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Fri, 27 Sep 2019 16:55:37 -0400 -Subject: [PATCH] Log unknown enctypes as unsupported in KDC - -Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and -deprecated enctypes as "DEPRECATED:". An invalid enctype might be too -old or marginal to be supported (like single-DES) or too new to be -recognized. For clarity, prefix invalid enctypes with "UNSUPPORTED:" -instead. - -ticket: 8773 -(cherry picked from commit 5ee99b0007f480f01f86340d1c30da51cc80da96) ---- - src/kdc/kdc_util.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 698f18c1c..8700ec02c 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -1048,20 +1048,22 @@ void limit_string(char *name) - static krb5_error_code - enctype_name(krb5_enctype ktype, char *buf, size_t buflen) - { -- char *name; -+ const char *name, *prefix = ""; - size_t len; - - if (buflen == 0) - return EINVAL; - *buf = '\0'; /* ensure these are always valid C-strings */ - -- if (krb5int_c_deprecated_enctype(ktype)) { -- len = strlcpy(buf, "DEPRECATED:", buflen); -- if (len >= buflen) -- return ENOMEM; -- buflen -= len; -- buf += len; -- } -+ if (!krb5_c_valid_enctype(ktype)) -+ prefix = "UNSUPPORTED:"; -+ else if (krb5int_c_deprecated_enctype(ktype)) -+ prefix = "DEPRECATED:"; -+ len = strlcpy(buf, prefix, buflen); -+ if (len >= buflen) -+ return ENOMEM; -+ buflen -= len; -+ buf += len; - - /* rfc4556 recommends that clients wishing to indicate support for these - * pkinit algorithms include them in the etype field of the AS-REQ. */ diff --git a/Make-etype-names-in-KDC-logs-human-readable.patch b/Make-etype-names-in-KDC-logs-human-readable.patch deleted file mode 100644 index 451e554..0000000 --- a/Make-etype-names-in-KDC-logs-human-readable.patch +++ /dev/null @@ -1,296 +0,0 @@ -From 87e5a350db1c18a92427a2a7645cc53d5813672d Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 8 Jan 2019 17:42:35 -0500 -Subject: [PATCH] Make etype names in KDC logs human-readable - -Introduce enctype_name() as a wrapper over krb5_enctype_to_name for -converting between registered constants and names. Adjust signatures -and rewrite ktypes2str() and rep_etypes2str() to operate on dynamic -buffers. - -ticket: 8772 (new) -(cherry picked from commit a649279727490687d54becad91fde8cf7429d951) ---- - src/kdc/kdc_log.c | 42 +++++++-------- - src/kdc/kdc_util.c | 131 +++++++++++++++++++++++---------------------- - src/kdc/kdc_util.h | 6 +-- - 3 files changed, 90 insertions(+), 89 deletions(-) - -diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c -index 4eec50373..b160ba21a 100644 ---- a/src/kdc/kdc_log.c -+++ b/src/kdc/kdc_log.c -@@ -65,7 +65,7 @@ log_as_req(krb5_context context, - { - const char *fromstring = 0; - char fromstringbuf[70]; -- char ktypestr[128]; -+ char *ktypestr = NULL; - const char *cname2 = cname ? cname : ""; - const char *sname2 = sname ? sname : ""; - -@@ -74,26 +74,29 @@ log_as_req(krb5_context context, - fromstringbuf, sizeof(fromstringbuf)); - if (!fromstring) - fromstring = ""; -- ktypes2str(ktypestr, sizeof(ktypestr), -- request->nktypes, request->ktype); -+ -+ ktypestr = ktypes2str(request->ktype, request->nktypes); - - if (status == NULL) { - /* success */ -- char rep_etypestr[128]; -- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); -+ char *rep_etypestr = rep_etypes2str(reply); - krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, " - "%s for %s"), -- ktypestr, fromstring, (unsigned int)authtime, -- rep_etypestr, cname2, sname2); -+ ktypestr ? ktypestr : "", fromstring, -+ (unsigned int)authtime, -+ rep_etypestr ? rep_etypestr : "", cname2, sname2); -+ free(rep_etypestr); - } else { - /* fail */ - krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: %s: %s for %s%s%s"), -- ktypestr, fromstring, status, -- cname2, sname2, emsg ? ", " : "", emsg ? emsg : ""); -+ ktypestr ? ktypestr : "", fromstring, status, cname2, -+ sname2, emsg ? ", " : "", emsg ? emsg : ""); - } - krb5_db_audit_as_req(context, request, - local_addr->address, remote_addr->address, - client, server, authtime, errcode); -+ -+ free(ktypestr); - } - - /* -@@ -122,10 +125,9 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from, - unsigned int c_flags, - const char *status, krb5_error_code errcode, const char *emsg) - { -- char ktypestr[128]; -+ char *ktypestr = NULL, *rep_etypestr = NULL; - const char *fromstring = 0; - char fromstringbuf[70]; -- char rep_etypestr[128]; - char *cname = NULL, *sname = NULL, *altcname = NULL; - char *logcname = NULL, *logsname = NULL, *logaltcname = NULL; - -@@ -134,11 +136,6 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from, - fromstringbuf, sizeof(fromstringbuf)); - if (!fromstring) - fromstring = ""; -- ktypes2str(ktypestr, sizeof(ktypestr), request->nktypes, request->ktype); -- if (!errcode) -- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); -- else -- rep_etypestr[0] = 0; - - unparse_and_limit(ctx, cprinc, &cname); - logcname = (cname != NULL) ? cname : ""; -@@ -151,10 +148,14 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from, - name (useful), and doesn't log ktypestr (probably not - important). */ - if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) { -+ ktypestr = ktypes2str(request->ktype, request->nktypes); -+ rep_etypestr = rep_etypes2str(reply); - krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s " - "%s for %s%s%s"), -- ktypestr, fromstring, status, (unsigned int)authtime, -- rep_etypestr, !errcode ? "," : "", logcname, logsname, -+ ktypestr ? ktypestr : "", fromstring, status, -+ (unsigned int)authtime, -+ rep_etypestr ? rep_etypestr : "", -+ !errcode ? "," : "", logcname, logsname, - errcode ? ", " : "", errcode ? emsg : ""); - if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) - krb5_klog_syslog(LOG_INFO, -@@ -171,9 +172,8 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from, - fromstring, status, (unsigned int)authtime, - logcname, logsname, logaltcname); - -- /* OpenSolaris: audit_krb5kdc_tgs_req(...) or -- audit_krb5kdc_tgs_req_2ndtktmm(...) */ -- -+ free(rep_etypestr); -+ free(ktypestr); - krb5_free_unparsed_name(ctx, cname); - krb5_free_unparsed_name(ctx, sname); - krb5_free_unparsed_name(ctx, altcname); -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 0155c28c6..f5c581c82 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -1043,84 +1043,87 @@ void limit_string(char *name) - return; - } - --/* -- * L10_2 = log10(2**x), rounded up; log10(2) ~= 0.301. -- */ --#define L10_2(x) ((int)(((x * 301) + 999) / 1000)) -- --/* -- * Max length of sprintf("%ld") for an int of type T; includes leading -- * minus sign and terminating NUL. -- */ --#define D_LEN(t) (L10_2(sizeof(t) * CHAR_BIT) + 2) -- --void --ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype) -+/* Wrapper of krb5_enctype_to_name() to include the PKINIT types. */ -+static krb5_error_code -+enctype_name(krb5_enctype ktype, char *buf, size_t buflen) - { -- int i; -- char stmp[D_LEN(krb5_enctype) + 1]; -- char *p; -+ char *name; - -- if (nktypes < 0 -- || len < (sizeof(" etypes {...}") + D_LEN(int))) { -- *s = '\0'; -- return; -- } -+ if (buflen == 0) -+ return EINVAL; -+ *buf = '\0'; /* ensure these are always valid C-strings */ - -- snprintf(s, len, "%d etypes {", nktypes); -- for (i = 0; i < nktypes; i++) { -- snprintf(stmp, sizeof(stmp), "%s%ld", i ? " " : "", (long)ktype[i]); -- if (strlen(s) + strlen(stmp) + sizeof("}") > len) -- break; -- strlcat(s, stmp, len); -- } -- if (i < nktypes) { -- /* -- * We broke out of the loop. Try to truncate the list. -- */ -- p = s + strlen(s); -- while (p - s + sizeof("...}") > len) { -- while (p > s && *p != ' ' && *p != '{') -- *p-- = '\0'; -- if (p > s && *p == ' ') { -- *p-- = '\0'; -- continue; -- } -- } -- strlcat(s, "...", len); -- } -- strlcat(s, "}", len); -- return; -+ /* rfc4556 recommends that clients wishing to indicate support for these -+ * pkinit algorithms include them in the etype field of the AS-REQ. */ -+ if (ktype == ENCTYPE_DSA_SHA1_CMS) -+ name = "id-dsa-with-sha1-CmsOID"; -+ else if (ktype == ENCTYPE_MD5_RSA_CMS) -+ name = "md5WithRSAEncryption-CmsOID"; -+ else if (ktype == ENCTYPE_SHA1_RSA_CMS) -+ name = "sha-1WithRSAEncryption-CmsOID"; -+ else if (ktype == ENCTYPE_RC2_CBC_ENV) -+ name = "rc2-cbc-EnvOID"; -+ else if (ktype == ENCTYPE_RSA_ENV) -+ name = "rsaEncryption-EnvOID"; -+ else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) -+ name = "id-RSAES-OAEP-EnvOID"; -+ else if (ktype == ENCTYPE_DES3_CBC_ENV) -+ name = "des-ede3-cbc-EnvOID"; -+ else -+ return krb5_enctype_to_name(ktype, FALSE, buf, buflen); -+ -+ if (strlcpy(name, buf, buflen) >= buflen) -+ return ENOMEM; -+ return 0; - } - --void --rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep) -+char * -+ktypes2str(krb5_enctype *ktype, int nktypes) - { -- char stmp[sizeof("ses=") + D_LEN(krb5_enctype)]; -+ struct k5buf buf; -+ int i; -+ char name[64]; - -- if (len < (3 * D_LEN(krb5_enctype) -- + sizeof("etypes {rep= tkt= ses=}"))) { -- *s = '\0'; -- return; -+ if (nktypes < 0) -+ return NULL; -+ -+ k5_buf_init_dynamic(&buf); -+ k5_buf_add_fmt(&buf, "%d etypes {", nktypes); -+ for (i = 0; i < nktypes; i++) { -+ enctype_name(ktype[i], name, sizeof(name)); -+ k5_buf_add_fmt(&buf, "%s%s(%ld)", i ? ", " : "", name, (long)ktype[i]); - } -+ k5_buf_add(&buf, "}"); -+ return buf.data; -+} - -- snprintf(s, len, "etypes {rep=%ld", (long)rep->enc_part.enctype); -+char * -+rep_etypes2str(krb5_kdc_rep *rep) -+{ -+ struct k5buf buf; -+ char name[64]; -+ krb5_enctype etype; -+ -+ k5_buf_init_dynamic(&buf); -+ k5_buf_add(&buf, "etypes {rep="); -+ enctype_name(rep->enc_part.enctype, name, sizeof(name)); -+ k5_buf_add_fmt(&buf, "%s(%ld)", name, (long)rep->enc_part.enctype); - - if (rep->ticket != NULL) { -- snprintf(stmp, sizeof(stmp), -- " tkt=%ld", (long)rep->ticket->enc_part.enctype); -- strlcat(s, stmp, len); -+ etype = rep->ticket->enc_part.enctype; -+ enctype_name(etype, name, sizeof(name)); -+ k5_buf_add_fmt(&buf, ", tkt=%s(%ld)", name, (long)etype); - } - -- if (rep->ticket != NULL -- && rep->ticket->enc_part2 != NULL -- && rep->ticket->enc_part2->session != NULL) { -- snprintf(stmp, sizeof(stmp), " ses=%ld", -- (long)rep->ticket->enc_part2->session->enctype); -- strlcat(s, stmp, len); -+ if (rep->ticket != NULL && rep->ticket->enc_part2 != NULL && -+ rep->ticket->enc_part2->session != NULL) { -+ etype = rep->ticket->enc_part2->session->enctype; -+ enctype_name(etype, name, sizeof(name)); -+ k5_buf_add_fmt(&buf, ", ses=%s(%ld)", name, (long)etype); - } -- strlcat(s, "}", len); -- return; -+ -+ k5_buf_add(&buf, "}"); -+ return buf.data; - } - - static krb5_error_code -diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h -index 6ec645fc3..25077cbf5 100644 ---- a/src/kdc/kdc_util.h -+++ b/src/kdc/kdc_util.h -@@ -110,11 +110,9 @@ select_session_keytype (kdc_realm_t *kdc_active_realm, - - void limit_string (char *name); - --void --ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype); -+char *ktypes2str(krb5_enctype *ktype, int nktypes); - --void --rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep); -+char *rep_etypes2str(krb5_kdc_rep *rep); - - /* authind.c */ - krb5_boolean diff --git a/Mark-deprecated-enctypes-when-used.patch b/Mark-deprecated-enctypes-when-used.patch deleted file mode 100644 index 9f520d7..0000000 --- a/Mark-deprecated-enctypes-when-used.patch +++ /dev/null @@ -1,250 +0,0 @@ -From 8e3b86c1e7bdd12c649127a8a44e5a269b5b4453 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 10 Jan 2019 16:34:54 -0500 -Subject: [PATCH] Mark deprecated enctypes when used - -Preface ETYPE_DEPRECATED enctypes with "DEPRECATED:" in klist output, -KDC logs, and kadmin interactions. Also complain in krb5kdc when the -stash file has a deprecated enctype or a deprecated enctype is -requested with -k. - -ticket: 8773 (new) -(cherry picked from commit 8d8e68283b599e680f9fe45eff8af397e827bd6c) ---- - src/clients/klist/klist.c | 14 ++++++++++---- - src/kadmin/cli/kadmin.c | 6 +++++- - src/kdc/kdc_util.c | 9 +++++++++ - src/kdc/main.c | 19 +++++++++++++++++++ - src/tests/gssapi/t_enctypes.py | 15 +++++++++------ - src/tests/t_keyrollover.py | 8 +++++--- - src/tests/t_sesskeynego.py | 4 ++-- - 7 files changed, 59 insertions(+), 16 deletions(-) - -diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c -index 70adb54e8..8c307151a 100644 ---- a/src/clients/klist/klist.c -+++ b/src/clients/klist/klist.c -@@ -571,11 +571,17 @@ static char * - etype_string(krb5_enctype enctype) - { - static char buf[100]; -- krb5_error_code ret; -+ char *bp = buf; -+ size_t deplen, buflen = sizeof(buf); - -- ret = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf)); -- if (ret) -- snprintf(buf, sizeof(buf), "etype %d", enctype); -+ if (krb5int_c_deprecated_enctype(enctype)) { -+ deplen = strlcpy(bp, "DEPRECATED:", buflen); -+ buflen -= deplen; -+ bp += deplen; -+ } -+ -+ if (krb5_enctype_to_name(enctype, FALSE, bp, buflen)) -+ snprintf(bp, buflen, "etype %d", enctype); - return buf; - } - -diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c -index ed581ee79..cc74921bf 100644 ---- a/src/kadmin/cli/kadmin.c -+++ b/src/kadmin/cli/kadmin.c -@@ -1451,12 +1451,16 @@ kadmin_getprinc(int argc, char *argv[]) - for (i = 0; i < dprinc.n_key_data; i++) { - krb5_key_data *key_data = &dprinc.key_data[i]; - char enctype[BUFSIZ], salttype[BUFSIZ]; -+ char *deprecated = ""; - - if (krb5_enctype_to_name(key_data->key_data_type[0], FALSE, - enctype, sizeof(enctype))) - snprintf(enctype, sizeof(enctype), _(""), - key_data->key_data_type[0]); -- printf("Key: vno %d, %s", key_data->key_data_kvno, enctype); -+ if (krb5int_c_deprecated_enctype(key_data->key_data_type[0])) -+ deprecated = "DEPRECATED:"; -+ printf("Key: vno %d, %s%s", key_data->key_data_kvno, deprecated, -+ enctype); - if (key_data->key_data_ver > 1 && - key_data->key_data_type[1] != KRB5_KDB_SALTTYPE_NORMAL) { - if (krb5_salttype_to_string(key_data->key_data_type[1], -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index f5c581c82..96c88edc1 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -1048,11 +1048,20 @@ static krb5_error_code - enctype_name(krb5_enctype ktype, char *buf, size_t buflen) - { - char *name; -+ size_t len; - - if (buflen == 0) - return EINVAL; - *buf = '\0'; /* ensure these are always valid C-strings */ - -+ if (krb5int_c_deprecated_enctype(ktype)) { -+ len = strlcpy(buf, "DEPRECATED:", buflen); -+ if (len >= buflen) -+ return ENOMEM; -+ buflen -= len; -+ buf += len; -+ } -+ - /* rfc4556 recommends that clients wishing to indicate support for these - * pkinit algorithms include them in the etype field of the AS-REQ. */ - if (ktype == ENCTYPE_DSA_SHA1_CMS) -diff --git a/src/kdc/main.c b/src/kdc/main.c -index 663fd6303..60092a0df 100644 ---- a/src/kdc/main.c -+++ b/src/kdc/main.c -@@ -210,12 +210,23 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm, - char *svalue = NULL; - const char *hierarchy[4]; - krb5_kvno mkvno = IGNORE_VNO; -+ char ename[32]; - - memset(rdp, 0, sizeof(kdc_realm_t)); - if (!realm) { - kret = EINVAL; - goto whoops; - } -+ -+ if (def_enctype != ENCTYPE_UNKNOWN && -+ krb5int_c_deprecated_enctype(def_enctype)) { -+ if (krb5_enctype_to_name(def_enctype, FALSE, ename, sizeof(ename))) -+ ename[0] = '\0'; -+ fprintf(stderr, -+ _("Requested master password enctype %s in %s is DEPRECATED!"), -+ ename, realm); -+ } -+ - hierarchy[0] = KRB5_CONF_REALMS; - hierarchy[1] = realm; - hierarchy[3] = NULL; -@@ -370,6 +381,14 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm, - goto whoops; - } - -+ if (krb5int_c_deprecated_enctype(rdp->realm_mkey.enctype)) { -+ if (krb5_enctype_to_name(rdp->realm_mkey.enctype, FALSE, ename, -+ sizeof(ename))) -+ ename[0] = '\0'; -+ fprintf(stderr, _("Stash file %s uses DEPRECATED enctype %s!"), -+ rdp->realm_stash, ename); -+ } -+ - if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc, - &rdp->realm_mkey))) { - kdc_err(rdp->realm_context, kret, -diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py -index 5d9f80e04..ca3d32d21 100755 ---- a/src/tests/gssapi/t_enctypes.py -+++ b/src/tests/gssapi/t_enctypes.py -@@ -9,8 +9,11 @@ from k5test import * - aes256 = 'aes256-cts-hmac-sha1-96' - aes128 = 'aes128-cts-hmac-sha1-96' - des3 = 'des3-cbc-sha1' -+d_des3 = 'DEPRECATED:des3-cbc-sha1' - des3raw = 'des3-cbc-raw' -+d_des3raw = 'DEPRECATED:des3-cbc-raw' - rc4 = 'arcfour-hmac' -+d_rc4 = 'DEPRECATED:arcfour-hmac' - - # These tests make assumptions about the default enctype lists, so set - # them explicitly rather than relying on the library defaults. -@@ -92,7 +95,7 @@ test_err('acc aes128', None, 'aes128-cts', - # no acceptor subkey will be generated because we can't upgrade to a - # CFX enctype. - test('init des3', 'des3', None, -- tktenc=aes256, tktsession=des3, -+ tktenc=aes256, tktsession=d_des3, - proto='rfc1964', isubkey=des3raw, asubkey=None) - - # Force the ticket session key to be rc4, so we can test some subkey -@@ -103,7 +106,7 @@ realm.run([kadminl, 'setstr', realm.host_princ, 'session_enctypes', 'rc4']) - # [aes256 aes128 des3] and the acceptor should upgrade to an aes256 - # subkey. - test('upgrade noargs', None, None, -- tktenc=aes256, tktsession=rc4, -+ tktenc=aes256, tktsession=d_rc4, - proto='cfx', isubkey=rc4, asubkey=aes256) - - # If the initiator won't permit rc4 as a session key, it won't be able -@@ -113,14 +116,14 @@ test_err('upgrade init aes', 'aes', None, 'no support for encryption type') - # If the initiator permits rc4 but prefers aes128, it will send an - # upgrade list of [aes128] and the acceptor will upgrade to aes128. - test('upgrade init aes128+rc4', 'aes128-cts rc4', None, -- tktenc=aes256, tktsession=rc4, -+ tktenc=aes256, tktsession=d_rc4, - proto='cfx', isubkey=rc4, asubkey=aes128) - - # If the initiator permits rc4 but prefers des3, it will send an - # upgrade list of [des3], but the acceptor won't generate a subkey - # because des3 isn't a CFX enctype. - test('upgrade init des3+rc4', 'des3 rc4', None, -- tktenc=aes256, tktsession=rc4, -+ tktenc=aes256, tktsession=d_rc4, - proto='rfc1964', isubkey=rc4, asubkey=None) - - # If the acceptor permits only aes128, subkey negotiation will fail -@@ -134,14 +137,14 @@ test_err('upgrade acc aes128', None, 'aes128-cts', - # If the acceptor permits rc4 but prefers aes128, it will negotiate an - # upgrade to aes128. - test('upgrade acc aes128 rc4', None, 'aes128-cts rc4', -- tktenc=aes256, tktsession=rc4, -+ tktenc=aes256, tktsession=d_rc4, - proto='cfx', isubkey=rc4, asubkey=aes128) - - # In this test, the initiator and acceptor each prefer an AES enctype - # to rc4, but they can't agree on which one, so no subkey is - # generated. - test('upgrade mismatch', 'aes128-cts rc4', 'aes256-cts rc4', -- tktenc=aes256, tktsession=rc4, -+ tktenc=aes256, tktsession=d_rc4, - proto='rfc1964', isubkey=rc4, asubkey=None) - - success('gss_krb5_set_allowable_enctypes tests') -diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py -index 7c8d828f0..4af6804f2 100755 ---- a/src/tests/t_keyrollover.py -+++ b/src/tests/t_keyrollover.py -@@ -22,8 +22,9 @@ realm.run([kvno, princ1]) - realm.run([kadminl, 'purgekeys', realm.krbtgt_princ]) - # Make sure an old TGT fails after purging old TGS key. - realm.run([kvno, princ2], expected_code=1) --msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \ -- (realm.realm, realm.realm) -+ddes = "DEPRECATED:des-cbc-crc" -+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \ -+ (realm.realm, realm.realm, ddes, ddes) - realm.run([klist, '-e'], expected_msg=msg) - - # Check that new key actually works. -@@ -48,7 +49,8 @@ realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts', - realm.krbtgt_princ]) - realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ]) - out = realm.run([kadminl, 'getprinc', realm.krbtgt_princ]) --if 'vno 1, aes256' not in out or 'vno 1, des3' not in out: -+if 'vno 1, aes256-cts' not in out or \ -+ 'vno 1, DEPRECATED:des3-cbc-sha1' not in out: - fail('keyrollover: setup for TGS enctype test failed') - # Now present the DES3 ticket to the KDC and make sure it's rejected. - realm.run([kvno, realm.host_princ], expected_code=1) -diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py -index 448092387..da02f224a 100755 ---- a/src/tests/t_sesskeynego.py -+++ b/src/tests/t_sesskeynego.py -@@ -62,11 +62,11 @@ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') - # 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term. - realm.run([kadminl, 'setstr', 'server', 'session_enctypes', - 'rc4-hmac,aes128-cts,aes256-cts']) --test_kvno(realm, 'arcfour-hmac', 'aes256-cts-hmac-sha1-96') -+test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') - - # 3c: Test des-cbc-crc default assumption. - realm.run([kadminl, 'delstr', 'server', 'session_enctypes']) --test_kvno(realm, 'des-cbc-crc', 'aes256-cts-hmac-sha1-96') -+test_kvno(realm, 'DEPRECATED:des-cbc-crc', 'aes256-cts-hmac-sha1-96') - realm.stop() - - # Last go: test that we can disable the des-cbc-crc assumption diff --git a/Mark-the-doc-kadm5-tex-files-as-historic.patch b/Mark-the-doc-kadm5-tex-files-as-historic.patch deleted file mode 100644 index 8ff592d..0000000 --- a/Mark-the-doc-kadm5-tex-files-as-historic.patch +++ /dev/null @@ -1,139 +0,0 @@ -From d8a20291fca962dfc88e396f2a60e41ede62be46 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 11 Apr 2019 18:33:04 -0400 -Subject: [PATCH] Mark the doc/kadm5 tex files as historic - -Remove rcsid.sty and the uses of the \rcsId macro as git does not -perform the keyword expansion necessary to make it work. Add comments -indicating the historic status of the kadm5 documentation. - -[ghudson@mit.edu: fix the tex files instead of marking them as -non-building] - -(cherry picked from commit e6047bdd6dec0d104417f9a1318bbafe022b81c1) ---- - doc/kadm5/adb-unit-test.tex | 7 ++++--- - doc/kadm5/api-funcspec.tex | 9 +++++---- - doc/kadm5/api-server-design.tex | 9 +++++---- - doc/kadm5/api-unit-test.tex | 7 ++++--- - doc/kadm5/rcsid.sty | 5 ----- - 5 files changed, 18 insertions(+), 19 deletions(-) - delete mode 100644 doc/kadm5/rcsid.sty - -diff --git a/doc/kadm5/adb-unit-test.tex b/doc/kadm5/adb-unit-test.tex -index d401342df..987af1a5e 100644 ---- a/doc/kadm5/adb-unit-test.tex -+++ b/doc/kadm5/adb-unit-test.tex -@@ -1,6 +1,7 @@ --\documentstyle[times,fullpage,rcsid]{article} -+% This document is included for historical purposes only, and does not -+% apply to krb5 today. - --\rcs$Id$ -+\documentstyle[times,fullpage]{article} - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %% Make _ actually generate an _, and allow line-breaking after it. -@@ -39,7 +40,7 @@ - %\newcommand{\Priority}[1]{} - - \title{OpenV*Secure Admin Database API\\ --Unit Test Description\footnote{\rcsId}} -+Unit Test Description} - \author{Jonathan I. Kamens} - - \begin{document} -diff --git a/doc/kadm5/api-funcspec.tex b/doc/kadm5/api-funcspec.tex -index c13090a51..76d2bb5d0 100644 ---- a/doc/kadm5/api-funcspec.tex -+++ b/doc/kadm5/api-funcspec.tex -@@ -1,4 +1,7 @@ --\documentstyle[12pt,fullpage,rcsid]{article} -+% This document is included for historical purposes only, and does not -+% apply to krb5 today. -+ -+\documentstyle[12pt,fullpage]{article} - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %% Make _ actually generate an _, and allow line-breaking after it. -@@ -7,15 +10,13 @@ - \def_{\underscore\penalty75\relax} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - --\rcs$Id$ -- - \setlength{\parskip}{.7\baselineskip} - \setlength{\parindent}{0pt} - - \def\v#1{\verb+#1+} - - \title{Kerberos Administration System \\ -- KADM5 API Functional Specifications\thanks{\rcsId}} -+ KADM5 API Functional Specifications} - \author{Barry Jaspan} - - \begin{document} -diff --git a/doc/kadm5/api-server-design.tex b/doc/kadm5/api-server-design.tex -index 228e83113..94e05b877 100644 ---- a/doc/kadm5/api-server-design.tex -+++ b/doc/kadm5/api-server-design.tex -@@ -1,4 +1,7 @@ --\documentstyle[12pt,fullpage,rcsid]{article} -+% This document is included for historical purposes only, and does not -+% apply to krb5 today. -+ -+\documentstyle[12pt,fullpage]{article} - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %% Make _ actually generate an _, and allow line-breaking after it. -@@ -7,15 +10,13 @@ - \def_{\underscore\penalty75\relax} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - --\rcs$Id$ -- - \setlength{\parskip}{.7\baselineskip} - \setlength{\parindent}{0pt} - - \def\v#1{\verb+#1+} - \def\k#1{K$_#1$} - --\title{KADM5 Library and Server \\ Implementation Design\thanks{\rcsId}} -+\title{KADM5 Library and Server \\ Implementation Design} - \author{Barry Jaspan} - - \begin{document} -diff --git a/doc/kadm5/api-unit-test.tex b/doc/kadm5/api-unit-test.tex -index 3e0eb503e..bfd6280bb 100644 ---- a/doc/kadm5/api-unit-test.tex -+++ b/doc/kadm5/api-unit-test.tex -@@ -1,6 +1,7 @@ --\documentstyle[times,fullpage,rcsid]{article} -+% This document is included for historical purposes only, and does not -+% apply to krb5 today. - --\rcs$Id$ -+\documentstyle[times,fullpage]{article} - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %% Make _ actually generate an _, and allow line-breaking after it. -@@ -41,7 +42,7 @@ - %\newcommand{\Priority}[1]{} - - \title{KADM5 Admin API\\ --Unit Test Description\footnote{\rcsId}} -+Unit Test Description} - \author{Jonathan I. Kamens} - - \begin{document} -diff --git a/doc/kadm5/rcsid.sty b/doc/kadm5/rcsid.sty -deleted file mode 100644 -index 3ad7826ff..000000000 ---- a/doc/kadm5/rcsid.sty -+++ /dev/null -@@ -1,5 +0,0 @@ --\def\rcs$#1: #2${\expandafter\def\csname rcs#1\endcsname{#2}} -- --% example usage: --% \rcs$Version$ --% Version \rcsVersion diff --git a/Modernize-example-enctypes-in-documentation.patch b/Modernize-example-enctypes-in-documentation.patch deleted file mode 100644 index 78ee5e6..0000000 --- a/Modernize-example-enctypes-in-documentation.patch +++ /dev/null @@ -1,232 +0,0 @@ -From b90cdec363eae38cb2ea40d40668e3fbc83edeb8 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 11 Apr 2019 18:25:41 -0400 -Subject: [PATCH] Modernize example enctypes in documentation - -ticket: 8805 (new) -(cherry picked from commit ccb4a3e4b35fa9ea63af0e98a42eba4aadb099e2) -[rharwood@redhat.com: release version conflict in man pages] ---- - doc/admin/admin_commands/kadmin_local.rst | 8 ++++---- - doc/admin/admin_commands/kdb5_util.rst | 10 +++++----- - doc/admin/database.rst | 2 +- - doc/admin/install_appl_srv.rst | 19 +++++++------------ - doc/admin/install_kdc.rst | 2 +- - src/man/kadmin.man | 10 +++++----- - src/man/kdb5_util.man | 10 +++++----- - .../kdb/ldap/libkdb_ldap/kerberos.ldif | 4 ++-- - .../kdb/ldap/libkdb_ldap/kerberos.schema | 4 ++-- - 9 files changed, 32 insertions(+), 37 deletions(-) - -diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst -index 150da1fad..71aa894f6 100644 ---- a/doc/admin/admin_commands/kadmin_local.rst -+++ b/doc/admin/admin_commands/kadmin_local.rst -@@ -569,16 +569,16 @@ Examples:: - Principal: tlyu/admin@BLEEP.COM - Expiration date: [never] - Last password change: Mon Aug 12 14:16:47 EDT 1996 -- Password expiration date: [none] -+ Password expiration date: [never] - Maximum ticket life: 0 days 10:00:00 - Maximum renewable life: 7 days 00:00:00 - Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) - Last successful authentication: [never] - Last failed authentication: [never] - Failed password attempts: 0 -- Number of keys: 2 -- Key: vno 1, des-cbc-crc -- Key: vno 1, des-cbc-crc:v4 -+ Number of keys: 1 -+ Key: vno 1, aes256-cts-hmac-sha384-192 -+ MKey: vno 1 - Attributes: - Policy: [none] - -diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst -index 7dd54f797..444c58bcd 100644 ---- a/doc/admin/admin_commands/kdb5_util.rst -+++ b/doc/admin/admin_commands/kdb5_util.rst -@@ -476,17 +476,17 @@ Examples:: - $ kdb5_util tabdump -o keyinfo.txt keyinfo - $ cat keyinfo.txt - name keyindex kvno enctype salttype salt -+ K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 - foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 - bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 -- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 - $ sqlite3 - sqlite> .mode tabs - sqlite> .import keyinfo.txt keyinfo -- sqlite> select * from keyinfo where enctype like 'des-cbc-%'; -- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 -+ sqlite> select * from keyinfo where enctype like 'aes256-%'; -+ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 - sqlite> .quit -- $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt -- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 -+ $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt -+ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 - - - ENVIRONMENT -diff --git a/doc/admin/database.rst b/doc/admin/database.rst -index 33895b857..cea60b009 100644 ---- a/doc/admin/database.rst -+++ b/doc/admin/database.rst -@@ -483,7 +483,7 @@ availability. To roll over the master key, follow these steps: - - $ kdb5_util list_mkeys - Master keys for Principal: K/M@KRBTEST.COM -- KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 * -+ KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * - - #. On the master KDC, run ``kdb5_util use_mkey 1`` to ensure that a - master key activation list is present in the database. This step -diff --git a/doc/admin/install_appl_srv.rst b/doc/admin/install_appl_srv.rst -index 6bae7248f..6b2d8e471 100644 ---- a/doc/admin/install_appl_srv.rst -+++ b/doc/admin/install_appl_srv.rst -@@ -44,18 +44,13 @@ pop, the administrator ``joeadmin`` would issue the command (on - ``trillium.mit.edu``):: - - trillium% kadmin -- kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu -- pop/trillium.mit.edu -- kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with -- kvno 3, encryption type DES-CBC-CRC added to keytab -- FILE:/etc/krb5.keytab. -- kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with -- kvno 3, encryption type DES-CBC-CRC added to keytab -- FILE:/etc/krb5.keytab. -- kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with -- kvno 3, encryption type DES-CBC-CRC added to keytab -- FILE:/etc/krb5.keytab. -- kadmin5: quit -+ Authenticating as principal root/admin@ATHENA.MIT.EDU with password. -+ Password for root/admin@ATHENA.MIT.EDU: -+ kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu -+ Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. -+ kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. -+ kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. -+ kadmin: quit - trillium% - - If you generate the keytab file on another host, you need to get a -diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst -index 5d1e70ede..3bec59f96 100644 ---- a/doc/admin/install_kdc.rst -+++ b/doc/admin/install_kdc.rst -@@ -340,7 +340,7 @@ To extract a keytab directly on a replica KDC called - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption -- type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. -+ type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. - -diff --git a/src/man/kadmin.man b/src/man/kadmin.man -index 3c4f013fb..44859a378 100644 ---- a/src/man/kadmin.man -+++ b/src/man/kadmin.man -@@ -1,6 +1,6 @@ - .\" Man page generated from reStructuredText. - . --.TH "KADMIN" "1" " " "1.17.1" "MIT Kerberos" -+.TH "KADMIN" "1" " " "1.18" "MIT Kerberos" - .SH NAME - kadmin \- Kerberos V5 database administration program - . -@@ -610,16 +610,16 @@ kadmin: getprinc tlyu/admin - Principal: tlyu/admin@BLEEP.COM - Expiration date: [never] - Last password change: Mon Aug 12 14:16:47 EDT 1996 --Password expiration date: [none] -+Password expiration date: [never] - Maximum ticket life: 0 days 10:00:00 - Maximum renewable life: 7 days 00:00:00 - Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) - Last successful authentication: [never] - Last failed authentication: [never] - Failed password attempts: 0 --Number of keys: 2 --Key: vno 1, des\-cbc\-crc --Key: vno 1, des\-cbc\-crc:v4 -+Number of keys: 1 -+Key: vno 1, aes256\-cts\-hmac\-sha384\-192 -+MKey: vno 1 - Attributes: - Policy: [none] - -diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man -index 9a36ef0df..46772a236 100644 ---- a/src/man/kdb5_util.man -+++ b/src/man/kdb5_util.man -@@ -529,17 +529,17 @@ Examples: - $ kdb5_util tabdump \-o keyinfo.txt keyinfo - $ cat keyinfo.txt - name keyindex kvno enctype salttype salt -+K/M@EXAMPLE.COM 0 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 - foo@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1 - bar@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1 --bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 - $ sqlite3 - sqlite> .mode tabs - sqlite> .import keyinfo.txt keyinfo --sqlite> select * from keyinfo where enctype like \(aqdes\-cbc\-%\(aq; --bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 -+sqlite> select * from keyinfo where enctype like \(aqaes256\-%\(aq; -+K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 - sqlite> .quit --$ awk \-F\(aq\et\(aq \(aq$4 ~ /des\-cbc\-/ { print }\(aq keyinfo.txt --bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 -+$ awk \-F\(aq\et\(aq \(aq$4 ~ /aes256\-/ { print }\(aq keyinfo.txt -+K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 - .ft P - .fi - .UNINDENT -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif -index 13db48609..4224f0850 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif -@@ -512,7 +512,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 - - ##### Holds the default encryption/salt type combinations of principals for - ##### the Realm. Stores in the form of key:salt strings. --##### Example: des-cbc-crc:normal -+##### Example: aes256-cts-hmac-sha384-192:normal - - dn: cn=schema - changetype: modify -@@ -533,7 +533,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 - ##### ONLYREALM - ##### SPECIAL - ##### AFS3 --##### Example: des-cbc-crc:normal -+##### Example: aes256-cts-hmac-sha384-192:normal - ##### - ##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes - ##### attributes. -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema -index 52036a178..171f66927 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema -+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema -@@ -410,7 +410,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.41.1 - ##### Holds the default encryption/salt type combinations of principals for - ##### the Realm. Stores in the form of key:salt strings. This will be - ##### subset of the supported encryption/salt types. --##### Example: des-cbc-crc:normal -+##### Example: aes256-cts-hmac-sha384-192:normal - - attributetype ( 2.16.840.1.113719.1.301.4.42.1 - NAME 'krbDefaultEncSaltTypes' -@@ -428,7 +428,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.42.1 - ##### ONLYREALM - ##### SPECIAL - ##### AFS3 --##### Example: des-cbc-crc:normal -+##### Example: aes256-cts-hmac-sha384-192:normal - - attributetype ( 2.16.840.1.113719.1.301.4.43.1 - NAME 'krbSupportedEncSaltTypes' diff --git a/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch b/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch deleted file mode 100644 index 9914759..0000000 --- a/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 762241d6dbcb7b90ecf6a7352553465c30fcab74 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 2 May 2019 14:32:33 -0400 -Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache() - -Move to a single lock / single unlock paradigm, and eliminate some -dead code in the old error handling. - -(cherry picked from commit 1b89e3d8e949f52901bce74c9afc7a1a64099520) ---- - src/lib/gssapi/krb5/copy_ccache.c | 31 ++++++++++++------------------- - 1 file changed, 12 insertions(+), 19 deletions(-) - -diff --git a/src/lib/gssapi/krb5/copy_ccache.c b/src/lib/gssapi/krb5/copy_ccache.c -index 027ed4847..2b2806e70 100644 ---- a/src/lib/gssapi/krb5/copy_ccache.c -+++ b/src/lib/gssapi/krb5/copy_ccache.c -@@ -9,7 +9,7 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status, - { - krb5_gss_cred_id_t k5creds; - krb5_error_code code; -- krb5_context context; -+ krb5_context context = NULL; - krb5_ccache out_ccache; - - assert(value->length == sizeof(out_ccache)); -@@ -23,30 +23,23 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status, - k5creds = (krb5_gss_cred_id_t) *cred_handle; - k5_mutex_lock(&k5creds->lock); - if (k5creds->usage == GSS_C_ACCEPT) { -- k5_mutex_unlock(&k5creds->lock); -- *minor_status = (OM_uint32) G_BAD_USAGE; -- return(GSS_S_FAILURE); -+ code = G_BAD_USAGE; -+ goto cleanup; - } - - code = krb5_gss_init_context(&context); -- if (code) { -- k5_mutex_unlock(&k5creds->lock); -- *minor_status = code; -- return GSS_S_FAILURE; -- } -+ if (code) -+ goto cleanup; - - code = krb5_cc_copy_creds(context, k5creds->ccache, out_ccache); -- if (code) { -- k5_mutex_unlock(&k5creds->lock); -- *minor_status = code; -- save_error_info(*minor_status, context); -- krb5_free_context(context); -- return(GSS_S_FAILURE); -- } -+ -+cleanup: - k5_mutex_unlock(&k5creds->lock); - *minor_status = code; -- if (code) -- save_error_info(*minor_status, context); -- krb5_free_context(context); -+ if (context != NULL) { -+ if (code) -+ save_error_info(*minor_status, context); -+ krb5_free_context(context); -+ } - return code ? GSS_S_FAILURE : GSS_S_COMPLETE; - } diff --git a/Properly-size-ifdef-in-k5_cccol_lock.patch b/Properly-size-ifdef-in-k5_cccol_lock.patch deleted file mode 100644 index 1afa100..0000000 --- a/Properly-size-ifdef-in-k5_cccol_lock.patch +++ /dev/null @@ -1,33 +0,0 @@ -From c1b4612565658d64940ba4760e0b47afd21e718f Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 14 Feb 2019 11:50:35 -0500 -Subject: [PATCH] Properly size #ifdef in k5_cccol_lock() - -The cleanup code only could get executed in the USE_CCAPI_V3 case, so -move it inside that block. Reported by Coverity. - -(cherry picked from commit 444a15f9cf82b9a6c1bca3f20307f82fee91c228) ---- - src/lib/krb5/ccache/ccbase.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c -index 8198f2b9b..2702bef69 100644 ---- a/src/lib/krb5/ccache/ccbase.c -+++ b/src/lib/krb5/ccache/ccbase.c -@@ -511,7 +511,6 @@ krb5_cccol_lock(krb5_context context) - #endif - #ifdef USE_CCAPI_V3 - ret = krb5_stdccv3_context_lock(context); --#endif - if (ret) { - k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); - k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex); -@@ -519,6 +518,7 @@ krb5_cccol_lock(krb5_context context) - k5_cc_mutex_unlock(context, &cccol_lock); - return ret; - } -+#endif - k5_mutex_unlock(&cc_typelist_lock); - return ret; - } diff --git a/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch b/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch deleted file mode 100644 index 09280f0..0000000 --- a/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch +++ /dev/null @@ -1,1604 +0,0 @@ -From 34aa9b5889a48f05b4dec33d40e72e97390118a5 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 4 Apr 2019 14:37:38 -0400 -Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi - -(cherry picked from commit 51395dc956ce9eef27c0d6843561d3d3828b03cd) ---- - src/ccapi/common/cci_cred_union.c | 280 +------------------------ - src/ccapi/lib/ccapi_v2.c | 34 +-- - src/ccapi/lib/win/OldCC/ccapi.h | 20 -- - src/ccapi/server/ccs_ccache.c | 69 +----- - src/ccapi/test/test_ccapi_ccache.c | 223 +++----------------- - src/ccapi/test/test_ccapi_constants.c | 2 - - src/ccapi/test/test_ccapi_context.c | 3 - - src/ccapi/test/test_ccapi_v2.c | 89 -------- - src/include/CredentialsCache.h | 156 ++++---------- - src/include/CredentialsCache2.h | 26 +-- - src/lib/krb5/ccache/ccapi/stdcc.c | 2 - - src/lib/krb5/ccache/ccapi/stdcc_util.c | 8 +- - src/windows/kfwlogon/kfwlogon.h | 2 +- - src/windows/leashdll/leash-int.h | 2 +- - src/windows/lib/cacheapi.h | 53 +---- - 15 files changed, 98 insertions(+), 871 deletions(-) - -diff --git a/src/ccapi/common/cci_cred_union.c b/src/ccapi/common/cci_cred_union.c -index 4c8981610..424a93dab 100644 ---- a/src/ccapi/common/cci_cred_union.c -+++ b/src/ccapi/common/cci_cred_union.c -@@ -25,181 +25,6 @@ - - #include "cci_common.h" - --#ifdef TARGET_OS_MAC --#pragma mark - --#endif -- --/* ------------------------------------------------------------------------ */ -- --static cc_uint32 cci_credentials_v4_release (cc_credentials_v4_t *io_v4creds) --{ -- cc_int32 err = ccNoError; -- -- if (!io_v4creds) { err = ccErrBadParam; } -- -- if (!err) { -- memset (io_v4creds, 0, sizeof (*io_v4creds)); -- free (io_v4creds); -- } -- -- return err; --} -- --/* ------------------------------------------------------------------------ */ -- --static cc_uint32 cci_credentials_v4_read (cc_credentials_v4_t **out_v4creds, -- k5_ipc_stream io_stream) --{ -- cc_int32 err = ccNoError; -- cc_credentials_v4_t *v4creds = NULL; -- -- if (!io_stream ) { err = cci_check_error (ccErrBadParam); } -- if (!out_v4creds) { err = cci_check_error (ccErrBadParam); } -- -- if (!err) { -- v4creds = malloc (sizeof (*v4creds)); -- if (!v4creds) { err = cci_check_error (ccErrNoMem); } -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->version); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read (io_stream, v4creds->principal, cc_v4_name_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read (io_stream, v4creds->principal_instance, cc_v4_instance_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read (io_stream, v4creds->service, cc_v4_name_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read (io_stream, v4creds->service_instance, cc_v4_instance_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read (io_stream, v4creds->realm, cc_v4_realm_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read (io_stream, v4creds->session_key, cc_v4_key_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->kvno); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->string_to_key_type); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read_time (io_stream, &v4creds->issue_date); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->lifetime); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->address); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->ticket_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_read (io_stream, v4creds->ticket, cc_v4_ticket_size); -- } -- -- if (!err) { -- *out_v4creds = v4creds; -- v4creds = NULL; -- } -- -- free (v4creds); -- -- return cci_check_error (err); --} -- --/* ------------------------------------------------------------------------ */ -- --static cc_uint32 cci_credentials_v4_write (cc_credentials_v4_t *in_v4creds, -- k5_ipc_stream io_stream) --{ -- cc_int32 err = ccNoError; -- -- if (!io_stream ) { err = cci_check_error (ccErrBadParam); } -- if (!in_v4creds) { err = cci_check_error (ccErrBadParam); } -- -- if (!err) { -- err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->version); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal, cc_v4_name_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal_instance, cc_v4_instance_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write (io_stream, in_v4creds->service, cc_v4_name_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write (io_stream, in_v4creds->service_instance, cc_v4_instance_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write (io_stream, in_v4creds->realm, cc_v4_realm_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write (io_stream, in_v4creds->session_key, cc_v4_key_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->kvno); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->string_to_key_type); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write_time (io_stream, in_v4creds->issue_date); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->lifetime); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->address); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->ticket_size); -- } -- -- if (!err) { -- err = krb5int_ipc_stream_write (io_stream, in_v4creds->ticket, cc_v4_ticket_size); -- } -- -- return cci_check_error (err); --} -- --#ifdef TARGET_OS_MAC --#pragma mark - --#endif -- - /* ------------------------------------------------------------------------ */ - - static cc_uint32 cci_cc_data_contents_release (cc_data *io_ccdata) -@@ -600,9 +425,7 @@ cc_uint32 cci_credentials_union_release (cc_credentials_union *io_cred_union) - if (!io_cred_union) { err = ccErrBadParam; } - - if (!err) { -- if (io_cred_union->version == cc_credentials_v4) { -- cci_credentials_v4_release (io_cred_union->credentials.credentials_v4); -- } else if (io_cred_union->version == cc_credentials_v5) { -+ if (io_cred_union->version == cc_credentials_v5) { - cci_credentials_v5_release (io_cred_union->credentials.credentials_v5); - } - free (io_cred_union); -@@ -632,11 +455,7 @@ cc_uint32 cci_credentials_union_read (cc_credentials_union **out_credentials_uni - } - - if (!err) { -- if (credentials_union->version == cc_credentials_v4) { -- err = cci_credentials_v4_read (&credentials_union->credentials.credentials_v4, -- io_stream); -- -- } else if (credentials_union->version == cc_credentials_v5) { -+ if (credentials_union->version == cc_credentials_v5) { - err = cci_credentials_v5_read (&credentials_union->credentials.credentials_v5, - io_stream); - -@@ -671,11 +490,7 @@ cc_uint32 cci_credentials_union_write (const cc_credentials_union *in_credential - } - - if (!err) { -- if (in_credentials_union->version == cc_credentials_v4) { -- err = cci_credentials_v4_write (in_credentials_union->credentials.credentials_v4, -- io_stream); -- -- } else if (in_credentials_union->version == cc_credentials_v5) { -+ if (in_credentials_union->version == cc_credentials_v5) { - err = cci_credentials_v5_write (in_credentials_union->credentials.credentials_v5, - io_stream); - -@@ -714,11 +529,7 @@ cc_uint32 cci_cred_union_release (cred_union *io_cred_union) - if (!io_cred_union) { err = ccErrBadParam; } - - if (!err) { -- if (io_cred_union->cred_type == CC_CRED_V4) { -- memset (io_cred_union->cred.pV4Cred, 0, sizeof (cc_credentials_v4_compat)); -- free (io_cred_union->cred.pV4Cred); -- -- } else if (io_cred_union->cred_type == CC_CRED_V5) { -+ if (io_cred_union->cred_type == CC_CRED_V5) { - free (io_cred_union->cred.pV5Cred->client); - free (io_cred_union->cred.pV5Cred->server); - cci_cc_data_contents_release (&io_cred_union->cred.pV5Cred->keyblock); -@@ -829,36 +640,7 @@ cc_uint32 cci_credentials_union_to_cred_union (const cc_credentials_union *in_c - } - - if (!err) { -- if (in_credentials_union->version == cc_credentials_v4) { -- cc_credentials_v4_compat *compat_v4creds = NULL; -- -- compat_v4creds = malloc (sizeof (*compat_v4creds)); -- if (!compat_v4creds) { err = cci_check_error (ccErrNoMem); } -- -- if (!err) { -- cc_credentials_v4_t *v4creds = in_credentials_union->credentials.credentials_v4; -- -- compat_cred_union->cred_type = CC_CRED_V4; -- compat_cred_union->cred.pV4Cred = compat_v4creds; -- -- compat_v4creds->kversion = v4creds->version; -- strncpy (compat_v4creds->principal, v4creds->principal, KRB_NAME_SZ+1); -- strncpy (compat_v4creds->principal_instance, v4creds->principal_instance, KRB_INSTANCE_SZ+1); -- strncpy (compat_v4creds->service, v4creds->service, KRB_NAME_SZ+1); -- strncpy (compat_v4creds->service_instance, v4creds->service_instance, KRB_INSTANCE_SZ+1); -- strncpy (compat_v4creds->realm, v4creds->realm, KRB_REALM_SZ+1); -- memcpy (compat_v4creds->session_key, v4creds->session_key, 8); -- compat_v4creds->kvno = v4creds->kvno; -- compat_v4creds->str_to_key = v4creds->string_to_key_type; -- compat_v4creds->issue_date = v4creds->issue_date; -- compat_v4creds->lifetime = v4creds->lifetime; -- compat_v4creds->address = v4creds->address; -- compat_v4creds->ticket_sz = v4creds->ticket_size; -- memcpy (compat_v4creds->ticket, v4creds->ticket, MAX_V4_CRED_LEN); -- compat_v4creds->oops = 0; -- } -- -- } else if (in_credentials_union->version == cc_credentials_v5) { -+ if (in_credentials_union->version == cc_credentials_v5) { - cc_credentials_v5_t *v5creds = in_credentials_union->credentials.credentials_v5; - cc_credentials_v5_compat *compat_v5creds = NULL; - -@@ -951,36 +733,7 @@ cc_uint32 cci_cred_union_to_credentials_union (const cred_union *in_cred_un - } - - if (!err) { -- if (in_cred_union->cred_type == CC_CRED_V4) { -- cc_credentials_v4_compat *compat_v4creds = in_cred_union->cred.pV4Cred; -- cc_credentials_v4_t *v4creds = NULL; -- -- if (!err) { -- v4creds = malloc (sizeof (*v4creds)); -- if (!v4creds) { err = cci_check_error (ccErrNoMem); } -- } -- -- if (!err) { -- creds_union->version = cc_credentials_v4; -- creds_union->credentials.credentials_v4 = v4creds; -- -- v4creds->version = compat_v4creds->kversion; -- strncpy (v4creds->principal, compat_v4creds->principal, KRB_NAME_SZ); -- strncpy (v4creds->principal_instance, compat_v4creds->principal_instance, KRB_INSTANCE_SZ); -- strncpy (v4creds->service, compat_v4creds->service, KRB_NAME_SZ); -- strncpy (v4creds->service_instance, compat_v4creds->service_instance, KRB_INSTANCE_SZ); -- strncpy (v4creds->realm, compat_v4creds->realm, KRB_REALM_SZ); -- memcpy (v4creds->session_key, compat_v4creds->session_key, 8); -- v4creds->kvno = compat_v4creds->kvno; -- v4creds->string_to_key_type = compat_v4creds->str_to_key; -- v4creds->issue_date = compat_v4creds->issue_date; -- v4creds->lifetime = compat_v4creds->lifetime; -- v4creds->address = compat_v4creds->address; -- v4creds->ticket_size = compat_v4creds->ticket_sz; -- memcpy (v4creds->ticket, compat_v4creds->ticket, MAX_V4_CRED_LEN); -- } -- -- } else if (in_cred_union->cred_type == CC_CRED_V5) { -+ if (in_cred_union->cred_type == CC_CRED_V5) { - cc_credentials_v5_compat *compat_v5creds = in_cred_union->cred.pV5Cred; - cc_credentials_v5_t *v5creds = NULL; - -@@ -1072,26 +825,7 @@ cc_uint32 cci_cred_union_compare_to_credentials_union (const cred_union - if (!out_equal ) { err = cci_check_error (ccErrBadParam); } - - if (!err) { -- if (in_cred_union_compat->cred_type == CC_CRED_V4 && -- in_credentials_union->version == cc_credentials_v4) { -- cc_credentials_v4_compat *old_creds_v4 = in_cred_union_compat->cred.pV4Cred; -- cc_credentials_v4_t *new_creds_v4 = in_credentials_union->credentials.credentials_v4; -- -- if (old_creds_v4 && new_creds_v4 && -- !strcmp (old_creds_v4->principal, -- new_creds_v4->principal) && -- !strcmp (old_creds_v4->principal_instance, -- new_creds_v4->principal_instance) && -- !strcmp (old_creds_v4->service, -- new_creds_v4->service) && -- !strcmp (old_creds_v4->service_instance, -- new_creds_v4->service_instance) && -- !strcmp (old_creds_v4->realm, new_creds_v4->realm) && -- (old_creds_v4->issue_date == (long) new_creds_v4->issue_date)) { -- equal = 1; -- } -- -- } else if (in_cred_union_compat->cred_type == CC_CRED_V5 && -+ if (in_cred_union_compat->cred_type == CC_CRED_V5 && - in_credentials_union->version == cc_credentials_v5) { - cc_credentials_v5_compat *old_creds_v5 = in_cred_union_compat->cred.pV5Cred; - cc_credentials_v5_t *new_creds_v5 = in_credentials_union->credentials.credentials_v5; -diff --git a/src/ccapi/lib/ccapi_v2.c b/src/ccapi/lib/ccapi_v2.c -index 8a831d796..ae9b790b0 100644 ---- a/src/ccapi/lib/ccapi_v2.c -+++ b/src/ccapi/lib/ccapi_v2.c -@@ -44,10 +44,7 @@ static cc_int32 cci_remap_version (cc_int32 in_v2_version, - if (!out_v3_version) { err = cci_check_error (ccErrBadParam); } - - if (!err) { -- if (in_v2_version == CC_CRED_V4) { -- *out_v3_version = cc_credentials_v4; -- -- } else if (in_v2_version == CC_CRED_V5) { -+ if (in_v2_version == CC_CRED_V5) { - *out_v3_version = cc_credentials_v5; - - } else { -@@ -450,10 +447,7 @@ cc_result cc_get_cred_version (apiCB *in_context, - } - - if (!err) { -- if (compat_version == cc_credentials_v4) { -- *out_version = CC_CRED_V4; -- -- } else if (compat_version == cc_credentials_v5) { -+ if (compat_version == cc_credentials_v5) { - *out_version = CC_CRED_V5; - - } else { -@@ -642,10 +636,6 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context, - if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } - if (!in_iterator) { err = cci_check_error (ccErrBadParam); } - -- /* CCache iterators need to return some ccaches twice (when v3 ccache has -- * two kinds of credentials). To do that, we return such ccaches twice -- * v4 first, then v5. */ -- - if (!err) { - err = cci_ccache_iterator_get_saved_ccache_name (iterator, - &saved_ccache_name); -@@ -674,25 +664,7 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context, - } - - if (!err) { -- if (version == cc_credentials_v4_v5) { -- cc_string_t name = NULL; -- -- err = cci_ccache_set_compat_version (ccache, cc_credentials_v4); -- -- if (!err) { -- err = ccapi_ccache_get_name (ccache, &name); -- } -- -- if (!err) { -- err = cci_ccache_iterator_set_saved_ccache_name (iterator, -- name->data); -- } -- -- if (name) { ccapi_string_release (name); } -- -- } else { -- err = cci_ccache_set_compat_version (ccache, version); -- } -+ err = cci_ccache_set_compat_version (ccache, version); - } - } - } -diff --git a/src/ccapi/lib/win/OldCC/ccapi.h b/src/ccapi/lib/win/OldCC/ccapi.h -index 82512771a..4d6f3faaf 100644 ---- a/src/ccapi/lib/win/OldCC/ccapi.h -+++ b/src/ccapi/lib/win/OldCC/ccapi.h -@@ -80,7 +80,6 @@ enum __MIDL_ccapi_0003 - { KRB_NAME_SZ = 40, - KRB_INSTANCE_SZ = 40, - KRB_REALM_SZ = 40, -- MAX_V4_CRED_LEN = 1250 - } ; - typedef struct _NC_INFO - { -@@ -95,24 +94,6 @@ typedef struct _NC_INFO_LIST - /* [size_is] */ NC_INFO *info; - } NC_INFO_LIST; - --typedef struct _V4_CRED -- { -- CC_UCHAR kversion; -- CC_CHAR principal[ 41 ]; -- CC_CHAR principal_instance[ 41 ]; -- CC_CHAR service[ 41 ]; -- CC_CHAR service_instance[ 41 ]; -- CC_CHAR realm[ 41 ]; -- CC_UCHAR session_key[ 8 ]; -- CC_INT32 kvno; -- CC_INT32 str_to_key; -- CC_INT32 issue_date; -- CC_INT32 lifetime; -- CC_UINT32 address; -- CC_INT32 ticket_sz; -- CC_UCHAR ticket[ 1250 ]; -- } V4_CRED; -- - typedef struct _CC_DATA - { - CC_UINT32 type; -@@ -145,7 +126,6 @@ typedef struct _V5_CRED - - typedef /* [switch_type] */ union _CRED_PTR_UNION - { -- /* [case()] */ V4_CRED *pV4Cred; - /* [case()] */ V5_CRED *pV5Cred; - } CRED_PTR_UNION; - -diff --git a/src/ccapi/server/ccs_ccache.c b/src/ccapi/server/ccs_ccache.c -index 65c59e4be..645380a7b 100644 ---- a/src/ccapi/server/ccs_ccache.c -+++ b/src/ccapi/server/ccs_ccache.c -@@ -31,19 +31,16 @@ struct ccs_ccache_d { - ccs_lock_state_t lock_state; - cc_uint32 creds_version; - char *name; -- char *v4_principal; - char *v5_principal; - cc_time_t last_default_time; - cc_time_t last_changed_time; -- cc_uint32 kdc_time_offset_v4_valid; -- cc_time_t kdc_time_offset_v4; - cc_uint32 kdc_time_offset_v5_valid; - cc_time_t kdc_time_offset_v5; - ccs_credentials_list_t credentials; - ccs_callback_array_t change_callbacks; - }; - --struct ccs_ccache_d ccs_ccache_initializer = { NULL, NULL, 0, NULL, NULL, NULL, 0, 0, 0, 0, 0, 0, NULL, NULL }; -+struct ccs_ccache_d ccs_ccache_initializer = { NULL, NULL, 0, NULL, NULL, 0, 0, 0, 0, NULL, NULL }; - - /* ------------------------------------------------------------------------ */ - -@@ -88,11 +85,7 @@ cc_int32 ccs_ccache_new (ccs_ccache_t *out_ccache, - if (!err) { - ccache->creds_version = in_creds_version; - -- if (ccache->creds_version == cc_credentials_v4) { -- ccache->v4_principal = strdup (in_principal); -- if (!ccache->v4_principal) { err = cci_check_error (ccErrNoMem); } -- -- } else if (ccache->creds_version == cc_credentials_v5) { -+ if (ccache->creds_version == cc_credentials_v5) { - ccache->v5_principal = strdup (in_principal); - if (!ccache->v5_principal) { err = cci_check_error (ccErrNoMem); } - -@@ -147,7 +140,6 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, - const char *in_principal) - { - cc_int32 err = ccNoError; -- char *v4_principal = NULL; - char *v5_principal = NULL; - ccs_credentials_list_t credentials = NULL; - -@@ -158,11 +150,7 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, - if (!err) { - io_ccache->creds_version = in_creds_version; - -- if (io_ccache->creds_version == cc_credentials_v4) { -- v4_principal = strdup (in_principal); -- if (!v4_principal) { err = cci_check_error (ccErrNoMem); } -- -- } else if (io_ccache->creds_version == cc_credentials_v5) { -+ if (io_ccache->creds_version == cc_credentials_v5) { - v5_principal = strdup (in_principal); - if (!v5_principal) { err = cci_check_error (ccErrNoMem); } - -@@ -176,15 +164,9 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, - } - - if (!err) { -- io_ccache->kdc_time_offset_v4 = 0; -- io_ccache->kdc_time_offset_v4_valid = 0; - io_ccache->kdc_time_offset_v5 = 0; - io_ccache->kdc_time_offset_v5_valid = 0; - -- if (io_ccache->v4_principal) { free (io_ccache->v4_principal); } -- io_ccache->v4_principal = v4_principal; -- v4_principal = NULL; /* take ownership */ -- - if (io_ccache->v5_principal) { free (io_ccache->v5_principal); } - io_ccache->v5_principal = v5_principal; - v5_principal = NULL; /* take ownership */ -@@ -196,7 +178,6 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, - err = ccs_ccache_changed (io_ccache, io_cache_collection); - } - -- free (v4_principal); - free (v5_principal); - ccs_credentials_list_release (credentials); - -@@ -250,7 +231,6 @@ cc_int32 ccs_ccache_release (ccs_ccache_t io_ccache) - cci_identifier_release (io_ccache->identifier); - ccs_lock_state_release (io_ccache->lock_state); - free (io_ccache->name); -- free (io_ccache->v4_principal); - free (io_ccache->v5_principal); - ccs_credentials_list_release (io_ccache->credentials); - ccs_callback_array_release (io_ccache->change_callbacks); -@@ -607,15 +587,8 @@ static cc_int32 ccs_ccache_get_principal (ccs_ccache_t io_ccache, - err = krb5int_ipc_stream_read_uint32 (in_request_data, &version); - } - -- if (!err && version == cc_credentials_v4_v5) { -- err = cci_check_error (ccErrBadCredentialsVersion); -- } -- - if (!err) { -- if (version == cc_credentials_v4) { -- err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v4_principal); -- -- } else if (version == cc_credentials_v5) { -+ if (version == cc_credentials_v5) { - err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v5_principal); - - } else { -@@ -652,16 +625,7 @@ static cc_int32 ccs_ccache_set_principal (ccs_ccache_t io_ccache, - - if (!err) { - /* reset KDC time offsets because they are per-KDC */ -- if (version == cc_credentials_v4) { -- io_ccache->kdc_time_offset_v4 = 0; -- io_ccache->kdc_time_offset_v4_valid = 0; -- -- if (io_ccache->v4_principal) { free (io_ccache->v4_principal); } -- io_ccache->v4_principal = principal; -- principal = NULL; /* take ownership */ -- -- -- } else if (version == cc_credentials_v5) { -+ if (version == cc_credentials_v5) { - io_ccache->kdc_time_offset_v5 = 0; - io_ccache->kdc_time_offset_v5_valid = 0; - -@@ -998,14 +962,7 @@ static cc_int32 ccs_ccache_get_kdc_time_offset (ccs_ccache_t io_ccache - } - - if (!err) { -- if (cred_vers == cc_credentials_v4) { -- if (io_ccache->kdc_time_offset_v4_valid) { -- err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v4); -- } else { -- err = cci_check_error (ccErrTimeOffsetNotSet); -- } -- -- } else if (cred_vers == cc_credentials_v5) { -+ if (cred_vers == cc_credentials_v5) { - if (io_ccache->kdc_time_offset_v5_valid) { - err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v5); - } else { -@@ -1040,13 +997,7 @@ static cc_int32 ccs_ccache_set_kdc_time_offset (ccs_ccache_t io_ccache - } - - if (!err) { -- if (cred_vers == cc_credentials_v4) { -- err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v4); -- -- if (!err) { -- io_ccache->kdc_time_offset_v4_valid = 1; -- } -- } else if (cred_vers == cc_credentials_v5) { -+ if (cred_vers == cc_credentials_v5) { - err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v5); - - if (!err) { -@@ -1084,11 +1035,7 @@ static cc_int32 ccs_ccache_clear_kdc_time_offset (ccs_ccache_t io_ccac - } - - if (!err) { -- if (cred_vers == cc_credentials_v4) { -- io_ccache->kdc_time_offset_v4 = 0; -- io_ccache->kdc_time_offset_v4_valid = 0; -- -- } else if (cred_vers == cc_credentials_v5) { -+ if (cred_vers == cc_credentials_v5) { - io_ccache->kdc_time_offset_v5 = 0; - io_ccache->kdc_time_offset_v5_valid = 0; - -diff --git a/src/ccapi/test/test_ccapi_ccache.c b/src/ccapi/test/test_ccapi_ccache.c -index a0fd84af1..fe63e6710 100644 ---- a/src/ccapi/test/test_ccapi_ccache.c -+++ b/src/ccapi/test/test_ccapi_ccache.c -@@ -303,18 +303,6 @@ int check_cc_ccache_get_credentials_version(void) { - failure_count++; - } - -- // try it with added v4 creds -- if (!err) { -- err = cc_ccache_set_principal(ccache, cc_credentials_v4, "foo@BAR.ORG"); -- } -- if (!err) { -- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v5 with v4 creds added"); -- } -- else { -- log_error("cc_ccache_set_principal failed, can't complete test"); -- failure_count++; -- } -- - if (ccache) { - cc_ccache_destroy(ccache); - ccache = NULL; -@@ -322,35 +310,6 @@ int check_cc_ccache_get_credentials_version(void) { - - err = ccNoError; - -- // try one created with v4 creds -- if (!err) { -- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAR.ORG", &ccache); -- } -- if (!err) { -- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4, ccNoError, "v4 creds"); -- } -- else { -- log_error("cc_context_create_new_ccache failed, can't complete test"); -- failure_count++; -- } -- -- // try it with added v5 creds -- if (!err) { -- err = cc_ccache_set_principal(ccache, cc_credentials_v5, "foo@BAR.ORG"); -- } -- if (!err) { -- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v4 with v5 creds added"); -- } -- else { -- log_error("cc_ccache_set_principal failed, can't complete test"); -- failure_count++; -- } -- -- if (ccache) { -- cc_ccache_destroy(ccache); -- ccache = NULL; -- } -- - if (context) { cc_context_release(context); } - - #endif /* cc_ccache_get_credentials_version */ -@@ -582,31 +541,13 @@ int check_cc_ccache_get_principal(void) { - log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } -- if (ccache) { -- cc_ccache_release(ccache); -- ccache = NULL; -- } - -- // try with krb4 principal -- if (!err) { -- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo.BAR@BAZ.ORG", &ccache); -- } -- if (!err) { -- check_once_cc_ccache_get_principal(ccache, cc_credentials_v4, "foo.BAR@BAZ.ORG", ccNoError, "trying to get krb4 princ for krb4 ccache"); -- } -- else { -- log_error("cc_context_create_new_ccache failed, can't complete test"); -- failure_count++; -- } -- -- // try with bad param -- if (!err) { -- // cc_ccache_t doesn't have any concept of the difference between a v4 and v5 principal -- check_once_cc_ccache_get_principal(ccache, cc_credentials_v4_v5, "foo.BAR@BAZ.ORG", -- ccErrBadCredentialsVersion, -- "passing cc_credentials_v4_v5 (shouldn't be allowed)"); -- check_once_cc_ccache_get_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "passed null out param"); -- } -+ // try with bad param -+ if (!err) { -+ check_once_cc_ccache_get_principal(ccache, cc_credentials_v5, -+ NULL, ccErrBadParam, -+ "passed null out param"); -+ } - - if (ccache) { - cc_ccache_release(ccache); -@@ -643,99 +584,33 @@ int check_cc_ccache_set_principal(void) { - err = destroy_all_ccaches(context); - } - -- // bad params -- if (!err) { -- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); -- } -- if (!err) { -- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4_v5, "foo/BAZ@BAR.ORG", ccErrBadCredentialsVersion, "cc_credentials_v4_v5 (not allowed)"); -- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL principal"); -- } -- else { -- log_error("cc_context_create_new_ccache failed, can't complete test"); -- failure_count++; -- } -- if (ccache) { -- cc_ccache_destroy(ccache); -- ccache = NULL; -- } -+ // replace v5 only ccache's principal -+ if (!err) { -+ err = cc_context_create_new_ccache(context, cc_credentials_v5, -+ "foo@BAZ.ORG", &ccache); -+ } -+ if (!err) { -+ check_once_cc_ccache_set_principal( -+ ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, -+ "replace v5 only ccache's principal (empty ccache)"); -+ } -+ else { -+ log_error( -+ "cc_context_create_new_ccache failed, can't complete test"); -+ failure_count++; -+ } - -+ // bad params -+ if (!err) { -+ check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, -+ NULL, ccErrBadParam, -+ "NULL principal"); -+ } - -- // empty ccache -- -- // replace v5 only ccache's principal -- if (!err) { -- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); -- } -- if (!err) { -- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, "replace v5 only ccache's principal (empty ccache)"); -- } -- else { -- log_error("cc_context_create_new_ccache failed, can't complete test"); -- failure_count++; -- } -- if (ccache) { -- cc_ccache_destroy(ccache); -- ccache = NULL; -- } -- -- // add v4 principal to v5 only ccache -- if (!err) { -- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); -- } -- if (!err) { -- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4, "foo.BAZ@BAR.ORG", ccNoError, "add v4 principal to v5 only ccache (empty ccache)"); -- } -- else { -- log_error("cc_context_create_new_ccache failed, can't complete test"); -- failure_count++; -- } -- if (ccache) { -- cc_ccache_destroy(ccache); -- ccache = NULL; -- } -- -- // replace v4 only ccache's principal -- if (!err) { -- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", &ccache); -- } -- if (!err) { -- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4, "foo.BAZ@BAR.ORG", ccNoError, "replace v4 only ccache's principal (empty ccache)"); -- } -- else { -- log_error("cc_context_create_new_ccache failed, can't complete test"); -- failure_count++; -- } -- if (ccache) { -- cc_ccache_destroy(ccache); -- ccache = NULL; -- } -- -- // add v5 principal to v4 only ccache -- if (!err) { -- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", &ccache); -- } -- if (!err) { -- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, "add v5 principal to v4 only ccache (empty ccache)"); -- } -- else { -- log_error("cc_context_create_new_ccache failed, can't complete test"); -- failure_count++; -- } -- if (ccache) { -- cc_ccache_destroy(ccache); -- ccache = NULL; -- } -- -- // with credentials -- -- // replace v5 only ccache's principal -- -- // add v4 principal to v5 only ccache -- -- // replace v4 only ccache's principal -- -- // add v5 principal to v4 only ccache -+ if (ccache) { -+ cc_ccache_destroy(ccache); -+ ccache = NULL; -+ } - - if (context) { - err = destroy_all_ccaches(context); -@@ -847,21 +722,6 @@ int check_cc_ccache_store_credentials(void) { - - if (&creds_union) { release_v5_creds_union(&creds_union); } - -- // bad creds version -- if (!err) { -- err = new_v5_creds_union(&creds_union, "BAR.ORG"); -- } -- -- if (!err) { -- creds_union.version = cc_credentials_v4_v5; -- check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4_v5 creds (invalid) into a ccache with only v5 princ"); -- creds_union.version = cc_credentials_v4; -- check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4 creds into a ccache with only v5 princ"); -- creds_union.version = cc_credentials_v5; -- } -- -- if (&creds_union) { release_v5_creds_union(&creds_union); } -- - // non-existent ccache - if (ccache) { - err = cc_ccache_get_name(ccache, &name); -@@ -1809,21 +1669,10 @@ int check_cc_ccache_get_kdc_time_offset(void) { - err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, time_offset); - } - if (!err) { -- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccNoError, "offset set for v5 but not v4"); -+ check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccNoError, "offset set for v5"); - } -- if (!err) { -- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccErrTimeOffsetNotSet, "asking for v4 offset when only v5 is set"); -- } -- if (!err) { -- err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, time_offset); -- } -- if (!err) { -- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccNoError, "asking for v4 offset when v4 and v5 are set"); -- } -- - - check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL time_offset out param"); -- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4_v5, &time_offset, ccErrBadCredentialsVersion, "v4_v5 creds_vers in param (invalid)"); - - if (ccache) { cc_ccache_release(ccache); } - -@@ -1900,9 +1749,6 @@ int check_cc_ccache_set_kdc_time_offset(void) { - } - - check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0, ccNoError, "first time setting offset (v5)"); -- check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0, ccNoError, "first time setting offset (v4)"); -- -- check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4_v5, 0, ccErrBadCredentialsVersion, "invalid creds_vers (v4_v5)"); - - if (ccache) { cc_ccache_release(ccache); } - -@@ -1978,15 +1824,10 @@ int check_cc_ccache_clear_kdc_time_offset(void) { - } - - check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing an offset that was never set (v5)"); -- check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing an offset that was never set (v4)"); - - err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0); -- err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0); - - check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing v5"); -- check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing v4"); -- -- check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4_v5, ccErrBadCredentialsVersion, "bad in param creds vers (v4_v5)"); - - if (ccache) { cc_ccache_release(ccache); } - -diff --git a/src/ccapi/test/test_ccapi_constants.c b/src/ccapi/test/test_ccapi_constants.c -index 9f2aecbc2..57377262e 100644 ---- a/src/ccapi/test/test_ccapi_constants.c -+++ b/src/ccapi/test/test_ccapi_constants.c -@@ -46,9 +46,7 @@ int check_constants(void) { - - /* Credentials versions */ - -- check_int(cc_credentials_v4, 1); - check_int(cc_credentials_v5, 2); -- check_int(cc_credentials_v4_v5, (cc_credentials_v4 | cc_credentials_v5)); - - /* Lock types */ - -diff --git a/src/ccapi/test/test_ccapi_context.c b/src/ccapi/test/test_ccapi_context.c -index 09feebee5..2dc348ea0 100644 ---- a/src/ccapi/test/test_ccapi_context.c -+++ b/src/ccapi/test/test_ccapi_context.c -@@ -583,7 +583,6 @@ int check_cc_context_create_ccache(void) { - - // try bad parameters - err = check_once_cc_context_create_ccache(context, NULL, cc_credentials_v5, "foo@BAR.ORG", &ccache, ccErrBadParam, "NULL name"); // NULL name -- err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers - err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal - err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache - } -@@ -681,7 +680,6 @@ int check_cc_context_create_default_ccache(void) { - } - - // try bad parameters -- err = check_once_cc_context_create_default_ccache(context, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers - err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal - err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache - } -@@ -773,7 +771,6 @@ int check_cc_context_create_new_ccache(void) { - if (ccache) { cc_ccache_release(ccache); } - - // try bad parameters -- err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers - err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal - err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache - } -diff --git a/src/ccapi/test/test_ccapi_v2.c b/src/ccapi/test/test_ccapi_v2.c -index e0205ce46..c71bb45a8 100644 ---- a/src/ccapi/test/test_ccapi_v2.c -+++ b/src/ccapi/test/test_ccapi_v2.c -@@ -45,20 +45,6 @@ static int compare_v5_creds_unions_compat(const cred_union *a, const cred_union - a->cred.pV5Cred->starttime == b->cred.pV5Cred->starttime) { - retval = 0; - } -- } else if (a->cred_type == CC_CRED_V4) { -- if (!strcmp (a->cred.pV4Cred->principal, -- b->cred.pV4Cred->principal) && -- !strcmp (a->cred.pV4Cred->principal_instance, -- b->cred.pV4Cred->principal_instance) && -- !strcmp (a->cred.pV4Cred->service, -- b->cred.pV4Cred->service) && -- !strcmp (a->cred.pV4Cred->service_instance, -- b->cred.pV4Cred->service_instance) && -- !strcmp (a->cred.pV4Cred->realm, -- b->cred.pV4Cred->realm) && -- a->cred.pV4Cred->issue_date == b->cred.pV4Cred->issue_date) { -- retval = 0; -- } - } - } - -@@ -361,10 +347,6 @@ int check_cc_open(void) { - err = check_once_cc_open(context, name, CC_CRED_V5, &ccache, CC_NOERROR, NULL); - } - -- // check version -- if (!err) { -- err = check_once_cc_open(context, name, CC_CRED_V4, &ccache, CC_ERR_CRED_VERSION, NULL); -- } - // try bad parameters - err = check_once_cc_open(context, NULL, CC_CRED_V5, &ccache, CC_BAD_PARM, NULL); - err = check_once_cc_open(context, name, CC_CRED_V5, NULL, CC_BAD_PARM, NULL); -@@ -681,17 +663,6 @@ int check_cc_get_cred_version(void) { - - err = CC_NOERROR; - -- // try one created with v4 creds -- if (!err) { -- err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V4, 0, &ccache); -- } -- if (!err) { -- check_once_cc_get_cred_version(context, ccache, CC_CRED_V4, CC_NOERROR, "v4 creds"); -- } -- else { -- log_error("cc_context_create_new_ccache failed, can't complete test"); -- failure_count++; -- } - if (ccache) { - cc_destroy(context, &ccache); - ccache = NULL; -@@ -840,7 +811,6 @@ int check_cc_get_principal(void) { - apiCB *context = NULL; - ccache_p *ccache = NULL; - char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5"; -- char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4"; - - BEGIN_TEST("cc_get_principal"); - -@@ -866,18 +836,6 @@ int check_cc_get_principal(void) { - ccache = NULL; - } - -- // try with krb4 principal -- if (!err) { -- err = cc_create(context, name_v4, "foo.BAR@BAZ.ORG", CC_CRED_V4, 0, &ccache); -- } -- if (!err) { -- check_once_cc_get_principal(context, ccache, "foo.BAR@BAZ.ORG", CC_NOERROR, "trying to get krb4 princ for krb4 ccache"); -- } -- else { -- log_error("cc_create failed, can't complete test"); -- failure_count++; -- } -- - // try with bad param - if (!err) { - check_once_cc_get_principal(context, ccache, NULL, CC_BAD_PARM, "passed null out param"); -@@ -945,7 +903,6 @@ int check_cc_set_principal(void) { - apiCB *context = NULL; - ccache_p *ccache = NULL; - char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5"; -- char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4"; - - BEGIN_TEST("cc_set_principal"); - -@@ -972,37 +929,6 @@ int check_cc_set_principal(void) { - ccache = NULL; - } - -- // empty ccache -- -- // replace v5 ccache's principal -- if (!err) { -- err = cc_create(context, name_v5, "foo@BAZ.ORG", CC_CRED_V5, 0, &ccache); -- } -- if (!err) { -- check_once_cc_set_principal(context, ccache, CC_CRED_V5, "foo/BAZ@BAR.ORG", CC_NOERROR, "replace v5 only ccache's principal (empty ccache)"); -- check_once_cc_set_principal(context, ccache, CC_CRED_V4, "foo.BAZ@BAR.ORG", CC_ERR_CRED_VERSION, "replace v5 principal with v4"); -- } -- else { -- log_error("cc_create failed, can't complete test"); -- failure_count++; -- } -- if (ccache) { -- cc_destroy(context, &ccache); -- ccache = NULL; -- } -- -- // replace v4 ccache's principal -- if (!err) { -- err = cc_create(context, name_v4, "foo@BAZ.ORG", CC_CRED_V4, 0, &ccache); -- } -- if (!err) { -- check_once_cc_set_principal(context, ccache, CC_CRED_V4, "foo.BAZ@BAR.ORG", CC_NOERROR, "replace v4 only ccache's principal (empty ccache)"); -- check_once_cc_set_principal(context, ccache, CC_CRED_V5, "foo/BAZ@BAR.ORG", CC_ERR_CRED_VERSION, "replace v4 principal with v5"); -- } -- else { -- log_error("cc_create failed, can't complete test"); -- failure_count++; -- } - if (ccache) { - cc_destroy(context, &ccache); - ccache = NULL; -@@ -1102,21 +1028,6 @@ int check_cc_store(void) { - } - } - -- // bad creds version -- if (!err) { -- err = new_v5_creds_union_compat(&creds_union, "BAR.ORG"); -- -- if (!err) { -- creds_union.cred_type = CC_CRED_MAX; -- check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "CC_CRED_MAX (invalid) into a ccache with only v5 princ"); -- creds_union.cred_type = CC_CRED_V4; -- check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "v4 creds into a v5 ccache"); -- creds_union.cred_type = CC_CRED_V5; -- -- release_v5_creds_union_compat(&creds_union); -- } -- } -- - // non-existent ccache - if (ccache) { - err = cc_get_name(context, ccache, &name); -diff --git a/src/include/CredentialsCache.h b/src/include/CredentialsCache.h -index 54f71a1a0..c18159639 100644 ---- a/src/include/CredentialsCache.h -+++ b/src/include/CredentialsCache.h -@@ -104,19 +104,19 @@ extern "C" { - * \section introduction Introduction - * - * This is the specification for an API which provides Credentials Cache -- * services for both Kerberos v5 and v4. The idea behind this API is that -- * multiple Kerberos implementations can share a single collection of -- * credentials caches, mediated by this API specification. On the Mac OS -- * and Microsoft Windows platforms this will allow single-login, even when -- * more than one Kerberos shared library is in use on a particular system. -+ * services for Kerberos v5 (and previously v4). The idea behind this API is -+ * that multiple Kerberos implementations can share a single collection of -+ * credentials caches, mediated by this API specification. On the Mac OS and -+ * Microsoft Windows platforms this will allow single-login, even when more -+ * than one Kerberos shared library is in use on a particular system. - * - * Abstractly, a credentials cache collection contains one or more credentials - * caches, or ccaches. A ccache is uniquely identified by its name, which is - * a string internal to the API and not intended to be presented to users. - * The user presentable identifier of a ccache is its principal. - * -- * Unlike the previous versions of the API, version 3 of the API stores both -- * Kerberos v4 and v5 credentials in the same ccache. -+ * Unlike the previous versions of the API, version 3 of the API could store -+ * credentials for multiple Kerberos versions in the same ccache. - * - * At any given time, one ccache is the "default" ccache. The exact meaning - * of a default ccache is OS-specific; refer to implementation requirements -@@ -305,10 +305,9 @@ enum { - /*! - * Credentials versions - * -- * These constants are used in several places in the API to discern -- * between Kerberos v4 and Kerberos v5. Not all values are valid -- * inputs and outputs for all functions; function specifications -- * below detail the allowed values. -+ * These constants are used in several places in the API to discern Kerberos -+ * versions. Not all values are valid inputs and outputs for all functions; -+ * function specifications below detail the allowed values. - * - * Kerberos version constants will always be a bit-field, and can be - * tested as such; for example the following test will tell you if -@@ -317,9 +316,9 @@ enum { - * if ((ccacheVersion & cc_credentials_v5) != 0) - */ - enum cc_credential_versions { -- cc_credentials_v4 = 1, -+ /* cc_credentials_v4 = 1, */ - cc_credentials_v5 = 2, -- cc_credentials_v4_v5 = 3 -+ /* cc_credentials_v4_v5 = 3 */ - }; - - /*! -@@ -353,29 +352,6 @@ enum cc_lock_modes { - cc_lock_block = 1 - }; - --/*! -- * Sizes of fields in cc_credentials_v4_t. -- */ --enum { -- /* Make sure all of these are multiples of four (for alignment sanity) */ -- cc_v4_name_size = 40, -- cc_v4_instance_size = 40, -- cc_v4_realm_size = 40, -- cc_v4_ticket_size = 1254, -- cc_v4_key_size = 8 --}; -- --/*! -- * String to key type (Kerberos v4 only) -- */ --enum cc_string_to_key_type { -- cc_v4_stk_afs = 0, -- cc_v4_stk_des = 1, -- cc_v4_stk_columbia_special = 2, -- cc_v4_stk_krb5 = 3, -- cc_v4_stk_unknown = 4 --}; -- - /*!@}*/ - - /*! -@@ -482,15 +458,13 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t; - * \defgroup cc_credentials_reference cc_credentials_t Overview - * @{ - * -- * The cc_credentials_t type is used to store a single set of -- * credentials for either Kerberos v4 or Kerberos v5. In addition -- * to its only function, release(), it contains a pointer to a -- * cc_credentials_union structure. A cc_credentials_union -+ * The cc_credentials_t type is used to store a single set of credentials for -+ * Kerberos v5. In addition to its only function, release(), it contains a -+ * pointer to a cc_credentials_union structure. A cc_credentials_union - * structure contains an integer of the enumerator type -- * cc_credentials_version, which is either #cc_credentials_v4 or -- * #cc_credentials_v5, and a pointer union, which contains either a -- * cc_credentials_v4_t pointer or a cc_credentials_v5_t pointer, -- * depending on the value in version. -+ * cc_credentials_version, which is #cc_credentials_v5, and a pointer union, -+ * which contains a cc_credentials_v5_t pointer, depending on the value in -+ * version. - * - * Variables of the type cc_credentials_t are allocated by the CCAPI - * implementation, and should be released with their release() -@@ -501,43 +475,6 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t; - * For API functions see \ref cc_credentials_f. - */ - --/*! -- * If a cc_credentials_t variable is used to store Kerberos v4 -- * credentials, then credentials.credentials_v4 points to a v4 -- * credentials structure. This structure is similar to a -- * krb4 API CREDENTIALS structure. -- */ --struct cc_credentials_v4_t { -- cc_uint32 version; -- /*! A properly quoted string representation of the first component of the client principal */ -- char principal [cc_v4_name_size]; -- /*! A properly quoted string representation of the second component of the client principal */ -- char principal_instance [cc_v4_instance_size]; -- /*! A properly quoted string representation of the first component of the service principal */ -- char service [cc_v4_name_size]; -- /*! A properly quoted string representation of the second component of the service principal */ -- char service_instance [cc_v4_instance_size]; -- /*! A properly quoted string representation of the realm */ -- char realm [cc_v4_realm_size]; -- /*! Ticket session key */ -- unsigned char session_key [cc_v4_key_size]; -- /*! Key version number */ -- cc_int32 kvno; -- /*! String to key type used. See cc_string_to_key_type for valid values */ -- cc_int32 string_to_key_type; -- /*! Time when the ticket was issued */ -- cc_time_t issue_date; -- /*! Ticket lifetime in 5 minute units */ -- cc_int32 lifetime; -- /*! IPv4 address of the client the ticket was issued for */ -- cc_uint32 address; -- /*! Ticket size (no greater than cc_v4_ticket_size) */ -- cc_int32 ticket_size; -- /*! Ticket data */ -- unsigned char ticket [cc_v4_ticket_size]; --}; --typedef struct cc_credentials_v4_t cc_credentials_v4_t; -- - /*! - * The CCAPI data structure. This structure is similar to a krb5_data structure. - * In a v5 credentials structure, cc_data structures are used -@@ -602,8 +539,6 @@ struct cc_credentials_union { - cc_uint32 version; - /*! The credentials. */ - union { -- /*! If \a version is #cc_credentials_v4, a pointer to a cc_credentials_v4_t. */ -- cc_credentials_v4_t* credentials_v4; - /*! If \a version is #cc_credentials_v5, a pointer to a cc_credentials_v5_t. */ - cc_credentials_v5_t* credentials_v5; - } credentials; -@@ -781,13 +716,11 @@ struct cc_context_f { - * \return On success, #ccNoError. On failure, an error code representing the failure. - * \brief \b cc_context_create_ccache(): Create a new ccache. - * -- * Create a new credentials cache. The ccache is uniquely identified by its name. -- * The principal given is also associated with the ccache and the credentials -- * version specified. A NULL name is not allowed (and ccErrBadName is returned -- * if one is passed in). Only cc_credentials_v4 and cc_credentials_v5 are valid -- * input values for cred_vers. If you want to create a new ccache that will hold -- * both versions of credentials, call cc_context_create_ccache() with one version, -- * and then cc_ccache_set_principal() with the other version. -+ * Create a new credentials cache. The ccache is uniquely identified by -+ * its name. The principal given is also associated with the ccache and -+ * the credentials version specified. A NULL name is not allowed (and -+ * ccErrBadName is returned if one is passed in). Only cc_credentials_v5 -+ * can be an input value for cred_vers. - * - * If you want to create a new ccache (with a unique name), you should use - * cc_context_create_new_ccache() instead. If you want to create or reinitialize -@@ -814,10 +747,9 @@ struct cc_context_f { - * cc_context_get_default_ccache_name()); see the description of - * cc_context_get_default_ccache_name() for details. - * -- * The principal should be a C string containing an unparsed Kerberos principal -- * in the format of the appropriate Kerberos version, i.e. \verbatim foo.bar/@BAZ -- * \endverbatim for Kerberos v4 and \verbatim foo/bar/@BAZ \endverbatim -- * for Kerberos v5. -+ * The principal should be a C string containing an unparsed Kerberos -+ * principal in the format of the appropriate Kerberos version, -+ * i.e. \verbatim foo/bar/@BAZ \endverbatim for Kerberos v5. - */ - cc_int32 (*create_ccache) (cc_context_t in_context, - const char *in_name, -@@ -1014,14 +946,11 @@ struct cc_ccache_f { - * \return On success, #ccNoError. On failure, an error code representing the failure. - * \brief \b cc_ccache_get_credentials_version(): Get the credentials version of a ccache. - * -- * cc_ccache_get_credentials_version() returns one value of the enumerated type -- * cc_credentials_vers. The possible return values are #cc_credentials_v4 -- * (if ccache's v4 principal has been set), #cc_credentials_v5 -- * (if ccache's v5 principal has been set), or #cc_credentials_v4_v5 -- * (if both ccache's v4 and v5 principals have been set). A ccache's -- * principal is set with one of cc_context_create_ccache(), -- * cc_context_create_new_ccache(), cc_context_create_default_ccache(), or -- * cc_ccache_set_principal(). -+ * cc_ccache_get_credentials_version() returns one value of the enumerated -+ * type cc_credentials_vers. The return value is #cc_credentials_v5 (if -+ * ccache's v5 principal has been set). A ccache's principal is set with -+ * one of cc_context_create_ccache(), cc_context_create_new_ccache(), -+ * cc_context_create_default_ccache(), or cc_ccache_set_principal(). - */ - cc_int32 (*get_credentials_version) (cc_ccache_t in_ccache, - cc_uint32 *out_credentials_version); -@@ -1046,10 +975,7 @@ struct cc_ccache_f { - * - * Return the principal for the ccache that was set via cc_context_create_ccache(), - * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or -- * cc_ccache_set_principal(). Principals for v4 and v5 are separate, but -- * should be kept synchronized for each ccache; they can be retrieved by -- * passing cc_credentials_v4 or cc_credentials_v5 in cred_vers. Passing -- * cc_credentials_v4_v5 will result in the error ccErrBadCredentialsVersion. -+ * cc_ccache_set_principal(). - */ - cc_int32 (*get_principal) (cc_ccache_t in_ccache, - cc_uint32 in_credentials_version, -@@ -1063,10 +989,7 @@ struct cc_ccache_f { - * \return On success, #ccNoError. On failure, an error code representing the failure. - * \brief \b cc_ccache_set_principal(): Set the principal of a ccache. - * -- * Set the a principal for ccache. The v4 and v5 principals can be set -- * independently, but they should always be kept equal, up to differences in -- * string representation between v4 and v5. Passing cc_credentials_v4_v5 in -- * cred_vers will result in the error ccErrBadCredentialsVersion. -+ * Set the a principal for ccache. - */ - cc_int32 (*set_principal) (cc_ccache_t io_ccache, - cc_uint32 in_credentials_version, -@@ -1083,12 +1006,13 @@ struct cc_ccache_f { - * See the description of the credentials types for the meaning of - * cc_credentials_union fields. - * -- * Before credentials of a specific credential type can be stored in a ccache, -- * the corresponding principal version has to be set. For example, before you can -- * store Kerberos v4 credentials in a ccache, the Kerberos v4 principal has to be set -- * either by cc_context_create_ccache(), cc_context_create_default_ccache(), -- * cc_context_create_new_ccache(), or cc_ccache_set_principal(); likewise for -- * Kerberos v5. Otherwise, ccErrBadCredentialsVersion is returned. -+ * Before credentials of a specific credential type can be stored in a -+ * ccache, the corresponding principal version has to be set. That is, -+ * before you can store Kerberos v5 credentials in a ccache, the Kerberos -+ * v5 principal has to be set either by cc_context_create_ccache(), -+ * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or -+ * cc_ccache_set_principal(); otherwise, ccErrBadCredentialsVersion is -+ * returned. - */ - cc_int32 (*store_credentials) (cc_ccache_t io_ccache, - const cc_credentials_union *in_credentials_union); -diff --git a/src/include/CredentialsCache2.h b/src/include/CredentialsCache2.h -index b3b48996d..9e5a346ac 100644 ---- a/src/include/CredentialsCache2.h -+++ b/src/include/CredentialsCache2.h -@@ -85,36 +85,13 @@ typedef struct cc_credentials_v5_compat { - cc_data_compat** authdata; - } cc_credentials_v5_compat; - --enum { -- MAX_V4_CRED_LEN = 1250 --}; -- - enum { - KRB_NAME_SZ = 40, - KRB_INSTANCE_SZ = 40, - KRB_REALM_SZ = 40 - }; - --typedef struct cc_credentials_v4_compat { -- unsigned char kversion; -- char principal[KRB_NAME_SZ+1]; -- char principal_instance[KRB_INSTANCE_SZ+1]; -- char service[KRB_NAME_SZ+1]; -- char service_instance[KRB_INSTANCE_SZ+1]; -- char realm[KRB_REALM_SZ+1]; -- unsigned char session_key[8]; -- cc_int32 kvno; -- cc_int32 str_to_key; -- long issue_date; -- cc_int32 lifetime; -- cc_uint32 address; -- cc_int32 ticket_sz; -- unsigned char ticket[MAX_V4_CRED_LEN]; -- unsigned long oops; --} cc_credentials_v4_compat; -- - typedef union cred_ptr_union_compat { -- cc_credentials_v4_compat* pV4Cred; - cc_credentials_v5_compat* pV5Cred; - } cred_ptr_union_compat; - -@@ -135,7 +112,6 @@ typedef struct infoNC infoNC; - - /* Some old type names */ - --typedef cc_credentials_v4_compat V4Cred_type; - typedef cc_credentials_v5_compat cc_creds; - struct ccache_cit; - typedef struct ccache_cit ccache_cit; -@@ -166,7 +142,7 @@ enum { - - enum { - CC_CRED_UNKNOWN, -- CC_CRED_V4, -+ /* CC_CRED_V4, */ - CC_CRED_V5, - CC_CRED_MAX - }; -diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c -index db69eebb4..cac61e45c 100644 ---- a/src/lib/krb5/ccache/ccapi/stdcc.c -+++ b/src/lib/krb5/ccache/ccapi/stdcc.c -@@ -589,7 +589,6 @@ krb5_stdccv3_next_cred (krb5_context context, - err = stdccv3_setup (context, ccapi_data); - } - -- /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */ - while (!err) { - err = cc_credentials_iterator_next (iterator, &credentials); - -@@ -836,7 +835,6 @@ krb5_stdccv3_remove (krb5_context context, - &iterator); - } - -- /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */ - while (!err && !found) { - cc_credentials_t credentials = NULL; - -diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c -index 62d847c18..1f2a3865c 100644 ---- a/src/lib/krb5/ccache/ccapi/stdcc_util.c -+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c -@@ -521,9 +521,6 @@ cred_union_release (cc_credentials_union *in_cred_union) - - free (cv5); - -- } else if (in_cred_union->version == cc_credentials_v4 && -- in_cred_union->credentials.credentials_v4) { -- free (in_cred_union->credentials.credentials_v4); - } - free ((cc_credentials_union *) in_cred_union); - } -@@ -892,10 +889,7 @@ static void deep_free_cc_v5_creds (cc_creds* creds) - - static void deep_free_cc_creds (cred_union creds) - { -- if (creds.cred_type == CC_CRED_V4) { -- /* we shouldn't get this, of course */ -- free (creds.cred.pV4Cred); -- } else if (creds.cred_type == CC_CRED_V5) { -+ if (creds.cred_type == CC_CRED_V5) { - deep_free_cc_v5_creds (creds.cred.pV5Cred); - } - } -diff --git a/src/windows/kfwlogon/kfwlogon.h b/src/windows/kfwlogon/kfwlogon.h -index b2674573e..622d5665c 100644 ---- a/src/windows/kfwlogon/kfwlogon.h -+++ b/src/windows/kfwlogon/kfwlogon.h -@@ -94,7 +94,7 @@ typedef int cc_int32; - - enum { - CC_CRED_VUNKNOWN = 0, // For validation -- CC_CRED_V4 = 1, -+ /* CC_CRED_V4 = 1, */ - CC_CRED_V5 = 2, - CC_CRED_VMAX = 3 // For validation - }; -diff --git a/src/windows/leashdll/leash-int.h b/src/windows/leashdll/leash-int.h -index cb40c607c..bf6f6a08d 100644 ---- a/src/windows/leashdll/leash-int.h -+++ b/src/windows/leashdll/leash-int.h -@@ -182,7 +182,7 @@ typedef int cc_int32; - - enum { - CC_CRED_VUNKNOWN = 0, // For validation -- CC_CRED_V4 = 1, -+ /* CC_CRED_V4 = 1, */ - CC_CRED_V5 = 2, - CC_CRED_VMAX = 3 // For validation - }; -diff --git a/src/windows/lib/cacheapi.h b/src/windows/lib/cacheapi.h -index b30857810..9aab4a098 100644 ---- a/src/windows/lib/cacheapi.h -+++ b/src/windows/lib/cacheapi.h -@@ -126,52 +126,8 @@ typedef struct _cc_creds { - cc_data ** authdata; - } cc_creds; - --// begin V4 stuff --// use an enumerated type so all callers infer the same meaning --// these values are what krbv4win uses internally. --#define STK_AFS 0 --#define STK_DES 1 -- --// K4 uses a MAX_KTXT_LEN of 1250 to hold a ticket --// K95 uses 256 --// To be safe I'll use the larger number, but a factor of 5!!! --#define MAX_V4_CRED_LEN 1250 -- --// V4 Credentials -- --enum { -- KRB_NAME_SZ = 40, -- KRB_INSTANCE_SZ = 40, -- KRB_REALM_SZ = 40 --}; -- --typedef struct cc_V4credential { -- unsigned char kversion; -- char principal[KRB_NAME_SZ + 1]; -- char principal_instance[KRB_INSTANCE_SZ + 1]; -- char service[KRB_NAME_SZ + 1]; -- char service_instance[KRB_INSTANCE_SZ + 1]; -- char realm[KRB_REALM_SZ + 1]; -- unsigned char session_key[8]; -- cc_int32 kvno; // k95 used BYTE skvno -- cc_int32 str_to_key; // k4 infers dynamically, k95 stores -- long issue_date; // k95 called this issue_time -- cc_int32 lifetime; // k95 used LONG expiration_time -- cc_uint32 address; // IP Address of local host -- cc_int32 ticket_sz; // k95 used BYTE, k4 ktext uses int to hold up to 1250 -- unsigned char ticket[MAX_V4_CRED_LEN]; -- unsigned long oops; // zero to catch runaways --} V4Cred_type; -- --enum { -- CC_CRED_VUNKNOWN = 0, // For validation -- CC_CRED_V4 = 1, -- CC_CRED_V5 = 2, -- CC_CRED_VMAX = 3 // For validation --}; - - typedef union cred_ptr_union_type { -- V4Cred_type* pV4Cred; - cc_creds* pV5Cred; - } cred_ptr_union; - -@@ -223,16 +179,15 @@ cc_get_change_time( - ** create, open, close, destroy, get_principal, get_cred_version, & - ** lock_request - ** --** Multiple NCs are allowed within the main cache. Each has a Name --** and kerberos version # (V4 or V5). Caller gets "ccache_ptr"s for --** NCs. -+** Multiple NCs are allowed within the main cache. Each has a Name and -+** kerberos version # (V5). Caller gets "ccache_ptr"s for NCs. - */ - CCACHE_API - cc_create( - apiCB* cc_ctx, // > DLL's primary control structure - const char* name, // > name of cache to be [destroyed if exists, then] created - const char* principal, -- cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5) -+ cc_int32 vers, // > ticket version (CC_CRED_V5) - cc_uint32 cc_flags, // > options - ccache_p** ccache_ptr // < NC control structure - ); -@@ -241,7 +196,7 @@ CCACHE_API - cc_open( - apiCB* cc_ctx, // > DLL's primary control structure - const char* name, // > name of pre-created cache -- cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5) -+ cc_int32 vers, // > ticket version (CC_CRED_V5) - cc_uint32 cc_flags, // > options - ccache_p** ccache_ptr // < NC control structure - ); diff --git a/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch b/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch deleted file mode 100644 index b759047..0000000 --- a/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch +++ /dev/null @@ -1,967 +0,0 @@ -From 044e7ea922800bfc17ba816780803b1d67622b7b Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 18 Jun 2019 11:40:48 -0400 -Subject: [PATCH] Remove PKINIT draft 9 ASN.1 code and types - -ticket: 8817 -(cherry picked from commit c82e21d8836d4cb4c6ac7047752c9f600cb1ce33) ---- - src/include/k5-int-pkinit.h | 74 -------------------------- - src/include/k5-int.h | 30 +---------- - src/lib/krb5/asn.1/asn1_k_encode.c | 81 ---------------------------- - src/lib/krb5/os/accessor.c | 7 --- - src/tests/asn.1/krb5_decode_test.c | 41 -------------- - src/tests/asn.1/krb5_encode_test.c | 40 -------------- - src/tests/asn.1/ktest.c | 85 ------------------------------ - src/tests/asn.1/ktest.h | 11 ---- - src/tests/asn.1/ktest_equal.c | 51 ------------------ - src/tests/asn.1/ktest_equal.h | 3 -- - src/tests/asn.1/pkinit_encode.out | 5 -- - src/tests/asn.1/pkinit_trval.out | 47 ----------------- - 12 files changed, 1 insertion(+), 474 deletions(-) - -diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h -index 4622a629e..c23cfd304 100644 ---- a/src/include/k5-int-pkinit.h -+++ b/src/include/k5-int-pkinit.h -@@ -45,14 +45,6 @@ typedef struct _krb5_pk_authenticator { - krb5_data *freshnessToken; - } krb5_pk_authenticator; - --/* PKAuthenticator draft9 */ --typedef struct _krb5_pk_authenticator_draft9 { -- krb5_principal kdcName; -- krb5_int32 cusec; /* (0..999999) */ -- krb5_timestamp ctime; -- krb5_int32 nonce; /* (0..4294967295) */ --} krb5_pk_authenticator_draft9; -- - /* AlgorithmIdentifier */ - typedef struct _krb5_algorithm_identifier { - krb5_data algorithm; /* OID */ -@@ -74,12 +66,6 @@ typedef struct _krb5_auth_pack { - krb5_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */ - } krb5_auth_pack; - --/* AuthPack draft9 */ --typedef struct _krb5_auth_pack_draft9 { -- krb5_pk_authenticator_draft9 pkAuthenticator; -- krb5_subject_pk_info *clientPublicValue; /* Optional */ --} krb5_auth_pack_draft9; -- - /* ExternalPrincipalIdentifier */ - typedef struct _krb5_external_principal_identifier { - krb5_data subjectName; /* Optional */ -@@ -87,14 +73,6 @@ typedef struct _krb5_external_principal_identifier { - krb5_data subjectKeyIdentifier; /* Optional */ - } krb5_external_principal_identifier; - --/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ --/* This has four fields, but we only care about the first and third for -- * encoding, and the only about the first for decoding. */ --typedef struct _krb5_pa_pk_as_req_draft9 { -- krb5_data signedAuthPack; -- krb5_data kdcCert; /* Optional */ --} krb5_pa_pk_as_req_draft9; -- - /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */ - typedef struct _krb5_pa_pk_as_req { - krb5_data signedAuthPack; -@@ -116,37 +94,12 @@ typedef struct _krb5_kdc_dh_key_info { - krb5_timestamp dhKeyExpiration; /* Optional */ - } krb5_kdc_dh_key_info; - --/* KDCDHKeyInfo draft9*/ --typedef struct _krb5_kdc_dh_key_info_draft9 { -- krb5_data subjectPublicKey; /* BIT STRING */ -- krb5_int32 nonce; /* (0..4294967295) */ --} krb5_kdc_dh_key_info_draft9; -- - /* ReplyKeyPack */ - typedef struct _krb5_reply_key_pack { - krb5_keyblock replyKey; - krb5_checksum asChecksum; - } krb5_reply_key_pack; - --/* ReplyKeyPack */ --typedef struct _krb5_reply_key_pack_draft9 { -- krb5_keyblock replyKey; -- krb5_int32 nonce; --} krb5_reply_key_pack_draft9; -- --/* PA-PK-AS-REP (Draft 9 -- PA TYPE 15) */ --typedef struct _krb5_pa_pk_as_rep_draft9 { -- enum krb5_pa_pk_as_rep_draft9_selection { -- choice_pa_pk_as_rep_draft9_UNKNOWN = -1, -- choice_pa_pk_as_rep_draft9_dhSignedData = 0, -- choice_pa_pk_as_rep_draft9_encKeyPack = 1 -- } choice; -- union krb5_pa_pk_as_rep_draft9_choices { -- krb5_data dhSignedData; -- krb5_data encKeyPack; -- } u; --} krb5_pa_pk_as_rep_draft9; -- - /* PA-PK-AS-REP (rfc4556 -- PA TYPE 17) */ - typedef struct _krb5_pa_pk_as_rep { - enum krb5_pa_pk_as_rep_selection { -@@ -186,34 +139,18 @@ typedef struct _krb5_pkinit_supp_pub_info { - krb5_error_code - encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code); - --krb5_error_code --encode_krb5_pa_pk_as_req_draft9(const krb5_pa_pk_as_req_draft9 *rep, -- krb5_data **code); -- - krb5_error_code - encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code); - --krb5_error_code --encode_krb5_pa_pk_as_rep_draft9(const krb5_pa_pk_as_rep_draft9 *rep, -- krb5_data **code); -- - krb5_error_code - encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code); - --krb5_error_code --encode_krb5_auth_pack_draft9(const krb5_auth_pack_draft9 *rep, -- krb5_data **code); -- - krb5_error_code - encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code); - - krb5_error_code - encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code); - --krb5_error_code --encode_krb5_reply_key_pack_draft9(const krb5_reply_key_pack_draft9 *, -- krb5_data **code); -- - krb5_error_code - encode_krb5_td_trusted_certifiers(krb5_external_principal_identifier *const *, - krb5_data **code); -@@ -237,19 +174,12 @@ encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *, - krb5_error_code - decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **); - --krb5_error_code --decode_krb5_pa_pk_as_req_draft9(const krb5_data *, -- krb5_pa_pk_as_req_draft9 **); -- - krb5_error_code - decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **); - - krb5_error_code - decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **); - --krb5_error_code --decode_krb5_auth_pack_draft9(const krb5_data *, krb5_auth_pack_draft9 **); -- - krb5_error_code - decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **); - -@@ -259,10 +189,6 @@ decode_krb5_principal_name(const krb5_data *, krb5_principal_data **); - krb5_error_code - decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **); - --krb5_error_code --decode_krb5_reply_key_pack_draft9(const krb5_data *, -- krb5_reply_key_pack_draft9 **); -- - krb5_error_code - decode_krb5_td_trusted_certifiers(const krb5_data *, - krb5_external_principal_identifier ***); -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 0857fd1cc..cb328785d 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -1836,7 +1836,7 @@ krb5int_random_string(krb5_context, char *string, unsigned int length); - /* To keep happy libraries which are (for now) accessing internal stuff */ - - /* Make sure to increment by one when changing the struct */ --#define KRB5INT_ACCESS_STRUCT_VERSION 22 -+#define KRB5INT_ACCESS_STRUCT_VERSION 23 - - typedef struct _krb5int_access { - krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context, -@@ -1865,10 +1865,6 @@ typedef struct _krb5int_access { - krb5_error_code - (*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code); - -- krb5_error_code -- (*encode_krb5_auth_pack_draft9)(const krb5_auth_pack_draft9 *rep, -- krb5_data **code); -- - krb5_error_code - (*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep, - krb5_data **code); -@@ -1877,26 +1873,14 @@ typedef struct _krb5int_access { - (*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep, - krb5_data **code); - -- krb5_error_code -- (*encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *rep, -- krb5_data **code); -- - krb5_error_code - (*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep, - krb5_data **code); - -- krb5_error_code -- (*encode_krb5_pa_pk_as_req_draft9)(const krb5_pa_pk_as_req_draft9 *rep, -- krb5_data **code); -- - krb5_error_code - (*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *, - krb5_data **code); - -- krb5_error_code -- (*encode_krb5_reply_key_pack_draft9)(const krb5_reply_key_pack_draft9 *, -- krb5_data **code); -- - krb5_error_code - (*encode_krb5_td_dh_parameters)(krb5_algorithm_identifier *const *, - krb5_data **code); -@@ -1908,17 +1892,9 @@ typedef struct _krb5int_access { - krb5_error_code - (*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **); - -- krb5_error_code -- (*decode_krb5_auth_pack_draft9)(const krb5_data *, -- krb5_auth_pack_draft9 **); -- - krb5_error_code - (*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **); - -- krb5_error_code -- (*decode_krb5_pa_pk_as_req_draft9)(const krb5_data *, -- krb5_pa_pk_as_req_draft9 **); -- - krb5_error_code - (*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **); - -@@ -1931,10 +1907,6 @@ typedef struct _krb5int_access { - krb5_error_code - (*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **); - -- krb5_error_code -- (*decode_krb5_reply_key_pack_draft9)(const krb5_data *, -- krb5_reply_key_pack_draft9 **); -- - krb5_error_code - (*decode_krb5_td_dh_parameters)(const krb5_data *, - krb5_algorithm_identifier ***); -diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c -index 81a34bac9..a026ab390 100644 ---- a/src/lib/krb5/asn.1/asn1_k_encode.c -+++ b/src/lib/krb5/asn.1/asn1_k_encode.c -@@ -1446,19 +1446,6 @@ static const struct atype_info *pk_authenticator_fields[] = { - }; - DEFSEQTYPE(pk_authenticator, krb5_pk_authenticator, pk_authenticator_fields); - --DEFFIELD(pkauth9_0, krb5_pk_authenticator_draft9, kdcName, 0, principal); --DEFFIELD(pkauth9_1, krb5_pk_authenticator_draft9, kdcName, 1, -- realm_of_principal); --DEFFIELD(pkauth9_2, krb5_pk_authenticator_draft9, cusec, 2, int32); --DEFFIELD(pkauth9_3, krb5_pk_authenticator_draft9, ctime, 3, kerberos_time); --DEFFIELD(pkauth9_4, krb5_pk_authenticator_draft9, nonce, 4, int32); --static const struct atype_info *pk_authenticator_draft9_fields[] = { -- &k5_atype_pkauth9_0, &k5_atype_pkauth9_1, &k5_atype_pkauth9_2, -- &k5_atype_pkauth9_3, &k5_atype_pkauth9_4 --}; --DEFSEQTYPE(pk_authenticator_draft9, krb5_pk_authenticator_draft9, -- pk_authenticator_draft9_fields); -- - DEFCOUNTEDSTRINGTYPE(s_bitstring, char *, unsigned int, - k5_asn1_encode_bitstring, k5_asn1_decode_bitstring, - ASN1_BITSTRING); -@@ -1488,15 +1475,6 @@ static const struct atype_info *auth_pack_fields[] = { - }; - DEFSEQTYPE(auth_pack, krb5_auth_pack, auth_pack_fields); - --DEFFIELD(auth_pack9_0, krb5_auth_pack_draft9, pkAuthenticator, 0, -- pk_authenticator_draft9); --DEFFIELD(auth_pack9_1, krb5_auth_pack_draft9, clientPublicValue, 1, -- opt_subject_pk_info_ptr); --static const struct atype_info *auth_pack_draft9_fields[] = { -- &k5_atype_auth_pack9_0, &k5_atype_auth_pack9_1 --}; --DEFSEQTYPE(auth_pack_draft9, krb5_auth_pack_draft9, auth_pack_draft9_fields); -- - DEFFIELD_IMPLICIT(extprinc_0, krb5_external_principal_identifier, - subjectName, 0, opt_ostring_data); - DEFFIELD_IMPLICIT(extprinc_1, krb5_external_principal_identifier, -@@ -1529,29 +1507,6 @@ static const struct atype_info *pa_pk_as_req_fields[] = { - }; - DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields); - --/* -- * In draft-ietf-cat-kerberos-pk-init-09, this sequence has four fields, but we -- * only ever use the first and third. The fields are specified as explicitly -- * tagged, but our historical behavior is to pretend that they are wrapped in -- * IMPLICIT OCTET STRING (i.e., generate primitive context tags), and we don't -- * want to change that without interop testing. -- */ --DEFFIELD_IMPLICIT(pa_pk_as_req9_0, krb5_pa_pk_as_req_draft9, signedAuthPack, 0, -- ostring_data); --DEFFIELD_IMPLICIT(pa_pk_as_req9_2, krb5_pa_pk_as_req_draft9, kdcCert, 2, -- opt_ostring_data); --static const struct atype_info *pa_pk_as_req_draft9_fields[] = { -- &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_2 --}; --DEFSEQTYPE(pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9, -- pa_pk_as_req_draft9_fields); --/* For decoding, we only care about the first field; we can ignore the rest. */ --static const struct atype_info *pa_pk_as_req_draft9_decode_fields[] = { -- &k5_atype_pa_pk_as_req9_0 --}; --DEFSEQTYPE(pa_pk_as_req_draft9_decode, krb5_pa_pk_as_req_draft9, -- pa_pk_as_req_draft9_decode_fields); -- - DEFFIELD_IMPLICIT(dh_rep_info_0, krb5_dh_rep_info, dhSignedData, 0, - ostring_data); - DEFFIELD(dh_rep_info_1, krb5_dh_rep_info, serverDHNonce, 1, opt_ostring_data); -@@ -1577,14 +1532,6 @@ static const struct atype_info *reply_key_pack_fields[] = { - }; - DEFSEQTYPE(reply_key_pack, krb5_reply_key_pack, reply_key_pack_fields); - --DEFFIELD(key_pack9_0, krb5_reply_key_pack_draft9, replyKey, 0, encryption_key); --DEFFIELD(key_pack9_1, krb5_reply_key_pack_draft9, nonce, 1, int32); --static const struct atype_info *reply_key_pack_draft9_fields[] = { -- &k5_atype_key_pack9_0, &k5_atype_key_pack9_1 --}; --DEFSEQTYPE(reply_key_pack_draft9, krb5_reply_key_pack_draft9, -- reply_key_pack_draft9_fields); -- - DEFCTAGGEDTYPE(pa_pk_as_rep_0, 0, dh_rep_info); - DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep_1, 1, ostring_data); - static const struct atype_info *pa_pk_as_rep_alternatives[] = { -@@ -1595,44 +1542,16 @@ DEFCHOICETYPE(pa_pk_as_rep_choice, union krb5_pa_pk_as_rep_choices, - DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep, krb5_pa_pk_as_rep, u, choice, - pa_pk_as_rep_choice); - --/* -- * draft-ietf-cat-kerberos-pk-init-09 specifies these alternatives as -- * explicitly tagged SignedData and EnvelopedData respectively, which means -- * they should have constructed context tags. However, our historical behavior -- * is to use primitive context tags, and we don't want to change that behavior -- * without interop testing. We have the encodings for each alternative in a -- * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in -- * order to wrap them in primitive [0] and [1] tags. -- */ --DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_0, 0, ostring_data); --DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_1, 1, ostring_data); --static const struct atype_info *pa_pk_as_rep_draft9_alternatives[] = { -- &k5_atype_pa_pk_as_rep9_0, &k5_atype_pa_pk_as_rep9_1 --}; --DEFCHOICETYPE(pa_pk_as_rep_draft9_choice, -- union krb5_pa_pk_as_rep_draft9_choices, -- enum krb5_pa_pk_as_rep_draft9_selection, -- pa_pk_as_rep_draft9_alternatives); --DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep_draft9, krb5_pa_pk_as_rep_draft9, u, choice, -- pa_pk_as_rep_draft9_choice); -- - MAKE_ENCODER(encode_krb5_pa_pk_as_req, pa_pk_as_req); - MAKE_DECODER(decode_krb5_pa_pk_as_req, pa_pk_as_req); --MAKE_ENCODER(encode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9); --MAKE_DECODER(decode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9_decode); - MAKE_ENCODER(encode_krb5_pa_pk_as_rep, pa_pk_as_rep); - MAKE_DECODER(decode_krb5_pa_pk_as_rep, pa_pk_as_rep); --MAKE_ENCODER(encode_krb5_pa_pk_as_rep_draft9, pa_pk_as_rep_draft9); - MAKE_ENCODER(encode_krb5_auth_pack, auth_pack); - MAKE_DECODER(decode_krb5_auth_pack, auth_pack); --MAKE_ENCODER(encode_krb5_auth_pack_draft9, auth_pack_draft9); --MAKE_DECODER(decode_krb5_auth_pack_draft9, auth_pack_draft9); - MAKE_ENCODER(encode_krb5_kdc_dh_key_info, kdc_dh_key_info); - MAKE_DECODER(decode_krb5_kdc_dh_key_info, kdc_dh_key_info); - MAKE_ENCODER(encode_krb5_reply_key_pack, reply_key_pack); - MAKE_DECODER(decode_krb5_reply_key_pack, reply_key_pack); --MAKE_ENCODER(encode_krb5_reply_key_pack_draft9, reply_key_pack_draft9); --MAKE_DECODER(decode_krb5_reply_key_pack_draft9, reply_key_pack_draft9); - MAKE_ENCODER(encode_krb5_td_trusted_certifiers, - seqof_external_principal_identifier); - MAKE_DECODER(decode_krb5_td_trusted_certifiers, -diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c -index d77f8c6b7..12a39a2ab 100644 ---- a/src/lib/krb5/os/accessor.c -+++ b/src/lib/krb5/os/accessor.c -@@ -80,25 +80,18 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version) - #define SC(FIELD, VAL) S(FIELD, 0) - #endif - SC (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req), -- SC (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9), - SC (encode_krb5_pa_pk_as_rep, encode_krb5_pa_pk_as_rep), -- SC (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9), - SC (encode_krb5_auth_pack, encode_krb5_auth_pack), -- SC (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9), - SC (encode_krb5_kdc_dh_key_info, encode_krb5_kdc_dh_key_info), - SC (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack), -- SC (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9), - SC (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers), - SC (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters), - SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req), -- SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9), - SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep), - SC (decode_krb5_auth_pack, decode_krb5_auth_pack), -- SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9), - SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info), - SC (decode_krb5_principal_name, decode_krb5_principal_name), - SC (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack), -- SC (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9), - SC (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers), - SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters), - SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body), -diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c -index cbd99ba63..7a116b40d 100644 ---- a/src/tests/asn.1/krb5_decode_test.c -+++ b/src/tests/asn.1/krb5_decode_test.c -@@ -42,8 +42,6 @@ void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val); - #ifndef DISABLE_PKINIT - static int equal_principal(krb5_principal *ref, krb5_principal var); - static void ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val); --static void ktest_free_auth_pack_draft9(krb5_context context, -- krb5_auth_pack_draft9 *val); - static void ktest_free_kdc_dh_key_info(krb5_context context, - krb5_kdc_dh_key_info *val); - static void ktest_free_pa_pk_as_req(krb5_context context, -@@ -52,8 +50,6 @@ static void ktest_free_pa_pk_as_rep(krb5_context context, - krb5_pa_pk_as_rep *val); - static void ktest_free_reply_key_pack(krb5_context context, - krb5_reply_key_pack *val); --static void ktest_free_reply_key_pack_draft9(krb5_context context, -- krb5_reply_key_pack_draft9 *val); - #endif - static void ktest_free_kkdcp_message(krb5_context context, - krb5_kkdcp_message *val); -@@ -1183,16 +1179,6 @@ int main(argc, argv) - ktest_empty_auth_pack(&ref); - } - -- /****************************************************************/ -- /* decode_krb5_auth_pack_draft9 */ -- { -- setup(krb5_auth_pack_draft9,ktest_make_sample_auth_pack_draft9); -- decode_run("krb5_auth_pack_draft9","","30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61", -- acc.decode_krb5_auth_pack_draft9, -- ktest_equal_auth_pack_draft9,ktest_free_auth_pack_draft9); -- ktest_empty_auth_pack_draft9(&ref); -- } -- - /****************************************************************/ - /* decode_krb5_kdc_dh_key_info */ - { -@@ -1213,16 +1199,6 @@ int main(argc, argv) - ktest_empty_reply_key_pack(&ref); - } - -- /****************************************************************/ -- /* decode_krb5_reply_key_pack_draft9 */ -- { -- setup(krb5_reply_key_pack_draft9,ktest_make_sample_reply_key_pack_draft9); -- decode_run("krb5_reply_key_pack_draft9","","30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A", -- acc.decode_krb5_reply_key_pack_draft9, -- ktest_equal_reply_key_pack_draft9,ktest_free_reply_key_pack_draft9); -- ktest_empty_reply_key_pack_draft9(&ref); -- } -- - /****************************************************************/ - /* decode_krb5_principal_name */ - /* We have no encoder for this type (KerberosName from RFC 4556); the -@@ -1279,14 +1255,6 @@ ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val) - free(val); - } - --static void --ktest_free_auth_pack_draft9(krb5_context context, krb5_auth_pack_draft9 *val) --{ -- if (val) -- ktest_empty_auth_pack_draft9(val); -- free(val); --} -- - static void - ktest_free_kdc_dh_key_info(krb5_context context, krb5_kdc_dh_key_info *val) - { -@@ -1319,15 +1287,6 @@ ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val) - free(val); - } - --static void --ktest_free_reply_key_pack_draft9(krb5_context context, -- krb5_reply_key_pack_draft9 *val) --{ -- if (val) -- ktest_empty_reply_key_pack_draft9(val); -- free(val); --} -- - #endif /* not DISABLE_PKINIT */ - - static void -diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c -index 3efbfb4c0..72c013468 100644 ---- a/src/tests/asn.1/krb5_encode_test.c -+++ b/src/tests/asn.1/krb5_encode_test.c -@@ -798,15 +798,6 @@ main(argc, argv) - ktest_empty_pa_pk_as_req(&req); - } - /****************************************************************/ -- /* encode_krb5_pa_pk_as_req_draft9 */ -- { -- krb5_pa_pk_as_req_draft9 req; -- ktest_make_sample_pa_pk_as_req_draft9(&req); -- encode_run(req, "pa_pk_as_req_draft9", "", -- acc.encode_krb5_pa_pk_as_req_draft9); -- ktest_empty_pa_pk_as_req_draft9(&req); -- } -- /****************************************************************/ - /* encode_krb5_pa_pk_as_rep */ - { - krb5_pa_pk_as_rep rep; -@@ -820,19 +811,6 @@ main(argc, argv) - ktest_empty_pa_pk_as_rep(&rep); - } - /****************************************************************/ -- /* encode_krb5_pa_pk_as_rep_draft9 */ -- { -- krb5_pa_pk_as_rep_draft9 rep; -- ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(&rep); -- encode_run(rep, "pa_pk_as_rep_draft9", "(dhSignedData)", -- acc.encode_krb5_pa_pk_as_rep_draft9); -- ktest_empty_pa_pk_as_rep_draft9(&rep); -- ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(&rep); -- encode_run(rep, "pa_pk_as_rep_draft9", "(encKeyPack)", -- acc.encode_krb5_pa_pk_as_rep_draft9); -- ktest_empty_pa_pk_as_rep_draft9(&rep); -- } -- /****************************************************************/ - /* encode_krb5_auth_pack */ - { - krb5_auth_pack pack; -@@ -841,15 +819,6 @@ main(argc, argv) - ktest_empty_auth_pack(&pack); - } - /****************************************************************/ -- /* encode_krb5_auth_pack_draft9_draft9 */ -- { -- krb5_auth_pack_draft9 pack; -- ktest_make_sample_auth_pack_draft9(&pack); -- encode_run(pack, "auth_pack_draft9", "", -- acc.encode_krb5_auth_pack_draft9); -- ktest_empty_auth_pack_draft9(&pack); -- } -- /****************************************************************/ - /* encode_krb5_kdc_dh_key_info */ - { - krb5_kdc_dh_key_info ki; -@@ -866,15 +835,6 @@ main(argc, argv) - ktest_empty_reply_key_pack(&pack); - } - /****************************************************************/ -- /* encode_krb5_reply_key_pack_draft9 */ -- { -- krb5_reply_key_pack_draft9 pack; -- ktest_make_sample_reply_key_pack_draft9(&pack); -- encode_run(pack, "reply_key_pack_draft9", "", -- acc.encode_krb5_reply_key_pack_draft9); -- ktest_empty_reply_key_pack_draft9(&pack); -- } -- /****************************************************************/ - /* encode_krb5_sp80056a_other_info */ - { - krb5_sp80056a_other_info info; -diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c -index 258377299..7bb698732 100644 ---- a/src/tests/asn.1/ktest.c -+++ b/src/tests/asn.1/ktest.c -@@ -729,15 +729,6 @@ ktest_make_sample_pk_authenticator(krb5_pk_authenticator *p) - ktest_make_sample_data(p->freshnessToken); - } - --static void --ktest_make_sample_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p) --{ -- ktest_make_sample_principal(&p->kdcName); -- p->cusec = SAMPLE_USEC; -- p->ctime = SAMPLE_TIME; -- p->nonce = SAMPLE_NONCE; --} -- - static void - ktest_make_sample_oid(krb5_data *p) - { -@@ -788,13 +779,6 @@ ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p) - ktest_make_sample_data(&p->kdcPkId); - } - --void --ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p) --{ -- ktest_make_sample_data(&p->signedAuthPack); -- ktest_make_sample_data(&p->kdcCert); --} -- - static void - ktest_make_sample_dh_rep_info(krb5_dh_rep_info *p) - { -@@ -818,20 +802,6 @@ ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p) - ktest_make_sample_data(&p->u.encKeyPack); - } - --void --ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(krb5_pa_pk_as_rep_draft9 *p) --{ -- p->choice = choice_pa_pk_as_rep_draft9_dhSignedData; -- ktest_make_sample_data(&p->u.dhSignedData); --} -- --void --ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(krb5_pa_pk_as_rep_draft9 *p) --{ -- p->choice = choice_pa_pk_as_rep_draft9_encKeyPack; -- ktest_make_sample_data(&p->u.encKeyPack); --} -- - void - ktest_make_sample_auth_pack(krb5_auth_pack *p) - { -@@ -851,14 +821,6 @@ ktest_make_sample_auth_pack(krb5_auth_pack *p) - p->supportedKDFs[1] = NULL; - } - --void --ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p) --{ -- ktest_make_sample_pk_authenticator_draft9(&p->pkAuthenticator); -- p->clientPublicValue = ealloc(sizeof(krb5_subject_pk_info)); -- ktest_make_sample_subject_pk_info(p->clientPublicValue); --} -- - void - ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p) - { -@@ -874,13 +836,6 @@ ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p) - ktest_make_sample_checksum(&p->asChecksum); - } - --void --ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p) --{ -- ktest_make_sample_keyblock(&p->replyKey); -- p->nonce = SAMPLE_NONCE; --} -- - void - ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p) - { -@@ -1717,12 +1672,6 @@ ktest_empty_pk_authenticator(krb5_pk_authenticator *p) - p->freshnessToken = NULL; - } - --static void --ktest_empty_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p) --{ -- ktest_destroy_principal(&p->kdcName); --} -- - static void - ktest_empty_subject_pk_info(krb5_subject_pk_info *p) - { -@@ -1754,13 +1703,6 @@ ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p) - ktest_empty_data(&p->kdcPkId); - } - --void --ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p) --{ -- ktest_empty_data(&p->signedAuthPack); -- ktest_empty_data(&p->kdcCert); --} -- - static void - ktest_empty_dh_rep_info(krb5_dh_rep_info *p) - { -@@ -1779,16 +1721,6 @@ ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p) - p->choice = choice_pa_pk_as_rep_UNKNOWN; - } - --void --ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p) --{ -- if (p->choice == choice_pa_pk_as_rep_draft9_dhSignedData) -- ktest_empty_data(&p->u.dhSignedData); -- else if (p->choice == choice_pa_pk_as_rep_draft9_encKeyPack) -- ktest_empty_data(&p->u.encKeyPack); -- p->choice = choice_pa_pk_as_rep_draft9_UNKNOWN; --} -- - void - ktest_empty_auth_pack(krb5_auth_pack *p) - { -@@ -1820,17 +1752,6 @@ ktest_empty_auth_pack(krb5_auth_pack *p) - } - } - --void --ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p) --{ -- ktest_empty_pk_authenticator_draft9(&p->pkAuthenticator); -- if (p->clientPublicValue != NULL) { -- ktest_empty_subject_pk_info(p->clientPublicValue); -- free(p->clientPublicValue); -- p->clientPublicValue = NULL; -- } --} -- - void - ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p) - { -@@ -1844,12 +1765,6 @@ ktest_empty_reply_key_pack(krb5_reply_key_pack *p) - ktest_empty_checksum(&p->asChecksum); - } - --void --ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p) --{ -- ktest_empty_keyblock(&p->replyKey); --} -- - void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p) - { - ktest_empty_algorithm_identifier(&p->algorithm_identifier); -diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h -index 1413cfae1..d9cc90a5c 100644 ---- a/src/tests/asn.1/ktest.h -+++ b/src/tests/asn.1/ktest.h -@@ -101,18 +101,11 @@ void ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p); - - #ifndef DISABLE_PKINIT - void ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p); --void ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p); - void ktest_make_sample_pa_pk_as_rep_dhInfo(krb5_pa_pk_as_rep *p); - void ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p); --void ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData( -- krb5_pa_pk_as_rep_draft9 *p); --void ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack( -- krb5_pa_pk_as_rep_draft9 *p); - void ktest_make_sample_auth_pack(krb5_auth_pack *p); --void ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p); - void ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p); - void ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p); --void ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p); - void ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p); - void ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p); - #endif -@@ -197,14 +190,10 @@ void ktest_empty_pa_otp_req(krb5_pa_otp_req *p); - - #ifndef DISABLE_PKINIT - void ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p); --void ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p); - void ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p); --void ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p); - void ktest_empty_auth_pack(krb5_auth_pack *p); --void ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p); - void ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p); - void ktest_empty_reply_key_pack(krb5_reply_key_pack *p); --void ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p); - void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p); - void ktest_empty_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p); - #endif -diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c -index 714cc4398..8a3911cdc 100644 ---- a/src/tests/asn.1/ktest_equal.c -+++ b/src/tests/asn.1/ktest_equal.c -@@ -876,20 +876,6 @@ ktest_equal_pk_authenticator(krb5_pk_authenticator *ref, - return p; - } - --static int --ktest_equal_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *ref, -- krb5_pk_authenticator_draft9 *var) --{ -- int p = TRUE; -- if (ref == var) return TRUE; -- else if (ref == NULL || var == NULL) return FALSE; -- p = p && ptr_equal(kdcName, ktest_equal_principal_data); -- p = p && scalar_equal(cusec); -- p = p && scalar_equal(ctime); -- p = p && scalar_equal(nonce); -- return p; --} -- - static int - ktest_equal_subject_pk_info(krb5_subject_pk_info *ref, - krb5_subject_pk_info *var) -@@ -937,18 +923,6 @@ ktest_equal_pa_pk_as_req(krb5_pa_pk_as_req *ref, krb5_pa_pk_as_req *var) - return p; - } - --int --ktest_equal_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *ref, -- krb5_pa_pk_as_req_draft9 *var) --{ -- int p = TRUE; -- if (ref == var) return TRUE; -- else if (ref == NULL || var == NULL) return FALSE; -- p = p && equal_str(signedAuthPack); -- p = p && equal_str(kdcCert); -- return p; --} -- - static int - ktest_equal_dh_rep_info(krb5_dh_rep_info *ref, krb5_dh_rep_info *var) - { -@@ -996,19 +970,6 @@ ktest_equal_auth_pack(krb5_auth_pack *ref, krb5_auth_pack *var) - return p; - } - --int --ktest_equal_auth_pack_draft9(krb5_auth_pack_draft9 *ref, -- krb5_auth_pack_draft9 *var) --{ -- int p = TRUE; -- if (ref == var) return TRUE; -- else if (ref == NULL || var == NULL) return FALSE; -- p = p && struct_equal(pkAuthenticator, -- ktest_equal_pk_authenticator_draft9); -- p = p && ptr_equal(clientPublicValue, ktest_equal_subject_pk_info); -- return p; --} -- - int - ktest_equal_kdc_dh_key_info(krb5_kdc_dh_key_info *ref, - krb5_kdc_dh_key_info *var) -@@ -1033,18 +994,6 @@ ktest_equal_reply_key_pack(krb5_reply_key_pack *ref, krb5_reply_key_pack *var) - return p; - } - --int --ktest_equal_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *ref, -- krb5_reply_key_pack_draft9 *var) --{ -- int p = TRUE; -- if (ref == var) return TRUE; -- else if (ref == NULL || var == NULL) return FALSE; -- p = p && struct_equal(replyKey, ktest_equal_keyblock); -- p = p && scalar_equal(nonce); -- return p; --} -- - #endif /* not DISABLE_PKINIT */ - - int -diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h -index cfa82ac6e..80a0d781a 100644 ---- a/src/tests/asn.1/ktest_equal.h -+++ b/src/tests/asn.1/ktest_equal.h -@@ -139,13 +139,10 @@ int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref, - - #ifndef DISABLE_PKINIT - generic(ktest_equal_pa_pk_as_req, krb5_pa_pk_as_req); --generic(ktest_equal_pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9); - generic(ktest_equal_pa_pk_as_rep, krb5_pa_pk_as_rep); - generic(ktest_equal_auth_pack, krb5_auth_pack); --generic(ktest_equal_auth_pack_draft9, krb5_auth_pack_draft9); - generic(ktest_equal_kdc_dh_key_info, krb5_kdc_dh_key_info); - generic(ktest_equal_reply_key_pack, krb5_reply_key_pack); --generic(ktest_equal_reply_key_pack_draft9, krb5_reply_key_pack_draft9); - #endif /* not DISABLE_PKINIT */ - - int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref, -diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out -index 55a60bbef..9bd08e159 100644 ---- a/src/tests/asn.1/pkinit_encode.out -+++ b/src/tests/asn.1/pkinit_encode.out -@@ -1,13 +1,8 @@ - encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 --encode_krb5_pa_pk_as_req_draft9: 30 14 80 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 - encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 - encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 --encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61 --encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 - encode_krb5_auth_pack: 30 81 9F A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 --encode_krb5_auth_pack_draft9: 30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 - encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A - encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 --encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A - encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 - encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 -diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out -index 9557188a8..3675fba38 100644 ---- a/src/tests/asn.1/pkinit_trval.out -+++ b/src/tests/asn.1/pkinit_trval.out -@@ -15,14 +15,6 @@ encode_krb5_pa_pk_as_req: - . [2] <8> - 6b 72 62 35 64 61 74 61 krb5data - --encode_krb5_pa_pk_as_req_draft9: -- --[Sequence/Sequence Of] --. [0] <8> -- 6b 72 62 35 64 61 74 61 krb5data --. [2] <8> -- 6b 72 62 35 64 61 74 61 krb5data -- - encode_krb5_pa_pk_as_rep(dhInfo): - - [CONT 0] -@@ -36,16 +28,6 @@ encode_krb5_pa_pk_as_rep(dhInfo): - - encode_krb5_pa_pk_as_rep(encKeyPack): - --[CONT 1] <8> -- 6b 72 62 35 64 61 74 61 krb5data -- --encode_krb5_pa_pk_as_rep_draft9(dhSignedData): -- --[CONT 0] <8> -- 6b 72 62 35 64 61 74 61 krb5data -- --encode_krb5_pa_pk_as_rep_draft9(encKeyPack): -- - [CONT 1] <8> - 6b 72 62 35 64 61 74 61 krb5data - -@@ -79,27 +61,6 @@ encode_krb5_auth_pack: - . . . [0] [Object Identifier] <8> - 6b 72 62 35 64 61 74 61 krb5data - --encode_krb5_auth_pack_draft9: -- --[Sequence/Sequence Of] --. [0] [Sequence/Sequence Of] --. . [0] [Sequence/Sequence Of] --. . . [0] [Integer] 1 --. . . [1] [Sequence/Sequence Of] --. . . . [General string] "hftsai" --. . . . [General string] "extra" --. . [1] [General string] "ATHENA.MIT.EDU" --. . [2] [Integer] 123456 --. . [3] [Generalized Time] "19940610060317Z" --. . [4] [Integer] 42 --. [1] [Sequence/Sequence Of] --. . [Sequence/Sequence Of] --. . . [Object Identifier] <9> -- 2a 86 48 86 f7 12 01 02 02 *.H...... --. . . [Octet String] "params" --. . [Bit String] <9> -- 00 6b 72 62 35 64 61 74 61 .krb5data -- - encode_krb5_kdc_dh_key_info: - - [Sequence/Sequence Of] -@@ -118,14 +79,6 @@ encode_krb5_reply_key_pack: - . . [0] [Integer] 1 - . . [1] [Octet String] "1234" - --encode_krb5_reply_key_pack_draft9: -- --[Sequence/Sequence Of] --. [0] [Sequence/Sequence Of] --. . [0] [Integer] 1 --. . [1] [Octet String] "12345678" --. [1] [Integer] 42 -- - encode_krb5_sp80056a_other_info: - - [Sequence/Sequence Of] diff --git a/Remove-PKINIT-draft-9-support.patch b/Remove-PKINIT-draft-9-support.patch deleted file mode 100644 index c5b45f2..0000000 --- a/Remove-PKINIT-draft-9-support.patch +++ /dev/null @@ -1,1712 +0,0 @@ -From b13b0e48470e03203afd4133e4be9c6471e2acb4 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 18 Jun 2019 13:06:44 -0400 -Subject: [PATCH] Remove PKINIT draft 9 support - -PKINIT draft 9 support is required to interoperate with Windows 2000, -Windows XP, and Windows Server 2003, all of which are well beyond -end-of-life. Remove it. - -ticket: 8817 (new) -(cherry picked from commit bb82690be39a033669388154964486e213d84e76) ---- - src/plugins/preauth/pkinit/pkinit.h | 9 - - src/plugins/preauth/pkinit/pkinit_accessor.c | 12 - - src/plugins/preauth/pkinit/pkinit_accessor.h | 6 - - src/plugins/preauth/pkinit/pkinit_clnt.c | 231 +++----- - src/plugins/preauth/pkinit/pkinit_crypto.h | 1 - - .../preauth/pkinit/pkinit_crypto_openssl.c | 219 ++----- - src/plugins/preauth/pkinit/pkinit_lib.c | 65 --- - src/plugins/preauth/pkinit/pkinit_srv.c | 543 ++++++------------ - src/plugins/preauth/pkinit/pkinit_trace.h | 4 - - src/tests/t_pkinit.py | 6 +- - 10 files changed, 282 insertions(+), 814 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h -index fe2ec0d31..b437fd53f 100644 ---- a/src/plugins/preauth/pkinit/pkinit.h -+++ b/src/plugins/preauth/pkinit/pkinit.h -@@ -213,7 +213,6 @@ struct _pkinit_req_context { - pkinit_identity_opts *idopts; - int do_identity_matching; - krb5_preauthtype pa_type; -- int rfc4556_kdc; - int rfc6112_kdc; - int identity_initialized; - int identity_prompted; -@@ -244,7 +243,6 @@ struct _pkinit_kdc_req_context { - int magic; - pkinit_req_crypto_context cryptoctx; - krb5_auth_pack *rcv_auth_pack; -- krb5_auth_pack_draft9 *rcv_auth_pack9; - krb5_preauthtype pa_type; - }; - typedef struct _pkinit_kdc_req_context *pkinit_kdc_req_context; -@@ -329,22 +327,15 @@ void pkinit_free_deferred_ids(pkinit_deferred_id *identities); - * initialization and free functions - */ - void init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in); --void init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in); - void init_krb5_reply_key_pack(krb5_reply_key_pack **in); --void init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in); - - void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in); --void init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in); - void init_krb5_subject_pk_info(krb5_subject_pk_info **in); - - void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in); --void free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in); - void free_krb5_reply_key_pack(krb5_reply_key_pack **in); --void free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in); - void free_krb5_auth_pack(krb5_auth_pack **in); --void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in); - void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in); --void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in); - void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in); - void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in); - void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in); -diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.c b/src/plugins/preauth/pkinit/pkinit_accessor.c -index 6bae94969..0908f1b9b 100644 ---- a/src/plugins/preauth/pkinit/pkinit_accessor.c -+++ b/src/plugins/preauth/pkinit/pkinit_accessor.c -@@ -41,22 +41,15 @@ - krb5_error_code (*k5int_decode_##type)(const krb5_data *, type ***) - - DEF_FUNC_PTRS(krb5_auth_pack); --DEF_FUNC_PTRS(krb5_auth_pack_draft9); - DEF_FUNC_PTRS(krb5_kdc_dh_key_info); - DEF_FUNC_PTRS(krb5_pa_pk_as_rep); - DEF_FUNC_PTRS(krb5_pa_pk_as_req); --DEF_FUNC_PTRS(krb5_pa_pk_as_req_draft9); - DEF_FUNC_PTRS(krb5_reply_key_pack); --DEF_FUNC_PTRS(krb5_reply_key_pack_draft9); - - /* special cases... */ - krb5_error_code - (*k5int_decode_krb5_principal_name)(const krb5_data *, krb5_principal_data **); - --krb5_error_code --(*k5int_encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *, -- krb5_data **code); -- - krb5_error_code - (*k5int_encode_krb5_td_dh_parameters)(krb5_algorithm_identifier *const *, - krb5_data **code); -@@ -101,21 +94,16 @@ pkinit_accessor_init(void) - k5int_decode_##type = k5int.decode_##type; - - SET_PTRS(krb5_auth_pack); -- SET_PTRS(krb5_auth_pack_draft9); - SET_PTRS(krb5_kdc_dh_key_info); - SET_PTRS(krb5_pa_pk_as_rep); - SET_PTRS(krb5_pa_pk_as_req); -- SET_PTRS(krb5_pa_pk_as_req_draft9); - SET_PTRS(krb5_reply_key_pack); -- SET_PTRS(krb5_reply_key_pack_draft9); - SET_PTRS(krb5_td_dh_parameters); - SET_PTRS(krb5_td_trusted_certifiers); - - /* special cases... */ - k5int_decode_krb5_principal_name = k5int.decode_krb5_principal_name; - k5int_encode_krb5_kdc_req_body = k5int.encode_krb5_kdc_req_body; -- k5int_encode_krb5_pa_pk_as_rep_draft9 = \ -- k5int.encode_krb5_pa_pk_as_rep_draft9; - k5int_krb5_free_kdc_req = k5int.free_kdc_req; - k5int_set_prompt_types = k5int.set_prompt_types; - return 0; -diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.h b/src/plugins/preauth/pkinit/pkinit_accessor.h -index dcee3db53..e510ab624 100644 ---- a/src/plugins/preauth/pkinit/pkinit_accessor.h -+++ b/src/plugins/preauth/pkinit/pkinit_accessor.h -@@ -45,21 +45,15 @@ extern krb5_error_code (*k5int_encode_##type)(const type **, krb5_data **); \ - extern krb5_error_code (*k5int_decode_##type)(const krb5_data *, type ***) - - DEF_EXT_FUNC_PTRS(krb5_auth_pack); --DEF_EXT_FUNC_PTRS(krb5_auth_pack_draft9); - DEF_EXT_FUNC_PTRS(krb5_kdc_dh_key_info); - DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_rep); - DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_req); --DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_req_draft9); - DEF_EXT_FUNC_PTRS(krb5_reply_key_pack); --DEF_EXT_FUNC_PTRS(krb5_reply_key_pack_draft9); - - /* special cases... */ - extern krb5_error_code (*k5int_decode_krb5_principal_name) - (const krb5_data *, krb5_principal_data **); - --extern krb5_error_code (*k5int_encode_krb5_pa_pk_as_rep_draft9) -- (const krb5_pa_pk_as_rep_draft9 *, krb5_data **code); -- - extern krb5_error_code (*k5int_encode_krb5_td_dh_parameters) - (krb5_algorithm_identifier *const *, krb5_data **code); - extern krb5_error_code (*k5int_decode_krb5_td_dh_parameters) -diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c -index 58400d555..1a642139a 100644 ---- a/src/plugins/preauth/pkinit/pkinit_clnt.c -+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c -@@ -148,11 +148,7 @@ pa_pkinit_gen_req(krb5_context context, - goto cleanup; - } - -- /* -- * The most we'll return is two pa_data, normally just one. -- * We need to make room for the NULL terminator. -- */ -- return_pa_data = k5calloc(3, sizeof(*return_pa_data), &retval); -+ return_pa_data = k5calloc(2, sizeof(*return_pa_data), &retval); - if (return_pa_data == NULL) - goto cleanup; - -@@ -162,21 +158,11 @@ pa_pkinit_gen_req(krb5_context context, - - return_pa_data[0]->magic = KV5M_PA_DATA; - -- if (pa_type == KRB5_PADATA_PK_AS_REQ_OLD) -- return_pa_data[0]->pa_type = KRB5_PADATA_PK_AS_REP_OLD; -- else -- return_pa_data[0]->pa_type = pa_type; -+ return_pa_data[0]->pa_type = pa_type; - return_pa_data[0]->length = out_data->length; - return_pa_data[0]->contents = (krb5_octet *) out_data->data; - *out_data = empty_data(); - -- if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD) { -- return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval); -- if (return_pa_data[1] == NULL) -- goto cleanup; -- return_pa_data[1]->pa_type = KRB5_PADATA_AS_CHECKSUM; -- } -- - *out_padata = return_pa_data; - return_pa_data = NULL; - cb->disable_fallback(context, rock); -@@ -206,8 +192,6 @@ pkinit_as_req_create(krb5_context context, - krb5_data *coded_auth_pack = NULL; - krb5_auth_pack auth_pack; - krb5_pa_pk_as_req *req = NULL; -- krb5_auth_pack_draft9 auth_pack9; -- krb5_pa_pk_as_req_draft9 *req9 = NULL; - krb5_algorithm_identifier **cmstypes = NULL; - int protocol = reqctx->opts->dh_or_rsa; - unsigned char *dh_params = NULL, *dh_pubkey = NULL; -@@ -216,42 +200,25 @@ pkinit_as_req_create(krb5_context context, - pkiDebug("pkinit_as_req_create pa_type = %d\n", reqctx->pa_type); - - /* Create the authpack */ -- switch((int)reqctx->pa_type) { -- case KRB5_PADATA_PK_AS_REQ_OLD: -- protocol = RSA_PROTOCOL; -- memset(&auth_pack9, 0, sizeof(auth_pack9)); -- auth_pack9.pkAuthenticator.ctime = ctsec; -- auth_pack9.pkAuthenticator.cusec = cusec; -- auth_pack9.pkAuthenticator.nonce = nonce; -- auth_pack9.pkAuthenticator.kdcName = server; -- break; -- case KRB5_PADATA_PK_AS_REQ: -- memset(&info, 0, sizeof(info)); -- memset(&auth_pack, 0, sizeof(auth_pack)); -- auth_pack.pkAuthenticator.ctime = ctsec; -- auth_pack.pkAuthenticator.cusec = cusec; -- auth_pack.pkAuthenticator.nonce = nonce; -- auth_pack.pkAuthenticator.paChecksum = *cksum; -- if (!reqctx->opts->disable_freshness) -- auth_pack.pkAuthenticator.freshnessToken = reqctx->freshness_token; -- auth_pack.clientDHNonce.length = 0; -- auth_pack.clientPublicValue = &info; -- auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; -+ memset(&info, 0, sizeof(info)); -+ memset(&auth_pack, 0, sizeof(auth_pack)); -+ auth_pack.pkAuthenticator.ctime = ctsec; -+ auth_pack.pkAuthenticator.cusec = cusec; -+ auth_pack.pkAuthenticator.nonce = nonce; -+ auth_pack.pkAuthenticator.paChecksum = *cksum; -+ if (!reqctx->opts->disable_freshness) -+ auth_pack.pkAuthenticator.freshnessToken = reqctx->freshness_token; -+ auth_pack.clientDHNonce.length = 0; -+ auth_pack.clientPublicValue = &info; -+ auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; - -- /* add List of CMS algorithms */ -- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, -- reqctx->cryptoctx, -- reqctx->idctx, &cmstypes); -- auth_pack.supportedCMSTypes = cmstypes; -- if (retval) -- goto cleanup; -- break; -- default: -- pkiDebug("as_req: unrecognized pa_type = %d\n", -- (int)reqctx->pa_type); -- retval = -1; -+ /* add List of CMS algorithms */ -+ retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, -+ reqctx->idctx, &cmstypes); -+ auth_pack.supportedCMSTypes = cmstypes; -+ if (retval) - goto cleanup; -- } - - switch(protocol) { - case DH_PROTOCOL: -@@ -274,14 +241,7 @@ pkinit_as_req_create(krb5_context context, - case RSA_PROTOCOL: - TRACE_PKINIT_CLIENT_REQ_RSA(context); - pkiDebug("as_req: RSA key transport algorithm\n"); -- switch((int)reqctx->pa_type) { -- case KRB5_PADATA_PK_AS_REQ_OLD: -- auth_pack9.clientPublicValue = NULL; -- break; -- case KRB5_PADATA_PK_AS_REQ: -- auth_pack.clientPublicValue = NULL; -- break; -- } -+ auth_pack.clientPublicValue = NULL; - break; - default: - pkiDebug("as_req: unknown key transport protocol %d\n", -@@ -290,16 +250,7 @@ pkinit_as_req_create(krb5_context context, - goto cleanup; - } - -- /* Encode the authpack */ -- switch((int)reqctx->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- retval = k5int_encode_krb5_auth_pack(&auth_pack, &coded_auth_pack); -- break; -- case KRB5_PADATA_PK_AS_REQ_OLD: -- retval = k5int_encode_krb5_auth_pack_draft9(&auth_pack9, -- &coded_auth_pack); -- break; -- } -+ retval = k5int_encode_krb5_auth_pack(&auth_pack, &coded_auth_pack); - if (retval) { - pkiDebug("failed to encode the AuthPack %d\n", retval); - goto cleanup; -@@ -311,60 +262,39 @@ pkinit_as_req_create(krb5_context context, - #endif - - /* create PKCS7 object from authpack */ -- switch((int)reqctx->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- init_krb5_pa_pk_as_req(&req); -- if (req == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -- if (use_content_info(context, reqctx, client)) { -- retval = cms_contentinfo_create(context, plgctx->cryptoctx, -- reqctx->cryptoctx, reqctx->idctx, -- CMS_SIGN_CLIENT, -- (unsigned char *) -- coded_auth_pack->data, -- coded_auth_pack->length, -- (unsigned char **) -- &req->signedAuthPack.data, -- &req->signedAuthPack.length); -- } else { -- retval = cms_signeddata_create(context, plgctx->cryptoctx, -- reqctx->cryptoctx, reqctx->idctx, -- CMS_SIGN_CLIENT, 1, -- (unsigned char *) -- coded_auth_pack->data, -- coded_auth_pack->length, -- (unsigned char **) -- &req->signedAuthPack.data, -- &req->signedAuthPack.length); -- } --#ifdef DEBUG_ASN1 -- print_buffer_bin((unsigned char *)req->signedAuthPack.data, -- req->signedAuthPack.length, -- "/tmp/client_signed_data"); --#endif -- break; -- case KRB5_PADATA_PK_AS_REQ_OLD: -- init_krb5_pa_pk_as_req_draft9(&req9); -- if (req9 == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -+ init_krb5_pa_pk_as_req(&req); -+ if (req == NULL) { -+ retval = ENOMEM; -+ goto cleanup; -+ } -+ if (use_content_info(context, reqctx, client)) { -+ retval = cms_contentinfo_create(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, reqctx->idctx, -+ CMS_SIGN_CLIENT, -+ (unsigned char *) -+ coded_auth_pack->data, -+ coded_auth_pack->length, -+ (unsigned char **) -+ &req->signedAuthPack.data, -+ &req->signedAuthPack.length); -+ } else { - retval = cms_signeddata_create(context, plgctx->cryptoctx, -- reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_DRAFT9, 1, -- (unsigned char *)coded_auth_pack->data, -+ reqctx->cryptoctx, reqctx->idctx, -+ CMS_SIGN_CLIENT, 1, -+ (unsigned char *) -+ coded_auth_pack->data, - coded_auth_pack->length, - (unsigned char **) -- &req9->signedAuthPack.data, -- &req9->signedAuthPack.length); -- break; --#ifdef DEBUG_ASN1 -- print_buffer_bin((unsigned char *)req9->signedAuthPack.data, -- req9->signedAuthPack.length, -- "/tmp/client_signed_data_draft9"); --#endif -+ &req->signedAuthPack.data, -+ &req->signedAuthPack.length); - } -+ -+#ifdef DEBUG_ASN1 -+ print_buffer_bin((unsigned char *)req->signedAuthPack.data, -+ req->signedAuthPack.length, -+ "/tmp/client_signed_data"); -+#endif -+ - krb5_free_data(context, coded_auth_pack); - if (retval) { - pkiDebug("failed to create pkcs7 signed data\n"); -@@ -372,33 +302,21 @@ pkinit_as_req_create(krb5_context context, - } - - /* create a list of trusted CAs */ -- switch((int)reqctx->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- retval = create_krb5_trustedCertifiers(context, plgctx->cryptoctx, -- reqctx->cryptoctx, reqctx->idctx, &req->trustedCertifiers); -- if (retval) -- goto cleanup; -- retval = create_issuerAndSerial(context, plgctx->cryptoctx, -- reqctx->cryptoctx, reqctx->idctx, -- (unsigned char **)&req->kdcPkId.data, -- &req->kdcPkId.length); -- if (retval) -- goto cleanup; -+ retval = create_krb5_trustedCertifiers(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, reqctx->idctx, -+ &req->trustedCertifiers); -+ if (retval) -+ goto cleanup; -+ retval = create_issuerAndSerial(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, reqctx->idctx, -+ (unsigned char **)&req->kdcPkId.data, -+ &req->kdcPkId.length); -+ if (retval) -+ goto cleanup; -+ -+ /* Encode the as-req */ -+ retval = k5int_encode_krb5_pa_pk_as_req(req, as_req); - -- /* Encode the as-req */ -- retval = k5int_encode_krb5_pa_pk_as_req(req, as_req); -- break; -- case KRB5_PADATA_PK_AS_REQ_OLD: -- retval = create_issuerAndSerial(context, plgctx->cryptoctx, -- reqctx->cryptoctx, reqctx->idctx, -- (unsigned char **)&req9->kdcCert.data, -- &req9->kdcCert.length); -- if (retval) -- goto cleanup; -- /* Encode the as-req */ -- retval = k5int_encode_krb5_pa_pk_as_req_draft9(req9, as_req); -- break; -- } - #ifdef DEBUG_ASN1 - if (!retval) - print_buffer_bin((unsigned char *)(*as_req)->data, (*as_req)->length, -@@ -410,7 +328,6 @@ cleanup: - free(dh_params); - free(dh_pubkey); - free_krb5_pa_pk_as_req(&req); -- free_krb5_pa_pk_as_req_draft9(&req9); - - pkiDebug("pkinit_as_req_create retval=%d\n", (int) retval); - -@@ -1165,31 +1082,13 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata, - d = make_data(in_padata->contents, in_padata->length); - return krb5_copy_data(context, &d, &reqctx->freshness_token); - case KRB5_PADATA_PK_AS_REQ: -- reqctx->rfc4556_kdc = 1; - pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n"); - processing_request = 1; - break; - - case KRB5_PADATA_PK_AS_REP: -- reqctx->rfc4556_kdc = 1; - pkiDebug("processing KRB5_PADATA_PK_AS_REP\n"); - break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- /* Don't fall back to draft9 code if the KDC supports RFC 4556. */ -- if (reqctx->rfc4556_kdc) { -- TRACE_PKINIT_CLIENT_NO_DRAFT9(context); -- return KRB5KDC_ERR_PREAUTH_FAILED; -- } -- if (in_padata->length == 0) { -- pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n"); -- in_padata->pa_type = KRB5_PADATA_PK_AS_REQ_OLD; -- processing_request = 1; -- } else { -- pkiDebug("processing KRB5_PADATA_PK_AS_REP_OLD\n"); -- in_padata->pa_type = KRB5_PADATA_PK_AS_REP_OLD; -- } -- break; - default: - pkiDebug("unrecognized patype = %d for PKINIT\n", - in_padata->pa_type); -@@ -1363,8 +1262,6 @@ pkinit_client_get_flags(krb5_context kcontext, krb5_preauthtype patype) - static krb5_preauthtype supported_client_pa_types[] = { - KRB5_PADATA_PK_AS_REP, - KRB5_PADATA_PK_AS_REQ, -- KRB5_PADATA_PK_AS_REP_OLD, -- KRB5_PADATA_PK_AS_REQ_OLD, - KRB5_PADATA_PKINIT_KX, - KRB5_PADATA_AS_FRESHNESS, - 0 -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 0acb731cd..8064a07d0 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto.h -+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -46,7 +46,6 @@ - */ - enum cms_msg_types { - CMS_SIGN_CLIENT, -- CMS_SIGN_DRAFT9, - CMS_SIGN_SERVER, - CMS_ENVEL_SERVER - }; -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 8aa2c5257..8c7fd0cca 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -1050,17 +1050,11 @@ create_contentinfo(krb5_context context, ASN1_OBJECT *oid, - if (p7->type == NULL) - goto oom; - -- if (OBJ_obj2nid(oid) == NID_pkcs7_data) { -- /* Draft 9 uses id-pkcs7-data for signed data. For this type OpenSSL -- * expects an octet string in d.data. */ -- p7->d.data = ostr; -- } else { -- p7->d.other = ASN1_TYPE_new(); -- if (p7->d.other == NULL) -- goto oom; -- p7->d.other->type = V_ASN1_OCTET_STRING; -- p7->d.other->value.octet_string = ostr; -- } -+ p7->d.other = ASN1_TYPE_new(); -+ if (p7->d.other == NULL) -+ goto oom; -+ p7->d.other->type = V_ASN1_OCTET_STRING; -+ p7->d.other->value.octet_string = ostr; - - *p7_out = p7; - return 0; -@@ -1249,43 +1243,37 @@ cms_signeddata_create(krb5_context context, - goto cleanup; - p7si->digest_enc_alg->parameter->type = V_ASN1_NULL; - -- if (cms_msg_type == CMS_SIGN_DRAFT9){ -- /* don't include signed attributes for pa-type 15 request */ -- abuf = data; -- alen = data_len; -- } else { -- /* add signed attributes */ -- /* compute sha1 digest over the EncapsulatedContentInfo */ -- ctx = EVP_MD_CTX_new(); -- if (ctx == NULL) -- goto cleanup; -- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); -- EVP_DigestUpdate(ctx, data, data_len); -- md_tmp = EVP_MD_CTX_md(ctx); -- EVP_DigestFinal_ex(ctx, md_data, &md_len); -- EVP_MD_CTX_free(ctx); -+ /* add signed attributes */ -+ /* compute sha1 digest over the EncapsulatedContentInfo */ -+ ctx = EVP_MD_CTX_new(); -+ if (ctx == NULL) -+ goto cleanup; -+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); -+ EVP_DigestUpdate(ctx, data, data_len); -+ md_tmp = EVP_MD_CTX_md(ctx); -+ EVP_DigestFinal_ex(ctx, md_data, &md_len); -+ EVP_MD_CTX_free(ctx); - -- /* create a message digest attr */ -- digest_attr = ASN1_OCTET_STRING_new(); -- ASN1_OCTET_STRING_set(digest_attr, md_data, (int)md_len); -- PKCS7_add_signed_attribute(p7si, NID_pkcs9_messageDigest, -- V_ASN1_OCTET_STRING, (char *) digest_attr); -+ /* create a message digest attr */ -+ digest_attr = ASN1_OCTET_STRING_new(); -+ ASN1_OCTET_STRING_set(digest_attr, md_data, (int)md_len); -+ PKCS7_add_signed_attribute(p7si, NID_pkcs9_messageDigest, -+ V_ASN1_OCTET_STRING, (char *)digest_attr); - -- /* create a content-type attr */ -- oid_copy = OBJ_dup(oid); -- if (oid_copy == NULL) -- goto cleanup2; -- PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType, -- V_ASN1_OBJECT, oid_copy); -+ /* create a content-type attr */ -+ oid_copy = OBJ_dup(oid); -+ if (oid_copy == NULL) -+ goto cleanup2; -+ PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType, -+ V_ASN1_OBJECT, oid_copy); - -- /* create the signature over signed attributes. get DER encoded value */ -- /* This is the place where smartcard signature needs to be calculated */ -- sk = p7si->auth_attr; -- alen = ASN1_item_i2d((ASN1_VALUE *) sk, &abuf, -- ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); -- if (abuf == NULL) -- goto cleanup2; -- } /* signed attributes */ -+ /* create the signature over signed attributes. get DER encoded value */ -+ /* This is the place where smartcard signature needs to be calculated */ -+ sk = p7si->auth_attr; -+ alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, -+ ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); -+ if (abuf == NULL) -+ goto cleanup2; - - #ifndef WITHOUT_PKCS11 - /* Some tokens can only do RSAEncryption without sha1 hash */ -@@ -1301,11 +1289,7 @@ cms_signeddata_create(krb5_context context, - ctx = EVP_MD_CTX_new(); - if (ctx == NULL) - goto cleanup; -- /* if this is not draft9 request, include digest signed attribute */ -- if (cms_msg_type != CMS_SIGN_DRAFT9) -- EVP_DigestInit_ex(ctx, md_tmp, NULL); -- else -- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); -+ EVP_DigestInit_ex(ctx, md_tmp, NULL); - EVP_DigestUpdate(ctx, abuf, alen); - EVP_DigestFinal_ex(ctx, md_data2, &md_len2); - EVP_MD_CTX_free(ctx); -@@ -1349,8 +1333,7 @@ cms_signeddata_create(krb5_context context, - #ifdef DEBUG_SIG - print_buffer(sig, sig_len); - #endif -- if (cms_msg_type != CMS_SIGN_DRAFT9 ) -- free(abuf); -+ free(abuf); - if (retval) - goto cleanup2; - -@@ -1393,19 +1376,13 @@ cms_signeddata_create(krb5_context context, - print_buffer_bin(*signed_data, *signed_data_len, - "/tmp/client_pkcs7_signeddata"); - } else { -- if (cms_msg_type == CMS_SIGN_SERVER) { -- print_buffer_bin(*signed_data, *signed_data_len, -- "/tmp/kdc_pkcs7_signeddata"); -- } else { -- print_buffer_bin(*signed_data, *signed_data_len, -- "/tmp/draft9_pkcs7_signeddata"); -- } -+ print_buffer_bin(*signed_data, *signed_data_len, -+ "/tmp/kdc_pkcs7_signeddata"); - } - #endif - - cleanup2: - if (p7si) { -- if (cms_msg_type != CMS_SIGN_DRAFT9) - #ifndef WITHOUT_PKCS11 - if (id_cryptoctx->pkcs11_method == 1 && - id_cryptoctx->mech == CKM_RSA_PKCS) { -@@ -1692,15 +1669,13 @@ cms_signeddata_verify(krb5_context context, - #endif - } else { - /* retrieve verified certificate chain */ -- if (cms_msg_type == CMS_SIGN_CLIENT || cms_msg_type == CMS_SIGN_DRAFT9) -+ if (cms_msg_type == CMS_SIGN_CLIENT) - verified_chain = X509_STORE_CTX_get1_chain(cert_ctx); - } - X509_STORE_CTX_free(cert_ctx); - if (i <= 0) - goto cleanup; - out = BIO_new(BIO_s_mem()); -- if (cms_msg_type == CMS_SIGN_DRAFT9) -- flags |= CMS_NOATTR; - if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) { - unsigned long err = ERR_peek_error(); - switch(ERR_GET_REASON(err)) { -@@ -1717,21 +1692,6 @@ cms_signeddata_verify(krb5_context context, - } /* message was signed */ - if (!OBJ_cmp(etype, oid)) - valid_oid = 1; -- else if (cms_msg_type == CMS_SIGN_DRAFT9) { -- /* -- * Various implementations of the pa-type 15 request use -- * different OIDS. We check that the returned object -- * has any of the acceptable OIDs -- */ -- ASN1_OBJECT *client_oid = NULL, *server_oid = NULL, *rsa_oid = NULL; -- client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT); -- server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER); -- rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER); -- if (!OBJ_cmp(etype, client_oid) || -- !OBJ_cmp(etype, server_oid) || -- !OBJ_cmp(etype, rsa_oid)) -- valid_oid = 1; -- } - - if (valid_oid) - pkiDebug("CMS Verification successful\n"); -@@ -1761,7 +1721,7 @@ cms_signeddata_verify(krb5_context context, - reqctx->received_cert = X509_dup(x); - - /* generate authorization data */ -- if (cms_msg_type == CMS_SIGN_CLIENT || cms_msg_type == CMS_SIGN_DRAFT9) { -+ if (cms_msg_type == CMS_SIGN_CLIENT) { - - if (authz_data == NULL || authz_data_len == NULL) - goto out; -@@ -1841,24 +1801,11 @@ cms_envelopeddata_create(krb5_context context, - int signed_data_len = 0, enc_data_len = 0, flags = PKCS7_BINARY; - STACK_OF(X509) *encerts = NULL; - const EVP_CIPHER *cipher = NULL; -- int cms_msg_type; -- -- /* create the PKCS7 SignedData portion of the PKCS7 EnvelopedData */ -- switch ((int)pa_type) { -- case KRB5_PADATA_PK_AS_REQ_OLD: -- case KRB5_PADATA_PK_AS_REP_OLD: -- cms_msg_type = CMS_SIGN_DRAFT9; -- break; -- case KRB5_PADATA_PK_AS_REQ: -- cms_msg_type = CMS_ENVEL_SERVER; -- break; -- default: -- goto cleanup; -- } - - retval = cms_signeddata_create(context, plgctx, reqctx, idctx, -- cms_msg_type, include_certchain, key_pack, key_pack_len, -- &signed_data, (unsigned int *)&signed_data_len); -+ CMS_ENVEL_SERVER, include_certchain, -+ key_pack, key_pack_len, &signed_data, -+ (unsigned int *)&signed_data_len); - if (retval) { - pkiDebug("failed to create pkcs7 signed data\n"); - goto cleanup; -@@ -1874,26 +1821,11 @@ cms_envelopeddata_create(krb5_context context, - - cipher = EVP_des_ede3_cbc(); - in = BIO_new(BIO_s_mem()); -- switch (pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- prepare_enc_data(signed_data, signed_data_len, &enc_data, -- &enc_data_len); -- retval = BIO_write(in, enc_data, enc_data_len); -- if (retval != enc_data_len) { -- pkiDebug("BIO_write only wrote %d\n", retval); -- goto cleanup; -- } -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- retval = BIO_write(in, signed_data, signed_data_len); -- if (retval != signed_data_len) { -- pkiDebug("BIO_write only wrote %d\n", retval); -- goto cleanup; -- } -- break; -- default: -- retval = -1; -+ prepare_enc_data(signed_data, signed_data_len, &enc_data, -+ &enc_data_len); -+ retval = BIO_write(in, enc_data, enc_data_len); -+ if (retval != enc_data_len) { -+ pkiDebug("BIO_write only wrote %d\n", retval); - goto cleanup; - } - -@@ -1902,20 +1834,7 @@ cms_envelopeddata_create(krb5_context context, - retval = oerr(context, 0, _("Failed to encrypt PKCS7 object")); - goto cleanup; - } -- switch (pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- p7->d.enveloped->enc_data->content_type = -- OBJ_nid2obj(NID_pkcs7_signed); -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- p7->d.enveloped->enc_data->content_type = -- OBJ_nid2obj(NID_pkcs7_data); -- break; -- break; -- break; -- break; -- } -+ p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_signed); - - *out_len = i2d_PKCS7(p7, NULL); - if (!*out_len || (p = *out = malloc(*out_len)) == NULL) { -@@ -1963,7 +1882,6 @@ cms_envelopeddata_verify(krb5_context context, - const unsigned char *p = enveloped_data; - unsigned int tmp_buf_len = 0, tmp_buf2_len = 0, vfy_buf_len = 0; - unsigned char *tmp_buf = NULL, *tmp_buf2 = NULL, *vfy_buf = NULL; -- int msg_type = 0; - - #ifdef DEBUG_ASN1 - print_buffer_bin(enveloped_data, enveloped_data_len, -@@ -1995,46 +1913,21 @@ cms_envelopeddata_verify(krb5_context context, - print_buffer_bin(tmp_buf, tmp_buf_len, "/tmp/client_enc_keypack"); - #endif - /* verify PKCS7 SignedData message */ -- switch (pa_type) { -- case KRB5_PADATA_PK_AS_REP: -- msg_type = CMS_ENVEL_SERVER; -- -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- msg_type = CMS_SIGN_DRAFT9; -- break; -- default: -- pkiDebug("%s: unrecognized pa_type = %d\n", __FUNCTION__, pa_type); -- retval = KRB5KDC_ERR_PREAUTH_FAILED; -+ /* Wrap the signed data to make decoding easier in the verify routine. */ -+ retval = wrap_signeddata(tmp_buf, tmp_buf_len, &tmp_buf2, &tmp_buf2_len); -+ if (retval) { -+ pkiDebug("failed to encode signeddata\n"); - goto cleanup; - } -- /* -- * If this is the RFC style, wrap the signed data to make -- * decoding easier in the verify routine. -- * For draft9-compatible, we don't do anything because it -- * is already wrapped. -- */ -- if (msg_type == CMS_ENVEL_SERVER) { -- retval = wrap_signeddata(tmp_buf, tmp_buf_len, -- &tmp_buf2, &tmp_buf2_len); -- if (retval) { -- pkiDebug("failed to encode signeddata\n"); -- goto cleanup; -- } -- vfy_buf = tmp_buf2; -- vfy_buf_len = tmp_buf2_len; -- -- } else { -- vfy_buf = tmp_buf; -- vfy_buf_len = tmp_buf_len; -- } -+ vfy_buf = tmp_buf2; -+ vfy_buf_len = tmp_buf2_len; - - #ifdef DEBUG_ASN1 - print_buffer_bin(vfy_buf, vfy_buf_len, "/tmp/client_enc_keypack2"); - #endif - - retval = cms_signeddata_verify(context, plg_cryptoctx, req_cryptoctx, -- id_cryptoctx, msg_type, -+ id_cryptoctx, CMS_ENVEL_SERVER, - require_crl_checking, - vfy_buf, vfy_buf_len, - data, data_len, NULL, NULL, NULL); -@@ -3580,8 +3473,6 @@ pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type) - switch (pkcs7_type) { - case CMS_SIGN_CLIENT: - return cryptoctx->id_pkinit_authData; -- case CMS_SIGN_DRAFT9: -- return OBJ_nid2obj(NID_pkcs7_data); - case CMS_SIGN_SERVER: - return cryptoctx->id_pkinit_DHKeyData; - case CMS_ENVEL_SERVER: -diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c -index d5858c424..bb2916bd5 100644 ---- a/src/plugins/preauth/pkinit/pkinit_lib.c -+++ b/src/plugins/preauth/pkinit/pkinit_lib.c -@@ -110,15 +110,6 @@ free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in) - free(*in); - } - --void --free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in) --{ -- if (*in == NULL) return; -- free((*in)->signedAuthPack.data); -- free((*in)->kdcCert.data); -- free(*in); --} -- - void - free_krb5_reply_key_pack(krb5_reply_key_pack **in) - { -@@ -128,14 +119,6 @@ free_krb5_reply_key_pack(krb5_reply_key_pack **in) - free(*in); - } - --void --free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in) --{ -- if (*in == NULL) return; -- free((*in)->replyKey.contents); -- free(*in); --} -- - void - free_krb5_auth_pack(krb5_auth_pack **in) - { -@@ -160,15 +143,6 @@ free_krb5_auth_pack(krb5_auth_pack **in) - free(*in); - } - --void --free_krb5_auth_pack_draft9(krb5_context context, -- krb5_auth_pack_draft9 **in) --{ -- if ((*in) == NULL) return; -- krb5_free_principal(context, (*in)->pkAuthenticator.kdcName); -- free(*in); --} -- - void - free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) - { -@@ -187,14 +161,6 @@ free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) - free(*in); - } - --void --free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in) --{ -- if (*in == NULL) return; -- free((*in)->u.encKeyPack.data); -- free(*in); --} -- - void - free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in) - { -@@ -261,17 +227,6 @@ init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in) - (*in)->kdcPkId.length = 0; - } - --void --init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in) --{ -- (*in) = malloc(sizeof(krb5_pa_pk_as_req_draft9)); -- if ((*in) == NULL) return; -- (*in)->signedAuthPack.data = NULL; -- (*in)->signedAuthPack.length = 0; -- (*in)->kdcCert.data = NULL; -- (*in)->kdcCert.length = 0; --} -- - void - init_krb5_reply_key_pack(krb5_reply_key_pack **in) - { -@@ -283,15 +238,6 @@ init_krb5_reply_key_pack(krb5_reply_key_pack **in) - (*in)->asChecksum.length = 0; - } - --void --init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in) --{ -- (*in) = malloc(sizeof(krb5_reply_key_pack_draft9)); -- if ((*in) == NULL) return; -- (*in)->replyKey.contents = NULL; -- (*in)->replyKey.length = 0; --} -- - void - init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) - { -@@ -306,17 +252,6 @@ init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) - (*in)->u.dh_Info.kdfID = NULL; - } - --void --init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in) --{ -- (*in) = malloc(sizeof(krb5_pa_pk_as_rep_draft9)); -- if ((*in) == NULL) return; -- (*in)->u.dhSignedData.length = 0; -- (*in)->u.dhSignedData.data = NULL; -- (*in)->u.encKeyPack.length = 0; -- (*in)->u.encKeyPack.data = NULL; --} -- - void - init_krb5_subject_pk_info(krb5_subject_pk_info **in) - { -diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index 6aa646cc6..c44be9c74 100644 ---- a/src/plugins/preauth/pkinit/pkinit_srv.c -+++ b/src/plugins/preauth/pkinit/pkinit_srv.c -@@ -421,9 +421,7 @@ pkinit_server_verify_padata(krb5_context context, - krb5_error_code retval = 0; - krb5_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL}; - krb5_pa_pk_as_req *reqp = NULL; -- krb5_pa_pk_as_req_draft9 *reqp9 = NULL; - krb5_auth_pack *auth_pack = NULL; -- krb5_auth_pack_draft9 *auth_pack9 = NULL; - pkinit_kdc_context plgctx = NULL; - pkinit_kdc_req_context reqctx = NULL; - krb5_checksum cksum = {0, 0, 0, NULL}; -@@ -464,58 +462,32 @@ pkinit_server_verify_padata(krb5_context context, - - PADATA_TO_KRB5DATA(data, &k5data); - -- switch ((int)data->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- TRACE_PKINIT_SERVER_PADATA_VERIFY(context); -- retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp); -- if (retval) { -- pkiDebug("decode_krb5_pa_pk_as_req failed\n"); -- goto cleanup; -- } --#ifdef DEBUG_ASN1 -- print_buffer_bin(reqp->signedAuthPack.data, -- reqp->signedAuthPack.length, -- "/tmp/kdc_signed_data"); --#endif -- retval = cms_signeddata_verify(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT, -- plgctx->opts->require_crl_checking, -- (unsigned char *) -- reqp->signedAuthPack.data, reqp->signedAuthPack.length, -- (unsigned char **)&authp_data.data, -- &authp_data.length, -- (unsigned char **)&krb5_authz.data, -- &krb5_authz.length, &is_signed); -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context); -- retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9); -- if (retval) { -- pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n"); -- goto cleanup; -- } --#ifdef DEBUG_ASN1 -- print_buffer_bin(reqp9->signedAuthPack.data, -- reqp9->signedAuthPack.length, -- "/tmp/kdc_signed_data_draft9"); --#endif -- -- retval = cms_signeddata_verify(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, -- plgctx->opts->require_crl_checking, -- (unsigned char *) -- reqp9->signedAuthPack.data, reqp9->signedAuthPack.length, -- (unsigned char **)&authp_data.data, -- &authp_data.length, -- (unsigned char **)&krb5_authz.data, -- &krb5_authz.length, NULL); -- break; -- default: -+ if (data->pa_type != KRB5_PADATA_PK_AS_REQ) { - pkiDebug("unrecognized pa_type = %d\n", data->pa_type); - retval = EINVAL; - goto cleanup; - } -+ -+ TRACE_PKINIT_SERVER_PADATA_VERIFY(context); -+ retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp); -+ if (retval) { -+ pkiDebug("decode_krb5_pa_pk_as_req failed\n"); -+ goto cleanup; -+ } -+#ifdef DEBUG_ASN1 -+ print_buffer_bin(reqp->signedAuthPack.data, reqp->signedAuthPack.length, -+ "/tmp/kdc_signed_data"); -+#endif -+ retval = cms_signeddata_verify(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, plgctx->idctx, -+ CMS_SIGN_CLIENT, -+ plgctx->opts->require_crl_checking, -+ (unsigned char *)reqp->signedAuthPack.data, -+ reqp->signedAuthPack.length, -+ (unsigned char **)&authp_data.data, -+ &authp_data.length, -+ (unsigned char **)&krb5_authz.data, -+ &krb5_authz.length, &is_signed); - if (retval) { - TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context); - goto cleanup; -@@ -541,118 +513,88 @@ pkinit_server_verify_padata(krb5_context context, - #endif - - OCTETDATA_TO_KRB5DATA(&authp_data, &k5data); -- switch ((int)data->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- retval = k5int_decode_krb5_auth_pack(&k5data, &auth_pack); -+ retval = k5int_decode_krb5_auth_pack(&k5data, &auth_pack); -+ if (retval) { -+ pkiDebug("failed to decode krb5_auth_pack\n"); -+ goto cleanup; -+ } -+ -+ retval = krb5_check_clockskew(context, auth_pack->pkAuthenticator.ctime); -+ if (retval) -+ goto cleanup; -+ -+ /* check dh parameters */ -+ if (auth_pack->clientPublicValue != NULL) { -+ retval = server_check_dh(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, plgctx->idctx, -+ &auth_pack->clientPublicValue->algorithm.parameters, -+ plgctx->opts->dh_min_bits); - if (retval) { -- pkiDebug("failed to decode krb5_auth_pack\n"); -+ pkiDebug("bad dh parameters\n"); - goto cleanup; - } -- -- retval = krb5_check_clockskew(context, -- auth_pack->pkAuthenticator.ctime); -- if (retval) -- goto cleanup; -- -- /* check dh parameters */ -- if (auth_pack->clientPublicValue != NULL) { -- retval = server_check_dh(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, -- &auth_pack->clientPublicValue->algorithm.parameters, -- plgctx->opts->dh_min_bits); -- -- if (retval) { -- pkiDebug("bad dh parameters\n"); -- goto cleanup; -- } -- } else if (!is_signed) { -- /*Anonymous pkinit requires DH*/ -- retval = KRB5KDC_ERR_PREAUTH_FAILED; -- krb5_set_error_message(context, retval, -- _("Anonymous pkinit without DH public " -- "value not supported.")); -- goto cleanup; -- } -- der_req = cb->request_body(context, rock); -- retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, -- 0, der_req, &cksum); -- if (retval) { -- pkiDebug("unable to calculate AS REQ checksum\n"); -- goto cleanup; -- } -- if (cksum.length != auth_pack->pkAuthenticator.paChecksum.length || -- k5_bcmp(cksum.contents, -- auth_pack->pkAuthenticator.paChecksum.contents, -- cksum.length) != 0) { -- pkiDebug("failed to match the checksum\n"); -+ } else if (!is_signed) { -+ /*Anonymous pkinit requires DH*/ -+ retval = KRB5KDC_ERR_PREAUTH_FAILED; -+ krb5_set_error_message(context, retval, -+ _("Anonymous pkinit without DH public " -+ "value not supported.")); -+ goto cleanup; -+ } -+ der_req = cb->request_body(context, rock); -+ retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, -+ der_req, &cksum); -+ if (retval) { -+ pkiDebug("unable to calculate AS REQ checksum\n"); -+ goto cleanup; -+ } -+ if (cksum.length != auth_pack->pkAuthenticator.paChecksum.length || -+ k5_bcmp(cksum.contents, auth_pack->pkAuthenticator.paChecksum.contents, -+ cksum.length) != 0) { -+ pkiDebug("failed to match the checksum\n"); - #ifdef DEBUG_CKSUM -- pkiDebug("calculating checksum on buf size (%d)\n", -- req_pkt->length); -- print_buffer(req_pkt->data, req_pkt->length); -- pkiDebug("received checksum type=%d size=%d ", -- auth_pack->pkAuthenticator.paChecksum.checksum_type, -+ pkiDebug("calculating checksum on buf size (%d)\n", req_pkt->length); -+ print_buffer(req_pkt->data, req_pkt->length); -+ pkiDebug("received checksum type=%d size=%d ", -+ auth_pack->pkAuthenticator.paChecksum.checksum_type, -+ auth_pack->pkAuthenticator.paChecksum.length); -+ print_buffer(auth_pack->pkAuthenticator.paChecksum.contents, - auth_pack->pkAuthenticator.paChecksum.length); -- print_buffer(auth_pack->pkAuthenticator.paChecksum.contents, -- auth_pack->pkAuthenticator.paChecksum.length); -- pkiDebug("expected checksum type=%d size=%d ", -- cksum.checksum_type, cksum.length); -- print_buffer(cksum.contents, cksum.length); -+ pkiDebug("expected checksum type=%d size=%d ", -+ cksum.checksum_type, cksum.length); -+ print_buffer(cksum.contents, cksum.length); - #endif - -- retval = KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; -- goto cleanup; -- } -- -- ftoken = auth_pack->pkAuthenticator.freshnessToken; -- if (ftoken != NULL) { -- retval = cb->check_freshness_token(context, rock, ftoken); -- if (retval) -- goto cleanup; -- valid_freshness_token = TRUE; -- } -- -- /* check if kdcPkId present and match KDC's subjectIdentifier */ -- if (reqp->kdcPkId.data != NULL) { -- int valid_kdcPkId = 0; -- retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, -- (unsigned char *)reqp->kdcPkId.data, -- reqp->kdcPkId.length, &valid_kdcPkId); -- if (retval) -- goto cleanup; -- if (!valid_kdcPkId) -- pkiDebug("kdcPkId in AS_REQ does not match KDC's cert" -- "RFC says to ignore and proceed\n"); -- -- } -- /* remember the decoded auth_pack for verify_padata routine */ -- reqctx->rcv_auth_pack = auth_pack; -- auth_pack = NULL; -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- retval = k5int_decode_krb5_auth_pack_draft9(&k5data, &auth_pack9); -- if (retval) { -- pkiDebug("failed to decode krb5_auth_pack_draft9\n"); -- goto cleanup; -- } -- if (auth_pack9->clientPublicValue != NULL) { -- retval = server_check_dh(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, -- &auth_pack9->clientPublicValue->algorithm.parameters, -- plgctx->opts->dh_min_bits); -- -- if (retval) { -- pkiDebug("bad dh parameters\n"); -- goto cleanup; -- } -- } -- /* remember the decoded auth_pack for verify_padata routine */ -- reqctx->rcv_auth_pack9 = auth_pack9; -- auth_pack9 = NULL; -- break; -+ retval = KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; -+ goto cleanup; - } - -+ ftoken = auth_pack->pkAuthenticator.freshnessToken; -+ if (ftoken != NULL) { -+ retval = cb->check_freshness_token(context, rock, ftoken); -+ if (retval) -+ goto cleanup; -+ valid_freshness_token = TRUE; -+ } -+ -+ /* check if kdcPkId present and match KDC's subjectIdentifier */ -+ if (reqp->kdcPkId.data != NULL) { -+ int valid_kdcPkId = 0; -+ retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, plgctx->idctx, -+ (unsigned char *)reqp->kdcPkId.data, -+ reqp->kdcPkId.length, &valid_kdcPkId); -+ if (retval) -+ goto cleanup; -+ if (!valid_kdcPkId) { -+ pkiDebug("kdcPkId in AS_REQ does not match KDC's cert; " -+ "RFC says to ignore and proceed\n"); -+ } -+ } -+ /* remember the decoded auth_pack for verify_padata routine */ -+ reqctx->rcv_auth_pack = auth_pack; -+ auth_pack = NULL; -+ - if (is_signed) { - retval = check_log_freshness(context, plgctx, request, - valid_freshness_token); -@@ -682,21 +624,13 @@ cleanup: - pkiDebug("pkinit_create_edata failed\n"); - } - -- switch ((int)data->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- free_krb5_pa_pk_as_req(&reqp); -- free(cksum.contents); -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- free_krb5_pa_pk_as_req_draft9(&reqp9); -- } -+ free_krb5_pa_pk_as_req(&reqp); -+ free(cksum.contents); - free(authp_data.data); - free(krb5_authz.data); - if (reqctx != NULL) - pkinit_fini_kdc_req_context(context, reqctx); - free_krb5_auth_pack(&auth_pack); -- free_krb5_auth_pack_draft9(context, &auth_pack9); - - (*respond)(arg, retval, modreq, e_data, NULL); - } -@@ -817,7 +751,6 @@ pkinit_server_return_padata(krb5_context context, - krb5_error_code retval = 0; - krb5_data scratch = {0, 0, NULL}; - krb5_pa_pk_as_req *reqp = NULL; -- krb5_pa_pk_as_req_draft9 *reqp9 = NULL; - int i = 0; - - unsigned char *subjectPublicKey = NULL; -@@ -828,21 +761,17 @@ pkinit_server_return_padata(krb5_context context, - krb5_kdc_dh_key_info dhkey_info; - krb5_data *encoded_dhkey_info = NULL; - krb5_pa_pk_as_rep *rep = NULL; -- krb5_pa_pk_as_rep_draft9 *rep9 = NULL; - krb5_data *out_data = NULL; - krb5_data secret; - - krb5_enctype enctype = -1; - - krb5_reply_key_pack *key_pack = NULL; -- krb5_reply_key_pack_draft9 *key_pack9 = NULL; - krb5_data *encoded_key_pack = NULL; - - pkinit_kdc_context plgctx; - pkinit_kdc_req_context reqctx; - -- int fixed_keypack = 0; -- - *send_pa = NULL; - if (padata->pa_type == KRB5_PADATA_PKINIT_KX) { - return return_pkinit_kx(context, request, reply, -@@ -886,29 +815,13 @@ pkinit_server_return_padata(krb5_context context, - goto cleanup; - } - -- switch((int)reqctx->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- init_krb5_pa_pk_as_rep(&rep); -- if (rep == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -- /* let's assume it's RSA. we'll reset it to DH if needed */ -- rep->choice = choice_pa_pk_as_rep_encKeyPack; -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- init_krb5_pa_pk_as_rep_draft9(&rep9); -- if (rep9 == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -- rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack; -- break; -- default: -- retval = KRB5KDC_ERR_PREAUTH_FAILED; -+ init_krb5_pa_pk_as_rep(&rep); -+ if (rep == NULL) { -+ retval = ENOMEM; - goto cleanup; - } -+ /* let's assume it's RSA. we'll reset it to DH if needed */ -+ rep->choice = choice_pa_pk_as_rep_encKeyPack; - - if (reqctx->rcv_auth_pack != NULL && - reqctx->rcv_auth_pack->clientPublicValue != NULL) { -@@ -917,18 +830,7 @@ pkinit_server_return_padata(krb5_context context, - subjectPublicKey_len = - reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length; - rep->choice = choice_pa_pk_as_rep_dhInfo; -- } else if (reqctx->rcv_auth_pack9 != NULL && -- reqctx->rcv_auth_pack9->clientPublicValue != NULL) { -- subjectPublicKey = (unsigned char *) -- reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.data; -- subjectPublicKey_len = -- reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.length; -- rep9->choice = choice_pa_pk_as_rep_draft9_dhSignedData; -- } - -- /* if this DH, then process finish computing DH key */ -- if (rep != NULL && (rep->choice == choice_pa_pk_as_rep_dhInfo || -- rep->choice == choice_pa_pk_as_rep_draft9_dhSignedData)) { - pkiDebug("received DH key delivery AS REQ\n"); - retval = server_process_dh(context, plgctx->cryptoctx, - reqctx->cryptoctx, plgctx->idctx, subjectPublicKey, -@@ -938,10 +840,6 @@ pkinit_server_return_padata(krb5_context context, - pkiDebug("failed to process/create dh paramters\n"); - goto cleanup; - } -- } -- if ((rep9 != NULL && -- rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || -- (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { - - /* - * This is DH, so don't generate the key until after we -@@ -966,36 +864,18 @@ pkinit_server_return_padata(krb5_context context, - "/tmp/kdc_dh_key_info"); - #endif - -- switch ((int)padata->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- retval = cms_signeddata_create(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_SERVER, 1, -- (unsigned char *) -- encoded_dhkey_info->data, -- encoded_dhkey_info->length, -- (unsigned char **) -- &rep->u.dh_Info.dhSignedData.data, -- &rep->u.dh_Info.dhSignedData.length); -- if (retval) { -- pkiDebug("failed to create pkcs7 signed data\n"); -- goto cleanup; -- } -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- retval = cms_signeddata_create(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, 1, -- (unsigned char *) -- encoded_dhkey_info->data, -- encoded_dhkey_info->length, -- (unsigned char **) -- &rep9->u.dhSignedData.data, -- &rep9->u.dhSignedData.length); -- if (retval) { -- pkiDebug("failed to create pkcs7 signed data\n"); -- goto cleanup; -- } -- break; -+ retval = cms_signeddata_create(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, plgctx->idctx, -+ CMS_SIGN_SERVER, 1, -+ (unsigned char *) -+ encoded_dhkey_info->data, -+ encoded_dhkey_info->length, -+ (unsigned char **) -+ &rep->u.dh_Info.dhSignedData.data, -+ &rep->u.dh_Info.dhSignedData.length); -+ if (retval) { -+ pkiDebug("failed to create pkcs7 signed data\n"); -+ goto cleanup; - } - - } else { -@@ -1007,102 +887,49 @@ pkinit_server_return_padata(krb5_context context, - goto cleanup; - } - -- /* check if PA_TYPE of KRB5_PADATA_AS_CHECKSUM (132) is present which -- * means the client is requesting that a checksum is send back instead -- * of the nonce. -- */ -- for (i = 0; request->padata[i] != NULL; i++) { -- pkiDebug("%s: Checking pa_type 0x%08x\n", -- __FUNCTION__, request->padata[i]->pa_type); -- if (request->padata[i]->pa_type == KRB5_PADATA_AS_CHECKSUM) -- fixed_keypack = 1; -+ init_krb5_reply_key_pack(&key_pack); -+ if (key_pack == NULL) { -+ retval = ENOMEM; -+ goto cleanup; - } -- pkiDebug("%s: return checksum instead of nonce = %d\n", -- __FUNCTION__, fixed_keypack); - -- /* if this is an RFC reply or draft9 client requested a checksum -- * in the reply instead of the nonce, create an RFC-style keypack -- */ -- if ((int)padata->pa_type == KRB5_PADATA_PK_AS_REQ || fixed_keypack) { -- init_krb5_reply_key_pack(&key_pack); -- if (key_pack == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -- -- retval = krb5_c_make_checksum(context, 0, -- encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, -- req_pkt, &key_pack->asChecksum); -- if (retval) { -- pkiDebug("unable to calculate AS REQ checksum\n"); -- goto cleanup; -- } -+ retval = krb5_c_make_checksum(context, 0, encrypting_key, -+ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, -+ req_pkt, &key_pack->asChecksum); -+ if (retval) { -+ pkiDebug("unable to calculate AS REQ checksum\n"); -+ goto cleanup; -+ } - #ifdef DEBUG_CKSUM -- pkiDebug("calculating checksum on buf size = %d\n", req_pkt->length); -- print_buffer(req_pkt->data, req_pkt->length); -- pkiDebug("checksum size = %d\n", key_pack->asChecksum.length); -- print_buffer(key_pack->asChecksum.contents, -- key_pack->asChecksum.length); -- pkiDebug("encrypting key (%d)\n", encrypting_key->length); -- print_buffer(encrypting_key->contents, encrypting_key->length); -+ pkiDebug("calculating checksum on buf size = %d\n", req_pkt->length); -+ print_buffer(req_pkt->data, req_pkt->length); -+ pkiDebug("checksum size = %d\n", key_pack->asChecksum.length); -+ print_buffer(key_pack->asChecksum.contents, -+ key_pack->asChecksum.length); -+ pkiDebug("encrypting key (%d)\n", encrypting_key->length); -+ print_buffer(encrypting_key->contents, encrypting_key->length); - #endif - -- krb5_copy_keyblock_contents(context, encrypting_key, -- &key_pack->replyKey); -+ krb5_copy_keyblock_contents(context, encrypting_key, -+ &key_pack->replyKey); - -- retval = k5int_encode_krb5_reply_key_pack(key_pack, -- &encoded_key_pack); -- if (retval) { -- pkiDebug("failed to encode reply_key_pack\n"); -- goto cleanup; -- } -+ retval = k5int_encode_krb5_reply_key_pack(key_pack, -+ &encoded_key_pack); -+ if (retval) { -+ pkiDebug("failed to encode reply_key_pack\n"); -+ goto cleanup; - } - -- switch ((int)padata->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- rep->choice = choice_pa_pk_as_rep_encKeyPack; -- retval = cms_envelopeddata_create(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, -- (unsigned char *) -- encoded_key_pack->data, -- encoded_key_pack->length, -- (unsigned char **) -- &rep->u.encKeyPack.data, -- &rep->u.encKeyPack.length); -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- /* if the request is from the broken draft9 client that -- * expects back a nonce, create it now -- */ -- if (!fixed_keypack) { -- init_krb5_reply_key_pack_draft9(&key_pack9); -- if (key_pack9 == NULL) { -- retval = ENOMEM; -- goto cleanup; -- } -- key_pack9->nonce = reqctx->rcv_auth_pack9->pkAuthenticator.nonce; -- krb5_copy_keyblock_contents(context, encrypting_key, -- &key_pack9->replyKey); -- -- retval = k5int_encode_krb5_reply_key_pack_draft9(key_pack9, -- &encoded_key_pack); -- if (retval) { -- pkiDebug("failed to encode reply_key_pack\n"); -- goto cleanup; -- } -- } -- -- rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack; -- retval = cms_envelopeddata_create(context, plgctx->cryptoctx, -- reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, -- (unsigned char *) -- encoded_key_pack->data, -- encoded_key_pack->length, -- (unsigned char **) -- &rep9->u.encKeyPack.data, &rep9->u.encKeyPack.length); -- break; -- } -+ rep->choice = choice_pa_pk_as_rep_encKeyPack; -+ retval = cms_envelopeddata_create(context, plgctx->cryptoctx, -+ reqctx->cryptoctx, plgctx->idctx, -+ padata->pa_type, 1, -+ (unsigned char *) -+ encoded_key_pack->data, -+ encoded_key_pack->length, -+ (unsigned char **) -+ &rep->u.encKeyPack.data, -+ &rep->u.encKeyPack.length); - if (retval) { - pkiDebug("failed to create pkcs7 enveloped data: %s\n", - error_message(retval)); -@@ -1112,23 +939,12 @@ pkinit_server_return_padata(krb5_context context, - print_buffer_bin((unsigned char *)encoded_key_pack->data, - encoded_key_pack->length, - "/tmp/kdc_key_pack"); -- switch ((int)padata->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- print_buffer_bin(rep->u.encKeyPack.data, -- rep->u.encKeyPack.length, -- "/tmp/kdc_enc_key_pack"); -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- print_buffer_bin(rep9->u.encKeyPack.data, -- rep9->u.encKeyPack.length, -- "/tmp/kdc_enc_key_pack"); -- break; -- } -+ print_buffer_bin(rep->u.encKeyPack.data, rep->u.encKeyPack.length, -+ "/tmp/kdc_enc_key_pack"); - #endif - } - -- if ((rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo) && -+ if (rep->choice == choice_pa_pk_as_rep_dhInfo && - ((reqctx->rcv_auth_pack != NULL && - reqctx->rcv_auth_pack->supportedKDFs != NULL))) { - -@@ -1147,15 +963,7 @@ pkinit_server_return_padata(krb5_context context, - } - } - -- switch ((int)padata->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- retval = k5int_encode_krb5_pa_pk_as_rep(rep, &out_data); -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- retval = k5int_encode_krb5_pa_pk_as_rep_draft9(rep9, &out_data); -- break; -- } -+ retval = k5int_encode_krb5_pa_pk_as_rep(rep, &out_data); - if (retval) { - pkiDebug("failed to encode AS_REP\n"); - goto cleanup; -@@ -1167,13 +975,11 @@ pkinit_server_return_padata(krb5_context context, - #endif - - /* If this is DH, we haven't computed the key yet, so do it now. */ -- if ((rep9 != NULL && -- rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || -- (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { -+ if (rep->choice == choice_pa_pk_as_rep_dhInfo) { - -- /* If we're not doing draft 9, and mutually supported KDFs were found, -- * use the algorithm agility KDF. */ -- if (rep != NULL && rep->u.dh_Info.kdfID) { -+ /* If mutually supported KDFs were found, use the algorithm agility -+ * KDF. */ -+ if (rep->u.dh_Info.kdfID) { - secret.data = (char *)server_key; - secret.length = server_key_len; - -@@ -1209,15 +1015,7 @@ pkinit_server_return_padata(krb5_context context, - goto cleanup; - } - (*send_pa)->magic = KV5M_PA_DATA; -- switch ((int)padata->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP; -- break; -- case KRB5_PADATA_PK_AS_REQ_OLD: -- case KRB5_PADATA_PK_AS_REP_OLD: -- (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP_OLD; -- break; -- } -+ (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP; - (*send_pa)->length = out_data->length; - (*send_pa)->contents = (krb5_octet *) out_data->data; - -@@ -1231,23 +1029,9 @@ cleanup: - krb5_free_data(context, encoded_key_pack); - free(dh_pubkey); - free(server_key); -- -- switch ((int)padata->pa_type) { -- case KRB5_PADATA_PK_AS_REQ: -- free_krb5_pa_pk_as_req(&reqp); -- free_krb5_pa_pk_as_rep(&rep); -- free_krb5_reply_key_pack(&key_pack); -- break; -- case KRB5_PADATA_PK_AS_REP_OLD: -- case KRB5_PADATA_PK_AS_REQ_OLD: -- free_krb5_pa_pk_as_req_draft9(&reqp9); -- free_krb5_pa_pk_as_rep_draft9(&rep9); -- if (!fixed_keypack) -- free_krb5_reply_key_pack_draft9(&key_pack9); -- else -- free_krb5_reply_key_pack(&key_pack); -- break; -- } -+ free_krb5_pa_pk_as_req(&reqp); -+ free_krb5_pa_pk_as_rep(&rep); -+ free_krb5_reply_key_pack(&key_pack); - - if (retval) - pkiDebug("pkinit_verify_padata failure"); -@@ -1265,8 +1049,6 @@ pkinit_server_get_flags(krb5_context kcontext, krb5_preauthtype patype) - - static krb5_preauthtype supported_server_pa_types[] = { - KRB5_PADATA_PK_AS_REQ, -- KRB5_PADATA_PK_AS_REQ_OLD, -- KRB5_PADATA_PK_AS_REP_OLD, - KRB5_PADATA_PKINIT_KX, - 0 - }; -@@ -1796,7 +1578,6 @@ pkinit_init_kdc_req_context(krb5_context context, pkinit_kdc_req_context *ctx) - if (retval) - goto cleanup; - reqctx->rcv_auth_pack = NULL; -- reqctx->rcv_auth_pack9 = NULL; - - pkiDebug("%s: returning reqctx at %p\n", __FUNCTION__, reqctx); - *ctx = reqctx; -@@ -1822,8 +1603,6 @@ pkinit_fini_kdc_req_context(krb5_context context, void *ctx) - pkinit_fini_req_crypto(reqctx->cryptoctx); - if (reqctx->rcv_auth_pack != NULL) - free_krb5_auth_pack(&reqctx->rcv_auth_pack); -- if (reqctx->rcv_auth_pack9 != NULL) -- free_krb5_auth_pack_draft9(context, &reqctx->rcv_auth_pack9); - - free(reqctx); - } -diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h -index 4da735f80..bba3226bd 100644 ---- a/src/plugins/preauth/pkinit/pkinit_trace.h -+++ b/src/plugins/preauth/pkinit/pkinit_trace.h -@@ -49,8 +49,6 @@ - #define TRACE_PKINIT_CLIENT_KDF_OS2K(c, keyblock) \ - TRACE(c, "PKINIT client used octetstring2key to compute reply key " \ - "{keyblock}", keyblock) --#define TRACE_PKINIT_CLIENT_NO_DRAFT9(c) \ -- TRACE(c, "PKINIT client ignoring draft 9 offer from RFC 4556 KDC") - #define TRACE_PKINIT_CLIENT_NO_IDENTITY(c) \ - TRACE(c, "PKINIT client has no configured identity; giving up") - #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \ -@@ -115,8 +113,6 @@ - TRACE(c, "PKINIT server found no SAN in client cert") - #define TRACE_PKINIT_SERVER_PADATA_VERIFY(c) \ - TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ") --#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c) \ -- TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD") - #define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c) \ - TRACE(c, "PKINIT server failed to verify PA data") - #define TRACE_PKINIT_SERVER_RETURN_PADATA(c) \ -diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py -index 1dadb1b96..93f0f2632 100755 ---- a/src/tests/t_pkinit.py -+++ b/src/tests/t_pkinit.py -@@ -432,11 +432,9 @@ realm.kinit(realm.user_princ, - realm.klist(realm.user_princ) - realm.run([kvno, realm.host_princ]) - --# Supply the wrong PIN, and verify that we ignore the draft9 padata offer --# in the KDC method data after RFC 4556 PKINIT fails. -+# Supply the wrong PIN. - mark('PKCS11 identity, wrong PIN') --expected_trace = ('PKINIT client has no configured identity; giving up', -- 'PKINIT client ignoring draft 9 offer from RFC 4556 KDC') -+expected_trace = ('PKINIT client has no configured identity; giving up',) - realm.kinit(realm.user_princ, - flags=['-X', 'X509_user_identity=%s' % p11_identity], - password='wrong', expected_code=1, expected_trace=expected_trace) diff --git a/Remove-ccapi-related-comments-in-configure.ac.patch b/Remove-ccapi-related-comments-in-configure.ac.patch deleted file mode 100644 index 7aa672b..0000000 --- a/Remove-ccapi-related-comments-in-configure.ac.patch +++ /dev/null @@ -1,34 +0,0 @@ -From ac8df1b0977dd5aedfaeb3d10458aaf18cece29f Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Wed, 3 Apr 2019 16:01:22 -0400 -Subject: [PATCH] Remove ccapi-related comments in configure.ac - -These suggested ccapi is buildable on non-Windows, and empirically it -is not. - -(cherry picked from commit eb48b176bccf3634b9c82f588dce85125a5c4bd8) ---- - src/configure.in | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/src/configure.in b/src/configure.in -index 505dabb02..9d6825b78 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1450,7 +1450,6 @@ V5_AC_OUTPUT_MAKEFILE(. - lib/crypto/crypto_tests - - lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache --dnl lib/krb5/ccache/ccapi - lib/krb5/keytab lib/krb5/krb lib/krb5/rcache lib/krb5/os - lib/krb5/unicode - -@@ -1463,8 +1462,6 @@ dnl lib/krb5/ccache/ccapi - lib/krad - lib/apputils - --dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test -- - kdc kprop config-files build-tools man doc include - - plugins/certauth/test diff --git a/Remove-checksum-type-profile-variables.patch b/Remove-checksum-type-profile-variables.patch deleted file mode 100644 index a2a05c2..0000000 --- a/Remove-checksum-type-profile-variables.patch +++ /dev/null @@ -1,429 +0,0 @@ -From ee07471fa613fb68ddebc28577870e97cb5190cf Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 13 May 2019 14:19:57 -0400 -Subject: [PATCH] Remove checksum type profile variables - -Remove support for the krb5.conf relations ap_req_checksum_type, -kdc_req_checksum_type, and safe_checksum_type. These values were -useful for interoperating with very old KDCs, which should no longer -be deployed. - -Additionally, kdc_req_checksum_type was incorrectly documented as only -applying to single-DES keys; in practice it also worked for RC4. The -other two were not clearly documented, but safe_checksum_type did -allow use of hmac-md5-rc4 for any enctype, and ap_req_checksum_type -did not impose any limitations. - -[ghudson@mit.edu: edited commit message] - -ticket: 8804 (new) -(cherry picked from commit a5a140dc85201faf1ba3a687553058354722a1b4) -[rharwood@redhat.com: release version conflict in man pages] ---- - doc/admin/conf_files/krb5_conf.rst | 37 ------------ - src/include/k5-int.h | 6 -- - src/lib/krb5/krb/auth_con.c | 2 - - src/lib/krb5/krb/init_ctx.c | 13 ----- - src/lib/krb5/krb/send_tgs.c | 19 +------ - src/lib/krb5/krb/ser_ctx.c | 38 +------------ - src/lib/krb5/krb/t_copy_context.c | 6 -- - src/man/krb5.conf.man | 90 ++---------------------------- - 8 files changed, 7 insertions(+), 204 deletions(-) - -diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index d1e1a222d..a3fb5d9f2 100644 ---- a/doc/admin/conf_files/krb5_conf.rst -+++ b/doc/admin/conf_files/krb5_conf.rst -@@ -105,14 +105,6 @@ The libdefaults section may contain any of the following relations: - strong crypto. Users in affected environments should set this tag - to true until their infrastructure adopts stronger ciphers. - --**ap_req_checksum_type** -- An integer which specifies the type of AP-REQ checksum to use in -- authenticators. This variable should be unset so the appropriate -- checksum for the encryption key in use will be used. This can be -- set if backward compatibility requires a specific checksum type. -- See the **kdc_req_checksum_type** configuration option for the -- possible values and their meanings. -- - **canonicalize** - If this flag is set to true, initial ticket requests to the KDC - will request canonicalization of the client principal name, and -@@ -291,26 +283,6 @@ The libdefaults section may contain any of the following relations: - corrective factor is only used by the Kerberos library; it is not - used to change the system clock. The default value is 1. - --**kdc_req_checksum_type** -- An integer which specifies the type of checksum to use for the KDC -- requests, for compatibility with very old KDC implementations. -- This value is only used for DES keys; other keys use the preferred -- checksum type for those keys. -- -- The possible values and their meanings are as follows. -- -- ======== =============================== -- 1 CRC32 -- 2 RSA MD4 -- 3 RSA MD4 DES -- 4 DES CBC -- 7 RSA MD5 -- 8 RSA MD5 DES -- 9 NIST SHA -- 12 HMAC SHA1 DES3 -- -138 Microsoft MD5 HMAC checksum type -- ======== =============================== -- - **noaddresses** - If this flag is true, requests for initial tickets will not be - made with address restrictions set, allowing the tickets to be -@@ -359,15 +331,6 @@ The libdefaults section may contain any of the following relations: - (:ref:`duration` string.) Sets the default renewable lifetime - for initial ticket requests. The default value is 0. - --**safe_checksum_type** -- An integer which specifies the type of checksum to use for the -- KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For -- compatibility with applications linked against DCE version 1.1 or -- earlier Kerberos libraries, use a value of 3 to use the RSA MD4 -- DES instead. This field is ignored when its value is incompatible -- with the session key type. See the **kdc_req_checksum_type** -- configuration option for the possible values and their meanings. -- - **spake_preauth_groups** - A whitespace or comma-separated list of words which specifies the - groups allowed for SPAKE preauthentication. The possible values -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 1e6a739e9..1a78fd7a9 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -182,7 +182,6 @@ typedef unsigned char u_char; - #define KRB5_CONF_ACL_FILE "acl_file" - #define KRB5_CONF_ADMIN_SERVER "admin_server" - #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" --#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type" - #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" - #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" - #define KRB5_CONF_CANONICALIZE "canonicalize" -@@ -241,7 +240,6 @@ typedef unsigned char u_char; - #define KRB5_CONF_KDC_LISTEN "kdc_listen" - #define KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size" - #define KRB5_CONF_KDC_PORTS "kdc_ports" --#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type" - #define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports" - #define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen" - #define KRB5_CONF_KDC_TCP_LISTEN_BACKLOG "kdc_tcp_listen_backlog" -@@ -289,7 +287,6 @@ typedef unsigned char u_char; - #define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit" - #define KRB5_CONF_RENEW_LIFETIME "renew_lifetime" - #define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt" --#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type" - #define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes" - #define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator" - #define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge" -@@ -1185,9 +1182,6 @@ struct _krb5_context { - void *ser_ctx; - /* allowable clock skew */ - krb5_deltat clockskew; -- krb5_cksumtype kdc_req_sumtype; -- krb5_cksumtype default_ap_req_sumtype; -- krb5_cksumtype default_safe_sumtype; - krb5_flags kdc_default_options; - krb5_flags library_options; - krb5_boolean profile_secure; -diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c -index c86a4af63..1dfce631c 100644 ---- a/src/lib/krb5/krb/auth_con.c -+++ b/src/lib/krb5/krb/auth_con.c -@@ -40,8 +40,6 @@ krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context) - (*auth_context)->auth_context_flags = - KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED; - -- (*auth_context)->req_cksumtype = context->default_ap_req_sumtype; -- (*auth_context)->safe_cksumtype = context->default_safe_sumtype; - (*auth_context)->checksum_func = NULL; - (*auth_context)->checksum_func_data = NULL; - (*auth_context)->negotiated_etype = ENCTYPE_NULL; -diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index d263d5cc5..37405728c 100644 ---- a/src/lib/krb5/krb/init_ctx.c -+++ b/src/lib/krb5/krb/init_ctx.c -@@ -258,19 +258,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, - get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp); - ctx->clockskew = tmp; - -- /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */ -- /* DCE add kdc_req_checksum_type = 2 to krb5.conf */ -- get_integer(ctx, KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5, -- &tmp); -- ctx->kdc_req_sumtype = tmp; -- -- get_integer(ctx, KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, &tmp); -- ctx->default_ap_req_sumtype = tmp; -- -- get_integer(ctx, KRB5_CONF_SAFE_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5_DES, -- &tmp); -- ctx->default_safe_sumtype = tmp; -- - get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK, - &tmp); - ctx->kdc_default_options = tmp; -diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c -index e43a5cc5b..3dda2fdaa 100644 ---- a/src/lib/krb5/krb/send_tgs.c -+++ b/src/lib/krb5/krb/send_tgs.c -@@ -53,7 +53,6 @@ tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data, - krb5_creds *tgt, krb5_keyblock *subkey, - krb5_data **ap_req_asn1_out) - { -- krb5_cksumtype cksumtype; - krb5_error_code ret; - krb5_checksum checksum; - krb5_authenticator authent; -@@ -67,24 +66,8 @@ tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data, - memset(&ap_req, 0, sizeof(ap_req)); - memset(&authent_enc, 0, sizeof(authent_enc)); - -- /* Determine the authenticator checksum type. */ -- switch (tgt->keyblock.enctype) { -- case ENCTYPE_DES_CBC_CRC: -- case ENCTYPE_DES_CBC_MD4: -- case ENCTYPE_DES_CBC_MD5: -- case ENCTYPE_ARCFOUR_HMAC: -- case ENCTYPE_ARCFOUR_HMAC_EXP: -- cksumtype = context->kdc_req_sumtype; -- break; -- default: -- ret = krb5int_c_mandatory_cksumtype(context, tgt->keyblock.enctype, -- &cksumtype); -- if (ret) -- goto cleanup; -- } -- - /* Generate checksum. */ -- ret = krb5_c_make_checksum(context, cksumtype, &tgt->keyblock, -+ ret = krb5_c_make_checksum(context, 0, &tgt->keyblock, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, checksum_data, - &checksum); - if (ret) -diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c -index a9f50b239..39f656322 100644 ---- a/src/lib/krb5/krb/ser_ctx.c -+++ b/src/lib/krb5/krb/ser_ctx.c -@@ -124,9 +124,6 @@ krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) - * krb5_int32 for n_tgs_etypes*sizeof(krb5_int32) - * nktypes*sizeof(krb5_int32) for tgs_etypes. - * krb5_int32 for clockskew -- * krb5_int32 for kdc_req_sumtype -- * krb5_int32 for ap_req_sumtype -- * krb5_int32 for safe_sumtype - * krb5_int32 for kdc_default_options - * krb5_int32 for library_options - * krb5_int32 for profile_secure -@@ -139,7 +136,7 @@ krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) - kret = EINVAL; - if ((context = (krb5_context) arg)) { - /* Calculate base length */ -- required = (14 * sizeof(krb5_int32) + -+ required = (11 * sizeof(krb5_int32) + - (etypes_len(context->in_tkt_etypes) * sizeof(krb5_int32)) + - (etypes_len(context->tgs_etypes) * sizeof(krb5_int32))); - -@@ -255,24 +252,6 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b - if (kret) - return (kret); - -- /* Now kdc_req_sumtype */ -- kret = krb5_ser_pack_int32((krb5_int32) context->kdc_req_sumtype, -- &bp, &remain); -- if (kret) -- return (kret); -- -- /* Now default ap_req_sumtype */ -- kret = krb5_ser_pack_int32((krb5_int32) context->default_ap_req_sumtype, -- &bp, &remain); -- if (kret) -- return (kret); -- -- /* Now default safe_sumtype */ -- kret = krb5_ser_pack_int32((krb5_int32) context->default_safe_sumtype, -- &bp, &remain); -- if (kret) -- return (kret); -- - /* Now kdc_default_options */ - kret = krb5_ser_pack_int32((krb5_int32) context->kdc_default_options, - &bp, &remain); -@@ -426,21 +405,6 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet * - goto cleanup; - context->clockskew = (krb5_deltat) ibuf; - -- /* kdc_req_sumtype */ -- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) -- goto cleanup; -- context->kdc_req_sumtype = (krb5_cksumtype) ibuf; -- -- /* default ap_req_sumtype */ -- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) -- goto cleanup; -- context->default_ap_req_sumtype = (krb5_cksumtype) ibuf; -- -- /* default_safe_sumtype */ -- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) -- goto cleanup; -- context->default_safe_sumtype = (krb5_cksumtype) ibuf; -- - /* kdc_default_options */ - if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) - goto cleanup; -diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c -index a6e48cd25..22be2198b 100644 ---- a/src/lib/krb5/krb/t_copy_context.c -+++ b/src/lib/krb5/krb/t_copy_context.c -@@ -77,9 +77,6 @@ check_context(krb5_context c, krb5_context r) - check(c->os_context.os_flags == r->os_context.os_flags); - compare_string(c->os_context.default_ccname, r->os_context.default_ccname); - check(c->clockskew == r->clockskew); -- check(c->kdc_req_sumtype == r->kdc_req_sumtype); -- check(c->default_ap_req_sumtype == r->default_ap_req_sumtype); -- check(c->default_safe_sumtype == r->default_safe_sumtype); - check(c->kdc_default_options == r->kdc_default_options); - check(c->library_options == r->library_options); - check(c->profile_secure == r->profile_secure); -@@ -136,9 +133,6 @@ main(int argc, char **argv) - check(krb5_cc_set_default_name(ctx, "defccname") == 0); - check(krb5_set_default_realm(ctx, "defrealm") == 0); - ctx->clockskew = 18; -- ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA; -- ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128; -- ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256; - ctx->kdc_default_options = KDC_OPT_FORWARDABLE; - ctx->library_options = 0; - ctx->profile_secure = TRUE; -diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man -index 2a7af6aa4..433f38d71 100644 ---- a/src/man/krb5.conf.man -+++ b/src/man/krb5.conf.man -@@ -1,6 +1,6 @@ - .\" Man page generated from reStructuredText. - . --.TH "KRB5.CONF" "5" " " "1.17.1" "MIT Kerberos" -+.TH "KRB5.CONF" "5" " " "1.18" "MIT Kerberos" - .SH NAME - krb5.conf \- Kerberos configuration file - . -@@ -188,14 +188,6 @@ failures in existing Kerberos infrastructures that do not support - strong crypto. Users in affected environments should set this tag - to true until their infrastructure adopts stronger ciphers. - .TP --\fBap_req_checksum_type\fP --An integer which specifies the type of AP\-REQ checksum to use in --authenticators. This variable should be unset so the appropriate --checksum for the encryption key in use will be used. This can be --set if backward compatibility requires a specific checksum type. --See the \fBkdc_req_checksum_type\fP configuration option for the --possible values and their meanings. --.TP - \fBcanonicalize\fP - If this flag is set to true, initial ticket requests to the KDC - will request canonicalization of the client principal name, and -@@ -277,6 +269,10 @@ hostnames for use in service principal names. Setting this flag - to false can improve security by reducing reliance on DNS, but - means that short hostnames will not be canonicalized to - fully\-qualified hostnames. The default value is true. -+.sp -+If this option is set to \fBfallback\fP (new in release 1.18), DNS -+canonicalization will only be performed the server hostname is not -+found with the original name when requesting credentials. - .TP - \fBdns_lookup_kdc\fP - Indicate whether DNS SRV records should be used to locate the KDCs -@@ -370,73 +366,6 @@ requesting service tickets or authenticating to services. This - corrective factor is only used by the Kerberos library; it is not - used to change the system clock. The default value is 1. - .TP --\fBkdc_req_checksum_type\fP --An integer which specifies the type of checksum to use for the KDC --requests, for compatibility with very old KDC implementations. --This value is only used for DES keys; other keys use the preferred --checksum type for those keys. --.sp --The possible values and their meanings are as follows. --.TS --center; --|l|l|. --_ --T{ --1 --T} T{ --CRC32 --T} --_ --T{ --2 --T} T{ --RSA MD4 --T} --_ --T{ --3 --T} T{ --RSA MD4 DES --T} --_ --T{ --4 --T} T{ --DES CBC --T} --_ --T{ --7 --T} T{ --RSA MD5 --T} --_ --T{ --8 --T} T{ --RSA MD5 DES --T} --_ --T{ --9 --T} T{ --NIST SHA --T} --_ --T{ --12 --T} T{ --HMAC SHA1 DES3 --T} --_ --T{ --\-138 --T} T{ --Microsoft MD5 HMAC checksum type --T} --_ --.TE --.TP - \fBnoaddresses\fP - If this flag is true, requests for initial tickets will not be - made with address restrictions set, allowing the tickets to be -@@ -485,15 +414,6 @@ set. The default is not to search domain components. - (duration string.) Sets the default renewable lifetime - for initial ticket requests. The default value is 0. - .TP --\fBsafe_checksum_type\fP --An integer which specifies the type of checksum to use for the --KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For --compatibility with applications linked against DCE version 1.1 or --earlier Kerberos libraries, use a value of 3 to use the RSA MD4 --DES instead. This field is ignored when its value is incompatible --with the session key type. See the \fBkdc_req_checksum_type\fP --configuration option for the possible values and their meanings. --.TP - \fBspake_preauth_groups\fP - A whitespace or comma\-separated list of words which specifies the - groups allowed for SPAKE preauthentication. The possible values diff --git a/Remove-confvalidator-utility.patch b/Remove-confvalidator-utility.patch deleted file mode 100644 index cb7d58d..0000000 --- a/Remove-confvalidator-utility.patch +++ /dev/null @@ -1,430 +0,0 @@ -From 1df6ae50de14c8795af7f7aea7f54eede51fd206 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Wed, 3 Apr 2019 14:58:19 -0400 -Subject: [PATCH] Remove confvalidator utility - -This utility has not been maintained with encryption types and salt -changes, which suggests it is unused. - -(cherry picked from commit 482a366793d9338e9edb504b407d7704a4bb2f8f) ---- - src/util/confvalidator/README | 25 ---- - src/util/confvalidator/confparser.py | 144 ------------------- - src/util/confvalidator/rules.yml | 13 -- - src/util/confvalidator/validator.conf | 2 - - src/util/confvalidator/validator.py | 194 -------------------------- - 5 files changed, 378 deletions(-) - delete mode 100644 src/util/confvalidator/README - delete mode 100644 src/util/confvalidator/confparser.py - delete mode 100644 src/util/confvalidator/rules.yml - delete mode 100644 src/util/confvalidator/validator.conf - delete mode 100644 src/util/confvalidator/validator.py - -diff --git a/src/util/confvalidator/README b/src/util/confvalidator/README -deleted file mode 100644 -index 7bf7a106a..000000000 ---- a/src/util/confvalidator/README -+++ /dev/null -@@ -1,25 +0,0 @@ --validator.py is a command line tool for identifying invalid attributes, values and some formating problems in Kerberos configuration files. --The list of the valid attributes is created based on the “configuration variables” section in k5-int.h and user defined attributes from the rules file. -- --Usage: -- --validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath] -- --Options: -- --path – the path to the configuration file to validate -- ---d defPath – path to the k5-int.h file. Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx ”ZZZ”. -- ---r rulesPath - path the rules file in yaml format. It may be used to manage the list of the valid attributes and to define the additional validation rules. -- ---c validatorConfPath – the same as -r and -d options, but in validator configuration file format. -- --Example: -- --python validator.py src/config-files/krb5.conf -r rules.yml -d src/include/k5-int.h --or --python validator.py src/config-files/krb5.conf -c validator.conf -- --For more details please refer to the sample files validator.conf and rules.yml -- -diff --git a/src/util/confvalidator/confparser.py b/src/util/confvalidator/confparser.py -deleted file mode 100644 -index 2fea142a5..000000000 ---- a/src/util/confvalidator/confparser.py -+++ /dev/null -@@ -1,144 +0,0 @@ --''' --Created on Jan 31, 2010 -- --@author: tsitkova --''' --import re --import copy --import yaml -- --class ConfParser(object): -- def __init__(self, path): -- self.configuration = self._parse(path) -- -- def walk(self): -- for trio in self._walk(self.configuration): -- yield trio -- -- def _parse(self, path): -- comment_pattern = re.compile(r'(\s*[#].*)') -- section_pattern = re.compile(r'^\s*\[(?P
\w+)\]\s+$') -- empty_pattern = re.compile(r'^\s*$') -- equalsign_pattern = re.compile(r'=') -- -- section = None -- parser_stack = list() -- result = dict() -- value = None -- f = open(path, 'r') -- for (ln,line) in enumerate(f): -- line = comment_pattern.sub('', line) -- line = equalsign_pattern.sub(' = ',line,count=1) -- if empty_pattern.match(line) is not None: -- continue -- m = section_pattern.match(line) -- if m is not None: -- section = m.group('section') -- value = dict() -- result[section] = value -- continue -- if section is None: -- msg = 'Failed to determine section for line #%i' % ln -- raise ValueError(msg) -- try: -- value = self._parseLine(value, line, parser_stack) -- except: -- print 'Error while parsing line %i: %s' % (ln+1, line) -- raise -- f.close() -- -- if len(parser_stack): -- raise 'Parsing error.' -- -- return result -- -- def _parseLine(self, value, content, stack): -- token_pattern = re.compile(r'(?P\S+)(?=\s+)') -- attr = None -- token_stack = list() -- -- for m in token_pattern.finditer(content): -- token = m.group('token') -- if not self._validate(token): -- raise ValueError('Invalid token %s' % token) -- if token == '=': -- if len(token_stack) == 0: -- raise ValueError('Failed to find attribute.') -- elif len(token_stack) == 1: -- attr = token_stack.pop() -- else: -- value[attr] = token_stack[:-1] -- attr = token_stack[-1] -- token_stack = list() -- elif token == '{': -- if attr is None: -- raise ValueError('Failed to find attribute.') -- stack.append((attr,value)) -- value = dict() -- elif token == '}': -- if len(stack) == 0: -- raise ValueError('Failed to parse: unbalanced braces') -- if len(token_stack): -- if attr is None: -- raise ValueError('Missing attribute') -- value[attr] = token_stack -- attr = None -- token_stack = list() -- (attr,parent_value) = stack.pop() -- parent_value[attr] = value -- value = parent_value -- else: -- token_stack.append(token) -- if len(token_stack): -- if attr is None: -- raise ValueError('Missing attribute') -- value[attr] = token_stack -- -- return value -- -- def _validate(self, token): -- result = True -- for s in ['{','}']: -- if s in token and s != token: -- result = False -- -- return result -- -- def _walk(self, parsedData, path='root'): -- dirs = list() -- av = list() -- for (key, value) in parsedData.iteritems(): -- if type(value) == dict: -- new_path = path + '.' + key -- for trio in self._walk(value, new_path): -- yield trio -- dirs.append(key) -- else: -- av.append((key,value)) -- yield (path, dirs, av) -- -- -- --class ConfParserTest(ConfParser): -- def __init__(self): -- self.conf_path = '../tests/krb5.conf' -- super(ConfParserTest, self).__init__(self.conf_path) -- -- def run_tests(self): -- self._test_walk() -- -- def _test_parse(self): -- result = self._parse(self.conf_path) -- print yaml.dump(result) -- -- def _test_walk(self): -- configuration = self._parse(self.conf_path) -- for (path,dirs,av) in self.walk(): -- print path,dirs,av -- -- -- -- --if __name__ == '__main__': -- tester = ConfParserTest() -- tester.run_tests() -diff --git a/src/util/confvalidator/rules.yml b/src/util/confvalidator/rules.yml -deleted file mode 100644 -index c6ccc89fe..000000000 ---- a/src/util/confvalidator/rules.yml -+++ /dev/null -@@ -1,13 +0,0 @@ --# Extend the list of the allowed enctypes and salts as needed --Types: -- supported_enctypes: -- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)(:(normal|v4))?$' -- default_tgs_enctypes: -- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)' -- default_tkt_enctypes: -- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)' -- --# Add all valid profile attributes that are not listed in k5-int.h --Attributes: -- - logging -- - dbmodules -diff --git a/src/util/confvalidator/validator.conf b/src/util/confvalidator/validator.conf -deleted file mode 100644 -index 71e205c3b..000000000 ---- a/src/util/confvalidator/validator.conf -+++ /dev/null -@@ -1,2 +0,0 @@ --RulesPath=./rules.yml --HfilePath=../../include/k5-int.h -diff --git a/src/util/confvalidator/validator.py b/src/util/confvalidator/validator.py -deleted file mode 100644 -index d739bc091..000000000 ---- a/src/util/confvalidator/validator.py -+++ /dev/null -@@ -1,194 +0,0 @@ --''' --Created on Jan 25, 2010 -- --@author: tsitkova --''' --import os --import sys --import re --import yaml --from optparse import OptionParser --from confparser import ConfParser -- --class Rule(object): -- def __init__(self): -- pass -- -- def validate(self,node): -- (path,dirs,avs) = node -- -- --class Validator(object): -- def __init__(self, kerberosPath, confPath=None, rulesPath=None, hfilePath=None): -- self.parser = ConfParser(kerberosPath) -- if confPath is not None: -- content = self._readConfigFile(confPath) -- rulesPath = content['RulesPath'] -- hfilePath = content['HfilePath'] -- if rulesPath is not None and hfilePath is not None: -- self.rules = self._loadRules(rulesPath) -- self.validKeys = SupportedKeys(hfilePath).validKeys.union(self.rules['Attributes']) -- else: -- raise ValueError('Invalid arguments for validator: no path to rules and definition files') -- -- self._attribute_pattern = re.compile(r'^\w+$') -- self._lowercase_pattern = re.compile(r'[a-z]') -- -- def _readConfigFile(self,path): -- f = open(path) -- result = dict() -- for line in f: -- line = line.rstrip() -- fields = line.split('=') -- result[fields[0]] = fields[1] -- -- return result -- -- def _loadRules(self, path): -- f = open(path) -- rules = yaml.load(f) -- f.close() -- -- return rules -- -- def validate(self): -- typeInfo = self.rules['Types'] -- -- for node in self.parser.walk(): -- self._validateTypes(node, typeInfo) -- self._validateAttrubutes(node, self.validKeys) -- # self._validateRealm(node) -- -- -- def _validateTypes(self, node, typeInfo): -- (path, dirs, avs) = node -- for (key, value) in avs: -- valid_type_pattern = typeInfo.get(key) -- if valid_type_pattern is not None: -- for t in value: -- if re.match(valid_type_pattern, t) is None: -- print 'Wrong type %s for attribute %s.%s' % (t,path,key) -- -- def _validateAttrubutes(self, node, validKeys): -- (path, dirs, avs) = node -- attributes = list() -- for attr in dirs: -- if self._attribute_pattern.match(attr) is not None: -- attributes.append(attr) -- for (attr, value) in avs: -- if self._attribute_pattern.match(attr) is not None: -- attributes.append(attr) -- -- for attr in attributes: -- if attr not in validKeys: -- print 'Unrecognized attribute %s at %s' % (attr, path) -- --# def _validateRealm(self, node): --# (path, dirs, avs) = node --# if path == 'root.realms': --# for attr in dirs: --# if self._lowercase_pattern.search(attr) is not None: --# print 'Lower case letter in realm attribute: %s at %s' % (attr, path) -- --class SupportedKeys(object): -- def __init__(self, path): -- self.validKeys = self.getKeysFromHfile(path) -- -- def getKeysFromHfile(self, path): -- pattern = re.compile(r'^[#]define KRB5_CONF_\w+\s+["](\w+)["]') -- f = open(path) -- result = set() -- for l in f: -- l = l.rstrip() -- m = pattern.match(l) -- if m is not None: -- result.add(m.groups()[0]) -- f.close() -- -- return result -- -- --class ValidatorTest(Validator): -- def __init__(self): -- self.kerberosPath = '../tests/kdc1.conf' -- self.rulesPath = '../tests/rules.yml' -- self.hfilePath = '../tests/k5-int.h' -- self.confPath = '../tests/validator.conf' -- -- super(ValidatorTest, self).__init__(self.kerberosPath, -- rulesPath=self.rulesPath, -- hfilePath=self.hfilePath) -- -- def run_tests(self): -- self._test_validate() -- -- def _test__loadRules(self): -- result = self._loadRules(self.rulesPath) -- print result -- -- def _test_validate(self): -- self.validate() -- -- def _test__readConfigFile(self): -- result = self._readConfigFile(self.confPath) -- print result -- --class SupportedKeysTest(SupportedKeys): -- def __init__(self): -- self.path = '../tests/k5-int.h' -- -- def run_tests(self): -- self._test_getKeysFromHFile() -- -- def _test_getKeysFromHFile(self): -- result = set() -- krb5keys = self.getKeysFromHfile(self.path) -- for key in krb5keys: -- print key -- result.update(key) -- print len(krb5keys) -- -- return result -- --def _test(): -- tester = ValidatorTest() -- krb5keys = tester.run_tests() -- --if __name__ == '__main__': -- TEST = False -- if TEST: -- _test() -- sys.exit() -- -- -- usage = "\n\t%prog path [-d defPath] [-r rulesPath] [-c validatorConfPath]" -- description = 'Description: validates kerberos configuration file' -- parser = OptionParser(usage = usage, description = description) -- parser.add_option("-c", dest="confPath", -- help='path to validator config file') -- parser.add_option("-d", dest="hfilePath", -- help='path to h-file with attribute definition') -- parser.add_option("-r", dest="rulesPath", -- help='path to file with validation rules') -- (options, args) = parser.parse_args() -- -- if len(args) != 1 and len(sys.argv) <= 3: -- print '\n%s' % parser.get_usage() -- sys.exit() -- -- validator = None -- if options.confPath is not None: -- validator = Validator(args[0], confPath=options.confPath) -- elif options.hfilePath is not None and options.rulesPath is not None: -- validator = Validator(args[0], hfilePath=options.hfilePath, rulesPath=options.rulesPath) -- else: -- print '\nMust specify either configuration file or paths to rules and definitions files' -- print '%s' % parser.get_usage() -- sys.exit() -- -- validator.validate() -- -- -- -- -- diff --git a/Remove-dead-variable-def_kslist-from-two-files.patch b/Remove-dead-variable-def_kslist-from-two-files.patch deleted file mode 100644 index d9ba0dc..0000000 --- a/Remove-dead-variable-def_kslist-from-two-files.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 5c9dce0ac1b8b6fcb048404e3830fd4619f4f1c5 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 2 May 2019 16:57:51 -0400 -Subject: [PATCH] Remove dead variable def_kslist from two files - -def_kslist was part of kdb5_create.c since its addition (commit -edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1) and has always been -irrelevant since the rblock structure is fully initialized in -kdb5_create(). - -def_klist was copied into kdb5_ldap_realm.c (present in addition at -commit 42d9d6ab320ee3a661fe21472be542acd542d5be). The global rblock -structure (and therefore the initializer) was removed in commit -9c850f8b62784170a5e42315c1a9552ddcf4ca2b, leaving def_kslist -unreferenced. - -Remove def_kslist from both files, and remove the rblock initializer -from kdb5_create.c. - -[ghudson@mit.edu: edited commit message] - -(cherry picked from commit 6309f5e3508cd24151222b2cd095766283e205f2) ---- - src/kadmin/dbutil/kdb5_create.c | 12 +----------- - src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 1 - - 2 files changed, 1 insertion(+), 12 deletions(-) - -diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c -index bc1b9195d..efdb8adb0 100644 ---- a/src/kadmin/dbutil/kdb5_create.c -+++ b/src/kadmin/dbutil/kdb5_create.c -@@ -66,8 +66,6 @@ enum ap_op { - TGT_KEY /* special handling for tgt key */ - }; - --krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL }; -- - struct realm_info { - krb5_deltat max_life; - krb5_deltat max_rlife; -@@ -76,15 +74,7 @@ struct realm_info { - krb5_keyblock *key; - krb5_int32 nkslist; - krb5_key_salt_tuple *kslist; --} rblock = { /* XXX */ -- KRB5_KDB_MAX_LIFE, -- KRB5_KDB_MAX_RLIFE, -- KRB5_KDB_EXPIRATION, -- KRB5_KDB_DEF_FLAGS, -- (krb5_keyblock *) NULL, -- 1, -- &def_kslist --}; -+} rblock; - - struct iterate_args { - krb5_context ctx; -diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c -index 5a745e21d..c21d19981 100644 ---- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c -+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c -@@ -91,7 +91,6 @@ - extern time_t get_date(char *); /* kadmin/cli/getdate.o */ - - char *yes = "yes\n"; /* \n to compare against result of fgets */ --krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL}; - - krb5_data tgt_princ_entries[] = { - {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME}, diff --git a/Remove-doxygen-generated-HTML-output-for-ccapi.patch b/Remove-doxygen-generated-HTML-output-for-ccapi.patch deleted file mode 100644 index 3133482..0000000 --- a/Remove-doxygen-generated-HTML-output-for-ccapi.patch +++ /dev/null @@ -1,7653 +0,0 @@ -From a0c231f79b0b9c02120802cc5549c8576b5156bd Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 4 Apr 2019 14:15:58 -0400 -Subject: [PATCH] Remove doxygen-generated HTML output for ccapi - -(cherry picked from commit d4f90b750d6d81cc001f6b00266c82c1c916bbf4) ---- - doc/ccapi/Doxyfile | 281 ---- - doc/ccapi/ccache-api-v2.html | 1217 --------------- - doc/ccapi/html/doxygen.css | 310 ---- - doc/ccapi/html/doxygen.png | Bin 1281 -> 0 bytes - ...roup__cc__ccache__iterator__reference.html | 96 -- - .../html/group__cc__ccache__reference.html | 96 -- - .../html/group__cc__context__reference.html | 161 -- - ..._cc__credentials__iterator__reference.html | 133 -- - .../group__cc__credentials__reference.html | 197 --- - .../html/group__cc__string__reference.html | 96 -- - .../group__ccapi__constants__reference.html | 407 ----- - .../html/group__ccapi__types__reference.html | 138 -- - doc/ccapi/html/group__helper__macros.html | 1377 ----------------- - doc/ccapi/html/index.html | 85 - - doc/ccapi/html/structcc__ccache__d.html | 43 - - doc/ccapi/html/structcc__ccache__f.html | 722 --------- - .../html/structcc__ccache__iterator__d.html | 43 - - .../html/structcc__ccache__iterator__f.html | 117 -- - doc/ccapi/html/structcc__context__d.html | 43 - - doc/ccapi/html/structcc__context__f.html | 513 ------ - doc/ccapi/html/structcc__credentials__d.html | 67 - - doc/ccapi/html/structcc__credentials__f.html | 85 - - .../structcc__credentials__iterator__d.html | 43 - - .../structcc__credentials__iterator__f.html | 85 - - .../html/structcc__credentials__union.html | 118 -- - .../html/structcc__credentials__v4__t.html | 358 ----- - .../html/structcc__credentials__v5__t.html | 334 ---- - doc/ccapi/html/structcc__data.html | 94 -- - doc/ccapi/html/structcc__string__d.html | 67 - - doc/ccapi/html/structcc__string__f.html | 51 - - 30 files changed, 7377 deletions(-) - delete mode 100644 doc/ccapi/Doxyfile - delete mode 100755 doc/ccapi/ccache-api-v2.html - delete mode 100644 doc/ccapi/html/doxygen.css - delete mode 100644 doc/ccapi/html/doxygen.png - delete mode 100644 doc/ccapi/html/group__cc__ccache__iterator__reference.html - delete mode 100644 doc/ccapi/html/group__cc__ccache__reference.html - delete mode 100644 doc/ccapi/html/group__cc__context__reference.html - delete mode 100644 doc/ccapi/html/group__cc__credentials__iterator__reference.html - delete mode 100644 doc/ccapi/html/group__cc__credentials__reference.html - delete mode 100644 doc/ccapi/html/group__cc__string__reference.html - delete mode 100644 doc/ccapi/html/group__ccapi__constants__reference.html - delete mode 100644 doc/ccapi/html/group__ccapi__types__reference.html - delete mode 100644 doc/ccapi/html/group__helper__macros.html - delete mode 100644 doc/ccapi/html/index.html - delete mode 100644 doc/ccapi/html/structcc__ccache__d.html - delete mode 100644 doc/ccapi/html/structcc__ccache__f.html - delete mode 100644 doc/ccapi/html/structcc__ccache__iterator__d.html - delete mode 100644 doc/ccapi/html/structcc__ccache__iterator__f.html - delete mode 100644 doc/ccapi/html/structcc__context__d.html - delete mode 100644 doc/ccapi/html/structcc__context__f.html - delete mode 100644 doc/ccapi/html/structcc__credentials__d.html - delete mode 100644 doc/ccapi/html/structcc__credentials__f.html - delete mode 100644 doc/ccapi/html/structcc__credentials__iterator__d.html - delete mode 100644 doc/ccapi/html/structcc__credentials__iterator__f.html - delete mode 100644 doc/ccapi/html/structcc__credentials__union.html - delete mode 100644 doc/ccapi/html/structcc__credentials__v4__t.html - delete mode 100644 doc/ccapi/html/structcc__credentials__v5__t.html - delete mode 100644 doc/ccapi/html/structcc__data.html - delete mode 100644 doc/ccapi/html/structcc__string__d.html - delete mode 100644 doc/ccapi/html/structcc__string__f.html - -diff --git a/doc/ccapi/Doxyfile b/doc/ccapi/Doxyfile -deleted file mode 100644 -index 734c29c90..000000000 ---- a/doc/ccapi/Doxyfile -+++ /dev/null -@@ -1,281 +0,0 @@ --# Doxyfile 1.5.3 -- --#--------------------------------------------------------------------------- --# Project related configuration options --#--------------------------------------------------------------------------- --DOXYFILE_ENCODING = UTF-8 --PROJECT_NAME = "Credentials Cache API " --PROJECT_NUMBER = --OUTPUT_DIRECTORY = . --CREATE_SUBDIRS = NO --OUTPUT_LANGUAGE = English --BRIEF_MEMBER_DESC = YES --REPEAT_BRIEF = YES --ABBREVIATE_BRIEF = "The $name class " \ -- "The $name widget " \ -- "The $name file " \ -- is \ -- provides \ -- specifies \ -- contains \ -- represents \ -- a \ -- an \ -- the --ALWAYS_DETAILED_SEC = YES --INLINE_INHERITED_MEMB = NO --FULL_PATH_NAMES = NO --STRIP_FROM_PATH = --STRIP_FROM_INC_PATH = --SHORT_NAMES = NO --JAVADOC_AUTOBRIEF = NO --QT_AUTOBRIEF = NO --MULTILINE_CPP_IS_BRIEF = NO --DETAILS_AT_TOP = YES --INHERIT_DOCS = YES --SEPARATE_MEMBER_PAGES = NO --TAB_SIZE = 8 --ALIASES = --OPTIMIZE_OUTPUT_FOR_C = YES --OPTIMIZE_OUTPUT_JAVA = NO --BUILTIN_STL_SUPPORT = NO --CPP_CLI_SUPPORT = NO --DISTRIBUTE_GROUP_DOC = NO --SUBGROUPING = YES --#--------------------------------------------------------------------------- --# Build related configuration options --#--------------------------------------------------------------------------- --EXTRACT_ALL = YES --EXTRACT_PRIVATE = NO --EXTRACT_STATIC = NO --EXTRACT_LOCAL_CLASSES = NO --EXTRACT_LOCAL_METHODS = NO --EXTRACT_ANON_NSPACES = NO --HIDE_UNDOC_MEMBERS = NO --HIDE_UNDOC_CLASSES = NO --HIDE_FRIEND_COMPOUNDS = NO --HIDE_IN_BODY_DOCS = YES --INTERNAL_DOCS = NO --CASE_SENSE_NAMES = YES --HIDE_SCOPE_NAMES = YES --SHOW_INCLUDE_FILES = NO --INLINE_INFO = YES --SORT_MEMBER_DOCS = NO --SORT_BRIEF_DOCS = NO --SORT_BY_SCOPE_NAME = NO --GENERATE_TODOLIST = YES --GENERATE_TESTLIST = YES --GENERATE_BUGLIST = YES --GENERATE_DEPRECATEDLIST= YES --ENABLED_SECTIONS = --MAX_INITIALIZER_LINES = 30 --SHOW_USED_FILES = NO --SHOW_DIRECTORIES = NO --FILE_VERSION_FILTER = --#--------------------------------------------------------------------------- --# configuration options related to warning and progress messages --#--------------------------------------------------------------------------- --QUIET = NO --WARNINGS = YES --WARN_IF_UNDOCUMENTED = YES --WARN_IF_DOC_ERROR = YES --WARN_NO_PARAMDOC = YES --WARN_FORMAT = "$file:$line: $text " --WARN_LOGFILE = --#--------------------------------------------------------------------------- --# configuration options related to the input files --#--------------------------------------------------------------------------- --INPUT = ../../Sources/include/CredentialsCache.h --INPUT_ENCODING = UTF-8 --FILE_PATTERNS = *.c \ -- *.cc \ -- *.cxx \ -- *.cpp \ -- *.c++ \ -- *.d \ -- *.java \ -- *.ii \ -- *.ixx \ -- *.ipp \ -- *.i++ \ -- *.inl \ -- *.h \ -- *.hh \ -- *.hxx \ -- *.hpp \ -- *.h++ \ -- *.idl \ -- *.odl \ -- *.cs \ -- *.php \ -- *.php3 \ -- *.inc \ -- *.m \ -- *.mm \ -- *.dox \ -- *.py \ -- *.C \ -- *.CC \ -- *.C++ \ -- *.II \ -- *.I++ \ -- *.H \ -- *.HH \ -- *.H++ \ -- *.CS \ -- *.PHP \ -- *.PHP3 \ -- *.M \ -- *.MM \ -- *.PY --RECURSIVE = YES --EXCLUDE = --EXCLUDE_SYMLINKS = NO --EXCLUDE_PATTERNS = --EXCLUDE_SYMBOLS = --EXAMPLE_PATH = --EXAMPLE_PATTERNS = * --EXAMPLE_RECURSIVE = NO --IMAGE_PATH = --INPUT_FILTER = --FILTER_PATTERNS = --FILTER_SOURCE_FILES = NO --#--------------------------------------------------------------------------- --# configuration options related to source browsing --#--------------------------------------------------------------------------- --SOURCE_BROWSER = NO --INLINE_SOURCES = NO --STRIP_CODE_COMMENTS = YES --REFERENCED_BY_RELATION = YES --REFERENCES_RELATION = YES --REFERENCES_LINK_SOURCE = YES --USE_HTAGS = NO --VERBATIM_HEADERS = NO --#--------------------------------------------------------------------------- --# configuration options related to the alphabetical class index --#--------------------------------------------------------------------------- --ALPHABETICAL_INDEX = NO --COLS_IN_ALPHA_INDEX = 5 --IGNORE_PREFIX = --#--------------------------------------------------------------------------- --# configuration options related to the HTML output --#--------------------------------------------------------------------------- --GENERATE_HTML = YES --HTML_OUTPUT = html --HTML_FILE_EXTENSION = .html --HTML_HEADER = --HTML_FOOTER = --HTML_STYLESHEET = --HTML_ALIGN_MEMBERS = NO --GENERATE_HTMLHELP = NO --HTML_DYNAMIC_SECTIONS = NO --CHM_FILE = --HHC_LOCATION = --GENERATE_CHI = NO --BINARY_TOC = NO --TOC_EXPAND = NO --DISABLE_INDEX = YES --ENUM_VALUES_PER_LINE = 4 --GENERATE_TREEVIEW = NO --TREEVIEW_WIDTH = 250 --#--------------------------------------------------------------------------- --# configuration options related to the LaTeX output --#--------------------------------------------------------------------------- --GENERATE_LATEX = NO --LATEX_OUTPUT = latex --LATEX_CMD_NAME = latex --MAKEINDEX_CMD_NAME = makeindex --COMPACT_LATEX = NO --PAPER_TYPE = letter --EXTRA_PACKAGES = --LATEX_HEADER = --PDF_HYPERLINKS = YES --USE_PDFLATEX = YES --LATEX_BATCHMODE = NO --LATEX_HIDE_INDICES = NO --#--------------------------------------------------------------------------- --# configuration options related to the RTF output --#--------------------------------------------------------------------------- --GENERATE_RTF = YES --RTF_OUTPUT = rtf --COMPACT_RTF = YES --RTF_HYPERLINKS = YES --RTF_STYLESHEET_FILE = --RTF_EXTENSIONS_FILE = --#--------------------------------------------------------------------------- --# configuration options related to the man page output --#--------------------------------------------------------------------------- --GENERATE_MAN = NO --MAN_OUTPUT = man --MAN_EXTENSION = .3 --MAN_LINKS = NO --#--------------------------------------------------------------------------- --# configuration options related to the XML output --#--------------------------------------------------------------------------- --GENERATE_XML = NO --XML_OUTPUT = xml --XML_SCHEMA = --XML_DTD = --XML_PROGRAMLISTING = YES --#--------------------------------------------------------------------------- --# configuration options for the AutoGen Definitions output --#--------------------------------------------------------------------------- --GENERATE_AUTOGEN_DEF = NO --#--------------------------------------------------------------------------- --# configuration options related to the Perl module output --#--------------------------------------------------------------------------- --GENERATE_PERLMOD = NO --PERLMOD_LATEX = NO --PERLMOD_PRETTY = YES --PERLMOD_MAKEVAR_PREFIX = --#--------------------------------------------------------------------------- --# Configuration options related to the preprocessor --#--------------------------------------------------------------------------- --ENABLE_PREPROCESSING = YES --MACRO_EXPANSION = NO --EXPAND_ONLY_PREDEF = NO --SEARCH_INCLUDES = NO --INCLUDE_PATH = --INCLUDE_FILE_PATTERNS = --PREDEFINED = --EXPAND_AS_DEFINED = --SKIP_FUNCTION_MACROS = YES --#--------------------------------------------------------------------------- --# Configuration::additions related to external references --#--------------------------------------------------------------------------- --TAGFILES = --GENERATE_TAGFILE = --ALLEXTERNALS = NO --EXTERNAL_GROUPS = NO --PERL_PATH = /usr/bin/perl --#--------------------------------------------------------------------------- --# Configuration options related to the dot tool --#--------------------------------------------------------------------------- --CLASS_DIAGRAMS = NO --MSCGEN_PATH = /Volumes/Ragna-Blade/Developer/Doxygen/Doxygen.app/Contents/Resources/ --HIDE_UNDOC_RELATIONS = YES --HAVE_DOT = NO --CLASS_GRAPH = YES --COLLABORATION_GRAPH = YES --GROUP_GRAPHS = YES --UML_LOOK = NO --TEMPLATE_RELATIONS = NO --INCLUDE_GRAPH = YES --INCLUDED_BY_GRAPH = YES --CALL_GRAPH = NO --CALLER_GRAPH = NO --GRAPHICAL_HIERARCHY = YES --DIRECTORY_GRAPH = YES --DOT_IMAGE_FORMAT = png --DOT_PATH = --DOTFILE_DIRS = --DOT_GRAPH_MAX_NODES = 50 --MAX_DOT_GRAPH_DEPTH = 1000 --DOT_TRANSPARENT = NO --DOT_MULTI_TARGETS = NO --GENERATE_LEGEND = YES --DOT_CLEANUP = YES --#--------------------------------------------------------------------------- --# Configuration::additions related to the search engine --#--------------------------------------------------------------------------- --SEARCHENGINE = NO -diff --git a/doc/ccapi/ccache-api-v2.html b/doc/ccapi/ccache-api-v2.html -deleted file mode 100755 -index b8d3f06e5..000000000 ---- a/doc/ccapi/ccache-api-v2.html -+++ /dev/null -@@ -1,1217 +0,0 @@ -- -- -- -- Credentials Cache API v2 Specification -- -- --

Credentials Cache API v2 Specification

--

This version of the API is deprecated.
--Please refer to CCAPI version 3 or later for the current API.

-- -- -- --

--

-- -- --

Abstract

-- --

This is the specification for an API which provides Credentials --Cache services for both --Kerberos V5 and V4. --The idea behind this API is that multiple Kerberos implementations --can share a single Credentials Cache, mediated by this API --specification. On the Microsoft Windows platform this will allow --single-signon, even when more than one Kerberos DLL is in use on a --particular system. Ideally, this problem could be solved by --standardizing the Kerberos V5 API library interface. However, the --Kerberos API is complicated enough that this would be hard to --accomplish. Standardizing the interface for credentials cache access --is much simpler. This API has also been adopted in the MIT Kerberos --for the Macintosh implementation. -- --

This specification has been revised to allow storage and --manipulation of both V4 and V5 tickets. A cache contains one or more --"Named Cache"s. It is assumed that V4 and V5 credentials would each --be stored in separate "Named Cache"s and not mixed in a single "Named --Cache". -- --

Below, "NC" refers to "Named Cache".
-- -- -- --

--

-- -- --

Revision History/Notes

-- --

Original version (Draft Version 1)

-- --

1/27/96 by --Theodore Ts'o -- --

Revision 2 (Draft Version 1)

-- --

970628 by Steve Rothwell --for the V4Cache Team (Paul Hill, Jenny Khuon, Jean Luker, Dave --Detlefs, Allan Bjorklund, & Steve Rothwell) -- --

-- --

Revision 3 (Draft Version 1)

-- --

970725 by Steve Rothwell after initial implementation and alpha --release. The term "credentials cache" was previously used to mean --both "the main cache" and individual "named cache"s within the main --cache. I have started using the term "NC" for "named cache" to make --the distinction clearer and to reduce the overloading of the word --"cache". -- --

Changes made for revision 3 of this API:
-- --
    --
  • Added cred version type to cc_create() & cc_open() -- --
  • New functions -- --
      --
    • cc_get_NC_info(), returns NC_info list for all NCs -- --
    • cc_free_NC_info(), frees NC_info list -- --
    • cc_get_cred_version(), returns version type of NC -- --
    • cc_get_name(), returns name of NC -- --
    • cc_free_name(), frees name aquired via cc_get_name() -- --
    • cc_seq_fetch_NCs(), iterate over all NCs --
    -- --
  • New return codes -- --
      --
    • CC_BAD_PARM -- --
    • CC_ERR_CACHE_ATTACH -- --
    • CC_ERR_CACHE_RELEASE -- --
    • CC_ERR_CACHE_FULL -- --
    • CC_ERR_CRED_VERSION --
    -- --
  • Modified functions -- --
      --
    • cc_create(), cc_open(), pass version type of NC -- --
    • cc_store(), cc_remove(), cc_ --
    -- --
  • New & Modified typedefs & data structures -- --
      --
    • cc_cred_vers { CC_CRED_VUNKNOWN, CC_CRED_V4, CC_CRED_V5 } -- --
    • cred_ptr_union : contains pointer to credentials (either V4 -- or V5) -- --
    • cred_union : contains version type and cred_ptr_union -- --
    • modified V4Cred_type -- --
    • enum StringToKey_Type { STK_AFS or STK_DES } -- --
    • copies of the maximum V4 string size indicators -- KRB_PRINCIPAL_SZ, KRB_SERVICE_SZ, KRB_INSTANCE_SZ, -- KRB_REALM_SZ, ADDR_SZ --
    --
-- --

Revision 4 (Draft Version 1)

-- --

970908 by Steve Rothwell to incorporate changes initiated by Ted --Tso. Further changes are expected in the comments for cc_create() and --cc_get_change_time(). -- --

Revision 4a (Final Version 1)

-- --

980603 by Scott McGuire to --correct typographical errors, HTML errors, and minor clarifications. --Final API Version 1 spec. -- --

Revision 5 (Draft Version 2)

-- --

990201 by Scott McGuire. -- --

    --
  • Increased API version number to 2. -- --
  • Added enum's defining version numbers. -- --
  • Changes to cc_initialize() to specify how to deal with -- different API version numbers. -- --
  • Added description of cc_int32 and cc_uint32 types. -- --
  • Change some cc_int32's to cc_uint32's. -- --
  • Changed way cc_create() will behave when called on an existing -- cache. -- --
  • Replaced cc_seq_fetch_NCs() with cc_seq_fetch_NCs_begin(), -- cc_seq_fetch_NCs_next(), and cc_seq_fetch_NCs_end(); -- --
  • Replaced cc_seq_fetch_creds() with cc_seq_fetch_creds_begin(), -- cc_seq_fetch_creds_next(), and cc_seq_fetch_creds_end(); -- --
  • Replaced enum type references in structs and function -- paramenters with cc_int32 references; -- --
  • Replaced int type references in function parameters with -- cc_int32; -- --
  • Added return type of cc_int32 to all functions; -- --
  • Removed #ifdef from cred_union structure; -- --
  • Constant definitions and changes to V4Cred_type structure; -- --
  • Removed incorrect const ccache_p * parameters from cc_store() -- and cc_remove_cred(); -- --
  • Added CC_NOERROR and CC_BAD_PARM as possible return codes from -- all functions (except no CC_BAD_PARM from cc_shutdown() ); -- --
  • Added CC_ERR_CRED_VERSION as possible return code from -- cc_open() and cc_create(); -- --
  • Moved infoNC structure definition up to be with rest of -- structure definitions; -- --
  • Changed "struct _infoNC" to "infoNC" in parameter type -- references. -- --
  • cc_free_principal() and cc_free_name() now take char ** -- instead of char * for final parameter. (This change was made -- between rev 4a and rev 5, but I'm re-emphasizing it here.) -- --
  • Added Implementation Notes section with requirement that all -- functions must be atomic and name requirements for Windows DLL's. -- --
  • Renamed "the proposed changes to this API are" section to -- "Ideas for Future Versions" -- but removed all items but one -- because they'd all been done. -- --
  • Removed most of the notes about differences with the Win NT/95 -- implementation of the API -- the differences have been reconciled. -- --
  • Removed unnecessary and inconsistent italicizing. --
-- --

Revsion 5a (Final Version 2)

-- --

990723 by Scott McGuire. -- --

    --
  • cc_create(): Removed text about "expected" form of name. -- Removed note about "the alpha version does not do this." -- --
  • cc_destroy(): Clarified that you do not need to call -- cc_close() on the cache_pointer after calling this function. -- --
  • Removed note about Windows cc_get_instance() and -- cc_set_instance() functions, they are no longer part of the -- Windows code! --
-- --

Ideas for Future Versions

-- --
    --
  • Define Get/Set functions for all components of _cc_creds? -- (This will allow future changes to the data structure to be -- transparent to the caller. This also makes backward compatibility -- much easier to maintain.) --
-- --


-- -- --

-- -- --

Type definitions

-- --
// enums for API versions used in cc_initialize()
--enum {
--   CC_API_VER_1 = 1,
--   CC_API_VER_2 = 2
--};
-- 
--
--// cc_int32 and cc_uint32 are not exactly defined in this API due
--// to a lack of standard 32-bit integer size between platforms
--// (although there is the C9X standard).
--// However, we will place the following constraints:
--//
--// cc_int32 is a signed integer that is at least 32 bits wide.
--// cc_uint32 is an unsigned integer that is at least 32 bits wide
-- 
--
--typedef cc_int32 cc_time_t;  //see notes below
--
--typedef cc_uint32 cc_nc_flags;
-- 
-- 
--
--typedef struct opaque_dll_control_block_type* apiCB;
--typedef struct opaque_ccache_pointer_type* ccache_p;
--typedef struct opaque_credential_iterator_type* ccache_cit;
-- 
--// These really are intended to be opaque. All implementations of the cache API must have
--// them but what they are is implementation specific. In the case of SGR's implementation,
--// the cc_ctx returned available after a call to cc_initialize, is a CCache_ctx class object. The 
--// code that normally calls the cc_initialize function is straight C, which means the calling
--// application doesn't have a chance in hell of manipulating this directly. The API is designed
--// so that it does not have to. It does have to pass the pointer to the class around, one reason 
--// being so that the destructor can eventually be called.
-- 
-- 
--
--typedef struct _cc_data {
--    cc_uint32            type;
--    cc_uint32            length;
--    unsigned char*      data;
--} cc_data;
-- 
--
--typedef struct _cc_creds {
--    char*       client; /* client's principal identifier */
--    char*       server; /* server's principal identifier */
--    cc_data     keyblock;       /* session encryption key info */
--    cc_time_t   authtime;
--    cc_time_t   starttime;
--    cc_time_t   endtime;
--    cc_time_t   renew_till;
--    cc_uint32    is_skey;        /* true if ticket is encrypted in
--                                   another ticket's skey */
--    cc_uint32    ticket_flags;   /* flags in ticket */
--    cc_data**   addresses;      /* addrs in ticket */
--    cc_data     ticket;         /* ticket string itself */
--    cc_data     second_ticket;  /* second ticket, if related to
--                                   ticket (via DUPLICATE-SKEY or
--                                   ENC-TKT-IN-SKEY) */
--    cc_data**   authdata;       /* authorization data */
--} cc_creds;
-- 
-- 
--// use an enumerated type so all callers infer the same meaning
--// these values are what krbv4win uses internally.
--
--enum StringToKey_Type { STK_AFS = 0, STK_DES = 1 };
-- 
--enum { MAX_V4_CRED_LEN = 1250 };
-- 
-- 
--// V4 Credentials
--
--enum {
--  KRB_NAME_SZ = 40,
--  KRB_INSTANCE_SZ = 40,
--  KRB_REALM_SZ = 40
--};
-- 
--typedef struct _V4credential {
--    unsigned char              kversion;
--    char                       principal[KRB_NAME_SZ+1];
--    char                       principal_instance[KRB_INSTANCE_SZ+1];
--    char                       service[KRB_NAME_SZ+1];
--    char                       service_instance[KRB_INSTANCE_SZ+1];
--    char                       realm[KRB_REALM_SZ+1];
--    unsigned char              session_key[8];
--    cc_int32                   kvno;                   // k95 used BYTE skvno
--    cc_int32                   str_to_key;             // k4 infers dynamically, k95 stores; of type enum StringToKey_Type
--    long                       issue_date;             // k95 called this issue_time
--    cc_int32                   lifetime;               // k95 used LONG expiration_time
--    cc_uint32                  address;                // IP Address of local host as an unsigned 32-bit integer
--    cc_int32                   ticket_sz;              // k95 used BYTE, k4 ktext uses int to hold up to 1250
--    unsigned char              ticket[MAX_V4_CRED_LEN];
--    unsigned long              oops;                   // zero to catch runaways
--} V4Cred_type;
-- 
--
--enum cc_cred_vers {  
--    CC_CRED_VUNKNOWN = 0,       // For validation
--    CC_CRED_V4 = 1,
--    CC_CRED_V5 = 2,
--    CC_CRED_VMAX = 3            // For validation
--};
-- 
--
--typedef union cred_ptr_union_type {
--    V4Cred_type* pV4Cred;
--    cc_creds*    pV5Cred;
--} cred_ptr_union;
-- 
--
--typedef struct cred_union_type {
--    cc_int32 cred_type;  // cc_cred_vers
--    cred_ptr_union cred;
--} cred_union;
-- 
--
--typedef struct _infoNC {
--        char*   name;
--        char*   principal;
--        cc_int32 vers;   // cc_cred_vers
--} infoNC;
-- --

The cc_data structure

-- --

The cc_data structure is used to store the following elements: -- --

    --
  • keyblock -- --
  • addresses -- --
  • ticket (and second_ticket) -- --
  • authorization data --
-- --

For cc_creds.ticket and cc_creds.second_ticket, the cc_data.type --field MUST be zero. For the cc_creds.addresses, cc_creds.authdata, --and cc_data.keyblock, the cc_data.type field should be the address --type, authorization data type, and encryption type, as defined by the --Kerberos V5 protocol definition. -- --

cc_time_t

-- --

The cc_time_t fields are used to represent time. The time must be --stored as the number of seconds since midnight GMT on January 1, --1970. -- --

Principal names

-- --

Principal names are stored as C strings in this API. The C strings --may contain UTF-8 encoded strings for internationalization --purposes.
-- -- --

-- -- --

Error Codes Definition

-- --

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
--

0  --

--

CC_NOERROR  --

--

"Successful return"  --

--

1  --

--

CC_BADNAME  --

--

"Bad credential cache name format"  --

--

2  --

--

CC_NOTFOUD  --

--

"Matching credential not found"  --

--

3  --

--

CC_END  --

--

"End of credential cache reached"  --

--

4  --

--

CC_IO  --

--

"Credentials cache I/O operation failed"  --

--

5  --

--

CC_WRITE  --

--

"Error writing to credentials cache file"  --

--

6  --

--

CC_NOMEM  --

--

"No memory"  --

--

7  --

--

CC_FORMAT  --

--

"Corrupted credentials cache"  --

--

8  --

--

CC_LOCKED  --

--

"The credentials cache or NC is locked"  --

--

9  --

--

CC_BAD_API_VERSION  --

--

"Unsupported API version"  --

--

10  --

--

CC_NO_EXIST  --

--

"Credentials cache or NC does not exist"  --

--

11  --

--

CC_NOT_SUPP  --

--

"Function not supported"  --

--

12  --

--

CC_BAD_PARM  --

--

"Bad Paramter Passed"  --

--

13  --

--

CC_ERR_CACHE_ATTACH  --

--

"Failed to attach cache"  --

--

14  --

--

CC_ERR_CACHE_RELEASE  --

--

"Failed to release cache"  --

--

15  --

--

CC_ERR_CACHE_FULL  --

--

"Cache FULL"  --

--

16  --

--

CC_ERR_CRED_VERSION  --

--

"Wrong Cred Version"  --

-- --

--

-- -- --

Implementation Notes

-- --

All functions are atomic

-- --

All Credentials Cache API functions must be atomic. -- --

Windows -- --

DLLs should be named KrbCC16.dll and KrbCC32.dll. -- --

--

-- -- --

Function definitions

-- --

-- --

Main Cache Functions

-- --

-- -- --

-- --

cc_initialize

-- --
cc_int32 cc_initialize(apiCB** cc_ctx, cc_int32 api_version, cc_int32* api_supported, char** vendor)
-- --

This function performs any initialization required by the --API. It must be called before any other function in the --API is called. The cc_ctx returned by this function must be --passed to all other API functions as the first argument. -- --

The application must pass in the maximum version number of the API --it supports in the api_version parameter. -- --

If api_supported non-NULL, then cc_initialize will store --the maximum API version number supported by the library implementing --the API there. -- --

If the version requested by api_version is not equal to the --version supported by the library, CC_BAD_API_VERSION will be returned --as the error code (along with the version the library does support in --api_supported) and cc_initialize should not allocate any --memory. -- --

If the vendor is non-NULL, then cc_initialize will store a --pointer to a read/only C string which contains a string describing --the vendor which implemented the credentials cache API. -- --

Possible error codes: CC_NOERROR, CC_NOMEM, CC_BAD_API_VERSION, --CC_BAD_PARM -- --


-- -- -- --

cc_shutdown

-- --
cc_int32 cc_shutdown(apiCB** cc_ctx)
-- --

This function performs any cleanup required by the API. --cc_ctx will be NULL on return. The application program must call --cc_initialize() again before making any credentials cache API --calls. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --


-- -- -- --

cc_get_change_time

-- --
cc_int32 cc_get_change_time(apiCB* cc_ctx, cc_time_t* time)
-- --

This function returns the time of the most recent change for the --entire cache. There is ONE timestamp maintained for the entire cache. --By maintaining a local copy the caller can deduce whether "something --changed" or not. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_NOMEM, --CC_BAD_PARM -- --


-- -- -- --

cc_get_NC_info

-- --
cc_int32 cc_get_NC_info(apiCB* cc_ctx, infoNC*** ppNCi)
-- --

cc_get_NC_info() is a wrapper for cc_seq_fetch_NCs(), --cc_get_name() cc_get_cred_version(), and cc_get_principal(). It --returns all the information needed to uniquely identify each NC in --the cache (name and cred_version) and the associated principal. --Specifically it returns a null terminated list of pointers to infoNC --structs. Each infoNC struct contain a pointer to the NC's name, a --pointer to the the principal associated with the NC, and the version --number (as an enumerated type) of the credentials stored in this NC. -- --

The ppNCi (the entire data structure) aquired by this routine --should be freed with cc_free_NC_info(). -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_NOMEM, --CC_BAD_PARM -- --


-- -- -- --

cc_open

-- --
cc_int32 cc_open(apiCB* cc_ctx, const char* name, cc_int32 cred_vers, cc_uint32 cc_flags,
--                 ccache_p** ccache_pointer)
-- --

Opens an already exising NC identified by both name, and --cred_vers. It fills in the parameter **ccache_pointer with a --pointer to the NC. -- --

The list of cache names, principals, and credentials versions may --be retrieved via cc_seq_fetch_NCs(), cc_get_name(), --cc_get_cred_version(), & cc_get_principal() OR via --cc_get_NC_info(). -- --

Possible error codes: CC_NOERROR, CC_BADNAME, CC_NO_EXIST, --CC_NOMEM, CC_ERR_CRED_VERSION, CC_BAD_PARM -- --


-- -- -- --

cc_create

-- --
cc_int32 cc_create(apiCB* cc_ctx, const char* name, const char* principal,
--                cc_int32 cred_vers, cc_uint32 cc_flags, ccache_p** ccache_pointer)
-- --

Create a new NC. The NC is uniquely identified by the combination --of it's name and the "cc_creds_vers" (i.e. which credentials version --it holds). The principal given is also associated with the NC. A NULL --name is not allowed (and CC_BADNAME should be returned if one --is passed in). If name is non-null and there is already a NC --named name, all credentials in the cache are removed, and --handle for the existing cache is returned. If there is already a NC --named name, all existing handles for this cache remain valid. The NC --is created with a primary principal specified by principal. -- --

(Removed text about the "expected" form of the NC name.) -- --

An NC is intended to hold credentials for a single principal in a --single realm, and for a single credentials version (i.e. V4 or V5). --The cache can contain credentials for other credential versions, --other realms, and even other principals, but each in a separate NC. --This rule will allow callers that can only handle a single principal --in a single realm to continue to work by dealing with only one NC. --Callers that can deal with multiple principals, multiple realms, --and/or multiple credentials versions can do so by dealing with --multiple NCs. By doing it this way, the callers that are able to --handle multiple principals, realms, and/or versions can do so without --interfering with "differently abled" code. -- --

The list of cache names, principals, & cred_versions may be --retrieved via cc_get_NC_info(). -- --

Possible error codes: CC_NOERROR, CC_BADNAME, CC_BAD_PARM, --CC_NO_EXIST, CC_NOMEM, CC_ERR_CRED_VERSION -- --


-- -- -- --

cc_close

-- --
cc_int32 cc_close(apiCB* cc_ctx, ccache_p** ccache_pointer)
-- --

Close the NC. The ccache_pointer related memory is --deallocated, and ccache_pointer is set to NULL before being returned --to caller. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --


-- -- -- --

cc_destroy

-- --
cc_int32 cc_destroy(apiCB* cc_ctx, ccache_p** ccache_pointer)
-- --

Destroy the NC pointed to by ccache_pointer. The --ccache_pointer related memory is deallocated, and --ccache_pointer is set to NULL before being returned to caller. The --caller does not need to call cc_close() on the cache_pointer --afterwards. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --


-- -- -- --

-- --

cc_seq_fetch_NCs_begin

-- --
cc_int32 cc_seq_fetch_NCs_begin(apiCB* cc_ctx, ccache_cit** itNCs)
-- --

Used to allocate memory and initialize the iterator *itNCs. Use --cc_seq_fetch_NCs_end() to deallocate the memory used by *itNCs. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM, --CC_NOMEM -- --

-- --

cc_seq_fetch_NCs_next

-- --
cc_int32 cc_seq_fetch_NCs_next(apiCB* cc_ctx, ccache_p** ccache_pointer, ccache_cit* itNCs)
-- --

Used to sequentially open every NC in the cache. -- --

Ccache_pointer must be a pointer to a ccache_p*. The --ccache_pointer returned may be used to get information about the NC --by calling cc_get_name(), cc_get_cred_version(), and --cc_get_principal(). Ccache_pointer's returned must be freed via --cc_close() between calls to cc_seq_fetch_NCs_next(). -- --

itNCs must be a pointer to a ccache_cit* variable provided by the --calling application and which is used by cc_seq_fetch_NCs_next() to --determine the next NC to return. It must have been initialized by --cc_seq_fetch_NCs_begin(). -- --

If changes are made to the credentials cache while it iterator is --being used, it must return at least the intersection, and at most the --union, of the set of NC's that were in the cache when the iteration --began and the set of NC's that are in the cache when it ends. -- --

When the last NC in the sequence is returned, the return code from --cc_seq_fetch_NCs_next() will be CC_END. -- --

Possible error codes: CC_NOERROR, CC_END, CC_NO_EXIST. --CC_BAD_PARM, CC_NOMEM -- --

 

-- --

-- --

cc_seq_fetch_NCs_end

-- --
cc_int32 cc_seq_fetch_NCs_end(apiCB* cc_ctx, ccache_cit** itNCs)
-- --

Deallocates the memory used by *itNCs, and sets *itNCs to NULL. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --

  -- --

-- --

NC Functions

-- --

-- -- --

cc_get_name

-- --
cc_int32 cc_get_name(apiCB* cc_ctx, const ccache_p* ccache_pointer, char** name)
-- --

cc_get_name() returns the name of the NC indicated by --ccache_pointer. The name can be used in cc_open() or cc_create(). The --combination of the name and the credentials version uniqeuly identify --an NC. The returned name should be freed via cc_free_name(). -- --

Possible error codes: CC_NOERROR, CC_NOMEM, CC_NO_EXIST, --CC_BAD_PARM -- --


-- -- -- --

cc_get_cred_version

-- --
cc_int32 cc_get_cred_version(apiCB* cc_ctx, const ccache_p* ccache_pointer, cc_int32* cred_vers)
-- --

cc_get_cred_version() returns one of the enumerated type --cc_cred_vers in cred_vers. The expected values are CC_CRED_V4, or --CC_CRED_V5. The combination of the name and the credentials version --uniquely identify an NC. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --


-- -- -- --

cc_set_principal

-- --
cc_int32 cc_set_principal(apiCB* cc_ctx, const ccache_p* ccache_pointer, const cc_int32 cred_vers,
--                          const char* principal)
-- --

Set the primary principal for the NC indicated by ccache_pointer. --This is the complement to cc_get_principal(). -- --

cred_vers is used as a double check. -- --

principal points to a null terminated string that will be copied --into the NC. This new principal will be returned if you call --cc_get_principal() for this NC. -- --

Possible error codes: CC_NOERROR, CC_NOMEM, CC_NO_EXIST, --CC_ERR_CRED_VERSION, CC_BAD_PARM
-- --  -- --


-- -- -- --

cc_get_principal

-- --
cc_int32 cc_get_principal(apiCB* cc_ctx, const ccache_p* ccache_pointer, char** principal)
-- --

Return the primary principal for the NC that was set via --cc_create() or cc_set_principal(). The returned principal should be --freed via cc_free_principal() . -- --

Possible error codes: CC_NOERROR, CC_NOMEM, CC_NO_EXIST, --CC_BAD_PARM
-- -- -- --


-- -- -- --

cc_store

-- --
cc_int32 cc_store(apiCB* cc_ctx, ccache_p* ccache_pointer, const cred_union cred)
-- --

Store (make a copy of) cred in the NC indicated by --ccache_pointer. -- --

A cred_union contains a cred_type indicator and a cred_ptr_union. --A cred_ptr_union can contain either a V4Cred_type pointer or a --cc_creds (V5 creds) pointer. Cred_type indicates which type of --pointer is in the cred_ptr_union. This also allows the API to --enforce the credentials version declared in cc_create() or cc_open(). -- -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_ERR_CACHE_FULL, --CC_ERR_CRED_VERSION, CC_BAD_PARM -- --


-- -- -- --

cc_remove_cred

-- --
cc_int32 cc_remove_cred(apiCB* cc_ctx, ccache_p* ccache_pointer, const cred_union cred)
-- --

Removes the credential cred from ccache_pointer. The --credentials in the NC indicated by ccache_pointer are searched to --find a matching credential. If found, that credential is removed from --the NC. The cred parameter is not modified and should be freed via --cc_free_creds(). It is legitimate to call this function during a --sequential fetch, and the deletion of a credential already returned --by cc_seq_fetch_creds() should not disturb sequence of credentials --returned by cc_seq_fetch_creds(). -- --

Use of cred_union is the same as is explained in cc_store(). -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_NOTFOUND, --CC_ERR_CRED_VERSION, CC_BAD_PARM -- --


-- -- -- --

cc_seq_fetch_creds_begin

-- --
cc_int32 cc_seq_fetch_creds_begin(apiCB* cc_ctx, const ccache_p* ccache_pointer, ccache_cit** itCreds)
-- --

Allocates memory for and initializes *itCreds. This memory must be --deallocated using cc_seq_fetch_creds_end(). -- --

Ccache_pointer must be a valid pointer to the NC containing the --creds to be returned by the iterator. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM, --CC_NOMEM -- --

  -- --

-- --

cc_seq_fetch_creds_next

-- --
cc_int32 cc_seq_fetch_creds_next(apiCB* cc_ctx, cred_union** cred, ccache_cit* itCreds)
-- --

cc_seq_fetch_creds_next() is used to sequentially read every set --of credentials in an NC. The NC has been indicated in the call to --cc_seq_fetch_creds_begin(). -- --

itCreds must be a pointer to a ccache_cit* variable provided by --the calling application and which is used by --cc_seq_fetch_creds_next() to determine the next cached credential to --return. The ccache_cit* variable must be initialized by calling --cc_seq_fetch_creds_begin(). -- --

The credentials are filled into the cred_union pointed to by --creds. Note that the cred_union contains elements which are --dynamically allocated, so must be freed using cc_free_creds() between --calls to cc_seq_fetch_creds_next(). -- --

If changes are made to the NC while it iterator is being used, it --must return at least the intersection, and at most the union, of the --set of credentials that were in the NC when the iteration began and --the set of credentials that are in the NC when it ends. -- --

When the last credential in the sequence is returned, the return --code from cc_seq_fetch_creds_next() will be CC_END. -- --

Possible error codes: CC_NOERROR, CC_END, CC_NO_EXIST, --CC_BAD_PARM, CC_NOMEM -- --

  -- --

-- --

cc_seq_fetch_creds_end

-- --
cc_int32 cc_seq_fetch_creds_end(apiCB* cc_ctx, ccache_cit** itCreds)
-- --

Deallocates memory used by *itCreds and sets *itCreds to NULL. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --


-- -- -- --

cc_lock_request

-- --
cc_int32 cc_lock_request(apiCB* cc_ctx, const ccache_p* ccache_pointer, cc_int32 lock_type)
-- --
--
99/02/11 - smcguire -- --
As of this date there is no locking in the Win NT/95 -- or Machintosh implementations. The description below may not be -- completely accurate as to how this function should be -- implemented. --
-- --

This function is currently NOT IMPLEMENTED. All functions attach --to the cache, take action, and detach from the cache before returning --to the caller. -- --

This function will lock or unlock the NC based on the argument --value of lock_type: -- --

        CC_LOCK_UNLOCK  1       Unlock the NC
--        CC_LOCK_READER  2       Lock the NC for reading
--        CC_LOCK_WRITER  3       Lock the NC for writing
-- 
--        CC_LOCK_NOBLOCK 16      Don't block, but return an error code if
--                                the request cannot be satisfied.
-- 
-- --

Locking is done on a per-thread basis. At most one thread may have --the credentials locked for writing; if so, there must not be any --threads that have the credentials locked for reading. -- --

Multiple threads may have the cache locked for reading, as long as --there is not a writer lock asserted on the cache. -- --

If a thread has a cache locked for reading, that lock may be --upgraded to a writer lock by calling cc_lock_request() with a --lock_type of CC_LOCK_WRITER. If a thread has the cache locked for --reading or writing, a request to cc_lock_request() for a reader or --writer lock, respectively, is a no-op. If a thread does not have the --cache locked, and calls cc_lock_request() with a lock_type of --CC_LOCK_UNLOCK, this is also a no-op. -- --

A request for CC_LOCK_READER and CC_LOCK_WRITER may be made --non-blocking by logical or'ing the value CC_LOCK_NOBLOCK. In that --case, if it is not possible to satisfy the lock request, the error --CC_LOCKED will be returned. -- --

  -- --

-- --

Liberation Functions

-- --

-- -- --

cc_free_principal

-- --
cc_int32 cc_free_principal(apiCB* cc_ctx, char** principal)
-- --

This function frees the principal returned by --cc_get_principal() and sets *principal to NULL. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --


-- -- -- --

cc_free_name

-- --
cc_int32 cc_free_name(apiCB* cc_ctx, char** name)
-- --

This function frees the name returned by cc_get_name() and --sets *name to NULL. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --


-- -- -- --

cc_free_creds

-- --
cc_int32 cc_free_creds(apiCB* cc_ctx, cred_union** creds)
-- --

This function frees all storage associated with creds returned by --cc_seq_fetch_creds() and sets the creds pointer to NULL. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- --


-- -- -- --

cc_free_NC_info

-- --
cc_int32 cc_free_NC_info(apiCB* cc_ctx, infoNC*** ppNCi)
-- --

This routine frees all storage aquired by cc_get_NC_info() and --sets ppNCi to NULL. -- --

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM -- -- -- -- -- -diff --git a/doc/ccapi/html/doxygen.css b/doc/ccapi/html/doxygen.css -deleted file mode 100644 -index 05615b2e6..000000000 ---- a/doc/ccapi/html/doxygen.css -+++ /dev/null -@@ -1,310 +0,0 @@ --BODY,H1,H2,H3,H4,H5,H6,P,CENTER,TD,TH,UL,DL,DIV { -- font-family: Geneva, Arial, Helvetica, sans-serif; --} --BODY,TD { -- font-size: 90%; --} --H1 { -- text-align: center; -- font-size: 160%; --} --H2 { -- font-size: 120%; --} --H3 { -- font-size: 100%; --} --CAPTION { font-weight: bold } --DIV.qindex { -- width: 100%; -- background-color: #e8eef2; -- border: 1px solid #84b0c7; -- text-align: center; -- margin: 2px; -- padding: 2px; -- line-height: 140%; --} --DIV.nav { -- width: 100%; -- background-color: #e8eef2; -- border: 1px solid #84b0c7; -- text-align: center; -- margin: 2px; -- padding: 2px; -- line-height: 140%; --} --DIV.navtab { -- background-color: #e8eef2; -- border: 1px solid #84b0c7; -- text-align: center; -- margin: 2px; -- margin-right: 15px; -- padding: 2px; --} --TD.navtab { -- font-size: 70%; --} --A.qindex { -- text-decoration: none; -- font-weight: bold; -- color: #1A419D; --} --A.qindex:visited { -- text-decoration: none; -- font-weight: bold; -- color: #1A419D --} --A.qindex:hover { -- text-decoration: none; -- background-color: #ddddff; --} --A.qindexHL { -- text-decoration: none; -- font-weight: bold; -- background-color: #6666cc; -- color: #ffffff; -- border: 1px double #9295C2; --} --A.qindexHL:hover { -- text-decoration: none; -- background-color: #6666cc; -- color: #ffffff; --} --A.qindexHL:visited { text-decoration: none; background-color: #6666cc; color: #ffffff } --A.el { text-decoration: none; font-weight: bold } --A.elRef { font-weight: bold } --A.code:link { text-decoration: none; font-weight: normal; color: #0000FF} --A.code:visited { text-decoration: none; font-weight: normal; color: #0000FF} --A.codeRef:link { font-weight: normal; color: #0000FF} --A.codeRef:visited { font-weight: normal; color: #0000FF} --A:hover { text-decoration: none; background-color: #f2f2ff } --DL.el { margin-left: -1cm } --.fragment { -- font-family: Fixed, monospace; -- font-size: 95%; --} --PRE.fragment { -- border: 1px solid #CCCCCC; -- background-color: #f5f5f5; -- margin-top: 4px; -- margin-bottom: 4px; -- margin-left: 2px; -- margin-right: 8px; -- padding-left: 6px; -- padding-right: 6px; -- padding-top: 4px; -- padding-bottom: 4px; --} --DIV.ah { background-color: black; font-weight: bold; color: #ffffff; margin-bottom: 3px; margin-top: 3px } --TD.md { background-color: #F4F4FB; font-weight: bold; } --TD.mdPrefix { -- background-color: #F4F4FB; -- color: #606060; -- font-size: 80%; --} --TD.mdname1 { background-color: #F4F4FB; font-weight: bold; color: #602020; } --TD.mdname { background-color: #F4F4FB; font-weight: bold; color: #602020; width: 600px; } --DIV.groupHeader { -- margin-left: 16px; -- margin-top: 12px; -- margin-bottom: 6px; -- font-weight: bold; --} --DIV.groupText { margin-left: 16px; font-style: italic; font-size: 90% } --BODY { -- background: white; -- color: black; -- margin-right: 20px; -- margin-left: 20px; --} --TD.indexkey { -- background-color: #e8eef2; -- font-weight: bold; -- padding-right : 10px; -- padding-top : 2px; -- padding-left : 10px; -- padding-bottom : 2px; -- margin-left : 0px; -- margin-right : 0px; -- margin-top : 2px; -- margin-bottom : 2px; -- border: 1px solid #CCCCCC; --} --TD.indexvalue { -- background-color: #e8eef2; -- font-style: italic; -- padding-right : 10px; -- padding-top : 2px; -- padding-left : 10px; -- padding-bottom : 2px; -- margin-left : 0px; -- margin-right : 0px; -- margin-top : 2px; -- margin-bottom : 2px; -- border: 1px solid #CCCCCC; --} --TR.memlist { -- background-color: #f0f0f0; --} --P.formulaDsp { text-align: center; } --IMG.formulaDsp { } --IMG.formulaInl { vertical-align: middle; } --SPAN.keyword { color: #008000 } --SPAN.keywordtype { color: #604020 } --SPAN.keywordflow { color: #e08000 } --SPAN.comment { color: #800000 } --SPAN.preprocessor { color: #806020 } --SPAN.stringliteral { color: #002080 } --SPAN.charliteral { color: #008080 } --.mdTable { -- border: 1px solid #868686; -- background-color: #F4F4FB; --} --.mdRow { -- padding: 8px 10px; --} --.mdescLeft { -- padding: 0px 8px 4px 8px; -- font-size: 80%; -- font-style: italic; -- background-color: #FAFAFA; -- border-top: 1px none #E0E0E0; -- border-right: 1px none #E0E0E0; -- border-bottom: 1px none #E0E0E0; -- border-left: 1px none #E0E0E0; -- margin: 0px; --} --.mdescRight { -- padding: 0px 8px 4px 8px; -- font-size: 80%; -- font-style: italic; -- background-color: #FAFAFA; -- border-top: 1px none #E0E0E0; -- border-right: 1px none #E0E0E0; -- border-bottom: 1px none #E0E0E0; -- border-left: 1px none #E0E0E0; -- margin: 0px; --} --.memItemLeft { -- padding: 1px 0px 0px 8px; -- margin: 4px; -- border-top-width: 1px; -- border-right-width: 1px; -- border-bottom-width: 1px; -- border-left-width: 1px; -- border-top-color: #E0E0E0; -- border-right-color: #E0E0E0; -- border-bottom-color: #E0E0E0; -- border-left-color: #E0E0E0; -- border-top-style: solid; -- border-right-style: none; -- border-bottom-style: none; -- border-left-style: none; -- background-color: #FAFAFA; -- font-size: 80%; --} --.memItemRight { -- padding: 1px 8px 0px 8px; -- margin: 4px; -- border-top-width: 1px; -- border-right-width: 1px; -- border-bottom-width: 1px; -- border-left-width: 1px; -- border-top-color: #E0E0E0; -- border-right-color: #E0E0E0; -- border-bottom-color: #E0E0E0; -- border-left-color: #E0E0E0; -- border-top-style: solid; -- border-right-style: none; -- border-bottom-style: none; -- border-left-style: none; -- background-color: #FAFAFA; -- font-size: 80%; --} --.memTemplItemLeft { -- padding: 1px 0px 0px 8px; -- margin: 4px; -- border-top-width: 1px; -- border-right-width: 1px; -- border-bottom-width: 1px; -- border-left-width: 1px; -- border-top-color: #E0E0E0; -- border-right-color: #E0E0E0; -- border-bottom-color: #E0E0E0; -- border-left-color: #E0E0E0; -- border-top-style: none; -- border-right-style: none; -- border-bottom-style: none; -- border-left-style: none; -- background-color: #FAFAFA; -- font-size: 80%; --} --.memTemplItemRight { -- padding: 1px 8px 0px 8px; -- margin: 4px; -- border-top-width: 1px; -- border-right-width: 1px; -- border-bottom-width: 1px; -- border-left-width: 1px; -- border-top-color: #E0E0E0; -- border-right-color: #E0E0E0; -- border-bottom-color: #E0E0E0; -- border-left-color: #E0E0E0; -- border-top-style: none; -- border-right-style: none; -- border-bottom-style: none; -- border-left-style: none; -- background-color: #FAFAFA; -- font-size: 80%; --} --.memTemplParams { -- padding: 1px 0px 0px 8px; -- margin: 4px; -- border-top-width: 1px; -- border-right-width: 1px; -- border-bottom-width: 1px; -- border-left-width: 1px; -- border-top-color: #E0E0E0; -- border-right-color: #E0E0E0; -- border-bottom-color: #E0E0E0; -- border-left-color: #E0E0E0; -- border-top-style: solid; -- border-right-style: none; -- border-bottom-style: none; -- border-left-style: none; -- color: #606060; -- background-color: #FAFAFA; -- font-size: 80%; --} --.search { color: #003399; -- font-weight: bold; --} --FORM.search { -- margin-bottom: 0px; -- margin-top: 0px; --} --INPUT.search { font-size: 75%; -- color: #000080; -- font-weight: normal; -- background-color: #e8eef2; --} --TD.tiny { font-size: 75%; --} --a { -- color: #1A41A8; --} --a:visited { -- color: #2A3798; --} --.dirtab { padding: 4px; -- border-collapse: collapse; -- border: 1px solid #84b0c7; --} --TH.dirtab { background: #e8eef2; -- font-weight: bold; --} --HR { height: 1px; -- border: none; -- border-top: 1px solid black; --} -- -diff --git a/doc/ccapi/html/doxygen.png b/doc/ccapi/html/doxygen.png -deleted file mode 100644 -index f0a274bbaffdd67f6d784c894d9cf28729db0e14..0000000000000000000000000000000000000000 -GIT binary patch -literal 0 -HcmV?d00001 - -literal 1281 -zcmaJ>ZA?>F7(Vx-ms?uoS`b@hdRtpo6o^%HU>M$hfGrBvQnk$LE?p^P!kn&ikhyq! -zX~V@&tPF5Qt@V?oTL96Bi%aRiwbe1)9DWQI#?)=HxS7QSw`J`5fAJ*eJbB;uNuKA& -zdERDo*{Y<(If(#(B$Lr#;nB(8Y#ia=ZCeW?JfPLuQY`=@cW$k}Rivq|vbxGrRq1Tl9;+(gNt?}UtVKM2`T5t1jLzuL@0UIs`S#vlhl4)^ -zLgSYrPj@$+`|j?eSbXTmiHGkWxV8V}BzNR?pl9k_s4pDu9vd5a_UzZEPk)}Ad{AV_ -zzddrjrh4=Imr`E06;LY{)YYt?o}L~H@7C}F^WB!Ra=v`Q0bj{>5&$66CWF>mf6vjP -z2N>RRY6ZYa=K`76>+|_)Xdwko+7wv}7cN|btOhWb(*{sta~6b?S8Omrxw}!4`NhGr -zZVpNqpu1@BE`QGWNTpEpcJVW5izu~2B^GlM?1(OPg)zwW;QcP@Ltcclm>XbJL9C|j -z=9!2?ua=uIlf0%AndzHsRC}IyTL$EhAee(fdKB`?27KeS^2M8M_7b~PiCFO&r5LC7 -z7gl1*a<8;SjNaw#h=843_AV9iZbWQOAp5YOC^&_F*9K0> -zB|6%IDb?aM#3viTxkLU4aXg&@+CkNTOnQ1iMP*^?b|^lJy$4C)Zk4isV!|RZ*XhXh -zw8q3$=*0LeGC!XI_Wc?dkT~3+*Gu%%yIqP+Wr3H$=&ROMQU6q}Ag^P~>c5vAEO;a- -z_dK-3PPeKar%)6$j~vI2#*-YH!1h6HYVtwCX5_wM`iF#UKz&&@9Oo5w3%XGYrX -zW>dY~)SG-((Yim%`InwgTvyRC?e=Wh^8KCao!R6Eg&TpVWUY1sN~4G}V?nFnEGo-; -zHZ_$eW9-GnC%^WS9b -z@p;-$oH#MtC0v>Q$HX%4^JdFdO$0cbv-W)Q -TtK}Eh@>>I#ipmV1>S*>q-hkC} - -diff --git a/doc/ccapi/html/group__cc__ccache__iterator__reference.html b/doc/ccapi/html/group__cc__ccache__iterator__reference.html -deleted file mode 100644 -index 2c8bfe27b..000000000 ---- a/doc/ccapi/html/group__cc__ccache__iterator__reference.html -+++ /dev/null -@@ -1,96 +0,0 @@ -- -- --Credentials Cache API : cc_ccache_iterator_t Overview -- -- -- -- --

cc_ccache_iterator_t Overview

Detailed Description

--The cc_ccache_iterator_t type represents an iterator that iterates over a set of ccaches and returns them in all in some order. A new instance of this type can be obtained by calling cc_context_new_ccache_iterator().

--For API function documentation see cc_ccache_iterator_f. --

--

Data Structures

-- --

Typedefs

-- --

Typedef Documentation

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_ccache_iterator_f cc_ccache_iterator_f
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_ccache_iterator_d cc_ccache_iterator_d
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef cc_ccache_iterator_d* cc_ccache_iterator_t
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/group__cc__ccache__reference.html b/doc/ccapi/html/group__cc__ccache__reference.html -deleted file mode 100644 -index ce47b73c6..000000000 ---- a/doc/ccapi/html/group__cc__ccache__reference.html -+++ /dev/null -@@ -1,96 +0,0 @@ -- -- --Credentials Cache API : cc_ccache_t Overview -- -- -- -- --

cc_ccache_t Overview

Detailed Description

--The cc_ccache_t type represents a reference to a ccache. Callers can access a ccache and the credentials stored in it via a cc_ccache_t. A cc_ccache_t can be acquired via cc_context_open_ccache(), cc_context_open_default_ccache(), or cc_ccache_iterator_next().

--For API function documentation see cc_ccache_f. --

--

Data Structures

-- --

Typedefs

-- --

Typedef Documentation

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_ccache_f cc_ccache_f
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_ccache_d cc_ccache_d
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef cc_ccache_d* cc_ccache_t
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/group__cc__context__reference.html b/doc/ccapi/html/group__cc__context__reference.html -deleted file mode 100644 -index cd7e6be3d..000000000 ---- a/doc/ccapi/html/group__cc__context__reference.html -+++ /dev/null -@@ -1,161 +0,0 @@ -- -- --Credentials Cache API : cc_context_t Overview -- -- -- -- --

cc_context_t Overview

Detailed Description

--The cc_context_t type gives the caller access to a ccache collection. Before being able to call any functions in the CCache API, the caller needs to acquire an instance of cc_context_t by calling cc_initialize().

--For API function documentation see cc_context_f. --

--

Data Structures

-- --

Typedefs

-- --

Functions

-- --

Typedef Documentation

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_context_f cc_context_f
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_context_d cc_context_d
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef cc_context_d* cc_context_t
--
-- -- -- -- -- --
--   -- -- --

--

--

Function Documentation

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
CCACHE_API cc_int32 cc_initialize cc_context_t out_context,
cc_int32  in_version,
cc_int32 out_supported_version,
char const **  out_vendor
--
-- -- -- -- -- --
--   -- -- --

--Initialize a new cc_context. --

--

Parameters:
-- -- -- -- -- --
out_context on exit, a new context object. Must be free with cc_context_release().
in_version the requested API version. This should be the maximum version the application supports.
out_supported_version if non-NULL, on exit contains the maximum API version supported by the implementation.
out_vendor if non-NULL, on exit contains a pointer to a read-only C string which contains a string describing the vendor which implemented the credentials cache API.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure. May return CCAPI v2 error CC_BAD_API_VERSION if ccapi_version_2 is passed in.
--
--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/group__cc__credentials__iterator__reference.html b/doc/ccapi/html/group__cc__credentials__iterator__reference.html -deleted file mode 100644 -index 41ba42f86..000000000 ---- a/doc/ccapi/html/group__cc__credentials__iterator__reference.html -+++ /dev/null -@@ -1,133 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_iterator_t -- -- -- -- --

cc_credentials_iterator_t

Detailed Description

--The cc_credentials_iterator_t type represents an iterator that iterates over a set of credentials. A new instance of this type can be obtained by calling cc_ccache_new_credentials_iterator().

--For API function documentation see cc_credentials_iterator_f. --

--

Data Structures

-- --

Typedefs

-- --

Variables

-- --

Typedef Documentation

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_credentials_iterator_f cc_credentials_iterator_f
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_credentials_iterator_d cc_credentials_iterator_d
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef cc_credentials_iterator_d* cc_credentials_iterator_t
--
-- -- -- -- -- --
--   -- -- --

--

--

Variable Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* clone)(cc_credentials_iterator_t in_credentials_iterator, cc_credentials_iterator_t *out_credentials_iterator) [inherited]
--
-- -- -- -- -- --
--   -- -- --

--cc_credentials_iterator_clone(): Make a copy of a credentials iterator. --

--

Parameters:
-- -- -- --
in_credentials_iterator a credentials iterator object.
out_credentials_iterator on exit, a copy of in_credentials_iterator.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/group__cc__credentials__reference.html b/doc/ccapi/html/group__cc__credentials__reference.html -deleted file mode 100644 -index d083e6c07..000000000 ---- a/doc/ccapi/html/group__cc__credentials__reference.html -+++ /dev/null -@@ -1,197 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_t Overview -- -- -- -- --

cc_credentials_t Overview

Detailed Description

--The cc_credentials_t type is used to store a single set of credentials for either Kerberos v4 or Kerberos v5. In addition to its only function, release(), it contains a pointer to a cc_credentials_union structure. A cc_credentials_union structure contains an integer of the enumerator type cc_credentials_version, which is either cc_credentials_v4 or cc_credentials_v5, and a pointer union, which contains either a cc_credentials_v4_t pointer or a cc_credentials_v5_t pointer, depending on the value in version.

--Variables of the type cc_credentials_t are allocated by the CCAPI implementation, and should be released with their release() function. API functions which receive credentials structures from the caller always accept cc_credentials_union, which is allocated by the caller, and accordingly disposed by the caller.

--For API functions see cc_credentials_f. --

--

Data Structures

-- --

Typedefs

-- --

Typedef Documentation

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_credentials_v4_t cc_credentials_v4_t
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_data cc_data
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_credentials_v5_t cc_credentials_v5_t
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_credentials_union cc_credentials_union
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_credentials_f cc_credentials_f
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_credentials_d cc_credentials_d
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef cc_credentials_d* cc_credentials_t
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/group__cc__string__reference.html b/doc/ccapi/html/group__cc__string__reference.html -deleted file mode 100644 -index 9ce3b7195..000000000 ---- a/doc/ccapi/html/group__cc__string__reference.html -+++ /dev/null -@@ -1,96 +0,0 @@ -- -- --Credentials Cache API : cc_string_t Overview -- -- -- -- --

cc_string_t Overview

Detailed Description

--The cc_string_t represents a C string returned by the API. It has a pointer to the string data and a release() function. This type is used for both principal names and ccache names returned by the API. Principal names may contain UTF-8 encoded strings for internationalization purposes.

--For API function documentation see cc_string_f. --

--

Data Structures

-- --

Typedefs

-- --

Typedef Documentation

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_string_f cc_string_f
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef struct cc_string_d cc_string_d
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
typedef cc_string_d* cc_string_t
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/group__ccapi__constants__reference.html b/doc/ccapi/html/group__ccapi__constants__reference.html -deleted file mode 100644 -index 87ec30b83..000000000 ---- a/doc/ccapi/html/group__ccapi__constants__reference.html -+++ /dev/null -@@ -1,407 +0,0 @@ -- -- --Credentials Cache API : Constants -- -- -- -- --

Constants

--

--

Enumerations

-- --

Enumeration Type Documentation

--

-- -- -- -- --
-- -- -- -- --
anonymous enum
--
-- -- -- -- -- --
--   -- -- --

--API version numbers

--These constants are passed into cc_initialize() to indicate the version of the API the caller wants to use.

--CCAPI v1 and v2 are deprecated and should not be used.

Enumerator:
-- -- -- -- -- -- -- -- --
ccapi_version_2  --
ccapi_version_3  --
ccapi_version_4  --
ccapi_version_5  --
ccapi_version_6  --
ccapi_version_7  --
ccapi_version_max  --
--
--
--

-- -- -- -- --
-- -- -- -- --
anonymous enum
--
-- -- -- -- -- --
--   -- -- --

--Error codes

Enumerator:
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
ccNoError  --Success.
ccIteratorEnd  --Iterator is done iterating.
ccErrBadParam  --Bad parameter (NULL or invalid pointer where valid pointer expected).
ccErrNoMem  --Not enough memory to complete the operation.
ccErrInvalidContext  --Context is invalid (e.g., it was released).
ccErrInvalidCCache  --CCache is invalid (e.g., it was released or destroyed).
ccErrInvalidString  --String is invalid (e.g., it was released).
ccErrInvalidCredentials  --Credentials are invalid (e.g., they were released), or they have a bad version.
ccErrInvalidCCacheIterator  --CCache iterator is invalid (e.g., it was released).
ccErrInvalidCredentialsIterator  --Credentials iterator is invalid (e.g., it was released).
ccErrInvalidLock  --Lock is invalid (e.g., it was released).
ccErrBadName  --Bad credential cache name format.
ccErrBadCredentialsVersion  --Credentials version is invalid.
ccErrBadAPIVersion  --Unsupported API version.
ccErrContextLocked  --Context is already locked.
ccErrContextUnlocked  --Context is not locked by the caller.
ccErrCCacheLocked  --CCache is already locked.
ccErrCCacheUnlocked  --CCache is not locked by the caller.
ccErrBadLockType  --Bad lock type.
ccErrNeverDefault  --CCache was never default.
ccErrCredentialsNotFound  --Matching credentials not found in the ccache.
ccErrCCacheNotFound  --Matching ccache not found in the collection.
ccErrContextNotFound  --Matching cache collection not found.
ccErrServerUnavailable  --CCacheServer is unavailable.
ccErrServerInsecure  --CCacheServer has detected that it is running as the wrong user.
ccErrServerCantBecomeUID  --CCacheServer failed to start running as the user.
ccErrTimeOffsetNotSet  --KDC time offset not set for this ccache.
ccErrBadInternalMessage  --The client and CCacheServer can't communicate (e.g., a version mismatch).
ccErrNotImplemented  --API function not supported by this implementation.
ccErrClientNotFound  --CCacheServer has no record of the caller's process (e.g., the server crashed).
--
--
--

-- -- -- -- --
-- -- -- -- --
enum cc_credential_versions
--
-- -- -- -- -- --
--   -- -- --

--Credentials versions

--These constants are used in several places in the API to discern between Kerberos v4 and Kerberos v5. Not all values are valid inputs and outputs for all functions; function specifications below detail the allowed values.

--Kerberos version constants will always be a bit-field, and can be tested as such; for example the following test will tell you if a ccacheVersion includes v5 credentials:

--if ((ccacheVersion & cc_credentials_v5) != 0)

Enumerator:
-- -- -- -- --
cc_credentials_v4  --
cc_credentials_v5  --
cc_credentials_v4_v5  --
--
--
--

-- -- -- -- --
-- -- -- -- --
enum cc_lock_types
--
-- -- -- -- -- --
--   -- -- --

--Lock types

--These constants are used in the locking functions to describe the type of lock requested. Note that all CCAPI locks are advisory so only callers using the lock calls will be blocked by each other. This is because locking functions were introduced after the CCAPI came into common use and we did not want to break existing callers.

Enumerator:
-- -- -- -- -- --
cc_lock_read  --
cc_lock_write  --
cc_lock_upgrade  --
cc_lock_downgrade  --
--
--
--

-- -- -- -- --
-- -- -- -- --
enum cc_lock_modes
--
-- -- -- -- -- --
--   -- -- --

--Locking Modes

--These constants are used in the advisory locking functions to describe whether or not the lock function should block waiting for a lock or return an error immediately. For example, attempting to acquire a lock with a non-blocking call will result in an error if the lock cannot be acquired; otherwise, the call will block until the lock can be acquired.

Enumerator:
-- -- -- --
cc_lock_noblock  --
cc_lock_block  --
--
--
--

-- -- -- -- --
-- -- -- -- --
anonymous enum
--
-- -- -- -- -- --
--   -- -- --

--Sizes of fields in cc_credentials_v4_t.

Enumerator:
-- -- -- -- -- -- --
cc_v4_name_size  --
cc_v4_instance_size  --
cc_v4_realm_size  --
cc_v4_ticket_size  --
cc_v4_key_size  --
--
--
--

-- -- -- -- --
-- -- -- -- --
enum cc_string_to_key_type
--
-- -- -- -- -- --
--   -- -- --

--String to key type (Kerberos v4 only)

Enumerator:
-- -- -- -- -- -- --
cc_v4_stk_afs  --
cc_v4_stk_des  --
cc_v4_stk_columbia_special  --
cc_v4_stk_krb5  --
cc_v4_stk_unknown  --
--
--
--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/group__ccapi__types__reference.html b/doc/ccapi/html/group__ccapi__types__reference.html -deleted file mode 100644 -index 9c646b8d9..000000000 ---- a/doc/ccapi/html/group__ccapi__types__reference.html -+++ /dev/null -@@ -1,138 +0,0 @@ -- -- --Credentials Cache API : Basic Types -- -- -- -- --

Basic Types

--

--

Typedefs

-- --

Typedef Documentation

--

-- -- -- -- --
-- -- -- -- --
typedef uint32_t cc_uint32
--
-- -- -- -- -- --
--   -- -- --

--Unsigned 32-bit integer type

--

-- -- -- -- --
-- -- -- -- --
typedef int32_t cc_int32
--
-- -- -- -- -- --
--   -- -- --

--Signed 32-bit integer type

--

-- -- -- -- --
-- -- -- -- --
typedef int64_t cc_int64
--
-- -- -- -- -- --
--   -- -- --

--Unsigned 64-bit integer type

--

-- -- -- -- --
-- -- -- -- --
typedef uint64_t cc_uint64
--
-- -- -- -- -- --
--   -- -- --

--Signed 64-bit integer type

--

-- -- -- -- --
-- -- -- -- --
typedef cc_uint32 cc_time_t
--
-- -- -- -- -- --
--   -- -- --

--The cc_time_t type is used to represent a time in seconds. The time must be stored as the number of seconds since midnight GMT on January 1, 1970.

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/group__helper__macros.html b/doc/ccapi/html/group__helper__macros.html -deleted file mode 100644 -index cf1c681dc..000000000 ---- a/doc/ccapi/html/group__helper__macros.html -+++ /dev/null -@@ -1,1377 +0,0 @@ -- -- --Credentials Cache API : CCAPI Function Helper Macros -- -- -- -- --

CCAPI Function Helper Macros

--

--

Defines

--
    --
  • #define cc_context_release(context)   ((context) -> functions -> release (context)) --
  • #define cc_context_get_change_time(context, change_time)   ((context) -> functions -> get_change_time (context, change_time)) --
  • #define cc_context_get_default_ccache_name(context, name)   ((context) -> functions -> get_default_ccache_name (context, name)) --
  • #define cc_context_open_ccache(context, name, ccache)   ((context) -> functions -> open_ccache (context, name, ccache)) --
  • #define cc_context_open_default_ccache(context, ccache)   ((context) -> functions -> open_default_ccache (context, ccache)) --
  • #define cc_context_create_ccache(context, name, version, principal, ccache)   ((context) -> functions -> create_ccache (context, name, version, principal, ccache)) --
  • #define cc_context_create_default_ccache(context, version, principal, ccache)   ((context) -> functions -> create_default_ccache (context, version, principal, ccache)) --
  • #define cc_context_create_new_ccache(context, version, principal, ccache)   ((context) -> functions -> create_new_ccache (context, version, principal, ccache)) --
  • #define cc_context_new_ccache_iterator(context, iterator)   ((context) -> functions -> new_ccache_iterator (context, iterator)) --
  • #define cc_context_lock(context, type, block)   ((context) -> functions -> lock (context, type, block)) --
  • #define cc_context_unlock(context)   ((context) -> functions -> unlock (context)) --
  • #define cc_context_compare(context, compare_to, equal)   ((context) -> functions -> compare (context, compare_to, equal)) --
  • #define cc_context_wait_for_change(context)   ((context) -> functions -> wait_for_change (context)) --
  • #define cc_ccache_release(ccache)   ((ccache) -> functions -> release (ccache)) --
  • #define cc_ccache_destroy(ccache)   ((ccache) -> functions -> destroy (ccache)) --
  • #define cc_ccache_set_default(ccache)   ((ccache) -> functions -> set_default (ccache)) --
  • #define cc_ccache_get_credentials_version(ccache, version)   ((ccache) -> functions -> get_credentials_version (ccache, version)) --
  • #define cc_ccache_get_name(ccache, name)   ((ccache) -> functions -> get_name (ccache, name)) --
  • #define cc_ccache_get_principal(ccache, version, principal)   ((ccache) -> functions -> get_principal (ccache, version, principal)) --
  • #define cc_ccache_set_principal(ccache, version, principal)   ((ccache) -> functions -> set_principal (ccache, version, principal)) --
  • #define cc_ccache_store_credentials(ccache, credentials)   ((ccache) -> functions -> store_credentials (ccache, credentials)) --
  • #define cc_ccache_remove_credentials(ccache, credentials)   ((ccache) -> functions -> remove_credentials (ccache, credentials)) --
  • #define cc_ccache_new_credentials_iterator(ccache, iterator)   ((ccache) -> functions -> new_credentials_iterator (ccache, iterator)) --
  • #define cc_ccache_lock(ccache, type, block)   ((ccache) -> functions -> lock (ccache, type, block)) --
  • #define cc_ccache_unlock(ccache)   ((ccache) -> functions -> unlock (ccache)) --
  • #define cc_ccache_get_last_default_time(ccache, last_default_time)   ((ccache) -> functions -> get_last_default_time (ccache, last_default_time)) --
  • #define cc_ccache_get_change_time(ccache, change_time)   ((ccache) -> functions -> get_change_time (ccache, change_time)) --
  • #define cc_ccache_move(source, destination)   ((source) -> functions -> move (source, destination)) --
  • #define cc_ccache_compare(ccache, compare_to, equal)   ((ccache) -> functions -> compare (ccache, compare_to, equal)) --
  • #define cc_ccache_get_kdc_time_offset(ccache, version, time_offset)   ((ccache) -> functions -> get_kdc_time_offset (ccache, version, time_offset)) --
  • #define cc_ccache_set_kdc_time_offset(ccache, version, time_offset)   ((ccache) -> functions -> set_kdc_time_offset (ccache, version, time_offset)) --
  • #define cc_ccache_clear_kdc_time_offset(ccache, version)   ((ccache) -> functions -> clear_kdc_time_offset (ccache, version)) --
  • #define cc_ccache_wait_for_change(ccache)   ((ccache) -> functions -> wait_for_change (ccache)) --
  • #define cc_string_release(string)   ((string) -> functions -> release (string)) --
  • #define cc_credentials_release(credentials)   ((credentials) -> functions -> release (credentials)) --
  • #define cc_credentials_compare(credentials, compare_to, equal)   ((credentials) -> functions -> compare (credentials, compare_to, equal)) --
  • #define cc_ccache_iterator_release(iterator)   ((iterator) -> functions -> release (iterator)) --
  • #define cc_ccache_iterator_next(iterator, ccache)   ((iterator) -> functions -> next (iterator, ccache)) --
  • #define cc_ccache_iterator_clone(iterator, new_iterator)   ((iterator) -> functions -> clone (iterator, new_iterator)) --
  • #define cc_credentials_iterator_release(iterator)   ((iterator) -> functions -> release (iterator)) --
  • #define cc_credentials_iterator_next(iterator, credentials)   ((iterator) -> functions -> next (iterator, credentials)) --
  • #define cc_credentials_iterator_clone(iterator, new_iterator)   ((iterator) -> functions -> clone (iterator, new_iterator)) --
--

Define Documentation

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_context_release context   )    ((context) -> functions -> release (context))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f release()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_get_change_time context,
change_time   )    ((context) -> functions -> get_change_time (context, change_time))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f get_change_time()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_get_default_ccache_name context,
name   )    ((context) -> functions -> get_default_ccache_name (context, name))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f get_default_ccache_name()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_open_ccache context,
name,
ccache   )    ((context) -> functions -> open_ccache (context, name, ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f open_ccache()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_open_default_ccache context,
ccache   )    ((context) -> functions -> open_default_ccache (context, ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f open_default_ccache()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_create_ccache context,
name,
version,
principal,
ccache   )    ((context) -> functions -> create_ccache (context, name, version, principal, ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f create_ccache()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_create_default_ccache context,
version,
principal,
ccache   )    ((context) -> functions -> create_default_ccache (context, version, principal, ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f create_default_ccache()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_create_new_ccache context,
version,
principal,
ccache   )    ((context) -> functions -> create_new_ccache (context, version, principal, ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f create_new_ccache()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_new_ccache_iterator context,
iterator   )    ((context) -> functions -> new_ccache_iterator (context, iterator))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f new_ccache_iterator()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_lock context,
type,
block   )    ((context) -> functions -> lock (context, type, block))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f lock()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_context_unlock context   )    ((context) -> functions -> unlock (context))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f unlock()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_context_compare context,
compare_to,
equal   )    ((context) -> functions -> compare (context, compare_to, equal))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f compare()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_context_wait_for_change context   )    ((context) -> functions -> wait_for_change (context))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_context_f wait_for_change()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_ccache_release ccache   )    ((ccache) -> functions -> release (ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f release()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_ccache_destroy ccache   )    ((ccache) -> functions -> destroy (ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f destroy()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_ccache_set_default ccache   )    ((ccache) -> functions -> set_default (ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f set_default()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_get_credentials_version ccache,
version   )    ((ccache) -> functions -> get_credentials_version (ccache, version))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f get_credentials_version()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_get_name ccache,
name   )    ((ccache) -> functions -> get_name (ccache, name))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f get_name()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_get_principal ccache,
version,
principal   )    ((ccache) -> functions -> get_principal (ccache, version, principal))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f get_principal()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_set_principal ccache,
version,
principal   )    ((ccache) -> functions -> set_principal (ccache, version, principal))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f set_principal()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_store_credentials ccache,
credentials   )    ((ccache) -> functions -> store_credentials (ccache, credentials))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f store_credentials()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_remove_credentials ccache,
credentials   )    ((ccache) -> functions -> remove_credentials (ccache, credentials))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f remove_credentials()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_new_credentials_iterator ccache,
iterator   )    ((ccache) -> functions -> new_credentials_iterator (ccache, iterator))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f new_credentials_iterator()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_lock ccache,
type,
block   )    ((ccache) -> functions -> lock (ccache, type, block))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f lock()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_ccache_unlock ccache   )    ((ccache) -> functions -> unlock (ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f unlock()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_get_last_default_time ccache,
last_default_time   )    ((ccache) -> functions -> get_last_default_time (ccache, last_default_time))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f get_last_default_time()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_get_change_time ccache,
change_time   )    ((ccache) -> functions -> get_change_time (ccache, change_time))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f get_change_time()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_move source,
destination   )    ((source) -> functions -> move (source, destination))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f move()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_compare ccache,
compare_to,
equal   )    ((ccache) -> functions -> compare (ccache, compare_to, equal))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f compare()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_get_kdc_time_offset ccache,
version,
time_offset   )    ((ccache) -> functions -> get_kdc_time_offset (ccache, version, time_offset))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f get_kdc_time_offset()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_set_kdc_time_offset ccache,
version,
time_offset   )    ((ccache) -> functions -> set_kdc_time_offset (ccache, version, time_offset))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f set_kdc_time_offset()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_clear_kdc_time_offset ccache,
version   )    ((ccache) -> functions -> clear_kdc_time_offset (ccache, version))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f clear_kdc_time_offset()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_ccache_wait_for_change ccache   )    ((ccache) -> functions -> wait_for_change (ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_f wait_for_change()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_string_release string   )    ((string) -> functions -> release (string))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_string_f release()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_credentials_release credentials   )    ((credentials) -> functions -> release (credentials))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_credentials_f release()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_credentials_compare credentials,
compare_to,
equal   )    ((credentials) -> functions -> compare (credentials, compare_to, equal))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_credentials_f compare()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_ccache_iterator_release iterator   )    ((iterator) -> functions -> release (iterator))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_iterator_f release()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_iterator_next iterator,
ccache   )    ((iterator) -> functions -> next (iterator, ccache))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_iterator_f next()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_ccache_iterator_clone iterator,
new_iterator   )    ((iterator) -> functions -> clone (iterator, new_iterator))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_ccache_iterator_f clone()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- --
#define cc_credentials_iterator_release iterator   )    ((iterator) -> functions -> release (iterator))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_credentials_iterator_f release()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_credentials_iterator_next iterator,
credentials   )    ((iterator) -> functions -> next (iterator, credentials))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_credentials_iterator_f next()

--

-- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- --
#define cc_credentials_iterator_clone iterator,
new_iterator   )    ((iterator) -> functions -> clone (iterator, new_iterator))
--
-- -- -- -- -- --
--   -- -- --

--Helper macro for cc_credentials_iterator_f clone()

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/index.html b/doc/ccapi/html/index.html -deleted file mode 100644 -index bf920052f..000000000 ---- a/doc/ccapi/html/index.html -+++ /dev/null -@@ -1,85 +0,0 @@ -- -- --Credentials Cache API : Credentials Cache API (CCAPI) Documentation -- -- -- -- --

Credentials Cache API (CCAPI) Documentation

--

--

--Table of Contents

-- -- -- -- -- -- -- -- --

--Introduction

--This is the specification for an API which provides Credentials Cache services for both Kerberos v5 and v4. The idea behind this API is that multiple Kerberos implementations can share a single collection of credentials caches, mediated by this API specification. On the Mac OS and Microsoft Windows platforms this will allow single-login, even when more than one Kerberos shared library is in use on a particular system.

--Abstractly, a credentials cache collection contains one or more credentials caches, or ccaches. A ccache is uniquely identified by its name, which is a string internal to the API and not intended to be presented to users. The user presentable identifier of a ccache is its principal.

--Unlike the previous versions of the API, version 3 of the API stores both Kerberos v4 and v5 credentials in the same ccache.

--At any given time, one ccache is the "default" ccache. The exact meaning of a default ccache is OS-specific; refer to implementation requirements for details.

--Error Handling

--All functions of the API return some of the error constants listed FIXME; the exact list of error constants returned by any API function is provided in the function descriptions below.

--When returning an error constant other than ccNoError or ccIteratorEnd, API functions never modify any of the values passed in by reference.

--Synchronization and Atomicity

--Every function in the API is atomic. In order to make a series of calls atomic, callers should lock the ccache or cache collection they are working with to advise other callers not to modify that container. Note that advisory locks are per container so even if you have a read lock on the cache collection other callers can obtain write locks on ccaches in that cache collection.

--Note that iterators do not iterate over ccaches and credentials atomically because locking ccaches and the cache collection over every iteration would degrade performance considerably under high load. However, iterators do guarantee a consistent view of items they are iterating over. Iterators will never return duplicate entries or skip entries when items are removed or added to the container they are iterating over.

--An application can always lock a ccache or the cache collection to guarantee that other callers participating in the advisory locking system do not modify the ccache or cache collection.

--Implementations should not use copy-on-write techniques to implement locks because those techniques imply that same parts of the ccache collection remain visible to some callers even though they are not present in the collection, which is a potential security risk. For example, a copy-on-write technique might make a copy of the entire collection when a read lock is acquired, so as to allow the owner of the lock to access the collection in an apparently unmodified state, while also allowing others to make modifications to the collection. However, this would also enable the owner of the lock to indefinitely (until the expiration time) use credentials that have actually been deleted from the collection.

--Object Memory Management

--The lifetime of an object returned by the API is until release() is called for it. Releasing one object has no effect on existence of any other object. For example, a ccache obtained within a context continue to exist when the context is released.

--Every object returned by the API (cc_context_t, cc_ccache_t, cc_ccache_iterator_t, cc_credentials_t, cc_credentials_iterator_t, cc_string_t) is owned by the caller of the API, and it is the responsibility of the caller to call release() for every object to prevent memory leaks.

--Opaque Types

--All of the opaque high-level types in CCache API are implemented as structures of function pointers and private data. To perform some operation on a type, the caller of the API has to first obtain an instance of that type, and then call the appropriate function pointer from that instance. For example, to call get_change_time() on a cc_context_t, one would call cc_initialize() which creates a new cc_context_t and then call its get_change_time(), like this:

--

 cc_context_t context;
-- cc_int32 err = cc_initialize (&context, ccapi_version_3, nil, nil);
-- if (err == ccNoError)
-- time = context->functions->get_change_time (context)
--

--All API functions also have convenience preprocessor macros, which make the API seem completely function-based. For example, cc_context_get_change_time (context, time) is equivalent to context->functions->get_change_time (context, time). The convenience macros follow the following naming convention:

--The API function some_function() 

 cc_type_t an_object;
-- result = an_object->functions->some_function (opaque_pointer, args)
--

--has an equivalent convenience macro of the form cc_type_some_function(): 

 cc_type_t an_object;
-- result = cc_type_some_function (an_object, args)
--

--The specifications below include the names for both the functions and the convenience macros, in that order. For clarity, it is recommended that clients using the API use the convenience macros, but that is merely a stylistic choice.

--Implementing the API in this manner allows us to extend and change the interface in the future, while preserving compatibility with older clients.

--For example, consider the case when the signature or the semantics of a cc_ccache_t function is changed. The API version number is incremented. The library implementation contains both a function with the old signature and semantics and a function with the new signature and semantics. When a context is created, the API version number used in that context is stored in the context, and therefore it can be used whenever a ccache is created in that context. When a ccache is created in a context with the old API version number, the function pointer structure for the ccache is filled with pointers to functions implementing the old semantics; when a ccache is created in a context with the new API version number, the function pointer structure for the ccache is filled with poitners to functions implementing the new semantics.

--Similarly, if a function is added to the API, the version number in the context can be used to decide whether to include the implementation of the new function in the appropriate function pointer structure or not.

Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__ccache__d.html b/doc/ccapi/html/structcc__ccache__d.html -deleted file mode 100644 -index c19aa2b59..000000000 ---- a/doc/ccapi/html/structcc__ccache__d.html -+++ /dev/null -@@ -1,43 +0,0 @@ -- -- --Credentials Cache API : cc_ccache_d Struct Reference -- -- -- -- --

cc_ccache_d Struct Reference
-- --[cc_ccache_t Overview] --

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
const cc_ccache_f* functions
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__ccache__f.html b/doc/ccapi/html/structcc__ccache__f.html -deleted file mode 100644 -index ddab94ff9..000000000 ---- a/doc/ccapi/html/structcc__ccache__f.html -+++ /dev/null -@@ -1,722 +0,0 @@ -- -- --Credentials Cache API : cc_ccache_f Struct Reference -- -- -- -- --

cc_ccache_f Struct Reference

Detailed Description

--Function pointer table for cc_ccache_t. For more information see cc_ccache_t Overview. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* release)(cc_ccache_t io_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_release(): Release memory associated with a cc_ccache_t object. --

--

Parameters:
-- -- --
io_ccache the ccache object to release.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
Note:
Does not modify the ccache. If you wish to remove the ccache see cc_ccache_destroy().
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* destroy)(cc_ccache_t io_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_destroy(): Destroy a ccache. --

--

Parameters:
-- -- --
io_ccache the ccache object to destroy and release.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Destroy the ccache referred to by io_ccache and releases memory associated with the io_ccache object. After this call io_ccache becomes invalid. If io_ccache was the default ccache, the next ccache in the cache collection (if any) becomes the new default.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* set_default)(cc_ccache_t io_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_set_default(): Make a ccache the default ccache. --

--

Parameters:
-- -- --
io_ccache a ccache object to make the new default ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* get_credentials_version)(cc_ccache_t in_ccache, cc_uint32 *out_credentials_version)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_get_credentials_version(): Get the credentials version of a ccache. --

--

Parameters:
-- -- -- --
in_ccache a ccache object.
out_credentials_version on exit, the credentials version of in_ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--cc_ccache_get_credentials_version() returns one value of the enumerated type cc_credentials_vers. The possible return values are cc_credentials_v4 (if ccache's v4 principal has been set), cc_credentials_v5 (if ccache's v5 principal has been set), or cc_credentials_v4_v5 (if both ccache's v4 and v5 principals have been set). A ccache's principal is set with one of cc_context_create_ccache(), cc_context_create_new_ccache(), cc_context_create_default_ccache(), or cc_ccache_set_principal().
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* get_name)(cc_ccache_t in_ccache, cc_string_t *out_name)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_get_name(): Get the name of a ccache. --

--

Parameters:
-- -- -- --
in_ccache a ccache object.
out_name on exit, a cc_string_t representing the name of in_ccache. out_name must be released with cc_string_release().
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* get_principal)(cc_ccache_t in_ccache, cc_uint32 in_credentials_version, cc_string_t *out_principal)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_get_principal(): Get the principal of a ccache. --

--

Parameters:
-- -- -- -- --
in_ccache a ccache object.
in_credentials_version the credentials version to get the principal for.
out_principal on exit, a cc_string_t representing the principal of in_ccache. out_principal must be released with cc_string_release().
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Return the principal for the ccache that was set via cc_context_create_ccache(), cc_context_create_default_ccache(), cc_context_create_new_ccache(), or cc_ccache_set_principal(). Principals for v4 and v5 are separate, but should be kept synchronized for each ccache; they can be retrieved by passing cc_credentials_v4 or cc_credentials_v5 in cred_vers. Passing cc_credentials_v4_v5 will result in the error ccErrBadCredentialsVersion.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* set_principal)(cc_ccache_t io_ccache, cc_uint32 in_credentials_version, const char *in_principal)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_set_principal(): Set the principal of a ccache. --

--

Parameters:
-- -- -- -- --
in_ccache a ccache object.
in_credentials_version the credentials version to set the principal for.
in_principal a C string representing the new principal of in_ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Set the a principal for ccache. The v4 and v5 principals can be set independently, but they should always be kept equal, up to differences in string representation between v4 and v5. Passing cc_credentials_v4_v5 in cred_vers will result in the error ccErrBadCredentialsVersion.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* store_credentials)(cc_ccache_t io_ccache, const cc_credentials_union *in_credentials_union)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_store_credentials(): Store credentials in a ccache. --

--

Parameters:
-- -- -- --
io_ccache a ccache object.
in_credentials_union the credentials to store in io_ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Store a copy of credentials in the ccache.

--See the description of the credentials types for the meaning of cc_credentials_union fields.

--Before credentials of a specific credential type can be stored in a ccache, the corresponding principal version has to be set. For example, before you can store Kerberos v4 credentials in a ccache, the Kerberos v4 principal has to be set either by cc_context_create_ccache(), cc_context_create_default_ccache(), cc_context_create_new_ccache(), or cc_ccache_set_principal(); likewise for Kerberos v5. Otherwise, ccErrBadCredentialsVersion is returned.

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* remove_credentials)(cc_ccache_t io_ccache, cc_credentials_t in_credentials)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_remove_credentials(): Remove credentials from a ccache. --

--

Parameters:
-- -- -- --
io_ccache a ccache object.
in_credentials the credentials to remove from io_ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Removes credentials from a ccache. Note that credentials must be previously acquired from the CCache API; only exactly matching credentials will be removed. (This places the burden of determining exactly which credentials to remove on the caller, but ensures there is no ambigity about which credentials will be removed.) cc_credentials_t objects can be obtained by iterating over the ccache's credentials with cc_ccache_new_credentials_iterator().

--If found, the credentials are removed from the ccache. The credentials parameter is not modified and should be freed by the caller. It is legitimate to call this function while an iterator is traversing the ccache, and the deletion of a credential already returned by cc_credentials_iterator_next() will not disturb sequence of credentials returned by cc_credentials_iterator_next().

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* new_credentials_iterator)(cc_ccache_t in_ccache, cc_credentials_iterator_t *out_credentials_iterator)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_new_credentials_iterator(): Iterate over credentials in a ccache. --

--

Parameters:
-- -- -- --
in_ccache a ccache object.
out_credentials_iterator a credentials iterator for io_ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Allocates memory for iterator and initializes it. Successive calls to cc_credentials_iterator_next() will return credentials from the ccache.

--If changes are made to the ccache while an iterator is being used on it, the iterator must return at least the intersection, and at most the union, of the set of credentials that were in the ccache when the iteration began and the set of credentials that are in the ccache when it ends.

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* move)(cc_ccache_t io_source_ccache, cc_ccache_t io_destination_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_move(): Move the contents of one ccache into another, destroying the source. --

--

Parameters:
-- -- -- --
io_source_ccache a ccache object to move.
io_destination_ccache a ccache object replace with the contents of io_source_ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--cc_ccache_move() atomically copies the credentials, credential versions and principals from one ccache to another. On successful completion io_source_ccache will be released and the ccache it points to will be destroyed. Any credentials previously in io_destination_ccache will be replaced with credentials from io_source_ccache. The only part of io_destination_ccache which remains constant is the name. Any other callers referring to io_destination_ccache will suddenly see new data in it.

--Typically cc_ccache_move() is used when the caller wishes to safely overwrite the contents of a ccache with new data which requires several steps to generate. cc_ccache_move() allows the caller to create a temporary ccache (which can be destroyed if any intermediate step fails) and the atomically copy the temporary cache into the destination.

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* lock)(cc_ccache_t io_ccache, cc_uint32 in_lock_type, cc_uint32 in_block)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_lock(): Lock a ccache. --

--

Parameters:
-- -- -- -- --
io_ccache the ccache object for the ccache you wish to lock.
in_lock_type the type of lock to obtain.
in_block whether or not the function should block if the lock cannot be obtained immediately.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Attempts to acquire an advisory lock for a ccache. Allowed values for lock_type are:

--

    --
  • cc_lock_read: a read lock.
    • --
  • cc_lock_write: a write lock
    • --
  • cc_lock_upgrade: upgrade an already-obtained read lock to a write lock
    • --
  • cc_lock_downgrade: downgrade an already-obtained write lock to a read lock
    • --
--If block is cc_lock_block, lock() will not return until the lock is acquired. If block is cc_lock_noblock, lock() will return immediately, either acquiring the lock and returning ccNoError, or failing to acquire the lock and returning an error explaining why.

--To avoid having to deal with differences between thread semantics on different platforms, locks are granted per ccache, rather than per thread or per process. That means that different threads of execution have to acquire separate contexts in order to be able to synchronize with each other.

--The lock should be unlocked by using cc_ccache_unlock().

--

Note:
All locks are advisory. For example, callers which do not call cc_ccache_lock() and cc_ccache_unlock() will not be prevented from writing to the ccache when you have a read lock. This is because the CCAPI locking was added after the first release and thus adding mandatory locks would have changed the user experience and performance of existing applications.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* unlock)(cc_ccache_t io_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_unlock(): Unlock a ccache. --

--

Parameters:
-- -- --
io_ccache a ccache object.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* get_last_default_time)(cc_ccache_t in_ccache, cc_time_t *out_last_default_time)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_get_change_time(): Get the last time a ccache was the default ccache. --

--

Parameters:
-- -- -- --
in_ccache a cache object.
out_last_default_time on exit, the last time the ccache was default.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--This function returns the last time when the ccache was made the default ccache. This allows clients to sort the ccaches by how recently they were default, which is useful for user listing of ccaches. If the ccache was never default, ccErrNeverDefault is returned.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* get_change_time)(cc_ccache_t in_ccache, cc_time_t *out_change_time)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_get_change_time(): Get the last time a ccache changed. --

--

Parameters:
-- -- -- --
in_ccache a cache object.
out_change_time on exit, the last time the ccache changed.
--
--
Returns:
On success, ccNoError. If the ccache was never the default ccache, ccErrNeverDefault. Otherwise, an error code representing the failure.
--This function returns the time of the most recent change made to a ccache. By maintaining a local copy the caller can deduce whether or not the ccache has been modified since the previous call to cc_ccache_get_change_time().

--The time returned by cc_ccache_get_change_time() increases whenever:

--

    --
  • a credential is stored
    • --
  • a credential is removed
    • --
  • a ccache principal is changed
    • --
  • the ccache becomes the default ccache
    • --
  • the ccache is no longer the default ccache
    • --
--
Note:
In order to be able to compare two values returned by cc_ccache_get_change_time(), the caller must use the same ccache object to acquire them. Callers should maintain a single ccache object in memory for cc_ccache_get_change_time() calls rather than creating a new ccache object for every call.
--
See also:
wait_for_change
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* compare)(cc_ccache_t in_ccache, cc_ccache_t in_compare_to_ccache, cc_uint32 *out_equal)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_compare(): Compare two ccache objects. --

--

Parameters:
-- -- -- -- --
in_ccache a ccache object.
in_compare_to_ccache a ccache object to compare with in_ccache.
out_equal on exit, whether or not the two ccaches refer to the same ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* get_kdc_time_offset)(cc_ccache_t in_ccache, cc_uint32 in_credentials_version, cc_time_t *out_time_offset)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_get_kdc_time_offset(): Get the KDC time offset for credentials in a ccache. --

--

Parameters:
-- -- -- -- --
in_ccache a ccache object.
in_credentials_version the credentials version to get the time offset for.
out_time_offset on exit, the KDC time offset for in_ccache for credentials version in_credentials_version.
--
--
Returns:
On success, ccNoError if a time offset was obtained or ccErrTimeOffsetNotSet if a time offset has not been set. On failure, an error code representing the failure.
--
See also:
set_kdc_time_offset, clear_kdc_time_offset
--Sometimes the KDC and client's clocks get out of sync. cc_ccache_get_kdc_time_offset() returns the difference between the KDC and client's clocks at the time credentials were acquired. This offset allows callers to figure out how much time is left on a given credential even though the end_time is based on the KDC's clock not the client's clock.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* set_kdc_time_offset)(cc_ccache_t io_ccache, cc_uint32 in_credentials_version, cc_time_t in_time_offset)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_set_kdc_time_offset(): Set the KDC time offset for credentials in a ccache. --

--

Parameters:
-- -- -- -- --
in_ccache a ccache object.
in_credentials_version the credentials version to get the time offset for.
in_time_offset the new KDC time offset for in_ccache for credentials version in_credentials_version.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
See also:
get_kdc_time_offset, clear_kdc_time_offset
--Sometimes the KDC and client's clocks get out of sync. cc_ccache_set_kdc_time_offset() sets the difference between the KDC and client's clocks at the time credentials were acquired. This offset allows callers to figure out how much time is left on a given credential even though the end_time is based on the KDC's clock not the client's clock.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* clear_kdc_time_offset)(cc_ccache_t io_ccache, cc_uint32 in_credentials_version)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_clear_kdc_time_offset(): Clear the KDC time offset for credentials in a ccache. --

--

Parameters:
-- -- -- --
in_ccache a ccache object.
in_credentials_version the credentials version to get the time offset for.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
See also:
get_kdc_time_offset, set_kdc_time_offset
--Sometimes the KDC and client's clocks get out of sync. cc_ccache_clear_kdc_time_offset() clears the difference between the KDC and client's clocks at the time credentials were acquired. This offset allows callers to figure out how much time is left on a given credential even though the end_time is based on the KDC's clock not the client's clock.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* wait_for_change)(cc_ccache_t in_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_wait_for_change(): Wait for the next change to a ccache. --

--

Parameters:
-- -- --
in_ccache a ccache object.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--This function blocks until the next change is made to the ccache referenced by in_ccache. By repeatedly calling cc_ccache_wait_for_change() from a worker thread the caller can effectively receive callbacks whenever the ccache changes. This is considerably more efficient than polling with cc_ccache_get_change_time().

--cc_ccache_wait_for_change() will return whenever:

--

    --
  • a credential is stored
    • --
  • a credential is removed
    • --
  • the ccache principal is changed
    • --
  • the ccache becomes the default ccache
    • --
  • the ccache is no longer the default ccache
    • --
--
Note:
In order to make sure that the caller doesn't miss any changes, cc_ccache_wait_for_change() always returns immediately after the first time it is called on a new ccache object. Callers must use the same ccache object for successive calls to cc_ccache_wait_for_change() rather than creating a new ccache object for every call.
--
See also:
get_change_time
--
--

Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__ccache__iterator__d.html b/doc/ccapi/html/structcc__ccache__iterator__d.html -deleted file mode 100644 -index 5e85ee2da..000000000 ---- a/doc/ccapi/html/structcc__ccache__iterator__d.html -+++ /dev/null -@@ -1,43 +0,0 @@ -- -- --Credentials Cache API : cc_ccache_iterator_d Struct Reference -- -- -- -- --

cc_ccache_iterator_d Struct Reference
-- --[cc_ccache_iterator_t Overview] --

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
const cc_ccache_iterator_f* functions
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__ccache__iterator__f.html b/doc/ccapi/html/structcc__ccache__iterator__f.html -deleted file mode 100644 -index 333aab8f4..000000000 ---- a/doc/ccapi/html/structcc__ccache__iterator__f.html -+++ /dev/null -@@ -1,117 +0,0 @@ -- -- --Credentials Cache API : cc_ccache_iterator_f Struct Reference -- -- -- -- --

cc_ccache_iterator_f Struct Reference

Detailed Description

--Function pointer table for cc_ccache_iterator_t. For more information see cc_ccache_iterator_t Overview. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* release)(cc_ccache_iterator_t io_ccache_iterator)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_iterator_release(): Release memory associated with a cc_ccache_iterator_t object. --

--

Parameters:
-- -- --
io_ccache_iterator the ccache iterator object to release.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* next)(cc_ccache_iterator_t in_ccache_iterator, cc_ccache_t *out_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_iterator_next(): Get the next ccache in the cache collection. --

--

Parameters:
-- -- -- --
in_ccache_iterator a ccache iterator object.
out_ccache on exit, the next ccache in the cache collection.
--
--
Returns:
On success, ccNoError if the next ccache in the cache collection was obtained or ccIteratorEnd if there are no more ccaches. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* clone)(cc_ccache_iterator_t in_ccache_iterator, cc_ccache_iterator_t *out_ccache_iterator)
--
-- -- -- -- -- --
--   -- -- --

--cc_ccache_iterator_clone(): Make a copy of a ccache iterator. --

--

Parameters:
-- -- -- --
in_ccache_iterator a ccache iterator object.
out_ccache_iterator on exit, a copy of in_ccache_iterator.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__context__d.html b/doc/ccapi/html/structcc__context__d.html -deleted file mode 100644 -index d3904a2a1..000000000 ---- a/doc/ccapi/html/structcc__context__d.html -+++ /dev/null -@@ -1,43 +0,0 @@ -- -- --Credentials Cache API : cc_context_d Struct Reference -- -- -- -- --

cc_context_d Struct Reference
-- --[cc_context_t Overview] --

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
const cc_context_f* functions
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__context__f.html b/doc/ccapi/html/structcc__context__f.html -deleted file mode 100644 -index fe310518a..000000000 ---- a/doc/ccapi/html/structcc__context__f.html -+++ /dev/null -@@ -1,513 +0,0 @@ -- -- --Credentials Cache API : cc_context_f Struct Reference -- -- -- -- --

cc_context_f Struct Reference

Detailed Description

--Function pointer table for cc_context_t. For more information see cc_context_t Overview. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* release)(cc_context_t io_context)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_release(): Release memory associated with a cc_context_t. --

--

Parameters:
-- -- --
io_context the context object to free.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* get_change_time)(cc_context_t in_context, cc_time_t *out_time)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_get_change_time(): Get the last time the cache collection changed. --

--

Parameters:
-- -- -- --
in_context the context object for the cache collection to examine.
out_time on exit, the time of the most recent change for the entire ccache collection.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--This function returns the time of the most recent change for the entire ccache collection. By maintaining a local copy the caller can deduce whether or not the ccache collection has been modified since the previous call to cc_context_get_change_time().

--The time returned by cc_context_get_changed_time() increases whenever:

--

    --
  • a ccache is created
    • --
  • a ccache is destroyed
    • --
  • a credential is stored
    • --
  • a credential is removed
    • --
  • a ccache principal is changed
    • --
  • the default ccache is changed
    • --
--
Note:
In order to be able to compare two values returned by cc_context_get_change_time(), the caller must use the same context to acquire them. Callers should maintain a single context in memory for cc_context_get_change_time() calls rather than creating a new context for every call.
--
See also:
wait_for_change
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* get_default_ccache_name)(cc_context_t in_context, cc_string_t *out_name)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_get_default_ccache_name(): Get the name of the default ccache. --

--

Parameters:
-- -- -- --
in_context the context object for the cache collection.
out_name on exit, the name of the default ccache.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--This function returns the name of the default ccache. When the default ccache exists, its name is returned. If there are no ccaches in the collection, and thus there is no default ccache, the name that the default ccache should have is returned. The ccache with that name will be used as the default ccache by all processes which initialized Kerberos libraries before the ccache was created.

--If there is no default ccache, and the client is creating a new ccache, it should be created with the default name. If there already is a default ccache, and the client wants to create a new ccache (as opposed to reusing an existing ccache), it should be created with any unique name; create_new_ccache() can be used to accomplish that more easily.

--If the first ccache is created with a name other than the default name, then the processes already running will not notice the credentials stored in the new ccache, which is normally undesirable.

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* open_ccache)(cc_context_t in_context, const char *in_name, cc_ccache_t *out_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_open_ccache(): Open a ccache. --

--

Parameters:
-- -- -- -- --
in_context the context object for the cache collection.
in_name the name of the ccache to open.
out_ccache on exit, a ccache object for the ccache
--
--
Returns:
On success, ccNoError. If no ccache named in_name exists, ccErrCCacheNotFound. On failure, an error code representing the failure.
--Opens an already existing ccache identified by its name. It returns a reference to the ccache in out_ccache.

--The list of all ccache names, principals, and credentials versions may be retrieved by calling cc_context_new_cache_iterator(), cc_ccache_get_name(), cc_ccache_get_principal(), and cc_ccache_get_cred_version().

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* open_default_ccache)(cc_context_t in_context, cc_ccache_t *out_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_open_default_ccache(): Open the default ccache. --

--

Parameters:
-- -- -- --
in_context the context object for the cache collection.
out_ccache on exit, a ccache object for the default ccache
--
--
Returns:
On success, ccNoError. If no default ccache exists, ccErrCCacheNotFound. On failure, an error code representing the failure.
--Opens the default ccache. It returns a reference to the ccache in *ccache.

--This function performs the same function as calling cc_context_get_default_ccache_name followed by cc_context_open_ccache, but it performs it atomically.

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* create_ccache)(cc_context_t in_context, const char *in_name, cc_uint32 in_cred_vers, const char *in_principal, cc_ccache_t *out_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_create_ccache(): Create a new ccache. --

--

Parameters:
-- -- -- -- -- -- --
in_context the context object for the cache collection.
in_name the name of the new ccache to create
in_cred_vers the version of the credentials the new ccache will hold
in_principal the client principal of the credentials the new ccache will hold
out_ccache on exit, a ccache object for the newly created ccache
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Create a new credentials cache. The ccache is uniquely identified by its name. The principal given is also associated with the ccache and the credentials version specified. A NULL name is not allowed (and ccErrBadName is returned if one is passed in). Only cc_credentials_v4 and cc_credentials_v5 are valid input values for cred_vers. If you want to create a new ccache that will hold both versions of credentials, call cc_context_create_ccache() with one version, and then cc_ccache_set_principal() with the other version.

--If you want to create a new ccache (with a unique name), you should use cc_context_create_new_ccache() instead. If you want to create or reinitialize the default cache, you should use cc_context_create_default_ccache().

--If name is non-NULL and there is already a ccache named name:

--

    --
  • the credentials in the ccache whose version is cred_vers are removed
    • --
  • the principal (of the existing ccache) associated with cred_vers is set to principal
    • --
  • a handle for the existing ccache is returned and all existing handles for the ccache remain valid
    • --
--If no ccache named name already exists:

--

    --
  • a new empty ccache is created
    • --
  • the principal of the new ccache associated with cred_vers is set to principal
    • --
  • a handle for the new ccache is returned
    • --
--For a new ccache, the name should be any unique string. The name is not intended to be presented to users.

--If the created ccache is the first ccache in the collection, it is made the default ccache. Note that normally it is undesirable to create the first ccache with a name different from the default ccache name (as returned by cc_context_get_default_ccache_name()); see the description of cc_context_get_default_ccache_name() for details.

--The principal should be a C string containing an unparsed Kerberos principal in the format of the appropriate Kerberos version, i.e.

foo.bar/@BAZ 
--      *
for Kerberos v4 and
foo/bar/@BAZ
for Kerberos v5.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* create_default_ccache)(cc_context_t in_context, cc_uint32 in_cred_vers, const char *in_principal, cc_ccache_t *out_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_create_default_ccache(): Create a new default ccache. --

--

Parameters:
-- -- -- -- -- --
in_context the context object for the cache collection.
in_cred_vers the version of the credentials the new default ccache will hold
in_principal the client principal of the credentials the new default ccache will hold
out_ccache on exit, a ccache object for the newly created default ccache
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Create the default credentials cache. The behavior of this function is similar to that of cc_create_ccache(). If there is a default ccache (which is always the case except when there are no ccaches at all in the collection), it is initialized with the specified credentials version and principal, as per cc_create_ccache(); otherwise, a new ccache is created, and its name is the name returned by cc_context_get_default_ccache_name().
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* create_new_ccache)(cc_context_t in_context, cc_uint32 in_cred_vers, const char *in_principal, cc_ccache_t *out_ccache)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_create_new_ccache(): Create a new uniquely named ccache. --

--

Parameters:
-- -- -- -- -- --
in_context the context object for the cache collection.
in_cred_vers the version of the credentials the new ccache will hold
in_principal the client principal of the credentials the new ccache will hold
out_ccache on exit, a ccache object for the newly created ccache
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Create a new unique credentials cache. The behavior of this function is similar to that of cc_create_ccache(). If there are no ccaches, and therefore no default ccache, the new ccache is created with the default ccache name as would be returned by get_default_ccache_name(). If there are some ccaches, and therefore there is a default ccache, the new ccache is created with a new unique name. Clearly, this function never reinitializes a ccache, since it always uses a unique name.
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* new_ccache_iterator)(cc_context_t in_context, cc_ccache_iterator_t *out_iterator)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_new_ccache_iterator(): Get an iterator for the cache collection. --

--

Parameters:
-- -- -- --
in_context the context object for the cache collection.
out_iterator on exit, a ccache iterator object for the ccache collection.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Used to allocate memory and initialize iterator. Successive calls to iterator's next() function will return ccaches in the collection.

--If changes are made to the collection while an iterator is being used on it, the iterator must return at least the intersection, and at most the union, of the set of ccaches that were present when the iteration began and the set of ccaches that are present when it ends.

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* lock)(cc_context_t in_context, cc_uint32 in_lock_type, cc_uint32 in_block)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_lock(): Lock the cache collection. --

--

Parameters:
-- -- -- -- --
in_context the context object for the cache collection.
in_lock_type the type of lock to obtain.
in_block whether or not the function should block if the lock cannot be obtained immediately.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--Attempts to acquire an advisory lock for the ccache collection. Allowed values for lock_type are:

--

    --
  • cc_lock_read: a read lock.
    • --
  • cc_lock_write: a write lock
    • --
  • cc_lock_upgrade: upgrade an already-obtained read lock to a write lock
    • --
  • cc_lock_downgrade: downgrade an already-obtained write lock to a read lock
    • --
--If block is cc_lock_block, lock() will not return until the lock is acquired. If block is cc_lock_noblock, lock() will return immediately, either acquiring the lock and returning ccNoError, or failing to acquire the lock and returning an error explaining why.

--Locks apply only to the list of ccaches, not the contents of those ccaches. To prevent callers participating in the advisory locking from changing the credentials in a cache you must also lock that ccache with cc_ccache_lock(). This is so that you can get the list of ccaches without preventing applications from simultaneously obtaining service tickets.

--To avoid having to deal with differences between thread semantics on different platforms, locks are granted per context, rather than per thread or per process. That means that different threads of execution have to acquire separate contexts in order to be able to synchronize with each other.

--The lock should be unlocked by using cc_context_unlock().

--

Note:
All locks are advisory. For example, callers which do not call cc_context_lock() and cc_context_unlock() will not be prevented from writing to the cache collection when you have a read lock. This is because the CCAPI locking was added after the first release and thus adding mandatory locks would have changed the user experience and performance of existing applications.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* unlock)(cc_context_t in_cc_context)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_unlock(): Unlock the cache collection. --

--

Parameters:
-- -- --
in_context the context object for the cache collection.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* compare)(cc_context_t in_cc_context, cc_context_t in_compare_to_context, cc_uint32 *out_equal)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_compare(): Compare two context objects. --

--

Parameters:
-- -- -- -- --
in_context a context object.
in_compare_to_context a context object to compare with in_context.
out_equal on exit, whether or not the two contexts refer to the same cache collection.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* wait_for_change)(cc_context_t in_cc_context)
--
-- -- -- -- -- --
--   -- -- --

--cc_context_wait_for_change(): Wait for the next change in the cache collection. --

--

Parameters:
-- -- --
in_context a context object.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--This function blocks until the next change is made to the cache collection ccache collection. By repeatedly calling cc_context_wait_for_change() from a worker thread the caller can effectively receive callbacks whenever the cache collection changes. This is considerably more efficient than polling with cc_context_get_change_time().

--cc_context_wait_for_change() will return whenever:

--

    --
  • a ccache is created
    • --
  • a ccache is destroyed
    • --
  • a credential is stored
    • --
  • a credential is removed
    • --
  • a ccache principal is changed
    • --
  • the default ccache is changed
    • --
--
Note:
In order to make sure that the caller doesn't miss any changes, cc_context_wait_for_change() always returns immediately after the first time it is called on a new context object. Callers must use the same context object for successive calls to cc_context_wait_for_change() rather than creating a new context for every call.
--
See also:
get_change_time
--
--

Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__credentials__d.html b/doc/ccapi/html/structcc__credentials__d.html -deleted file mode 100644 -index 8a13251e5..000000000 ---- a/doc/ccapi/html/structcc__credentials__d.html -+++ /dev/null -@@ -1,67 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_d Struct Reference -- -- -- -- --

cc_credentials_d Struct Reference
-- --[cc_credentials_t Overview] --

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
const cc_credentials_union* data
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
const cc_credentials_f* functions
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__credentials__f.html b/doc/ccapi/html/structcc__credentials__f.html -deleted file mode 100644 -index 91f4b3adb..000000000 ---- a/doc/ccapi/html/structcc__credentials__f.html -+++ /dev/null -@@ -1,85 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_f Struct Reference -- -- -- -- --

cc_credentials_f Struct Reference

Detailed Description

--Function pointer table for cc_credentials_t. For more information see cc_credentials_t Overview. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* release)(cc_credentials_t io_credentials)
--
-- -- -- -- -- --
--   -- -- --

--cc_credentials_release(): Release memory associated with a cc_credentials_t object. --

--

Parameters:
-- -- --
io_credentials the credentials object to release.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* compare)(cc_credentials_t in_credentials, cc_credentials_t in_compare_to_credentials, cc_uint32 *out_equal)
--
-- -- -- -- -- --
--   -- -- --

--cc_credentials_compare(): Compare two credentials objects. --

--

Parameters:
-- -- -- -- --
in_credentials a credentials object.
in_compare_to_credentials a credentials object to compare with in_credentials.
out_equal on exit, whether or not the two credentials objects refer to the same credentials in the cache collection.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__credentials__iterator__d.html b/doc/ccapi/html/structcc__credentials__iterator__d.html -deleted file mode 100644 -index 5682db0ed..000000000 ---- a/doc/ccapi/html/structcc__credentials__iterator__d.html -+++ /dev/null -@@ -1,43 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_iterator_d Struct Reference -- -- -- -- --

cc_credentials_iterator_d Struct Reference
-- --[cc_credentials_iterator_t] --

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
const cc_credentials_iterator_f* functions
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__credentials__iterator__f.html b/doc/ccapi/html/structcc__credentials__iterator__f.html -deleted file mode 100644 -index 66aec178a..000000000 ---- a/doc/ccapi/html/structcc__credentials__iterator__f.html -+++ /dev/null -@@ -1,85 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_iterator_f Struct Reference -- -- -- -- --

cc_credentials_iterator_f Struct Reference

Detailed Description

--Function pointer table for cc_credentials_iterator_t. For more information see cc_credentials_iterator_t. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* release)(cc_credentials_iterator_t io_credentials_iterator)
--
-- -- -- -- -- --
--   -- -- --

--cc_credentials_iterator_release(): Release memory associated with a cc_credentials_iterator_t object. --

--

Parameters:
-- -- --
io_credentials_iterator the credentials iterator object to release.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

-- -- -- -- --
-- -- -- -- --
cc_int32(* next)(cc_credentials_iterator_t in_credentials_iterator, cc_credentials_t *out_credentials)
--
-- -- -- -- -- --
--   -- -- --

--cc_credentials_iterator_next(): Get the next credentials in the ccache. --

--

Parameters:
-- -- -- --
in_credentials_iterator a credentials iterator object.
out_credentials on exit, the next credentials in the ccache.
--
--
Returns:
On success, ccNoError if the next credential in the ccache was obtained or ccIteratorEnd if there are no more credentials. On failure, an error code representing the failure.
--
--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__credentials__union.html b/doc/ccapi/html/structcc__credentials__union.html -deleted file mode 100644 -index 6082346cc..000000000 ---- a/doc/ccapi/html/structcc__credentials__union.html -+++ /dev/null -@@ -1,118 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_union Struct Reference -- -- -- -- --

cc_credentials_union Struct Reference
-- --[cc_credentials_t Overview] --

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_uint32 version
--
-- -- -- -- -- --
--   -- -- --

--The credentials version of this credentials object.

--

-- -- -- -- --
-- -- -- -- --
cc_credentials_v4_t* credentials_v4
--
-- -- -- -- -- --
--   -- -- --

--If version is cc_credentials_v4, a pointer to a cc_credentials_v4_t.

--

-- -- -- -- --
-- -- -- -- --
cc_credentials_v5_t* credentials_v5
--
-- -- -- -- -- --
--   -- -- --

--If version is cc_credentials_v5, a pointer to a cc_credentials_v5_t.

--

-- -- -- -- --
-- -- -- -- --
union { ... } credentials
--
-- -- -- -- -- --
--   -- -- --

--The credentials.

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__credentials__v4__t.html b/doc/ccapi/html/structcc__credentials__v4__t.html -deleted file mode 100644 -index 086e7fea7..000000000 ---- a/doc/ccapi/html/structcc__credentials__v4__t.html -+++ /dev/null -@@ -1,358 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_v4_t Struct Reference -- -- -- -- --

cc_credentials_v4_t Struct Reference
-- --[cc_credentials_t Overview] --

Detailed Description

--If a cc_credentials_t variable is used to store Kerberos v4 credentials, then credentials.credentials_v4 points to a v4 credentials structure. This structure is similar to a krb4 API CREDENTIALS structure. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_uint32 version
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
char principal[cc_v4_name_size]
--
-- -- -- -- -- --
--   -- -- --

--A properly quoted string representation of the first component of the client principal

--

-- -- -- -- --
-- -- -- -- --
char principal_instance[cc_v4_instance_size]
--
-- -- -- -- -- --
--   -- -- --

--A properly quoted string representation of the second component of the client principal

--

-- -- -- -- --
-- -- -- -- --
char service[cc_v4_name_size]
--
-- -- -- -- -- --
--   -- -- --

--A properly quoted string representation of the first component of the service principal

--

-- -- -- -- --
-- -- -- -- --
char service_instance[cc_v4_instance_size]
--
-- -- -- -- -- --
--   -- -- --

--A properly quoted string representation of the second component of the service principal

--

-- -- -- -- --
-- -- -- -- --
char realm[cc_v4_realm_size]
--
-- -- -- -- -- --
--   -- -- --

--A properly quoted string representation of the realm

--

-- -- -- -- --
-- -- -- -- --
unsigned char session_key[cc_v4_key_size]
--
-- -- -- -- -- --
--   -- -- --

--Ticket session key

--

-- -- -- -- --
-- -- -- -- --
cc_int32 kvno
--
-- -- -- -- -- --
--   -- -- --

--Key version number

--

-- -- -- -- --
-- -- -- -- --
cc_int32 string_to_key_type
--
-- -- -- -- -- --
--   -- -- --

--String to key type used. See cc_string_to_key_type for valid values

--

-- -- -- -- --
-- -- -- -- --
cc_time_t issue_date
--
-- -- -- -- -- --
--   -- -- --

--Time when the ticket was issued

--

-- -- -- -- --
-- -- -- -- --
cc_int32 lifetime
--
-- -- -- -- -- --
--   -- -- --

--Ticket lifetime in 5 minute units

--

-- -- -- -- --
-- -- -- -- --
cc_uint32 address
--
-- -- -- -- -- --
--   -- -- --

--IPv4 address of the client the ticket was issued for

--

-- -- -- -- --
-- -- -- -- --
cc_int32 ticket_size
--
-- -- -- -- -- --
--   -- -- --

--Ticket size (no greater than cc_v4_ticket_size)

--

-- -- -- -- --
-- -- -- -- --
unsigned char ticket[cc_v4_ticket_size]
--
-- -- -- -- -- --
--   -- -- --

--Ticket data

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__credentials__v5__t.html b/doc/ccapi/html/structcc__credentials__v5__t.html -deleted file mode 100644 -index ad0996281..000000000 ---- a/doc/ccapi/html/structcc__credentials__v5__t.html -+++ /dev/null -@@ -1,334 +0,0 @@ -- -- --Credentials Cache API : cc_credentials_v5_t Struct Reference -- -- -- -- --

cc_credentials_v5_t Struct Reference
-- --[cc_credentials_t Overview] --

Detailed Description

--If a cc_credentials_t variable is used to store Kerberos v5 c redentials, and then credentials.credentials_v5 points to a v5 credentials structure. This structure is similar to a krb5_creds structure. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
char* client
--
-- -- -- -- -- --
--   -- -- --

--A properly quoted string representation of the client principal.

--

-- -- -- -- --
-- -- -- -- --
char* server
--
-- -- -- -- -- --
--   -- -- --

--A properly quoted string representation of the service principal.

--

-- -- -- -- --
-- -- -- -- --
cc_data keyblock
--
-- -- -- -- -- --
--   -- -- --

--Session encryption key info.

--

-- -- -- -- --
-- -- -- -- --
cc_time_t authtime
--
-- -- -- -- -- --
--   -- -- --

--The time when the ticket was issued.

--

-- -- -- -- --
-- -- -- -- --
cc_time_t starttime
--
-- -- -- -- -- --
--   -- -- --

--The time when the ticket becomes valid.

--

-- -- -- -- --
-- -- -- -- --
cc_time_t endtime
--
-- -- -- -- -- --
--   -- -- --

--The time when the ticket expires.

--

-- -- -- -- --
-- -- -- -- --
cc_time_t renew_till
--
-- -- -- -- -- --
--   -- -- --

--The time when the ticket becomes no longer renewable (if renewable).

--

-- -- -- -- --
-- -- -- -- --
cc_uint32 is_skey
--
-- -- -- -- -- --
--   -- -- --

--1 if the ticket is encrypted in another ticket's key, or 0 otherwise.

--

-- -- -- -- --
-- -- -- -- --
cc_uint32 ticket_flags
--
-- -- -- -- -- --
--   -- -- --

--Ticket flags, as defined by the Kerberos 5 API.

--

-- -- -- -- --
-- -- -- -- --
cc_data** addresses
--
-- -- -- -- -- --
--   -- -- --

--The the list of network addresses of hosts that are allowed to authenticate using this ticket.

--

-- -- -- -- --
-- -- -- -- --
cc_data ticket
--
-- -- -- -- -- --
--   -- -- --

--Ticket data.

--

-- -- -- -- --
-- -- -- -- --
cc_data second_ticket
--
-- -- -- -- -- --
--   -- -- --

--Second ticket data.

--

-- -- -- -- --
-- -- -- -- --
cc_data** authdata
--
-- -- -- -- -- --
--   -- -- --

--Authorization data.

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__data.html b/doc/ccapi/html/structcc__data.html -deleted file mode 100644 -index 346f6a41d..000000000 ---- a/doc/ccapi/html/structcc__data.html -+++ /dev/null -@@ -1,94 +0,0 @@ -- -- --Credentials Cache API : cc_data Struct Reference -- -- -- -- --

cc_data Struct Reference
-- --[cc_credentials_t Overview] --

Detailed Description

--The CCAPI data structure. This structure is similar to a krb5_data structure. In a v5 credentials structure, cc_data structures are used to store tagged variable-length binary data. Specifically, for cc_credentials_v5.ticket and cc_credentials_v5.second_ticket, the cc_data.type field must be zero. For the cc_credentials_v5.addresses, cc_credentials_v5.authdata, and cc_credentials_v5.keyblock, the cc_data.type field should be the address type, authorization data type, and encryption type, as defined by the Kerberos v5 protocol definition. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_uint32 type
--
-- -- -- -- -- --
--   -- -- --

--The type of the data as defined by the krb5_data structure.

--

-- -- -- -- --
-- -- -- -- --
cc_uint32 length
--
-- -- -- -- -- --
--   -- -- --

--The length of data.

--

-- -- -- -- --
-- -- -- -- --
void* data
--
-- -- -- -- -- --
--   -- -- --

--The data buffer.

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__string__d.html b/doc/ccapi/html/structcc__string__d.html -deleted file mode 100644 -index b38286b3e..000000000 ---- a/doc/ccapi/html/structcc__string__d.html -+++ /dev/null -@@ -1,67 +0,0 @@ -- -- --Credentials Cache API : cc_string_d Struct Reference -- -- -- -- --

cc_string_d Struct Reference
-- --[cc_string_t Overview] --

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
const char* data
--
-- -- -- -- -- --
--   -- -- --

--

--

-- -- -- -- --
-- -- -- -- --
const cc_string_f* functions
--
-- -- -- -- -- --
--   -- -- --

--

--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- -diff --git a/doc/ccapi/html/structcc__string__f.html b/doc/ccapi/html/structcc__string__f.html -deleted file mode 100644 -index d5f738f49..000000000 ---- a/doc/ccapi/html/structcc__string__f.html -+++ /dev/null -@@ -1,51 +0,0 @@ -- -- --Credentials Cache API : cc_string_f Struct Reference -- -- -- -- --

cc_string_f Struct Reference

Detailed Description

--Function pointer table for cc_string_t. For more information see cc_string_t Overview. --

--

Data Fields

-- --

Field Documentation

--

-- -- -- -- --
-- -- -- -- --
cc_int32(* release)(cc_string_t io_string)
--
-- -- -- -- -- --
--   -- -- --

--cc_string_release(): Release memory associated with a cc_string_t object. --

--

Parameters:
-- -- --
io_string the string object to release.
--
--
Returns:
On success, ccNoError. On failure, an error code representing the failure.
--
--

Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  -- --doxygen 1.4.6
-- -- diff --git a/Remove-kadmin-RPC-support-for-setting-v4-key.patch b/Remove-kadmin-RPC-support-for-setting-v4-key.patch deleted file mode 100644 index 3a08ddc..0000000 --- a/Remove-kadmin-RPC-support-for-setting-v4-key.patch +++ /dev/null @@ -1,466 +0,0 @@ -From 620a45acc6ea6c01cce0474883011ed47cb35458 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 4 Apr 2019 16:14:46 -0400 -Subject: [PATCH] Remove kadmin RPC support for setting v4 key - -ticket: 8794 (new) -(cherry picked from commit 752187a441ed0f301f1a8adb1fea843080ac8c97) ---- - src/kadmin/server/kadm_rpc_svc.c | 7 -- - src/kadmin/server/ovsec_kadmd.c | 2 +- - src/kadmin/server/server_stubs.c | 50 --------- - src/lib/kadm5/admin.h | 3 - - src/lib/kadm5/admin_xdr.h | 1 - - src/lib/kadm5/clnt/Makefile.in | 2 +- - src/lib/kadm5/clnt/client_principal.c | 22 ---- - src/lib/kadm5/clnt/client_rpc.c | 8 -- - src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 2 - - src/lib/kadm5/kadm_rpc.h | 16 +-- - src/lib/kadm5/kadm_rpc_xdr.c | 19 ---- - src/lib/kadm5/srv/Makefile.in | 2 +- - src/lib/kadm5/srv/libkadm5srv_mit.exports | 2 - - src/lib/kadm5/srv/svr_principal.c | 118 -------------------- - 14 files changed, 6 insertions(+), 248 deletions(-) - -diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c -index 41fc88ac8..d343e2c25 100644 ---- a/src/kadmin/server/kadm_rpc_svc.c -+++ b/src/kadmin/server/kadm_rpc_svc.c -@@ -53,7 +53,6 @@ void kadm_1(rqstp, transp) - mpol_arg modify_policy_2_arg; - gpol_arg get_policy_2_arg; - setkey_arg setkey_principal_2_arg; -- setv4key_arg setv4key_principal_2_arg; - cprinc3_arg create_principal3_2_arg; - chpass3_arg chpass_principal3_2_arg; - chrand3_arg chrand_principal3_2_arg; -@@ -134,12 +133,6 @@ void kadm_1(rqstp, transp) - local = (bool_t (*)()) chpass_principal_2_svc; - break; - -- case SETV4KEY_PRINCIPAL: -- xdr_argument = xdr_setv4key_arg; -- xdr_result = xdr_generic_ret; -- local = (bool_t (*)()) setv4key_principal_2_svc; -- break; -- - case SETKEY_PRINCIPAL: - xdr_argument = xdr_setkey_arg; - xdr_result = xdr_generic_ret; -diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c -index 6a6b21401..3737791b6 100644 ---- a/src/kadmin/server/ovsec_kadmd.c -+++ b/src/kadmin/server/ovsec_kadmd.c -@@ -227,7 +227,7 @@ log_badverf(gss_name_t client_name, gss_name_t server_name, - {14, "GET_PRINCS"}, - {15, "GET_POLS"}, - {16, "SETKEY_PRINCIPAL"}, -- {17, "SETV4KEY_PRINCIPAL"}, -+ /* 17 was "SETV4KEY_PRINCIPAL" */ - {18, "CREATE_PRINCIPAL3"}, - {19, "CHPASS_PRINCIPAL3"}, - {20, "CHRAND_PRINCIPAL3"}, -diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c -index cfef97fec..d5a25e502 100644 ---- a/src/kadmin/server/server_stubs.c -+++ b/src/kadmin/server/server_stubs.c -@@ -893,56 +893,6 @@ exit_func: - return TRUE; - } - --bool_t --setv4key_principal_2_svc(setv4key_arg *arg, generic_ret *ret, -- struct svc_req *rqstp) --{ -- char *prime_arg = NULL; -- gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; -- gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; -- kadm5_server_handle_t handle; -- const char *errmsg = NULL; -- -- ret->code = stub_setup(arg->api_version, rqstp, arg->princ, &handle, -- &ret->api_version, &client_name, &service_name, -- &prime_arg); -- if (ret->code) -- goto exit_func; -- -- ret->code = check_lockdown_keys(handle, arg->princ); -- if (ret->code != KADM5_OK) { -- if (ret->code == KADM5_PROTECT_KEYS) { -- log_unauth("kadm5_setv4key_principal", prime_arg, &client_name, -- &service_name, rqstp); -- ret->code = KADM5_AUTH_SETKEY; -- } -- } else if (!(CHANGEPW_SERVICE(rqstp)) && -- stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) { -- ret->code = kadm5_setv4key_principal(handle, arg->princ, -- arg->keyblock); -- } else { -- log_unauth("kadm5_setv4key_principal", prime_arg, -- &client_name, &service_name, rqstp); -- ret->code = KADM5_AUTH_SETKEY; -- } -- -- if (ret->code != KADM5_AUTH_SETKEY) { -- if (ret->code != 0) -- errmsg = krb5_get_error_message(handle->context, ret->code); -- -- log_done("kadm5_setv4key_principal", prime_arg, errmsg, -- &client_name, &service_name, rqstp); -- -- if (errmsg != NULL) -- krb5_free_error_message(handle->context, errmsg); -- } -- --exit_func: -- stub_cleanup(handle, prime_arg, &client_name, &service_name); -- return TRUE; --} -- -- - bool_t - setkey_principal_2_svc(setkey_arg *arg, generic_ret *ret, - struct svc_req *rqstp) -diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h -index b765148b3..7268be44e 100644 ---- a/src/lib/kadm5/admin.h -+++ b/src/lib/kadm5/admin.h -@@ -394,9 +394,6 @@ kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock **keyblocks, - int *n_keys); --kadm5_ret_t kadm5_setv4key_principal(void *server_handle, -- krb5_principal principal, -- krb5_keyblock *keyblock); - - kadm5_ret_t kadm5_setkey_principal(void *server_handle, - krb5_principal principal, -diff --git a/src/lib/kadm5/admin_xdr.h b/src/lib/kadm5/admin_xdr.h -index 2d22611e7..9da98451e 100644 ---- a/src/lib/kadm5/admin_xdr.h -+++ b/src/lib/kadm5/admin_xdr.h -@@ -37,7 +37,6 @@ bool_t xdr_mprinc_arg(XDR *xdrs, mprinc_arg *objp); - bool_t xdr_rprinc_arg(XDR *xdrs, rprinc_arg *objp); - bool_t xdr_chpass_arg(XDR *xdrs, chpass_arg *objp); - bool_t xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp); --bool_t xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp); - bool_t xdr_setkey_arg(XDR *xdrs, setkey_arg *objp); - bool_t xdr_setkey3_arg(XDR *xdrs, setkey3_arg *objp); - bool_t xdr_setkey4_arg(XDR *xdrs, setkey4_arg *objp); -diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in -index a180e85cd..2bc385afe 100644 ---- a/src/lib/kadm5/clnt/Makefile.in -+++ b/src/lib/kadm5/clnt/Makefile.in -@@ -3,7 +3,7 @@ BUILDTOP=$(REL)..$(S)..$(S).. - LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5 - - LIBBASE=kadm5clnt_mit --LIBMAJOR=11 -+LIBMAJOR=12 - LIBMINOR=0 - STOBJLISTS=../OBJS.ST OBJS.ST - SHLIB_EXPDEPS=\ -diff --git a/src/lib/kadm5/clnt/client_principal.c b/src/lib/kadm5/clnt/client_principal.c -index 18714bf37..96d9d1932 100644 ---- a/src/lib/kadm5/clnt/client_principal.c -+++ b/src/lib/kadm5/clnt/client_principal.c -@@ -273,28 +273,6 @@ kadm5_chpass_principal_3(void *server_handle, - return r.code; - } - --kadm5_ret_t --kadm5_setv4key_principal(void *server_handle, -- krb5_principal princ, -- krb5_keyblock *keyblock) --{ -- setv4key_arg arg; -- generic_ret r = { 0, 0 }; -- kadm5_server_handle_t handle = server_handle; -- -- CHECK_HANDLE(server_handle); -- -- arg.princ = princ; -- arg.keyblock = keyblock; -- arg.api_version = handle->api_version; -- -- if(princ == NULL || keyblock == NULL) -- return EINVAL; -- if (setv4key_principal_2(&arg, &r, handle->clnt)) -- eret(); -- return r.code; --} -- - kadm5_ret_t - kadm5_setkey_principal(void *server_handle, - krb5_principal princ, -diff --git a/src/lib/kadm5/clnt/client_rpc.c b/src/lib/kadm5/clnt/client_rpc.c -index df5455fd8..d84d158b4 100644 ---- a/src/lib/kadm5/clnt/client_rpc.c -+++ b/src/lib/kadm5/clnt/client_rpc.c -@@ -84,14 +84,6 @@ chpass_principal3_2(chpass3_arg *argp, generic_ret *res, CLIENT *clnt) - (xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT); - } - --enum clnt_stat --setv4key_principal_2(setv4key_arg *argp, generic_ret *res, CLIENT *clnt) --{ -- return clnt_call(clnt, SETV4KEY_PRINCIPAL, -- (xdrproc_t)xdr_setv4key_arg, (caddr_t)argp, -- (xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT); --} -- - enum clnt_stat - setkey_principal_2(setkey_arg *argp, generic_ret *res, CLIENT *clnt) - { -diff --git a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports -index f122b31ab..e41c8e4f7 100644 ---- a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports -+++ b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports -@@ -44,7 +44,6 @@ kadm5_set_string - kadm5_setkey_principal - kadm5_setkey_principal_3 - kadm5_setkey_principal_4 --kadm5_setv4key_principal - kadm5_unlock - krb5_aprof_finish - krb5_aprof_get_boolean -@@ -114,6 +113,5 @@ xdr_rprinc_arg - xdr_setkey3_arg - xdr_setkey4_arg - xdr_setkey_arg --xdr_setv4key_arg - xdr_ui_4 - kadm5_init_iprop -diff --git a/src/lib/kadm5/kadm_rpc.h b/src/lib/kadm5/kadm_rpc.h -index 8d7cf3b36..5099c6c14 100644 ---- a/src/lib/kadm5/kadm_rpc.h -+++ b/src/lib/kadm5/kadm_rpc.h -@@ -82,13 +82,6 @@ struct chpass3_arg { - }; - typedef struct chpass3_arg chpass3_arg; - --struct setv4key_arg { -- krb5_ui_4 api_version; -- krb5_principal princ; -- krb5_keyblock *keyblock; --}; --typedef struct setv4key_arg setv4key_arg; -- - struct setkey_arg { - krb5_ui_4 api_version; - krb5_principal princ; -@@ -322,11 +315,9 @@ extern enum clnt_stat setkey_principal_2(setkey_arg *, generic_ret *, - CLIENT *); - extern bool_t setkey_principal_2_svc(setkey_arg *, generic_ret *, - struct svc_req *); --#define SETV4KEY_PRINCIPAL 17 --extern enum clnt_stat setv4key_principal_2(setv4key_arg *, generic_ret *, -- CLIENT *); --extern bool_t setv4key_principal_2_svc(setv4key_arg *, generic_ret *, -- struct svc_req *); -+ -+/* 17 was SETV4KEY_PRINCIPAL (removed in 1.18). */ -+ - #define CREATE_PRINCIPAL3 18 - extern enum clnt_stat create_principal3_2(cprinc3_arg *, generic_ret *, - CLIENT *); -@@ -380,7 +371,6 @@ extern bool_t xdr_gprincs_arg (); - extern bool_t xdr_gprincs_ret (); - extern bool_t xdr_chpass_arg (); - extern bool_t xdr_chpass3_arg (); --extern bool_t xdr_setv4key_arg (); - extern bool_t xdr_setkey_arg (); - extern bool_t xdr_setkey3_arg (); - extern bool_t xdr_setkey4_arg (); -diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c -index 2892d4147..745ee857e 100644 ---- a/src/lib/kadm5/kadm_rpc_xdr.c -+++ b/src/lib/kadm5/kadm_rpc_xdr.c -@@ -710,25 +710,6 @@ xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp) - return (TRUE); - } - --bool_t --xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp) --{ -- unsigned int n_keys = 1; -- -- if (!xdr_ui_4(xdrs, &objp->api_version)) { -- return (FALSE); -- } -- if (!xdr_krb5_principal(xdrs, &objp->princ)) { -- return (FALSE); -- } -- if (!xdr_array(xdrs, (caddr_t *) &objp->keyblock, -- &n_keys, ~0, -- sizeof(krb5_keyblock), xdr_krb5_keyblock)) { -- return (FALSE); -- } -- return (TRUE); --} -- - bool_t - xdr_setkey_arg(XDR *xdrs, setkey_arg *objp) - { -diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in -index 617d65666..89e6097cf 100644 ---- a/src/lib/kadm5/srv/Makefile.in -+++ b/src/lib/kadm5/srv/Makefile.in -@@ -9,7 +9,7 @@ DEFINES = @HESIOD_DEFS@ - ##DOSLIBNAME = libkadm5srv.lib - - LIBBASE=kadm5srv_mit --LIBMAJOR=11 -+LIBMAJOR=12 - LIBMINOR=0 - STOBJLISTS=../OBJS.ST OBJS.ST - -diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports -index 64ad5dd69..e3c04e690 100644 ---- a/src/lib/kadm5/srv/libkadm5srv_mit.exports -+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports -@@ -45,7 +45,6 @@ kadm5_set_string - kadm5_setkey_principal - kadm5_setkey_principal_3 - kadm5_setkey_principal_4 --kadm5_setv4key_principal - kadm5_unlock - kdb_delete_entry - kdb_free_entry -@@ -133,7 +132,6 @@ xdr_rprinc_arg - xdr_setkey3_arg - xdr_setkey4_arg - xdr_setkey_arg --xdr_setv4key_arg - xdr_sstring_arg - xdr_ui_4 - kadm5_init_iprop -diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index be0922101..a1ecdbfc4 100644 ---- a/src/lib/kadm5/srv/svr_principal.c -+++ b/src/lib/kadm5/srv/svr_principal.c -@@ -1649,124 +1649,6 @@ done: - return ret; - } - --/* -- * kadm5_setv4key_principal: -- * -- * Set only ONE key of the principal, removing all others. This key -- * must have the DES_CBC_CRC enctype and is entered as having the -- * krb4 salttype. This is to enable things like kadmind4 to work. -- */ --kadm5_ret_t --kadm5_setv4key_principal(void *server_handle, -- krb5_principal principal, -- krb5_keyblock *keyblock) --{ -- krb5_db_entry *kdb; -- osa_princ_ent_rec adb; -- krb5_timestamp now; -- kadm5_policy_ent_rec pol; -- krb5_keysalt keysalt; -- int i, kvno, ret; -- krb5_boolean have_pol = FALSE; -- kadm5_server_handle_t handle = server_handle; -- krb5_key_data tmp_key_data; -- krb5_keyblock *act_mkey; -- -- memset( &tmp_key_data, 0, sizeof(tmp_key_data)); -- -- CHECK_HANDLE(server_handle); -- -- krb5_clear_error_message(handle->context); -- -- if (principal == NULL || keyblock == NULL) -- return EINVAL; -- if (hist_princ && /* this will be NULL when initializing the databse */ -- ((krb5_principal_compare(handle->context, -- principal, hist_princ)) == TRUE)) -- return KADM5_PROTECT_PRINCIPAL; -- -- if (keyblock->enctype != ENCTYPE_DES_CBC_CRC) -- return KADM5_SETV4KEY_INVAL_ENCTYPE; -- -- if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) -- return(ret); -- -- for (kvno = 0, i=0; in_key_data; i++) -- if (kdb->key_data[i].key_data_kvno > kvno) -- kvno = kdb->key_data[i].key_data_kvno; -- -- if (kdb->key_data != NULL) -- cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data); -- -- kdb->key_data = calloc(1, sizeof(krb5_key_data)); -- if (kdb->key_data == NULL) -- return ENOMEM; -- kdb->n_key_data = 1; -- keysalt.type = KRB5_KDB_SALTTYPE_V4; -- /* XXX data.magic? */ -- keysalt.data.length = 0; -- keysalt.data.data = NULL; -- -- ret = kdb_get_active_mkey(handle, NULL, &act_mkey); -- if (ret) -- goto done; -- -- /* use tmp_key_data as temporary location and reallocate later */ -- ret = krb5_dbe_encrypt_key_data(handle->context, act_mkey, keyblock, -- &keysalt, kvno + 1, kdb->key_data); -- if (ret) { -- goto done; -- } -- -- kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; -- -- ret = krb5_timeofday(handle->context, &now); -- if (ret) -- goto done; -- -- if ((adb.aux_attributes & KADM5_POLICY)) { -- ret = get_policy(handle, adb.policy, &pol, &have_pol); -- if (ret) -- goto done; -- } -- if (have_pol) { -- if (pol.pw_max_life) -- kdb->pw_expiration = ts_incr(now, pol.pw_max_life); -- else -- kdb->pw_expiration = 0; -- } else { -- kdb->pw_expiration = 0; -- } -- -- ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now); -- if (ret) -- goto done; -- -- /* unlock principal on this KDC */ -- kdb->fail_auth_count = 0; -- -- /* key data changed, let the database provider know */ -- kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; -- -- if ((ret = kdb_put_entry(handle, kdb, &adb))) -- goto done; -- -- ret = KADM5_OK; --done: -- for (i = 0; i < tmp_key_data.key_data_ver; i++) { -- if (tmp_key_data.key_data_contents[i]) { -- memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); -- free (tmp_key_data.key_data_contents[i]); -- } -- } -- -- kdb_free_entry(handle, kdb, &adb); -- if (have_pol) -- kadm5_free_policy_ent(handle->lhandle, &pol); -- -- return ret; --} -- - kadm5_ret_t - kadm5_setkey_principal(void *server_handle, - krb5_principal principal, diff --git a/Remove-krb5int_c_combine_keys.patch b/Remove-krb5int_c_combine_keys.patch deleted file mode 100644 index e78c003..0000000 --- a/Remove-krb5int_c_combine_keys.patch +++ /dev/null @@ -1,479 +0,0 @@ -From 90c702467b0c4373758f235512c67f80f1998e02 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 18 Apr 2019 17:27:07 -0400 -Subject: [PATCH] Remove krb5int_c_combine_keys() - -This method of combining keys was specified by -draft-ietf-krb-wg-kerberos-sam for DES and 3DES enctypes, and is -otherwise unused. Remove it. - -[ghudson@mit.edu: rewrote commit message] - -ticket: 8812 -(cherry picked from commit 925a7df2f486aaa3ff137d2bcdf8ff57186638c6) -[rharwood@redhat.com: conflicts: .gitignore] ---- - src/include/k5-int.h | 7 - - src/lib/crypto/crypto_tests/Makefile.in | 12 +- - src/lib/crypto/crypto_tests/deps | 10 -- - src/lib/crypto/crypto_tests/t_combine.c | 62 ------- - src/lib/crypto/krb/Makefile.in | 3 - - src/lib/crypto/krb/combine_keys.c | 227 ------------------------ - src/lib/crypto/krb/deps | 13 -- - src/lib/crypto/libk5crypto.exports | 1 - - 8 files changed, 3 insertions(+), 332 deletions(-) - delete mode 100644 src/lib/crypto/crypto_tests/t_combine.c - delete mode 100644 src/lib/crypto/krb/combine_keys.c - -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 2bc59e636..0857fd1cc 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -673,13 +673,6 @@ zapfreedata(krb5_data *data) - } - } - --/* -- * Combine two keys (normally used by the hardware preauth mechanism) -- */ --krb5_error_code --krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1, -- krb5_keyblock *key2, krb5_keyblock *outkey); -- - void krb5int_c_free_keyblock(krb5_context, krb5_keyblock *key); - void krb5int_c_free_keyblock_contents(krb5_context, krb5_keyblock *); - krb5_error_code krb5int_c_init_keyblock(krb5_context, krb5_enctype enctype, -diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in -index 09feeb50e..0295ee14f 100644 ---- a/src/lib/crypto/crypto_tests/Makefile.in -+++ b/src/lib/crypto/crypto_tests/Makefile.in -@@ -23,8 +23,7 @@ EXTRADEPSRCS=\ - $(srcdir)/t_short.c \ - $(srcdir)/t_str2key.c \ - $(srcdir)/t_derive.c \ -- $(srcdir)/t_fork.c \ -- $(srcdir)/t_combine.c -+ $(srcdir)/t_fork.c - - ##DOS##BUILDTOP = ..\..\.. - -@@ -33,8 +32,7 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \ - aes-test \ - camellia-test \ - t_mddriver4 t_mddriver \ -- t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \ -- t_combine -+ t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 - $(RUN_TEST) ./t_nfold - $(RUN_TEST) ./t_encrypt - $(RUN_TEST) ./t_decrypt -@@ -59,7 +57,6 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \ - $(RUN_TEST) ./t_fork - $(RUN_TEST) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output - diff t_cf2.output $(srcdir)/t_cf2.expected -- $(RUN_TEST) ./t_combine - # $(RUN_TEST) ./t_pkcs5 - - t_nfold$(EXEEXT): t_nfold.$(OBJEXT) $(KRB5_BASE_DEPLIBS) -@@ -134,9 +131,6 @@ t_fork$(EXEEXT): t_fork.$(OBJEXT) $(KRB5_BASE_DEPLIBS) - t_cf2$(EXEEXT): t_cf2.$(OBJEXT) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_cf2.$(OBJEXT) $(KRB5_BASE_LIBS) - --t_combine$(EXEEXT): t_combine.$(OBJEXT) $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o $@ t_combine.$(OBJEXT) $(KRB5_BASE_LIBS) -- - clean: - $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o \ - t_decrypt.o t_decrypt t_prng.o t_prng t_cmac.o t_cmac \ -@@ -149,7 +143,7 @@ clean: - t_str2key.o t_derive t_derive.o t_fork t_fork.o \ - t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT) \ - camellia-test camellia-test.o camellia-vt.txt \ -- t_cf2 t_cf2.o t_cf2.output t_combine.o t_combine -+ t_cf2 t_cf2.o t_cf2.output - - -$(RM) t_prng.output - -$(RM) t_prf.output -diff --git a/src/lib/crypto/crypto_tests/deps b/src/lib/crypto/crypto_tests/deps -index 19fef2582..0d10d4a1a 100644 ---- a/src/lib/crypto/crypto_tests/deps -+++ b/src/lib/crypto/crypto_tests/deps -@@ -226,13 +226,3 @@ $(OUTPRE)t_fork.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h t_fork.c --$(OUTPRE)t_combine.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h t_combine.c -diff --git a/src/lib/crypto/crypto_tests/t_combine.c b/src/lib/crypto/crypto_tests/t_combine.c -deleted file mode 100644 -index ba0622bcf..000000000 ---- a/src/lib/crypto/crypto_tests/t_combine.c -+++ /dev/null -@@ -1,62 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/crypto/crypto_tests/t_combine.c - krb5int_c_combine_keys tests */ --/* -- * Copyright (C) 2014 by the Massachusetts Institute of Technology. -- * All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * -- * * Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * -- * * Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in -- * the documentation and/or other materials provided with the -- * distribution. -- * -- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -- * OF THE POSSIBILITY OF SUCH DAMAGE. -- */ -- --#include "k5-int.h" -- --unsigned char des3_key1[] = "\x10\xB6\x75\xD5\x5B\xD9\x6E\x73" -- "\xFD\x54\xB3\x3D\x37\x52\xC1\x2A\xF7\x43\x91\xFE\x1C\x02\x37\x13"; --unsigned char des3_key2[] = "\xC8\xDA\x3E\xA7\xB6\x64\xAE\x7A" -- "\xB5\x70\x2A\x29\xB3\xBF\x9B\xA8\x46\x7C\x5B\xA8\x8A\x46\x70\x10"; --unsigned char des3_result[] = "\x2F\x79\x97\x3E\x3E\xA4\x73\x1A" -- "\xB9\x3D\xEF\x5E\x7C\x29\xFB\x2A\x68\x86\x1F\xC1\x85\x0E\x79\x92"; -- --int --main(int argc, char **argv) --{ -- krb5_keyblock kb1, kb2, result; -- -- kb1.enctype = ENCTYPE_DES3_CBC_SHA1; -- kb1.contents = des3_key1; -- kb1.length = 24; -- kb2.enctype = ENCTYPE_DES3_CBC_SHA1; -- kb2.contents = des3_key2; -- kb2.length = 24; -- memset(&result, 0, sizeof(result)); -- if (krb5int_c_combine_keys(NULL, &kb1, &kb2, &result) != 0) -- abort(); -- if (result.enctype != ENCTYPE_DES3_CBC_SHA1 || result.length != 24 || -- memcmp(result.contents, des3_result, 24) != 0) -- abort(); -- krb5_free_keyblock_contents(NULL, &result); -- -- return 0; --} -diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in -index c0e0b791b..536bacb6e 100644 ---- a/src/lib/crypto/krb/Makefile.in -+++ b/src/lib/crypto/krb/Makefile.in -@@ -22,7 +22,6 @@ STLIBOBJS=\ - cksumtypes.o \ - cmac.o \ - coll_proof_cksum.o \ -- combine_keys.o \ - crypto_length.o \ - crypto_libinit.o \ - default_state.o \ -@@ -84,7 +83,6 @@ OBJS=\ - $(OUTPRE)cksumtypes.$(OBJEXT) \ - $(OUTPRE)cmac.$(OBJEXT) \ - $(OUTPRE)coll_proof_cksum.$(OBJEXT) \ -- $(OUTPRE)combine_keys.$(OBJEXT) \ - $(OUTPRE)crypto_length.$(OBJEXT) \ - $(OUTPRE)crypto_libinit.$(OBJEXT) \ - $(OUTPRE)default_state.$(OBJEXT) \ -@@ -146,7 +144,6 @@ SRCS=\ - $(srcdir)/cksumtypes.c \ - $(srcdir)/cmac.c \ - $(srcdir)/coll_proof_cksum.c \ -- $(srcdir)/combine_keys.c \ - $(srcdir)/crypto_length.c \ - $(srcdir)/crypto_libinit.c \ - $(srcdir)/default_state.c \ -diff --git a/src/lib/crypto/krb/combine_keys.c b/src/lib/crypto/krb/combine_keys.c -deleted file mode 100644 -index c36434e17..000000000 ---- a/src/lib/crypto/krb/combine_keys.c -+++ /dev/null -@@ -1,227 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* Copyright (c) 2002 Naval Research Laboratory (NRL/CCS) */ --/* -- * Permission to use, copy, modify and distribute this software and its -- * documentation is hereby granted, provided that both the copyright -- * notice and this permission notice appear in all copies of the software, -- * derivative works or modified versions, and any portions thereof. -- * -- * NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND -- * DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER -- * RESULTING FROM THE USE OF THIS SOFTWARE. -- */ -- --/* -- * Key combination function. -- * -- * If Key1 and Key2 are two keys to be combined, the algorithm to combine -- * them is as follows. -- * -- * Definitions: -- * -- * k-truncate is defined as truncating to the key size the input. -- * -- * DR is defined as the generate "random" data from a key -- * (defined in crypto draft) -- * -- * DK is defined as the key derivation function (krb5int_derive_key()) -- * -- * (note: | means "concatenate") -- * -- * Combine key algorithm: -- * -- * R1 = DR(Key1, n-fold(Key2)) [ Output is length of Key1 ] -- * R2 = DR(Key2, n-fold(Key1)) [ Output is length of Key2 ] -- * -- * rnd = n-fold(R1 | R2) [ Note: output size of nfold must be appropriately -- * sized for random-to-key function ] -- * tkey = random-to-key(rnd) -- * Combine-Key(Key1, Key2) = DK(tkey, CombineConstant) -- * -- * CombineConstant is defined as the byte string: -- * -- * { 0x63 0x6f 0x6d 0x62 0x69 0x6e 0x65 }, which corresponds to the -- * ASCII encoding of the string "combine" -- */ -- --#include "crypto_int.h" -- --static krb5_error_code dr(const struct krb5_enc_provider *enc, -- const krb5_keyblock *inkey, unsigned char *outdata, -- const krb5_data *in_constant); -- --/* -- * We only support this combine_keys algorithm for des and 3des keys. -- * Everything else should use the PRF defined in the crypto framework. -- * We don't implement that yet. -- */ -- --static krb5_boolean --enctype_ok(krb5_enctype e) --{ -- switch (e) { -- case ENCTYPE_DES3_CBC_SHA1: -- return TRUE; -- default: -- return FALSE; -- } --} -- --krb5_error_code --krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1, -- krb5_keyblock *key2, krb5_keyblock *outkey) --{ -- unsigned char *r1 = NULL, *r2 = NULL, *combined = NULL, *rnd = NULL; -- unsigned char *output = NULL; -- size_t keybytes, keylength; -- const struct krb5_enc_provider *enc; -- krb5_data input, randbits; -- krb5_keyblock tkeyblock; -- krb5_key tkey = NULL; -- krb5_error_code ret; -- const struct krb5_keytypes *ktp; -- krb5_boolean myalloc = FALSE; -- -- if (!enctype_ok(key1->enctype) || !enctype_ok(key2->enctype)) -- return KRB5_CRYPTO_INTERNAL; -- -- if (key1->length != key2->length || key1->enctype != key2->enctype) -- return KRB5_CRYPTO_INTERNAL; -- -- /* Find our encryption algorithm. */ -- ktp = find_enctype(key1->enctype); -- if (ktp == NULL) -- return KRB5_BAD_ENCTYPE; -- enc = ktp->enc; -- -- keybytes = enc->keybytes; -- keylength = enc->keylength; -- -- /* Allocate and set up buffers. */ -- r1 = k5alloc(keybytes, &ret); -- if (ret) -- goto cleanup; -- r2 = k5alloc(keybytes, &ret); -- if (ret) -- goto cleanup; -- rnd = k5alloc(keybytes, &ret); -- if (ret) -- goto cleanup; -- combined = k5calloc(2, keybytes, &ret); -- if (ret) -- goto cleanup; -- output = k5alloc(keylength, &ret); -- if (ret) -- goto cleanup; -- -- /* -- * Get R1 and R2 (by running the input keys through the DR algorithm. -- * Note this is most of derive-key, but not all. -- */ -- -- input.length = key2->length; -- input.data = (char *) key2->contents; -- ret = dr(enc, key1, r1, &input); -- if (ret) -- goto cleanup; -- -- input.length = key1->length; -- input.data = (char *) key1->contents; -- ret = dr(enc, key2, r2, &input); -- if (ret) -- goto cleanup; -- -- /* -- * Concatenate the two keys together, and then run them through -- * n-fold to reduce them to a length appropriate for the random-to-key -- * operation. Note here that krb5int_nfold() takes sizes in bits, hence -- * the multiply by 8. -- */ -- -- memcpy(combined, r1, keybytes); -- memcpy(combined + keybytes, r2, keybytes); -- -- krb5int_nfold((keybytes * 2) * 8, combined, keybytes * 8, rnd); -- -- /* -- * Run the "random" bits through random-to-key to produce a encryption -- * key. -- */ -- -- randbits.length = keybytes; -- randbits.data = (char *) rnd; -- tkeyblock.length = keylength; -- tkeyblock.contents = output; -- tkeyblock.enctype = key1->enctype; -- -- ret = (*ktp->rand2key)(&randbits, &tkeyblock); -- if (ret) -- goto cleanup; -- -- ret = krb5_k_create_key(NULL, &tkeyblock, &tkey); -- if (ret) -- goto cleanup; -- -- /* -- * Run through derive-key one more time to produce the final key. -- * Note that the input to derive-key is the ASCII string "combine". -- */ -- -- input.length = 7; -- input.data = "combine"; -- -- /* -- * Just FYI: _if_ we have space here in the key, then simply use it -- * without modification. But if the key is blank (no allocated storage) -- * then allocate some memory for it. This allows programs to use one of -- * the existing keys as the output key, _or_ pass in a blank keyblock -- * for us to allocate. It's easier for us to allocate it since we already -- * know the crypto library internals -- */ -- -- if (outkey->length == 0 || outkey->contents == NULL) { -- outkey->contents = k5alloc(keylength, &ret); -- if (ret) -- goto cleanup; -- outkey->length = keylength; -- outkey->enctype = key1->enctype; -- myalloc = TRUE; -- } -- -- ret = krb5int_derive_keyblock(enc, NULL, tkey, outkey, &input, -- DERIVE_RFC3961); -- if (ret) { -- if (myalloc) { -- free(outkey->contents); -- outkey->contents = NULL; -- } -- goto cleanup; -- } -- --cleanup: -- zapfree(r1, keybytes); -- zapfree(r2, keybytes); -- zapfree(rnd, keybytes); -- zapfree(combined, keybytes * 2); -- zapfree(output, keylength); -- krb5_k_free_key(NULL, tkey); -- return ret; --} -- --/* Our DR function, a simple wrapper around krb5int_derive_random(). */ --static krb5_error_code --dr(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, -- unsigned char *out, const krb5_data *in_constant) --{ -- krb5_data outdata = make_data(out, enc->keybytes); -- krb5_key key = NULL; -- krb5_error_code ret; -- -- ret = krb5_k_create_key(NULL, inkey, &key); -- if (ret != 0) -- return ret; -- ret = krb5int_derive_random(enc, NULL, key, &outdata, in_constant, -- DERIVE_RFC3961); -- krb5_k_free_key(NULL, key); -- return ret; --} -diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps -index f9a740860..2f4af1906 100644 ---- a/src/lib/crypto/krb/deps -+++ b/src/lib/crypto/krb/deps -@@ -191,19 +191,6 @@ coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h coll_proof_cksum.c \ - crypto_int.h --combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \ -- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h combine_keys.c \ -- crypto_int.h - crypto_length.so crypto_length.po $(OUTPRE)crypto_length.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports -index 63804299f..451d5e035 100644 ---- a/src/lib/crypto/libk5crypto.exports -+++ b/src/lib/crypto/libk5crypto.exports -@@ -58,7 +58,6 @@ krb5_c_prf_length - krb5int_c_mandatory_cksumtype - krb5_c_fx_cf2_simple - krb5int_c_weak_enctype --krb5int_c_combine_keys - krb5_encrypt_data - krb5int_c_copy_keyblock - krb5int_c_copy_keyblock_contents diff --git a/Remove-more-dead-code.patch b/Remove-more-dead-code.patch deleted file mode 100644 index b0f04ab..0000000 --- a/Remove-more-dead-code.patch +++ /dev/null @@ -1,276 +0,0 @@ -From e470fc217b19f6d958cc891910527e43651167a3 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 9 May 2019 14:07:24 -0400 -Subject: [PATCH] Remove more dead code - -(cherry picked from commit 0269810b1aec6c554fb746433f045d59fd34ab3a) ---- - src/clients/klist/klist.c | 5 --- - src/kadmin/dbutil/kdb5_mkey.c | 2 -- - src/kadmin/server/ipropd_svc.c | 4 --- - src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- - src/lib/gssapi/krb5/k5sealv3.c | 5 ++- - src/lib/gssapi/krb5/k5sealv3iov.c | 5 ++- - src/lib/kdb/kdb_convert.c | 36 +++---------------- - .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 4 --- - .../kdb/ldap/libkdb_ldap/ldap_create.c | 10 ------ - src/plugins/preauth/pkinit/pkinit_srv.c | 8 ----- - src/tests/hammer/kdc5_hammer.c | 4 +-- - 11 files changed, 10 insertions(+), 75 deletions(-) - -diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c -index 8c307151a..4261ac96c 100644 ---- a/src/clients/klist/klist.c -+++ b/src/clients/klist/klist.c -@@ -720,11 +720,6 @@ show_credential(krb5_creds *cred) - extra_field += 2; - } - -- if (extra_field > 3) { -- fputs("\n", stdout); -- extra_field = 0; -- } -- - if (show_flags) { - flags = flags_string(cred); - if (flags && *flags) { -diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c -index 19796c202..aceb0a9b8 100644 ---- a/src/kadmin/dbutil/kdb5_mkey.c -+++ b/src/kadmin/dbutil/kdb5_mkey.c -@@ -1240,7 +1240,6 @@ kdb5_purge_mkeys(int argc, char *argv[]) - if (actkvno_entry == actkvno_list) { - /* remove from head */ - actkvno_list = actkvno_entry->next; -- prev_actkvno_entry = actkvno_list; - } else if (actkvno_entry->next == NULL) { - /* remove from tail */ - prev_actkvno_entry->next = NULL; -@@ -1263,7 +1262,6 @@ kdb5_purge_mkeys(int argc, char *argv[]) - if (mkey_aux_entry->mkey_kvno == args.kvnos[j].kvno) { - if (mkey_aux_entry == mkey_aux_list) { - mkey_aux_list = mkey_aux_entry->next; -- prev_mkey_aux_entry = mkey_aux_list; - } else if (mkey_aux_entry->next == NULL) { - prev_mkey_aux_entry->next = NULL; - } else { -diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c -index dc9984c2c..56e9b90b2 100644 ---- a/src/kadmin/server/ipropd_svc.c -+++ b/src/kadmin/server/ipropd_svc.c -@@ -263,8 +263,6 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp) - int pret, fret; - FILE *p; - kadm5_server_handle_t handle = global_server_handle; -- OM_uint32 min_stat; -- gss_name_t name = NULL; - char *client_name = NULL, *service_name = NULL; - char *whoami = "iprop_full_resync_1"; - -@@ -440,8 +438,6 @@ out: - debprret(whoami, ret.ret, 0); - free(client_name); - free(service_name); -- if (name) -- gss_release_name(&min_stat, &name); - free(ubuf); - return (&ret); - } -diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c -index 79b83e0c6..f09cda007 100644 ---- a/src/lib/gssapi/krb5/gssapi_krb5.c -+++ b/src/lib/gssapi/krb5/gssapi_krb5.c -@@ -780,7 +780,7 @@ krb5_gss_localname(OM_uint32 *minor, - localname->value = gssalloc_strdup(lname); - localname->length = strlen(lname); - -- return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; -+ return GSS_S_COMPLETE; - } - - -diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c -index 25d9f2711..3b4f8cb83 100644 ---- a/src/lib/gssapi/krb5/k5sealv3.c -+++ b/src/lib/gssapi/krb5/k5sealv3.c -@@ -145,9 +145,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - /* TOK_ID */ - store_16_be(KG2_TOK_WRAP_MSG, outbuf); - /* flags */ -- outbuf[2] = (acceptor_flag -- | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0) -- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); -+ outbuf[2] = (acceptor_flag | FLAG_WRAP_CONFIDENTIAL | -+ (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); - /* filler */ - outbuf[3] = 0xff; - /* EC */ -diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c -index a73edb6a4..333ee124d 100644 ---- a/src/lib/gssapi/krb5/k5sealv3iov.c -+++ b/src/lib/gssapi/krb5/k5sealv3iov.c -@@ -144,9 +144,8 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, - /* TOK_ID */ - store_16_be(KG2_TOK_WRAP_MSG, outbuf); - /* flags */ -- outbuf[2] = (acceptor_flag -- | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0) -- | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); -+ outbuf[2] = (acceptor_flag | FLAG_WRAP_CONFIDENTIAL | -+ (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); - /* filler */ - outbuf[3] = 0xFF; - /* EC */ -diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c -index 76140732f..e1bf1919f 100644 ---- a/src/lib/kdb/kdb_convert.c -+++ b/src/lib/kdb/kdb_convert.c -@@ -305,8 +305,6 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry, - krb5_error_code ret; - kdbe_attr_type_t *attr_types; - int kadm_data_yes; -- /* always exclude non-replicated attributes, for now */ -- krb5_boolean exclude_nra = TRUE; - - nattrs = tmpint = 0; - final = -1; -@@ -356,7 +354,8 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry, - nattrs++; - } - } else { -- find_changed_attrs(curr, entry, exclude_nra, attr_types, &nattrs); -+ /* Always exclude non-replicated attributes for now. */ -+ find_changed_attrs(curr, entry, TRUE, attr_types, &nattrs); - krb5_db_free_principal(context, curr); - } - -@@ -402,31 +401,6 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry, - } - break; - -- case AT_LAST_SUCCESS: -- if (!exclude_nra && entry->last_success >= 0) { -- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_SUCCESS; -- ULOG_ENTRY(update, final).av_last_success = -- (uint32_t)entry->last_success; -- } -- break; -- -- case AT_LAST_FAILED: -- if (!exclude_nra && entry->last_failed >= 0) { -- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_FAILED; -- ULOG_ENTRY(update, final).av_last_failed = -- (uint32_t)entry->last_failed; -- } -- break; -- -- case AT_FAIL_AUTH_COUNT: -- if (!exclude_nra) { -- ULOG_ENTRY_TYPE(update, ++final).av_type = -- AT_FAIL_AUTH_COUNT; -- ULOG_ENTRY(update, final).av_fail_auth_count = -- (uint32_t)entry->fail_auth_count; -- } -- break; -- - case AT_PRINC: - if (entry->princ->length > 0) { - ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PRINC; -@@ -552,10 +526,8 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry, - /* END CSTYLED */ - - case AT_LEN: -- if (entry->len >= 0) { -- ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN; -- ULOG_ENTRY(update, final).av_len = (int16_t)entry->len; -- } -+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN; -+ ULOG_ENTRY(update, final).av_len = (int16_t)entry->len; - break; - - default: -diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -index ce038fc3d..0a95101ad 100644 ---- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -135,10 +135,6 @@ kdb5_ldap_stash_service_password(int argc, char **argv) - print_usage = TRUE; - goto cleanup; - } -- if (file_name == NULL) { -- com_err(me, ENOMEM, _("while setting service object password")); -- goto cleanup; -- } - } else { /* argc == 2 */ - service_object = strdup (argv[1]); - if (service_object == NULL) { -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c -index 1e6fffee5..5b57c799a 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c -@@ -56,7 +56,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args) - krb5_ldap_realm_params *rparams = NULL; - krb5_ldap_context *ldap_context=NULL; - krb5_boolean realm_obj_created = FALSE; -- krb5_boolean krbcontainer_obj_created = FALSE; - int mask = 0; - - /* Clear the global error string */ -@@ -121,15 +120,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args) - goto cleanup; - - cleanup: -- /* If the krbcontainer/realm creation is not complete, do the roll-back here */ -- if ((krbcontainer_obj_created) && (!realm_obj_created)) { -- int rc; -- rc = krb5_ldap_delete_krbcontainer(context, -- ldap_context->container_dn); -- k5_setmsg(context, rc, _("could not complete roll-back, error " -- "deleting Kerberos Container")); -- } -- - if (rparams) - krb5_ldap_free_realm_params(rparams); - -diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index 27e6ef4d2..6aa646cc6 100644 ---- a/src/plugins/preauth/pkinit/pkinit_srv.c -+++ b/src/plugins/preauth/pkinit/pkinit_srv.c -@@ -258,15 +258,7 @@ verify_client_san(krb5_context context, - } - pkiDebug("%s: no upn san match found\n", __FUNCTION__); - -- /* We found no match */ -- if (princs != NULL || upns != NULL) { -- *valid_san = 0; -- /* XXX ??? If there was one or more name in the cert, but -- * none matched the client name, then return mismatch? */ -- retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; -- } - retval = 0; -- - out: - if (princs != NULL) { - for (i = 0; princs[i] != NULL; i++) -diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c -index 086c21d1c..8220fd97b 100644 ---- a/src/tests/hammer/kdc5_hammer.c -+++ b/src/tests/hammer/kdc5_hammer.c -@@ -439,7 +439,6 @@ int get_tgt (context, p_client_str, p_client, ccache) - krb5_principal *p_client; - krb5_ccache ccache; - { -- char *cache_name = NULL; /* -f option */ - long lifetime = KRB5_DEFAULT_LIFE; /* -l option */ - krb5_error_code code; - krb5_creds my_creds; -@@ -464,8 +463,7 @@ int get_tgt (context, p_client_str, p_client, ccache) - - code = krb5_cc_initialize (context, ccache, *p_client); - if (code != 0) { -- com_err (prog, code, "when initializing cache %s", -- cache_name?cache_name:""); -+ com_err (prog, code, "when initializing cache"); - return(-1); - } - diff --git a/Remove-now-unused-checksum-functions.patch b/Remove-now-unused-checksum-functions.patch deleted file mode 100644 index 5a8dd90..0000000 --- a/Remove-now-unused-checksum-functions.patch +++ /dev/null @@ -1,335 +0,0 @@ -From e9cc0b8762266ed368cb50e7ba48d6196db54da5 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 28 Jun 2019 13:09:47 -0400 -Subject: [PATCH] Remove now-unused checksum functions - -fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8 removed all call sites of -krb5int_cbc_checksum(), krb5int_confounder_verify(), and -krb5int_confounder_checksum(), but neglected the functions themselves. - -ticket: 8808 -(cherry picked from commit 2063ff09b384d466c15aca8970c01d074230c815) ---- - src/lib/crypto/krb/Makefile.in | 6 - - src/lib/crypto/krb/checksum_cbc.c | 41 ------ - src/lib/crypto/krb/checksum_confounder.c | 159 ----------------------- - src/lib/crypto/krb/crypto_int.h | 16 --- - src/lib/crypto/krb/deps | 26 ---- - 5 files changed, 248 deletions(-) - delete mode 100644 src/lib/crypto/krb/checksum_cbc.c - delete mode 100644 src/lib/crypto/krb/checksum_confounder.c - -diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in -index b587f7e19..2b0c4163d 100644 ---- a/src/lib/crypto/krb/Makefile.in -+++ b/src/lib/crypto/krb/Makefile.in -@@ -10,8 +10,6 @@ STLIBOBJS=\ - aead.o \ - block_size.o \ - cf2.o \ -- checksum_cbc.o \ -- checksum_confounder.o \ - checksum_dk_cmac.o \ - checksum_dk_hmac.o \ - checksum_etm.o \ -@@ -70,8 +68,6 @@ OBJS=\ - $(OUTPRE)aead.$(OBJEXT) \ - $(OUTPRE)block_size.$(OBJEXT) \ - $(OUTPRE)cf2.$(OBJEXT) \ -- $(OUTPRE)checksum_cbc.$(OBJEXT) \ -- $(OUTPRE)checksum_confounder.$(OBJEXT) \ - $(OUTPRE)checksum_dk_cmac.$(OBJEXT) \ - $(OUTPRE)checksum_dk_hmac.$(OBJEXT) \ - $(OUTPRE)checksum_etm.$(OBJEXT) \ -@@ -130,8 +126,6 @@ SRCS=\ - $(srcdir)/aead.c \ - $(srcdir)/block_size.c \ - $(srcdir)/cf2.c \ -- $(srcdir)/checksum_cbc.c \ -- $(srcdir)/checksum_confounder.c \ - $(srcdir)/checksum_dk_cmac.c \ - $(srcdir)/checksum_dk_hmac.c \ - $(srcdir)/checksum_etm.c \ -diff --git a/src/lib/crypto/krb/checksum_cbc.c b/src/lib/crypto/krb/checksum_cbc.c -deleted file mode 100644 -index 48afeb0e5..000000000 ---- a/src/lib/crypto/krb/checksum_cbc.c -+++ /dev/null -@@ -1,41 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/crypto/krb/checksum_cbc.c */ --/* -- * Copyright (C) 2009 by the Massachusetts Institute of Technology. -- * All rights reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ -- --/* CBC checksum, which computes the ivec resulting from CBC encryption of the -- * input. */ -- --#include "crypto_int.h" -- --krb5_error_code --krb5int_cbc_checksum(const struct krb5_cksumtypes *ctp, -- krb5_key key, krb5_keyusage usage, -- const krb5_crypto_iov *data, size_t num_data, -- krb5_data *output) --{ -- if (ctp->enc->cbc_mac == NULL) -- return KRB5_CRYPTO_INTERNAL; -- return ctp->enc->cbc_mac(key, data, num_data, NULL, output); --} -diff --git a/src/lib/crypto/krb/checksum_confounder.c b/src/lib/crypto/krb/checksum_confounder.c -deleted file mode 100644 -index 34941562c..000000000 ---- a/src/lib/crypto/krb/checksum_confounder.c -+++ /dev/null -@@ -1,159 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/crypto/krb/checksum_confounder.c */ --/* -- * Copyright (C) 2009 by the Massachusetts Institute of Technology. -- * All rights reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ -- --/* -- * Confounder checksum implementation, using tokens of the form: -- * enc(xorkey, confounder | hash(confounder | data)) -- * where xorkey is the key XOR'd with 0xf0 bytes. -- */ -- --#include "crypto_int.h" -- --/* Derive a key by XOR with 0xF0 bytes. */ --static krb5_error_code --mk_xorkey(krb5_key origkey, krb5_key *xorkey) --{ -- krb5_error_code retval = 0; -- unsigned char *xorbytes; -- krb5_keyblock xorkeyblock; -- size_t i = 0; -- -- xorbytes = k5memdup(origkey->keyblock.contents, origkey->keyblock.length, -- &retval); -- if (xorbytes == NULL) -- return retval; -- for (i = 0; i < origkey->keyblock.length; i++) -- xorbytes[i] ^= 0xf0; -- -- /* Do a shallow copy here. */ -- xorkeyblock = origkey->keyblock; -- xorkeyblock.contents = xorbytes; -- -- retval = krb5_k_create_key(0, &xorkeyblock, xorkey); -- zapfree(xorbytes, origkey->keyblock.length); -- return retval; --} -- --krb5_error_code --krb5int_confounder_checksum(const struct krb5_cksumtypes *ctp, -- krb5_key key, krb5_keyusage usage, -- const krb5_crypto_iov *data, size_t num_data, -- krb5_data *output) --{ -- krb5_error_code ret; -- krb5_data conf, hashval; -- krb5_key xorkey = NULL; -- krb5_crypto_iov *hash_iov, iov; -- size_t blocksize = ctp->enc->block_size, hashsize = ctp->hash->hashsize; -- -- /* Partition the output buffer into confounder and hash. */ -- conf = make_data(output->data, blocksize); -- hashval = make_data(output->data + blocksize, hashsize); -- -- /* Create the confounder. */ -- ret = krb5_c_random_make_octets(NULL, &conf); -- if (ret != 0) -- return ret; -- -- ret = mk_xorkey(key, &xorkey); -- if (ret) -- return ret; -- -- /* Hash the confounder, then the input data. */ -- hash_iov = k5calloc(num_data + 1, sizeof(krb5_crypto_iov), &ret); -- if (hash_iov == NULL) -- goto cleanup; -- hash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- hash_iov[0].data = conf; -- memcpy(hash_iov + 1, data, num_data * sizeof(krb5_crypto_iov)); -- ret = ctp->hash->hash(hash_iov, num_data + 1, &hashval); -- if (ret != 0) -- goto cleanup; -- -- /* Confounder and hash are in output buffer; encrypt them in place. */ -- iov.flags = KRB5_CRYPTO_TYPE_DATA; -- iov.data = *output; -- ret = ctp->enc->encrypt(xorkey, NULL, &iov, 1); -- --cleanup: -- free(hash_iov); -- krb5_k_free_key(NULL, xorkey); -- return ret; --} -- --krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp, -- krb5_key key, krb5_keyusage usage, -- const krb5_crypto_iov *data, -- size_t num_data, -- const krb5_data *input, -- krb5_boolean *valid) --{ -- krb5_error_code ret; -- unsigned char *plaintext = NULL; -- krb5_key xorkey = NULL; -- krb5_data computed = empty_data(); -- krb5_crypto_iov *hash_iov = NULL, iov; -- size_t blocksize = ctp->enc->block_size, hashsize = ctp->hash->hashsize; -- -- plaintext = k5memdup(input->data, input->length, &ret); -- if (plaintext == NULL) -- return ret; -- -- ret = mk_xorkey(key, &xorkey); -- if (ret != 0) -- goto cleanup; -- -- /* Decrypt the input checksum. */ -- iov.flags = KRB5_CRYPTO_TYPE_DATA; -- iov.data = make_data(plaintext, input->length); -- ret = ctp->enc->decrypt(xorkey, NULL, &iov, 1); -- if (ret != 0) -- goto cleanup; -- -- /* Hash the confounder, then the input data. */ -- hash_iov = k5calloc(num_data + 1, sizeof(krb5_crypto_iov), &ret); -- if (hash_iov == NULL) -- goto cleanup; -- hash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- hash_iov[0].data = make_data(plaintext, blocksize); -- memcpy(hash_iov + 1, data, num_data * sizeof(krb5_crypto_iov)); -- ret = alloc_data(&computed, hashsize); -- if (ret != 0) -- goto cleanup; -- ret = ctp->hash->hash(hash_iov, num_data + 1, &computed); -- if (ret != 0) -- goto cleanup; -- -- /* Compare the decrypted hash to the computed one. */ -- *valid = (k5_bcmp(plaintext + blocksize, computed.data, hashsize) == 0); -- --cleanup: -- zapfree(plaintext, input->length); -- zapfree(computed.data, hashsize); -- free(hash_iov); -- krb5_k_free_key(NULL, xorkey); -- return ret; --} -diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h -index 1b4324d71..5cc1f8e43 100644 ---- a/src/lib/crypto/krb/crypto_int.h -+++ b/src/lib/crypto/krb/crypto_int.h -@@ -299,11 +299,6 @@ krb5_error_code krb5int_unkeyed_checksum(const struct krb5_cksumtypes *ctp, - const krb5_crypto_iov *data, - size_t num_data, - krb5_data *output); --krb5_error_code krb5int_cbc_checksum(const struct krb5_cksumtypes *ctp, -- krb5_key key, krb5_keyusage usage, -- const krb5_crypto_iov *data, -- size_t num_data, -- krb5_data *output); - krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp, - krb5_key key, krb5_keyusage usage, - const krb5_crypto_iov *data, -@@ -317,17 +312,6 @@ krb5_error_code krb5int_dk_cmac_checksum(const struct krb5_cksumtypes *ctp, - krb5_key key, krb5_keyusage usage, - const krb5_crypto_iov *data, - size_t num_data, krb5_data *output); --krb5_error_code krb5int_confounder_checksum(const struct krb5_cksumtypes *ctp, -- krb5_key key, krb5_keyusage usage, -- const krb5_crypto_iov *data, -- size_t num_data, -- krb5_data *output); --krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp, -- krb5_key key, krb5_keyusage usage, -- const krb5_crypto_iov *data, -- size_t num_data, -- const krb5_data *input, -- krb5_boolean *valid); - krb5_error_code krb5int_etm_checksum(const struct krb5_cksumtypes *ctp, - krb5_key key, krb5_keyusage usage, - const krb5_crypto_iov *data, -diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps -index 2f4af1906..883d12c56 100644 ---- a/src/lib/crypto/krb/deps -+++ b/src/lib/crypto/krb/deps -@@ -37,32 +37,6 @@ cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - cf2.c crypto_int.h --checksum_cbc.so checksum_cbc.po $(OUTPRE)checksum_cbc.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \ -- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h checksum_cbc.c \ -- crypto_int.h --checksum_confounder.so checksum_confounder.po $(OUTPRE)checksum_confounder.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \ -- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h checksum_confounder.c \ -- crypto_int.h - checksum_dk_cmac.so checksum_dk_cmac.po $(OUTPRE)checksum_dk_cmac.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/Remove-null-check-in-krb5_gss_duplicate_name.patch b/Remove-null-check-in-krb5_gss_duplicate_name.patch deleted file mode 100644 index 4d65cbd..0000000 --- a/Remove-null-check-in-krb5_gss_duplicate_name.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 61855503e579611b2bb2f322070c2e1e0ca36ce8 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 30 Aug 2019 11:19:52 -0400 -Subject: [PATCH] Remove null check in krb5_gss_duplicate_name() - -Within the krb5 mechanism, we require minor_status to be writable -without checking. Remove the null check in krb5_gss_duplicate_name() -to squash a forward-null defect. - -(cherry picked from commit 9fd7bc179f0bd74fc83c1edf0247dcfd87fc73e6) ---- - src/lib/gssapi/krb5/duplicate_name.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/src/lib/gssapi/krb5/duplicate_name.c b/src/lib/gssapi/krb5/duplicate_name.c -index b88d97d9d..ea53e9c0d 100644 ---- a/src/lib/gssapi/krb5/duplicate_name.c -+++ b/src/lib/gssapi/krb5/duplicate_name.c -@@ -34,8 +34,7 @@ krb5_gss_duplicate_name(OM_uint32 *minor_status, const gss_name_t input_name, - krb5_error_code code; - krb5_gss_name_t princ, outprinc; - -- if (minor_status) -- *minor_status = 0; -+ *minor_status = 0; - - code = krb5_gss_init_context(&context); - if (code) { diff --git a/Remove-ovsec_adm_export-dump-format-support.patch b/Remove-ovsec_adm_export-dump-format-support.patch deleted file mode 100644 index 466aea0..0000000 --- a/Remove-ovsec_adm_export-dump-format-support.patch +++ /dev/null @@ -1,386 +0,0 @@ -From e4c75d01bfdedfe77068a641e0053eef227dc22b Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 22 Jan 2019 18:34:58 -0500 -Subject: [PATCH] Remove ovsec_adm_export dump format support - -Dumping only suported single-DES principals. While importing still -functioned, it would only have been useful for extremely old (1.3-era) -KDCs. - -ticket: 8798 (new) -(cherry picked from commit 23b93fd48bc445005436c5be98a7269b599b1800) -[rharwood@redhat.com: release version conflict in man pages] ---- - doc/admin/admin_commands/kdb5_util.rst | 11 +-- - doc/admin/database.rst | 14 ---- - src/kadmin/dbutil/dump.c | 109 ++----------------------- - src/kadmin/dbutil/kdb5_util.c | 4 +- - src/man/kdb5_util.man | 13 +-- - src/tests/Makefile.in | 6 -- - src/tests/t_dump.py | 8 -- - 7 files changed, 13 insertions(+), 152 deletions(-) - -diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst -index fee68261a..7dd54f797 100644 ---- a/doc/admin/admin_commands/kdb5_util.rst -+++ b/doc/admin/admin_commands/kdb5_util.rst -@@ -136,7 +136,7 @@ dump - - .. _kdb5_util_dump: - -- **dump** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] -+ **dump** [**-b7**\|\ **-r13**\|\ **-r18**] - [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** - *mkey_file*] [**-rev**] [**-recurse**] [*filename* - [*principals*...]] -@@ -151,9 +151,6 @@ load_dump version 7". If filename is not specified, or is the string - load_dump version 4"). This was the dump format produced on - releases prior to 1.2.2. - --**-ov** -- causes the dump to be in "ovsec_adm_export" format. -- - **-r13** - causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util - load_dump version 5"). This was the dump format produced on -@@ -204,7 +201,7 @@ load - - .. _kdb5_util_load: - -- **load** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] [**-hash**] -+ **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**] - [**-verbose**] [**-update**] *filename* - - Loads a database dump from the named file into the named database. If -@@ -222,10 +219,6 @@ Options: - ("kdb5_util load_dump version 4"). This was the dump format - produced on releases prior to 1.2.2. - --**-ov** -- requires the database to be in "ovsec_adm_import" format. Must be -- used with the **-update** option. -- - **-r13** - requires the database to be in Kerberos 5 1.3 format ("kdb5_util - load_dump version 5"). This was the dump format produced on -diff --git a/doc/admin/database.rst b/doc/admin/database.rst -index d0be455f8..33895b857 100644 ---- a/doc/admin/database.rst -+++ b/doc/admin/database.rst -@@ -393,20 +393,6 @@ To dump a single principal and later load it, updating the database: - If the database file exists, and the *-update* flag was not - given, *kdb5_util* will overwrite the existing database. - --Using kdb5_util to upgrade a master KDC from krb5 1.1.x: -- --:: -- -- shell% kdb5_util dump old-kdb-dump -- shell% kdb5_util dump -ov old-kdb-dump.ov -- [Create a new KDC installation, using the old stash file/master password] -- shell% kdb5_util load old-kdb-dump -- shell% kdb5_util load -update old-kdb-dump.ov -- --The use of old-kdb-dump.ov for an extra dump and load is necessary --to preserve per-principal policy information, which is not included in --the default dump format of krb5 1.1.x. -- - .. note:: - - Using kdb5_util to dump and reload the principal database is -diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c -index 8301a33d0..19f2cc230 100644 ---- a/src/kadmin/dbutil/dump.c -+++ b/src/kadmin/dbutil/dump.c -@@ -484,83 +484,6 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry) - fprintf(arg->ofile, "\n"); - } - --static void --print_key_data(FILE *f, krb5_key_data *kd) --{ -- int c; -- -- fprintf(f, "%d\t%d\t", kd->key_data_type[0], kd->key_data_length[0]); -- for (c = 0; c < kd->key_data_length[0]; c++) -- fprintf(f, "%02x ", kd->key_data_contents[0][c]); --} -- --/* Output osa_adb_princ_ent data in a printable serialized format, suitable for -- * ovsec_adm_import consumption. */ --static krb5_error_code --dump_ov_princ(krb5_context context, krb5_db_entry *entry, const char *name, -- FILE *fp, krb5_boolean verbose, krb5_boolean omit_nra) --{ -- char *princstr; -- unsigned int x; -- int y, foundcrc; -- krb5_tl_data tl_data; -- osa_princ_ent_rec adb; -- XDR xdrs; -- krb5_key_data *key_data; -- -- tl_data.tl_data_type = KRB5_TL_KADM_DATA; -- if (krb5_dbe_lookup_tl_data(context, entry, &tl_data) || -- tl_data.tl_data_length == 0) -- return 0; -- -- memset(&adb, 0, sizeof(adb)); -- xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents, -- tl_data.tl_data_length, XDR_DECODE); -- if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) { -- xdr_destroy(&xdrs); -- return KADM5_XDR_FAILURE; -- } -- xdr_destroy(&xdrs); -- -- krb5_unparse_name(context, entry->princ, &princstr); -- fprintf(fp, "princ\t%s\t", princstr); -- if (adb.policy == NULL) -- fputc('\t', fp); -- else -- fprintf(fp, "%s\t", adb.policy); -- fprintf(fp, "%lx\t%d\t%d\t%d", adb.aux_attributes, adb.old_key_len, -- adb.old_key_next, adb.admin_history_kvno); -- -- for (x = 0; x < adb.old_key_len; x++) { -- foundcrc = 0; -- for (y = 0; y < adb.old_keys[x].n_key_data; y++) { -- key_data = &adb.old_keys[x].key_data[y]; -- if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC) -- continue; -- if (foundcrc) { -- fprintf(stderr, _("Warning! Multiple DES-CBC-CRC keys for " -- "principal %s; skipping duplicates.\n"), -- princstr); -- continue; -- } -- foundcrc++; -- -- fputc('\t', fp); -- print_key_data(fp, key_data); -- } -- if (!foundcrc) { -- fprintf(stderr, _("Warning! No DES-CBC-CRC key for principal %s, " -- "cannot generate OV-compatible record; " -- "skipping\n"), princstr); -- } -- } -- -- fputc('\n', fp); -- free(princstr); -- xdr_free(xdr_osa_princ_ent_rec, &adb); -- return 0; --} -- - static krb5_error_code - dump_iterator(void *ptr, krb5_db_entry *entry) - { -@@ -1101,14 +1024,6 @@ process_k5beta7_record(krb5_context context, const char *fname, FILE *filep, - process_k5beta7_princ, process_k5beta7_policy); - } - --static int --process_ov_record(krb5_context context, const char *fname, FILE *filep, -- krb5_boolean verbose, int *linenop) --{ -- return process_tagged(context, fname, filep, verbose, linenop, -- process_ov_principal, process_k5beta7_policy); --} -- - static int - process_r1_8_record(krb5_context context, const char *fname, FILE *filep, - krb5_boolean verbose, int *linenop) -@@ -1135,16 +1050,6 @@ dump_version beta7_version = { - dump_k5beta7_policy, - process_k5beta7_record, - }; --dump_version ov_version = { -- "OpenV*Secure V1.0", -- "OpenV*Secure V1.0\t", -- 1, -- 0, -- 0, -- dump_ov_princ, -- dump_k5beta7_policy, -- process_ov_record --}; - dump_version r1_3_version = { - "Kerberos version 5 release 1.3", - "kdb5_util load_dump version 5\n", -@@ -1267,7 +1172,7 @@ current_dump_sno_in_ulog(krb5_context context, const char *ifile) - - /* - * usage is: -- * dump_db [-b7] [-ov] [-r13] [-r18] [-verbose] [-mkey_convert] -+ * dump_db [-b7] [-r13] [-r18] [-verbose] [-mkey_convert] - * [-new_mkey_file mkey_file] [-rev] [-recurse] - * [filename [principals...]] - */ -@@ -1302,7 +1207,8 @@ dump_db(int argc, char **argv) - if (!strcmp(argv[aindex], "-b7")) { - dump = &beta7_version; - } else if (!strcmp(argv[aindex], "-ov")) { -- dump = &ov_version; -+ fprintf(stderr, _("OV dump format not supported\n")); -+ goto error; - } else if (!strcmp(argv[aindex], "-r13")) { - dump = &r1_3_version; - } else if (!strcmp(argv[aindex], "-r18")) { -@@ -1515,8 +1421,7 @@ restore_dump(krb5_context context, char *dumpfile, FILE *f, - } - - /* -- * Usage: load_db [-ov] [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] -- * filename -+ * Usage: load_db [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] filename - */ - void - load_db(int argc, char **argv) -@@ -1540,7 +1445,8 @@ load_db(int argc, char **argv) - if (!strcmp(argv[aindex], "-b7")){ - load = &beta7_version; - } else if (!strcmp(argv[aindex], "-ov")) { -- load = &ov_version; -+ fprintf(stderr, _("OV dump format not supported\n")); -+ goto error; - } else if (!strcmp(argv[aindex], "-r13")) { - load = &r1_3_version; - } else if (!strcmp(argv[aindex], "-r18")){ -@@ -1605,9 +1511,6 @@ load_db(int argc, char **argv) - load = &r1_8_version; - } else if (strcmp(buf, r1_11_version.header) == 0) { - load = &r1_11_version; -- } else if (strncmp(buf, ov_version.header, -- strlen(ov_version.header)) == 0) { -- load = &ov_version; - } else { - fprintf(stderr, _("%s: dump header bad in %s\n"), progname, - dumpfile); -diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c -index accc959e0..e73e2c68e 100644 ---- a/src/kadmin/dbutil/kdb5_util.c -+++ b/src/kadmin/dbutil/kdb5_util.c -@@ -85,10 +85,10 @@ void usage() - "\tcreate [-s]\n" - "\tdestroy [-f]\n" - "\tstash [-f keyfile]\n" -- "\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n" -+ "\tdump [-old|-b6|-b7|-r13|-r18] [-verbose]\n" - "\t [-mkey_convert] [-new_mkey_file mkey_file]\n" - "\t [-rev] [-recurse] [filename [princs...]]\n" -- "\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] " -+ "\tload [-old|-b6|-b7|-r13|-r18] [-verbose] [-update] " - "filename\n" - "\tark [-e etype_list] principal\n" - "\tadd_mkey [-e etype] [-s]\n" -diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man -index 9c48c32fb..9a36ef0df 100644 ---- a/src/man/kdb5_util.man -+++ b/src/man/kdb5_util.man -@@ -1,6 +1,6 @@ - .\" Man page generated from reStructuredText. - . --.TH "KDB5_UTIL" "8" " " "1.17.1" "MIT Kerberos" -+.TH "KDB5_UTIL" "8" " " "1.18" "MIT Kerberos" - .SH NAME - kdb5_util \- Kerberos database maintenance utility - . -@@ -136,7 +136,7 @@ kdc.conf(5)\&. - .SS dump - .INDENT 0.0 - .INDENT 3.5 --\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] -+\fBdump\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] - [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP - \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP - [\fIprincipals\fP\&...]] -@@ -154,9 +154,6 @@ causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util - load_dump version 4"). This was the dump format produced on - releases prior to 1.2.2. - .TP --\fB\-ov\fP --causes the dump to be in "ovsec_adm_export" format. --.TP - \fB\-r13\fP - causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util - load_dump version 5"). This was the dump format produced on -@@ -203,7 +200,7 @@ doing a normal dump instead of a recursive traversal. - .SS load - .INDENT 0.0 - .INDENT 3.5 --\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP] -+\fBload\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP] - [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP - .UNINDENT - .UNINDENT -@@ -224,10 +221,6 @@ requires the database to be in the Kerberos 5 Beta 7 format - ("kdb5_util load_dump version 4"). This was the dump format - produced on releases prior to 1.2.2. - .TP --\fB\-ov\fP --requires the database to be in "ovsec_adm_import" format. Must be --used with the \fB\-update\fP option. --.TP - \fB\-r13\fP - requires the database to be in Kerberos 5 1.3 format ("kdb5_util - load_dump version 5"). This was the dump format produced on -diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in -index e27617ee2..c96c5d6b7 100644 ---- a/src/tests/Makefile.in -+++ b/src/tests/Makefile.in -@@ -97,7 +97,6 @@ kdb_check: kdc.conf krb5.conf - $(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS) - $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump -- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f - @echo "====> NOTE!" - @echo "The following 'create' command is needed due to a change" -@@ -105,16 +104,11 @@ kdb_check: kdc.conf krb5.conf - @echo ==== - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump -- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump - $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2 -- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2 - sort $(TEST_DB).dump > $(TEST_DB).sort - sort $(TEST_DB).dump2 > $(TEST_DB).sort2 -- sort $(TEST_DB).ovdump > $(TEST_DB).ovsort -- sort $(TEST_DB).ovdump2 > $(TEST_DB).ovsort2 - cmp $(TEST_DB).sort $(TEST_DB).sort2 -- cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2 - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f - $(RM) $(TEST_DB)* stash_file - -diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py -index d803d5602..5d692df99 100755 ---- a/src/tests/t_dump.py -+++ b/src/tests/t_dump.py -@@ -73,7 +73,6 @@ for realm in multidb_realms(start_kdc=False): - srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18') - srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13') - srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7') -- srcdump_ov = os.path.join(srcdumpdir, 'dump.ov') - - # Load a dump file from the source directory. - realm.run([kdb5_util, 'destroy', '-f']) -@@ -86,17 +85,10 @@ for realm in multidb_realms(start_kdc=False): - dump_compare(realm, ['-r18'], srcdump_r18) - dump_compare(realm, ['-r13'], srcdump_r13) - dump_compare(realm, ['-b7'], srcdump_b7) -- dump_compare(realm, ['-ov'], srcdump_ov) - - # Load each format of dump, check it, re-dump it, and compare. - load_dump_check_compare(realm, ['-r18'], srcdump_r18) - load_dump_check_compare(realm, ['-r13'], srcdump_r13) - load_dump_check_compare(realm, ['-b7'], srcdump_b7) - -- # Loading the last (-b7 format) dump won't have loaded the -- # per-principal kadm data. Load that incrementally with -ov. -- realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]') -- realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov]) -- realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol') -- - success('Dump/load tests') diff --git a/Remove-srvtab-support.patch b/Remove-srvtab-support.patch deleted file mode 100644 index e175243..0000000 --- a/Remove-srvtab-support.patch +++ /dev/null @@ -1,1411 +0,0 @@ -From ecf80eb7a536c2d78812482d9c974120725ca609 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 9 Oct 2017 15:58:33 -0400 -Subject: [PATCH] Remove srvtab support - -Also change internal names from "srvtab" to "keytab" where the old -name was used. - -ticket: 8793 (new) -(cherry picked from commit a23e670b40f69b6be0024f8a60d2afaf7f7a005a) -[rharwood@redhat.com: release version conflict in man pages] ---- - doc/admin/admin_commands/ktutil.rst | 22 +- - doc/basic/keytab_def.rst | 6 +- - src/kadmin/ktutil/ktutil.c | 11 +- - src/kadmin/ktutil/ktutil.h | 4 - - src/kadmin/ktutil/ktutil_ct.ct | 4 +- - src/kadmin/ktutil/ktutil_funcs.c | 19 - - src/kadmin/testing/proto/krb5.conf.proto | 2 +- - src/kadmin/testing/scripts/env-setup.shin | 2 +- - src/kadmin/testing/scripts/init_db | 2 +- - .../testing/scripts/make-host-keytab.plin | 2 +- - .../testing/scripts/start_servers_local | 3 - - src/kprop/kprop.c | 10 +- - src/kprop/kpropd.c | 12 +- - src/lib/kadm5/unit-test/api.current/init.exp | 4 +- - src/lib/krb5/keytab/Makefile.in | 3 - - src/lib/krb5/keytab/deps | 11 - - src/lib/krb5/keytab/kt_srvtab.c | 435 ------------------ - src/lib/krb5/keytab/ktbase.c | 7 +- - src/lib/krb5/krb/in_tkt_sky.c | 6 +- - src/lib/krb5/libkrb5.exports | 1 - - src/lib/rpc/unit-test/Makefile.in | 6 +- - src/lib/rpc/unit-test/config/unix.exp | 2 +- - src/lib/rpc/unit-test/lib/helpers.exp | 4 +- - src/lib/rpc/unit-test/rpc_test_setup.sh | 6 +- - src/man/ktutil.man | 26 +- - src/tests/dejagnu/config/default.exp | 58 ++- - src/tests/dejagnu/krb-standalone/gssapi.exp | 8 +- - src/tests/dejagnu/krb-standalone/kadmin.exp | 48 +- - src/tests/dejagnu/krb-standalone/kprop.exp | 6 +- - src/tests/dejagnu/krb-standalone/sample.exp | 8 +- - src/tests/dejagnu/krb-standalone/simple.exp | 6 +- - .../dejagnu/krb-standalone/standalone.exp | 4 +- - src/tests/dejagnu/krb-standalone/tcp.exp | 5 - - 33 files changed, 86 insertions(+), 667 deletions(-) - delete mode 100644 src/lib/krb5/keytab/kt_srvtab.c - -diff --git a/doc/admin/admin_commands/ktutil.rst b/doc/admin/admin_commands/ktutil.rst -index 0dbc08f60..0897c7757 100644 ---- a/doc/admin/admin_commands/ktutil.rst -+++ b/doc/admin/admin_commands/ktutil.rst -@@ -13,8 +13,8 @@ DESCRIPTION - ----------- - - The ktutil command invokes a command interface from which an --administrator can read, write, or edit entries in a keytab or Kerberos --V4 srvtab file. -+administrator can read, write, or edit entries in a keytab. (Kerberos -+V4 srvtab files are no longer supported.) - - - COMMANDS -@@ -38,15 +38,6 @@ Read the Kerberos V5 keytab file *keytab* into the current keylist. - - Alias: **rkt** - --read_st --~~~~~~~ -- -- **read_st** *srvtab* -- --Read the Kerberos V4 srvtab file *srvtab* into the current keylist. -- --Alias: **rst** -- - write_kt - ~~~~~~~~ - -@@ -56,15 +47,6 @@ Write the current keylist into the Kerberos V5 keytab file *keytab*. - - Alias: **wkt** - --write_st --~~~~~~~~ -- -- **write_st** *srvtab* -- --Write the current keylist into the Kerberos V4 srvtab file *srvtab*. -- --Alias: **wst** -- - clear_list - ~~~~~~~~~~ - -diff --git a/doc/basic/keytab_def.rst b/doc/basic/keytab_def.rst -index 33ae67c6c..6c7fcc3b0 100644 ---- a/doc/basic/keytab_def.rst -+++ b/doc/basic/keytab_def.rst -@@ -12,10 +12,8 @@ credentials for client applications. - - Keytabs are named using the format *type*\ ``:``\ *value*. Usually - *type* is ``FILE`` and *value* is the absolute pathname of the file. --Other possible values for *type* are ``SRVTAB``, which indicates a --file in the deprecated Kerberos 4 srvtab format, and ``MEMORY``, which --indicates a temporary keytab stored in the memory of the current --process. -+The other possible value for *type* is ``MEMORY``, which indicates a -+temporary keytab stored in the memory of the current process. - - A keytab contains one or more entries, where each entry consists of a - timestamp (indicating when the entry was written to the keytab), a -diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c -index 196f20786..92d7023a4 100644 ---- a/src/kadmin/ktutil/ktutil.c -+++ b/src/kadmin/ktutil/ktutil.c -@@ -98,15 +98,8 @@ void ktutil_read_v4(argc, argv) - int argc; - char *argv[]; - { -- krb5_error_code retval; -- -- if (argc != 2) { -- fprintf(stderr, _("%s: must specify the srvtab to read\n"), argv[0]); -- return; -- } -- retval = ktutil_read_srvtab(kcontext, argv[1], &ktlist); -- if (retval) -- com_err(argv[0], retval, _("while reading srvtab \"%s\""), argv[1]); -+ fprintf(stderr, _("%s: reading srvtabs is no longer supported\n"), -+ argv[0]); - } - - void ktutil_write_v5(argc, argv) -diff --git a/src/kadmin/ktutil/ktutil.h b/src/kadmin/ktutil/ktutil.h -index ddb754bae..acaf0239a 100644 ---- a/src/kadmin/ktutil/ktutil.h -+++ b/src/kadmin/ktutil/ktutil.h -@@ -50,10 +50,6 @@ krb5_error_code ktutil_write_keytab (krb5_context, - krb5_kt_list, - char *); - --krb5_error_code ktutil_read_srvtab (krb5_context, -- char *, -- krb5_kt_list *); -- - void ktutil_add_entry (int, char *[]); - - void ktutil_clear_list (int, char *[]); -diff --git a/src/kadmin/ktutil/ktutil_ct.ct b/src/kadmin/ktutil/ktutil_ct.ct -index 0c7ccb689..2061ef9d0 100644 ---- a/src/kadmin/ktutil/ktutil_ct.ct -+++ b/src/kadmin/ktutil/ktutil_ct.ct -@@ -32,13 +32,13 @@ request ktutil_clear_list, "Clear the current keylist.", - request ktutil_read_v5, "Read a krb5 keytab into the current keylist.", - read_kt, rkt; - --request ktutil_read_v4, "Read a krb4 srvtab into the current keylist.", -+request ktutil_read_v4, "Deprecated and removed.", - read_st, rst; - - request ktutil_write_v5, "Write the current keylist to a krb5 keytab.", - write_kt, wkt; - --request ktutil_write_v4, "Write the current keylist to a krb4 srvtab.", -+request ktutil_write_v4, "Deprecated and removed.", - write_st, wst; - - request ktutil_add_entry, "Add an entry to the current keylist.", -diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c -index 6d119a2b6..e2e005d22 100644 ---- a/src/kadmin/ktutil/ktutil_funcs.c -+++ b/src/kadmin/ktutil/ktutil_funcs.c -@@ -368,22 +368,3 @@ krb5_error_code ktutil_write_keytab(context, list, name) - krb5_kt_close(context, kt); - return retval; - } -- --/* -- * Read in a named krb4 srvtab and append to list. Allocate new list -- * if needed. -- */ --krb5_error_code ktutil_read_srvtab(context, name, list) -- krb5_context context; -- char *name; -- krb5_kt_list *list; --{ -- char *ktname; -- krb5_error_code result; -- -- if (asprintf(&ktname, "SRVTAB:%s", name) < 0) -- return ENOMEM; -- result = ktutil_read_keytab(context, ktname, list); -- free(ktname); -- return result; --} -diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto -index 00c442978..e710852d4 100644 ---- a/src/kadmin/testing/proto/krb5.conf.proto -+++ b/src/kadmin/testing/proto/krb5.conf.proto -@@ -1,6 +1,6 @@ - [libdefaults] - default_realm = __REALM__ -- default_keytab_name = FILE:__K5ROOT__/v5srvtab -+ default_keytab_name = FILE:__K5ROOT__/keytab - dns_fallback = no - plugin_base_dir = __PLUGIN_DIR__ - allow_weak_crypto = true -diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin -index 273cf6954..8c29bb996 100755 ---- a/src/kadmin/testing/scripts/env-setup.shin -+++ b/src/kadmin/testing/scripts/env-setup.shin -@@ -79,7 +79,7 @@ export QUALNAME - - KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG - KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE --KRB5_KTNAME=$K5ROOT/ovsec_adm.srvtab; export KRB5_KTNAME -+KRB5_KTNAME=$K5ROOT/ovsec_adm.keytab; export KRB5_KTNAME - KRB5_CLIENT_KTNAME=$K5ROOT/client_keytab; export KRB5_CLIENT_KTNAME - KRB5CCNAME=$K5ROOT/krb5cc_unit-test; export KRB5CCNAME - -diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db -index c41d290d1..2496be2ab 100755 ---- a/src/kadmin/testing/scripts/init_db -+++ b/src/kadmin/testing/scripts/init_db -@@ -216,7 +216,7 @@ changepw/kerberos@$REALM cil - - EOF - --eval $LOCAL_MAKE_KEYTAB -princ kadmin/admin -princ kadmin/changepw -princ ovsec_adm/admin -princ ovsec_adm/changepw $K5ROOT/ovsec_adm.srvtab $REDIRECT -+eval $LOCAL_MAKE_KEYTAB -princ kadmin/admin -princ kadmin/changepw -princ ovsec_adm/admin -princ ovsec_adm/changepw $K5ROOT/ovsec_adm.keytab $REDIRECT - - # Create $K5ROOT/setup.csh to make it easy to run other programs against - # the test db -diff --git a/src/kadmin/testing/scripts/make-host-keytab.plin b/src/kadmin/testing/scripts/make-host-keytab.plin -index dfe0b3a01..c77d61c70 100755 ---- a/src/kadmin/testing/scripts/make-host-keytab.plin -+++ b/src/kadmin/testing/scripts/make-host-keytab.plin -@@ -11,7 +11,7 @@ $usage = "Usage: $whoami [ -server server ] [ -princ principal ] - Default principals are host/hostname\@SECURE-TEST.OV.COM and - test/hostname\@SECURE-TEST.OV.COM. - If any principals are specified, the default principals are -- not added to the srvtab. -+ not added to the keytab. - The string \"xCANONHOSTx\" in a principal specification will be - replaced by the canonical host name of the local host."; - -diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local -index f34444ee8..e502a6a0b 100755 ---- a/src/kadmin/testing/scripts/start_servers_local -+++ b/src/kadmin/testing/scripts/start_servers_local -@@ -96,9 +96,6 @@ x=$? - rm /tmp/start_servers_local$$ - if test $x != 0 ; then exit 1 ; fi - --# rm -f /etc/v5srvtab --# eval $LOCAL_MAKE_KEYTAB -princ host/xCANONHOSTx /etc/v5srvtab $REDIRECT -- - # run the servers (from the build tree) - - adm_start_file=/tmp/adm_server_start.$$ -diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c -index b7fb63777..0b53aae7e 100644 ---- a/src/kprop/kprop.c -+++ b/src/kprop/kprop.c -@@ -49,7 +49,7 @@ static char *kprop_version = KPROP_PROT_VERSION; - - static char *progname = NULL; - static int debug = 0; --static char *srvtab = NULL; -+static char *keytab_path = NULL; - static char *replica_host; - static char *realm = NULL; - static char *def_realm = NULL; -@@ -83,7 +83,7 @@ static void update_last_prop_file(char *hostname, char *file_name); - static void usage() - { - fprintf(stderr, _("\nUsage: %s [-r realm] [-f file] [-d] [-P port] " -- "[-s srvtab] replica_host\n\n"), progname); -+ "[-s keytab] replica_host\n\n"), progname); - exit(1); - } - -@@ -140,7 +140,7 @@ parse_args(krb5_context context, int argc, char **argv) - port = optarg; - break; - case 's': -- srvtab = optarg; -+ keytab_path = optarg; - break; - default: - usage(); -@@ -191,8 +191,8 @@ get_tickets(krb5_context context) - exit(1); - } - -- if (srvtab != NULL) { -- retval = krb5_kt_resolve(context, srvtab, &keytab); -+ if (keytab_path != NULL) { -+ retval = krb5_kt_resolve(context, keytab_path, &keytab); - if (retval) { - com_err(progname, retval, _("while resolving keytab")); - exit(1); -diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index 0c7bffa24..e4aaf553c 100644 ---- a/src/kprop/kpropd.c -+++ b/src/kprop/kpropd.c -@@ -117,7 +117,7 @@ static kadm5_config_params params; - static char *progname; - static int debug = 0; - static int nodaemon = 0; --static char *srvtab = NULL; -+static char *keytab_path = NULL; - static int standalone = 0; - static const char *pid_file = NULL; - -@@ -168,7 +168,7 @@ static void - usage() - { - fprintf(stderr, -- _("\nUsage: %s [-r realm] [-s srvtab] [-dS] [-f replica_file]\n"), -+ _("\nUsage: %s [-r realm] [-s keytab] [-dS] [-f replica_file]\n"), - progname); - fprintf(stderr, _("\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n")); - fprintf(stderr, _("\t[-x db_args]* [-P port] [-a acl_file]\n")); -@@ -701,7 +701,7 @@ reinit: - iprop_svc_princstr); - } - retval = kadm5_init_with_skey(kpropd_context, iprop_svc_princstr, -- srvtab, -+ keytab_path, - master_svc_princstr, - ¶ms, - KADM5_STRUCT_VERSION, -@@ -1092,7 +1092,7 @@ parse_args(int argc, char **argv) - realm = optarg; - break; - case 's': -- srvtab = optarg; -+ keytab_path = optarg; - break; - case 'D': - nodaemon++; -@@ -1246,8 +1246,8 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp, - exit(1); - } - -- if (srvtab != NULL) { -- retval = krb5_kt_resolve(context, srvtab, &keytab); -+ if (keytab_path != NULL) { -+ retval = krb5_kt_resolve(context, keytab_path, &keytab); - if (retval) { - syslog(LOG_ERR, _("Error in krb5_kt_resolve: %s"), - error_message(retval)); -diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/unit-test/api.current/init.exp -index d9ae3fbd8..f78261376 100644 ---- a/src/lib/kadm5/unit-test/api.current/init.exp -+++ b/src/lib/kadm5/unit-test/api.current/init.exp -@@ -695,10 +695,10 @@ if {$RPC} { - test45_46 ovsec_adm/changepw - - # re-extract the keytab so it is right -- exec rm $env(K5ROOT)/ovsec_adm.srvtab -+ exec rm $env(K5ROOT)/ovsec_adm.keytab - exec $env(MAKE_KEYTAB) -princ ovsec_adm/admin -princ ovsec_adm/changepw \ - -princ kadmin/admin -princ kadmin/changepw \ -- $env(K5ROOT)/ovsec_adm.srvtab -+ $env(K5ROOT)/ovsec_adm.keytab - } - - return "" -diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in -index 2a8fceb00..4621bf714 100644 ---- a/src/lib/krb5/keytab/Makefile.in -+++ b/src/lib/krb5/keytab/Makefile.in -@@ -14,7 +14,6 @@ STLIBOBJS= \ - ktfns.o \ - kt_file.o \ - kt_memory.o \ -- kt_srvtab.o \ - read_servi.o - - OBJS= \ -@@ -26,7 +25,6 @@ OBJS= \ - $(OUTPRE)ktfns.$(OBJEXT) \ - $(OUTPRE)kt_file.$(OBJEXT) \ - $(OUTPRE)kt_memory.$(OBJEXT) \ -- $(OUTPRE)kt_srvtab.$(OBJEXT) \ - $(OUTPRE)read_servi.$(OBJEXT) - - SRCS= \ -@@ -38,7 +36,6 @@ SRCS= \ - $(srcdir)/ktfns.c \ - $(srcdir)/kt_file.c \ - $(srcdir)/kt_memory.c \ -- $(srcdir)/kt_srvtab.c \ - $(srcdir)/read_servi.c - - EXTRADEPSRCS= \ -diff --git a/src/lib/krb5/keytab/deps b/src/lib/krb5/keytab/deps -index 4c98188ca..522cad0e8 100644 ---- a/src/lib/krb5/keytab/deps -+++ b/src/lib/krb5/keytab/deps -@@ -87,17 +87,6 @@ kt_memory.so kt_memory.po $(OUTPRE)kt_memory.$(OBJEXT): \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - kt-int.h kt_memory.c --kt_srvtab.so kt_srvtab.po $(OUTPRE)kt_srvtab.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- kt_srvtab.c - read_servi.so read_servi.po $(OUTPRE)read_servi.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c -deleted file mode 100644 -index bbfaadfc2..000000000 ---- a/src/lib/krb5/keytab/kt_srvtab.c -+++ /dev/null -@@ -1,435 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/krb5/keytab/kt_srvtab.c */ --/* -- * Copyright 1990,1991,2002,2007,2008 by the Massachusetts Institute of Technology. -- * All Rights Reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ --/* -- * Copyright (c) Hewlett-Packard Company 1991 -- * Released to the Massachusetts Institute of Technology for inclusion -- * in the Kerberos source code distribution. -- * -- * Copyright 1990,1991 by the Massachusetts Institute of Technology. -- * All Rights Reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ -- --#include "k5-int.h" --#include -- --#ifndef LEAN_CLIENT -- --/* -- * Constants -- */ -- --#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */ --#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */ -- --#define KRB5_KT_DEFAULT_VNO KRB5_KT_VNO -- --/* -- * Types -- */ --typedef struct _krb5_ktsrvtab_data { -- char *name; /* Name of the file */ -- FILE *openf; /* open file, if any. */ --} krb5_ktsrvtab_data; -- --/* -- * Macros -- */ --#define KTPRIVATE(id) ((krb5_ktsrvtab_data *)(id)->data) --#define KTFILENAME(id) (((krb5_ktsrvtab_data *)(id)->data)->name) --#define KTFILEP(id) (((krb5_ktsrvtab_data *)(id)->data)->openf) -- --extern const struct _krb5_kt_ops krb5_kts_ops; -- --static krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_resolve(krb5_context, const char *, krb5_keytab *); -- --static krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_get_name(krb5_context, krb5_keytab, char *, unsigned int); -- --static krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_close(krb5_context, krb5_keytab); -- --static krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_get_entry(krb5_context, krb5_keytab, krb5_const_principal, -- krb5_kvno, krb5_enctype, krb5_keytab_entry *); -- --static krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_start_seq_get(krb5_context, krb5_keytab, krb5_kt_cursor *); -- --static krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_get_next(krb5_context, krb5_keytab, krb5_keytab_entry *, -- krb5_kt_cursor *); -- --static krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_end_get(krb5_context, krb5_keytab, krb5_kt_cursor *); -- --static krb5_error_code --krb5_ktsrvint_open(krb5_context, krb5_keytab); -- --static krb5_error_code --krb5_ktsrvint_close(krb5_context, krb5_keytab); -- --static krb5_error_code --krb5_ktsrvint_read_entry(krb5_context, krb5_keytab, krb5_keytab_entry *); -- --/* -- * This is an implementation specific resolver. It returns a keytab id -- * initialized with srvtab keytab routines. -- */ -- --static krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id) --{ -- krb5_ktsrvtab_data *data; -- -- if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) -- return(ENOMEM); -- -- (*id)->ops = &krb5_kts_ops; -- data = (krb5_ktsrvtab_data *)malloc(sizeof(krb5_ktsrvtab_data)); -- if (data == NULL) { -- free(*id); -- return(ENOMEM); -- } -- -- data->name = strdup(name); -- if (data->name == NULL) { -- free(data); -- free(*id); -- return(ENOMEM); -- } -- -- data->openf = 0; -- -- (*id)->data = (krb5_pointer)data; -- (*id)->magic = KV5M_KEYTAB; -- return(0); --} -- --/* -- * "Close" a file-based keytab and invalidate the id. This means -- * free memory hidden in the structures. -- */ -- --krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_close(krb5_context context, krb5_keytab id) --/* -- * This routine is responsible for freeing all memory allocated -- * for this keytab. There are no system resources that need -- * to be freed nor are there any open files. -- * -- * This routine should undo anything done by krb5_ktsrvtab_resolve(). -- */ --{ -- free(KTFILENAME(id)); -- free(id->data); -- id->ops = 0; -- free(id); -- return (0); --} -- --/* -- * This is the get_entry routine for the file based keytab implementation. -- * It opens the keytab file, and either retrieves the entry or returns -- * an error. -- */ -- --krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal principal, krb5_kvno kvno, krb5_enctype enctype, krb5_keytab_entry *entry) --{ -- krb5_keytab_entry best_entry, ent; -- krb5_error_code kerror = 0; -- int found_wrong_kvno = 0; -- -- /* Open the srvtab. */ -- if ((kerror = krb5_ktsrvint_open(context, id))) -- return(kerror); -- -- /* srvtab files only have DES_CBC_CRC keys. */ -- switch (enctype) { -- case ENCTYPE_DES_CBC_CRC: -- case ENCTYPE_DES_CBC_MD5: -- case ENCTYPE_DES_CBC_MD4: -- case ENCTYPE_DES_CBC_RAW: -- case IGNORE_ENCTYPE: -- break; -- default: -- return KRB5_KT_NOTFOUND; -- } -- -- best_entry.principal = 0; -- best_entry.vno = 0; -- best_entry.key.contents = 0; -- while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) { -- ent.key.enctype = enctype; -- if (krb5_principal_compare(context, principal, ent.principal)) { -- if (kvno == IGNORE_VNO || ent.vno == IGNORE_VNO) { -- if (!best_entry.principal || (best_entry.vno < ent.vno)) { -- krb5_kt_free_entry(context, &best_entry); -- best_entry = ent; -- } -- } else { -- if (ent.vno == kvno) { -- best_entry = ent; -- break; -- } else { -- found_wrong_kvno = 1; -- } -- } -- } else { -- krb5_kt_free_entry(context, &ent); -- } -- } -- if (kerror == KRB5_KT_END) { -- if (best_entry.principal) -- kerror = 0; -- else if (found_wrong_kvno) -- kerror = KRB5_KT_KVNONOTFOUND; -- else -- kerror = KRB5_KT_NOTFOUND; -- } -- if (kerror) { -- (void) krb5_ktsrvint_close(context, id); -- krb5_kt_free_entry(context, &best_entry); -- return kerror; -- } -- if ((kerror = krb5_ktsrvint_close(context, id)) != 0) { -- krb5_kt_free_entry(context, &best_entry); -- return kerror; -- } -- *entry = best_entry; -- return 0; --} -- --/* -- * Get the name of the file containing a srvtab-based keytab. -- */ -- --krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len) --/* -- * This routine returns the name of the name of the file associated with -- * this srvtab-based keytab. The name is prefixed with PREFIX:, so that -- * trt will happen if the name is passed back to resolve. -- */ --{ -- int result; -- -- memset(name, 0, len); -- result = snprintf(name, len, "%s:%s", id->ops->prefix, KTFILENAME(id)); -- if (SNPRINTF_OVERFLOW(result, len)) -- return(KRB5_KT_NAME_TOOLONG); -- return(0); --} -- --/* -- * krb5_ktsrvtab_start_seq_get() -- */ -- --krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursorp) --{ -- krb5_error_code retval; -- long *fileoff; -- -- if ((retval = krb5_ktsrvint_open(context, id))) -- return retval; -- -- if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { -- krb5_ktsrvint_close(context, id); -- return ENOMEM; -- } -- *fileoff = ftell(KTFILEP(id)); -- *cursorp = (krb5_kt_cursor)fileoff; -- -- return 0; --} -- --/* -- * krb5_ktsrvtab_get_next() -- */ -- --krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, krb5_kt_cursor *cursor) --{ -- long *fileoff = (long *)*cursor; -- krb5_keytab_entry cur_entry; -- krb5_error_code kerror; -- -- if (fseek(KTFILEP(id), *fileoff, 0) == -1) -- return KRB5_KT_END; -- if ((kerror = krb5_ktsrvint_read_entry(context, id, &cur_entry))) -- return kerror; -- *fileoff = ftell(KTFILEP(id)); -- *entry = cur_entry; -- return 0; --} -- --/* -- * krb5_ktsrvtab_end_get() -- */ -- --krb5_error_code KRB5_CALLCONV --krb5_ktsrvtab_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) --{ -- free(*cursor); -- return krb5_ktsrvint_close(context, id); --} -- --/* -- * krb5_kts_ops -- */ -- --const struct _krb5_kt_ops krb5_kts_ops = { -- 0, -- "SRVTAB", /* Prefix -- this string should not appear anywhere else! */ -- krb5_ktsrvtab_resolve, -- krb5_ktsrvtab_get_name, -- krb5_ktsrvtab_close, -- krb5_ktsrvtab_get_entry, -- krb5_ktsrvtab_start_seq_get, -- krb5_ktsrvtab_get_next, -- krb5_ktsrvtab_end_get, -- 0, -- 0, -- 0 --}; -- --/* formerly: lib/krb5/keytab/srvtab/kts_util.c */ -- --#include -- --/* The maximum sizes for V4 aname, realm, sname, and instance +1 */ --/* Taken from krb.h */ --#define ANAME_SZ 40 --#define REALM_SZ 40 --#define SNAME_SZ 40 --#define INST_SZ 40 -- --static krb5_error_code --read_field(FILE *fp, char *s, int len) --{ -- int c; -- -- while ((c = getc(fp)) != 0) { -- if (c == EOF || len <= 1) -- return KRB5_KT_END; -- *s = c; -- s++; -- len--; -- } -- *s = 0; -- return 0; --} -- --krb5_error_code --krb5_ktsrvint_open(krb5_context context, krb5_keytab id) --{ -- KTFILEP(id) = fopen(KTFILENAME(id), "rb"); -- if (!KTFILEP(id)) -- return errno; -- set_cloexec_file(KTFILEP(id)); -- return 0; --} -- --krb5_error_code --krb5_ktsrvint_close(krb5_context context, krb5_keytab id) --{ -- if (!KTFILEP(id)) -- return 0; -- (void) fclose(KTFILEP(id)); -- KTFILEP(id) = 0; -- return 0; --} -- --krb5_error_code --krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *ret_entry) --{ -- FILE *fp; -- char name[SNAME_SZ], instance[INST_SZ], realm[REALM_SZ]; -- unsigned char key[8]; -- int vno; -- krb5_error_code kerror; -- -- /* Read in an entry from the srvtab file. */ -- fp = KTFILEP(id); -- kerror = read_field(fp, name, sizeof(name)); -- if (kerror != 0) -- return kerror; -- kerror = read_field(fp, instance, sizeof(instance)); -- if (kerror != 0) -- return kerror; -- kerror = read_field(fp, realm, sizeof(realm)); -- if (kerror != 0) -- return kerror; -- vno = getc(fp); -- if (vno == EOF) -- return KRB5_KT_END; -- if (fread(key, 1, sizeof(key), fp) != sizeof(key)) -- return KRB5_KT_END; -- -- /* Fill in ret_entry with the data we read. Everything maps well -- * except for the timestamp, which we don't have a value for. For -- * now we just set it to 0. */ -- memset(ret_entry, 0, sizeof(*ret_entry)); -- ret_entry->magic = KV5M_KEYTAB_ENTRY; -- kerror = krb5_425_conv_principal(context, name, instance, realm, -- &ret_entry->principal); -- if (kerror != 0) -- return kerror; -- ret_entry->vno = vno; -- ret_entry->timestamp = 0; -- ret_entry->key.enctype = ENCTYPE_DES_CBC_CRC; -- ret_entry->key.magic = KV5M_KEYBLOCK; -- ret_entry->key.length = sizeof(key); -- ret_entry->key.contents = k5memdup(key, sizeof(key), &kerror); -- if (ret_entry->key.contents == NULL) { -- krb5_free_principal(context, ret_entry->principal); -- return kerror; -- } -- -- return 0; --} --#endif /* LEAN_CLIENT */ -diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c -index 0d39b2940..25752245a 100644 ---- a/src/lib/krb5/keytab/ktbase.c -+++ b/src/lib/krb5/keytab/ktbase.c -@@ -55,20 +55,15 @@ - - extern const krb5_kt_ops krb5_ktf_ops; - extern const krb5_kt_ops krb5_ktf_writable_ops; --extern const krb5_kt_ops krb5_kts_ops; - extern const krb5_kt_ops krb5_mkt_ops; - - struct krb5_kt_typelist { - const krb5_kt_ops *ops; - const struct krb5_kt_typelist *next; - }; --const static struct krb5_kt_typelist krb5_kt_typelist_srvtab = { -- &krb5_kts_ops, -- NULL --}; - const static struct krb5_kt_typelist krb5_kt_typelist_memory = { - &krb5_mkt_ops, -- &krb5_kt_typelist_srvtab -+ NULL - }; - const static struct krb5_kt_typelist krb5_kt_typelist_wrfile = { - &krb5_ktf_writable_ops, -diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c -index 7a8922623..342fe18dc 100644 ---- a/src/lib/krb5/krb/in_tkt_sky.c -+++ b/src/lib/krb5/krb/in_tkt_sky.c -@@ -56,9 +56,9 @@ get_as_key_skey(krb5_context context, krb5_principal client, - If addrs is non-NULL, it is used for the addresses requested. If it is - null, the system standard addresses are used. - -- If keyblock is NULL, an appropriate key for creds->client is retrieved -- from the system key store (e.g. /etc/srvtab). If keyblock is non-NULL, -- it is used as the decryption key. -+ If keyblock is NULL, an appropriate key for creds->client is retrieved from -+ the system key store (e.g. /etc/krb5.keytab). If keyblock is non-NULL, it -+ is used as the decryption key. - - A succesful call will place the ticket in the credentials cache ccache. - -diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports -index dfdb72daf..038e4de4b 100644 ---- a/src/lib/krb5/libkrb5.exports -+++ b/src/lib/krb5/libkrb5.exports -@@ -459,7 +459,6 @@ krb5_kt_resolve - krb5_kt_start_seq_get - krb5_ktf_ops - krb5_ktf_writable_ops --krb5_kts_ops - krb5_kuserok - krb5_lock_file - krb5_make_authdata_kdc_issued -diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/unit-test/Makefile.in -index 6f29e33c9..46f2f1d4b 100644 ---- a/src/lib/rpc/unit-test/Makefile.in -+++ b/src/lib/rpc/unit-test/Makefile.in -@@ -45,8 +45,8 @@ PASS=@PASS@ - unit-test-body: - $(RM) krb5cc_rpc_test_* - $(ENV_SETUP) $(VALGRIND) $(START_SERVERS) -- RPC_TEST_SRVTAB=/tmp/rpc_test_v5srvtab.$$$$ ; export RPC_TEST_SRVTAB ; \ -- trap "echo Failed, cleaning up... ; rm -f $$RPC_TEST_SRVTAB ; $(ENV_SETUP) $(STOP_SERVERS) ; trap '' 0 ; exit 1" 0 1 2 3 14 15 ; \ -+ RPC_TEST_KEYTAB=/tmp/rpc_test_keytab.$$$$ ; export RPC_TEST_KEYTAB ; \ -+ trap "echo Failed, cleaning up... ; rm -f $$RPC_TEST_KEYTAB ; $(ENV_SETUP) $(STOP_SERVERS) ; trap '' 0 ; exit 1" 0 1 2 3 14 15 ; \ - if $(ENV_SETUP) \ - $(RUNTEST) SERVER=./server CLIENT=./client \ - KINIT=$(BUILDTOP)/clients/kinit/kinit \ -@@ -55,7 +55,7 @@ unit-test-body: - PASS="$(PASS)" --tool rpc_test $(RUNTESTFLAGS) ; \ - then \ - echo Cleaning up... ; \ -- rm -f $$RPC_TEST_SRVTAB krb5cc_rpc_test_* ; \ -+ rm -f $$RPC_TEST_KEYTAB krb5cc_rpc_test_* ; \ - $(ENV_SETUP) $(STOP_SERVERS) ; \ - trap 0 ; exit 0 ; \ - else exit 1 ; fi -diff --git a/src/lib/rpc/unit-test/config/unix.exp b/src/lib/rpc/unit-test/config/unix.exp -index ba57b703e..ed179bbe3 100644 ---- a/src/lib/rpc/unit-test/config/unix.exp -+++ b/src/lib/rpc/unit-test/config/unix.exp -@@ -139,7 +139,7 @@ proc rpc_test_start { } { - - if [info exists server_pid] { rpc_test_exit } - -- set env(KRB5_KTNAME) FILE:$env(RPC_TEST_SRVTAB) -+ set env(KRB5_KTNAME) FILE:$env(RPC_TEST_KEYTAB) - - verbose "% $SERVER" 1 - set server_pid [spawn $SERVER $PROT] -diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/unit-test/lib/helpers.exp -index a7f89f636..f08c73201 100644 ---- a/src/lib/rpc/unit-test/lib/helpers.exp -+++ b/src/lib/rpc/unit-test/lib/helpers.exp -@@ -121,8 +121,8 @@ proc setup_database {} { - if ![info exists CANON_HOST] { - set CANON_HOST $env(QUALNAME) - setup_database -- file delete $env(RPC_TEST_SRVTAB) -- exec $env(MAKE_KEYTAB) -princ "server/$CANON_HOST" $env(RPC_TEST_SRVTAB) -+ file delete $env(RPC_TEST_KEYTAB) -+ exec $env(MAKE_KEYTAB) -princ "server/$CANON_HOST" $env(RPC_TEST_KEYTAB) - } - - -diff --git a/src/lib/rpc/unit-test/rpc_test_setup.sh b/src/lib/rpc/unit-test/rpc_test_setup.sh -index d147a337e..d7df0eb2b 100755 ---- a/src/lib/rpc/unit-test/rpc_test_setup.sh -+++ b/src/lib/rpc/unit-test/rpc_test_setup.sh -@@ -1,7 +1,7 @@ - #!/bin/sh - # - # This script performs additional setup for the RPC unit test. It --# assumes that gmake has put TOP and RPC_TEST_SRVTAB into the -+# assumes that gmake has put TOP and RPC_TEST_KEYTAB into the - # environment. - # - # $Id$ -@@ -39,9 +39,9 @@ if test $? != 0 ; then - fi - rm /tmp/rpc_test_setup$$ - --rm -f $RPC_TEST_SRVTAB -+rm -f $RPC_TEST_KEYTAB - --eval $MAKE_KEYTAB -princ server/$CANON_HOST $RPC_TEST_SRVTAB $REDIRECT -+eval $MAKE_KEYTAB -princ server/$CANON_HOST $RPC_TEST_KEYTAB $REDIRECT - - # grep -s "$CANON_HOST SECURE-TEST.OV.COM" /etc/krb.realms - # if [ $? != 0 ]; then -diff --git a/src/man/ktutil.man b/src/man/ktutil.man -index 711a0ed2c..233329468 100644 ---- a/src/man/ktutil.man -+++ b/src/man/ktutil.man -@@ -1,6 +1,6 @@ - .\" Man page generated from reStructuredText. - . --.TH "KTUTIL" "1" " " "1.17.1" "MIT Kerberos" -+.TH "KTUTIL" "1" " " "1.18" "MIT Kerberos" - .SH NAME - ktutil \- Kerberos keytab file maintenance utility - . -@@ -36,8 +36,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - .SH DESCRIPTION - .sp - The ktutil command invokes a command interface from which an --administrator can read, write, or edit entries in a keytab or Kerberos --V4 srvtab file. -+administrator can read, write, or edit entries in a keytab. (Kerberos -+V4 srvtab files are no longer supported.) - .SH COMMANDS - .SS list - .INDENT 0.0 -@@ -59,16 +59,6 @@ Alias: \fBl\fP - Read the Kerberos V5 keytab file \fIkeytab\fP into the current keylist. - .sp - Alias: \fBrkt\fP --.SS read_st --.INDENT 0.0 --.INDENT 3.5 --\fBread_st\fP \fIsrvtab\fP --.UNINDENT --.UNINDENT --.sp --Read the Kerberos V4 srvtab file \fIsrvtab\fP into the current keylist. --.sp --Alias: \fBrst\fP - .SS write_kt - .INDENT 0.0 - .INDENT 3.5 -@@ -79,16 +69,6 @@ Alias: \fBrst\fP - Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP\&. - .sp - Alias: \fBwkt\fP --.SS write_st --.INDENT 0.0 --.INDENT 3.5 --\fBwrite_st\fP \fIsrvtab\fP --.UNINDENT --.UNINDENT --.sp --Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP\&. --.sp --Alias: \fBwst\fP - .SS clear_list - .INDENT 0.0 - .INDENT 3.5 -diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp -index d7b296516..ea9bedd45 100644 ---- a/src/tests/dejagnu/config/default.exp -+++ b/src/tests/dejagnu/config/default.exp -@@ -440,8 +440,8 @@ proc delete_db {} { - $tmppwd/kdc-db.ulog \ - $tmppwd/replica-db $tmppwd/replica-db.ok $tmppwd/replica-db.kadm5 $tmppwd/replica-db.kadm5.lock \ - $tmppwd/replica-db~ $tmppwd/replica-db~.ok $tmppwd/replica-db~.kadm5 $tmppwd/replica-db~.kadm5.lock -- # Creating a new database means we need a new srvtab. -- file delete $tmppwd/srvtab $tmppwd/cpw_srvtab -+ # Creating a new database means we need a new keytab. -+ file delete $tmppwd/keytab $tmppwd/cpw_keytab - } - - delete_db -@@ -1510,11 +1510,9 @@ proc start_kpropd {} { - - envstack_push - setup_kerberos_env replica -- spawn $KPROPD -S -d -t -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-replica-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl -+ spawn $KPROPD -S -d -t -P [expr 10 + $portbase] -s $tmppwd/keytab -f $tmppwd/incoming-replica-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl - set kpropd_pid [exp_pid] - set kpropd_spawn_id $spawn_id --# send_user [list $KPROPD -S -d -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-replica-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl]\n --# spawn_shell - envstack_pop - } - -@@ -1859,13 +1857,13 @@ proc add_random_key { kkey standalone } { - } - } - --# setup_srvtab --# Set up a srvtab file. start_kerberos_daemons and add_random_key -+# setup_keytab -+# Set up a keytab file. start_kerberos_daemons and add_random_key - # $id/$hostname must be called before this procedure. If the - # argument is non-zero, call pass at relevant points. Returns 1 on - # success, 0 on failure. If the id field is not provided, host is used. - --proc setup_srvtab { standalone {id host} } { -+proc setup_keytab { standalone {id host} } { - global REALMNAME - global KADMIN_LOCAL - global KEY -@@ -1874,17 +1872,17 @@ proc setup_srvtab { standalone {id host} } { - global spawn_id - global last_service - -- if {!$standalone && [file exists $tmppwd/srvtab] && $last_service == $id} { -+ if {!$standalone && [file exists $tmppwd/keytab] && $last_service == $id} { - return 1 - } - -- file delete $tmppwd/srvtab $tmppwd/srvtab.old -+ file delete $tmppwd/keytab $tmppwd/keytab.old - - if ![get_hostname] { - return 0 - } - -- file delete $hostname-new-srvtab -+ file delete $hostname-new-keytab - - envstack_push - setup_kerberos_env kdc -@@ -1892,40 +1890,40 @@ proc setup_srvtab { standalone {id host} } { - envstack_pop - expect_after { - -re "(.*)\r\nkadmin.local: " { -- fail "kadmin.local srvtab (unmatched output: $expect_out(1,string))" -+ fail "kadmin.local keytab (unmatched output: $expect_out(1,string))" - if {!$standalone} { -- file delete $tmppwd/srvtab -+ file delete $tmppwd/keytab - } - catch "expect_after" - return 0 - } - timeout { -- fail "kadmin.local srvtab" -+ fail "kadmin.local keytab" - if {!$standalone} { -- file delete $tmppwd/srvtab -+ file delete $tmppwd/keytab - } - catch "expect_after" - return 0 - } - eof { -- fail "kadmin.local srvtab" -+ fail "kadmin.local keytab" - if {!$standalone} { -- file delete $tmppwd/srvtab -+ file delete $tmppwd/keytab - } - catch "expect_after" - return 0 - } - } - expect "kadmin.local: " -- send "xst -k $hostname-new-srvtab $id/$hostname kiprop/$hostname\r" -- expect "xst -k $hostname-new-srvtab $id/$hostname kiprop/$hostname\r\n" -+ send "xst -k $hostname-new-keytab $id/$hostname kiprop/$hostname\r" -+ expect "xst -k $hostname-new-keytab $id/$hostname kiprop/$hostname\r\n" - expect { -- -re ".*Entry for principal $id/$hostname.* added to keytab WRFILE:$hostname-new-srvtab." { } -+ -re ".*Entry for principal $id/$hostname.* added to keytab WRFILE:$hostname-new-keytab." { } - -re "\r\nkadmin.local: " { - if {$standalone} { -- fail "kadmin.local srvtab" -+ fail "kadmin.local keytab" - } else { -- file delete $tmppwd/srvtab -+ file delete $tmppwd/keytab - } - catch expect_after - return 0 -@@ -1935,27 +1933,27 @@ proc setup_srvtab { standalone {id host} } { - send "quit\r" - expect eof - catch expect_after -- if ![check_exit_status "kadmin.local srvtab"] { -+ if ![check_exit_status "kadmin.local keytab"] { - if {!$standalone} { -- file delete $tmppwd/srvtab -+ file delete $tmppwd/keytab - } - return 0 - } - -- catch "exec mv -f $hostname-new-srvtab $tmppwd/srvtab" exec_output -+ catch "exec mv -f $hostname-new-keytab $tmppwd/keytab" exec_output - if ![string match "" $exec_output] { - verbose -log "$exec_output" -- perror "can't mv new srvtab" -+ perror "can't mv new keytab" - return 0 - } - - if {$standalone} { -- pass "kadmin.local srvtab" -+ pass "kadmin.local keytab" - } - -- # Make the srvtab file globally readable in case we are using a -- # root shell and the srvtab is NFS mounted. -- catch "exec chmod a+r $tmppwd/srvtab" -+ # Make the keytab file globally readable in case we are using a -+ # root shell and the keytab is NFS mounted. -+ catch "exec chmod a+r $tmppwd/keytab" - - # Remember what we just extracted - set last_service $id -diff --git a/src/tests/dejagnu/krb-standalone/gssapi.exp b/src/tests/dejagnu/krb-standalone/gssapi.exp -index 582e08719..e3357e769 100644 ---- a/src/tests/dejagnu/krb-standalone/gssapi.exp -+++ b/src/tests/dejagnu/krb-standalone/gssapi.exp -@@ -238,9 +238,9 @@ proc doit { } { - perror "failed to set up gssservice/$hostname key" - } - -- # Use kdb5_edit to create a srvtab entry for gssservice -- if ![setup_srvtab 0 gssservice] { -- perror "failed to set up gssservice srvtab" -+ # Use kdb5_edit to create a keytab entry for gssservice -+ if ![setup_keytab 0 gssservice] { -+ perror "failed to set up gssservice keytab" - } - - catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3" -@@ -278,7 +278,7 @@ proc doit { } { - # - # set KRB5CCNAME and KRB5_KTNAME - # -- set env(KRB5_KTNAME) FILE:$tmppwd/srvtab -+ set env(KRB5_KTNAME) FILE:$tmppwd/keytab - verbose "KRB5_KTNAME=$env(KRB5_KTNAME)" - - # Now start the gss-server. -diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp -index 33fc34a7b..36a345258 100644 ---- a/src/tests/dejagnu/krb-standalone/kadmin.exp -+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp -@@ -457,62 +457,16 @@ proc kadmin_extract { instance name } { - expect -re "assword\[^\r\n\]*: *" { - send "adminpass$KEY\r" - } --# expect -re "kadmin: Entry for principal $name/$instance with kvno [0-9], encryption type .* added to keytab WRFILE:$tmppwd/keytab." - expect_after - expect eof - set k_stat [wait -i $spawn_id] - verbose "wait -i $spawn_id returned $k_stat (kadmin xst)" - catch "close -i $spawn_id" -- catch "exec rm -f $instance-new-srvtab" -+ catch "exec rm -f $instance-new-keytab" - pass "kadmin xst $instance $name" - return 1 - } - --#++ --# kadmin_extractv4 - Test extract service key in v4 format function of --# kadmin. --# --# Extracts service key for service name $name instance $instance in version --# 4 format. Returns 1 on success. --#-- --#proc kadmin_extractv4 { instance name } { --# global REALMNAME --# global KADMIN --# global KEY --# global spawn_id --# --# spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst4 $instance $name" --# expect_after { --# "Cannot contact any KDC" { --# fail "kadmin xst4 $instance $name lost KDC" --# catch "expect_after" --# return 0 --# } --# timeout { --# fail "kadmin xst4 $instance $name" --# catch "expect_after" --# return 0 --# } --# eof { --# fail "kadmin xst4 $instance $name" --# catch "expect_after" --# return 0 --# } --# } --# expect -re "assword\[^\r\n\]*: *" { --# send "adminpass$KEY\r" --# } --# expect "extracted entry $name to key table $instance-new-v4-srvtab" --# expect_after --# expect eof --# set k_stat [wait -i $spawn_id] --# verbose "wait -i $spawn_id returned $k_stat (kadmin xst4)" --# catch "close -i $spawn_id" --# catch "exec rm -f $instance-new-v4-srvtab" --# pass "kadmin xst4 $instance $name" --# return 1 --#} -- - #++ - # kadmin_delete - Test delete principal function of kadmin. - # -diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/dejagnu/krb-standalone/kprop.exp -index 2221a65e4..f71ee8638 100644 ---- a/src/tests/dejagnu/krb-standalone/kprop.exp -+++ b/src/tests/dejagnu/krb-standalone/kprop.exp -@@ -72,8 +72,8 @@ proc doit { } { - fail "kprop (host key)" - return - } -- if ![setup_srvtab 0] { -- fail "kprop (srvtab)" -+ if ![setup_keytab 0] { -+ fail "kprop (keytab)" - return - } - -@@ -99,7 +99,7 @@ proc doit { } { - sleep 1 - - # Try a propagation. -- spawn $KPROP -f $tmppwd/replica_datatrans -P [expr 10 + $portbase] -s $tmppwd/srvtab $hostname -+ spawn $KPROP -f $tmppwd/replica_datatrans -P [expr 10 + $portbase] -s $tmppwd/keytab $hostname - expect eof - set kprop_exit [check_exit_status "kprop (exit status)"] - # log output for debugging -diff --git a/src/tests/dejagnu/krb-standalone/sample.exp b/src/tests/dejagnu/krb-standalone/sample.exp -index 326f1848d..93a75f1d0 100644 ---- a/src/tests/dejagnu/krb-standalone/sample.exp -+++ b/src/tests/dejagnu/krb-standalone/sample.exp -@@ -42,7 +42,7 @@ proc start_sserver_daemon { inetd } { - # if inetd = 0, then we are running stand-alone - if !{$inetd} { - # Start the sserver -- spawn $SSERVER -p [expr 8 + $portbase] -S $tmppwd/srvtab -+ spawn $SSERVER -p [expr 8 + $portbase] -S $tmppwd/keytab - set sserver_pid [exp_pid] - set sserver_spawn_id $spawn_id - -@@ -52,7 +52,7 @@ proc start_sserver_daemon { inetd } { - sleep 2 - } else { - # Start the sserver -- spawn $T_INETD [expr 8 + $portbase] $SSERVER sserver -S $tmppwd/srvtab -+ spawn $T_INETD [expr 8 + $portbase] $SSERVER sserver -S $tmppwd/keytab - set sserver_pid [exp_pid] - set sserver_spawn_id $spawn_id - -@@ -166,8 +166,8 @@ proc doit { } { - return - } - -- # Use ksrvutil to create a srvtab entry for sample -- if ![setup_srvtab 1 sample] { -+ # Use ksrvutil to create a keytab entry for sample -+ if ![setup_keytab 1 sample] { - return - } - -diff --git a/src/tests/dejagnu/krb-standalone/simple.exp b/src/tests/dejagnu/krb-standalone/simple.exp -index fa749035f..d8b218248 100644 ---- a/src/tests/dejagnu/krb-standalone/simple.exp -+++ b/src/tests/dejagnu/krb-standalone/simple.exp -@@ -40,7 +40,7 @@ proc start_sim_server_daemon { } { - global portbase - - # Start the sim_server -- spawn $SIM_SERVER -p [expr 8 + $portbase] -S $tmppwd/srvtab -+ spawn $SIM_SERVER -p [expr 8 + $portbase] -S $tmppwd/keytab - set sim_server_pid [exp_pid] - set sim_server_spawn_id $spawn_id - -@@ -179,8 +179,8 @@ proc doit { } { - return - } - -- # Use ksrvutil to create a srvtab entry for sample -- if ![setup_srvtab 1 sample] { -+ # Use ksrvutil to create a keytab entry for sample -+ if ![setup_keytab 1 sample] { - return - } - -diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/dejagnu/krb-standalone/standalone.exp -index 5b5970fba..d284297e8 100644 ---- a/src/tests/dejagnu/krb-standalone/standalone.exp -+++ b/src/tests/dejagnu/krb-standalone/standalone.exp -@@ -166,8 +166,8 @@ proc doit { } { - verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)" - catch "close -i $spawn_id" - -- # Use ksrvutil to create a srvtab entry. -- if ![setup_srvtab 1] { -+ # Use ksrvutil to create a keytab entry. -+ if ![setup_keytab 1] { - return - } - -diff --git a/src/tests/dejagnu/krb-standalone/tcp.exp b/src/tests/dejagnu/krb-standalone/tcp.exp -index db09b895e..df3195bb6 100644 ---- a/src/tests/dejagnu/krb-standalone/tcp.exp -+++ b/src/tests/dejagnu/krb-standalone/tcp.exp -@@ -33,11 +33,6 @@ proc doit { } { - return - } - -- # Use ksrvutil to create a srvtab entry. --# if ![setup_srvtab 1] { --# return --# } -- - # Use kinit to get a ticket. - if ![kinit krbtest/admin adminpass$KEY 1] { - return diff --git a/Remove-strerror-calls-from-k5_get_error.patch b/Remove-strerror-calls-from-k5_get_error.patch deleted file mode 100644 index a46ccdc..0000000 --- a/Remove-strerror-calls-from-k5_get_error.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 128098be731775ecc2a5de6308868fae78059db9 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 6 Jun 2019 11:46:58 -0400 -Subject: [PATCH] Remove strerror() calls from k5_get_error() - -Coverity models strerror() as a function which cannot accept negative -values, even though it has defined behavior on all integers. -k5_get_error() contains code to call strerror_r() and strerror() if -its fptr global is unset, which isn't an expected case in practice. -To silence a large number of Coverity false positives, just return a -fixed string if fptr is null. - -(cherry picked from commit 2d400bea7a81a5a834a1be6ded439f18e0afa5ba) ---- - src/util/support/errors.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/util/support/errors.c b/src/util/support/errors.c -index 70e1d59d0..f8bea07a3 100644 ---- a/src/util/support/errors.c -+++ b/src/util/support/errors.c -@@ -78,10 +78,9 @@ k5_get_error(struct errinfo *ep, long code) - - lock(); - if (fptr == NULL) { -+ /* Should be rare; fptr should be set whenever libkrb5 is loaded. */ - unlock(); -- if (strerror_r(code, buf, sizeof(buf)) == 0) -- return oom_check(strdup(buf)); -- return oom_check(strdup(strerror(code))); -+ return oom_check(strdup(_("Error code translation unavailable"))); - } - r = fptr(code); - #ifndef HAVE_COM_ERR_INTL diff --git a/Remove-support-for-no-flags-SAM-2-preauth.patch b/Remove-support-for-no-flags-SAM-2-preauth.patch deleted file mode 100644 index c7c1afb..0000000 --- a/Remove-support-for-no-flags-SAM-2-preauth.patch +++ /dev/null @@ -1,73 +0,0 @@ -From c00274de6de883d74ae231405b6ae5e1486712c9 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Wed, 17 Apr 2019 17:07:46 -0400 -Subject: [PATCH] Remove support for no-flags SAM-2 preauth - -When neither the send-encrypted-sad nor the use-sad-as-key flag is set -in the SAM-2 challenge, the protocol calls for the AS key to be -combined with the string-to-key of the SAD using a key combination -method which has only been implemented for DES and 3DES enctypes. -Rather than extending key combination, remove support for this case. - -[ghudson@mit.edu: rewrote commit message, added comment] - -ticket: 8812 (new) -(cherry picked from commit c30e0af224ef3716513744fd86aec3eeea90abf9) ---- - src/lib/krb5/krb/preauth_sam2.c | 40 +++++++++------------------------ - 1 file changed, 11 insertions(+), 29 deletions(-) - -diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c -index c7484c47e..fda86bee2 100644 ---- a/src/lib/krb5/krb/preauth_sam2.c -+++ b/src/lib/krb5/krb/preauth_sam2.c -@@ -211,38 +211,20 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata, - /* Get encryption key to be used for checksum and sam_response */ - if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) { - /* Retain as_key from above gak_fct call. */ -- -- if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) { -- /* as_key = combine_key (as_key, string_to_key(SAD)) */ -- krb5_keyblock tmp_kb; -- -- retval = krb5_c_string_to_key(context, sc2b->sam_etype, -- &response_data, salt, &tmp_kb); -- -- if (retval) { -- krb5_free_sam_challenge_2(context, sc2); -- krb5_free_sam_challenge_2_body(context, sc2b); -- if (defsalt.length) free(defsalt.data); -- return(retval); -- } -- -- /* This should be a call to the crypto library some day */ -- /* key types should already match the sam_etype */ -- retval = krb5int_c_combine_keys(context, &ctx->as_key, &tmp_kb, -- &ctx->as_key); -- -- if (retval) { -- krb5_free_sam_challenge_2(context, sc2); -- krb5_free_sam_challenge_2_body(context, sc2b); -- if (defsalt.length) free(defsalt.data); -- return(retval); -- } -- krb5_free_keyblock_contents(context, &tmp_kb); -- } -- - if (defsalt.length) - free(defsalt.data); - -+ if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) { -+ /* -+ * If no flags are set, the protocol calls for us to combine the -+ * initial reply key with the SAD, using a method which is only -+ * specified for DES and 3DES enctypes. We no longer support this -+ * case. -+ */ -+ krb5_free_sam_challenge_2(context, sc2); -+ krb5_free_sam_challenge_2_body(context, sc2b); -+ return(KRB5_SAM_UNSUPPORTED); -+ } - } else { - /* as_key = string_to_key(SAD) */ - diff --git a/Remove-support-for-single-DES-and-CRC.patch b/Remove-support-for-single-DES-and-CRC.patch deleted file mode 100644 index 156e09a..0000000 --- a/Remove-support-for-single-DES-and-CRC.patch +++ /dev/null @@ -1,3340 +0,0 @@ -From e73ed142bd5baf15943069346202fe3b1a4d96d6 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 24 May 2019 13:12:03 -0400 -Subject: [PATCH] Remove support for single-DES and CRC - -Single-DES removal brings us closer to compliance with RFC 6649. -Single-DES was disabled by default starting in release 1.8, and -user-visible deprecation warnings were issued starting in release -1.17. - -ticket: 8808 -(cherry picked from commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8) -[rharwood@redhat.com: .gitignore removal] -[rharwood@redhat.com: In this branch, supported_enctypes changes landed -first] ---- - doc/admin/advanced/retiring-des.rst | 5 + - doc/admin/conf_files/kdc_conf.rst | 17 +- - doc/admin/conf_files/krb5_conf.rst | 17 +- - doc/admin/enctypes.rst | 38 +- - doc/appdev/refs/macros/index.rst | 1 + - doc/conf.py | 4 +- - doc/mitK5features.rst | 2 +- - src/include/k5-int.h | 1 - - src/include/krb5/krb5.hin | 10 +- - src/include/win-mac.h | 12 - - src/kdc/kdc_util.c | 14 - - src/kdc/main.c | 6 - - src/kdc/realm_data.h | 1 - - src/lib/crypto/builtin/des/des_int.h | 1 - - .../crypto/builtin/enc_provider/Makefile.in | 3 - - src/lib/crypto/builtin/enc_provider/deps | 12 - - src/lib/crypto/builtin/enc_provider/des.c | 120 --- - .../crypto/builtin/hash_provider/Makefile.in | 7 +- - src/lib/crypto/builtin/hash_provider/deps | 13 - - .../crypto/builtin/hash_provider/hash_crc32.c | 56 -- - src/lib/crypto/krb/Makefile.in | 9 - - src/lib/crypto/krb/cksumtypes.c | 24 - - src/lib/crypto/krb/combine_keys.c | 3 - - src/lib/crypto/krb/crc32.c | 165 ----- - src/lib/crypto/krb/crypto_int.h | 16 - - src/lib/crypto/krb/default_state.c | 4 - - src/lib/crypto/krb/deps | 36 - - src/lib/crypto/krb/enc_old.c | 181 ----- - src/lib/crypto/krb/etypes.c | 46 -- - src/lib/crypto/krb/s2k_des.c | 691 ------------------ - src/lib/crypto/libk5crypto.exports | 1 - - .../crypto/openssl/enc_provider/Makefile.in | 3 - - src/lib/crypto/openssl/enc_provider/deps | 11 - - src/lib/crypto/openssl/enc_provider/des.c | 218 ------ - .../crypto/openssl/hash_provider/Makefile.in | 10 +- - src/lib/crypto/openssl/hash_provider/deps | 12 - - .../crypto/openssl/hash_provider/hash_crc32.c | 56 -- - src/lib/gssapi/krb5/accept_sec_context.c | 3 - - src/lib/gssapi/krb5/gssapiP_krb5.h | 20 +- - src/lib/gssapi/krb5/k5seal.c | 28 +- - src/lib/gssapi/krb5/k5sealiov.c | 20 - - src/lib/gssapi/krb5/k5unseal.c | 112 --- - src/lib/gssapi/krb5/k5unsealiov.c | 34 +- - src/lib/gssapi/krb5/util_crypt.c | 41 -- - src/lib/kadm5/kadm_rpc_xdr.c | 10 - - src/lib/krb5/ccache/cc_mslsa.c | 11 +- - src/lib/krb5/krb/auth_con.c | 23 +- - src/lib/krb5/krb/gic_keytab.c | 4 - - src/lib/krb5/krb/init_ctx.c | 9 - - src/lib/krb5/krb/mk_req_ext.c | 43 +- - src/lib/krb5/krb/s4u_creds.c | 3 - - src/lib/krb5/krb/ser_ctx.c | 2 +- - src/man/kdc.conf.man | 47 +- - src/man/krb5.conf.man | 6 +- - .../leash/htmlhelp/html/Encryption_Types.htm | 14 +- - 55 files changed, 75 insertions(+), 2181 deletions(-) - delete mode 100644 src/lib/crypto/builtin/enc_provider/des.c - delete mode 100644 src/lib/crypto/builtin/hash_provider/hash_crc32.c - delete mode 100644 src/lib/crypto/krb/crc32.c - delete mode 100644 src/lib/crypto/krb/enc_old.c - delete mode 100644 src/lib/crypto/krb/s2k_des.c - delete mode 100644 src/lib/crypto/openssl/enc_provider/des.c - delete mode 100644 src/lib/crypto/openssl/hash_provider/hash_crc32.c - -diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst -index ebac95f24..4a964c15c 100644 ---- a/doc/admin/advanced/retiring-des.rst -+++ b/doc/admin/advanced/retiring-des.rst -@@ -22,6 +22,11 @@ However, deployments of krb5 using Kerberos databases created with older - versions of krb5 will not necessarily start using strong crypto for - ordinary operation without administrator intervention. - -+MIT krb5 began flagging deprecated encryption types with release 1.17, -+and removed DES (single-DES) support in release 1.18. As a -+consequence, a release prior to 1.18 is required to perform these -+migrations. -+ - Types of keys - ------------- - -diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst -index 7fbc8eb79..9759756a2 100644 ---- a/doc/admin/conf_files/kdc_conf.rst -+++ b/doc/admin/conf_files/kdc_conf.rst -@@ -381,13 +381,6 @@ The following tags may be specified in a [realms] subsection: - listed in **host_based_services**. ``no_host_referral = *`` will - disable referral processing altogether. - --**des_crc_session_supported** -- (Boolean value). If set to true, the KDC will assume that service -- principals support des-cbc-crc for session key enctype negotiation -- purposes. If **allow_weak_crypto** in :ref:`libdefaults` is -- false, or if des-cbc-crc is not a permitted enctype, then this -- variable has no effect. Defaults to true. New in release 1.11. -- - **reject_bad_transit** - (Boolean value.) If set to true, the KDC will check the list of - transited realms for cross-realm tickets against the transit path -@@ -850,13 +843,8 @@ Encryption types marked as "weak" are available for compatibility but - not recommended for use. - - ==================================================== ========================================================= --des-cbc-crc DES cbc mode with CRC-32 (weak) --des-cbc-md4 DES cbc mode with RSA-MD4 (weak) --des-cbc-md5 DES cbc mode with RSA-MD5 (weak) --des-cbc-raw DES cbc mode raw (weak) - des3-cbc-raw Triple DES cbc mode raw (weak) - des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 --des-hmac-sha1 DES with HMAC/sha1 (weak) - aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC - aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC - aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC -@@ -865,7 +853,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 - arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) - camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC - camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC --des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) - des3 The triple DES family: des3-cbc-sha1 - aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 - rc4 The RC4 family: arcfour-hmac -@@ -877,8 +864,8 @@ types for the variable in question. Types or families can be removed - from the current list by prefixing them with a minus sign ("-"). - Types or families can be prefixed with a plus sign ("+") for symmetry; - it has the same meaning as just listing the type or family. For --example, "``DEFAULT -des``" would be the default set of encryption --types with DES types removed, and "``des3 DEFAULT``" would be the -+example, "``DEFAULT -rc4``" would be the default set of encryption -+types with RC4 types removed, and "``des3 DEFAULT``" would be the - default set of encryption types with triple DES types moved to the - front. - -diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index a3fb5d9f2..d5c498c89 100644 ---- a/doc/admin/conf_files/krb5_conf.rst -+++ b/doc/admin/conf_files/krb5_conf.rst -@@ -100,10 +100,7 @@ The libdefaults section may contain any of the following relations: - in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered - out of the lists **default_tgs_enctypes**, - **default_tkt_enctypes**, and **permitted_enctypes**. The default -- value for this tag is false, which may cause authentication -- failures in existing Kerberos infrastructures that do not support -- strong crypto. Users in affected environments should set this tag -- to true until their infrastructure adopts stronger ciphers. -+ value for this tag is false. - - **canonicalize** - If this flag is set to true, initial ticket requests to the KDC -@@ -157,9 +154,7 @@ The libdefaults section may contain any of the following relations: - preference from highest to lowest. The list may be delimited with - commas or whitespace. See :ref:`Encryption_types` in - :ref:`kdc.conf(5)` for a list of the accepted values for this tag. -- The default value is |defetypes|, but single-DES encryption types -- will be implicitly removed from this list if the value of -- **allow_weak_crypto** is false. -+ The default value is |defetypes|. - - Do not set this unless required for specific backward - compatibility purposes; stale values of this setting can prevent -@@ -171,9 +166,7 @@ The libdefaults section may contain any of the following relations: - the client should request when making an AS-REQ, in order of - preference from highest to lowest. The format is the same as for - default_tgs_enctypes. The default value for this tag is -- |defetypes|, but single-DES encryption types will be implicitly -- removed from this list if the value of **allow_weak_crypto** is -- false. -+ |defetypes|. - - Do not set this unless required for specific backward - compatibility purposes; stale values of this setting can prevent -@@ -291,9 +284,7 @@ The libdefaults section may contain any of the following relations: - **permitted_enctypes** - Identifies all encryption types that are permitted for use in - session key encryption. The default value for this tag is -- |defetypes|, but single-DES encryption types will be implicitly -- removed from this list if the value of **allow_weak_crypto** is -- false. -+ |defetypes|. - - **plugin_base_dir** - If set, determines the base directory where krb5 plugins are -diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst -index 3cdfc92cf..84183a53c 100644 ---- a/doc/admin/enctypes.rst -+++ b/doc/admin/enctypes.rst -@@ -48,17 +48,12 @@ Session key selection - The KDC chooses the session key enctype by taking the intersection of - its **permitted_enctypes** list, the list of long-term keys for the - most recent kvno of the service, and the client's requested list of --enctypes. If **allow_weak_crypto** is true, all services are assumed --to support des-cbc-crc. -+enctypes. - --Starting in krb5-1.11, **des_crc_session_supported** in --:ref:`kdc.conf(5)` allows additional control over whether the KDC --issues des-cbc-crc session keys. -- --Also starting in krb5-1.11, it is possible to set a string attribute --on a service principal to control what session key enctypes the KDC --may issue for service tickets for that principal. See --:ref:`set_string` in :ref:`kadmin(1)` for details. -+Starting in krb5-1.11, it is possible to set a string attribute on a -+service principal to control what session key enctypes the KDC may -+issue for service tickets for that principal. See :ref:`set_string` -+in :ref:`kadmin(1)` for details. - - - Choosing enctypes for a service -@@ -86,11 +81,11 @@ affect how enctypes are chosen. - - **allow_weak_crypto** - defaults to *false* starting with krb5-1.8. When *false*, removes -- single-DES enctypes (and other weak enctypes) from -- **permitted_enctypes**, **default_tkt_enctypes**, and -- **default_tgs_enctypes**. Do not set this to *true* unless the -- use of weak enctypes is an acceptable risk for your environment -- and the weak enctypes are required for backward compatibility. -+ weak enctypes from **permitted_enctypes**, -+ **default_tkt_enctypes**, and **default_tgs_enctypes**. Do not -+ set this to *true* unless the use of weak enctypes is an -+ acceptable risk for your environment and the weak enctypes are -+ required for backward compatibility. - - **permitted_enctypes** - controls the set of enctypes that a service will accept as session -@@ -127,9 +122,9 @@ See :ref:`Encryption_types` for additional information about enctypes. - ========================== ===== ======== ======= - enctype weak? krb5 Windows - ========================== ===== ======== ======= --des-cbc-crc weak all >=2000 --des-cbc-md4 weak all ? --des-cbc-md5 weak all >=2000 -+des-cbc-crc weak <1.18 >=2000 -+des-cbc-md4 weak <1.18 ? -+des-cbc-md5 weak <1.18 >=2000 - des3-cbc-sha1 >=1.1 none - arcfour-hmac >=1.3 >=2000 - arcfour-hmac-exp weak >=1.3 >=2000 -@@ -141,6 +136,7 @@ camellia128-cts-cmac >=1.9 none - camellia256-cts-cmac >=1.9 none - ========================== ===== ======== ======= - --krb5 releases 1.8 and later disable the single-DES enctypes by --default. Microsoft Windows releases Windows 7 and later disable --single-DES enctypes by default. -+krb5 releases 1.18 and later do not support single-DES. krb5 releases -+1.8 and later disable the single-DES enctypes by default. Microsoft -+Windows releases Windows 7 and later disable single-DES enctypes by -+default. -diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index 47c6d4413..534795d15 100644 ---- a/doc/appdev/refs/macros/index.rst -+++ b/doc/appdev/refs/macros/index.rst -@@ -55,6 +55,7 @@ Public - ENCTYPE_DES3_CBC_RAW.rst - ENCTYPE_DES3_CBC_SHA.rst - ENCTYPE_DES3_CBC_SHA1.rst -+ ENCTYPE_DES3_CBC_SHA1.rst - ENCTYPE_DES_CBC_CRC.rst - ENCTYPE_DES_CBC_MD4.rst - ENCTYPE_DES_CBC_MD5.rst -diff --git a/doc/conf.py b/doc/conf.py -index 7c688d871..759367c21 100644 ---- a/doc/conf.py -+++ b/doc/conf.py -@@ -271,8 +271,8 @@ else: - rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab - rst_epilog += ''' - .. |krb5conf| replace:: ``/etc/krb5.conf`` --.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` --.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4`` -+.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal`` -+.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac`` - .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96`` - .. |copy| unicode:: U+000A9 - ''' -diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst -index 584f7b893..a19068e26 100644 ---- a/doc/mitK5features.rst -+++ b/doc/mitK5features.rst -@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB - - krb4 support: Kerberos 5 release < 1.8 - --DES support: configurable (See :ref:`retiring-des`) -+DES support: Kerberos 5 release < 1.18 (See :ref:`retiring-des`) - - Interoperability - ---------------- -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 1a78fd7a9..e0c557554 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -200,7 +200,6 @@ typedef unsigned char u_char; - #define KRB5_CONF_DEFAULT_REALM "default_realm" - #define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes" - #define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes" --#define KRB5_CONF_DES_CRC_SESSION_SUPPORTED "des_crc_session_supported" - #define KRB5_CONF_DICT_FILE "dict_file" - #define KRB5_CONF_DISABLE "disable" - #define KRB5_CONF_DISABLE_ENCRYPTED_TIMESTAMP "disable_encrypted_timestamp" -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 346e796a5..5f596d1fc 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin -@@ -422,13 +422,13 @@ typedef struct _krb5_crypto_iov { - - /* per Kerberos v5 protocol spec */ - #define ENCTYPE_NULL 0x0000 --#define ENCTYPE_DES_CBC_CRC 0x0001 /**< DES cbc mode with CRC-32 */ --#define ENCTYPE_DES_CBC_MD4 0x0002 /**< DES cbc mode with RSA-MD4 */ --#define ENCTYPE_DES_CBC_MD5 0x0003 /**< DES cbc mode with RSA-MD5 */ --#define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated DES cbc mode raw */ -+#define ENCTYPE_DES_CBC_CRC 0x0001 /**< @deprecated no longer supported */ -+#define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */ -+#define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */ -+#define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */ - #define ENCTYPE_DES3_CBC_SHA 0x0005 /**< @deprecated DES-3 cbc with SHA1 */ - #define ENCTYPE_DES3_CBC_RAW 0x0006 /**< @deprecated DES-3 cbc mode raw */ --#define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated */ -+#define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */ - /* PKINIT */ - #define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */ - #define ENCTYPE_MD5_RSA_CMS 0x000a /**< MD5 with RSA, CMS signature */ -diff --git a/src/include/win-mac.h b/src/include/win-mac.h -index c3744ed14..dc0f2a1ae 100644 ---- a/src/include/win-mac.h -+++ b/src/include/win-mac.h -@@ -176,18 +176,6 @@ typedef _W64 int ssize_t; - #define HAVE_STDLIB_H - #endif - --/* This controls which encryption routines libcrypto will provide */ --#define PROVIDE_DES_CBC_MD5 --#define PROVIDE_DES_CBC_CRC --#define PROVIDE_DES_CBC_RAW --#define PROVIDE_DES_CBC_CKSUM --#define PROVIDE_CRC32 --#define PROVIDE_RSA_MD4 --#define PROVIDE_RSA_MD5 --/* #define PROVIDE_DES3_CBC_SHA */ --/* #define PROVIDE_DES3_CBC_RAW */ --/* #define PROVIDE_NIST_SHA */ -- - /* Ugly. Microsoft, in stdc mode, doesn't support the low-level i/o - * routines directly. Rather, they only export the _ version. - * The following defines works around this problem. -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index f2741090e..df1ba6acf 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -991,17 +991,6 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, - free(etypes_str); - free(etypes); - -- /* If configured to, assume every server without a session_enctypes -- * attribute supports DES_CBC_CRC. */ -- if (kdc_active_realm->realm_assume_des_crc_sess && -- enctype == ENCTYPE_DES_CBC_CRC) -- return TRUE; -- -- /* Due to an ancient interop problem, assume nothing supports des-cbc-md5 -- * unless there's a session_enctypes explicitly saying that it does. */ -- if (enctype == ENCTYPE_DES_CBC_MD5) -- return FALSE; -- - /* Assume the server supports any enctype it has a long-term key for. */ - return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap); - } -@@ -1752,9 +1741,6 @@ krb5_boolean - enctype_requires_etype_info_2(krb5_enctype enctype) - { - switch(enctype) { -- case ENCTYPE_DES_CBC_CRC: -- case ENCTYPE_DES_CBC_MD4: -- case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES3_CBC_SHA1: - case ENCTYPE_DES3_CBC_RAW: - case ENCTYPE_ARCFOUR_HMAC: -diff --git a/src/kdc/main.c b/src/kdc/main.c -index 1596c1c5b..8d4df4d6a 100644 ---- a/src/kdc/main.c -+++ b/src/kdc/main.c -@@ -307,12 +307,6 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm, - &rdp->realm_reject_bad_transit)) - rdp->realm_reject_bad_transit = TRUE; - -- /* Handle assume des-cbc-crc is supported for session keys */ -- hierarchy[2] = KRB5_CONF_DES_CRC_SESSION_SUPPORTED; -- if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, -- &rdp->realm_assume_des_crc_sess)) -- rdp->realm_assume_des_crc_sess = TRUE; -- - /* Handle ticket maximum life */ - hierarchy[2] = KRB5_CONF_MAX_LIFE; - if (krb5_aprof_get_deltat(aprof, hierarchy, TRUE, &rdp->realm_maxlife)) -diff --git a/src/kdc/realm_data.h b/src/kdc/realm_data.h -index 859daf159..8d698dcb8 100644 ---- a/src/kdc/realm_data.h -+++ b/src/kdc/realm_data.h -@@ -73,7 +73,6 @@ typedef struct __kdc_realm_data { - krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */ - krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */ - krb5_boolean realm_restrict_anon; /* Anon to local TGT only */ -- krb5_boolean realm_assume_des_crc_sess; /* Assume princs support des-cbc-crc for session keys */ - } kdc_realm_t; - - struct server_handle { -diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h -index 67e40a19c..f8dc6b296 100644 ---- a/src/lib/crypto/builtin/des/des_int.h -+++ b/src/lib/crypto/builtin/des/des_int.h -@@ -131,7 +131,6 @@ typedef struct mit_des_ran_key_seed { - /* the first byte of the key is already in the keyblock */ - - #define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet)) --#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH - /* This used to be 8*sizeof(krb5_octet) */ - #define MIT_DES_KEYSIZE 8 - -diff --git a/src/lib/crypto/builtin/enc_provider/Makefile.in b/src/lib/crypto/builtin/enc_provider/Makefile.in -index 4fd3311b4..3459e1d0e 100644 ---- a/src/lib/crypto/builtin/enc_provider/Makefile.in -+++ b/src/lib/crypto/builtin/enc_provider/Makefile.in -@@ -11,21 +11,18 @@ LOCALINCLUDES = -I$(srcdir)/../des \ - ##DOS##OBJFILE = ..\..\$(OUTPRE)enc_provider.lst - - STLIBOBJS= \ -- des.o \ - des3.o \ - rc4.o \ - aes.o \ - camellia.o - - OBJS= \ -- $(OUTPRE)des.$(OBJEXT) \ - $(OUTPRE)des3.$(OBJEXT) \ - $(OUTPRE)aes.$(OBJEXT) \ - $(OUTPRE)camellia.$(OBJEXT) \ - $(OUTPRE)rc4.$(OBJEXT) - - SRCS= \ -- $(srcdir)/des.c \ - $(srcdir)/des3.c \ - $(srcdir)/aes.c \ - $(srcdir)/camellia.c \ -diff --git a/src/lib/crypto/builtin/enc_provider/deps b/src/lib/crypto/builtin/enc_provider/deps -index 72e340766..7a3324c44 100644 ---- a/src/lib/crypto/builtin/enc_provider/deps -+++ b/src/lib/crypto/builtin/enc_provider/deps -@@ -1,18 +1,6 @@ - # - # Generated makefile dependencies follow. - # --des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ -- $(srcdir)/../aes/aes.h $(srcdir)/../crypto_mod.h $(srcdir)/../des/des_int.h \ -- $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h des.c - des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ -diff --git a/src/lib/crypto/builtin/enc_provider/des.c b/src/lib/crypto/builtin/enc_provider/des.c -deleted file mode 100644 -index 30b8229f8..000000000 ---- a/src/lib/crypto/builtin/enc_provider/des.c -+++ /dev/null -@@ -1,120 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* -- * Copyright (C) 1998 by the FundsXpress, INC. -- * -- * All rights reserved. -- * -- * Export of this software from the United States of America may require -- * a specific license from the United States Government. It is the -- * responsibility of any person or organization contemplating export to -- * obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of FundsXpress. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. FundsXpress makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- * -- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -- */ -- --#include "crypto_int.h" --#include "des_int.h" -- --static krb5_error_code --validate_and_schedule(krb5_key key, const krb5_data *ivec, -- const krb5_crypto_iov *data, size_t num_data, -- mit_des_key_schedule schedule) --{ -- if (key->keyblock.length != 8) -- return KRB5_BAD_KEYSIZE; -- if (iov_total_length(data, num_data, FALSE) % 8 != 0) -- return KRB5_BAD_MSIZE; -- if (ivec != NULL && ivec->length != 8) -- return KRB5_BAD_MSIZE; -- -- switch (mit_des_key_sched(key->keyblock.contents, schedule)) { -- case -1: -- return(KRB5DES_BAD_KEYPAR); -- case -2: -- return(KRB5DES_WEAK_KEY); -- } -- return 0; --} -- --static krb5_error_code --des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, -- size_t num_data) --{ -- mit_des_key_schedule schedule; -- krb5_error_code err; -- -- err = validate_and_schedule(key, ivec, data, num_data, schedule); -- if (err) -- return err; -- -- krb5int_des_cbc_encrypt(data, num_data, schedule, -- ivec != NULL ? (unsigned char *) ivec->data : -- NULL); -- -- zap(schedule, sizeof(schedule)); -- return 0; --} -- --static krb5_error_code --des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, -- size_t num_data) --{ -- mit_des_key_schedule schedule; -- krb5_error_code err; -- -- err = validate_and_schedule(key, ivec, data, num_data, schedule); -- if (err) -- return err; -- -- krb5int_des_cbc_decrypt(data, num_data, schedule, -- ivec != NULL ? (unsigned char *) ivec->data : -- NULL); -- -- zap(schedule, sizeof(schedule)); -- return 0; --} -- --static krb5_error_code --des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data, -- const krb5_data *ivec, krb5_data *output) --{ -- mit_des_key_schedule schedule; -- krb5_error_code err; -- -- err = validate_and_schedule(key, ivec, data, num_data, schedule); -- if (err) -- return err; -- -- if (output->length != 8) -- return KRB5_CRYPTO_INTERNAL; -- -- krb5int_des_cbc_mac(data, num_data, schedule, -- ivec != NULL ? (unsigned char *) ivec->data : NULL, -- (unsigned char *) output->data); -- -- zap(schedule, sizeof(schedule)); -- return 0; --} -- --const struct krb5_enc_provider krb5int_enc_des = { -- 8, -- 7, 8, -- des_encrypt, -- des_decrypt, -- des_cbc_mac, -- krb5int_des_init_state, -- krb5int_default_free_state --}; -diff --git a/src/lib/crypto/builtin/hash_provider/Makefile.in b/src/lib/crypto/builtin/hash_provider/Makefile.in -index 2f587a497..ceebf9380 100644 ---- a/src/lib/crypto/builtin/hash_provider/Makefile.in -+++ b/src/lib/crypto/builtin/hash_provider/Makefile.in -@@ -8,20 +8,17 @@ LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb -I$(srcdir)/../md4 \ - ##DOS##OBJFILE = ..\..\$(OUTPRE)hash_provider.lst - - STLIBOBJS= \ -- hash_crc32.o \ - hash_md4.o \ - hash_md5.o \ - hash_sha1.o \ - hash_sha2.o - --OBJS= $(OUTPRE)hash_crc32.$(OBJEXT) \ -- $(OUTPRE)hash_md4.$(OBJEXT) \ -+OBJS= $(OUTPRE)hash_md4.$(OBJEXT) \ - $(OUTPRE)hash_md5.$(OBJEXT) \ - $(OUTPRE)hash_sha1.$(OBJEXT) \ - $(OUTPRE)hash_sha2.$(OBJEXT) - --SRCS= $(srcdir)/hash_crc32.c \ -- $(srcdir)/hash_md4.c \ -+SRCS= $(srcdir)/hash_md4.c \ - $(srcdir)/hash_md5.c \ - $(srcdir)/hash_sha1.c \ - $(srcdir)/hash_sha2.c -diff --git a/src/lib/crypto/builtin/hash_provider/deps b/src/lib/crypto/builtin/hash_provider/deps -index 18f89b383..fb65a44be 100644 ---- a/src/lib/crypto/builtin/hash_provider/deps -+++ b/src/lib/crypto/builtin/hash_provider/deps -@@ -1,19 +1,6 @@ - # - # Generated makefile dependencies follow. - # --hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../aes/aes.h \ -- $(srcdir)/../crypto_mod.h $(srcdir)/../sha2/sha2.h \ -- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- hash_crc32.c - hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -diff --git a/src/lib/crypto/builtin/hash_provider/hash_crc32.c b/src/lib/crypto/builtin/hash_provider/hash_crc32.c -deleted file mode 100644 -index 1d0be5563..000000000 ---- a/src/lib/crypto/builtin/hash_provider/hash_crc32.c -+++ /dev/null -@@ -1,56 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* -- * Copyright (C) 1998 by the FundsXpress, INC. -- * -- * All rights reserved. -- * -- * Export of this software from the United States of America may require -- * a specific license from the United States Government. It is the -- * responsibility of any person or organization contemplating export to -- * obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of FundsXpress. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. FundsXpress makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- * -- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -- */ -- --#include "crypto_int.h" -- --static krb5_error_code --k5_crc32_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) --{ -- unsigned long c; -- unsigned int i; -- -- if (output->length != CRC32_CKSUM_LENGTH) -- return KRB5_CRYPTO_INTERNAL; -- -- c = 0; -- for (i = 0; i < num_data; i++) { -- const krb5_crypto_iov *iov = &data[i]; -- -- if (SIGN_IOV(iov)) -- mit_crc32(iov->data.data, iov->data.length, &c); -- } -- -- store_32_le(c, output->data); -- return 0; --} -- --const struct krb5_hash_provider krb5int_hash_crc32 = { -- "CRC32", -- CRC32_CKSUM_LENGTH, -- 1, -- k5_crc32_hash --}; -diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in -index fc01a2ced..c0e0b791b 100644 ---- a/src/lib/crypto/krb/Makefile.in -+++ b/src/lib/crypto/krb/Makefile.in -@@ -23,7 +23,6 @@ STLIBOBJS=\ - cmac.o \ - coll_proof_cksum.o \ - combine_keys.o \ -- crc32.o \ - crypto_length.o \ - crypto_libinit.o \ - default_state.o \ -@@ -37,7 +36,6 @@ STLIBOBJS=\ - enc_dk_cmac.o \ - enc_dk_hmac.o \ - enc_etm.o \ -- enc_old.o \ - enc_raw.o \ - enc_rc4.o \ - etypes.o \ -@@ -61,7 +59,6 @@ STLIBOBJS=\ - prng.o \ - prng_$(PRNG_ALG).o \ - random_to_key.o \ -- s2k_des.o \ - s2k_pbkdf2.o \ - s2k_rc4.o \ - state.o \ -@@ -88,7 +85,6 @@ OBJS=\ - $(OUTPRE)cmac.$(OBJEXT) \ - $(OUTPRE)coll_proof_cksum.$(OBJEXT) \ - $(OUTPRE)combine_keys.$(OBJEXT) \ -- $(OUTPRE)crc32.$(OBJEXT) \ - $(OUTPRE)crypto_length.$(OBJEXT) \ - $(OUTPRE)crypto_libinit.$(OBJEXT) \ - $(OUTPRE)default_state.$(OBJEXT) \ -@@ -102,7 +98,6 @@ OBJS=\ - $(OUTPRE)enc_dk_cmac.$(OBJEXT) \ - $(OUTPRE)enc_dk_hmac.$(OBJEXT) \ - $(OUTPRE)enc_etm.$(OBJEXT) \ -- $(OUTPRE)enc_old.$(OBJEXT) \ - $(OUTPRE)enc_raw.$(OBJEXT) \ - $(OUTPRE)enc_rc4.$(OBJEXT) \ - $(OUTPRE)etypes.$(OBJEXT) \ -@@ -126,7 +121,6 @@ OBJS=\ - $(OUTPRE)prng.$(OBJEXT) \ - $(OUTPRE)prng_$(PRNG_ALG).$(OBJEXT) \ - $(OUTPRE)random_to_key.$(OBJEXT) \ -- $(OUTPRE)s2k_des.$(OBJEXT) \ - $(OUTPRE)s2k_pbkdf2.$(OBJEXT) \ - $(OUTPRE)s2k_rc4.$(OBJEXT) \ - $(OUTPRE)state.$(OBJEXT) \ -@@ -153,7 +147,6 @@ SRCS=\ - $(srcdir)/cmac.c \ - $(srcdir)/coll_proof_cksum.c \ - $(srcdir)/combine_keys.c \ -- $(srcdir)/crc32.c \ - $(srcdir)/crypto_length.c \ - $(srcdir)/crypto_libinit.c \ - $(srcdir)/default_state.c \ -@@ -167,7 +160,6 @@ SRCS=\ - $(srcdir)/enc_dk_cmac.c \ - $(srcdir)/enc_dk_hmac.c \ - $(srcdir)/enc_etm.c \ -- $(srcdir)/enc_old.c \ - $(srcdir)/enc_raw.c \ - $(srcdir)/enc_rc4.c \ - $(srcdir)/etypes.c \ -@@ -192,7 +184,6 @@ SRCS=\ - $(srcdir)/prng_$(PRNG_ALG).c \ - $(srcdir)/cf2.c \ - $(srcdir)/random_to_key.c \ -- $(srcdir)/s2k_des.c \ - $(srcdir)/s2k_pbkdf2.c \ - $(srcdir)/s2k_rc4.c \ - $(srcdir)/state.c \ -diff --git a/src/lib/crypto/krb/cksumtypes.c b/src/lib/crypto/krb/cksumtypes.c -index 85967f9aa..ecc2e08c9 100644 ---- a/src/lib/crypto/krb/cksumtypes.c -+++ b/src/lib/crypto/krb/cksumtypes.c -@@ -28,42 +28,18 @@ - #include "crypto_int.h" - - const struct krb5_cksumtypes krb5int_cksumtypes_list[] = { -- { CKSUMTYPE_CRC32, -- "crc32", { 0 }, "CRC-32", -- NULL, &krb5int_hash_crc32, -- krb5int_unkeyed_checksum, NULL, -- 4, 4, CKSUM_UNKEYED | CKSUM_NOT_COLL_PROOF }, -- - { CKSUMTYPE_RSA_MD4, - "md4", { 0 }, "RSA-MD4", - NULL, &krb5int_hash_md4, - krb5int_unkeyed_checksum, NULL, - 16, 16, CKSUM_UNKEYED }, - -- { CKSUMTYPE_RSA_MD4_DES, -- "md4-des", { 0 }, "RSA-MD4 with DES cbc mode", -- &krb5int_enc_des, &krb5int_hash_md4, -- krb5int_confounder_checksum, krb5int_confounder_verify, -- 24, 24, 0 }, -- -- { CKSUMTYPE_DESCBC, -- "des-cbc", { 0 }, "DES cbc mode", -- &krb5int_enc_des, NULL, -- krb5int_cbc_checksum, NULL, -- 8, 8, 0 }, -- - { CKSUMTYPE_RSA_MD5, - "md5", { 0 }, "RSA-MD5", - NULL, &krb5int_hash_md5, - krb5int_unkeyed_checksum, NULL, - 16, 16, CKSUM_UNKEYED }, - -- { CKSUMTYPE_RSA_MD5_DES, -- "md5-des", { 0 }, "RSA-MD5 with DES cbc mode", -- &krb5int_enc_des, &krb5int_hash_md5, -- krb5int_confounder_checksum, krb5int_confounder_verify, -- 24, 24, 0 }, -- - { CKSUMTYPE_NIST_SHA, - "sha", { 0 }, "NIST-SHA", - NULL, &krb5int_hash_sha1, -diff --git a/src/lib/crypto/krb/combine_keys.c b/src/lib/crypto/krb/combine_keys.c -index 90905c5ae..c36434e17 100644 ---- a/src/lib/crypto/krb/combine_keys.c -+++ b/src/lib/crypto/krb/combine_keys.c -@@ -60,9 +60,6 @@ static krb5_boolean - enctype_ok(krb5_enctype e) - { - switch (e) { -- case ENCTYPE_DES_CBC_CRC: -- case ENCTYPE_DES_CBC_MD4: -- case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES3_CBC_SHA1: - return TRUE; - default: -diff --git a/src/lib/crypto/krb/crc32.c b/src/lib/crypto/krb/crc32.c -deleted file mode 100644 -index 11fe312da..000000000 ---- a/src/lib/crypto/krb/crc32.c -+++ /dev/null -@@ -1,165 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/crypto/krb/crc32.c */ --/* -- * Copyright 1990, 2002 by the Massachusetts Institute of Technology. -- * All Rights Reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ --/* -- * Copyright (C) 1986 Gary S. Brown. You may use this program, or -- * code or tables extracted from it, as desired without restriction. -- */ -- --/* -- * -- * CRC-32/AUTODIN-II routines -- */ -- --#include "crypto_int.h" -- --/* First, the polynomial itself and its table of feedback terms. The */ --/* polynomial is */ --/* X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 */ --/* Note that we take it "backwards" and put the highest-order term in */ --/* the lowest-order bit. The X^32 term is "implied"; the LSB is the */ --/* X^31 term, etc. The X^0 term (usually shown as "+1") results in */ --/* the MSB being 1. */ -- --/* Note that the usual hardware shift register implementation, which */ --/* is what we're using (we're merely optimizing it by doing eight-bit */ --/* chunks at a time) shifts bits into the lowest-order term. In our */ --/* implementation, that means shifting towards the right. Why do we */ --/* do it this way? Because the calculated CRC must be transmitted in */ --/* order from highest-order term to lowest-order term. UARTs transmit */ --/* characters in order from LSB to MSB. By storing the CRC this way, */ --/* we hand it to the UART in the order low-byte to high-byte; the UART */ --/* sends each low-bit to hight-bit; and the result is transmission bit */ --/* by bit from highest- to lowest-order term without requiring any bit */ --/* shuffling on our part. Reception works similarly. */ -- --/* The feedback terms table consists of 256, 32-bit entries. Notes: */ --/* */ --/* 1. The table can be generated at runtime if desired; code to do so */ --/* is shown later. It might not be obvious, but the feedback */ --/* terms simply represent the results of eight shift/xor opera- */ --/* tions for all combinations of data and CRC register values. */ --/* */ --/* 2. The CRC accumulation logic is the same for all CRC polynomials, */ --/* be they sixteen or thirty-two bits wide. You simply choose the */ --/* appropriate table. Alternatively, because the table can be */ --/* generated at runtime, you can start by generating the table for */ --/* the polynomial in question and use exactly the same "updcrc", */ --/* if your application needn't simultaneously handle two CRC */ --/* polynomials. (Note, however, that XMODEM is strange.) */ --/* */ --/* 3. For 16-bit CRCs, the table entries need be only 16 bits wide; */ --/* of course, 32-bit entries work OK if the high 16 bits are zero. */ --/* */ --/* 4. The values must be right-shifted by eight bits by the "updcrc" */ --/* logic; the shift must be unsigned (bring in zeroes). On some */ --/* hardware you could probably optimize the shift in assembler by */ --/* using byte-swap instructions. */ -- --static u_long const crc_table[256] = { -- 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, -- 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, -- 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, -- 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, -- 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, -- 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, -- 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, -- 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, -- 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, -- 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, -- 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, -- 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, -- 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, -- 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, -- 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, -- 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, -- 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, -- 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, -- 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, -- 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, -- 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, -- 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, -- 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, -- 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, -- 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, -- 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, -- 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, -- 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, -- 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, -- 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, -- 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, -- 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, -- 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, -- 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, -- 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, -- 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, -- 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, -- 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, -- 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, -- 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, -- 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, -- 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, -- 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, -- 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, -- 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, -- 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, -- 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, -- 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, -- 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, -- 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, -- 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, -- 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, -- 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, -- 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, -- 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, -- 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, -- 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, -- 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, -- 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, -- 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, -- 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, -- 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, -- 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, -- 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d --}; -- --void --mit_crc32(krb5_pointer in, size_t in_length, unsigned long *cksum) --{ -- u_char *data; -- u_long c = *cksum; -- int idx; -- size_t i; -- -- data = (u_char *)in; -- for (i = 0; i < in_length; i++) { -- idx = (int) (data[i] ^ c); -- idx &= 0xff; -- c >>= 8; -- c ^= crc_table[idx]; -- } -- -- *cksum = c; --} -diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h -index 6c1c77cac..b18d5e2e3 100644 ---- a/src/lib/crypto/krb/crypto_int.h -+++ b/src/lib/crypto/krb/crypto_int.h -@@ -180,8 +180,6 @@ extern const size_t krb5int_cksumtypes_length; - /*** Prototypes for enctype table functions ***/ - - /* Length */ --unsigned int krb5int_old_crypto_length(const struct krb5_keytypes *ktp, -- krb5_cryptotype type); - unsigned int krb5int_raw_crypto_length(const struct krb5_keytypes *ktp, - krb5_cryptotype type); - unsigned int krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp, -@@ -196,10 +194,6 @@ unsigned int krb5int_aes2_crypto_length(const struct krb5_keytypes *ktp, - krb5_cryptotype type); - - /* Encrypt */ --krb5_error_code krb5int_old_encrypt(const struct krb5_keytypes *ktp, -- krb5_key key, krb5_keyusage usage, -- const krb5_data *ivec, -- krb5_crypto_iov *data, size_t num_data); - krb5_error_code krb5int_raw_encrypt(const struct krb5_keytypes *ktp, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, -@@ -224,10 +218,6 @@ krb5_error_code krb5int_etm_encrypt(const struct krb5_keytypes *ktp, - krb5_crypto_iov *data, size_t num_data); - - /* Decrypt */ --krb5_error_code krb5int_old_decrypt(const struct krb5_keytypes *ktp, -- krb5_key key, krb5_keyusage usage, -- const krb5_data *ivec, -- krb5_crypto_iov *data, size_t num_data); - krb5_error_code krb5int_raw_decrypt(const struct krb5_keytypes *ktp, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, -@@ -388,10 +378,6 @@ krb5_error_code krb5int_cmac_checksum(const struct krb5_enc_provider *enc, - size_t num_data, - krb5_data *output); - --/* Compute a CRC-32 checksum. c is in-out to allow chaining; init to 0. */ --#define CRC32_CKSUM_LENGTH 4 --void mit_crc32(krb5_pointer in, size_t in_length, unsigned long *c); -- - /* Translate an RFC 3961 key usage to a Microsoft RC4 usage. */ - krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage); - -@@ -455,7 +441,6 @@ void k5_iov_cursor_put(struct iov_cursor *cursor, unsigned char *block); - /* Modules must implement the k5_sha256() function prototyped in k5-int.h. */ - - /* Modules must implement the following enc_providers and hash_providers: */ --extern const struct krb5_enc_provider krb5int_enc_des; - extern const struct krb5_enc_provider krb5int_enc_des3; - extern const struct krb5_enc_provider krb5int_enc_arcfour; - extern const struct krb5_enc_provider krb5int_enc_aes128; -@@ -465,7 +450,6 @@ extern const struct krb5_enc_provider krb5int_enc_aes256_ctr; - extern const struct krb5_enc_provider krb5int_enc_camellia128; - extern const struct krb5_enc_provider krb5int_enc_camellia256; - --extern const struct krb5_hash_provider krb5int_hash_crc32; - extern const struct krb5_hash_provider krb5int_hash_md4; - extern const struct krb5_hash_provider krb5int_hash_md5; - extern const struct krb5_hash_provider krb5int_hash_sha1; -diff --git a/src/lib/crypto/krb/default_state.c b/src/lib/crypto/krb/default_state.c -index c7bfe323f..0757c8b02 100644 ---- a/src/lib/crypto/krb/default_state.c -+++ b/src/lib/crypto/krb/default_state.c -@@ -39,10 +39,6 @@ krb5int_des_init_state(const krb5_keyblock *key, krb5_keyusage usage, - if (alloc_data(state_out, 8)) - return ENOMEM; - -- /* des-cbc-crc uses the key as the initial ivec. */ -- if (key->enctype == ENCTYPE_DES_CBC_CRC) -- memcpy(state_out->data, key->contents, state_out->length); -- - return 0; - } - -diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps -index 2a7f9b0ef..f9a740860 100644 ---- a/src/lib/crypto/krb/deps -+++ b/src/lib/crypto/krb/deps -@@ -204,18 +204,6 @@ combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h combine_keys.c \ - crypto_int.h --crc32.so crc32.po $(OUTPRE)crc32.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ -- $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \ -- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- crc32.c crypto_int.h - crypto_length.so crypto_length.po $(OUTPRE)crypto_length.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -@@ -372,18 +360,6 @@ enc_etm.so enc_etm.po $(OUTPRE)enc_etm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - crypto_int.h enc_etm.c --enc_old.so enc_old.po $(OUTPRE)enc_old.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ -- $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \ -- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- crypto_int.h enc_old.c - enc_raw.so enc_raw.po $(OUTPRE)enc_raw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ -@@ -660,18 +636,6 @@ random_to_key.so random_to_key.po $(OUTPRE)random_to_key.$(OBJEXT): \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h crypto_int.h random_to_key.c --s2k_des.so s2k_des.po $(OUTPRE)s2k_des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ -- $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \ -- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- crypto_int.h s2k_des.c - s2k_pbkdf2.so s2k_pbkdf2.po $(OUTPRE)s2k_pbkdf2.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -diff --git a/src/lib/crypto/krb/enc_old.c b/src/lib/crypto/krb/enc_old.c -deleted file mode 100644 -index 1b02a5915..000000000 ---- a/src/lib/crypto/krb/enc_old.c -+++ /dev/null -@@ -1,181 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/crypto/krb/enc_old.c */ --/* -- * Copyright 2008 by the Massachusetts Institute of Technology. -- * All Rights Reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ -- --#include "crypto_int.h" -- --unsigned int --krb5int_old_crypto_length(const struct krb5_keytypes *ktp, -- krb5_cryptotype type) --{ -- switch (type) { -- case KRB5_CRYPTO_TYPE_HEADER: -- return ktp->enc->block_size + ktp->hash->hashsize; -- case KRB5_CRYPTO_TYPE_PADDING: -- return ktp->enc->block_size; -- case KRB5_CRYPTO_TYPE_TRAILER: -- return 0; -- case KRB5_CRYPTO_TYPE_CHECKSUM: -- return ktp->hash->hashsize; -- default: -- assert(0 && "invalid cryptotype passed to krb5int_old_crypto_length"); -- return 0; -- } --} -- --krb5_error_code --krb5int_old_encrypt(const struct krb5_keytypes *ktp, krb5_key key, -- krb5_keyusage usage, const krb5_data *ivec, -- krb5_crypto_iov *data, size_t num_data) --{ -- const struct krb5_enc_provider *enc = ktp->enc; -- const struct krb5_hash_provider *hash = ktp->hash; -- krb5_error_code ret; -- krb5_crypto_iov *header, *trailer, *padding; -- krb5_data checksum, confounder, crcivec = empty_data(); -- unsigned int plainlen, padsize; -- size_t i; -- -- /* E(Confounder | Checksum | Plaintext | Pad) */ -- -- plainlen = enc->block_size + hash->hashsize; -- for (i = 0; i < num_data; i++) { -- krb5_crypto_iov *iov = &data[i]; -- -- if (iov->flags == KRB5_CRYPTO_TYPE_DATA) -- plainlen += iov->data.length; -- } -- -- header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER); -- if (header == NULL || -- header->data.length < enc->block_size + hash->hashsize) -- return KRB5_BAD_MSIZE; -- -- /* Trailer may be absent. */ -- trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER); -- if (trailer != NULL) -- trailer->data.length = 0; -- -- /* Check that the input data is correctly padded. */ -- padsize = krb5_roundup(plainlen, enc->block_size) - plainlen; -- padding = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_PADDING); -- if (padsize > 0 && (padding == NULL || padding->data.length < padsize)) -- return KRB5_BAD_MSIZE; -- if (padding) { -- padding->data.length = padsize; -- memset(padding->data.data, 0, padsize); -- } -- -- /* Generate a confounder in the header block. */ -- confounder = make_data(header->data.data, enc->block_size); -- ret = krb5_c_random_make_octets(0, &confounder); -- if (ret != 0) -- goto cleanup; -- checksum = make_data(header->data.data + enc->block_size, hash->hashsize); -- memset(checksum.data, 0, hash->hashsize); -- -- /* Checksum the plaintext with zeroed checksum and padding. */ -- ret = hash->hash(data, num_data, &checksum); -- if (ret != 0) -- goto cleanup; -- -- /* Use the key as the ivec for des-cbc-crc if none was provided. */ -- if (key->keyblock.enctype == ENCTYPE_DES_CBC_CRC && ivec == NULL) { -- ret = alloc_data(&crcivec, key->keyblock.length); -- if (ret != 0) -- goto cleanup; -- memcpy(crcivec.data, key->keyblock.contents, key->keyblock.length); -- ivec = &crcivec; -- } -- -- ret = enc->encrypt(key, ivec, data, num_data); -- if (ret != 0) -- goto cleanup; -- --cleanup: -- zapfree(crcivec.data, crcivec.length); -- return ret; --} -- --krb5_error_code --krb5int_old_decrypt(const struct krb5_keytypes *ktp, krb5_key key, -- krb5_keyusage usage, const krb5_data *ivec, -- krb5_crypto_iov *data, size_t num_data) --{ -- const struct krb5_enc_provider *enc = ktp->enc; -- const struct krb5_hash_provider *hash = ktp->hash; -- krb5_error_code ret; -- krb5_crypto_iov *header, *trailer; -- krb5_data checksum, crcivec = empty_data(); -- char *saved_checksum = NULL; -- -- /* Check that the input data is correctly padded. */ -- if (iov_total_length(data, num_data, FALSE) % enc->block_size != 0) -- return KRB5_BAD_MSIZE; -- -- header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER); -- if (header == NULL || -- header->data.length != enc->block_size + hash->hashsize) -- return KRB5_BAD_MSIZE; -- -- trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER); -- if (trailer != NULL && trailer->data.length != 0) -- return KRB5_BAD_MSIZE; -- -- /* Use the key as the ivec for des-cbc-crc if none was provided. */ -- if (key->keyblock.enctype == ENCTYPE_DES_CBC_CRC && ivec == NULL) { -- ret = alloc_data(&crcivec, key->keyblock.length); -- memcpy(crcivec.data, key->keyblock.contents, key->keyblock.length); -- ivec = &crcivec; -- } -- -- /* Decrypt the ciphertext. */ -- ret = enc->decrypt(key, ivec, data, num_data); -- if (ret != 0) -- goto cleanup; -- -- /* Save the checksum, then zero it out in the plaintext. */ -- checksum = make_data(header->data.data + enc->block_size, hash->hashsize); -- saved_checksum = k5memdup(checksum.data, checksum.length, &ret); -- if (saved_checksum == NULL) -- goto cleanup; -- memset(checksum.data, 0, checksum.length); -- -- /* -- * Checksum the plaintext (with zeroed checksum field), storing the result -- * back into the plaintext field we just zeroed out. Then compare it to -- * the saved checksum. -- */ -- ret = hash->hash(data, num_data, &checksum); -- if (k5_bcmp(checksum.data, saved_checksum, checksum.length) != 0) { -- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; -- goto cleanup; -- } -- --cleanup: -- zapfree(crcivec.data, crcivec.length); -- zapfree(saved_checksum, hash->hashsize); -- return ret; --} -diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c -index 8f44c37e7..fc278783b 100644 ---- a/src/lib/crypto/krb/etypes.c -+++ b/src/lib/crypto/krb/etypes.c -@@ -35,42 +35,6 @@ - - /* Deprecations come from RFC 6649 and RFC 8249. */ - const struct krb5_keytypes krb5int_enctypes_list[] = { -- { ENCTYPE_DES_CBC_CRC, -- "des-cbc-crc", { 0 }, "DES cbc mode with CRC-32", -- &krb5int_enc_des, &krb5int_hash_crc32, -- 16, -- krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt, -- krb5int_des_string_to_key, k5_rand2key_des, -- krb5int_des_prf, -- CKSUMTYPE_RSA_MD5_DES, -- ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, -- { ENCTYPE_DES_CBC_MD4, -- "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4", -- &krb5int_enc_des, &krb5int_hash_md4, -- 16, -- krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt, -- krb5int_des_string_to_key, k5_rand2key_des, -- krb5int_des_prf, -- CKSUMTYPE_RSA_MD4_DES, -- ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, -- { ENCTYPE_DES_CBC_MD5, -- "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5", -- &krb5int_enc_des, &krb5int_hash_md5, -- 16, -- krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt, -- krb5int_des_string_to_key, k5_rand2key_des, -- krb5int_des_prf, -- CKSUMTYPE_RSA_MD5_DES, -- ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, -- { ENCTYPE_DES_CBC_RAW, -- "des-cbc-raw", { 0 }, "DES cbc mode raw", -- &krb5int_enc_des, NULL, -- 16, -- krb5int_raw_crypto_length, krb5int_raw_encrypt, krb5int_raw_decrypt, -- krb5int_des_string_to_key, k5_rand2key_des, -- krb5int_des_prf, -- 0, -- ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, - { ENCTYPE_DES3_CBC_RAW, - "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw", - &krb5int_enc_des3, NULL, -@@ -92,16 +56,6 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { - CKSUMTYPE_HMAC_SHA1_DES3, - ETYPE_DEPRECATED, 112 }, - -- { ENCTYPE_DES_HMAC_SHA1, -- "des-hmac-sha1", { 0 }, "DES with HMAC/sha1", -- &krb5int_enc_des, &krb5int_hash_sha1, -- 8, -- krb5int_dk_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt, -- krb5int_dk_string_to_key, k5_rand2key_des, -- NULL, /*PRF*/ -- 0, -- ETYPE_WEAK | ETYPE_DEPRECATED, 56 }, -- - /* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we - * consider its strength degraded and assign it an SSF value of 64. */ - { ENCTYPE_ARCFOUR_HMAC, -diff --git a/src/lib/crypto/krb/s2k_des.c b/src/lib/crypto/krb/s2k_des.c -deleted file mode 100644 -index d5c29befc..000000000 ---- a/src/lib/crypto/krb/s2k_des.c -+++ /dev/null -@@ -1,691 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* -- * Copyright (C) 1998 by the FundsXpress, INC. -- * -- * All rights reserved. -- * -- * Export of this software from the United States of America may require -- * a specific license from the United States Government. It is the -- * responsibility of any person or organization contemplating export to -- * obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of FundsXpress. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. FundsXpress makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- * -- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -- */ -- --/* -- * RFC 3961 and AFS string to key. These are not standard crypto primitives -- * (RFC 3961 string-to-key is implemented in OpenSSL for historical reasons but -- * it doesn't get weak keys right), so we have to implement them here. -- */ -- --#include --#include "crypto_int.h" -- --#undef min --#define min(a,b) ((a)>(b)?(b):(a)) -- --/* Compute a CBC checksum of in (with length len) using the specified key and -- * ivec. The result is written into out. */ --static krb5_error_code --des_cbc_mac(const unsigned char *keybits, const unsigned char *ivec, -- const unsigned char *in, size_t len, unsigned char *out) --{ -- krb5_error_code ret; -- krb5_keyblock kb; -- krb5_key key; -- krb5_crypto_iov iov[2]; -- unsigned char zero[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; -- krb5_data outd, ivecd; -- -- /* Make a key from keybits. */ -- kb.magic = KV5M_KEYBLOCK; -- kb.enctype = ENCTYPE_DES_CBC_CRC; -- kb.length = 8; -- kb.contents = (unsigned char *)keybits; -- ret = krb5_k_create_key(NULL, &kb, &key); -- if (ret) -- return ret; -- -- /* Make iovs for the input data, padding it out to the block size. */ -- iov[0].flags = KRB5_CRYPTO_TYPE_DATA; -- iov[0].data = make_data((unsigned char *)in, len); -- iov[1].flags = KRB5_CRYPTO_TYPE_DATA; -- iov[1].data = make_data(zero, krb5_roundup(len, 8) - len); -- -- /* Make krb5_data structures for the ivec and output. */ -- ivecd = make_data((unsigned char *)ivec, 8); -- outd = make_data(out, 8); -- -- /* Call the cbc_mac operation of the module's DES enc-provider. */ -- ret = krb5int_enc_des.cbc_mac(key, iov, 2, &ivecd, &outd); -- krb5_k_free_key(NULL, key); -- return ret; --} -- --/*** AFS string-to-key constants ***/ -- --/* Initial permutation */ --static const char IP[] = { -- 58,50,42,34,26,18,10, 2, -- 60,52,44,36,28,20,12, 4, -- 62,54,46,38,30,22,14, 6, -- 64,56,48,40,32,24,16, 8, -- 57,49,41,33,25,17, 9, 1, -- 59,51,43,35,27,19,11, 3, -- 61,53,45,37,29,21,13, 5, -- 63,55,47,39,31,23,15, 7, --}; -- --/* Final permutation, FP = IP^(-1) */ --static const char FP[] = { -- 40, 8,48,16,56,24,64,32, -- 39, 7,47,15,55,23,63,31, -- 38, 6,46,14,54,22,62,30, -- 37, 5,45,13,53,21,61,29, -- 36, 4,44,12,52,20,60,28, -- 35, 3,43,11,51,19,59,27, -- 34, 2,42,10,50,18,58,26, -- 33, 1,41, 9,49,17,57,25, --}; -- --/* -- * Permuted-choice 1 from the key bits to yield C and D. -- * Note that bits 8,16... are left out: They are intended for a parity check. -- */ --static const char PC1_C[] = { -- 57,49,41,33,25,17, 9, -- 1,58,50,42,34,26,18, -- 10, 2,59,51,43,35,27, -- 19,11, 3,60,52,44,36, --}; -- --static const char PC1_D[] = { -- 63,55,47,39,31,23,15, -- 7,62,54,46,38,30,22, -- 14, 6,61,53,45,37,29, -- 21,13, 5,28,20,12, 4, --}; -- --/* Sequence of shifts used for the key schedule */ --static const char shifts[] = { -- 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, --}; -- --/* Permuted-choice 2, to pick out the bits from the CD array that generate the -- * key schedule */ --static const char PC2_C[] = { -- 14,17,11,24, 1, 5, -- 3,28,15, 6,21,10, -- 23,19,12, 4,26, 8, -- 16, 7,27,20,13, 2, --}; -- --static const char PC2_D[] = { -- 41,52,31,37,47,55, -- 30,40,51,45,33,48, -- 44,49,39,56,34,53, -- 46,42,50,36,29,32, --}; -- --/* The E bit-selection table */ --static const char e[] = { -- 32, 1, 2, 3, 4, 5, -- 4, 5, 6, 7, 8, 9, -- 8, 9,10,11,12,13, -- 12,13,14,15,16,17, -- 16,17,18,19,20,21, -- 20,21,22,23,24,25, -- 24,25,26,27,28,29, -- 28,29,30,31,32, 1, --}; -- --/* P is a permutation on the selected combination of the current L and key. */ --static const char P[] = { -- 16, 7,20,21, -- 29,12,28,17, -- 1,15,23,26, -- 5,18,31,10, -- 2, 8,24,14, -- 32,27, 3, 9, -- 19,13,30, 6, -- 22,11, 4,25, --}; -- --/* -- * The 8 selection functions. -- * For some reason, they give a 0-origin -- * index, unlike everything else. -- */ --static const char S[8][64] = { -- {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7, -- 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, -- 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0, -- 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13}, -- -- {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, -- 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, -- 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, -- 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9}, -- -- {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, -- 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, -- 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, -- 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12}, -- -- { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, -- 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, -- 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, -- 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14}, -- -- { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, -- 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, -- 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, -- 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3}, -- -- {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, -- 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, -- 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, -- 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13}, -- -- { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, -- 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, -- 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, -- 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12}, -- -- {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, -- 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, -- 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, -- 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11}, --}; -- -- --/* Set up the key schedule from the key. */ --static void --afs_crypt_setkey(char *key, char *E, char (*KS)[48]) --{ -- int i, j, k, t; -- char C[28], D[28]; /* Used to calculate key schedule. */ -- -- /* -- * First, generate C and D by permuting -- * the key. The low order bit of each -- * 8-bit char is not used, so C and D are only 28 -- * bits apiece. -- */ -- for (i = 0; i < 28; i++) { -- C[i] = key[PC1_C[i] - 1]; -- D[i] = key[PC1_D[i] - 1]; -- } -- /* -- * To generate Ki, rotate C and D according -- * to schedule and pick up a permutation -- * using PC2. -- */ -- for (i = 0; i < 16; i++) { -- /* Rotate. */ -- for (k = 0; k < shifts[i]; k++) { -- t = C[0]; -- for (j = 0; j < 28 - 1; j++) -- C[j] = C[j + 1]; -- C[27] = t; -- t = D[0]; -- for (j = 0; j < 28 - 1; j++) -- D[j] = D[j + 1]; -- D[27] = t; -- } -- /* Get Ki. Note C and D are concatenated. */ -- for (j = 0; j < 24; j++) { -- KS[i][j] = C[PC2_C[j]-1]; -- KS[i][j+24] = D[PC2_D[j]-28-1]; -- } -- } -- -- memcpy(E, e, 48); --} -- --/* -- * The payoff: encrypt a block. -- */ -- --static void --afs_encrypt_block(char *block, char *E, char (*KS)[48]) --{ -- const long edflag = 0; -- int i, ii; -- int t, j, k; -- char tempL[32]; -- char f[32]; -- char L[64]; /* Current block divided into two halves */ -- char *const R = &L[32]; -- /* The combination of the key and the input, before selection. */ -- char preS[48]; -- -- /* First, permute the bits in the input. */ -- for (j = 0; j < 64; j++) -- L[j] = block[IP[j] - 1]; -- /* Perform an encryption operation 16 times. */ -- for (ii = 0; ii < 16; ii++) { -- /* Set direction. */ -- i = (edflag) ? 15 - ii : ii; -- /* Save the R array, which will be the new L. */ -- memcpy(tempL, R, 32); -- /* Expand R to 48 bits using the E selector; exclusive-or with the -- * current key bits. */ -- for (j = 0; j < 48; j++) -- preS[j] = R[E[j] - 1] ^ KS[i][j]; -- /* -- * The pre-select bits are now considered in 8 groups of 6 bits each. -- * The 8 selection functions map these 6-bit quantities into 4-bit -- * quantities and the results permuted to make an f(R, K). The -- * indexing into the selection functions is peculiar; it could be -- * simplified by rewriting the tables. -- */ -- for (j = 0; j < 8; j++) { -- t = 6 * j; -- k = S[j][(preS[t + 0] << 5) + -- (preS[t + 1] << 3) + -- (preS[t + 2] << 2) + -- (preS[t + 3] << 1) + -- (preS[t + 4] << 0) + -- (preS[t + 5] << 4)]; -- t = 4 * j; -- f[t + 0] = (k >> 3) & 1; -- f[t + 1] = (k >> 2) & 1; -- f[t + 2] = (k >> 1) & 1; -- f[t + 3] = (k >> 0) & 1; -- } -- /* The new R is L ^ f(R, K). The f here has to be permuted first, -- * though. */ -- for (j = 0; j < 32; j++) -- R[j] = L[j] ^ f[P[j] - 1]; -- /* Finally, the new L (the original R) is copied back. */ -- memcpy(L, tempL, 32); -- } -- /* The output L and R are reversed. */ -- for (j = 0; j < 32; j++) { -- t = L[j]; -- L[j] = R[j]; -- R[j] = t; -- } -- /* The final output gets the inverse permutation of the very original. */ -- for (j = 0; j < 64; j++) -- block[j] = L[FP[j] - 1]; --} -- --/* iobuf must be at least 16 bytes */ --static char * --afs_crypt(const char *pw, const char *salt, char *iobuf) --{ -- int i, j, c; -- int temp; -- char block[66]; -- char E[48]; -- char KS[16][48]; /* Key schedule, generated from key */ -- -- for (i = 0; i < 66; i++) -- block[i] = 0; -- for (i = 0; (c = *pw) != '\0' && i < 64; pw++){ -- for(j = 0; j < 7; j++, i++) -- block[i] = (c >> (6 - j)) & 01; -- i++; -- } -- -- afs_crypt_setkey(block, E, KS); -- -- for (i = 0; i < 66; i++) -- block[i] = 0; -- -- for (i = 0; i < 2; i++) { -- c = *salt++; -- iobuf[i] = c; -- if (c > 'Z') -- c -= 6; -- if (c > '9') -- c -= 7; -- c -= '.'; -- for (j = 0; j < 6; j++) { -- if ((c >> j) & 01) { -- temp = E[6 * i + j]; -- E[6 * i + j] = E[6 * i + j + 24]; -- E[6 * i + j + 24] = temp; -- } -- } -- } -- -- for (i = 0; i < 25; i++) -- afs_encrypt_block(block, E, KS); -- -- for (i = 0; i < 11; i++) { -- c = 0; -- for (j = 0; j < 6; j++) { -- c <<= 1; -- c |= block[6 * i + j]; -- } -- c += '.'; -- if (c > '9') -- c += 7; -- if (c > 'Z') -- c += 6; -- iobuf[i + 2] = c; -- } -- iobuf[i + 2] = 0; -- if (iobuf[1] == 0) -- iobuf[1] = iobuf[0]; -- return iobuf; --} -- --static krb5_error_code --afs_s2k_oneblock(const krb5_data *data, const krb5_data *salt, -- unsigned char *key_out) --{ -- unsigned int i; -- unsigned char password[9]; /* trailing nul for crypt() */ -- char afs_crypt_buf[16]; -- -- /* -- * Run afs_crypt and use the first eight returned bytes after the copy of -- * the (fixed) salt. -- * -- * Since the returned bytes are alphanumeric, the output is limited to -- * 2**48 possibilities; for each byte, only 64 possible values can be used. -- */ -- -- memset(password, 0, sizeof(password)); -- if (salt->length > 0) -- memcpy(password, salt->data, min(salt->length, 8)); -- for (i = 0; i < 8; i++) { -- if (isupper(password[i])) -- password[i] = tolower(password[i]); -- } -- for (i = 0; i < data->length; i++) -- password[i] ^= data->data[i]; -- for (i = 0; i < 8; i++) { -- if (password[i] == '\0') -- password[i] = 'X'; -- } -- password[8] = '\0'; -- /* Out-of-bounds salt characters are equivalent to a salt string -- * of "p1". */ -- strncpy((char *)key_out, -- (char *)afs_crypt((char *)password, "#~", afs_crypt_buf) + 2, 8); -- for (i = 0; i < 8; i++) -- key_out[i] <<= 1; -- /* Fix up key parity again. */ -- k5_des_fixup_key_parity(key_out); -- zap(password, sizeof(password)); -- return 0; --} -- --static krb5_error_code --afs_s2k_multiblock(const krb5_data *data, const krb5_data *salt, -- unsigned char *key_out) --{ -- krb5_error_code ret; -- unsigned char ivec[8], tkey[8], *password; -- size_t pw_len = salt->length + data->length; -- unsigned int i, j; -- -- /* Do a CBC checksum, twice, and use the result as the new key. */ -- -- password = malloc(pw_len); -- if (!password) -- return ENOMEM; -- -- if (data->length > 0) -- memcpy(password, data->data, data->length); -- for (i = data->length, j = 0; j < salt->length; i++, j++) { -- password[i] = salt->data[j]; -- if (isupper(password[i])) -- password[i] = tolower(password[i]); -- } -- -- memcpy(ivec, "kerberos", sizeof(ivec)); -- memcpy(tkey, ivec, sizeof(tkey)); -- k5_des_fixup_key_parity(tkey); -- ret = des_cbc_mac(tkey, ivec, password, pw_len, tkey); -- if (ret) -- goto cleanup; -- -- memcpy(ivec, tkey, sizeof(ivec)); -- k5_des_fixup_key_parity(tkey); -- ret = des_cbc_mac(tkey, ivec, password, pw_len, key_out); -- if (ret) -- goto cleanup; -- k5_des_fixup_key_parity(key_out); -- --cleanup: -- zapfree(password, pw_len); -- return ret; --} -- --static krb5_error_code --afs_s2k(const krb5_data *data, const krb5_data *salt, unsigned char *key_out) --{ -- if (data->length <= 8) -- return afs_s2k_oneblock(data, salt, key_out); -- else -- return afs_s2k_multiblock(data, salt, key_out); --} -- --static krb5_error_code --des_s2k(const krb5_data *pw, const krb5_data *salt, unsigned char *key_out) --{ -- union { -- /* 8 "forward" bytes, 8 "reverse" bytes */ -- unsigned char uc[16]; -- krb5_ui_4 ui[4]; -- } temp; -- unsigned int i; -- krb5_ui_4 x, y, z; -- unsigned char *p, *copy; -- size_t copylen; -- krb5_error_code ret; -- -- /* As long as the architecture is big-endian or little-endian, it -- doesn't matter which it is. Think of it as reversing the -- bytes, and also reversing the bits within each byte. But this -- current algorithm is dependent on having four 8-bit char values -- exactly overlay a 32-bit integral type. */ -- if (sizeof(temp.uc) != sizeof(temp.ui) -- || (unsigned char)~0 != 0xFF -- || (krb5_ui_4)~(krb5_ui_4)0 != 0xFFFFFFFF -- || (temp.uc[0] = 1, temp.uc[1] = 2, temp.uc[2] = 3, temp.uc[3] = 4, -- !(temp.ui[0] == 0x01020304 -- || temp.ui[0] == 0x04030201))) -- abort(); --#define FETCH4(VAR, IDX) VAR = temp.ui[IDX/4] --#define PUT4(VAR, IDX) temp.ui[IDX/4] = VAR -- -- copylen = pw->length + salt->length; -- /* Don't need NUL termination, at this point we're treating it as -- a byte array, not a string. */ -- copy = malloc(copylen); -- if (copy == NULL) -- return ENOMEM; -- if (pw->length > 0) -- memcpy(copy, pw->data, pw->length); -- if (salt->length > 0) -- memcpy(copy + pw->length, salt->data, salt->length); -- -- memset(&temp, 0, sizeof(temp)); -- p = temp.uc; -- /* Handle the fan-fold xor operation by splitting the data into -- forward and reverse sections, and combine them later, rather -- than having to do the reversal over and over again. */ -- for (i = 0; i < copylen; i++) { -- *p++ ^= copy[i]; -- if (p == temp.uc+16) { -- p = temp.uc; --#ifdef PRINT_TEST_VECTORS -- { -- int j; -- printf("after %d input bytes:\nforward block:\t", i+1); -- for (j = 0; j < 8; j++) -- printf(" %02x", temp.uc[j] & 0xff); -- printf("\nreverse block:\t"); -- for (j = 8; j < 16; j++) -- printf(" %02x", temp.uc[j] & 0xff); -- printf("\n"); -- } --#endif -- } -- } -- --#ifdef PRINT_TEST_VECTORS -- if (p != temp.uc) { -- int j; -- printf("at end, after %d input bytes:\nforward block:\t", i); -- for (j = 0; j < 8; j++) -- printf(" %02x", temp.uc[j] & 0xff); -- printf("\nreverse block:\t"); -- for (j = 8; j < 16; j++) -- printf(" %02x", temp.uc[j] & 0xff); -- printf("\n"); -- } --#endif --#define REVERSE(VAR) \ -- { \ -- krb5_ui_4 old = VAR, temp1 = 0; \ -- int j; \ -- for (j = 0; j < 32; j++) { \ -- temp1 = (temp1 << 1) | (old & 1); \ -- old >>= 1; \ -- } \ -- VAR = temp1; \ -- } -- -- FETCH4 (x, 8); -- FETCH4 (y, 12); -- /* Ignore high bits of each input byte. */ -- x &= 0x7F7F7F7F; -- y &= 0x7F7F7F7F; -- /* Reverse the bit strings -- after this, y is "before" x. */ -- REVERSE (x); -- REVERSE (y); --#ifdef PRINT_TEST_VECTORS -- { -- int j; -- union { unsigned char uc[4]; krb5_ui_4 ui; } t2; -- printf("after reversal, reversed block:\n\t\t"); -- t2.ui = y; -- for (j = 0; j < 4; j++) -- printf(" %02x", t2.uc[j] & 0xff); -- t2.ui = x; -- for (j = 0; j < 4; j++) -- printf(" %02x", t2.uc[j] & 0xff); -- printf("\n"); -- } --#endif -- /* Ignored bits are now at the bottom of each byte, where we'll -- * put the parity bits. Good. */ -- FETCH4 (z, 0); -- z &= 0x7F7F7F7F; -- /* Ignored bits for z are at the top of each byte; fix that. */ -- z <<= 1; -- /* Finish the fan-fold xor for these four bytes. */ -- z ^= y; -- PUT4 (z, 0); -- /* Now do the second four bytes. */ -- FETCH4 (z, 4); -- z &= 0x7F7F7F7F; -- /* Ignored bits for z are at the top of each byte; fix that. */ -- z <<= 1; -- /* Finish the fan-fold xor for these four bytes. */ -- z ^= x; -- PUT4 (z, 4); -- --#ifdef PRINT_TEST_VECTORS -- { -- int j; -- printf("after reversal, combined block:\n\t\t"); -- for (j = 0; j < 8; j++) -- printf(" %02x", temp.uc[j] & 0xff); -- printf("\n"); -- } --#endif -- --#define FIXUP(k) (k5_des_fixup_key_parity(k), \ -- k5_des_is_weak_key(k) ? (k[7] ^= 0xF0) : 0) -- -- /* Now temp.cb is the temporary key, with invalid parity. */ -- FIXUP(temp.uc); -- --#ifdef PRINT_TEST_VECTORS -- { -- int j; -- printf("after fixing parity and weak keys:\n\t\t"); -- for (j = 0; j < 8; j++) -- printf(" %02x", temp.uc[j] & 0xff); -- printf("\n"); -- } --#endif -- -- ret = des_cbc_mac(temp.uc, temp.uc, copy, copylen, temp.uc); -- if (ret) -- goto cleanup; -- --#ifdef PRINT_TEST_VECTORS -- { -- int j; -- printf("cbc checksum:\n\t\t"); -- for (j = 0; j < 8; j++) -- printf(" %02x", temp.uc[j] & 0xff); -- printf("\n"); -- } --#endif -- -- FIXUP(temp.uc); -- --#ifdef PRINT_TEST_VECTORS -- { -- int j; -- printf("after fixing parity and weak keys:\n\t\t"); -- for (j = 0; j < 8; j++) -- printf(" %02x", temp.uc[j] & 0xff); -- printf("\n"); -- } --#endif -- -- memcpy(key_out, temp.uc, 8); -- --cleanup: -- zap(&temp, sizeof(temp)); -- zapfree(copy, copylen); -- return ret; --} -- --krb5_error_code --krb5int_des_string_to_key(const struct krb5_keytypes *ktp, -- const krb5_data *string, const krb5_data *salt, -- const krb5_data *parm, krb5_keyblock *keyblock) --{ -- int type; -- -- if (parm != NULL) { -- if (parm->length != 1) -- return KRB5_ERR_BAD_S2K_PARAMS; -- type = parm->data[0]; -- if (type != 0 && type != 1) -- return KRB5_ERR_BAD_S2K_PARAMS; -- } else -- type = 0; -- -- /* Use AFS string to key if we were told to. */ -- if (type == 1) -- return afs_s2k(string, salt, keyblock->contents); -- -- return des_s2k(string, salt, keyblock->contents); --} -diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports -index 90afdf5f7..63804299f 100644 ---- a/src/lib/crypto/libk5crypto.exports -+++ b/src/lib/crypto/libk5crypto.exports -@@ -85,7 +85,6 @@ krb5_k_prf - krb5_k_reference_key - krb5_k_verify_checksum - krb5_k_verify_checksum_iov --mit_crc32 - krb5int_aes_encrypt - krb5int_aes_decrypt - krb5int_enc_des3 -diff --git a/src/lib/crypto/openssl/enc_provider/Makefile.in b/src/lib/crypto/openssl/enc_provider/Makefile.in -index b9e28c9cd..a9069d22d 100644 ---- a/src/lib/crypto/openssl/enc_provider/Makefile.in -+++ b/src/lib/crypto/openssl/enc_provider/Makefile.in -@@ -3,21 +3,18 @@ BUILDTOP=$(REL)..$(S)..$(S)..$(S).. - LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. - - STLIBOBJS= \ -- des.o \ - des3.o \ - rc4.o \ - aes.o \ - camellia.o - - OBJS= \ -- $(OUTPRE)des.$(OBJEXT) \ - $(OUTPRE)des3.$(OBJEXT) \ - $(OUTPRE)aes.$(OBJEXT) \ - $(OUTPRE)camellia.$(OBJEXT) \ - $(OUTPRE)rc4.$(OBJEXT) - - SRCS= \ -- $(srcdir)/des.c \ - $(srcdir)/des3.c \ - $(srcdir)/aes.c \ - $(srcdir)/camellia.c \ -diff --git a/src/lib/crypto/openssl/enc_provider/deps b/src/lib/crypto/openssl/enc_provider/deps -index 428fcf6f5..1c28cc842 100644 ---- a/src/lib/crypto/openssl/enc_provider/deps -+++ b/src/lib/crypto/openssl/enc_provider/deps -@@ -1,17 +1,6 @@ - # - # Generated makefile dependencies follow. - # --des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ -- $(srcdir)/../crypto_mod.h $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h des.c - des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ -diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c -deleted file mode 100644 -index a662db512..000000000 ---- a/src/lib/crypto/openssl/enc_provider/des.c -+++ /dev/null -@@ -1,218 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/crypto/openssl/enc_provider/des.c */ --/* -- * Copyright (C) 2009 by the Massachusetts Institute of Technology. -- * All rights reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ -- --/* -- * Copyright (C) 1998 by the FundsXpress, INC. -- * -- * All rights reserved. -- * -- * Export of this software from the United States of America may require -- * a specific license from the United States Government. It is the -- * responsibility of any person or organization contemplating export to -- * obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of FundsXpress. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. FundsXpress makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- * -- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -- */ -- --#include "crypto_int.h" --#include --#include -- --#define DES_BLOCK_SIZE 8 --#define DES_KEY_SIZE 8 --#define DES_KEY_BYTES 7 -- --static krb5_error_code --validate(krb5_key key, const krb5_data *ivec, const krb5_crypto_iov *data, -- size_t num_data, krb5_boolean *empty) --{ -- size_t input_length = iov_total_length(data, num_data, FALSE); -- -- if (key->keyblock.length != DES_KEY_SIZE) -- return(KRB5_BAD_KEYSIZE); -- if ((input_length%DES_BLOCK_SIZE) != 0) -- return(KRB5_BAD_MSIZE); -- if (ivec && (ivec->length != 8)) -- return(KRB5_BAD_MSIZE); -- -- *empty = (input_length == 0); -- return 0; --} -- --static krb5_error_code --k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, -- size_t num_data) --{ -- int ret, olen = DES_BLOCK_SIZE; -- unsigned char iblock[DES_BLOCK_SIZE], oblock[DES_BLOCK_SIZE]; -- struct iov_cursor cursor; -- EVP_CIPHER_CTX *ctx; -- krb5_boolean empty; -- -- ret = validate(key, ivec, data, num_data, &empty); -- if (ret != 0 || empty) -- return ret; -- -- ctx = EVP_CIPHER_CTX_new(); -- if (ctx == NULL) -- return ENOMEM; -- -- ret = EVP_EncryptInit_ex(ctx, EVP_des_cbc(), NULL, -- key->keyblock.contents, (ivec && ivec->data) ? (unsigned char*)ivec->data : NULL); -- if (!ret) { -- EVP_CIPHER_CTX_free(ctx); -- return KRB5_CRYPTO_INTERNAL; -- } -- -- EVP_CIPHER_CTX_set_padding(ctx, 0); -- -- k5_iov_cursor_init(&cursor, data, num_data, DES_BLOCK_SIZE, FALSE); -- while (k5_iov_cursor_get(&cursor, iblock)) { -- ret = EVP_EncryptUpdate(ctx, oblock, &olen, iblock, DES_BLOCK_SIZE); -- if (!ret) -- break; -- k5_iov_cursor_put(&cursor, oblock); -- } -- -- if (ivec != NULL) -- memcpy(ivec->data, oblock, DES_BLOCK_SIZE); -- -- EVP_CIPHER_CTX_free(ctx); -- -- zap(iblock, sizeof(iblock)); -- zap(oblock, sizeof(oblock)); -- -- if (ret != 1) -- return KRB5_CRYPTO_INTERNAL; -- return 0; --} -- --static krb5_error_code --k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, -- size_t num_data) --{ -- int ret, olen = DES_BLOCK_SIZE; -- unsigned char iblock[DES_BLOCK_SIZE], oblock[DES_BLOCK_SIZE]; -- struct iov_cursor cursor; -- EVP_CIPHER_CTX *ctx; -- krb5_boolean empty; -- -- ret = validate(key, ivec, data, num_data, &empty); -- if (ret != 0 || empty) -- return ret; -- -- ctx = EVP_CIPHER_CTX_new(); -- if (ctx == NULL) -- return ENOMEM; -- -- ret = EVP_DecryptInit_ex(ctx, EVP_des_cbc(), NULL, -- key->keyblock.contents, -- (ivec) ? (unsigned char*)ivec->data : NULL); -- if (!ret) { -- EVP_CIPHER_CTX_free(ctx); -- return KRB5_CRYPTO_INTERNAL; -- } -- -- EVP_CIPHER_CTX_set_padding(ctx,0); -- -- k5_iov_cursor_init(&cursor, data, num_data, DES_BLOCK_SIZE, FALSE); -- while (k5_iov_cursor_get(&cursor, iblock)) { -- ret = EVP_DecryptUpdate(ctx, oblock, &olen, iblock, DES_BLOCK_SIZE); -- if (!ret) -- break; -- k5_iov_cursor_put(&cursor, oblock); -- } -- -- if (ivec != NULL) -- memcpy(ivec->data, iblock, DES_BLOCK_SIZE); -- -- EVP_CIPHER_CTX_free(ctx); -- -- zap(iblock, sizeof(iblock)); -- zap(oblock, sizeof(oblock)); -- -- if (ret != 1) -- return KRB5_CRYPTO_INTERNAL; -- return 0; --} -- --static krb5_error_code --k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data, -- const krb5_data *ivec, krb5_data *output) --{ -- int ret; -- struct iov_cursor cursor; -- DES_cblock blockY, blockB; -- DES_key_schedule sched; -- krb5_boolean empty; -- -- ret = validate(key, ivec, data, num_data, &empty); -- if (ret != 0) -- return ret; -- -- if (output->length != DES_BLOCK_SIZE) -- return KRB5_BAD_MSIZE; -- -- if (DES_set_key((DES_cblock *)key->keyblock.contents, &sched) != 0) -- return KRB5_CRYPTO_INTERNAL; -- -- if (ivec != NULL) -- memcpy(blockY, ivec->data, DES_BLOCK_SIZE); -- else -- memset(blockY, 0, DES_BLOCK_SIZE); -- -- k5_iov_cursor_init(&cursor, data, num_data, DES_BLOCK_SIZE, FALSE); -- while (k5_iov_cursor_get(&cursor, blockB)) { -- store_64_n(load_64_n(blockB) ^ load_64_n(blockY), blockB); -- DES_ecb_encrypt(&blockB, &blockY, &sched, 1); -- } -- -- memcpy(output->data, blockY, DES_BLOCK_SIZE); -- return 0; --} -- --const struct krb5_enc_provider krb5int_enc_des = { -- DES_BLOCK_SIZE, -- DES_KEY_BYTES, DES_KEY_SIZE, -- k5_des_encrypt, -- k5_des_decrypt, -- k5_des_cbc_mac, -- krb5int_des_init_state, -- krb5int_default_free_state --}; -diff --git a/src/lib/crypto/openssl/hash_provider/Makefile.in b/src/lib/crypto/openssl/hash_provider/Makefile.in -index 7762e20a5..f7245fbd1 100644 ---- a/src/lib/crypto/openssl/hash_provider/Makefile.in -+++ b/src/lib/crypto/openssl/hash_provider/Makefile.in -@@ -2,15 +2,11 @@ mydir=lib$(S)crypto$(S)openssl$(S)hash_provider - BUILDTOP=$(REL)..$(S)..$(S)..$(S).. - LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. - --STLIBOBJS= \ -- hash_crc32.o \ -- hash_evp.o -+STLIBOBJS= hash_evp.o - --OBJS= $(OUTPRE)hash_crc32.$(OBJEXT) \ -- $(OUTPRE)hash_evp.$(OBJEXT) -+OBJS= $(OUTPRE)hash_evp.$(OBJEXT) - --SRCS= $(srcdir)/hash_crc32.c \ -- $(srcdir)/hash_evp.c -+SRCS= $(srcdir)/hash_evp.c - - all-unix: all-libobjs - -diff --git a/src/lib/crypto/openssl/hash_provider/deps b/src/lib/crypto/openssl/hash_provider/deps -index 87dd02012..690574cab 100644 ---- a/src/lib/crypto/openssl/hash_provider/deps -+++ b/src/lib/crypto/openssl/hash_provider/deps -@@ -1,18 +1,6 @@ - # - # Generated makefile dependencies follow. - # --hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \ -- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ -- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ -- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- hash_crc32.c - hash_evp.so hash_evp.po $(OUTPRE)hash_evp.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -diff --git a/src/lib/crypto/openssl/hash_provider/hash_crc32.c b/src/lib/crypto/openssl/hash_provider/hash_crc32.c -deleted file mode 100644 -index 4013843ed..000000000 ---- a/src/lib/crypto/openssl/hash_provider/hash_crc32.c -+++ /dev/null -@@ -1,56 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* -- * Copyright (C) 1998 by the FundsXpress, INC. -- * -- * All rights reserved. -- * -- * Export of this software from the United States of America may require -- * a specific license from the United States Government. It is the -- * responsibility of any person or organization contemplating export to -- * obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of FundsXpress. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. FundsXpress makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- * -- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -- */ -- --#include "crypto_int.h" -- --static krb5_error_code --k5_crc32_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) --{ -- unsigned long c; -- unsigned int i; -- -- if (output->length != CRC32_CKSUM_LENGTH) -- return(KRB5_CRYPTO_INTERNAL); -- -- c = 0; -- for (i = 0; i < num_data; i++) { -- const krb5_crypto_iov *iov = &data[i]; -- -- if (SIGN_IOV(iov)) -- mit_crc32(iov->data.data, iov->data.length, &c); -- } -- -- store_32_le(c, output->data); -- return(0); --} -- --const struct krb5_hash_provider krb5int_hash_crc32 = { -- "CRC32", -- CRC32_CKSUM_LENGTH, -- 1, -- k5_crc32_hash --}; -diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index 5baa6cecf..439ae6aeb 100644 ---- a/src/lib/gssapi/krb5/accept_sec_context.c -+++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -1011,9 +1011,6 @@ kg_accept_krb5(minor_status, context_handle, - } - - switch (negotiated_etype) { -- case ENCTYPE_DES_CBC_MD5: -- case ENCTYPE_DES_CBC_MD4: -- case ENCTYPE_DES_CBC_CRC: - case ENCTYPE_DES3_CBC_SHA1: - case ENCTYPE_ARCFOUR_HMAC: - case ENCTYPE_ARCFOUR_HMAC_EXP: -diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index e92be88b4..2647434ba 100644 ---- a/src/lib/gssapi/krb5/gssapiP_krb5.h -+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h -@@ -120,17 +120,17 @@ extern const gss_OID_set kg_all_mechs; - /* These are to be stored in little-endian order, i.e., des-mac is - stored as 02 00. */ - enum sgn_alg { -- SGN_ALG_DES_MAC_MD5 = 0x0000, -- SGN_ALG_MD2_5 = 0x0001, -- SGN_ALG_DES_MAC = 0x0002, -- SGN_ALG_3 = 0x0003, /* not published */ -+ /* SGN_ALG_DES_MAC_MD5 = 0x0000, */ -+ /* SGN_ALG_MD2_5 = 0x0001, */ -+ /* SGN_ALG_DES_MAC = 0x0002, */ -+ /* SGN_ALG_3 = 0x0003, /\* not published *\/ */ - SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */ - SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004 - }; - enum seal_alg { - SEAL_ALG_NONE = 0xffff, -- SEAL_ALG_DES = 0x0000, -- SEAL_ALG_1 = 0x0001, /* not published */ -+ /* SEAL_ALG_DES = 0x0000, */ -+ /* SEAL_ALG_1 = 0x0001, /\* not published *\/ */ - SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */ - SEAL_ALG_DES3KD = 0x0002 - }; -@@ -147,12 +147,12 @@ enum seal_alg { - #define KG_USAGE_INITIATOR_SIGN 25 - - enum qop { -- GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */ -- GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002, -- GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003, -+ /* GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, */ -+ /* GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002, */ -+ /* GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003, */ - GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004, - GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff, -- GSS_KRB5_CONF_C_QOP_DES = 0x0100, -+ /* GSS_KRB5_CONF_C_QOP_DES = 0x0100, */ - GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200, - GSS_KRB5_CONF_C_QOP_MASK = 0xff00 - }; -diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c -index 4da531b58..d1cdce486 100644 ---- a/src/lib/gssapi/krb5/k5seal.c -+++ b/src/lib/gssapi/krb5/k5seal.c -@@ -71,7 +71,6 @@ make_seal_token_v1 (krb5_context context, - char *data_ptr; - krb5_data plaind; - krb5_checksum md5cksum; -- krb5_checksum cksum; - /* msglen contains the message length - * we are signing/encrypting. tmsglen - * contains the length of the message -@@ -137,12 +136,8 @@ make_seal_token_v1 (krb5_context context, - - /* pad the plaintext, encrypt if needed, and stick it in the token */ - -- /* initialize the the cksum */ -+ /* initialize the the checksum */ - switch (signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_MD2_5: -- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5; -- break; - case SGN_ALG_HMAC_SHA1_DES3_KD: - md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3; - break; -@@ -152,7 +147,6 @@ make_seal_token_v1 (krb5_context context, - sign_usage = 15; - break; - default: -- case SGN_ALG_DES_MAC: - abort (); - } - -@@ -203,26 +197,6 @@ make_seal_token_v1 (krb5_context context, - return(code); - } - switch(signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case 3: -- -- code = kg_encrypt_inplace(context, seq, KG_USAGE_SEAL, -- (g_OID_equal(oid, gss_mech_krb5_old) ? -- seq->keyblock.contents : NULL), -- md5cksum.contents, 16); -- if (code) { -- krb5_free_checksum_contents(context, &md5cksum); -- xfree (plain); -- gssalloc_free(t); -- return code; -- } -- -- cksum.length = cksum_size; -- cksum.contents = md5cksum.contents + 16 - cksum.length; -- -- memcpy(ptr+14, cksum.contents, cksum.length); -- break; -- - case SGN_ALG_HMAC_SHA1_DES3_KD: - /* - * Using key derivation, the call to krb5_c_make_checksum -diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c -index 88caa856f..9bb2ee109 100644 ---- a/src/lib/gssapi/krb5/k5sealiov.c -+++ b/src/lib/gssapi/krb5/k5sealiov.c -@@ -145,10 +145,6 @@ make_seal_token_v1_iov(krb5_context context, - - /* initialize the checksum */ - switch (ctx->signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_MD2_5: -- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5; -- break; - case SGN_ALG_HMAC_SHA1_DES3_KD: - md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3; - break; -@@ -158,7 +154,6 @@ make_seal_token_v1_iov(krb5_context context, - sign_usage = 15; - break; - default: -- case SGN_ALG_DES_MAC: - abort (); - } - -@@ -183,21 +178,6 @@ make_seal_token_v1_iov(krb5_context context, - goto cleanup; - - switch (ctx->signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_3: -- code = kg_encrypt_inplace(context, ctx->seq, KG_USAGE_SEAL, -- (g_OID_equal(ctx->mech_used, -- gss_mech_krb5_old) ? -- ctx->seq->keyblock.contents : NULL), -- md5cksum.contents, 16); -- if (code != 0) -- goto cleanup; -- -- cksum.length = ctx->cksum_size; -- cksum.contents = md5cksum.contents + 16 - cksum.length; -- -- memcpy(ptr + 14, cksum.contents, cksum.length); -- break; - case SGN_ALG_HMAC_SHA1_DES3_KD: - assert(md5cksum.length == ctx->cksum_size); - memcpy(ptr + 14, md5cksum.contents, md5cksum.length); -diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c -index 57720c2ea..9b183bc33 100644 ---- a/src/lib/gssapi/krb5/k5unseal.c -+++ b/src/lib/gssapi/krb5/k5unseal.c -@@ -76,7 +76,6 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - int sealalg; - int bad_pad = 0; - gss_buffer_desc token; -- krb5_checksum cksum; - krb5_checksum md5cksum; - krb5_data plaind; - char *data_ptr; -@@ -132,7 +131,6 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - but few enough that we can try them all. */ - - if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) || -- (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) || - (ctx->sealalg == SEAL_ALG_DES3KD && - signalg != SGN_ALG_HMAC_SHA1_DES3_KD)|| - (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 && -@@ -142,16 +140,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - } - - switch (signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_MD2_5: - case SGN_ALG_HMAC_MD5: - cksum_len = 8; - if (toktype != KG_TOK_SEAL_MSG) - sign_usage = 15; - break; -- case SGN_ALG_3: -- cksum_len = 16; -- break; - case SGN_ALG_HMAC_SHA1_DES3_KD: - cksum_len = 20; - break; -@@ -260,12 +253,6 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - - /* initialize the the cksum */ - switch (signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_MD2_5: -- case SGN_ALG_DES_MAC: -- case SGN_ALG_3: -- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5; -- break; - case SGN_ALG_HMAC_MD5: - md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR; - break; -@@ -282,105 +269,6 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, - md5cksum.length = sumlen; - - switch (signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_3: -- /* compute the checksum of the message */ -- -- /* 8 = bytes of token body to be checksummed according to spec */ -- -- if (! (data_ptr = xmalloc(8 + plainlen))) { -- if (sealalg != 0xffff) -- xfree(plain); -- if (toktype == KG_TOK_SEAL_MSG) -- gssalloc_free(token.value); -- *minor_status = ENOMEM; -- return(GSS_S_FAILURE); -- } -- -- (void) memcpy(data_ptr, ptr-2, 8); -- -- (void) memcpy(data_ptr+8, plain, plainlen); -- -- plaind.length = 8 + plainlen; -- plaind.data = data_ptr; -- code = krb5_k_make_checksum(context, md5cksum.checksum_type, -- ctx->seq, sign_usage, -- &plaind, &md5cksum); -- xfree(data_ptr); -- -- if (code) { -- if (toktype == KG_TOK_SEAL_MSG) -- gssalloc_free(token.value); -- *minor_status = code; -- return(GSS_S_FAILURE); -- } -- -- code = kg_encrypt_inplace(context, ctx->seq, KG_USAGE_SEAL, -- (g_OID_equal(ctx->mech_used, -- gss_mech_krb5_old) ? -- ctx->seq->keyblock.contents : NULL), -- md5cksum.contents, 16); -- if (code) { -- krb5_free_checksum_contents(context, &md5cksum); -- if (toktype == KG_TOK_SEAL_MSG) -- gssalloc_free(token.value); -- *minor_status = code; -- return GSS_S_FAILURE; -- } -- -- if (signalg == 0) -- cksum.length = 8; -- else -- cksum.length = 16; -- cksum.contents = md5cksum.contents + 16 - cksum.length; -- -- code = k5_bcmp(cksum.contents, ptr + 14, cksum.length); -- break; -- -- case SGN_ALG_MD2_5: -- if (!ctx->seed_init && -- (code = kg_make_seed(context, ctx->subkey, ctx->seed))) { -- krb5_free_checksum_contents(context, &md5cksum); -- if (sealalg != 0xffff) -- xfree(plain); -- if (toktype == KG_TOK_SEAL_MSG) -- gssalloc_free(token.value); -- *minor_status = code; -- return GSS_S_FAILURE; -- } -- -- if (! (data_ptr = xmalloc(sizeof(ctx->seed) + 8 + plainlen))) { -- krb5_free_checksum_contents(context, &md5cksum); -- if (sealalg == 0) -- xfree(plain); -- if (toktype == KG_TOK_SEAL_MSG) -- gssalloc_free(token.value); -- *minor_status = ENOMEM; -- return(GSS_S_FAILURE); -- } -- (void) memcpy(data_ptr, ptr-2, 8); -- (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed)); -- (void) memcpy(data_ptr+8+sizeof(ctx->seed), plain, plainlen); -- plaind.length = 8 + sizeof(ctx->seed) + plainlen; -- plaind.data = data_ptr; -- krb5_free_checksum_contents(context, &md5cksum); -- code = krb5_k_make_checksum(context, md5cksum.checksum_type, -- ctx->seq, sign_usage, -- &plaind, &md5cksum); -- xfree(data_ptr); -- -- if (code) { -- if (sealalg == 0) -- xfree(plain); -- if (toktype == KG_TOK_SEAL_MSG) -- gssalloc_free(token.value); -- *minor_status = code; -- return(GSS_S_FAILURE); -- } -- -- code = k5_bcmp(md5cksum.contents, ptr + 14, 8); -- /* Falls through to defective-token?? */ -- - default: - *minor_status = 0; - return(GSS_S_DEFECTIVE_TOKEN); -diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c -index f15d2db69..85a9574f3 100644 ---- a/src/lib/gssapi/krb5/k5unsealiov.c -+++ b/src/lib/gssapi/krb5/k5unsealiov.c -@@ -44,7 +44,6 @@ kg_unseal_v1_iov(krb5_context context, - unsigned char *ptr; - int sealalg; - int signalg; -- krb5_checksum cksum; - krb5_checksum md5cksum; - size_t cksum_len = 0; - size_t conflen = 0; -@@ -54,8 +53,8 @@ kg_unseal_v1_iov(krb5_context context, - size_t sumlen; - krb5_keyusage sign_usage = KG_USAGE_SIGN; - -- md5cksum.length = cksum.length = 0; -- md5cksum.contents = cksum.contents = NULL; -+ md5cksum.length = 0; -+ md5cksum.contents = NULL; - - header = kg_locate_header_iov(iov, iov_count, toktype); - assert(header != NULL); -@@ -103,7 +102,6 @@ kg_unseal_v1_iov(krb5_context context, - } - - if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) || -- (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) || - (ctx->sealalg == SEAL_ALG_DES3KD && - signalg != SGN_ALG_HMAC_SHA1_DES3_KD)|| - (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 && -@@ -113,16 +111,11 @@ kg_unseal_v1_iov(krb5_context context, - } - - switch (signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_MD2_5: - case SGN_ALG_HMAC_MD5: - cksum_len = 8; - if (toktype != KG_TOK_WRAP_MSG) - sign_usage = 15; - break; -- case SGN_ALG_3: -- cksum_len = 16; -- break; - case SGN_ALG_HMAC_SHA1_DES3_KD: - cksum_len = 20; - break; -@@ -189,12 +182,6 @@ kg_unseal_v1_iov(krb5_context context, - /* initialize the checksum */ - - switch (signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_MD2_5: -- case SGN_ALG_DES_MAC: -- case SGN_ALG_3: -- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5; -- break; - case SGN_ALG_HMAC_MD5: - md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR; - break; -@@ -223,23 +210,6 @@ kg_unseal_v1_iov(krb5_context context, - } - - switch (signalg) { -- case SGN_ALG_DES_MAC_MD5: -- case SGN_ALG_3: -- code = kg_encrypt_inplace(context, ctx->seq, KG_USAGE_SEAL, -- (g_OID_equal(ctx->mech_used, -- gss_mech_krb5_old) ? -- ctx->seq->keyblock.contents : NULL), -- md5cksum.contents, 16); -- if (code != 0) { -- retval = GSS_S_FAILURE; -- goto cleanup; -- } -- -- cksum.length = cksum_len; -- cksum.contents = md5cksum.contents + 16 - cksum.length; -- -- code = k5_bcmp(cksum.contents, ptr + 14, cksum.length); -- break; - case SGN_ALG_HMAC_SHA1_DES3_KD: - case SGN_ALG_HMAC_MD5: - code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len); -diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c -index 0cebde12a..80954aff7 100644 ---- a/src/lib/gssapi/krb5/util_crypt.c -+++ b/src/lib/gssapi/krb5/util_crypt.c -@@ -74,27 +74,6 @@ kg_copy_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey) - return 0; - } - --static krb5_error_code --kg_derive_des_enc_key(krb5_context context, krb5_key subkey, krb5_key *out) --{ -- krb5_error_code code; -- krb5_keyblock *keyblock; -- unsigned int i; -- -- *out = NULL; -- -- code = krb5_k_key_keyblock(context, subkey, &keyblock); -- if (code != 0) -- return code; -- -- for (i = 0; i < keyblock->length; i++) -- keyblock->contents[i] ^= 0xF0; -- -- code = krb5_k_create_key(context, keyblock, out); -- krb5_free_keyblock(context, keyblock); -- return code; --} -- - krb5_error_code - kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey, - krb5_cksumtype *cksumtype) -@@ -118,26 +97,6 @@ kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey, - return code; - - switch (subkey->keyblock.enctype) { -- case ENCTYPE_DES_CBC_MD5: -- case ENCTYPE_DES_CBC_MD4: -- case ENCTYPE_DES_CBC_CRC: -- krb5_k_free_key(context, ctx->seq); -- code = krb5_k_create_key(context, &subkey->keyblock, &ctx->seq); -- if (code != 0) -- return code; -- -- krb5_k_free_key(context, ctx->enc); -- code = kg_derive_des_enc_key(context, subkey, &ctx->enc); -- if (code != 0) -- return code; -- -- ctx->enc->keyblock.enctype = ENCTYPE_DES_CBC_RAW; -- ctx->seq->keyblock.enctype = ENCTYPE_DES_CBC_RAW; -- ctx->signalg = SGN_ALG_DES_MAC_MD5; -- ctx->cksum_size = 8; -- ctx->sealalg = SEAL_ALG_DES; -- -- break; - case ENCTYPE_DES3_CBC_SHA1: - code = kg_copy_keys(context, ctx, subkey); - if (code != 0) -diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c -index 745ee857e..f22ea7f1f 100644 ---- a/src/lib/kadm5/kadm_rpc_xdr.c -+++ b/src/lib/kadm5/kadm_rpc_xdr.c -@@ -1109,16 +1109,6 @@ xdr_krb5_octet(XDR *xdrs, krb5_octet *objp) - bool_t - xdr_krb5_enctype(XDR *xdrs, krb5_enctype *objp) - { -- /* -- * This used to be xdr_krb5_keytype, but keytypes and enctypes have -- * been merged into only enctypes. However, randkey_principal -- * already ensures that only a key of ENCTYPE_DES_CBC_CRC will be -- * returned to v1 clients, and ENCTYPE_DES_CBC_CRC has the same -- * value as KEYTYPE_DES used too, which is what all v1 clients -- * expect. Therefore, IMHO, just encoding whatever enctype we get -- * is safe. -- */ -- - if (!xdr_int32(xdrs, (int32_t *) objp)) - return (FALSE); - return (TRUE); -diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c -index 0d00c86d4..4367322b7 100644 ---- a/src/lib/krb5/ccache/cc_mslsa.c -+++ b/src/lib/krb5/ccache/cc_mslsa.c -@@ -1103,13 +1103,14 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA - } - - if (krb5_get_tgs_ktypes(context, NULL, &etype_list)) { -- ptr = etype_list = NULL; -- etype = ENCTYPE_DES_CBC_CRC; -- } else { -- ptr = etype_list + 1; -- etype = *etype_list; -+ /* No enctypes - nothing we can do. */ -+ bIsLsaError = TRUE; -+ goto cleanup; - } - -+ ptr = etype_list + 1; -+ etype = *etype_list; -+ - while ( etype ) { - // Try once more but this time specify the Encryption Type - // (This will not store the retrieved tickets in the LSA cache unless -diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c -index 1dfce631c..aa90454f3 100644 ---- a/src/lib/krb5/krb/auth_con.c -+++ b/src/lib/krb5/krb/auth_con.c -@@ -313,28 +313,11 @@ krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_co - krb5_error_code KRB5_CALLCONV - krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context) - { -- krb5_error_code ret; -- krb5_enctype enctype; -- - if (auth_context->key == NULL) - return EINVAL; -- ret = krb5_c_init_state(context, &auth_context->key->keyblock, -- KRB5_KEYUSAGE_KRB_PRIV_ENCPART, -- &auth_context->cstate); -- if (ret) -- return ret; -- -- /* -- * Historically we used a zero-filled buffer of the enctype block size. -- * This matches every existing enctype except RC4 (which has a block size -- * of 1) and des-cbc-crc (which uses the key instead of a zero-filled -- * buffer). Special-case des-cbc-crc to remain interoperable. -- */ -- enctype = krb5_k_key_enctype(context, auth_context->key); -- if (enctype == ENCTYPE_DES_CBC_CRC) -- zap(auth_context->cstate.data, auth_context->cstate.length); -- -- return 0; -+ return krb5_c_init_state(context, &auth_context->key->keyblock, -+ KRB5_KEYUSAGE_KRB_PRIV_ENCPART, -+ &auth_context->cstate); - } - - krb5_error_code -diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c -index e82f42581..1d70cf46f 100644 ---- a/src/lib/krb5/krb/gic_keytab.c -+++ b/src/lib/krb5/krb/gic_keytab.c -@@ -130,10 +130,6 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab, - } - etypes = p; - etypes[count++] = etype; -- /* All DES key types work with des-cbc-crc, which is more likely to be -- * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */ -- if (etype == ENCTYPE_DES_CBC_MD5 || etype == ENCTYPE_DES_CBC_MD4) -- etypes[count++] = ENCTYPE_DES_CBC_CRC; - etypes[count] = 0; - } - if (ret != KRB5_KT_END) -diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index 37405728c..b597dda54 100644 ---- a/src/lib/krb5/krb/init_ctx.c -+++ b/src/lib/krb5/krb/init_ctx.c -@@ -56,17 +56,12 @@ - #include "brand.c" - #include "../krb5_libinit.h" - --/* The des-mdX entries are last for now, because it's easy to -- configure KDCs to issue TGTs with des-mdX keys and then not accept -- them. This'll be fixed, but for better compatibility, let's prefer -- des-crc for now. */ - static krb5_enctype default_enctype_list[] = { - ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, - ENCTYPE_DES3_CBC_SHA1, - ENCTYPE_ARCFOUR_HMAC, - ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC, -- ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4, - 0 - }; - -@@ -483,10 +478,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, - /* Set all enctypes in the default list. */ - for (i = 0; default_list[i]; i++) - mod_list(default_list[i], sel, weak, &list); -- } else if (strcasecmp(token, "des") == 0) { -- mod_list(ENCTYPE_DES_CBC_CRC, sel, weak, &list); -- mod_list(ENCTYPE_DES_CBC_MD5, sel, weak, &list); -- mod_list(ENCTYPE_DES_CBC_MD4, sel, weak, &list); - } else if (strcasecmp(token, "des3") == 0) { - mod_list(ENCTYPE_DES3_CBC_SHA1, sel, weak, &list); - } else if (strcasecmp(token, "aes") == 0) { -diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c -index dce092781..9fc6a0e52 100644 ---- a/src/lib/krb5/krb/mk_req_ext.c -+++ b/src/lib/krb5/krb/mk_req_ext.c -@@ -82,36 +82,6 @@ generate_authenticator(krb5_context, - krb5_enctype *desired_etypes, - krb5_enctype tkt_enctype); - --/* Return the checksum type for the AP request, or 0 to use the enctype's -- * mandatory checksum. */ --static krb5_cksumtype --ap_req_cksum(krb5_context context, krb5_auth_context auth_context, -- krb5_enctype enctype) --{ -- /* Use the configured checksum type if one was set. */ -- if (auth_context->req_cksumtype) -- return auth_context->req_cksumtype; -- -- /* -- * Otherwise choose based on the enctype. For interoperability with very -- * old implementations, use unkeyed MD4 or MD5 checkums for DES enctypes. -- * (The authenticator checksum does not have to be keyed since it is -- * contained within an encrypted blob.) -- */ -- switch (enctype) { -- case ENCTYPE_DES_CBC_CRC: -- case ENCTYPE_DES_CBC_MD5: -- return CKSUMTYPE_RSA_MD5; -- break; -- case ENCTYPE_DES_CBC_MD4: -- return CKSUMTYPE_RSA_MD4; -- break; -- default: -- /* Use the mandatory checksum type for the enctype. */ -- return 0; -- } --} -- - krb5_error_code KRB5_CALLCONV - krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, - krb5_flags ap_req_options, krb5_data *in_data, -@@ -198,15 +168,10 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, - checksum.length = in_data->length; - checksum.contents = (krb5_octet *) in_data->data; - } else { -- krb5_enctype enctype = krb5_k_key_enctype(context, -- (*auth_context)->key); -- krb5_cksumtype cksumtype = ap_req_cksum(context, *auth_context, -- enctype); -- if ((retval = krb5_k_make_checksum(context, -- cksumtype, -- (*auth_context)->key, -- KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, -- in_data, &checksum))) -+ retval = krb5_k_make_checksum(context, 0, (*auth_context)->key, -+ KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, -+ in_data, &checksum); -+ if (retval) - goto cleanup_cksum; - } - checksump = &checksum; -diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c -index 614ed4190..d8015c64a 100644 ---- a/src/lib/krb5/krb/s4u_creds.c -+++ b/src/lib/krb5/krb/s4u_creds.c -@@ -341,9 +341,6 @@ verify_s4u2self_reply(krb5_context context, - assert(req_s4u_user != NULL); - - switch (subkey->enctype) { -- case ENCTYPE_DES_CBC_CRC: -- case ENCTYPE_DES_CBC_MD4: -- case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES3_CBC_SHA1: - case ENCTYPE_DES3_CBC_RAW: - case ENCTYPE_ARCFOUR_HMAC: -diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c -index 39f656322..55491428b 100644 ---- a/src/lib/krb5/krb/ser_ctx.c -+++ b/src/lib/krb5/krb/ser_ctx.c -@@ -400,7 +400,7 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet * - } else - context->tgs_etypes = NULL; - -- /* Allowable checksum */ -+ /* Allowable clockskew */ - if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) - goto cleanup; - context->clockskew = (krb5_deltat) ibuf; -diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man -index fd4dbb2e2..527d5d697 100644 ---- a/src/man/kdc.conf.man -+++ b/src/man/kdc.conf.man -@@ -441,13 +441,6 @@ marks the server principal as host\-based or the service is also - listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will - disable referral processing altogether. - .TP --\fBdes_crc_session_supported\fP --(Boolean value). If set to true, the KDC will assume that service --principals support des\-cbc\-crc for session key enctype negotiation --purposes. If \fBallow_weak_crypto\fP in libdefaults is --false, or if des\-cbc\-crc is not a permitted enctype, then this --variable has no effect. Defaults to true. New in release 1.11. --.TP - \fBreject_bad_transit\fP - (Boolean value.) If set to true, the KDC will check the list of - transited realms for cross\-realm tickets against the transit path -@@ -970,30 +963,6 @@ center; - |l|l|. - _ - T{ --des\-cbc\-crc --T} T{ --DES cbc mode with CRC\-32 (weak) --T} --_ --T{ --des\-cbc\-md4 --T} T{ --DES cbc mode with RSA\-MD4 (weak) --T} --_ --T{ --des\-cbc\-md5 --T} T{ --DES cbc mode with RSA\-MD5 (weak) --T} --_ --T{ --des\-cbc\-raw --T} T{ --DES cbc mode raw (weak) --T} --_ --T{ - des3\-cbc\-raw - T} T{ - Triple DES cbc mode raw (weak) -@@ -1006,12 +975,6 @@ Triple DES cbc mode with HMAC/sha1 - T} - _ - T{ --des\-hmac\-sha1 --T} T{ --DES with HMAC/sha1 (weak) --T} --_ --T{ - aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1 - T} T{ - AES\-256 CTS mode with 96\-bit SHA\-1 HMAC -@@ -1060,12 +1023,6 @@ Camellia\-128 CTS mode with CMAC - T} - _ - T{ --des --T} T{ --The DES family: des\-cbc\-crc, des\-cbc\-md5, and des\-cbc\-md4 (weak) --T} --_ --T{ - des3 - T} T{ - The triple DES family: des3\-cbc\-sha1 -@@ -1096,8 +1053,8 @@ types for the variable in question. Types or families can be removed - from the current list by prefixing them with a minus sign ("\-"). - Types or families can be prefixed with a plus sign ("+") for symmetry; - it has the same meaning as just listing the type or family. For --example, "\fBDEFAULT \-des\fP" would be the default set of encryption --types with DES types removed, and "\fBdes3 DEFAULT\fP" would be the -+example, "\fBDEFAULT \-rc4\fP" would be the default set of encryption -+types with RC4 types removed, and "\fBdes3 DEFAULT\fP" would be the - default set of encryption types with triple DES types moved to the - front. - .sp -diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man -index 433f38d71..4bc190e32 100644 ---- a/src/man/krb5.conf.man -+++ b/src/man/krb5.conf.man -@@ -240,7 +240,7 @@ the client should request when making a TGS\-REQ, in order of - preference from highest to lowest. The list may be delimited with - commas or whitespace. See Encryption_types in - kdc.conf(5) for a list of the accepted values for this tag. --The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types -+The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP, but weak encryption types - will be implicitly removed from this list if the value of - \fBallow_weak_crypto\fP is false. - .sp -@@ -254,7 +254,7 @@ Identifies the supported list of session key encryption types that - the client should request when making an AS\-REQ, in order of - preference from highest to lowest. The format is the same as for - default_tgs_enctypes. The default value for this tag is --\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly -+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP, but weak encryption types will be implicitly - removed from this list if the value of \fBallow_weak_crypto\fP is - false. - .sp -@@ -374,7 +374,7 @@ used across NATs. The default value is true. - \fBpermitted_enctypes\fP - Identifies all encryption types that are permitted for use in - session key encryption. The default value for this tag is --\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly -+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP, but weak encryption types will be implicitly - removed from this list if the value of \fBallow_weak_crypto\fP is - false. - .TP -diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm -index aad42a389..1aebdd0b4 100644 ---- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm -+++ b/src/windows/leash/htmlhelp/html/Encryption_Types.htm -@@ -79,18 +79,6 @@ will have an entry in the Encryption type column.
- Description - - -- des- -- The DES (Data Encryption Standard) --family is a symmetric block cipher. It was designed to handle only --56-bit keys which is not enough for modern computing power. It is now --considered to be weak encryption.
    --
  • des-cbc-crc (weak)
    • --
  • des-cbc-md5 (weak)
    • --
  • des-cbc-md4 (weak)
    • -- --
-- -- - des3- - The triple DES family improves on - the original DES (Data Encryption Standard) by using 3 separate 56-bit -@@ -106,7 +94,7 @@ keys. Some modes of 3DES are considered weak while others are strong - - aes - The AES Advanced Encryption Standard --family, like DES and 3DES, is a symmetric block cipher and was designed -+family, like 3DES, is a symmetric block cipher and was designed - to replace them. It can use multiple key sizes. Kerberos specifies use - for 256-bit and 128-bit keys. -
    diff --git a/Remove-the-v4-and-afs3-salt-types.patch b/Remove-the-v4-and-afs3-salt-types.patch deleted file mode 100644 index e135f2e..0000000 --- a/Remove-the-v4-and-afs3-salt-types.patch +++ /dev/null @@ -1,509 +0,0 @@ -From 111e528c68393435be41f71f22f41b7a04ccad1e Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 24 May 2019 13:11:44 -0400 -Subject: [PATCH] Remove the v4 and afs3 salt types - -In preparation for removing single-DES support, remove the v4 and afs3 -salt types. The afs3 salt type could only be used with single-DES -keys, and the v4 salt type was only useful for single-DES keys from -krb4 databases. - -[ghudson@mit.edu: wrote commit message] - -ticket: 8808 -(cherry picked from commit e0a35ff48c09a26ebb9aefd7e98855a84574b8be) -[rharwood@redhat.com: release version conflict in man pages] ---- - doc/admin/conf_files/kdc_conf.rst | 2 - - src/include/kdb.h | 4 +- - src/kadmin/testing/proto/kdc.conf.proto | 2 +- - src/kdc/kdc_preauth.c | 40 +++++-------------- - .../api.current/chpass-principal-v2.exp | 8 ++-- - .../api.current/get-principal-v2.exp | 4 +- - src/lib/kdb/kdb5.c | 4 -- - src/lib/kdb/kdb_cpw.c | 16 +------- - src/lib/krb5/krb/str_conv.c | 2 - - src/lib/krb5/krb/t_get_etype_info.py | 7 ---- - src/man/kdc.conf.man | 14 +------ - src/tests/dejagnu/config/default.exp | 17 -------- - src/tests/t_etype_info.py | 24 +---------- - src/tests/t_keytab.py | 5 --- - src/tests/t_renprinc.py | 2 +- - src/tests/t_salt.py | 26 +----------- - src/util/k5test.py | 11 ----- - 17 files changed, 24 insertions(+), 164 deletions(-) - -diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst -index 72f002d4d..7fbc8eb79 100644 ---- a/doc/admin/conf_files/kdc_conf.rst -+++ b/doc/admin/conf_files/kdc_conf.rst -@@ -919,10 +919,8 @@ follows: - - ================= ============================================ - normal default for Kerberos Version 5 --v4 the only type used by Kerberos Version 4 (no salt) - norealm same as the default, without using realm information - onlyrealm uses only realm information as the salt --afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS - special generate a random salt - ================= ============================================ - -diff --git a/src/include/kdb.h b/src/include/kdb.h -index 9812a35e6..7749cfc99 100644 ---- a/src/include/kdb.h -+++ b/src/include/kdb.h -@@ -73,11 +73,11 @@ - - /* Salt types */ - #define KRB5_KDB_SALTTYPE_NORMAL 0 --#define KRB5_KDB_SALTTYPE_V4 1 -+/* #define KRB5_KDB_SALTTYPE_V4 1 */ - #define KRB5_KDB_SALTTYPE_NOREALM 2 - #define KRB5_KDB_SALTTYPE_ONLYREALM 3 - #define KRB5_KDB_SALTTYPE_SPECIAL 4 --#define KRB5_KDB_SALTTYPE_AFS3 5 -+/* #define KRB5_KDB_SALTTYPE_AFS3 5 */ - #define KRB5_KDB_SALTTYPE_CERTHASH 6 - - /* Attributes */ -diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto -index 61283ac77..45df78b91 100644 ---- a/src/kadmin/testing/proto/kdc.conf.proto -+++ b/src/kadmin/testing/proto/kdc.conf.proto -@@ -12,5 +12,5 @@ - kadmind_port = 1751 - kpasswd_port = 1752 - master_key_type = des3-hmac-sha1 -- supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal des-cbc-raw:normal -+ supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal - } -diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c -index caf133c14..508a5cf89 100644 ---- a/src/kdc/kdc_preauth.c -+++ b/src/kdc/kdc_preauth.c -@@ -781,8 +781,8 @@ add_etype_info(krb5_context context, krb5_kdcpreauth_rock rock, - return add_pa_data_element(pa_list, pa); - } - --/* Add PW-SALT or AFS3-SALT entries to pa_list as appropriate for the request -- * and client principal. */ -+/* Add PW-SALT entries to pa_list as appropriate for the request and client -+ * principal. */ - static krb5_error_code - add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock, - krb5_pa_data ***pa_list) -@@ -801,21 +801,13 @@ add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock, - if (ret) - return 0; - -- if (salttype == KRB5_KDB_SALTTYPE_AFS3) { -- ret = alloc_pa_data(KRB5_PADATA_AFS3_SALT, salt->length + 1, &pa); -- if (ret) -- goto cleanup; -- memcpy(pa->contents, salt->data, salt->length); -- pa->contents[salt->length] = '\0'; -- } else { -- /* Steal memory from salt to make the pa-data entry. */ -- ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa); -- if (ret) -- goto cleanup; -- pa->length = salt->length; -- pa->contents = (uint8_t *)salt->data; -- salt->data = NULL; -- } -+ /* Steal memory from salt to make the pa-data entry. */ -+ ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa); -+ if (ret) -+ goto cleanup; -+ pa->length = salt->length; -+ pa->contents = (uint8_t *)salt->data; -+ salt->data = NULL; - - /* add_pa_data_element() claims pa on success or failure. */ - ret = add_pa_data_element(pa_list, pa); -@@ -1545,20 +1537,6 @@ _make_etype_info_entry(krb5_context context, - &salttype, &salt); - if (retval) - goto cleanup; -- if (etype_info2 && salttype == KRB5_KDB_SALTTYPE_AFS3) { -- switch (etype) { -- case ENCTYPE_DES_CBC_CRC: -- case ENCTYPE_DES_CBC_MD4: -- case ENCTYPE_DES_CBC_MD5: -- retval = alloc_data(&entry->s2kparams, 1); -- if (retval) -- goto cleanup; -- entry->s2kparams.data[0] = 1; -- break; -- default: -- break; -- } -- } - - entry->length = salt->length; - entry->salt = (unsigned char *)salt->data; -diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -index 8361fb085..db899a1dc 100644 ---- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -@@ -18,8 +18,8 @@ proc test200 {} { - - # I'd like to specify a long list of keysalt tuples and make sure - # that chpass does the right thing, but we can only use those -- # enctypes that krbtgt has a key for: des-cbc-crc:normal and -- # des-cbc-crc:v4, according to the prototype kdc.conf. -+ # enctypes that krbtgt has a key for: des-cbc-crc:normal -+ # according to the prototype kdc.conf. - if {! [cmd [format { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ -@@ -53,10 +53,10 @@ proc test200 {} { - } - - # XXX Perhaps I should actually check the key type returned. -- if {$num_keys == 3} { -+ if {$num_keys == 2} { - pass "$test" - } else { -- fail "$test: $num_keys keys, should be 3" -+ fail "$test: $num_keys keys, should be 2" - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" -diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -index 86c45f49e..8526897ed 100644 ---- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -@@ -143,8 +143,8 @@ proc test101_102 {rpc} { - } - - set failed 0 -- if {$num_keys != 3} { -- fail "$test: num_keys $num_keys should be 3" -+ if {$num_keys != 2} { -+ fail "$test: num_keys $num_keys should be 2" - set failed 1 - } - for {set i 0} {$i < $num_keys} {incr i} { -diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c -index da5332217..b81a44312 100644 ---- a/src/lib/kdb/kdb5.c -+++ b/src/lib/kdb/kdb5.c -@@ -2312,15 +2312,11 @@ krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key, - if (retval) - return retval; - break; -- case KRB5_KDB_SALTTYPE_V4: -- sdata = empty_data(); -- break; - case KRB5_KDB_SALTTYPE_NOREALM: - retval = krb5_principal2salt_norealm(context, princ, &sdata); - if (retval) - return retval; - break; -- case KRB5_KDB_SALTTYPE_AFS3: - case KRB5_KDB_SALTTYPE_ONLYREALM: - return krb5_copy_data(context, &princ->realm, salt_out); - case KRB5_KDB_SALTTYPE_SPECIAL: -diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c -index 03efc28ed..450860f47 100644 ---- a/src/lib/kdb/kdb_cpw.c -+++ b/src/lib/kdb/kdb_cpw.c -@@ -260,7 +260,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, - krb5_keysalt key_salt; - krb5_keyblock key; - krb5_data pwd; -- krb5_data afs_params = string2data("\1"), *s2k_params; - int i, j; - krb5_key_data *kd_slot; - -@@ -268,7 +267,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, - krb5_boolean similar; - - similar = 0; -- s2k_params = NULL; - - /* - * We could use krb5_keysalt_iterate to replace this loop, or use -@@ -316,18 +314,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, - &key_salt.data))) - return(retval); - break; -- case KRB5_KDB_SALTTYPE_V4: -- key_salt.data.length = 0; -- key_salt.data.data = 0; -- break; -- case KRB5_KDB_SALTTYPE_AFS3: -- retval = krb5int_copy_data_contents(context, -- &db_entry->princ->realm, -- &key_salt.data); -- if (retval) -- return retval; -- s2k_params = &afs_params; -- break; - case KRB5_KDB_SALTTYPE_SPECIAL: - retval = make_random_salt(context, &key_salt); - if (retval) -@@ -342,7 +328,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, - retval = krb5_c_string_to_key_with_params(context, - ks_tuple[i].ks_enctype, - &pwd, &key_salt.data, -- s2k_params, &key); -+ NULL, &key); - if (retval) { - free(key_salt.data.data); - return retval; -diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c -index 3d057241b..c8421a8c1 100644 ---- a/src/lib/krb5/krb/str_conv.c -+++ b/src/lib/krb5/krb/str_conv.c -@@ -61,11 +61,9 @@ struct salttype_lookup_entry { - #include "kdb.h" - static const struct salttype_lookup_entry salttype_table[] = { - { KRB5_KDB_SALTTYPE_NORMAL, "normal" }, -- { KRB5_KDB_SALTTYPE_V4, "v4", }, - { KRB5_KDB_SALTTYPE_NOREALM, "norealm", }, - { KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", }, - { KRB5_KDB_SALTTYPE_SPECIAL, "special", }, -- { KRB5_KDB_SALTTYPE_AFS3, "afs3", }, - }; - static const int salttype_table_nents = sizeof(salttype_table)/ - sizeof(salttype_table[0]); -diff --git a/src/lib/krb5/krb/t_get_etype_info.py b/src/lib/krb5/krb/t_get_etype_info.py -index 7c400be86..3c9168591 100644 ---- a/src/lib/krb5/krb/t_get_etype_info.py -+++ b/src/lib/krb5/krb/t_get_etype_info.py -@@ -9,9 +9,6 @@ realm.run([kadminl, 'ank', '-nokey', '+preauth', 'pnokey']) - realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp']) - realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth', - 'pexp']) --realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs']) --realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth', -- 'pafs']) - - # Extract the explicit salt values from the database. - out = realm.run([kdb5_util, 'tabdump', 'keyinfo']) -@@ -56,8 +53,4 @@ realm.run(['./t_get_etype_info', 'exp'], - realm.run(['./t_get_etype_info', 'pexp'], - expected_msg='etype: aes256-cts\nsalt: ' + pexp_salt + '\n') - --msg = 'etype: des-cbc-crc\nsalt: KRBTEST.COM\ns2kparams: 01\n' --realm.run(['./t_get_etype_info', 'afs'], expected_msg=msg) --realm.run(['./t_get_etype_info', 'pafs'], expected_msg=msg) -- - success('krb5_get_etype_info() tests') -diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man -index 959f00de5..fd4dbb2e2 100644 ---- a/src/man/kdc.conf.man -+++ b/src/man/kdc.conf.man -@@ -1,6 +1,6 @@ - .\" Man page generated from reStructuredText. - . --.TH "KDC.CONF" "5" " " "1.17.1" "MIT Kerberos" -+.TH "KDC.CONF" "5" " " "1.18" "MIT Kerberos" - .SH NAME - kdc.conf \- Kerberos V5 KDC configuration file - . -@@ -1149,12 +1149,6 @@ default for Kerberos Version 5 - T} - _ - T{ --v4 --T} T{ --the only type used by Kerberos Version 4 (no salt) --T} --_ --T{ - norealm - T} T{ - same as the default, without using realm information -@@ -1167,12 +1161,6 @@ uses only realm information as the salt - T} - _ - T{ --afs3 --T} T{ --AFS version 3, only used for compatibility with Kerberos 4 in AFS --T} --_ --T{ - special - T} T{ - generate a random salt -diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp -index ea9bedd45..c061d764e 100644 ---- a/src/tests/dejagnu/config/default.exp -+++ b/src/tests/dejagnu/config/default.exp -@@ -238,22 +238,6 @@ set passes { - {master_key_type=aes256-cts-hmac-sha1-96} - {dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]} - } -- { -- des-v4 -- mode=udp -- des3_krbtgt=0 -- {supported_enctypes=des-cbc-crc:v4} -- {default_tkt_enctypes(client)=des-cbc-crc} -- {dummy=[verbose -log "DES TGT, DES-CRC enctype, V4 salt"]} -- } -- { -- des-md5-v4 -- mode=udp -- des3_krbtgt=0 -- {supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4} -- {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-crc} -- {dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]} -- } - { - all-enctypes - mode=udp -@@ -356,7 +340,6 @@ set unused_passes { - aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \ - des3-cbc-sha1:normal des3-cbc-sha1:none \ - des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \ -- des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \ - } - {dummy=[verbose -log "DES3 TGT, default enctypes"]} - } -diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py -index 2026e7876..c21d054f1 100644 ---- a/src/tests/t_etype_info.py -+++ b/src/tests/t_etype_info.py -@@ -1,6 +1,6 @@ - from k5test import * - --supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-crc:afs3' -+supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' - conf = {'libdefaults': {'allow_weak_crypto': 'true'}, - 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} - realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) -@@ -43,28 +43,6 @@ test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc', - test_etinfo('preauthuser', 'rc4 aes256-cts', - ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser']) - --# AFS3 salt for DES enctypes is conveyed using s2kparams in --# PA-ETYPE-INFO2, not at all in PA-ETYPE-INFO, and with a special padata --# type instead of PA-PW-SALT. --test_etinfo('user', 'des-cbc-crc rc4', -- ['asrep etype_info2 des-cbc-crc KRBTEST.COM 01', -- 'asrep etype_info des-cbc-crc KRBTEST.COM', -- 'asrep afs3_salt KRBTEST.COM']) --test_etinfo('preauthuser', 'des-cbc-crc rc4', -- ['error etype_info2 des-cbc-crc KRBTEST.COM 01', -- 'error etype_info des-cbc-crc KRBTEST.COM']) -- --# DES keys can be used with other DES enctypes. The requested enctype --# shows up in the etype-info, not the database key enctype. --test_etinfo('user', 'des-cbc-md4 rc4', -- ['asrep etype_info2 des-cbc-md4 KRBTEST.COM 01', -- 'asrep etype_info des-cbc-md4 KRBTEST.COM', -- 'asrep afs3_salt KRBTEST.COM']) --test_etinfo('user', 'des-cbc-md5 rc4', -- ['asrep etype_info2 des KRBTEST.COM 01', -- 'asrep etype_info des KRBTEST.COM', -- 'asrep afs3_salt KRBTEST.COM']) -- - # If no keys are found matching the request enctypes, a - # preauth-required error can be generated with no etype-info at all - # (to allow for preauth mechs which don't depend on long-term keys). -diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py -index 72e09daac..633f7c7ef 100755 ---- a/src/tests/t_keytab.py -+++ b/src/tests/t_keytab.py -@@ -155,9 +155,6 @@ realm.run([kadminl, 'ank', '-pw', 'pw', 'default']) - realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp']) - realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth', - 'pexp']) --realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs']) --realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth', -- 'pafs']) - - # Extract one of the explicit salt values from the database. - out = realm.run([kdb5_util, 'tabdump', 'keyinfo']) -@@ -187,8 +184,6 @@ test_addent(realm, 'default', '-f') - test_addent(realm, 'default', '-f -e aes128-cts') - test_addent(realm, 'exp', '-f') - test_addent(realm, 'pexp', '-f') --test_addent(realm, 'afs', '-f') --test_addent(realm, 'pafs', '-f') - - success('Keytab-related tests') - success('Keytab-related tests') -diff --git a/src/tests/t_renprinc.py b/src/tests/t_renprinc.py -index 46cbed441..3dbb3e77e 100755 ---- a/src/tests/t_renprinc.py -+++ b/src/tests/t_renprinc.py -@@ -25,7 +25,7 @@ from k5test import * - enctype = "aes128-cts" - - realm = K5Realm(create_host=False, create_user=False) --salttypes = ('normal', 'v4', 'norealm', 'onlyrealm') -+salttypes = ('normal', 'norealm', 'onlyrealm') - - # For a variety of salt types, test that we can rename a principal and - # still get tickets with the same password. -diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py -index 278911a22..008efcb03 100755 ---- a/src/tests/t_salt.py -+++ b/src/tests/t_salt.py -@@ -15,13 +15,9 @@ def test_salt(realm, e1, salt, e2): - realm.run([kadminl, 'delprinc', 'user']) - - # Enctype/salt pairs chosen with non-default salt types. --# The enctypes are mostly arbitrary, though afs3 must only be used with des. --# We do not enforce that v4 salts must only be used with des, but it seems --# like a good idea. --salts = [('des-cbc-crc', 'afs3'), -- ('des3-cbc-sha1', 'norealm'), -+# The enctypes are mostly arbitrary. -+salts = [('des3-cbc-sha1', 'norealm'), - ('arcfour-hmac', 'onlyrealm'), -- ('des-cbc-crc', 'v4'), - ('aes128-cts-hmac-sha1-96', 'special')] - # These enctypes are chosen to cover the different string-to-key routines. - # Omit ":normal" from aes256 to check that salttype defaulting works. -@@ -56,22 +52,4 @@ dup_kstypes = ['arcfour-hmac-md5:normal,rc4-hmac:normal', - for ks in dup_kstypes: - test_dup(realm, ks) - --# Attempt to create a principal with a non-des enctype and the afs3 salt, --# verifying that the expected error is received and the principal creation --# fails. --def test_reject_afs3(realm, etype): -- query = 'ank -e ' + etype + ':afs3 -pw password princ1' -- realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password', -- 'princ1'], expected_code=1, -- expected_msg='Invalid key generation parameters from KDC') -- realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1, -- expected_msg='Principal does not exist') -- --# Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes. --# We do not currently do any verification on the key-generation parameters --# for the triple-DES enctypes, so that test is commented out. --test_reject_afs3(realm, 'arcfour-hmac') --test_reject_afs3(realm, 'aes256-cts-hmac-sha1-96') --#test_reject_afs3(realm, 'des3-cbc-sha1') -- - success("Salt types") -diff --git a/src/util/k5test.py b/src/util/k5test.py -index 3aec1ef92..b6d93f1d8 100644 ---- a/src/util/k5test.py -+++ b/src/util/k5test.py -@@ -1246,17 +1246,6 @@ _passes = [ - # No special settings; exercises AES256. - ('default', None, None, None), - -- # Exercise a DES enctype and the v4 salt type. -- ('desv4', None, -- {'libdefaults': { -- 'default_tgs_enctypes': 'des-cbc-crc', -- 'default_tkt_enctypes': 'des-cbc-crc', -- 'permitted_enctypes': 'des-cbc-crc', -- 'allow_weak_crypto': 'true'}}, -- {'realms': {'$realm': { -- 'supported_enctypes': 'des-cbc-crc:v4', -- 'master_key_type': 'des-cbc-crc'}}}), -- - # Exercise the DES3 enctype. - ('des3', None, - {'libdefaults': { diff --git a/Set-a-more-modern-default-ksu-CMD_PATH.patch b/Set-a-more-modern-default-ksu-CMD_PATH.patch deleted file mode 100644 index 47defd5..0000000 --- a/Set-a-more-modern-default-ksu-CMD_PATH.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 3d8b0bb1469295bd09f8ba81d3fb059a9ef372f2 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 23 Aug 2016 16:32:09 -0400 -Subject: [PATCH] Set a more modern default ksu CMD_PATH - -ksu uses CMD_PATH to expand command names in .k5users. Include the /usr -tree and .../sbin variants. Drop nonstandard /local. - -ticket: 8807 (new) -(cherry picked from commit 9eb937a6e1f740d323221813e5da096d30bd68de) ---- - src/clients/ksu/Makefile.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in -index 5755bb58a..9d58f29b5 100644 ---- a/src/clients/ksu/Makefile.in -+++ b/src/clients/ksu/Makefile.in -@@ -1,6 +1,6 @@ - mydir=clients$(S)ksu - BUILDTOP=$(REL)..$(S).. --DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' -+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' - - KSU_LIBS=@KSU_LIBS@ - PAM_LIBS=@PAM_LIBS@ diff --git a/Simplify-SAM-2-as_key-handling.patch b/Simplify-SAM-2-as_key-handling.patch deleted file mode 100644 index 1930a5d..0000000 --- a/Simplify-SAM-2-as_key-handling.patch +++ /dev/null @@ -1,76 +0,0 @@ -From f7fb525d762ba42f62f1044f07f38a243980a2ba Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sun, 5 May 2019 18:53:27 -0400 -Subject: [PATCH] Simplify SAM-2 as_key handling - -The ctx->gak_fct() call in sam2_process() used an empty salt instead -of the default salt when the KDC did not supply an explicit salt. -This bug arose when commit bc096a77ffdab283d77c2e0fc1fdd15b9f77eb41 -changed the internal contracts around salts but did not adjust the -SAM-2 code. Commit e9aa891fcdb4c08d39902ab89afb268042b60c86 fixed the -resulting bug, but mistakenly did not adjust the gak_fct call to use -the correct salt. - -Later on, the code contains a redundant call to krb5_c_string_to_key() -in the non-USE_SAD_AS_KEY modes, replacing ctx->as_key. This call was -properly adjusted by commit e9aa891fcdb4c08d39902ab89afb268042b60c86, -so the improper gak_fct call did not manifest as a bug. - -Fix the gak_fct call to supply the correct salt, and remove the -redundant string_to_key operation. - -(cherry picked from commit d48670c51460e9a74b4f4a9966f85ca6f77c1d8b) ---- - src/lib/krb5/krb/preauth_sam2.c | 25 +++---------------------- - 1 file changed, 3 insertions(+), 22 deletions(-) - -diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c -index 4c70021a9..c7484c47e 100644 ---- a/src/lib/krb5/krb/preauth_sam2.c -+++ b/src/lib/krb5/krb/preauth_sam2.c -@@ -95,7 +95,6 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata, - krb5_prompt kprompt; - krb5_prompt_type prompt_type; - krb5_data defsalt, *salt; -- struct gak_password *gakpw; - krb5_checksum **cksum; - krb5_data *scratch = NULL; - krb5_boolean valid_cksum = 0; -@@ -152,9 +151,8 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata, - - salt = ctx->default_salt ? NULL : &ctx->salt; - retval = ctx->gak_fct(context, request->client, sc2b->sam_etype, -- prompter, prompter_data, &ctx->salt, -- &ctx->s2kparams, &ctx->as_key, -- ctx->gak_data, ctx->rctx.items); -+ prompter, prompter_data, salt, &ctx->s2kparams, -+ &ctx->as_key, ctx->gak_data, ctx->rctx.items); - if (retval) { - krb5_free_sam_challenge_2(context, sc2); - krb5_free_sam_challenge_2_body(context, sc2b); -@@ -212,24 +210,7 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata, - - /* Get encryption key to be used for checksum and sam_response */ - if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) { -- /* as_key = string_to_key(password) */ -- -- if (ctx->as_key.length) { -- krb5_free_keyblock_contents(context, &ctx->as_key); -- ctx->as_key.length = 0; -- } -- -- /* generate a key using the supplied password */ -- gakpw = ctx->gak_data; -- retval = krb5_c_string_to_key(context, sc2b->sam_etype, -- gakpw->password, salt, &ctx->as_key); -- -- if (retval) { -- krb5_free_sam_challenge_2(context, sc2); -- krb5_free_sam_challenge_2_body(context, sc2b); -- if (defsalt.length) free(defsalt.data); -- return(retval); -- } -+ /* Retain as_key from above gak_fct call. */ - - if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) { - /* as_key = combine_key (as_key, string_to_key(SAD)) */ diff --git a/Simplify-krb5_dbe_def_search_enctype.patch b/Simplify-krb5_dbe_def_search_enctype.patch deleted file mode 100644 index aefeeed..0000000 --- a/Simplify-krb5_dbe_def_search_enctype.patch +++ /dev/null @@ -1,162 +0,0 @@ -From a7cd60bc97b4d9b171eddae391cf9ecd84c58d31 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 22 Aug 2019 16:19:12 -0400 -Subject: [PATCH] Simplify krb5_dbe_def_search_enctype() - -Key data is now sorted in descending kvno order (since commit -44ad57d8d38efc944f64536354435f5b721c0ee0) and key enctypes can be -compared with a simple equality test (since single-DES support was -removed in commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8). Use -these assumptions to simplify krb5_dbe_def_search_enctype(). - -The rewrite contains one probably-unnoticeable bugfix: if enctype, -salttype, and kvno are all given as -1 in a repeated search, yield all -key entries of permitted enctype, not just entries of the maximum -kvno. - -(cherry picked from commit fcfb0e47c995a7e9f956c3716be3175f44ad26e0) ---- - src/lib/kdb/kdb_default.c | 111 +++++++++++++++----------------------- - 1 file changed, 42 insertions(+), 69 deletions(-) - -diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c -index a1021f13a..231a0d8b4 100644 ---- a/src/lib/kdb/kdb_default.c -+++ b/src/lib/kdb/kdb_default.c -@@ -37,94 +37,67 @@ - - - /* -- * Given a particular enctype and optional salttype and kvno, find the -- * most appropriate krb5_key_data entry of the database entry. -- * -- * If stype or kvno is negative, it is ignored. -- * If kvno is 0 get the key which is maxkvno for the princ and matches -- * the other attributes. -+ * Set *kd_out to the key data entry matching kvno, enctype, and salttype. If -+ * any of those three parameters are -1, ignore them. If kvno is 0, match only -+ * the highest kvno. Begin searching at the index *start and set *start to the -+ * index after the match. Do not return keys of non-permitted enctypes; return -+ * KRB5_KDB_NO_PERMITTED_KEY if the whole list was searched and only -+ * non-permitted matches were found. - */ - krb5_error_code --krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) -- krb5_context kcontext; -- krb5_db_entry *dbentp; -- krb5_int32 *start; -- krb5_int32 ktype; -- krb5_int32 stype; -- krb5_int32 kvno; -- krb5_key_data **kdatap; -+krb5_dbe_def_search_enctype(krb5_context context, krb5_db_entry *ent, -+ krb5_int32 *start, krb5_int32 enctype, -+ krb5_int32 salttype, krb5_int32 kvno, -+ krb5_key_data **kd_out) - { -- int i, idx; -- int maxkvno; -- krb5_key_data *datap; -- krb5_error_code ret; -- krb5_boolean saw_non_permitted = FALSE; -+ krb5_key_data *kd; -+ krb5_int32 db_salttype; -+ krb5_boolean saw_non_permitted = FALSE; -+ int i; - -- ret = 0; -- if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) -+ *kd_out = NULL; -+ -+ if (enctype != -1 && !krb5_is_permitted_enctype(context, enctype)) - return KRB5_KDB_NO_PERMITTED_KEY; -+ if (ent->n_key_data == 0) -+ return KRB5_KDB_NO_MATCHING_KEY; - -- if (kvno == -1 && stype == -1 && ktype == -1) -- kvno = 0; -+ /* Match the highest kvno if kvno is 0. Key data is sorted in descending -+ * order of kvno. */ -+ if (kvno == 0) -+ kvno = ent->key_data[0].key_data_kvno; - -- if (kvno == 0) { -- /* Get the max key version */ -- for (i = 0; i < dbentp->n_key_data; i++) { -- if (kvno < dbentp->key_data[i].key_data_kvno) { -- kvno = dbentp->key_data[i].key_data_kvno; -- } -- } -- } -+ for (i = *start; i < ent->n_key_data; i++) { -+ kd = &ent->key_data[i]; -+ db_salttype = (kd->key_data_ver > 1) ? kd->key_data_type[1] : -+ KRB5_KDB_SALTTYPE_NORMAL; - -- maxkvno = -1; -- idx = -1; -- datap = (krb5_key_data *) NULL; -- for (i = *start; i < dbentp->n_key_data; i++) { -- krb5_boolean similar; -- krb5_int32 db_stype; -- -- ret = 0; -- if (dbentp->key_data[i].key_data_ver > 1) { -- db_stype = dbentp->key_data[i].key_data_type[1]; -- } else { -- db_stype = KRB5_KDB_SALTTYPE_NORMAL; -- } -- -- /* Match this entry against the arguments. */ -- if (ktype != -1) { -- ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, -- dbentp->key_data[i].key_data_type[0], -- &similar); -- if (ret != 0 || !similar) -- continue; -- } -- if (stype >= 0 && db_stype != stype) -+ /* Match this entry against the arguments. Stop searching if we have -+ * passed the entries for the requested kvno. */ -+ if (enctype != -1 && kd->key_data_type[0] != enctype) - continue; -- if (kvno >= 0 && dbentp->key_data[i].key_data_kvno != kvno) -+ if (salttype >= 0 && db_salttype != salttype) -+ continue; -+ if (kvno >= 0 && kd->key_data_kvno < kvno) -+ break; -+ if (kvno >= 0 && kd->key_data_kvno != kvno) - continue; - - /* Filter out non-permitted enctypes. */ -- if (!krb5_is_permitted_enctype(kcontext, -- dbentp->key_data[i].key_data_type[0])) { -+ if (!krb5_is_permitted_enctype(context, kd->key_data_type[0])) { - saw_non_permitted = TRUE; - continue; - } - -- if (dbentp->key_data[i].key_data_kvno > maxkvno) { -- maxkvno = dbentp->key_data[i].key_data_kvno; -- datap = &dbentp->key_data[i]; -- idx = i; -- } -+ *start = i + 1; -+ *kd_out = kd; -+ return 0; - } -+ - /* If we scanned the whole set of keys and matched only non-permitted - * enctypes, indicate that. */ -- if (maxkvno < 0 && *start == 0 && saw_non_permitted) -- ret = KRB5_KDB_NO_PERMITTED_KEY; -- if (maxkvno < 0) -- return ret ? ret : KRB5_KDB_NO_MATCHING_KEY; -- *kdatap = datap; -- *start = idx+1; -- return 0; -+ return (*start == 0 && saw_non_permitted) ? KRB5_KDB_NO_PERMITTED_KEY : -+ KRB5_KDB_NO_MATCHING_KEY; - } - - /* diff --git a/Simply-OpenSSL-PKCS7-decryption-code.patch b/Simply-OpenSSL-PKCS7-decryption-code.patch deleted file mode 100644 index 4190846..0000000 --- a/Simply-OpenSSL-PKCS7-decryption-code.patch +++ /dev/null @@ -1,301 +0,0 @@ -From db62fe97a56f8f8476e3202a492d1c3d784d52b2 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 6 May 2019 13:13:06 -0400 -Subject: [PATCH] Simply OpenSSL PKCS7 decryption code - -Fold pkcs7_decrypt() and pkcs7_dataDecode() into a single function, -and make it output the plaintext rather than a BIO. - -[ghudson@mit.edu: continued a modernization of pkcs7_dataDecode() into -a larger refactoring] - -(cherry picked from commit 210356653a2f963ffe9a8a1b1627c64fb8ca7a3d) ---- - .../preauth/pkinit/pkinit_crypto_openssl.c | 213 ++++++------------ - 1 file changed, 63 insertions(+), 150 deletions(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 5ff81d8cf..8aa2c5257 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -81,12 +81,8 @@ static int openssl_callback (int, X509_STORE_CTX *); - static int openssl_callback_ignore_crls (int, X509_STORE_CTX *); - - static int pkcs7_decrypt --(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, -- PKCS7 *p7, BIO *bio); -- --static BIO * pkcs7_dataDecode --(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, -- PKCS7 *p7); -+(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, PKCS7 *p7, -+ unsigned char **data_out, unsigned int *len_out); - - static ASN1_OBJECT * pkinit_pkcs7type2oid - (pkinit_plg_crypto_context plg_cryptoctx, int pkcs7_type); -@@ -1964,9 +1960,6 @@ cms_envelopeddata_verify(krb5_context context, - { - krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; - PKCS7 *p7 = NULL; -- BIO *out = NULL; -- int i = 0; -- unsigned int size = 0; - const unsigned char *p = enveloped_data; - unsigned int tmp_buf_len = 0, tmp_buf2_len = 0, vfy_buf_len = 0; - unsigned char *tmp_buf = NULL, *tmp_buf2 = NULL, *vfy_buf = NULL; -@@ -1991,26 +1984,13 @@ cms_envelopeddata_verify(krb5_context context, - } - - /* decrypt received PKCS7 message */ -- out = BIO_new(BIO_s_mem()); -- if (pkcs7_decrypt(context, id_cryptoctx, p7, out)) { -+ if (pkcs7_decrypt(context, id_cryptoctx, p7, &tmp_buf, &tmp_buf_len)) { - pkiDebug("PKCS7 decryption successful\n"); - } else { - retval = oerr(context, 0, _("Failed to decrypt PKCS7 message")); - goto cleanup; - } - -- /* transfer the decoded PKCS7 SignedData message into a separate buffer */ -- for (;;) { -- if ((tmp_buf = realloc(tmp_buf, size + 1024 * 10)) == NULL) -- goto cleanup; -- i = BIO_read(out, &(tmp_buf[size]), 1024 * 10); -- if (i <= 0) -- break; -- else -- size += i; -- } -- tmp_buf_len = size; -- - #ifdef DEBUG_ASN1 - print_buffer_bin(tmp_buf, tmp_buf_len, "/tmp/client_enc_keypack"); - #endif -@@ -2072,8 +2052,6 @@ cleanup: - - if (p7 != NULL) - PKCS7_free(p7); -- if (out != NULL) -- BIO_free(out); - free(tmp_buf); - free(tmp_buf2); - -@@ -5714,39 +5692,6 @@ cleanup: - return retval; - } - --static int --pkcs7_decrypt(krb5_context context, -- pkinit_identity_crypto_context id_cryptoctx, -- PKCS7 *p7, -- BIO *data) --{ -- BIO *tmpmem = NULL; -- int retval = 0, i = 0; -- char buf[4096]; -- -- if(p7 == NULL) -- return 0; -- -- if(!PKCS7_type_is_enveloped(p7)) { -- pkiDebug("wrong pkcs7 content type\n"); -- return 0; -- } -- -- if(!(tmpmem = pkcs7_dataDecode(context, id_cryptoctx, p7))) { -- pkiDebug("unable to decrypt pkcs7 object\n"); -- return 0; -- } -- -- for(;;) { -- i = BIO_read(tmpmem, buf, sizeof(buf)); -- if (i <= 0) break; -- BIO_write(data, buf, i); -- BIO_free_all(tmpmem); -- return 1; -- } -- return retval; --} -- - krb5_error_code - pkinit_process_td_trusted_certifiers( - krb5_context context, -@@ -5827,118 +5772,86 @@ cleanup: - return retval; - } - --static BIO * --pkcs7_dataDecode(krb5_context context, -- pkinit_identity_crypto_context id_cryptoctx, -- PKCS7 *p7) -+/* Originally based on OpenSSL's PKCS7_dataDecode(), now modified to remove the -+ * use of BIO objects and to fit the PKINIT internal interfaces. */ -+static int -+pkcs7_decrypt(krb5_context context, -+ pkinit_identity_crypto_context id_cryptoctx, PKCS7 *p7, -+ unsigned char **data_out, unsigned int *len_out) - { -- unsigned int eklen=0, tkeylen=0; -- BIO *out=NULL,*etmp=NULL,*bio=NULL; -- unsigned char *ek=NULL, *tkey=NULL; -- ASN1_OCTET_STRING *data_body=NULL; -- const EVP_CIPHER *evp_cipher=NULL; -- EVP_CIPHER_CTX *evp_ctx=NULL; -- X509_ALGOR *enc_alg=NULL; -- STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; -- PKCS7_RECIP_INFO *ri=NULL; -+ krb5_error_code ret; -+ int ok = 0, plaintext_len = 0, final_len; -+ unsigned int keylen = 0, eklen = 0, blocksize; -+ unsigned char *ek = NULL, *tkey = NULL, *plaintext = NULL, *use_key; -+ ASN1_OCTET_STRING *data_body = p7->d.enveloped->enc_data->enc_data; -+ const EVP_CIPHER *evp_cipher; -+ EVP_CIPHER_CTX *evp_ctx = NULL; -+ X509_ALGOR *enc_alg = p7->d.enveloped->enc_data->algorithm; -+ STACK_OF(PKCS7_RECIP_INFO) *rsk = p7->d.enveloped->recipientinfo; -+ PKCS7_RECIP_INFO *ri = NULL; - -- p7->state=PKCS7_S_HEADER; -+ *data_out = NULL; -+ *len_out = 0; - -- rsk=p7->d.enveloped->recipientinfo; -- enc_alg=p7->d.enveloped->enc_data->algorithm; -- data_body=p7->d.enveloped->enc_data->enc_data; -- evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); -- if (evp_cipher == NULL) { -- PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); -- goto cleanup; -- } -- -- if ((etmp=BIO_new(BIO_f_cipher())) == NULL) { -- PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB); -- goto cleanup; -- } -- -- /* It was encrypted, we need to decrypt the secret key -- * with the private key */ -+ p7->state = PKCS7_S_HEADER; - - /* RFC 4556 section 3.2.3.2 requires that there be exactly one - * recipientInfo. */ - if (sk_PKCS7_RECIP_INFO_num(rsk) != 1) { - pkiDebug("invalid number of EnvelopedData RecipientInfos\n"); -- goto cleanup; -+ return 0; - } -- - ri = sk_PKCS7_RECIP_INFO_value(rsk, 0); -- (void)pkinit_decode_data(context, id_cryptoctx, -- ASN1_STRING_get0_data(ri->enc_key), -- ASN1_STRING_length(ri->enc_key), &ek, &eklen); - -- evp_ctx=NULL; -- BIO_get_cipher_ctx(etmp,&evp_ctx); -- if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0) -+ evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); -+ if (evp_cipher == NULL) - goto cleanup; -- if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) -+ keylen = EVP_CIPHER_key_length(evp_cipher); -+ blocksize = EVP_CIPHER_block_size(evp_cipher); -+ -+ evp_ctx = EVP_CIPHER_CTX_new(); -+ if (evp_ctx == NULL) -+ goto cleanup; -+ if (!EVP_DecryptInit(evp_ctx, evp_cipher, NULL, NULL) || -+ EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) <= 0) - goto cleanup; - - /* Generate a random symmetric key to avoid exposing timing data if RSA - * decryption fails the padding check. */ -- tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx); -- tkey = OPENSSL_malloc(tkeylen); -- if (tkey == NULL) -- goto cleanup; -- if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0) -- goto cleanup; -- if (ek == NULL) { -- ek = tkey; -- eklen = tkeylen; -- tkey = NULL; -- } -- -- if (eklen != (unsigned)EVP_CIPHER_CTX_key_length(evp_ctx)) { -- /* Some S/MIME clients don't use the same key -- * and effective key length. The key length is -- * determined by the size of the decrypted RSA key. -- */ -- if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, (int)eklen)) { -- ek = tkey; -- eklen = tkeylen; -- tkey = NULL; -- } -- } -- if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0) -+ tkey = malloc(keylen); -+ if (tkey == NULL || !EVP_CIPHER_CTX_rand_key(evp_ctx, tkey)) - goto cleanup; - -- if (out == NULL) -- out=etmp; -- else -- BIO_push(out,etmp); -- etmp=NULL; -+ /* Decrypt the secret key with the private key. */ -+ ret = pkinit_decode_data(context, id_cryptoctx, -+ ASN1_STRING_get0_data(ri->enc_key), -+ ASN1_STRING_length(ri->enc_key), &ek, &eklen); -+ use_key = (ret || eklen != keylen) ? tkey : ek; - -- if (data_body->length > 0) -- bio = BIO_new_mem_buf(data_body->data, data_body->length); -- else { -- bio=BIO_new(BIO_s_mem()); -- BIO_set_mem_eof_return(bio,0); -- } -- BIO_push(out,bio); -- bio=NULL; -+ /* Allocate a plaintext buffer and decrypt data_body into it. */ -+ plaintext = malloc(data_body->length + blocksize); -+ if (plaintext == NULL) -+ goto cleanup; -+ if (!EVP_DecryptInit(evp_ctx, NULL, use_key, NULL)) -+ goto cleanup; -+ if (!EVP_DecryptUpdate(evp_ctx, plaintext, &plaintext_len, -+ data_body->data, data_body->length)) -+ goto cleanup; -+ if (!EVP_DecryptFinal(evp_ctx, plaintext + plaintext_len, &final_len)) -+ goto cleanup; -+ plaintext_len += final_len; - -- if (0) { -- cleanup: -- if (out != NULL) BIO_free_all(out); -- if (etmp != NULL) BIO_free_all(etmp); -- if (bio != NULL) BIO_free_all(bio); -- out=NULL; -- } -- if (ek != NULL) { -- OPENSSL_cleanse(ek, eklen); -- OPENSSL_free(ek); -- } -- if (tkey != NULL) { -- OPENSSL_cleanse(tkey, tkeylen); -- OPENSSL_free(tkey); -- } -- return(out); -+ *len_out = plaintext_len; -+ *data_out = plaintext; -+ plaintext = NULL; -+ ok = 1; -+ -+cleanup: -+ EVP_CIPHER_CTX_free(evp_ctx); -+ zapfree(plaintext, plaintext_len); -+ zapfree(ek, eklen); -+ zapfree(tkey, keylen); -+ return ok; - } - - #ifdef DEBUG_DH diff --git a/Skip-URI-tests-when-using-asan.patch b/Skip-URI-tests-when-using-asan.patch deleted file mode 100644 index 05d68db..0000000 --- a/Skip-URI-tests-when-using-asan.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c58dbf05938b57a729d1b3811424866296f11998 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Sat, 3 Aug 2019 13:30:28 -0400 -Subject: [PATCH] Skip URI tests when using asan - -resolve_wrapper uses RTLD_DEEPBIND to load libresolv, triggering a -failure in the asan runtime. - -(cherry picked from commit dbcec74b277952adf6e49d087932d2d0ea5393d1) ---- - src/lib/krb5/os/Makefile.in | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in -index 91b0486b8..f523a5ac8 100644 ---- a/src/lib/krb5/os/Makefile.in -+++ b/src/lib/krb5/os/Makefile.in -@@ -232,12 +232,16 @@ check-unix-locate: t_locate_kdc - echo 'Skipped t_locate_kdc test: OFFLINE' >> $(SKIPTESTS); \ - fi - -+ASAN = @ASAN@ - check-unix-uri: t_locate_kdc -- if [ $(HAVE_RESOLV_WRAPPER) = 1 ]; then \ -- $(RUNPYTEST) $(srcdir)/t_discover_uri.py $(PYTESTFLAGS); \ -- else \ -+ if [ $(HAVE_RESOLV_WRAPPER) = 0 ]; then \ - echo '*** WARNING: skipped t_discover_uri.py due to not using resolv_wrapper'; \ - echo 'Skipped URI discovery tests: resolv_wrapper 1.1.5 not found' >> $(SKIPTESTS); \ -+ elif [ $(ASAN) = yes ]; then \ -+ echo '*** Skipping URI discovery tests: resolv_wrapper is incompatible with asan'; \ -+ echo 'Skipped URI discovery tests: incompatible with asan' >> $(SKIPTESTS); \ -+ else \ -+ $(RUNPYTEST) $(srcdir)/t_discover_uri.py $(PYTESTFLAGS); \ - fi - - check-unix-trace: t_trace diff --git a/Squash-apparent-forward-null-in-clnttcp_create.patch b/Squash-apparent-forward-null-in-clnttcp_create.patch deleted file mode 100644 index fe55a52..0000000 --- a/Squash-apparent-forward-null-in-clnttcp_create.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 566fa44c8f53b3c558791bef29d01fb6a02ff559 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 30 Aug 2019 11:16:58 -0400 -Subject: [PATCH] Squash apparent forward-null in clnttcp_create() - -clnttcp_create() only allows raddr to be NULL if *sockp is set. -Static analyzers cannot know this, so can report a forward null -defect. Add an raddr check before calling connect() to squash the -defect. - -[ghudson@mit.edu: rewrote commit message] - -(cherry picked from commit b2f688eedd4bcca525201ef9485749a8c20b808a) ---- - src/lib/rpc/clnt_tcp.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c -index 87761906c..dbd62d0a7 100644 ---- a/src/lib/rpc/clnt_tcp.c -+++ b/src/lib/rpc/clnt_tcp.c -@@ -168,9 +168,9 @@ clnttcp_create( - if (*sockp < 0) { - *sockp = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - (void)bindresvport_sa(*sockp, NULL); -- if ((*sockp < 0) -- || (connect(*sockp, (struct sockaddr *)raddr, -- sizeof(*raddr)) < 0)) { -+ if (*sockp < 0 || raddr == NULL || -+ connect(*sockp, (struct sockaddr *)raddr, -+ sizeof(*raddr)) < 0) { - rpc_createerr.cf_stat = RPC_SYSTEMERROR; - rpc_createerr.cf_error.re_errno = errno; - (void)closesocket(*sockp); diff --git a/Support-389ds-s-lockout-model.patch b/Support-389ds-s-lockout-model.patch deleted file mode 100644 index b8f4d02..0000000 --- a/Support-389ds-s-lockout-model.patch +++ /dev/null @@ -1,63 +0,0 @@ -From a9c73bc1078dc6287a3838220ef1bd435273506e Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 23 Aug 2016 16:47:44 -0400 -Subject: [PATCH] Support 389ds's lockout model - -Handle the attribute 'nsAccountLock' from Netscape derivatives. Based -on a patch by Nalin Dahyabhai and Simo Sorce. - -ticket: 5891 -(cherry picked from commit 6ad061e24eca41a61eebed61db39768bfa51a084) ---- - src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 18 ++++++++++++++++++ - .../kdb/ldap/libkdb_ldap/ldap_principal.c | 1 + - 2 files changed, 19 insertions(+) - -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -index 5b9d1e9fa..2ade63719 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -@@ -1420,6 +1420,7 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, - struct berval **ber_key_data = NULL, **ber_tl_data = NULL; - krb5_tl_data userinfo_tl_data = { NULL }, **endp, *tl; - osa_princ_ent_rec princ_ent; -+ char *is_login_disabled = NULL; - - memset(&princ_ent, 0, sizeof(princ_ent)); - -@@ -1653,6 +1654,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, - if (ret) - goto cleanup; - -+ /* -+ * 389ds and other Netscape directory server derivatives support an -+ * attribute "nsAccountLock" which functions similarly to eDirectory's -+ * "loginDisabled". When the user's account object is also a -+ * krbPrincipalAux object, the kdb entry should be treated as if -+ * DISALLOW_ALL_TIX has been set. -+ */ -+ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled, -+ &attr_present); -+ if (ret) -+ goto cleanup; -+ if (attr_present == TRUE) { -+ if (strcasecmp(is_login_disabled, "TRUE") == 0) -+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; -+ free(is_login_disabled); -+ } -+ - ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname); - if (ret) - goto cleanup; -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -index d722dbfa6..a5180c73f 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -@@ -54,6 +54,7 @@ char *principal_attributes[] = { "krbprincipalname", - "krbLastFailedAuth", - "krbLoginFailedCount", - "krbLastSuccessfulAuth", -+ "nsAccountLock", - "krbLastPwdChange", - "krbLastAdminUnlock", - "krbPrincipalAuthInd", diff --git a/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch b/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch deleted file mode 100644 index be73cc3..0000000 --- a/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 5e7c6ac2f9ee4dfe182f28c0801811910b63be1d Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 16 Apr 2019 14:16:39 -0400 -Subject: [PATCH] Update ASN.1 SAM tests to use a modern enctype - -(cherry picked from commit 3e94e53febc6d5636272f31ae9dba8e3babe9263) ---- - src/tests/asn.1/krb5_decode_test.c | 2 +- - src/tests/asn.1/ktest.c | 4 ++-- - src/tests/asn.1/reference_encode.out | 4 ++-- - src/tests/asn.1/trval_reference.out | 4 ++-- - 4 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c -index ee70fa4b9..cbd99ba63 100644 ---- a/src/tests/asn.1/krb5_decode_test.c -+++ b/src/tests/asn.1/krb5_decode_test.c -@@ -934,7 +934,7 @@ int main(argc, argv) - /* decode_sam_challenge_2_body */ - { - setup(krb5_sam_challenge_2_body,ktest_make_sample_sam_challenge_2_body); -- decode_run("sam_challenge_2_body","","30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 01",decode_krb5_sam_challenge_2_body,ktest_equal_sam_challenge_2_body,krb5_free_sam_challenge_2_body); -+ decode_run("sam_challenge_2_body","","30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 14",decode_krb5_sam_challenge_2_body,ktest_equal_sam_challenge_2_body,krb5_free_sam_challenge_2_body); - ktest_empty_sam_challenge_2_body(&ref); - - } -diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c -index 5bfdc5be2..6bf6e54ac 100644 ---- a/src/tests/asn.1/ktest.c -+++ b/src/tests/asn.1/ktest.c -@@ -507,7 +507,7 @@ ktest_make_sample_sam_challenge_2_body(krb5_sam_challenge_2_body *p) - krb5_data_parse(&p->sam_response_prompt, "response_prompt ipse"); - p->sam_pk_for_sad = empty_data(); - p->sam_nonce = 0x543210; -- p->sam_etype = ENCTYPE_DES_CBC_CRC; -+ p->sam_etype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; - } - - void -@@ -518,7 +518,7 @@ ktest_make_sample_sam_response_2(krb5_sam_response_2 *p) - p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */ - krb5_data_parse(&p->sam_track_id, "track data"); - krb5_data_parse(&p->sam_enc_nonce_or_sad.ciphertext, "nonce or sad"); -- p->sam_enc_nonce_or_sad.enctype = ENCTYPE_DES_CBC_CRC; -+ p->sam_enc_nonce_or_sad.enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; - p->sam_enc_nonce_or_sad.kvno = 3382; - p->sam_nonce = 0x543210; - } -diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out -index a76deead2..80b18a2fb 100644 ---- a/src/tests/asn.1/reference_encode.out -+++ b/src/tests/asn.1/reference_encode.out -@@ -49,8 +49,8 @@ encode_krb5_enc_data: 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 4 - encode_krb5_enc_data(MSB-set kvno): 30 26 A0 03 02 01 00 A1 06 02 04 FF 00 00 00 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 - encode_krb5_enc_data(kvno=-1): 30 23 A0 03 02 01 00 A1 03 02 01 FF A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 - encode_krb5_sam_challenge_2: 30 22 A0 0D 30 0B 04 09 63 68 61 6C 6C 65 6E 67 65 A1 11 30 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 --encode_krb5_sam_challenge_2_body: 30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 01 --encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 01 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10 -+encode_krb5_sam_challenge_2_body: 30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 14 -+encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 14 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10 - encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32 - encode_krb5_pa_for_user: 30 4B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 0A 1B 08 6B 72 62 35 64 61 74 61 - encode_krb5_pa_s4u_x509_user: 30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 -diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out -index e5c715924..432fdcebb 100644 ---- a/src/tests/asn.1/trval_reference.out -+++ b/src/tests/asn.1/trval_reference.out -@@ -1180,7 +1180,7 @@ encode_krb5_sam_challenge_2_body: - . [5] [Octet String] "challenge ipse" - . [6] [Octet String] "response_prompt ipse" - . [8] [Integer] 5517840 --. [9] [Integer] 1 -+. [9] [Integer] 20 - - encode_krb5_sam_response_2: - -@@ -1189,7 +1189,7 @@ encode_krb5_sam_response_2: - . [1] [Bit String] 0x80000000 - . [2] [Octet String] "track data" - . [3] [Sequence/Sequence Of] --. . [0] [Integer] 1 -+. . [0] [Integer] 20 - . . [1] [Integer] 3382 - . . [2] [Octet String] "nonce or sad" - . [4] [Integer] 5517840 diff --git a/Update-default-krb5kdc-mkey-manual-entry-enctype.patch b/Update-default-krb5kdc-mkey-manual-entry-enctype.patch deleted file mode 100644 index 7954dcb..0000000 --- a/Update-default-krb5kdc-mkey-manual-entry-enctype.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 04ce158f626a683d60914f464bac24a1bd5687e3 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Mon, 20 May 2019 16:52:57 -0400 -Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype - -Change from the legacy des-cbc-crc to the default for kdb5_util and -kadmind, which is currently aes256-cts-hmac-sha1-96. - -(cherry picked from commit 512f5cde625253cba1e6f87e037a00ef88178882) ---- - doc/admin/admin_commands/krb5kdc.rst | 2 +- - src/kdc/main.c | 2 +- - src/man/krb5kdc.man | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst -index 08d40cc0d..631a0de84 100644 ---- a/doc/admin/admin_commands/krb5kdc.rst -+++ b/doc/admin/admin_commands/krb5kdc.rst -@@ -41,7 +41,7 @@ LDAP database. - - The **-k** *keytype* option specifies the key type of the master key - to be entered manually as a password when **-m** is given; the default --is ``des-cbc-crc``. -+is |defmkey|. - - The **-M** *mkeyname* option specifies the principal name for the - master key in the database (usually ``K/M`` in the KDC's realm). -diff --git a/src/kdc/main.c b/src/kdc/main.c -index 60092a0df..04393772f 100644 ---- a/src/kdc/main.c -+++ b/src/kdc/main.c -@@ -777,7 +777,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv, - case 'm': /* manual type-in of master key */ - manual = TRUE; - if (menctype == ENCTYPE_UNKNOWN) -- menctype = ENCTYPE_DES_CBC_CRC; -+ menctype = DEFAULT_KDC_ENCTYPE; - break; - case 'M': /* master key name in DB */ - mkey_name = optarg; -diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man -index 9c9b816b3..100f371c4 100644 ---- a/src/man/krb5kdc.man -+++ b/src/man/krb5kdc.man -@@ -61,7 +61,7 @@ LDAP database. - .sp - The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key - to be entered manually as a password when \fB\-m\fP is given; the default --is \fBdes\-cbc\-crc\fP\&. -+is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. - .sp - The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the - master key in the database (usually \fBK/M\fP in the KDC\(aqs realm). diff --git a/Update-test-suite-cert-message-digest-to-sha256.patch b/Update-test-suite-cert-message-digest-to-sha256.patch deleted file mode 100644 index ec7c9df..0000000 --- a/Update-test-suite-cert-message-digest-to-sha256.patch +++ /dev/null @@ -1,638 +0,0 @@ -From 8c38e6a1cef9bee050e42f591a530d077bb11f17 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 12 Nov 2019 13:38:59 -0500 -Subject: [PATCH] Update test suite cert message digest to sha256 - -Certain openssl configurations (such as Debian testing) will fail out -the sha1 certificates with errors like "ssl.SSLError: [SSL: -CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3833)" or similar. Also update -the certs in question. - -(cherry picked from commit b1c258c6aab95198bdc340b86ca67cbd531464f8) ---- - src/tests/dejagnu/proxy-certs/ca.pem | 52 +++++----- - src/tests/dejagnu/proxy-certs/make-certs.sh | 2 +- - .../dejagnu/proxy-certs/proxy-badsig.pem | 96 +++++++++--------- - src/tests/dejagnu/proxy-certs/proxy-ideal.pem | 98 +++++++++---------- - .../dejagnu/proxy-certs/proxy-no-match.pem | 98 +++++++++---------- - src/tests/dejagnu/proxy-certs/proxy-san.pem | 98 +++++++++---------- - .../dejagnu/proxy-certs/proxy-subject.pem | 98 +++++++++---------- - 7 files changed, 271 insertions(+), 271 deletions(-) - -diff --git a/src/tests/dejagnu/proxy-certs/ca.pem b/src/tests/dejagnu/proxy-certs/ca.pem -index e0f8dc73c..ee24cba81 100644 ---- a/src/tests/dejagnu/proxy-certs/ca.pem -+++ b/src/tests/dejagnu/proxy-certs/ca.pem -@@ -1,28 +1,28 @@ - -----BEGIN CERTIFICATE----- --MIIEuzCCA6OgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx --FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG --A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww --KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x --NDA1MDIxOTA2MDhaFw0yNTA0MTQxOTA2MDhaMIGZMQswCQYDVQQGEwJVUzEWMBQG --A1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQK --EwNNSVQxIjAgBgNVBAsTGUluc2VjdXJlIEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNV --BAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkq --hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6 --zikHaMrVPjkjXPPUoCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJ --IkHtbYKdVsvw9b4INTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtq --fpAMOkf5TnS5GtqZFlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1Yd --pmlHBGfuwIRIJz5xNw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObS --g13QD/itrGoV2gtPzjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABo4IB --CjCCAQYwHQYDVR0OBBYEFHO5+DSYzq8rvQhUldyvn0y4AqlHMIHGBgNVHSMEgb4w --gbuAFHO5+DSYzq8rvQhUldyvn0y4AqlHoYGfpIGcMIGZMQswCQYDVQQGEwJVUzEW --MBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYD --VQQKEwNNSVQxIjAgBgNVBAsTGUluc2VjdXJlIEtlcmJlcm9zIHRlc3QgQ0ExLDAq --BgNVBAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsG --A1UdDwQEAwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAM --Mf4ptC6WoQBH3GoTfgBL0WlIeYeSFmLO7IaSjpK0FV6F/yF7iPFSXcpmu23m6USY --LRSxnAvxFTi+h1S5Za9O2Pjq88R9nHmesg4v8HJqOw4HpkDowYo2lumjIMfAutyR --MQUOujYJW1WyZ2PidN5M1exDeMgQN9nVjUCx/WKD9fnzOjOOR1Sc8Us2KpoyccIi --A+ABHubCvSO3cln0Sp7qjkssJScZtouzPu8FYiroTIR+1oSIKTpJiik1EptlsTea --L6fHTMHspFhZaiUJFHWTBAgn/dT+UkFntHdHGI6HWBThFVW05hKoarBA7N25W7FN --AHyfC0lKds4qFiBQkpdi -+MIIEuzCCA6OgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww -+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaMIGZMQswCQYDVQQGEwJVUzEWMBQG -+A1UECAwNTWFzc2FjaHVzZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQK -+DANNSVQxIjAgBgNVBAsMGUluc2VjdXJlIEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNV -+BAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkq -+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWK -+KayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9 -+uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTH -+EO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9 -+B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd -+3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABo4IB -+CjCCAQYwHQYDVR0OBBYEFPf/vJvFMCwrABeCC0sq7RGfYeIiMIHGBgNVHSMEgb4w -+gbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGfpIGcMIGZMQswCQYDVQQGEwJVUzEW -+MBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYD -+VQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJlIEtlcmJlcm9zIHRlc3QgQ0ExLDAq -+BgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsG -+A1UdDwQEAwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBz -+q/t9amz4ahTFNc0v69NZrfCBgo7DWBHxXuE0Gov2/RBPwP/+Efrd4+1Tl5fSv6We -+N/cttEUTTM3Z7wtof3mkSQwkozwWpaHXm31St+0FbTuHNpN4i0Uae5lsO8/pTz/L -+VqsVLjGGpkZKP831BO9oJJbwUASNc2dpLs94pojlSlSZzf/u/T+k0wltgZexnQpU -+5IrdPIqteB32ym2XjZWSCS29jL3zoZ/y8UAPIOR/Zi77wNCehOuBx2bzc/P6RNLa -+CuuPMhDu8PPYVB3rfJInmF5wT5jQ9YX4UUb0qYXDRff5/l26fEjLHQSrA/iMqdIW -+dsDwkqTcy1lOjcP3xOMq - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/proxy-certs/make-certs.sh b/src/tests/dejagnu/proxy-certs/make-certs.sh -index 24ef91bde..7a40e2b98 100755 ---- a/src/tests/dejagnu/proxy-certs/make-certs.sh -+++ b/src/tests/dejagnu/proxy-certs/make-certs.sh -@@ -25,7 +25,7 @@ private_key = $PWD/privkey.pem - default_days = $DAYS - x509_extensions = exts_proxy - policy = proxyname --default_md = sha1 -+default_md = sha256 - unique_subject = no - email_in_dn = no - -diff --git a/src/tests/dejagnu/proxy-certs/proxy-badsig.pem b/src/tests/dejagnu/proxy-certs/proxy-badsig.pem -index 2b31f7d6a..40001d974 100644 ---- a/src/tests/dejagnu/proxy-certs/proxy-badsig.pem -+++ b/src/tests/dejagnu/proxy-certs/proxy-badsig.pem -@@ -1,56 +1,56 @@ - -----BEGIN RSA PRIVATE KEY----- --MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU --oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I --NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ --FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x --Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP --zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo --Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM --/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS --XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR --4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o --TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt --6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm --vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL --tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB --ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn --e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+ --c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3 --P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG --Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6 --AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj --lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9 --RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6 --IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK --g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW --6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w= -+MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -+kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -+e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -+SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -+j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -+zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -+HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -+q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -+zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -+ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -+21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -+YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -+1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -+AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -+47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -+RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -+lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -+tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -+hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -+5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -+yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -+vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -+CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -+X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -+Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== - -----END RSA PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx --FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG --A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww --KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x --NDA1MDIxOTA2MDlaFw0yNTA0MTQxOTA2MDlaME8xCzAJBgNVBAYTAlVTMRYwFAYD --VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTESMBAGA1UE --AxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zud --npN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPUoCFpWS3eeI4aQFoj93L5 --MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4INTWqV9/DOODO7UowyMpp --mO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZFlrYgZKE8vTC8BxDKM7F --YhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5xNw6KIcCy3Q0NNoKnh00W --VwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtPzjQgNPfTrjsMvyOWAAFr --WVR3QLTxnnmXsqnXvwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFHO5+DSYzq8rvQhU --ldyvn0y4AqlHMIHGBgNVHSMEgb4wgbuAFHO5+DSYzq8rvQhUldyvn0y4AqlHoYGf --pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAG --A1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxIjAgBgNVBAsTGUluc2VjdXJl --IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v -+MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww -+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaME8xCzAJBgNVBAYTAlVTMRYwFAYD -+VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTESMBAGA1UE -+AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HC -+eTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Y -+b8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVg -+Ar49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs2 -+3snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3 -+ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRG -+GDy+ZCKmxf8Zu/8SwwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFPf/vJvFMCwrABeC -+C0sq7RGfYeIiMIHGBgNVHSMEgb4wgbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGf -+pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAG -+A1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJl -+IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v - dCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMFkG - A1UdEQRSMFCCFnByb3h5xaB1YmplY3TDhGx0w5FhbWWCE3Byb3h5U3ViamVjdEFs - dE5hbWWHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdDATBgNVHSUE --DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAfTctgFjQSaevBi64q7yh --GNsK3PqeNEALZz4pSXRbOwm0E4RpYIS7uqg1C4zJ5Zbd4V/dOX7q+T/iBS7gErzS --rj21jH3Ggc92TmXzcFxMDCxLV0hO8xFkqg3P4sslJESOHxvEMTTf5s893yUb8vJ/ --DCvZXXRoRwPot9MFozkmcQcaTNunREWFvn4i4JXcMCSAfWTd+/VkpVsy69u3tj68 --7G2/K5nalvZikutEC+DyfyBuvDAoxIYzCi3VtQxCalW28Q5hzWV21QsvKTP5QBsh --RaU2r0O58lZPPvrOrtWQBCudUgsnoraVLrjJshEQ4z/ZAAAAAAAAAAAAAAAAAAAA -+DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAsMRJnxdbnpm5VlCFwNyU -+8ra1wCjj+ZH0POVCM4iXQ77bV6UBpcqlaQUvR7R/H1Bt5t3Cp0ycN/dy+RcXtj+5 -+FA84bRM767rsakxTEwjOjWw6GiK6bGjBfQ4F6Q97ELmiM0OZgmW8D56UHZxrI+o7 -+QrKWBpFf1UA8n/BmupHBtyW3gudtJS9a71u6lBRydPFqJ4l8YxHckbgPFceSRbRj -+x7E2pQVQ0p2nvG/NVyuC+2L29p81KAsG3vPzwOOfr1Tnpl1/B4R0+XEIy33KHpbz -+Ceyitz6k16fOVNxMI59W2OACPTQ/s99kygh+cARRPfEUAAAAAAAAAAAAAAAAAAAA - AA== - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/proxy-certs/proxy-ideal.pem b/src/tests/dejagnu/proxy-certs/proxy-ideal.pem -index 4588f7d4e..3bb09dc94 100644 ---- a/src/tests/dejagnu/proxy-certs/proxy-ideal.pem -+++ b/src/tests/dejagnu/proxy-certs/proxy-ideal.pem -@@ -1,56 +1,56 @@ - -----BEGIN RSA PRIVATE KEY----- --MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU --oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I --NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ --FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x --Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP --zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo --Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM --/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS --XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR --4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o --TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt --6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm --vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL --tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB --ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn --e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+ --c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3 --P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG --Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6 --AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj --lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9 --RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6 --IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK --g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW --6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w= -+MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -+kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -+e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -+SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -+j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -+zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -+HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -+q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -+zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -+ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -+21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -+YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -+1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -+AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -+47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -+RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -+lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -+tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -+hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -+5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -+yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -+vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -+CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -+X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -+Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== - -----END RSA PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx --FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG --A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww --KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x --NDA1MDIxOTA2MDlaFw0yNTA0MTQxOTA2MDlaME8xCzAJBgNVBAYTAlVTMRYwFAYD --VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTESMBAGA1UE --AxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zud --npN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPUoCFpWS3eeI4aQFoj93L5 --MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4INTWqV9/DOODO7UowyMpp --mO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZFlrYgZKE8vTC8BxDKM7F --YhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5xNw6KIcCy3Q0NNoKnh00W --VwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtPzjQgNPfTrjsMvyOWAAFr --WVR3QLTxnnmXsqnXvwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFHO5+DSYzq8rvQhU --ldyvn0y4AqlHMIHGBgNVHSMEgb4wgbuAFHO5+DSYzq8rvQhUldyvn0y4AqlHoYGf --pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAG --A1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxIjAgBgNVBAsTGUluc2VjdXJl --IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v -+MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww -+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaME8xCzAJBgNVBAYTAlVTMRYwFAYD -+VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTESMBAGA1UE -+AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HC -+eTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Y -+b8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVg -+Ar49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs2 -+3snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3 -+ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRG -+GDy+ZCKmxf8Zu/8SwwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFPf/vJvFMCwrABeC -+C0sq7RGfYeIiMIHGBgNVHSMEgb4wgbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGf -+pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAG -+A1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJl -+IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v - dCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMFkG - A1UdEQRSMFCCFnByb3h5xaB1YmplY3TDhGx0w5FhbWWCE3Byb3h5U3ViamVjdEFs - dE5hbWWHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdDATBgNVHSUE --DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAfTctgFjQSaevBi64q7yh --GNsK3PqeNEALZz4pSXRbOwm0E4RpYIS7uqg1C4zJ5Zbd4V/dOX7q+T/iBS7gErzS --rj21jH3Ggc92TmXzcFxMDCxLV0hO8xFkqg3P4sslJESOHxvEMTTf5s893yUb8vJ/ --DCvZXXRoRwPot9MFozkmcQcaTNunREWFvn4i4JXcMCSAfWTd+/VkpVsy69u3tj68 --7G2/K5nalvZikutEC+DyfyBuvDAoxIYzCi3VtQxCalW28Q5hzWV21QsvKTP5QBsh --RaU2r0O58lZPPvrOrtWQBCudUgsnoraVLrjJshEQ4z/ZA9fVtX2ndCSIoyWpWk01 --gQ== -+DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAsMRJnxdbnpm5VlCFwNyU -+8ra1wCjj+ZH0POVCM4iXQ77bV6UBpcqlaQUvR7R/H1Bt5t3Cp0ycN/dy+RcXtj+5 -+FA84bRM767rsakxTEwjOjWw6GiK6bGjBfQ4F6Q97ELmiM0OZgmW8D56UHZxrI+o7 -+QrKWBpFf1UA8n/BmupHBtyW3gudtJS9a71u6lBRydPFqJ4l8YxHckbgPFceSRbRj -+x7E2pQVQ0p2nvG/NVyuC+2L29p81KAsG3vPzwOOfr1Tnpl1/B4R0+XEIy33KHpbz -+Ceyitz6k16fOVNxMI59W2OACPTQ/s99kygh+cARRPfEUPjDcJpS1gRZ6kDKRh6Np -+ig== - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/proxy-certs/proxy-no-match.pem b/src/tests/dejagnu/proxy-certs/proxy-no-match.pem -index a97c1c77b..7464e40db 100644 ---- a/src/tests/dejagnu/proxy-certs/proxy-no-match.pem -+++ b/src/tests/dejagnu/proxy-certs/proxy-no-match.pem -@@ -1,54 +1,54 @@ - -----BEGIN RSA PRIVATE KEY----- --MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU --oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I --NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ --FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x --Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP --zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo --Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM --/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS --XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR --4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o --TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt --6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm --vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL --tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB --ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn --e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+ --c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3 --P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG --Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6 --AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj --lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9 --RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6 --IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK --g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW --6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w= -+MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -+kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -+e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -+SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -+j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -+zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -+HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -+q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -+zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -+ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -+21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -+YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -+1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -+AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -+47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -+RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -+lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -+tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -+hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -+5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -+yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -+vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -+CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -+X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -+Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== - -----END RSA PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIEhzCCA2+gAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx --FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG --A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww --KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x --NDA1MDIxOTA2MDhaFw0yNTA0MTQxOTA2MDhaMFQxCzAJBgNVBAYTAlVTMRYwFAYD --VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTEXMBUGA1UE --AxMOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB --AQDXO52ek3wU/uIufW+CTJNKf9FDFfHXK3rOKQdoytU+OSNc89SgIWlZLd54jhpA --WiP3cvkzBkOZLE5+UECovBXYAwBpytic08kiQe1tgp1Wy/D1vgg1NapX38M44M7t --SjDIymmY7fn+lRdosv4CMeMvDX8SFDdli2p+kAw6R/lOdLka2pkWWtiBkoTy9MLw --HEMozsViFZjPuSn+0bdLw79FOc/s136HVh2maUcEZ+7AhEgnPnE3DoohwLLdDQ02 --gqeHTRZXAuZH7HXUEZKQyOJlmTAnkPRE5tKDXdAP+K2sahXaC0/ONCA099OuOwy/ --I5YAAWtZVHdAtPGeeZeyqde/AgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQUc7n4NJjO --ryu9CFSV3K+fTLgCqUcwgcYGA1UdIwSBvjCBu4AUc7n4NJjOryu9CFSV3K+fTLgC --qUehgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRz --MRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEiMCAGA1UECxMZSW5z --ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAxQjdGVzdCBzdWl0ZSBDQTsg -+MIIEhzCCA2+gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww -+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaMFQxCzAJBgNVBAYTAlVTMRYwFAYD -+VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTEXMBUGA1UE -+AwwOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -+AQDngcJ5NNR7XbumqMryvbw0YzDavbH6FYoprIfk2ao6qfCfNEeRkTlSORrND+H3 -+tLotnphvzDeYkTJfU91w0BEPDaZs48WTk325ecFvoBmiDuGH3Ax7/+D1rs+kpqd/ -+Dr19JWACvj1MUWIugq7JOAeIk4HtiA/RtMcQ7iUuq6w9AzXqVENJ2heDja50CHe4 -+Fj5AOzbeyctKIH72+3yC3qBeJphvcEE5az0Hc8qzfvg32Q4+yByP7yTJH8z6r5F8 -+rluKpLdx7+zG89XQqx6H//W4nGVtALA6IF3dMtYcuFb0XuvMRy/OfUx9yTfmzRcM -+NGUbFEYYPL5kIqbF/xm7/xLDAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU9/+8m8Uw -+LCsAF4ILSyrtEZ9h4iIwgcYGA1UdIwSBvjCBu4AU9/+8m8UwLCsAF4ILSyrtEZ9h -+4iKhgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRz -+MRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEiMCAGA1UECwwZSW5z -+ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAwwjdGVzdCBzdWl0ZSBDQTsg - ZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0PBAQDAgPoMAwGA1UdEwEB/wQC --MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAMsP++r4 --vki0mBJg3POpp0i+H6zNMimoYLLtM5NvwXinfFuFQKbwLm8QWuHVifjfCYxMUm+l --iL5cS/bq+SUWGDmrlOhsuu4+aYaxgNiEyki5Rol6miSOHbfOhzX8yp0EBPpq08dg --SEdrTd/FIl4qgkkb1A4RJYZRErn/fbsyjJN66KIfSOXJuC8XMBf03Vw9f2rdrHJa --r5lVGvqa4wjO2MPq9vVK52VFrbU/zuyyCUtggyIOwGLGSY0Axtbci+IHToDBQes+ --6W4WwSUCssWfIZXQDLjFw1oRHnN43fXmX5vsVLi7YvOFHOAa1BDnDtCTZit26xVA --Mdic66hR2jHP0TE= -+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAI0Ons8g -+6aXdZsKSmp1hbwNUvsY5GNl/QHVJIMQbe9zNVkW9Hp286fzkMar6peTB9MEnhzJ5 -+5mbJM9DkugzgJeG0+HwsSdjAQCOcG4jSQ3SaASETOo58LsaG/yssIaZiZdJBrzNb -+1D5fJVVpopZMZ/mKUNB/2ofUVGVBZCdfyOoIbVSkkm1UHJ9liLFK1ZNPDTX60613 -+YNl4BydTiXtEg+IOYgmFXuZj310dDZUMHuYdzAM5j+6i2JaIcK4PgDE+yG9Oj9N+ -+uKjj0iHWyoZW49y9Hq/oiMegi2X4XZBtbZlEUu4OkpBJ1QG0MTaz/vN94sHiLOzS -+81b7+2BMgHd51+E= - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/proxy-certs/proxy-san.pem b/src/tests/dejagnu/proxy-certs/proxy-san.pem -index ac8bbaa16..8eaeceece 100644 ---- a/src/tests/dejagnu/proxy-certs/proxy-san.pem -+++ b/src/tests/dejagnu/proxy-certs/proxy-san.pem -@@ -1,56 +1,56 @@ - -----BEGIN RSA PRIVATE KEY----- --MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU --oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I --NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ --FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x --Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP --zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo --Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM --/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS --XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR --4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o --TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt --6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm --vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL --tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB --ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn --e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+ --c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3 --P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG --Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6 --AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj --lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9 --RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6 --IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK --g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW --6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w= -+MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -+kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -+e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -+SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -+j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -+zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -+HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -+q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -+zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -+ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -+21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -+YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -+1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -+AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -+47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -+RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -+lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -+tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -+hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -+5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -+yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -+vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -+CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -+X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -+Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== - -----END RSA PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIE4jCCA8qgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx --FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG --A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww --KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x --NDA1MDIxOTA2MDhaFw0yNTA0MTQxOTA2MDhaMFQxCzAJBgNVBAYTAlVTMRYwFAYD --VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTEXMBUGA1UE --AxMOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB --AQDXO52ek3wU/uIufW+CTJNKf9FDFfHXK3rOKQdoytU+OSNc89SgIWlZLd54jhpA --WiP3cvkzBkOZLE5+UECovBXYAwBpytic08kiQe1tgp1Wy/D1vgg1NapX38M44M7t --SjDIymmY7fn+lRdosv4CMeMvDX8SFDdli2p+kAw6R/lOdLka2pkWWtiBkoTy9MLw --HEMozsViFZjPuSn+0bdLw79FOc/s136HVh2maUcEZ+7AhEgnPnE3DoohwLLdDQ02 --gqeHTRZXAuZH7HXUEZKQyOJlmTAnkPRE5tKDXdAP+K2sahXaC0/ONCA099OuOwy/ --I5YAAWtZVHdAtPGeeZeyqde/AgMBAAGjggF3MIIBczAdBgNVHQ4EFgQUc7n4NJjO --ryu9CFSV3K+fTLgCqUcwgcYGA1UdIwSBvjCBu4AUc7n4NJjOryu9CFSV3K+fTLgC --qUehgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRz --MRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEiMCAGA1UECxMZSW5z --ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAxQjdGVzdCBzdWl0ZSBDQTsg -+MIIE4jCCA8qgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww -+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaMFQxCzAJBgNVBAYTAlVTMRYwFAYD -+VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTEXMBUGA1UE -+AwwOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -+AQDngcJ5NNR7XbumqMryvbw0YzDavbH6FYoprIfk2ao6qfCfNEeRkTlSORrND+H3 -+tLotnphvzDeYkTJfU91w0BEPDaZs48WTk325ecFvoBmiDuGH3Ax7/+D1rs+kpqd/ -+Dr19JWACvj1MUWIugq7JOAeIk4HtiA/RtMcQ7iUuq6w9AzXqVENJ2heDja50CHe4 -+Fj5AOzbeyctKIH72+3yC3qBeJphvcEE5az0Hc8qzfvg32Q4+yByP7yTJH8z6r5F8 -+rluKpLdx7+zG89XQqx6H//W4nGVtALA6IF3dMtYcuFb0XuvMRy/OfUx9yTfmzRcM -+NGUbFEYYPL5kIqbF/xm7/xLDAgMBAAGjggF3MIIBczAdBgNVHQ4EFgQU9/+8m8Uw -+LCsAF4ILSyrtEZ9h4iIwgcYGA1UdIwSBvjCBu4AU9/+8m8UwLCsAF4ILSyrtEZ9h -+4iKhgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRz -+MRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEiMCAGA1UECwwZSW5z -+ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAwwjdGVzdCBzdWl0ZSBDQTsg - ZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0PBAQDAgPoMAwGA1UdEwEB/wQC - MAAwWQYDVR0RBFIwUIIWcHJveHnFoHViamVjdMOEbHTDkWFtZYITcHJveHlTdWJq - ZWN0QWx0TmFtZYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAAYIJbG9jYWxob3N0MBMG --A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQAH6AWuyRLzMbKq --MUlyg9ZIar8p0Ms0/UEaa6Xm3/cfm6HSujtgcYlDN3M86Z3zWzWdTrOHsRr/YSG3 --H3YDhJToKqxcjgho+1xdBPm0xuFsJcypRqGj/mIaJSoa+wC2AdY1EdE+URsh87XC --SHYNbxAVo8qBHMjtROm6AKb2YusYqHnkT+U6nc4Pn9UnIzmu4wfoSB+X1vtY24TP --AtXNYQEG4BkgSrcsgoL+z/+wtZLU8QFk6JRO7Bedq711Oh/taEasZHjRAmnqC5TB --Ab2fnwWuoVZHqz2qydeywXUKrZlctuRVdjE++wOt9xuMPKFGo0PKDw/SymCe61Q8 --Nc/d2mhz -+A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQDQI1/zeNAWvXAG -+CTJk+hFLNx7xzd28/vWGkumK60rSmLVLZNDlvfmNJZ/kd7d0YZFvZDvbzhugXigI -+5N54664XreRwXA7QkgD2laFd/Rzq+6NdhyMCno7V6j1VZUm6/FWgfYjfGEBvbGNv -+Ue50fyRSQBmFv3p87Av/Zc0OMjted0zOYUxUPH0OL+2e4BL/suo05Q5DZq+J8Dni -+7SJbDC0fp5mKVLQ500zIRwUF2y5TE4olBsYBoaMDxQl+HoG6XpzaVslTKXAvzFMk -+8beI2BmqUId1OSLa3TOKnbsK8K/MPnSnB5StINt1+ZtTjjV+dY3xB6ZC+G1Pl6Ta -+00C7EWul - -----END CERTIFICATE----- -diff --git a/src/tests/dejagnu/proxy-certs/proxy-subject.pem b/src/tests/dejagnu/proxy-certs/proxy-subject.pem -index e17918f2b..3846aece6 100644 ---- a/src/tests/dejagnu/proxy-certs/proxy-subject.pem -+++ b/src/tests/dejagnu/proxy-certs/proxy-subject.pem -@@ -1,54 +1,54 @@ - -----BEGIN RSA PRIVATE KEY----- --MIIEpQIBAAKCAQEA1zudnpN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPU --oCFpWS3eeI4aQFoj93L5MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4I --NTWqV9/DOODO7UowyMppmO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZ --FlrYgZKE8vTC8BxDKM7FYhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5x --Nw6KIcCy3Q0NNoKnh00WVwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtP --zjQgNPfTrjsMvyOWAAFrWVR3QLTxnnmXsqnXvwIDAQABAoIBAQCqvhpeMDXhGgoo --Q03wmfrGwPsrMv91aIK1hYrhMPdVs1JAbRYiKh8+pcq07FYa8udRaB4UwkVh/+oM --/nEs6niRsl/jjQ2l68TFrnNByroynvr6l9Q/EeGecF6Ygo7lY1OsFhcLQM5vjarS --XhxvdU/6hcRmfS8tGRpUaMWqfmpiN3YgJcgt8SoYhiwAYDTMJjNyWC61lO7IqNVR --4kntiM24sfAu1sdZynX8Gp2GrpNChapEuhilQ8RayjuStEYr2abcSIjfZFHQXN7o --TnjL+AQUzc/ZTXDGnIe9ZzZeFz8UCueeoN6KPxfrq9UUWRL6qt7gOIMdhYR6lFxt --6pj6kLhxAoGBAO5DTnTKDfCMY2/AsTzCJvMGSY0bT1rsdDxrpqjrbUSeMHV3s5Lm --vEPnnm+05FD/vi99+HZjHXAZFkhA3ubij2qWFPBnQ5YUoh17IW/Ae4bzY2uXikgL --tLZ+R+OrcGYQQlvPn//PLsxbfdk5vraqzm08kIX0T4o4Iz8ST5NFJ8hVAoGBAOdB --ahXr14563Cjeu0pSQ1nXoz3IXdnDwePXasYhxQHl8Ayk8qZS5pt7r07H3dqq6pvn --e09gZINJe47B9UhkR3H5bPyz/kujKS4zqo3Zlbryzm3V0BWqjNj+j8E2YuQKNQr+ --c480jn2FzwW66w0i3n4U4KUn1w2/iq5AnVzyNkPDAoGAWLYEsyU79XE/4K79DqM3 --P0r6/afKbw8U5B4syj4FzAOeBU6RNMPmGt5VNkBCtgnSdPpRFTsoDcG5cyN8GrkG --Lug8WZoJJwr9pT5gH6yqEX/zZ27f1J1PJpd0CsedLNMm8eonJ2arhPkXrVZ7tKV6 --AGAJa2agatUmAmi96hZYjpUCgYEA32abJEgsedEIhFb/GYI03ELryRCaUXfCA+gj --lvoihn3qE1z5qGGns4adyX5dPRQmBqxtvDXDg+zl9vg6i0+MkXdCqTD8tXcOnjp9 --RgFvmyVa9FI8beHPpQTuPNncWK3fpho/6pT8Hhi48LEsxwjrZWOnzQSaxQZH46Q6 --IQNAFt8CgYEAkflxXvA2/2naix+riaBzv5EVJB7ilbfWiWtq2LEAtwrQ5XNFjrtK --g45jKrZ/ezAzTfPa5Dwn4xcImd0MIavnJhDu2ATxMGB0GATLlDH2HZvU7UwKLpTW --6Hlol4yRcX4GSEOxJ2ZpWYNIOYH0yDf1qLJXs1j8Fi3zWRe+V1kff4w= -+MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -+kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -+e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -+SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -+j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -+zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -+HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -+q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -+zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -+ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -+21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -+YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -+1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -+AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -+47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -+RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -+lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -+tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -+hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -+5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -+yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -+vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -+CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -+X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -+Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== - -----END RSA PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIEgjCCA2qgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx --FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG --A1UEChMDTUlUMSIwIAYDVQQLExlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww --KgYDVQQDFCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x --NDA1MDIxOTA2MDhaFw0yNTA0MTQxOTA2MDhaME8xCzAJBgNVBAYTAlVTMRYwFAYD --VQQIEw1NYXNzYWNodXNldHRzMRQwEgYDVQQKEwtLUkJURVNULkNPTTESMBAGA1UE --AxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zud --npN8FP7iLn1vgkyTSn/RQxXx1yt6zikHaMrVPjkjXPPUoCFpWS3eeI4aQFoj93L5 --MwZDmSxOflBAqLwV2AMAacrYnNPJIkHtbYKdVsvw9b4INTWqV9/DOODO7UowyMpp --mO35/pUXaLL+AjHjLw1/EhQ3ZYtqfpAMOkf5TnS5GtqZFlrYgZKE8vTC8BxDKM7F --YhWYz7kp/tG3S8O/RTnP7Nd+h1YdpmlHBGfuwIRIJz5xNw6KIcCy3Q0NNoKnh00W --VwLmR+x11BGSkMjiZZkwJ5D0RObSg13QD/itrGoV2gtPzjQgNPfTrjsMvyOWAAFr --WVR3QLTxnnmXsqnXvwIDAQABo4IBHDCCARgwHQYDVR0OBBYEFHO5+DSYzq8rvQhU --ldyvn0y4AqlHMIHGBgNVHSMEgb4wgbuAFHO5+DSYzq8rvQhUldyvn0y4AqlHoYGf --pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAG --A1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxIjAgBgNVBAsTGUluc2VjdXJl --IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMUI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v -+MIIEgjCCA2qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -+A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww -+KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -+OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaME8xCzAJBgNVBAYTAlVTMRYwFAYD -+VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTESMBAGA1UE -+AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HC -+eTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Y -+b8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVg -+Ar49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs2 -+3snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3 -+ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRG -+GDy+ZCKmxf8Zu/8SwwIDAQABo4IBHDCCARgwHQYDVR0OBBYEFPf/vJvFMCwrABeC -+C0sq7RGfYeIiMIHGBgNVHSMEgb4wgbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGf -+pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAG -+A1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJl -+IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v - dCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMBMG --A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQCzGPT+QOrl9mbJ --nsGlPlLUOF+PYz0a/9V/iznlofxwCXiRi2ryMpLFbjLeOvjLJ3UzyNKtmEeudTBM --yfR4i8tb9WA7Oh0BjK1+kD4688bAUXiIDhueKBjonmPvMd9kq3MDd4vDLkcZk6R4 --4IcbdwhzSBmnJH8ha2J82XShPpRq5CZNR9+vTyFwGdGWdPDjTMiXoXAmpRemcEgO --iO4Gxvcrg/Z06Ys3eLze7QHNMAEwXhC4rUR34j5I2zgU7CEhff3AktLmnKVa8go8 --4BJT/n3XGB+3gdAEihQmgCEZetHH+YxAR0Ppn3ty7fpAlOnbRJqpeu6TMN8x/lL8 --c6JtDWRG -+A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBdg7Gk/RqQpTfD -+vyFB1GPWRcLYpYW4GQh3e/dcesmwjwT8Nsd4Mzq9mA9TzJIXwffUQ8de85L5+9Oh -+k4yiwRS3vDCP0fr+GZMpBqkBVunJIHQnm+RWxT42+0kBxxmO/fqp5ztND8gGBLiW -+QPHb+mSCFgmgwnRuW+UI3TZ965oZfd2oRjjHjr51cgxcXndqnNws/kakMpxSM+KT -++ICHNz5og79nC7zpVqu0Cd56stPXbrFeU+bnN5UT9sOZNOYstWZmS8u+ddDuJwhS -+ijJZgtQNOIuBfD2TLfDmg/QfLeh5hhgBVyXC5o8g6KEtjPgm+44OF3vNZeuwVPaf -+L58YyPcO - -----END CERTIFICATE----- diff --git a/Update-test-suite-to-avoid-single-DES-enctypes.patch b/Update-test-suite-to-avoid-single-DES-enctypes.patch deleted file mode 100644 index 042bc1b..0000000 --- a/Update-test-suite-to-avoid-single-DES-enctypes.patch +++ /dev/null @@ -1,2328 +0,0 @@ -From 99077dd3855832912df7563086cd615ba430e440 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 24 May 2019 13:11:55 -0400 -Subject: [PATCH] Update test suite to avoid single-DES enctypes - -Remove the CRC exercise code, since CRC is DES-only. - -ticket: 8808 -(cherry picked from commit 50588db5d26e81f3d564d1f69435af34ae80d9b2) ---- - src/kadmin/testing/proto/kdc.conf.proto | 2 +- - src/kadmin/testing/util/tcl_kadm5.c | 2 - - src/lib/crypto/crypto_tests/CRC.pm | 156 ---------- - src/lib/crypto/crypto_tests/Makefile.in | 31 +- - src/lib/crypto/crypto_tests/crc.pl | 111 ------- - src/lib/crypto/crypto_tests/deps | 24 -- - src/lib/crypto/crypto_tests/t_cf2.expected | 1 - - src/lib/crypto/crypto_tests/t_cf2.in | 5 - - src/lib/crypto/crypto_tests/t_cksum.c | 160 ---------- - src/lib/crypto/crypto_tests/t_cksums.c | 8 +- - src/lib/crypto/crypto_tests/t_combine.c | 18 -- - src/lib/crypto/crypto_tests/t_crc.c | 148 ---------- - src/lib/crypto/crypto_tests/t_decrypt.c | 148 ---------- - src/lib/crypto/crypto_tests/t_encrypt.c | 3 - - src/lib/crypto/crypto_tests/t_short.c | 3 - - src/lib/crypto/crypto_tests/t_str2key.c | 274 ------------------ - src/lib/crypto/crypto_tests/vectors.c | 3 +- - .../api.current/chpass-principal-v2.exp | 8 +- - .../api.current/get-principal-v2.exp | 4 +- - .../api.current/randkey-principal-v2.exp | 11 +- - src/lib/kadm5/unit-test/setkey-test.c | 6 +- - src/lib/krb5/keytab/t_keytab.c | 40 +-- - src/lib/krb5/krb/t_etypes.c | 67 +---- - src/lib/krb5/krb/t_ser.c | 2 +- - src/lib/krb5/os/t_trace.c | 2 +- - src/lib/krb5/os/t_trace.ref | 2 +- - src/tests/asn.1/ktest.c | 2 +- - src/tests/asn.1/pkinit_encode.out | 2 +- - src/tests/asn.1/pkinit_trval.out | 2 +- - src/tests/dejagnu/config/default.exp | 226 ++------------- - src/tests/gssapi/t_invalid.c | 20 +- - src/tests/gssapi/t_pcontok.c | 17 +- - src/tests/gssapi/t_prf.c | 7 - - src/tests/t_etype_info.py | 4 +- - src/tests/t_keyrollover.py | 6 +- - src/tests/t_salt.py | 2 +- - src/tests/t_sesskeynego.py | 18 +- - src/util/k5test.py | 2 +- - 38 files changed, 88 insertions(+), 1459 deletions(-) - delete mode 100644 src/lib/crypto/crypto_tests/CRC.pm - delete mode 100644 src/lib/crypto/crypto_tests/crc.pl - delete mode 100644 src/lib/crypto/crypto_tests/t_cksum.c - delete mode 100644 src/lib/crypto/crypto_tests/t_crc.c - -diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto -index 45df78b91..8a4b87de1 100644 ---- a/src/kadmin/testing/proto/kdc.conf.proto -+++ b/src/kadmin/testing/proto/kdc.conf.proto -@@ -12,5 +12,5 @@ - kadmind_port = 1751 - kpasswd_port = 1752 - master_key_type = des3-hmac-sha1 -- supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal -+ supported_enctypes = des3-hmac-sha1:normal aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal - } -diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c -index 9dde579ef..4d3114b11 100644 ---- a/src/kadmin/testing/util/tcl_kadm5.c -+++ b/src/kadmin/testing/util/tcl_kadm5.c -@@ -1514,8 +1514,6 @@ static Tcl_DString *unparse_keytype(krb5_enctype enctype) - switch (enctype) { - /* XXX is this right? */ - case ENCTYPE_NULL: Tcl_DStringAppend(str, "ENCTYPE_NULL", -1); break; -- case ENCTYPE_DES_CBC_CRC: -- Tcl_DStringAppend(str, "ENCTYPE_DES_CBC_CRC", -1); break; - default: - sprintf(buf, "UNKNOWN KEYTYPE (0x%x)", enctype); - Tcl_DStringAppend(str, buf, -1); -diff --git a/src/lib/crypto/crypto_tests/CRC.pm b/src/lib/crypto/crypto_tests/CRC.pm -deleted file mode 100644 -index ee2ab2ae8..000000000 ---- a/src/lib/crypto/crypto_tests/CRC.pm -+++ /dev/null -@@ -1,156 +0,0 @@ --# Copyright 2002 by the Massachusetts Institute of Technology. --# All Rights Reserved. --# --# Export of this software from the United States of America may --# require a specific license from the United States Government. --# It is the responsibility of any person or organization contemplating --# export to obtain such a license before exporting. --# --# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and --# distribute this software and its documentation for any purpose and --# without fee is hereby granted, provided that the above copyright --# notice appear in all copies and that both that copyright notice and --# this permission notice appear in supporting documentation, and that --# the name of M.I.T. not be used in advertising or publicity pertaining --# to distribution of the software without specific, written prior --# permission. Furthermore if you modify this software you must label --# your software as modified software and not distribute it in such a --# fashion that it might be confused with the original M.I.T. software. --# M.I.T. makes no representations about the suitability of --# this software for any purpose. It is provided "as is" without express --# or implied warranty. -- --package CRC; -- --# CRC: implement a CRC using the Poly package (yes this is slow) --# --# message M(x) = m_0 * x^0 + m_1 * x^1 + ... + m_(k-1) * x^(k-1) --# generator P(x) = p_0 * x^0 + p_1 * x^1 + ... + p_n * x^n --# remainder R(x) = r_0 * x^0 + r_1 * x^1 + ... + r_(n-1) * x^(n-1) --# --# R(x) = (x^n * M(x)) % P(x) --# --# Note that if F(x) = x^n * M(x) + R(x), then F(x) = 0 mod P(x) . --# --# In MIT Kerberos 5, R(x) is taken as the CRC, as opposed to what --# ISO 3309 does. --# --# ISO 3309 adds a precomplement and a postcomplement. --# --# The ISO 3309 postcomplement is of the form --# --# A(x) = x^0 + x^1 + ... + x^(n-1) . --# --# The ISO 3309 precomplement is of the form --# --# B(x) = x^k * A(x) . --# --# The ISO 3309 FCS is then --# --# (x^n * M(x)) % P(x) + B(x) % P(x) + A(x) , --# --# which is equivalent to --# --# (x^n * M(x) + B(x)) % P(x) + A(x) . --# --# In ISO 3309, the transmitted frame is --# --# F'(x) = x^n * M(x) + R(x) + R'(x) + A(x) , --# --# where --# --# R'(x) = B(x) % P(x) . --# --# Note that this means that if a new remainder is computed over the --# frame F'(x) (treating F'(x) as the new M(x)), it will be equal to a --# constant. --# --# F'(x) = 0 + R'(x) + A(x) mod P(x) , --# --# then --# --# (F'(x) + x^k * A(x)) * x^n --# --# = ((R'(x) + A(x)) + x^k * A(x)) * x^n mod P(x) --# --# = (x^k * A(x) + A(x) + x^k * A(x)) * x^n mod P(x) --# --# = (0 + A(x)) * x^n mod P(x) --# --# Note that (A(x) * x^n) % P(x) is a constant, and that this result --# depends on B(x) being x^k * A(x). -- --use Carp; --use Poly; -- --sub new { -- my $self = shift; -- my $class = ref($self) || $self; -- my %args = @_; -- $self = {bitsendian => "little"}; -- bless $self, $class; -- $self->setpoly($args{"Poly"}) if exists $args{"Poly"}; -- $self->bitsendian($args{"bitsendian"}) -- if exists $args{"bitsendian"}; -- $self->{precomp} = $args{precomp} if exists $args{precomp}; -- $self->{postcomp} = $args{postcomp} if exists $args{postcomp}; -- return $self; --} -- --sub setpoly { -- my $self = shift; -- my($arg) = @_; -- croak "need a polynomial" if !$arg->isa("Poly"); -- $self->{Poly} = $arg; -- return $self; --} -- --sub crc { -- my $self = shift; -- my $msg = Poly->new(@_); -- my($order, $r, $precomp); -- $order = $self->{Poly}->order; -- # B(x) = x^k * precomp -- $precomp = $self->{precomp} ? -- $self->{precomp} * Poly->powers2poly(scalar(@_)) : Poly->new; -- # R(x) = (x^n * M(x)) % P(x) -- $r = ($msg * Poly->powers2poly($order)) % $self->{Poly}; -- # B(x) % P(x) -- $r += $precomp % $self->{Poly}; -- $r += $self->{postcomp} if exists $self->{postcomp}; -- return $r; --} -- --# endianness of bits of each octet --# --# Note that the message is always treated as being sent in big-endian --# octet order. --# --# Usually, the message will be treated as bits being little-endian, --# since that is the common case for serial implementations that --# present data in octets; e.g., most UARTs shift octets onto the line --# in little-endian order, and protocols such as ISO 3309, V.42, --# etc. treat individual octets as being sent LSB-first. -- --sub bitsendian { -- my $self = shift; -- my($arg) = @_; -- croak "bad bit endianness" if $arg !~ /big|little/; -- $self->{bitsendian} = $arg; -- return $self; --} -- --sub crcstring { -- my $self = shift; -- my($arg) = @_; -- my($packstr, @m); -- { -- $packstr = "B*", last if $self->{bitsendian} =~ /big/; -- $packstr = "b*", last if $self->{bitsendian} =~ /little/; -- croak "bad bit endianness"; -- }; -- @m = split //, unpack $packstr, $arg; -- return $self->crc(@m); --} -- --1; -diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in -index c5eba1b10..09feeb50e 100644 ---- a/src/lib/crypto/crypto_tests/Makefile.in -+++ b/src/lib/crypto/crypto_tests/Makefile.in -@@ -16,9 +16,7 @@ EXTRADEPSRCS=\ - $(srcdir)/aes-test.c \ - $(srcdir)/camellia-test.c \ - $(srcdir)/t_cf2.c \ -- $(srcdir)/t_cksum.c \ - $(srcdir)/t_cksums.c \ -- $(srcdir)/t_crc.c \ - $(srcdir)/t_mddriver.c \ - $(srcdir)/t_kperf.c \ - $(srcdir)/t_sha2.c \ -@@ -30,15 +28,12 @@ EXTRADEPSRCS=\ - - ##DOS##BUILDTOP = ..\..\.. - --# NOTE: The t_cksum known checksum values are primarily for regression --# testing. They are not derived a priori, but are known to produce --# checksums that interoperate. - check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \ -- t_cksum4 t_cksum5 t_cksums \ -+ t_cksums \ - aes-test \ - camellia-test \ - t_mddriver4 t_mddriver \ -- t_crc t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \ -+ t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \ - t_combine - $(RUN_TEST) ./t_nfold - $(RUN_TEST) ./t_encrypt -@@ -47,10 +42,7 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \ - $(RUN_TEST) ./t_cmac - $(RUN_TEST) ./t_hmac - $(RUN_TEST) ./t_prf -- $(RUN_TEST) ./t_cksum4 "this is a test" e3f76a07f3401e3536b43a3f54226c39422c35682c354835 -- $(RUN_TEST) ./t_cksum5 "this is a test" e3f76a07f3401e351143ee6f4c09be1edb4264d55015db53 - $(RUN_TEST) ./t_cksums -- $(RUN_TEST) ./t_crc - $(RUN_TEST) ./t_cts - $(RUN_TEST) ./aes-test -k > vk.txt - cmp vk.txt $(srcdir)/expect-vk.txt -@@ -109,24 +101,9 @@ t_short$(EXEEXT): t_short.$(OBJEXT) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_short.$(OBJEXT) \ - $(KRB5_BASE_LIBS) - --t_cksum4.o: $(srcdir)/t_cksum.c -- $(CC) -DMD=4 $(ALL_CFLAGS) -o t_cksum4.o -c $(srcdir)/t_cksum.c -- --t_cksum5.o: $(srcdir)/t_cksum.c -- $(CC) -DMD=5 $(ALL_CFLAGS) -o t_cksum5.o -c $(srcdir)/t_cksum.c -- --t_cksum4: t_cksum4.o $(CRYTPO_DEPLIB) -- $(CC_LINK) -o t_cksum4 t_cksum4.o $(KRB5_BASE_LIBS) -- --t_cksum5: t_cksum5.o $(CRYPTO_DEPLIB) -- $(CC_LINK) -o t_cksum5 t_cksum5.o $(KRB5_BASE_LIBS) -- - t_cksums: t_cksums.o $(CRYTPO_DEPLIB) - $(CC_LINK) -o t_cksums t_cksums.o -lkrb5 $(KRB5_BASE_LIBS) - --t_crc: t_crc.o $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o $@ t_crc.o $(KRB5_BASE_LIBS) -- - aes-test: aes-test.$(OBJEXT) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o aes-test aes-test.$(OBJEXT) $(KRB5_BASE_LIBS) - -@@ -165,9 +142,9 @@ clean: - t_decrypt.o t_decrypt t_prng.o t_prng t_cmac.o t_cmac \ - t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ - aes-test.o aes-test vt.txt vk.txt kresults.out \ -- t_crc.o t_crc t_cts.o t_cts \ -+ t_cts.o t_cts \ - t_mddriver4.o t_mddriver4 t_mddriver.o t_mddriver \ -- t_cksum4 t_cksum4.o t_cksum5 t_cksum5.o t_cksums t_cksums.o \ -+ t_cksums t_cksums.o \ - t_kperf.o t_kperf t_sha2.o t_sha2 t_short t_short.o t_str2key \ - t_str2key.o t_derive t_derive.o t_fork t_fork.o \ - t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT) \ -diff --git a/src/lib/crypto/crypto_tests/crc.pl b/src/lib/crypto/crypto_tests/crc.pl -deleted file mode 100644 -index b21b6b15d..000000000 ---- a/src/lib/crypto/crypto_tests/crc.pl -+++ /dev/null -@@ -1,111 +0,0 @@ --# Copyright 2002 by the Massachusetts Institute of Technology. --# All Rights Reserved. --# --# Export of this software from the United States of America may --# require a specific license from the United States Government. --# It is the responsibility of any person or organization contemplating --# export to obtain such a license before exporting. --# --# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and --# distribute this software and its documentation for any purpose and --# without fee is hereby granted, provided that the above copyright --# notice appear in all copies and that both that copyright notice and --# this permission notice appear in supporting documentation, and that --# the name of M.I.T. not be used in advertising or publicity pertaining --# to distribution of the software without specific, written prior --# permission. Furthermore if you modify this software you must label --# your software as modified software and not distribute it in such a --# fashion that it might be confused with the original M.I.T. software. --# M.I.T. makes no representations about the suitability of --# this software for any purpose. It is provided "as is" without express --# or implied warranty. -- --use CRC; -- --print "*** crudely testing polynomial functions ***\n"; -- --$x = Poly->new(1,1,1,1); --$y = Poly->new(1,1); --print "x = @{[$x->pretty]}\ny = @{[$y->pretty]}\n"; --$q = $x / $y; --$r = $x % $y; --print $x->pretty, " = (", $y->pretty , ") * (", $q->pretty, -- ") + ", $r->pretty, "\n"; --$q = $y / $x; --$r = $y % $x; --print "y / x = @{[$q->pretty]}\ny % x = @{[$r->pretty]}\n"; -- --# ISO 3309 32-bit FCS polynomial --$fcs32 = Poly->powers2poly(32,26,23,22,16,12,11,10,8,7,5,4,2,1,0); --print "fcs32 = ", $fcs32->pretty, "\n"; -- --$crc = CRC->new(Poly => $fcs32, bitsendian => "little"); -- --print "\n"; -- --print "*** little endian, no complementation ***\n"; --for ($i = 0; $i < 256; $i++) { -- $r = $crc->crcstring(pack "C", $i); -- printf ("%02x: ", $i) if !($i % 8); -- print ($r->revhex, ($i % 8 == 7) ? "\n" : " "); --} -- --print "\n"; -- --print "*** little endian, 4 bits, no complementation ***\n"; --for ($i = 0; $i < 16; $i++) { -- @m = (split //, unpack "b*", pack "C", $i)[0..3]; -- $r = $crc->crc(@m); -- printf ("%02x: ", $i) if !($i % 8); -- print ($r->revhex, ($i % 8 == 7) ? "\n" : " "); --} -- --print "\n"; -- --print "*** test vectors for t_crc.c, little endian ***\n"; --for ($i = 1; $i <= 4; $i *=2) { -- for ($j = 0; $j < $i * 8; $j++) { -- @m = split //, unpack "b*", pack "V", 1 << $j; -- splice @m, $i * 8; -- $r = $crc->crc(@m); -- $m = unpack "H*", pack "b*", join("", @m); -- print "{HEX, \"$m\", 0x", $r->revhex, "},\n"; -- } --} --@m = ("foo", "test0123456789", -- "MASSACHVSETTS INSTITVTE OF TECHNOLOGY"); --foreach $m (@m) { -- $r = $crc->crcstring($m); -- print "{STR, \"$m\", 0x", $r->revhex, "},\n"; --} --__END__ -- --print "*** big endian, no complementation ***\n"; --for ($i = 0; $i < 256; $i++) { -- $r = $crc->crcstring(pack "C", $i); -- printf ("%02x: ", $i) if !($i % 8); -- print ($r->hex, ($i % 8 == 7) ? "\n" : " "); --} -- --# all ones polynomial of order 31 --$ones = Poly->new((1) x 32); -- --print "*** big endian, ISO-3309 style\n"; --$crc = CRC->new(Poly => $fcs32, -- bitsendian => "little", -- precomp => $ones, -- postcomp => $ones); --for ($i = 0; $i < 256; $i++) { -- $r = $crc->crcstring(pack "C", $i); -- print ($r->hex, ($i % 8 == 7) ? "\n" : " "); --} -- --for ($i = 0; $i < 0; $i++) { -- $x = Poly->new((1) x 32, (0) x $i); -- $y = Poly->new((1) x 32); -- $f = ($x % $fcs32) + $y; -- $r = (($f + $x) * Poly->powers2poly(32)) % $fcs32; -- @out = @$r; -- unshift @out, 0 while @out < 32; -- print @out, "\n"; --} -diff --git a/src/lib/crypto/crypto_tests/deps b/src/lib/crypto/crypto_tests/deps -index 5d94a593d..19fef2582 100644 ---- a/src/lib/crypto/crypto_tests/deps -+++ b/src/lib/crypto/crypto_tests/deps -@@ -140,17 +140,6 @@ $(OUTPRE)camellia-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(top_srcdir)/include/socket-utils.h camellia-test.c - $(OUTPRE)t_cf2.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_cf2.c --$(OUTPRE)t_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- t_cksum.c - $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ -@@ -161,19 +150,6 @@ $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h t_cksums.c --$(OUTPRE)t_crc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ -- $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \ -- $(srcdir)/../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- t_crc.c - $(OUTPRE)t_mddriver.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ -diff --git a/src/lib/crypto/crypto_tests/t_cf2.expected b/src/lib/crypto/crypto_tests/t_cf2.expected -index 11a24b800..f8251a16c 100644 ---- a/src/lib/crypto/crypto_tests/t_cf2.expected -+++ b/src/lib/crypto/crypto_tests/t_cf2.expected -@@ -1,6 +1,5 @@ - 97df97e4b798b29eb31ed7280287a92a - 4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b --43bae3738c9467e6 - e58f9eb643862c13ad38e529313462a7f73e62834fe54a01 - 24d7f6b6bae4e5c00d2082c5ebab3672 - edd02a39d2dbde31611c16e610be062c -diff --git a/src/lib/crypto/crypto_tests/t_cf2.in b/src/lib/crypto/crypto_tests/t_cf2.in -index e62ead7d8..73e2f8fbc 100644 ---- a/src/lib/crypto/crypto_tests/t_cf2.in -+++ b/src/lib/crypto/crypto_tests/t_cf2.in -@@ -8,11 +8,6 @@ key1 - key2 - a - b --1 --key1 --key2 --a --b - 16 - key1 - key2 -diff --git a/src/lib/crypto/crypto_tests/t_cksum.c b/src/lib/crypto/crypto_tests/t_cksum.c -deleted file mode 100644 -index 0edaeb850..000000000 ---- a/src/lib/crypto/crypto_tests/t_cksum.c -+++ /dev/null -@@ -1,160 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/crypto/crypto_tests/t_cksum.c */ --/* -- * Copyright 1995 by the Massachusetts Institute of Technology. -- * All Rights Reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ -- --/* Test checksum and checksum compatability for rsa-md[4,5]-des. */ -- --#include "k5-int.h" --#include "k5-hex.h" -- --#define MD5_K5BETA_COMPAT --#define MD4_K5BETA_COMPAT -- --#if MD == 4 --#define CKTYPE CKSUMTYPE_RSA_MD4_DES --#endif -- --#if MD == 5 --#define CKTYPE CKSUMTYPE_RSA_MD5_DES --#endif -- --static void --print_checksum(char *text, int number, char *message, krb5_checksum *checksum) --{ -- unsigned int i; -- -- printf("%s MD%d checksum(\"%s\") = ", text, number, message); -- for (i=0; ilength; i++) -- printf("%02x", (unsigned char) checksum->contents[i]); -- printf("\n"); --} -- --/* -- * Test the checksum verification of Old Style (tm) and correct RSA-MD[4,5]-DES -- * checksums. -- */ -- --krb5_octet testkey[8] = { 0x45, 0x01, 0x49, 0x61, 0x58, 0x19, 0x1a, 0x3d }; -- --int --main(argc, argv) -- int argc; -- char **argv; --{ -- int msgindex; -- size_t len; -- krb5_boolean valid; -- krb5_keyblock keyblock; -- krb5_key key; -- krb5_error_code kret=0; -- krb5_data plaintext; -- krb5_checksum checksum, knowncksum; -- -- /* this is a terrible seed, but that's ok for the test. */ -- -- plaintext.length = 8; -- plaintext.data = (char *) testkey; -- -- krb5_c_random_seed(/* XXX */ 0, &plaintext); -- -- keyblock.enctype = ENCTYPE_DES_CBC_CRC; -- keyblock.length = sizeof(testkey); -- keyblock.contents = testkey; -- -- krb5_k_create_key(NULL, &keyblock, &key); -- -- for (msgindex = 1; msgindex + 1 < argc; msgindex += 2) { -- plaintext.length = strlen(argv[msgindex]); -- plaintext.data = argv[msgindex]; -- -- /* Create a checksum. */ -- kret = krb5_k_make_checksum(NULL, CKTYPE, key, 0, &plaintext, -- &checksum); -- if (kret != 0) { -- printf("krb5_calculate_checksum choked with %d\n", kret); -- break; -- } -- print_checksum("correct", MD, argv[msgindex], &checksum); -- -- /* Verify it. */ -- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum, -- &valid); -- if (kret != 0) { -- printf("verify on new checksum choked with %d\n", kret); -- break; -- } -- if (!valid) { -- printf("verify on new checksum failed\n"); -- kret = 1; -- break; -- } -- printf("Verify succeeded for \"%s\"\n", argv[msgindex]); -- -- /* Corrupt the checksum and see if it still verifies. */ -- checksum.contents[0]++; -- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum, -- &valid); -- if (kret != 0) { -- printf("verify on new checksum choked with %d\n", kret); -- break; -- } -- if (valid) { -- printf("verify on new checksum succeeded, but shouldn't have\n"); -- kret = 1; -- break; -- } -- printf("Verify of bad checksum OK for \"%s\"\n", argv[msgindex]); -- free(checksum.contents); -- -- /* Verify a known-good checksum for this plaintext. */ -- kret = k5_hex_decode(argv[msgindex + 1], &knowncksum.contents, &len); -- if (kret) { -- printf("k5_hex_decode failed\n"); -- break; -- } -- knowncksum.length = len; -- knowncksum.checksum_type = CKTYPE; -- knowncksum.magic = KV5M_CHECKSUM; -- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &knowncksum, -- &valid); -- if (kret != 0) { -- printf("verify on known checksum choked with %d\n", kret); -- break; -- } -- if (!valid) { -- printf("verify on known checksum failed\n"); -- kret = 1; -- break; -- } -- printf("Verify on known checksum succeeded\n"); -- free(knowncksum.contents); -- } -- if (!kret) -- printf("%d tests passed successfully for MD%d checksum\n", (argc-1)/2, MD); -- -- krb5_k_free_key(NULL, key); -- -- return(kret); --} -diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c -index 5afc90ed8..4da14ea43 100644 ---- a/src/lib/crypto/crypto_tests/t_cksums.c -+++ b/src/lib/crypto/crypto_tests/t_cksums.c -@@ -27,7 +27,7 @@ - /* - * This harness tests checksum results against known values. With the -v flag, - * results for all tests are displayed. This harness only works for -- * deterministic checksums; for rsa-md4-des and rsa-md5-des, see t_cksum.c. -+ * deterministic checksums. - */ - - #include "k5-int.h" -@@ -40,12 +40,6 @@ struct test { - krb5_data keybits; - krb5_data cksum; - } test_cases[] = { -- { -- { KV5M_DATA, 3, "abc" }, -- CKSUMTYPE_CRC32, 0, 0, { KV5M_DATA, 0, "" }, -- { KV5M_DATA, 4, -- "\xD0\x98\x65\xCA" } -- }, - { - { KV5M_DATA, 3, "one" }, - CKSUMTYPE_RSA_MD4, 0, 0, { KV5M_DATA, 0, "" }, -diff --git a/src/lib/crypto/crypto_tests/t_combine.c b/src/lib/crypto/crypto_tests/t_combine.c -index 89219c762..ba0622bcf 100644 ---- a/src/lib/crypto/crypto_tests/t_combine.c -+++ b/src/lib/crypto/crypto_tests/t_combine.c -@@ -32,10 +32,6 @@ - - #include "k5-int.h" - --unsigned char des_key1[] = "\x04\x86\xCD\x97\x61\xDF\xD6\x29"; --unsigned char des_key2[] = "\x1A\x54\x9B\x7F\xDC\x20\x83\x0E"; --unsigned char des_result[] = "\xC2\x13\x01\x52\x89\x26\xC4\xF7"; -- - unsigned char des3_key1[] = "\x10\xB6\x75\xD5\x5B\xD9\x6E\x73" - "\xFD\x54\xB3\x3D\x37\x52\xC1\x2A\xF7\x43\x91\xFE\x1C\x02\x37\x13"; - unsigned char des3_key2[] = "\xC8\xDA\x3E\xA7\xB6\x64\xAE\x7A" -@@ -48,20 +44,6 @@ main(int argc, char **argv) - { - krb5_keyblock kb1, kb2, result; - -- kb1.enctype = ENCTYPE_DES_CBC_CRC; -- kb1.contents = des_key1; -- kb1.length = 8; -- kb2.enctype = ENCTYPE_DES_CBC_CRC; -- kb2.contents = des_key2; -- kb2.length = 8; -- memset(&result, 0, sizeof(result)); -- if (krb5int_c_combine_keys(NULL, &kb1, &kb2, &result) != 0) -- abort(); -- if (result.enctype != ENCTYPE_DES_CBC_CRC || result.length != 8 || -- memcmp(result.contents, des_result, 8) != 0) -- abort(); -- krb5_free_keyblock_contents(NULL, &result); -- - kb1.enctype = ENCTYPE_DES3_CBC_SHA1; - kb1.contents = des3_key1; - kb1.length = 24; -diff --git a/src/lib/crypto/crypto_tests/t_crc.c b/src/lib/crypto/crypto_tests/t_crc.c -deleted file mode 100644 -index 8cd1d36cb..000000000 ---- a/src/lib/crypto/crypto_tests/t_crc.c -+++ /dev/null -@@ -1,148 +0,0 @@ --/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ --/* lib/crypto/crypto_tests/t_crc.c */ --/* -- * Copyright 2002,2005 by the Massachusetts Institute of Technology. -- * All Rights Reserved. -- * -- * Export of this software from the United States of America may -- * require a specific license from the United States Government. -- * It is the responsibility of any person or organization contemplating -- * export to obtain such a license before exporting. -- * -- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- * distribute this software and its documentation for any purpose and -- * without fee is hereby granted, provided that the above copyright -- * notice appear in all copies and that both that copyright notice and -- * this permission notice appear in supporting documentation, and that -- * the name of M.I.T. not be used in advertising or publicity pertaining -- * to distribution of the software without specific, written prior -- * permission. Furthermore if you modify this software you must label -- * your software as modified software and not distribute it in such a -- * fashion that it might be confused with the original M.I.T. software. -- * M.I.T. makes no representations about the suitability of -- * this software for any purpose. It is provided "as is" without express -- * or implied warranty. -- */ -- --/* -- * Sanity checks for CRC32. -- */ --#include --#include --#include --#include --#include --#include --#include "crypto_int.h" -- --#define HEX 1 --#define STR 2 --struct crc_trial { -- int type; -- char *data; -- unsigned long sum; --}; -- --struct crc_trial trials[] = { -- {HEX, "01", 0x77073096}, -- {HEX, "02", 0xee0e612c}, -- {HEX, "04", 0x076dc419}, -- {HEX, "08", 0x0edb8832}, -- {HEX, "10", 0x1db71064}, -- {HEX, "20", 0x3b6e20c8}, -- {HEX, "40", 0x76dc4190}, -- {HEX, "80", 0xedb88320}, -- {HEX, "0100", 0x191b3141}, -- {HEX, "0200", 0x32366282}, -- {HEX, "0400", 0x646cc504}, -- {HEX, "0800", 0xc8d98a08}, -- {HEX, "1000", 0x4ac21251}, -- {HEX, "2000", 0x958424a2}, -- {HEX, "4000", 0xf0794f05}, -- {HEX, "8000", 0x3b83984b}, -- {HEX, "0001", 0x77073096}, -- {HEX, "0002", 0xee0e612c}, -- {HEX, "0004", 0x076dc419}, -- {HEX, "0008", 0x0edb8832}, -- {HEX, "0010", 0x1db71064}, -- {HEX, "0020", 0x3b6e20c8}, -- {HEX, "0040", 0x76dc4190}, -- {HEX, "0080", 0xedb88320}, -- {HEX, "01000000", 0xb8bc6765}, -- {HEX, "02000000", 0xaa09c88b}, -- {HEX, "04000000", 0x8f629757}, -- {HEX, "08000000", 0xc5b428ef}, -- {HEX, "10000000", 0x5019579f}, -- {HEX, "20000000", 0xa032af3e}, -- {HEX, "40000000", 0x9b14583d}, -- {HEX, "80000000", 0xed59b63b}, -- {HEX, "00010000", 0x01c26a37}, -- {HEX, "00020000", 0x0384d46e}, -- {HEX, "00040000", 0x0709a8dc}, -- {HEX, "00080000", 0x0e1351b8}, -- {HEX, "00100000", 0x1c26a370}, -- {HEX, "00200000", 0x384d46e0}, -- {HEX, "00400000", 0x709a8dc0}, -- {HEX, "00800000", 0xe1351b80}, -- {HEX, "00000100", 0x191b3141}, -- {HEX, "00000200", 0x32366282}, -- {HEX, "00000400", 0x646cc504}, -- {HEX, "00000800", 0xc8d98a08}, -- {HEX, "00001000", 0x4ac21251}, -- {HEX, "00002000", 0x958424a2}, -- {HEX, "00004000", 0xf0794f05}, -- {HEX, "00008000", 0x3b83984b}, -- {HEX, "00000001", 0x77073096}, -- {HEX, "00000002", 0xee0e612c}, -- {HEX, "00000004", 0x076dc419}, -- {HEX, "00000008", 0x0edb8832}, -- {HEX, "00000010", 0x1db71064}, -- {HEX, "00000020", 0x3b6e20c8}, -- {HEX, "00000040", 0x76dc4190}, -- {HEX, "00000080", 0xedb88320}, -- {STR, "foo", 0x7332bc33}, -- {STR, "test0123456789", 0xb83e88d6}, -- {STR, "MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 0xe34180f7} --}; -- --#define NTRIALS (sizeof(trials) / sizeof(trials[0])) -- -- --int --main(void) --{ -- unsigned int i; -- struct crc_trial trial; -- uint8_t *bytes; -- size_t len; -- unsigned long cksum; -- char *typestr; -- -- for (i = 0; i < NTRIALS; i++) { -- trial = trials[i]; -- switch (trial.type) { -- case STR: -- len = strlen(trial.data); -- typestr = "STR"; -- cksum = 0; -- mit_crc32(trial.data, len, &cksum); -- break; -- case HEX: -- typestr = "HEX"; -- if (k5_hex_decode(trial.data, &bytes, &len) != 0) -- abort(); -- cksum = 0; -- mit_crc32(bytes, len, &cksum); -- free(bytes); -- break; -- default: -- typestr = "BOGUS"; -- fprintf(stderr, "bad trial type %d\n", trial.type); -- exit(1); -- } -- printf("%s: %s \"%s\" = 0x%08lx\n", -- (trial.sum == cksum) ? "OK" : "***BAD***", -- typestr, trial.data, cksum); -- } -- exit(0); --} -diff --git a/src/lib/crypto/crypto_tests/t_decrypt.c b/src/lib/crypto/crypto_tests/t_decrypt.c -index 4ae0256cc..a40a85500 100644 ---- a/src/lib/crypto/crypto_tests/t_decrypt.c -+++ b/src/lib/crypto/crypto_tests/t_decrypt.c -@@ -39,151 +39,6 @@ struct test { - krb5_data keybits; - krb5_data ciphertext; - } test_cases[] = { -- { -- ENCTYPE_DES_CBC_CRC, -- { KV5M_DATA, 0, "" }, 0, -- { KV5M_DATA, 8, -- "\x45\xE6\x08\x7C\xDF\x13\x8F\xB5" }, -- { KV5M_DATA, 16, -- "\x28\xF6\xB0\x9A\x01\x2B\xCC\xF7\x2F\xB0\x51\x22\xB2\x83\x9E\x6E" } -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- { KV5M_DATA, 1, "1" }, 1, -- { KV5M_DATA, 8, -- "\x92\xA7\x15\x58\x10\x58\x6B\x2F" }, -- { KV5M_DATA, 16, -- "\xB4\xC8\x71\xC2\xF3\xE7\xBF\x76\x05\xEF\xD6\x2F\x2E\xEE\xC2\x05" } -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- { KV5M_DATA, 9, "9 bytesss" }, 2, -- { KV5M_DATA, 8, -- "\xA4\xB9\x51\x4A\x61\x64\x64\x23" }, -- { KV5M_DATA, 24, -- "\x5F\x14\xC3\x51\x78\xD3\x3D\x7C\xDE\x0E\xC1\x69\xC6\x23\xCC\x83" -- "\x21\xB7\xB8\xBD\x34\xEA\x7E\xFE" } -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- { KV5M_DATA, 13, "13 bytes byte", }, 3, -- { KV5M_DATA, 8, -- "\x2F\x16\xA2\xA7\xFD\xB0\x57\x68" }, -- { KV5M_DATA, 32, -- "\x0B\x58\x8E\x38\xD9\x71\x43\x3C\x9D\x86\xD8\xBA\xEB\xF6\x3E\x4C" -- "\x1A\x01\x66\x6E\x76\xD8\xA5\x4A\x32\x93\xF7\x26\x79\xED\x88\xC9" } -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4, -- { KV5M_DATA, 8, -- "\xBC\x8F\x70\xFD\x20\x97\xD6\x7C" }, -- { KV5M_DATA, 48, -- "\x38\xD6\x32\xD2\xC2\x0A\x7C\x2E\xA2\x50\xFC\x8E\xCE\x42\x93\x8E" -- "\x92\xA9\xF5\xD3\x02\x50\x26\x65\xC1\xA3\x37\x29\xC1\x05\x0D\xC2" -- "\x05\x62\x98\xFB\xFB\x16\x82\xCE\xEB\x65\xE5\x92\x04\xFD\xA7\xDF" } -- }, -- -- { -- ENCTYPE_DES_CBC_MD4, -- { KV5M_DATA, 0, "", }, 0, -- { KV5M_DATA, 8, -- "\x13\xEF\x45\xD0\xD6\xD9\xA1\x5D" }, -- { KV5M_DATA, 24, -- "\x1F\xB2\x02\xBF\x07\xAF\x30\x47\xFB\x78\x01\xE5\x88\x56\x86\x86" -- "\xBA\x63\xD7\x8B\xE3\xE8\x7D\xC7" } -- }, -- { -- ENCTYPE_DES_CBC_MD4, -- { KV5M_DATA, 1, "1", }, 1, -- { KV5M_DATA, 8, -- "\x64\x68\x86\x54\xDC\x26\x9E\x67" }, -- { KV5M_DATA, 32, -- "\x1F\x6C\xB9\xCE\xCB\x73\xF7\x55\xAB\xFD\xB3\xD5\x65\xBD\x31\xD5" -- "\xA2\xE6\x4B\xFE\x44\xC4\x91\xE2\x0E\xEB\xE5\xBD\x20\xE4\xD2\xA9" } -- }, -- { -- ENCTYPE_DES_CBC_MD4, -- { KV5M_DATA, 9, "9 bytesss", }, 2, -- { KV5M_DATA, 8, -- "\x68\x04\xFB\x26\xDF\x8A\x4C\x32" }, -- { KV5M_DATA, 40, -- "\x08\xA5\x3D\x62\xFE\xC3\x33\x8A\xD1\xD2\x18\xE6\x0D\xBD\xD3\xB2" -- "\x12\x94\x06\x79\xD1\x25\xE0\x62\x1B\x3B\xAB\x46\x80\xCE\x03\x67" -- "\x6A\x2C\x42\x0E\x9B\xE7\x84\xEB" } -- }, -- { -- ENCTYPE_DES_CBC_MD4, -- { KV5M_DATA, 13, "13 bytes byte", }, 3, -- { KV5M_DATA, 8, -- "\x23\x4A\x43\x6E\xC7\x2F\xA8\x0B" }, -- { KV5M_DATA, 40, -- "\x17\xCD\x45\xE1\x4F\xF0\x6B\x28\x40\xA6\x03\x6E\x9A\xA7\xA4\x14" -- "\x4E\x29\x76\x81\x44\xA0\xC1\x82\x7D\x8C\x4B\xC7\xC9\x90\x6E\x72" -- "\xCD\x4D\xC3\x28\xF6\x64\x8C\x99" } -- }, -- { -- ENCTYPE_DES_CBC_MD4, -- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4, -- { KV5M_DATA, 8, -- "\x1F\xD5\xF7\x43\x34\xC4\xFB\x8C" }, -- { KV5M_DATA, 56, -- "\x51\x13\x4C\xD8\x95\x1E\x9D\x57\xC0\xA3\x60\x53\xE0\x4C\xE0\x3E" -- "\xCB\x84\x22\x48\x8F\xDD\xC5\xC0\x74\xC4\xD8\x5E\x60\xA2\xAE\x42" -- "\x3C\x3C\x70\x12\x01\x31\x4F\x36\x2C\xB0\x74\x48\x09\x16\x79\xC6" -- "\xA4\x96\xC1\x1D\x7B\x93\xC7\x1B" } -- }, -- -- { -- ENCTYPE_DES_CBC_MD5, -- { KV5M_DATA, 0, "", }, 0, -- { KV5M_DATA, 8, -- "\x4A\x54\x5E\x0B\xF7\xA2\x26\x31" }, -- { KV5M_DATA, 24, -- "\x78\x4C\xD8\x15\x91\xA0\x34\xBE\x82\x55\x6F\x56\xDC\xA3\x22\x4B" -- "\x62\xD9\x95\x6F\xA9\x0B\x1B\x93" } -- }, -- { -- ENCTYPE_DES_CBC_MD5, -- { KV5M_DATA, 1, "1", }, 1, -- { KV5M_DATA, 8, -- "\xD5\x80\x4A\x26\x9D\xC4\xE6\x45" }, -- { KV5M_DATA, 32, -- "\xFF\xA2\x5C\x7B\xE2\x87\x59\x6B\xFE\x58\x12\x6E\x90\xAA\xA0\xF1" -- "\x2D\x9A\x82\xA0\xD8\x6D\xF6\xD5\xF9\x07\x4B\x6B\x39\x9E\x7F\xF1" } -- }, -- { -- ENCTYPE_DES_CBC_MD5, -- { KV5M_DATA, 9, "9 bytesss", }, 2, -- { KV5M_DATA, 8, -- "\xC8\x31\x2F\x7F\x83\xEA\x46\x40" }, -- { KV5M_DATA, 40, -- "\xE7\x85\x03\x37\xF2\xCC\x5E\x3F\x35\xCE\x3D\x69\xE2\xC3\x29\x86" -- "\x38\xA7\xAA\x44\xB8\x78\x03\x1E\x39\x85\x1E\x47\xC1\x5B\x5D\x0E" -- "\xE7\xE7\xAC\x54\xDE\x11\x1D\x80" } -- }, -- { -- ENCTYPE_DES_CBC_MD5, -- { KV5M_DATA, 13, "13 bytes byte", }, 3, -- { KV5M_DATA, 8, -- "\x7F\xDA\x3E\x62\xAD\x8A\xF1\x8C" }, -- { KV5M_DATA, 40, -- "\xD7\xA8\x03\x2E\x19\x99\x4C\x92\x87\x77\x50\x65\x95\xFB\xDA\x98" -- "\x83\x15\x8A\x85\x14\x54\x8E\x29\x6E\x91\x1C\x29\xF4\x65\xC6\x72" -- "\x36\x60\x00\x55\x8B\xFC\x2E\x88" } -- }, -- { -- ENCTYPE_DES_CBC_MD5, -- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4, -- { KV5M_DATA, 8, -- "\xD3\xD6\x83\x29\x70\xA7\x37\x52" }, -- { KV5M_DATA, 56, -- "\x8A\x48\x16\x6A\x4C\x6F\xEA\xE6\x07\xA8\xCF\x68\xB3\x81\xC0\x75" -- "\x5E\x40\x2B\x19\xDB\xC0\xF8\x1A\x7D\x7C\xA1\x9A\x25\xE0\x52\x23" -- "\xF6\x06\x44\x09\xBF\x5A\x4F\x50\xAC\xD8\x26\x63\x9F\xFA\x76\x73" -- "\xFD\x32\x4E\xC1\x9E\x42\x95\x02" } -- }, -- - { - ENCTYPE_DES3_CBC_SHA1, - { KV5M_DATA, 0, "", }, 0, -@@ -669,9 +524,6 @@ printhex(const char *head, void *data, size_t len) - - static krb5_enctype - enctypes[] = { -- ENCTYPE_DES_CBC_CRC, -- ENCTYPE_DES_CBC_MD4, -- ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES3_CBC_SHA1, - ENCTYPE_ARCFOUR_HMAC, - ENCTYPE_ARCFOUR_HMAC_EXP, -diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c -index 4afbddedb..bd9b94691 100644 ---- a/src/lib/crypto/crypto_tests/t_encrypt.c -+++ b/src/lib/crypto/crypto_tests/t_encrypt.c -@@ -37,9 +37,6 @@ - - /* What enctypes should we test?*/ - krb5_enctype interesting_enctypes[] = { -- ENCTYPE_DES_CBC_CRC, -- ENCTYPE_DES_CBC_MD4, -- ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES3_CBC_SHA1, - ENCTYPE_ARCFOUR_HMAC, - ENCTYPE_ARCFOUR_HMAC_EXP, -diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c -index 40fa2821f..d4c2b97df 100644 ---- a/src/lib/crypto/crypto_tests/t_short.c -+++ b/src/lib/crypto/crypto_tests/t_short.c -@@ -34,9 +34,6 @@ - #include "k5-int.h" - - krb5_enctype interesting_enctypes[] = { -- ENCTYPE_DES_CBC_CRC, -- ENCTYPE_DES_CBC_MD4, -- ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES3_CBC_SHA1, - ENCTYPE_ARCFOUR_HMAC, - ENCTYPE_ARCFOUR_HMAC_EXP, -diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c -index 27896e61e..cdb1acc6d 100644 ---- a/src/lib/crypto/crypto_tests/t_str2key.c -+++ b/src/lib/crypto/crypto_tests/t_str2key.c -@@ -35,280 +35,6 @@ struct test { - krb5_error_code expected_err; - krb5_boolean allow_weak; - } test_cases[] = { -- /* AFS string-to-key tests from old t_afss2k.c. */ -- { -- ENCTYPE_DES_CBC_CRC, -- "", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xA4\xD0\xD0\x9B\x86\x92\xB0\xC2" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "M", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xF1\xF2\x9E\xAB\xD0\xEF\xDF\x73" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xD6\x85\x61\xC4\xF2\x94\xF4\xA1" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My ", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xD0\xE3\xA7\x83\x94\x61\xE0\xD0" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My P", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xD5\x62\xCD\x94\x61\xCB\x97\xDF" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Pa", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x9E\xA2\xA2\xEC\xA8\x8C\x6B\x8F" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Pas", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xE3\x91\x6D\xD3\x85\xF1\x67\xC4" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Pass", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xF4\xC4\x73\xC8\x8A\xE9\x94\x6D" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Passw", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xA1\x9E\xB3\xAD\x6B\xE3\xAB\xD9" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Passwo", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xAD\xA1\xCE\x10\x37\x83\xA7\x8C" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Passwor", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xD3\x01\xD0\xF7\x3E\x7A\x49\x0B" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Password", -- { KV5M_DATA, 15, "Sodium Chloride" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xB6\x2A\x4A\xEC\x9D\x4C\x68\xDF" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x61\xEF\xE6\x83\xE5\x8A\x6B\x98" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "M", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x68\xCD\x68\xAD\xC4\x86\xCD\xE5" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x83\xA1\xC8\x86\x8F\x67\xD0\x62" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My ", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x9E\xC7\x8F\xA4\xA4\xB3\xE0\xD5" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My P", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xD9\x92\x86\x8F\x9D\x8C\x85\xE6" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Pa", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xDA\xF2\x92\x83\xF4\x9B\xA7\xAD" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Pas", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x91\xCD\xAD\xEF\x86\xDF\xD3\xA2" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Pass", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x73\xD3\x67\x68\x8F\x6E\xE3\x73" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Passw", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xC4\x61\x85\x9D\xAD\xF4\xDC\xB0" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Passwo", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\xE9\x02\x83\x16\x2C\xEC\xE0\x08" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Passwor", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x61\xC8\x26\x29\xD9\x73\x6E\xB6" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "My Password", -- { KV5M_DATA, 4, "NaCl" }, -- { KV5M_DATA, 1, "\1" }, -- { KV5M_DATA, 8, "\x8C\xA8\x9E\xC4\xA8\xDC\x31\x73" }, -- 0, -- FALSE -- }, -- -- /* Test vectors from RFC 3961 appendix A.2. */ -- { -- ENCTYPE_DES_CBC_CRC, -- "password", -- { KV5M_DATA, 21, "ATHENA.MIT.EDUraeburn" }, -- { KV5M_DATA, 1, "\0" }, -- { KV5M_DATA, 8, "\xCB\xC2\x2F\xAE\x23\x52\x98\xE3" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "potatoe", -- { KV5M_DATA, 19, "WHITEHOUSE.GOVdanny" }, -- { KV5M_DATA, 1, "\0" }, -- { KV5M_DATA, 8, "\xDF\x3D\x32\xA7\x4F\xD9\x2A\x01" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "\xF0\x9D\x84\x9E", -- { KV5M_DATA, 18, "EXAMPLE.COMpianist" }, -- { KV5M_DATA, 1, "\0" }, -- { KV5M_DATA, 8, "\x4F\xFB\x26\xBA\xB0\xCD\x94\x13" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "\xC3\x9F", -- { KV5M_DATA, 23, "ATHENA.MIT.EDUJuri\xC5\xA1\x69\xC4\x87" }, -- { KV5M_DATA, 1, "\0" }, -- { KV5M_DATA, 8, "\x62\xC8\x1A\x52\x32\xB5\xE6\x9D" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "11119999", -- { KV5M_DATA, 8, "AAAAAAAA" }, -- { KV5M_DATA, 1, "\0" }, -- { KV5M_DATA, 8, "\x98\x40\x54\xd0\xf1\xa7\x3e\x31" }, -- 0, -- FALSE -- }, -- { -- ENCTYPE_DES_CBC_CRC, -- "NNNN6666", -- { KV5M_DATA, 8, "FFFFAAAA" }, -- { KV5M_DATA, 1, "\0" }, -- { KV5M_DATA, 8, "\xC4\xBF\x6B\x25\xAD\xF7\xA4\xF8" }, -- 0, -- FALSE -- }, -- - /* Test vectors from RFC 3961 appendix A.4. */ - { - ENCTYPE_DES3_CBC_SHA1, -diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c -index c1a765732..bcf5c9106 100644 ---- a/src/lib/crypto/crypto_tests/vectors.c -+++ b/src/lib/crypto/crypto_tests/vectors.c -@@ -30,7 +30,8 @@ - * - * N.B.: Doesn't compile -- this file uses some routines internal to our - * crypto library which are declared "static" and thus aren't accessible -- * without modifying the other sources. -+ * without modifying the other sources. Additionally, some ciphers have been -+ * removed. - */ - - #include -diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -index db899a1dc..740425c69 100644 ---- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -@@ -18,8 +18,8 @@ proc test200 {} { - - # I'd like to specify a long list of keysalt tuples and make sure - # that chpass does the right thing, but we can only use those -- # enctypes that krbtgt has a key for: des-cbc-crc:normal -- # according to the prototype kdc.conf. -+ # enctypes that krbtgt has a key for: the AES enctypes, according to -+ # the prototype kdc.conf. - if {! [cmd [format { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ -@@ -53,10 +53,10 @@ proc test200 {} { - } - - # XXX Perhaps I should actually check the key type returned. -- if {$num_keys == 2} { -+ if {$num_keys == 5} { - pass "$test" - } else { -- fail "$test: $num_keys keys, should be 2" -+ fail "$test: $num_keys keys, should be 5" - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" -diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -index 8526897ed..3ea1ba29b 100644 ---- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -@@ -143,8 +143,8 @@ proc test101_102 {rpc} { - } - - set failed 0 -- if {$num_keys != 2} { -- fail "$test: num_keys $num_keys should be 2" -+ if {$num_keys != 5} { -+ fail "$test: num_keys $num_keys should be 5" - set failed 1 - } - for {set i 0} {$i < $num_keys} {incr i} { -diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp -index ee652cbd3..2925c1c43 100644 ---- a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp -@@ -16,10 +16,9 @@ proc test100 {} { - return - } - -- # I'd like to specify a long list of keysalt tuples and make sure -- # that randkey does the right thing, but we can only use those -- # enctypes that krbtgt has a key for: des-cbc-crc:normal and -- # des-cbc-crc:v4, according to the prototype kdc.conf. -+ # I'd like to specify a long list of keysalt tuples and make sure that -+ # randkey does the right thing, but we can only use those enctypes that -+ # krbtgt has a key for: 3DES and AES, according to the prototype kdc.conf. - if {! [cmd [format { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ -@@ -47,10 +46,10 @@ proc test100 {} { - } - - # XXX Perhaps I should actually check the key type returned. -- if {$num_keys == 2} { -+ if {$num_keys == 5} { - pass "$test" - } else { -- fail "$test: $num_keys keys, should be 2" -+ fail "$test: $num_keys keys, should be 5" - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" -diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c -index fa2392f81..8e7df96e9 100644 ---- a/src/lib/kadm5/unit-test/setkey-test.c -+++ b/src/lib/kadm5/unit-test/setkey-test.c -@@ -19,15 +19,15 @@ need a random number generator - #endif /* no random */ - - krb5_keyblock test1[] = { -- {0, ENCTYPE_DES_CBC_CRC, 0, 0}, -+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0}, - {-1}, - }; - krb5_keyblock test2[] = { -- {0, ENCTYPE_DES_CBC_CRC, 0, 0}, -+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0}, - {-1}, - }; - krb5_keyblock test3[] = { -- {0, ENCTYPE_DES_CBC_CRC, 0, 0}, -+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0}, - {-1}, - }; - -diff --git a/src/lib/krb5/keytab/t_keytab.c b/src/lib/krb5/keytab/t_keytab.c -index c845596d6..ea4ce6819 100644 ---- a/src/lib/krb5/keytab/t_keytab.c -+++ b/src/lib/krb5/keytab/t_keytab.c -@@ -96,6 +96,8 @@ kt_test(krb5_context context, const char *name) - krb5_principal princ; - krb5_kt_cursor cursor, cursor2; - int cnt; -+ krb5_enctype e1 = ENCTYPE_AES128_CTS_HMAC_SHA256_128, -+ e2 = ENCTYPE_AES256_CTS_HMAC_SHA384_192; - - kret = krb5_kt_resolve(context, name, &kt); - CHECK(kret, "resolve"); -@@ -139,9 +141,9 @@ kt_test(krb5_context context, const char *name) - /* =================== Add entries to keytab ================= */ - /* - * Add the following for this principal -- * enctype 1, kvno 1, key = "1" -- * enctype 2, kvno 1, key = "1" -- * enctype 1, kvno 2, key = "2" -+ * enctype e1, kvno 1, key = "1" -+ * enctype e2, kvno 1, key = "1" -+ * enctype e1, kvno 2, key = "2" - */ - memset(&kent, 0, sizeof(kent)); - kent.magic = KV5M_KEYTAB_ENTRY; -@@ -149,7 +151,7 @@ kt_test(krb5_context context, const char *name) - kent.timestamp = 327689; - kent.vno = 1; - kent.key.magic = KV5M_KEYBLOCK; -- kent.key.enctype = 1; -+ kent.key.enctype = e1; - kent.key.length = 1; - kent.key.contents = (krb5_octet *) "1"; - -@@ -157,11 +159,11 @@ kt_test(krb5_context context, const char *name) - kret = krb5_kt_add_entry(context, kt, &kent); - CHECK(kret, "Adding initial entry"); - -- kent.key.enctype = 2; -+ kent.key.enctype = e2; - kret = krb5_kt_add_entry(context, kt, &kent); - CHECK(kret, "Adding second entry"); - -- kent.key.enctype = 1; -+ kent.key.enctype = e1; - kent.vno = 2; - kent.key.contents = (krb5_octet *) "2"; - kret = krb5_kt_add_entry(context, kt, &kent); -@@ -183,7 +185,7 @@ kt_test(krb5_context context, const char *name) - cnt = 0; - while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) { - if(((kent.vno != 1) && (kent.vno != 2)) || -- ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || -+ ((kent.key.enctype != e1) && (kent.key.enctype != e2)) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Error in read contents\n"); -@@ -231,7 +233,7 @@ kt_test(krb5_context context, const char *name) - /* Ensure a valid answer - we did not specify an enctype or kvno */ - if (!krb5_principal_compare(context, princ, kent.principal) || - ((kent.vno != 1) && (kent.vno != 2)) || -- ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || -+ ((kent.key.enctype != e1) && (kent.key.enctype != e2)) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); -@@ -243,12 +245,12 @@ kt_test(krb5_context context, const char *name) - /* Try to lookup a specific enctype - but unspecified kvno - should give - * max kvno - */ -- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); -+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent); - CHECK(kret, "looking up principal"); - - /* Ensure a valid answer - we did specified an enctype */ - if (!krb5_principal_compare(context, princ, kent.principal) || -- (kent.vno != 2) || (kent.key.enctype != 1) || -+ (kent.vno != 2) || (kent.key.enctype != e1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); -@@ -266,7 +268,7 @@ kt_test(krb5_context context, const char *name) - - /* Ensure a valid answer - we did not specify a kvno */ - if (!krb5_principal_compare(context, princ, kent.principal) || -- (kent.vno != 2) || (kent.key.enctype != 1) || -+ (kent.vno != 2) || (kent.key.enctype != e1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); -@@ -281,11 +283,11 @@ kt_test(krb5_context context, const char *name) - - /* Try to lookup specified enctype and kvno */ - -- kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent); -+ kret = krb5_kt_get_entry(context, kt, princ, 1, e1, &kent); - CHECK(kret, "looking up principal"); - - if (!krb5_principal_compare(context, princ, kent.principal) || -- (kent.vno != 1) || (kent.key.enctype != 1) || -+ (kent.vno != 1) || (kent.key.enctype != e1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); -@@ -334,7 +336,7 @@ kt_test(krb5_context context, const char *name) - - /* Try to lookup specified enctype and kvno - that does not exist*/ - -- kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent); -+ kret = krb5_kt_get_entry(context, kt, princ, 3, e1, &kent); - CHECK_ERR(kret, KRB5_KT_KVNONOTFOUND, - "looking up specific principal, kvno, enctype"); - -@@ -347,12 +349,12 @@ kt_test(krb5_context context, const char *name) - kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ); - CHECK(kret, "parsing principal"); - -- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); -+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent); - CHECK(kret, "looking up principal"); - -- /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */ -+ /* Ensure a valid answer - we are looking for max(kvno) and enc=e1 */ - if (!krb5_principal_compare(context, princ, kent.principal) || -- (kent.vno != 2) || (kent.key.enctype != 1) || -+ (kent.vno != 2) || (kent.key.enctype != e1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Retrieved principal does not check\n"); -@@ -368,12 +370,12 @@ kt_test(krb5_context context, const char *name) - krb5_free_keytab_entry_contents(context, &kent); - /* And ensure gone */ - -- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); -+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent); - CHECK(kret, "looking up principal"); - - /* Ensure a valid answer - kvno should now be 1 - we deleted 2 */ - if (!krb5_principal_compare(context, princ, kent.principal) || -- (kent.vno != 1) || (kent.key.enctype != 1) || -+ (kent.vno != 1) || (kent.key.enctype != e1) || - (kent.key.length != 1) || - (kent.key.contents[0] != kent.vno +'0')) { - fprintf(stderr, "Delete principal check failed\n"); -diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c -index 317637684..f609e938a 100644 ---- a/src/lib/krb5/krb/t_etypes.c -+++ b/src/lib/krb5/krb/t_etypes.c -@@ -36,20 +36,6 @@ static struct { - krb5_error_code expected_err_noweak; - krb5_error_code expected_err_weak; - } tests[] = { -- /* Empty string, unused default list */ -- { "", -- { ENCTYPE_DES_CBC_CRC, 0 }, -- { 0 }, -- { 0 }, -- 0, 0 -- }, -- /* Single weak enctype */ -- { "des-cbc-md4", -- { 0 }, -- { 0 }, -- { ENCTYPE_DES_CBC_MD4, 0 }, -- 0, 0 -- }, - /* Single non-weak enctype */ - { "aes128-cts-hmac-sha1-96", - { 0 }, -@@ -57,35 +43,11 @@ static struct { - { ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, - 0, 0 - }, -- /* Two enctypes, one an alias, one weak */ -- { "rc4-hmac des-cbc-md5", -- { 0 }, -- { ENCTYPE_ARCFOUR_HMAC, 0 }, -- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, 0 }, -- 0, 0 -- }, -- /* Three enctypes, all weak, case variation, funky separators */ -- { " deS-HMac-shA1 , arCFour-hmaC-mD5-exp\tdeS3-Cbc-RAw\n", -- { 0 }, -- { 0 }, -- { ENCTYPE_DES_HMAC_SHA1, ENCTYPE_ARCFOUR_HMAC_EXP, -- ENCTYPE_DES3_CBC_RAW, 0 }, -- 0, 0 -- }, -- /* Default set with enctypes added (one weak in each pair) */ -- { "DEFAULT des-cbc-raw +des3-hmac-sha1", -- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, 0 }, -- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 }, -- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, -- ENCTYPE_DES_CBC_RAW, ENCTYPE_DES3_CBC_SHA1, 0 }, -- 0, 0 -- }, - /* Default set with enctypes removed */ - { "default -aes128-cts -des-hmac-sha1", -- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, -- ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_HMAC_SHA1, 0 }, -+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, -+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, -- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_MD5, 0 }, - 0, 0 - }, - /* Family followed by enctype */ -@@ -105,31 +67,22 @@ static struct { - { ENCTYPE_CAMELLIA128_CTS_CMAC, 0 }, - { ENCTYPE_CAMELLIA128_CTS_CMAC, 0 } - }, -- /* Enctype followed by two families */ -- { "+rc4-hmAC des3 +des", -- { 0 }, -- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 }, -- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, -- ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4 }, -- 0, 0 -- }, - /* Default set with family added and enctype removed */ - { "DEFAULT +aes -arcfour-hmac-md5", -- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, 0 }, -+ { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 }, - { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, - ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192, - ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 }, -- { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, -+ { ENCTYPE_DES3_CBC_SHA1, - ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, - 0 }, - 0, 0 - }, - /* Default set with families removed and enctypes added (one redundant) */ -- { "DEFAULT -des -des3 rc4-hmac rc4-hmac-exp", -+ { "DEFAULT -des3 rc4-hmac rc4-hmac-exp", - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, -- ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, -- ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4, 0 }, -+ ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, 0 }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_ARCFOUR_HMAC, 0 }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, -@@ -158,17 +111,17 @@ static struct { - }, - /* Test krb5_set_default_in_tkt_ktypes */ - { NULL, -- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, -- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 }, -+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, -+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, - 0, 0 - }, - /* Should get KRB5_CONFIG_ETYPE_NOSUPP if app-provided list has no strong - * enctypes and allow_weak_crypto=false. */ - { NULL, -- { ENCTYPE_DES_CBC_CRC, 0 }, -+ { ENCTYPE_ARCFOUR_HMAC_EXP, 0 }, - { 0 }, -- { ENCTYPE_DES_CBC_CRC, 0 }, -+ { ENCTYPE_ARCFOUR_HMAC_EXP, 0 }, - KRB5_CONFIG_ETYPE_NOSUPP, 0 - }, - /* Should get EINVAL if app provides an empty list. */ -diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c -index 1d6cceaa2..f1a8c2553 100644 ---- a/src/lib/krb5/krb/t_ser.c -+++ b/src/lib/krb5/krb/t_ser.c -@@ -272,7 +272,7 @@ ser_acontext_test(krb5_context kcontext, int verbose) - KV5M_AUTH_CONTEXT))) { - memset(&ukeyblock, 0, sizeof(ukeyblock)); - memset(keydata, 0, sizeof(keydata)); -- ukeyblock.enctype = ENCTYPE_DES_CBC_MD5; -+ ukeyblock.enctype = ENCTYPE_AES128_CTS_HMAC_SHA256_128; - ukeyblock.length = sizeof(keydata); - ukeyblock.contents = keydata; - keydata[0] = 0xde; -diff --git a/src/lib/krb5/os/t_trace.c b/src/lib/krb5/os/t_trace.c -index 5aea68e8d..10ba8d0ac 100644 ---- a/src/lib/krb5/os/t_trace.c -+++ b/src/lib/krb5/os/t_trace.c -@@ -204,7 +204,7 @@ main (int argc, char *argv[]) - padatap = NULL; - - TRACE(ctx, "krb5_enctype, display shortest name of enctype: {etype}", -- ENCTYPE_DES_CBC_CRC); -+ ENCTYPE_AES128_CTS_HMAC_SHA1_96); - TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", enctypes); - TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", NULL); - -diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref -index bd5d9b6b6..044a66999 100644 ---- a/src/lib/krb5/os/t_trace.ref -+++ b/src/lib/krb5/os/t_trace.ref -@@ -40,7 +40,7 @@ int, krb5_principal type: NT 4 style name and SID - int, krb5_principal type: ? - krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0 - krb5_pa_data **, display list of padata type numbers: (empty) --krb5_enctype, display shortest name of enctype: des-cbc-crc -+krb5_enctype, display shortest name of enctype: aes128-cts - krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511 - krb5_enctype *, display list of enctypes: (empty) - krb5_ccache, display type:name: FILE:/path/to/ccache -diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c -index 6bf6e54ac..258377299 100644 ---- a/src/tests/asn.1/ktest.c -+++ b/src/tests/asn.1/ktest.c -@@ -893,7 +893,7 @@ ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p) - void - ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p) - { -- p->enctype = ENCTYPE_DES_CBC_CRC; -+ p->enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; - ktest_make_sample_data(&p->as_req); - ktest_make_sample_data(&p->pk_as_rep); - } -diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out -index 3b0f7190a..55a60bbef 100644 ---- a/src/tests/asn.1/pkinit_encode.out -+++ b/src/tests/asn.1/pkinit_encode.out -@@ -10,4 +10,4 @@ encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 - encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 - encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A - encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 --encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 01 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 -+encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 -diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out -index f9edbe154..9557188a8 100644 ---- a/src/tests/asn.1/pkinit_trval.out -+++ b/src/tests/asn.1/pkinit_trval.out -@@ -145,6 +145,6 @@ encode_krb5_sp80056a_other_info: - encode_krb5_pkinit_supp_pub_info: - - [Sequence/Sequence Of] --. [0] [Integer] 1 -+. [0] [Integer] 20 - . [1] [Octet String] "krb5data" - . [2] [Octet String] "krb5data" -diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp -index c061d764e..e8adee234 100644 ---- a/src/tests/dejagnu/config/default.exp -+++ b/src/tests/dejagnu/config/default.exp -@@ -16,21 +16,6 @@ set stty_init {erase \^h kill \^u} - set env(TERM) dumb - - set des3_krbtgt 0 --set tgt_support_desmd5 0 -- --# The names of the individual passes must be unique; lots of things --# depend on it. The PASSES variable may not contain comments; only --# small pieces get evaluated, so comments will do strange things. -- --# Most of the purpose of using multiple passes is to exercise the --# dependency of various bugs on configuration file settings, --# particularly with regards to encryption types. -- --# The des.no-kdc-md5 pass will fail if the KDC does not constrain --# session key enctypes to those in its permitted_enctypes list. It --# works by assuming enctype similarity, thus allowing the client to --# request a des-cbc-md4 session key. Since only des-cbc-crc is in the --# KDC's permitted_enctypes list, the TGT will be unusable. - - if { [string length $VALGRIND] } { - rename spawn valgrind_aux_spawn -@@ -111,47 +96,21 @@ if { $PRIOCNTL_HACK } { - } - } - --# The des.des3-tgt.no-kdc-des3 pass will fail if the KDC doesn't --# constrain ticket key enctypes to those in permitted_enctypes. It --# does this by not putting des3 in the permitted_enctypes, while --# creating a TGT princpal that has a des3 key as well as a des key. -+# The names of the individual passes must be unique; lots of things -+# depend on it. The PASSES variable may not contain comments; only -+# small pieces get evaluated, so comments will do strange things. - --# XXX -- master_key_type is fragile w.r.t. permitted_enctypes; it is --# possible to configure things such that you have a master_key_type --# that is not permitted, and the error message used to be cryptic. -+# Most of the purpose of using multiple passes is to exercise the -+# dependency of various bugs on configuration file settings, -+# particularly with regards to encryption types. - - set passes { -- { -- des -- mode=udp -- des3_krbtgt=0 -- {supported_enctypes=des-cbc-crc:normal} -- {dummy=[verbose -log "DES TGT, DES enctype"]} -- } -- { -- des.des3tgt -- mode=udp -- des3_krbtgt=1 -- {supported_enctypes=des-cbc-crc:normal} -- {dummy=[verbose -log "DES3 TGT, DES enctype"]} -- } - { - des3 - mode=udp - des3_krbtgt=1 -- {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal} -- {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]} -- } -- { -- aes-des -- mode=udp -- des3_krbtgt=0 -- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal} -- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des-cbc-crc} -- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des-cbc-crc} -- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des-cbc-crc} -- {master_key_type=aes256-cts-hmac-sha1-96} -- {dummy=[verbose -log "AES + DES enctypes"]} -+ {supported_enctypes=des3-cbc-sha1:normal} -+ {dummy=[verbose -log "DES3 TGT, DES3 enctype"]} - } - { - aes-only -@@ -220,10 +179,10 @@ set passes { - aes-des3 - mode=udp - des3_krbtgt=0 -- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} -- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} -- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} -- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} -+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal} -+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} - {master_key_type=aes256-cts-hmac-sha1-96} - {dummy=[verbose -log "AES + DES3 + DES enctypes"]} - } -@@ -231,12 +190,12 @@ set passes { - aes-des3tgt - mode=udp - des3_krbtgt=1 -- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} -- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} -- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} -- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} -+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal} -+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} - {master_key_type=aes256-cts-hmac-sha1-96} -- {dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]} -+ {dummy=[verbose -log "AES enctypes, DES3 TGT"]} - } - { - all-enctypes -@@ -248,115 +207,8 @@ set passes { - {allow_weak_crypto(server)=false} - {dummy=[verbose -log "all default enctypes"]} - } -- { -- des.no-kdc-md5 -- mode=udp -- des3_krbtgt=0 -- tgt_support_desmd5=0 -- {permitted_enctypes(kdc)=des-cbc-crc} -- {default_tgs_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc} -- {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc} -- {supported_enctypes=des-cbc-crc:normal} -- {master_key_type=des-cbc-crc} -- {dummy=[verbose -log \ -- "DES TGT, KDC permitting only des-cbc-crc"]} -- } -- { -- des.des3-tgt.no-kdc-des3 -- mode=udp -- tgt_support_desmd5=0 -- {permitted_enctypes(kdc)=des-cbc-crc} -- {default_tgs_enctypes(client)=des-cbc-crc} -- {default_tkt_enctypes(client)=des-cbc-crc} -- {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal} -- {master_key_type=des-cbc-crc} -- {dummy=[verbose -log \ -- "DES3 TGT, KDC permitting only des-cbc-crc"]} -- } - } - --# des.md5-tgt is set as unused, since it won't trigger the error case --# if SUPPORT_DESMD5 isn't honored. -- --# The des.md5-tgt pass will fail if enctype similarity is inconsisent; --# between 1.0.x and 1.1, the decrypt functions became more strict --# about matching enctypes, while the KDB retrieval functions didn't --# coerce the enctype to match what was requested. It works by setting --# SUPPORT_DESMD5 on the TGT principal, forcing an enctype of --# des-cbc-md5 on the TGT key. Since the database only contains a --# des-cbc-crc key, the decrypt will fail if enctypes are not coerced. -- --# des.no-kdc-md5.client-md4-skey is retained in unsed_passes, even --# though des.no-kdc-md5 is roughly equivalent, since the associated --# comment needs additional investigation at some point re the kadmin --# client. -- --# The des.no-kdc-md5.client-md4-skey will fail on TGS requests due to --# the KDC issuing session keys that it won't accept. It will also --# fail for a kadmin client, but for different reasons, since the kadm5 --# library does some curious filtering of enctypes, and also uses --# get_in_tkt() rather than get_init_creds(); the former does an --# intersection of the enctypes provided by the caller and those listed --# in the config file! -- --set unused_passes { -- { -- des.md5-tgt -- des3_krbtgt=0 -- tgt_support_desmd5=1 -- supported_enctypes=des-cbc-crc:normal -- {permitted_enctypes(kdc)=des-cbc-md5 des-cbc-md4 des-cbc-crc} -- {permitted_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc} -- {dummy=[verbose -log "DES TGT, SUPPORTS_DESMD5"]} -- } -- { -- des.md5-tgt.no-kdc-md5 -- des3_krbtgt=0 -- tgt_support_desmd5=1 -- {permitted_enctypes(kdc)=des-cbc-crc} -- {default_tgs_enctypes(client)=des-cbc-crc} -- {default_tkt_enctypes(client)=des-cbc-crc} -- {supported_enctypes=des-cbc-crc:normal} -- {master_key_type=des-cbc-crc} -- {dummy=[verbose -log \ -- "DES TGT, SUPPORTS_DESMD5, KDC permitting only des-cbc-crc"]} -- } -- { -- des.no-kdc-md5.client-md4-skey -- des3_krbtgt=0 -- {permitted_enctypes(kdc)=des-cbc-crc} -- {permitted_enctypes(client)=des-cbc-crc des-cbc-md4} -- {default_tgs_enctypes(client)=des-cbc-crc des-cbc-md4} -- {default_tkt_enctypes(client)=des-cbc-md4} -- {supported_enctypes=des-cbc-crc:normal} -- {dummy=[verbose -log \ -- "DES TGT, DES enctype, KDC permitting only des-cbc-crc, client requests des-cbc-md4 session key"]} -- } -- { -- all-enctypes -- des3_krbtgt=1 -- {supported_enctypes=\ -- aes256-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:norealm \ -- aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \ -- des3-cbc-sha1:normal des3-cbc-sha1:none \ -- des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \ -- } -- {dummy=[verbose -log "DES3 TGT, default enctypes"]} -- } -- { -- aes-tcp -- mode=tcp -- des3_krbtgt=0 -- {supported_enctypes=aes256-cts-hmac-sha1-96:normal} -- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96} -- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96} -- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96} -- {master_key_type=aes256-cts-hmac-sha1-96} -- {dummy=[verbose -log "AES via TCP"]} -- } --} --# {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal } -- - # This shouldn't be necessary on dejagnu-1.4 and later, but 1.3 seems - # to need it because its runtest.exp doesn't deal with PASS at all. - if [info exists PASS] { -@@ -1095,7 +947,7 @@ proc setup_kerberos_db { standalone } { - global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY - global tmppwd hostname - global spawn_id -- global des3_krbtgt tgt_support_desmd5 -+ global des3_krbtgt - global multipass_name last_passname_db - - set failall 0 -@@ -1334,48 +1186,6 @@ proc setup_kerberos_db { standalone } { - } - } - } -- if $tgt_support_desmd5 { -- # Make TGT support des-cbc-md5 -- set test "kadmin.local TGT to SUPPORT_DESMD5" -- set body { -- if $failall { -- break -- } -- spawn $KADMIN_LOCAL -r $REALMNAME -- verbose "starting $test" -- expect_after $def_exp_after -- -- expect "kadmin.local: " -- send "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r" -- # It echos... -- expect "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r" -- expect { -- "Principal \"krbtgt/$REALMNAME@$REALMNAME\" modified.\r\n" { } -- } -- expect "kadmin.local: " -- send "quit\r" -- expect eof -- catch expect_after -- if ![check_exit_status kadmin_local] { -- break -- } -- } -- set ret [catch $body] -- catch "expect eof" -- catch expect_after -- if $ret { -- set failall 1 -- if $standalone { -- fail $test -- } else { -- delete_db -- } -- } else { -- if $standalone { -- pass $test -- } -- } -- } - envstack_pop - - # create the admin database lock file -diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c -index 2a332a8ae..9876a11e6 100644 ---- a/src/tests/gssapi/t_invalid.c -+++ b/src/tests/gssapi/t_invalid.c -@@ -84,17 +84,6 @@ struct test { - size_t toklen; - const char *token; - } tests[] = { -- { -- ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_RAW, -- SEAL_ALG_DES, SGN_ALG_DES_MAC_MD5, 8, -- 8, -- "\x26\xEC\xBA\xB6\xFE\xBA\x91\xCE", -- 53, -- "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x00" -- "\x00\x00\x00\xFF\xFF\xF0\x0B\x90\x7B\xC4\xFC\xEB\xF4\x84\x9C\x5A" -- "\xA8\x56\x41\x3E\xE1\x62\xEE\x38\xD1\x34\x9A\xE3\xFB\xC9\xFD\x0A" -- "\xDC\x83\xE1\x4A\xE4" -- }, - { - ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW, - SEAL_ALG_DES3KD, SGN_ALG_HMAC_SHA1_DES3_KD, 20, -@@ -160,8 +149,6 @@ make_fake_context(const struct test *test) - gss_union_ctx_id_t uctx; - krb5_gss_ctx_id_t kgctx; - krb5_keyblock kb; -- unsigned char encbuf[8]; -- size_t i; - - kgctx = calloc(1, sizeof(*kgctx)); - if (kgctx == NULL) -@@ -184,11 +171,6 @@ make_fake_context(const struct test *test) - if (krb5_k_create_key(NULL, &kb, &kgctx->seq) != 0) - abort(); - -- if (kb.enctype == ENCTYPE_DES_CBC_RAW) { -- for (i = 0; i < 8; i++) -- encbuf[i] = kb.contents[i] ^ 0xF0; -- kb.contents = encbuf; -- } - if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0) - abort(); - -@@ -248,7 +230,7 @@ test_bogus_1964_token(gss_ctx_id_t ctx) - gss_iov_buffer_desc iov; - - store_16_be(KG_TOK_SIGN_MSG, tokbuf); -- store_16_le(SGN_ALG_DES_MAC_MD5, tokbuf + 2); -+ store_16_le(SGN_ALG_HMAC_MD5, tokbuf + 2); - store_16_le(SEAL_ALG_NONE, tokbuf + 4); - store_16_le(0xFFFF, tokbuf + 6); - memset(tokbuf + 8, 0, 16); -diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c -index c40ea434c..7368f752f 100644 ---- a/src/tests/gssapi/t_pcontok.c -+++ b/src/tests/gssapi/t_pcontok.c -@@ -43,7 +43,6 @@ - #include "k5-int.h" - #include "common.h" - --#define SGN_ALG_DES_MAC_MD5 0x00 - #define SGN_ALG_HMAC_SHA1_DES3_KD 0x04 - #define SGN_ALG_HMAC_MD5 0x11 - -@@ -78,11 +77,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out) - ret = krb5_k_create_key(context, &seqkb, &seq); - check_k5err(context, "krb5_k_create_key", ret); - -- if (signalg == SGN_ALG_DES_MAC_MD5) { -- cktype = CKSUMTYPE_RSA_MD5; -- cksize = 8; -- ckusage = 0; -- } else if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) { -+ if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) { - cktype = CKSUMTYPE_HMAC_SHA1_DES3; - cksize = 20; - ckusage = 23; -@@ -122,15 +117,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out) - d = make_data(ptr - 8, 8); - ret = krb5_k_make_checksum(context, cktype, seq, ckusage, &d, &cksum); - check_k5err(context, "krb5_k_make_checksum", ret); -- if (signalg == SGN_ALG_DES_MAC_MD5) { -- iov.flags = KRB5_CRYPTO_TYPE_DATA; -- iov.data = make_data(cksum.contents, 16); -- ret = krb5_k_encrypt_iov(context, seq, 0, NULL, &iov, 1); -- check_k5err(context, "krb5_k_encrypt_iov", ret); -- memcpy(ptr + 8, cksum.contents + 8, 8); -- } else { -- memcpy(ptr + 8, cksum.contents, cksize); -- } -+ memcpy(ptr + 8, cksum.contents, cksize); - - /* Create the sequence number (8 bytes). */ - iov.flags = KRB5_CRYPTO_TYPE_DATA; -diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c -index 6a698ce0f..f71774cdc 100644 ---- a/src/tests/gssapi/t_prf.c -+++ b/src/tests/gssapi/t_prf.c -@@ -41,13 +41,6 @@ static struct { - const char *key2; - const char *out2; - } tests[] = { -- { ENCTYPE_DES_CBC_CRC, -- "E607FE9DABB57AE0", -- "803C4121379FC4B87CE413B67707C4632EBED2C6D6B7" -- "2A55E878836E35E21600D915D590DED5B6D77BB30A1F", -- "54758316B6257A75", -- "279E4105F7ADC9BD6EF28ABE31D89B442FE0058388BA" -- "33264ACB5729562DC637950F6BD144B654BE7700B2D6" }, - { ENCTYPE_DES3_CBC_SHA1, - "70378A19CD64134580C27C0115D6B34A1CF2FEECEF9886A2", - "9F8D127C520BB826BFF3E0FE5EF352389C17E0C073D9" -diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py -index c21d054f1..2a052fc17 100644 ---- a/src/tests/t_etype_info.py -+++ b/src/tests/t_etype_info.py -@@ -24,7 +24,7 @@ def test_etinfo(princ, enctypes, expected_lines): - # With no newer enctypes in the request, PA-ETYPE-INFO2, - # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one - # key for the most preferred matching enctype. --test_etinfo('user', 'rc4-hmac-exp des3 rc4 des-cbc-crc', -+test_etinfo('user', 'rc4-hmac-exp des3 rc4', - ['asrep etype_info2 des3-cbc-sha1 KRBTEST.COMuser', - 'asrep etype_info des3-cbc-sha1 KRBTEST.COMuser', - 'asrep pw_salt KRBTEST.COMuser']) -@@ -37,7 +37,7 @@ test_etinfo('user', 'rc4 aes256-cts', - - # In preauth-required errors, PA-PW-SALT does not appear, but the same - # etype-info2 values are expected. --test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc', -+test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4', - ['error etype_info2 des3-cbc-sha1 KRBTEST.COMpreauthuser', - 'error etype_info des3-cbc-sha1 KRBTEST.COMpreauthuser']) - test_etinfo('preauthuser', 'rc4 aes256-cts', -diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py -index 4af6804f2..2c825a692 100755 ---- a/src/tests/t_keyrollover.py -+++ b/src/tests/t_keyrollover.py -@@ -2,7 +2,7 @@ from k5test import * - - rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}} - --realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal', -+realm = K5Realm(krbtgt_keysalt='aes128-cts-hmac-sha256-128:normal', - krb5_conf=rollover_krb5_conf) - - princ1 = 'host/test1@%s' % (realm.realm,) -@@ -22,9 +22,9 @@ realm.run([kvno, princ1]) - realm.run([kadminl, 'purgekeys', realm.krbtgt_princ]) - # Make sure an old TGT fails after purging old TGS key. - realm.run([kvno, princ2], expected_code=1) --ddes = "DEPRECATED:des-cbc-crc" -+et = "aes128-cts-hmac-sha256-128" - msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \ -- (realm.realm, realm.realm, ddes, ddes) -+ (realm.realm, realm.realm, et, et) - realm.run([klist, '-e'], expected_msg=msg) - - # Check that new key actually works. -diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py -index 008efcb03..65084bbf3 100755 ---- a/src/tests/t_salt.py -+++ b/src/tests/t_salt.py -@@ -22,7 +22,7 @@ salts = [('des3-cbc-sha1', 'norealm'), - # These enctypes are chosen to cover the different string-to-key routines. - # Omit ":normal" from aes256 to check that salttype defaulting works. - second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal', -- 'des3-cbc-sha1:normal', 'des-cbc-crc:normal'] -+ 'des3-cbc-sha1:normal'] - - # Test using different salt types in a principal's key list. - # Parameters from one key in the list must not leak over to later ones. -diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py -index da02f224a..621b27156 100755 ---- a/src/tests/t_sesskeynego.py -+++ b/src/tests/t_sesskeynego.py -@@ -23,13 +23,7 @@ conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}} - conf3 = {'libdefaults': { - 'allow_weak_crypto': 'true', - 'default_tkt_enctypes': 'aes128-cts', -- 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}} --conf4 = {'libdefaults': { -- 'allow_weak_crypto': 'true', -- 'default_tkt_enctypes': 'aes256-cts', -- 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'}, -- 'realms': {'$realm': {'des_crc_session_supported': 'false'}}} -- -+ 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} - # Test with client request and session_enctypes preferring aes128, but - # aes256 long-term key. - realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) -@@ -63,16 +57,6 @@ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') - realm.run([kadminl, 'setstr', 'server', 'session_enctypes', - 'rc4-hmac,aes128-cts,aes256-cts']) - test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') -- --# 3c: Test des-cbc-crc default assumption. --realm.run([kadminl, 'delstr', 'server', 'session_enctypes']) --test_kvno(realm, 'DEPRECATED:des-cbc-crc', 'aes256-cts-hmac-sha1-96') --realm.stop() -- --# Last go: test that we can disable the des-cbc-crc assumption --realm = K5Realm(krb5_conf=conf4, get_creds=False) --realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) --test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') - realm.stop() - - success('sesskeynego') -diff --git a/src/util/k5test.py b/src/util/k5test.py -index b6d93f1d8..da2782e15 100644 ---- a/src/util/k5test.py -+++ b/src/util/k5test.py -@@ -1307,7 +1307,7 @@ _passes = [ - 'master_key_type': 'aes256-sha2'}}}), - - # Test a setup with modern principal keys but an old TGT key. -- ('aes256.destgt', 'des-cbc-crc:normal', -+ ('aes256.destgt', 'arcfour-hmac:normal', - {'libdefaults': {'allow_weak_crypto': 'true'}}, - None) - ] diff --git a/Use-backported-version-of-OpenSSL-3-KDF-interface.patch b/Use-backported-version-of-OpenSSL-3-KDF-interface.patch index 28bd9f9..d0f57c8 100644 --- a/Use-backported-version-of-OpenSSL-3-KDF-interface.patch +++ b/Use-backported-version-of-OpenSSL-3-KDF-interface.patch @@ -1,19 +1,19 @@ -From bdb78f9d3fbf9abccec9b41709bb0131e9ec28d6 Mon Sep 17 00:00:00 2001 +From 9d887898571744f5ea0a523c7fba9d86d9cf8588 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 15 Nov 2019 20:05:16 +0000 Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface --- - src/configure.in | 4 + + src/configure.ac | 4 + src/lib/crypto/krb/derive.c | 356 +++++++++++++----- .../preauth/pkinit/pkinit_crypto_openssl.c | 257 ++++++++----- 3 files changed, 428 insertions(+), 189 deletions(-) -diff --git a/src/configure.in b/src/configure.in -index 1df6f18fc..3bd5e683d 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -269,6 +269,10 @@ AC_SUBST(CRYPTO_IMPL) +diff --git a/src/configure.ac b/src/configure.ac +index d4e4da525..29be532cb 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -282,6 +282,10 @@ AC_SUBST(CRYPTO_IMPL) AC_SUBST(CRYPTO_IMPL_CFLAGS) AC_SUBST(CRYPTO_IMPL_LIBS) diff --git a/Use-imported-soft-pkcs11-for-tests.patch b/Use-imported-soft-pkcs11-for-tests.patch deleted file mode 100644 index 96dd953..0000000 --- a/Use-imported-soft-pkcs11-for-tests.patch +++ /dev/null @@ -1,471 +0,0 @@ -From 923cafe924fa08c1b35ca11d5473a255d629592d Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Thu, 20 Jun 2019 13:41:57 -0400 -Subject: [PATCH] Use imported soft-pkcs11 for tests - -Update the soft-pkcs11 code for OpenSSL 1.1, fix some warnings, -integrate it into the build system, and use it for the PKINIT tests. - -(cherry picked from commit e5ef7b69765353ea62ad8712a229ed4e90a8fe17) ---- - src/configure.in | 1 + - src/tests/Makefile.in | 2 +- - src/tests/softpkcs11/Makefile.in | 21 ++++ - src/tests/softpkcs11/deps | 6 ++ - src/tests/softpkcs11/main.c | 124 +++++++++++++++++------- - src/tests/softpkcs11/softpkcs11.exports | 39 ++++++++ - src/tests/t_pkinit.py | 18 +--- - 7 files changed, 162 insertions(+), 49 deletions(-) - create mode 100644 src/tests/softpkcs11/Makefile.in - create mode 100644 src/tests/softpkcs11/deps - create mode 100644 src/tests/softpkcs11/softpkcs11.exports - -diff --git a/src/configure.in b/src/configure.in -index 3e3b95e49..1df6f18fc 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1086,6 +1086,7 @@ int i = 1; - fi - if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then - K5_GEN_MAKEFILE(plugins/preauth/pkinit) -+ K5_GEN_MAKEFILE(tests/softpkcs11) - PKINIT=yes - AC_CHECK_LIB(crypto, CMS_get0_content, [AC_DEFINE([HAVE_OPENSSL_CMS], 1, [Define if OpenSSL supports cms.])]) - elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then -diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in -index d2a37c616..8fa44fb59 100644 ---- a/src/tests/Makefile.in -+++ b/src/tests/Makefile.in -@@ -1,7 +1,7 @@ - mydir=tests - BUILDTOP=$(REL).. - SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \ -- gss-threads misc threads -+ gss-threads misc threads softpkcs11 - - RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ - LC_ALL=C $(VALGRIND) -diff --git a/src/tests/softpkcs11/Makefile.in b/src/tests/softpkcs11/Makefile.in -new file mode 100644 -index 000000000..e89678154 ---- /dev/null -+++ b/src/tests/softpkcs11/Makefile.in -@@ -0,0 +1,21 @@ -+mydir=tests$(S)softpkcs11 -+BUILDTOP=$(REL)..$(S).. -+ -+LOCALINCLUDES = -I$(top_srcdir)/plugins/preauth/pkinit -+ -+LIBBASE=softpkcs11 -+LIBMAJOR=0 -+LIBMINOR=0 -+ -+SHLIB_EXPLIBS=$(SUPPORT_LIB) -lcrypto -+SHLIB_EXPDEPS=$(SUPPORT_DEPLIB) -+ -+STLIBOBJS=main.o -+ -+SRCS=$(srcdir)/main.c -+ -+all-unix: all-libs -+clean-unix:: clean-libs clean-libobjs -+ -+@libnover_frag@ -+@libobj_frag@ -diff --git a/src/tests/softpkcs11/deps b/src/tests/softpkcs11/deps -new file mode 100644 -index 000000000..1e82d9572 ---- /dev/null -+++ b/src/tests/softpkcs11/deps -@@ -0,0 +1,6 @@ -+# -+# Generated makefile dependencies follow. -+# -+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ -+ $(top_srcdir)/plugins/preauth/pkinit/pkcs11.h main.c -diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c -index 2acec5169..5255323d3 100644 ---- a/src/tests/softpkcs11/main.c -+++ b/src/tests/softpkcs11/main.c -@@ -1,3 +1,4 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ - /* - * Copyright (c) 2004-2006, Stockholms universitet - * (Stockholm University, Stockholm Sweden) -@@ -31,7 +32,57 @@ - * POSSIBILITY OF SUCH DAMAGE. - */ - --#include "locl.h" -+#include "k5-platform.h" -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+ -+#include -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa) -+#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay -+#define RSA_get0_key compat_rsa_get0_key -+static void -+compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, -+ const BIGNUM **d) -+{ -+ if (n != NULL) -+ *n = rsa->n; -+ if (e != NULL) -+ *e = rsa->e; -+ if (d != NULL) -+ *d = rsa->d; -+} -+#endif -+ -+#define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R) \ -+ { \ -+ unsigned char *p; \ -+ (BL) = i2d_##T((S), NULL); \ -+ if ((BL) <= 0) { \ -+ (R) = EINVAL; \ -+ } else { \ -+ (B) = malloc((BL)); \ -+ if ((B) == NULL) { \ -+ (R) = ENOMEM; \ -+ } else { \ -+ p = (B); \ -+ (R) = 0; \ -+ (BL) = i2d_##T((S), &p); \ -+ if ((BL) <= 0) { \ -+ free((B)); \ -+ (R) = EINVAL; \ -+ } \ -+ } \ -+ } \ -+ } - - /* RCSID("$Id: main.c,v 1.24 2006/01/11 12:42:53 lha Exp $"); */ - -@@ -124,7 +175,7 @@ st_logf(const char *fmt, ...) - } - - static void --snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...) -+snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...) - { - int len; - va_list ap; -@@ -141,19 +192,19 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...) - #endif - - #define VERIFY_SESSION_HANDLE(s, state) \ --{ \ -- CK_RV ret; \ -- ret = verify_session_handle(s, state); \ -- if (ret != CKR_OK) { \ -- /* return CKR_OK */; \ -- } \ --} -+ { \ -+ CK_RV vshret; \ -+ vshret = verify_session_handle(s, state); \ -+ if (vshret != CKR_OK) { \ -+ /* return CKR_OK */; \ -+ } \ -+ } - - static CK_RV - verify_session_handle(CK_SESSION_HANDLE hSession, - struct session_state **state) - { -- int i; -+ size_t i; - - for (i = 0; i < MAX_NUM_SESSION; i++){ - if (soft_token.state[i].session_handle == hSession) -@@ -361,16 +412,20 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key) - CK_ULONG modulus_bits = 0; - CK_BYTE *exponent = NULL; - size_t exponent_len = 0; -+ RSA *rsa; -+ const BIGNUM *n, *e; - -- modulus_bits = BN_num_bits(key->pkey.rsa->n); -+ rsa = EVP_PKEY_get0_RSA(key); -+ RSA_get0_key(rsa, &n, &e, NULL); -+ modulus_bits = BN_num_bits(n); - -- modulus_len = BN_num_bytes(key->pkey.rsa->n); -+ modulus_len = BN_num_bytes(n); - modulus = malloc(modulus_len); -- BN_bn2bin(key->pkey.rsa->n, modulus); -+ BN_bn2bin(n, modulus); - -- exponent_len = BN_num_bytes(key->pkey.rsa->e); -+ exponent_len = BN_num_bytes(e); - exponent = malloc(exponent_len); -- BN_bn2bin(key->pkey.rsa->e, exponent); -+ BN_bn2bin(e, exponent); - - add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len); - add_object_attribute(o, 0, CKA_MODULUS_BITS, -@@ -378,7 +433,7 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key) - add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT, - exponent, exponent_len); - -- RSA_set_method(key->pkey.rsa, RSA_PKCS1_SSLeay()); -+ RSA_set_method(rsa, RSA_PKCS1_OpenSSL()); - - free(modulus); - free(exponent); -@@ -474,7 +529,7 @@ add_certificate(char *label, - o->u.cert = cert; - public_key = X509_get_pubkey(o->u.cert); - -- switch (EVP_PKEY_type(public_key->type)) { -+ switch (EVP_PKEY_base_id(public_key)) { - case EVP_PKEY_RSA: - key_type = CKK_RSA; - break; -@@ -604,8 +659,8 @@ add_certificate(char *label, - /* XXX verify keytype */ - - if (key_type == CKK_RSA) -- RSA_set_method(o->u.private_key.key->pkey.rsa, -- RSA_PKCS1_SSLeay()); -+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key), -+ RSA_PKCS1_OpenSSL()); - - if (X509_check_private_key(cert, o->u.private_key.key) != 1) { - EVP_PKEY_free(o->u.private_key.key); -@@ -755,8 +810,9 @@ CK_RV - C_Initialize(CK_VOID_PTR a) - { - CK_C_INITIALIZE_ARGS_PTR args = a; -+ size_t i; -+ - st_logf("Initialize\n"); -- int i; - - OpenSSL_add_all_algorithms(); - ERR_load_crypto_strings(); -@@ -825,7 +881,7 @@ C_Initialize(CK_VOID_PTR a) - CK_RV - C_Finalize(CK_VOID_PTR args) - { -- int i; -+ size_t i; - - st_logf("Finalize\n"); - -@@ -1008,7 +1064,7 @@ C_OpenSession(CK_SLOT_ID slotID, - CK_NOTIFY Notify, - CK_SESSION_HANDLE_PTR phSession) - { -- int i; -+ size_t i; - - st_logf("OpenSession: slot: %d\n", (int)slotID); - -@@ -1050,7 +1106,7 @@ C_CloseSession(CK_SESSION_HANDLE hSession) - CK_RV - C_CloseAllSessions(CK_SLOT_ID slotID) - { -- int i; -+ size_t i; - - st_logf("CloseAllSessions\n"); - -@@ -1127,7 +1183,8 @@ C_Login(CK_SESSION_HANDLE hSession, - } - - /* XXX check keytype */ -- RSA_set_method(o->u.private_key.key->pkey.rsa, RSA_PKCS1_SSLeay()); -+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key), -+ RSA_PKCS1_OpenSSL()); - - if (X509_check_private_key(o->u.private_key.cert, o->u.private_key.key) != 1) { - EVP_PKEY_free(o->u.private_key.key); -@@ -1226,7 +1283,6 @@ C_FindObjectsInit(CK_SESSION_HANDLE hSession, - } - if (ulCount) { - CK_ULONG i; -- size_t len; - - print_attributes(pTemplate, ulCount); - -@@ -1415,7 +1471,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession, - return CKR_ARGUMENTS_BAD; - } - -- rsa = o->u.public_key->pkey.rsa; -+ rsa = EVP_PKEY_get0_RSA(o->u.public_key); - - if (rsa == NULL) - return CKR_ARGUMENTS_BAD; -@@ -1445,7 +1501,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession, - goto out; - } - -- if (buffer_len + padding_len < ulDataLen) { -+ if ((CK_ULONG)buffer_len + padding_len < ulDataLen) { - ret = CKR_ARGUMENTS_BAD; - goto out; - } -@@ -1566,7 +1622,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession, - return CKR_ARGUMENTS_BAD; - } - -- rsa = o->u.private_key.key->pkey.rsa; -+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key); - - if (rsa == NULL) - return CKR_ARGUMENTS_BAD; -@@ -1596,7 +1652,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession, - goto out; - } - -- if (buffer_len + padding_len < ulEncryptedDataLen) { -+ if ((CK_ULONG)buffer_len + padding_len < ulEncryptedDataLen) { - ret = CKR_ARGUMENTS_BAD; - goto out; - } -@@ -1725,7 +1781,7 @@ C_Sign(CK_SESSION_HANDLE hSession, - return CKR_ARGUMENTS_BAD; - } - -- rsa = o->u.private_key.key->pkey.rsa; -+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key); - - if (rsa == NULL) - return CKR_ARGUMENTS_BAD; -@@ -1754,7 +1810,7 @@ C_Sign(CK_SESSION_HANDLE hSession, - goto out; - } - -- if (buffer_len < ulDataLen + padding_len) { -+ if ((CK_ULONG)buffer_len < ulDataLen + padding_len) { - ret = CKR_ARGUMENTS_BAD; - goto out; - } -@@ -1872,7 +1928,7 @@ C_Verify(CK_SESSION_HANDLE hSession, - return CKR_ARGUMENTS_BAD; - } - -- rsa = o->u.public_key->pkey.rsa; -+ rsa = EVP_PKEY_get0_RSA(o->u.public_key); - - if (rsa == NULL) - return CKR_ARGUMENTS_BAD; -@@ -1900,7 +1956,7 @@ C_Verify(CK_SESSION_HANDLE hSession, - goto out; - } - -- if (buffer_len < ulDataLen) { -+ if ((CK_ULONG)buffer_len < ulDataLen) { - ret = CKR_ARGUMENTS_BAD; - goto out; - } -@@ -1926,7 +1982,7 @@ C_Verify(CK_SESSION_HANDLE hSession, - if (len > buffer_len) - abort(); - -- if (len != ulSignatureLen) { -+ if ((CK_ULONG)len != ulSignatureLen) { - ret = CKR_GENERAL_ERROR; - goto out; - } -diff --git a/src/tests/softpkcs11/softpkcs11.exports b/src/tests/softpkcs11/softpkcs11.exports -new file mode 100644 -index 000000000..aa7284511 ---- /dev/null -+++ b/src/tests/softpkcs11/softpkcs11.exports -@@ -0,0 +1,39 @@ -+C_CloseAllSessions -+C_CloseSession -+C_Decrypt -+C_DecryptFinal -+C_DecryptInit -+C_DecryptUpdate -+C_DigestInit -+C_Encrypt -+C_EncryptFinal -+C_EncryptInit -+C_EncryptUpdate -+C_Finalize -+C_FindObjects -+C_FindObjectsFinal -+C_FindObjectsInit -+C_GenerateRandom -+C_GetAttributeValue -+C_GetFunctionList -+C_GetInfo -+C_GetMechanismInfo -+C_GetMechanismList -+C_GetObjectSize -+C_GetSessionInfo -+C_GetSlotInfo -+C_GetSlotList -+C_GetTokenInfo -+C_Initialize -+C_InitToken -+C_Login -+C_Logout -+C_OpenSession -+C_Sign -+C_SignFinal -+C_SignInit -+C_SignUpdate -+C_Verify -+C_VerifyFinal -+C_VerifyInit -+C_VerifyUpdate -diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py -index 93f0f2632..69daf4987 100755 ---- a/src/tests/t_pkinit.py -+++ b/src/tests/t_pkinit.py -@@ -4,14 +4,7 @@ from k5test import * - if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')): - skip_rest('PKINIT tests', 'PKINIT module not built') - --# Check if soft-pkcs11.so is available. --try: -- import ctypes -- lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so') -- del lib -- have_soft_pkcs11 = True --except: -- have_soft_pkcs11 = False -+soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so') - - # Construct a krb5.conf fragment configuring pkinit. - certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs') -@@ -69,9 +62,9 @@ p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12 - p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12 - p12_generic_identity = 'PKCS12:%s' % generic_p12 - p12_enc_identity = 'PKCS12:%s' % user_enc_p12 --p11_identity = 'PKCS11:soft-pkcs11.so' --p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:' -- 'slotid=1:token=SoftToken (token)') -+p11_identity = 'PKCS11:' + soft_pkcs11 -+p11_token_identity = ('PKCS11:module_name=' + soft_pkcs11 + -+ ':slotid=1:token=SoftToken (token)') - - # Start a realm with the test kdb module for the following UPN SAN tests. - realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf, -@@ -398,9 +391,6 @@ realm.klist(realm.user_princ) - realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=,'], - expected_code=1, expected_msg='Preauthentication failed while') - --if not have_soft_pkcs11: -- skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found') -- - softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc') - realm.env['SOFTPKCS11RC'] = softpkcs11rc - diff --git a/Use-secure_getenv-where-appropriate.patch b/Use-secure_getenv-where-appropriate.patch deleted file mode 100644 index d8f5832..0000000 --- a/Use-secure_getenv-where-appropriate.patch +++ /dev/null @@ -1,240 +0,0 @@ -From a41dc78bd3a879870eece3bf0a7c66196c90e7e8 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Wed, 24 Apr 2019 16:19:50 -0400 -Subject: [PATCH] Use secure_getenv() where appropriate - -ticket: 8800 -(cherry picked from commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6) ---- - src/lib/kadm5/alt_prof.c | 2 +- - src/lib/krb5/ccache/ccselect_k5identity.c | 2 +- - src/lib/krb5/os/ccdefname.c | 2 +- - src/lib/krb5/os/expand_path.c | 2 +- - src/lib/krb5/os/init_os_ctx.c | 6 +++--- - src/lib/krb5/os/ktdefname.c | 4 ++-- - src/lib/krb5/os/trace.c | 2 +- - src/lib/krb5/rcache/rc_base.c | 4 ++-- - src/lib/krb5/rcache/rc_io.c | 4 ++-- - src/plugins/preauth/pkinit/pkinit_identity.c | 13 ++++--------- - src/plugins/tls/k5tls/openssl.c | 2 +- - src/util/profile/prof_file.c | 2 +- - 12 files changed, 20 insertions(+), 25 deletions(-) - -diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c -index 3f6b53651..5531a10fb 100644 ---- a/src/lib/kadm5/alt_prof.c -+++ b/src/lib/kadm5/alt_prof.c -@@ -73,7 +73,7 @@ krb5_aprof_init(char *fname, char *envname, krb5_pointer *acontextp) - ret = krb5_get_default_config_files(&filenames); - if (ret) - return ret; -- if (envname == NULL || (kdc_config = getenv(envname)) == NULL) -+ if (envname == NULL || (kdc_config = secure_getenv(envname)) == NULL) - kdc_config = fname; - k5_buf_init_dynamic(&buf); - if (kdc_config) -diff --git a/src/lib/krb5/ccache/ccselect_k5identity.c b/src/lib/krb5/ccache/ccselect_k5identity.c -index bee541658..b2dbf8a09 100644 ---- a/src/lib/krb5/ccache/ccselect_k5identity.c -+++ b/src/lib/krb5/ccache/ccselect_k5identity.c -@@ -135,7 +135,7 @@ get_homedir(krb5_context context) - struct passwd pwx, *pwd; - - if (!context->profile_secure) -- homedir = getenv("HOME"); -+ homedir = secure_getenv("HOME"); - - if (homedir == NULL) { - if (k5_getpwuid_r(geteuid(), &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) -diff --git a/src/lib/krb5/os/ccdefname.c b/src/lib/krb5/os/ccdefname.c -index e5cb3e44c..233173d35 100644 ---- a/src/lib/krb5/os/ccdefname.c -+++ b/src/lib/krb5/os/ccdefname.c -@@ -300,7 +300,7 @@ krb5_cc_default_name(krb5_context context) - return os_ctx->default_ccname; - - /* Try the environment variable first. */ -- envstr = getenv(KRB5_ENV_CCNAME); -+ envstr = secure_getenv(KRB5_ENV_CCNAME); - if (envstr != NULL) { - os_ctx->default_ccname = strdup(envstr); - return os_ctx->default_ccname; -diff --git a/src/lib/krb5/os/expand_path.c b/src/lib/krb5/os/expand_path.c -index 61fb23459..4ce466c19 100644 ---- a/src/lib/krb5/os/expand_path.c -+++ b/src/lib/krb5/os/expand_path.c -@@ -280,7 +280,7 @@ expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, - const char *p = NULL; - - if (context == NULL || !context->profile_secure) -- p = getenv("TMPDIR"); -+ p = secure_getenv("TMPDIR"); - *ret = strdup((p != NULL) ? p : "/tmp"); - if (*ret == NULL) - return ENOMEM; -diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c -index 09809b932..3aa86f4ad 100644 ---- a/src/lib/krb5/os/init_os_ctx.c -+++ b/src/lib/krb5/os/init_os_ctx.c -@@ -243,7 +243,7 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) - char *name = 0; - - if (!secure) { -- char *env = getenv("KRB5_CONFIG"); -+ char *env = secure_getenv("KRB5_CONFIG"); - if (env) { - name = strdup(env); - if (!name) return ENOMEM; -@@ -298,7 +298,7 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) - if (secure) { - filepath = DEFAULT_SECURE_PROFILE_PATH; - } else { -- filepath = getenv("KRB5_CONFIG"); -+ filepath = secure_getenv("KRB5_CONFIG"); - if (!filepath) filepath = DEFAULT_PROFILE_PATH; - } - -@@ -344,7 +344,7 @@ add_kdc_config_file(profile_filespec_t **pfiles) - size_t count = 0; - profile_filespec_t *newfiles; - -- file = getenv(KDC_PROFILE_ENV); -+ file = secure_getenv(KDC_PROFILE_ENV); - if (file == NULL) - file = DEFAULT_KDC_PROFILE; - -diff --git a/src/lib/krb5/os/ktdefname.c b/src/lib/krb5/os/ktdefname.c -index ffbd14d51..fbe4e98b4 100644 ---- a/src/lib/krb5/os/ktdefname.c -+++ b/src/lib/krb5/os/ktdefname.c -@@ -42,7 +42,7 @@ kt_default_name(krb5_context context, char **name_out) - *name_out = strdup(krb5_overridekeyname); - return (*name_out == NULL) ? ENOMEM : 0; - } else if (context->profile_secure == FALSE && -- (str = getenv("KRB5_KTNAME")) != NULL) { -+ (str = secure_getenv("KRB5_KTNAME")) != NULL) { - *name_out = strdup(str); - return (*name_out == NULL) ? ENOMEM : 0; - } else if (profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, -@@ -63,7 +63,7 @@ k5_kt_client_default_name(krb5_context context, char **name_out) - char *str; - - if (context->profile_secure == FALSE && -- (str = getenv("KRB5_CLIENT_KTNAME")) != NULL) { -+ (str = secure_getenv("KRB5_CLIENT_KTNAME")) != NULL) { - *name_out = strdup(str); - return (*name_out == NULL) ? ENOMEM : 0; - } else if (profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, -diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 40a9e7b10..85dbfeb47 100644 ---- a/src/lib/krb5/os/trace.c -+++ b/src/lib/krb5/os/trace.c -@@ -389,7 +389,7 @@ k5_init_trace(krb5_context context) - { - const char *filename; - -- filename = getenv("KRB5_TRACE"); -+ filename = secure_getenv("KRB5_TRACE"); - if (filename) - (void) krb5_set_trace_filename(context, filename); - } -diff --git a/src/lib/krb5/rcache/rc_base.c b/src/lib/krb5/rcache/rc_base.c -index 373ac3046..9fa46432d 100644 ---- a/src/lib/krb5/rcache/rc_base.c -+++ b/src/lib/krb5/rcache/rc_base.c -@@ -107,7 +107,7 @@ char * - krb5_rc_default_type(krb5_context context) - { - char *s; -- if ((s = getenv("KRB5RCACHETYPE"))) -+ if ((s = secure_getenv("KRB5RCACHETYPE"))) - return s; - else - return "dfl"; -@@ -117,7 +117,7 @@ char * - krb5_rc_default_name(krb5_context context) - { - char *s; -- if ((s = getenv("KRB5RCACHENAME"))) -+ if ((s = secure_getenv("KRB5RCACHENAME"))) - return s; - else - return (char *) 0; -diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c -index 35fa14a1f..1800460b2 100644 ---- a/src/lib/krb5/rcache/rc_io.c -+++ b/src/lib/krb5/rcache/rc_io.c -@@ -48,13 +48,13 @@ getdir(void) - { - char *dir; - -- if (!(dir = getenv("KRB5RCACHEDIR"))) { -+ if (!(dir = secure_getenv("KRB5RCACHEDIR"))) { - #if defined(_WIN32) - if (!(dir = getenv("TEMP"))) - if (!(dir = getenv("TMP"))) - dir = "C:"; - #else -- if (!(dir = getenv("TMPDIR"))) { -+ if (!(dir = secure_getenv("TMPDIR"))) { - #ifdef RCTMPDIR - dir = RCTMPDIR; - #else -diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c -index 8cd3fc640..b89c5d015 100644 ---- a/src/plugins/preauth/pkinit/pkinit_identity.c -+++ b/src/plugins/preauth/pkinit/pkinit_identity.c -@@ -29,15 +29,9 @@ - * SUCH DAMAGES. - */ - --#include --#include --#include --#include --#include --#include --#include -- - #include "pkinit.h" -+#include -+#include - - static void - free_list(char **list) -@@ -430,7 +424,8 @@ process_option_identity(krb5_context context, - switch (idtype) { - case IDTYPE_ENVVAR: - return process_option_identity(context, plg_cryptoctx, req_cryptoctx, -- idopts, id_cryptoctx, getenv(residual)); -+ idopts, id_cryptoctx, -+ secure_getenv(residual)); - break; - case IDTYPE_FILE: - retval = parse_fs_options(context, idopts, residual); -diff --git a/src/plugins/tls/k5tls/openssl.c b/src/plugins/tls/k5tls/openssl.c -index 822632c90..76a43b3cd 100644 ---- a/src/plugins/tls/k5tls/openssl.c -+++ b/src/plugins/tls/k5tls/openssl.c -@@ -399,7 +399,7 @@ load_anchor(SSL_CTX *ctx, const char *location) - } else if (strncmp(location, "DIR:", 4) == 0) { - return load_anchor_dir(store, location + 4); - } else if (strncmp(location, "ENV:", 4) == 0) { -- envloc = getenv(location + 4); -+ envloc = secure_getenv(location + 4); - if (envloc == NULL) - return ENOENT; - return load_anchor(ctx, envloc); -diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c -index 0dcb6b543..79f9500f6 100644 ---- a/src/util/profile/prof_file.c -+++ b/src/util/profile/prof_file.c -@@ -183,7 +183,7 @@ errcode_t profile_open_file(const_profile_filespec_t filespec, - prf->magic = PROF_MAGIC_FILE; - - if (filespec[0] == '~' && filespec[1] == '/') { -- home_env = getenv("HOME"); -+ home_env = secure_getenv("HOME"); - #ifdef HAVE_PWD_H - if (home_env == NULL) { - uid_t uid; diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch index e074e10..5ad5500 100644 --- a/krb5-1.15-beta1-buildconf.patch +++ b/krb5-1.15-beta1-buildconf.patch @@ -1,4 +1,4 @@ -From ab2b67102127e448cc1a266fbbe2c738a1a3a158 Mon Sep 17 00:00:00 2001 +From e07920163e88a538e73b4d72db26b74c951b8256 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:45:26 -0400 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch diff --git a/krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch index 89b9e2f..58a7118 100644 --- a/krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +++ b/krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch @@ -1,4 +1,4 @@ -From c874aa2c7ec16203c0be91e9e789b21221689de2 Mon Sep 17 00:00:00 2001 +From ad14cab8d35e6c7edee196708ce5b5516b9bb1f8 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 Subject: [PATCH] krb5-1.17post6 FIPS with PRNG and RADIUS and MD4 @@ -541,7 +541,7 @@ index 00734a13b..a3ce22b70 100644 vt->name = "spake"; vt->pa_type_list = pa_types; diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c -index 59e88409e..1b3e569e9 100644 +index 88c964ce1..c7df0392f 100644 --- a/src/plugins/preauth/spake/spake_kdc.c +++ b/src/plugins/preauth/spake/spake_kdc.c @@ -41,6 +41,8 @@ @@ -553,7 +553,7 @@ index 59e88409e..1b3e569e9 100644 /* * The SPAKE kdcpreauth module uses a secure cookie containing the following * concatenated fields (all integer fields are big-endian): -@@ -578,6 +580,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, +@@ -571,6 +573,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, if (maj_ver != 1) return KRB5_PLUGIN_VER_NOTSUPP; diff --git a/Remove-3des-support.patch b/krb5-1.18-beta1-Remove-3des-support.patch similarity index 99% rename from Remove-3des-support.patch rename to krb5-1.18-beta1-Remove-3des-support.patch index dd68008..1b88923 100644 --- a/Remove-3des-support.patch +++ b/krb5-1.18-beta1-Remove-3des-support.patch @@ -1,25 +1,22 @@ -From 98db8d2582b72fb75023c43c5bee435be960247f Mon Sep 17 00:00:00 2001 +From d042a0d6ea28c70e87ae342255a0af2bab631ec1 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 -Subject: [PATCH] Remove 3des support +Subject: [PATCH] krb5-1.18-beta1-Remove-3des-support Completely remove support for all DES3 enctypes (des3-cbc-raw, des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain their constants. - -(cherry picked from commit 57a8a84e035000b515ca9efd56e5cbe1568b95e7) -[rharwood@redhat.com: supported enctypes docs landed first] --- doc/admin/advanced/retiring-des.rst | 11 + doc/admin/conf_files/kdc_conf.rst | 7 +- doc/admin/enctypes.rst | 13 +- doc/admin/troubleshoot.rst | 9 +- doc/appdev/refs/macros/index.rst | 1 - - doc/conf.py | 4 +- + doc/conf.py | 2 +- doc/mitK5features.rst | 2 +- src/Makefile.in | 4 +- - src/configure.in | 1 - + src/configure.ac | 1 - src/include/krb5/krb5.hin | 10 +- src/kadmin/testing/proto/kdc.conf.proto | 4 +- src/kdc/kdc_util.c | 4 - @@ -107,7 +104,7 @@ their constants. src/tests/t_salt.py | 5 +- src/util/k5test.py | 10 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 - - 96 files changed, 164 insertions(+), 4838 deletions(-) + 96 files changed, 163 insertions(+), 4837 deletions(-) delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c @@ -245,7 +242,7 @@ index 6a0c7f89b..263fc9c97 100644 .. _err_cert_chain_cert_expired: diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index 534795d15..9542611ea 100644 +index 68debe714..788d094bf 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -36,7 +36,6 @@ Public @@ -257,22 +254,20 @@ index 534795d15..9542611ea 100644 CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst diff --git a/doc/conf.py b/doc/conf.py -index 759367c21..37eda67fa 100644 +index fc5662767..37eda67fa 100644 --- a/doc/conf.py +++ b/doc/conf.py -@@ -271,8 +271,8 @@ else: - rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab +@@ -272,7 +272,7 @@ else: rst_epilog += ''' .. |krb5conf| replace:: ``/etc/krb5.conf`` --.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal`` + .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` -.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac`` -+.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` +.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac`` .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96`` .. |copy| unicode:: U+000A9 ''' diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst -index a19068e26..5bfdc3936 100644 +index d58c71898..8655e257d 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB @@ -285,10 +280,10 @@ index a19068e26..5bfdc3936 100644 Interoperability ---------------- diff --git a/src/Makefile.in b/src/Makefile.in -index 91a5f4bf8..0197e5b6d 100644 +index 56c7a4e6f..70db82a30 100644 --- a/src/Makefile.in +++ b/src/Makefile.in -@@ -129,7 +129,7 @@ WINMAKEFILES=Makefile \ +@@ -130,7 +130,7 @@ WINMAKEFILES=Makefile \ lib\Makefile lib\crypto\Makefile lib\crypto\krb\Makefile \ lib\crypto\builtin\Makefile lib\crypto\builtin\aes\Makefile \ lib\crypto\builtin\enc_provider\Makefile \ @@ -297,7 +292,7 @@ index 91a5f4bf8..0197e5b6d 100644 lib\crypto\builtin\camellia\Makefile lib\crypto\builtin\md4\Makefile \ lib\crypto\builtin\hash_provider\Makefile \ lib\crypto\builtin\sha2\Makefile lib\crypto\builtin\sha1\Makefile \ -@@ -201,8 +201,6 @@ WINMAKEFILES=Makefile \ +@@ -202,8 +202,6 @@ WINMAKEFILES=Makefile \ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\builtin\enc_provider\Makefile: lib\crypto\builtin\enc_provider\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ @@ -306,11 +301,11 @@ index 91a5f4bf8..0197e5b6d 100644 ##DOS##lib\crypto\builtin\md5\Makefile: lib\crypto\builtin\md5\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP) -diff --git a/src/configure.in b/src/configure.in -index 9d6825b78..3e3b95e49 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1443,7 +1443,6 @@ V5_AC_OUTPUT_MAKEFILE(. +diff --git a/src/configure.ac b/src/configure.ac +index 440a22bd9..d4e4da525 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1481,7 +1481,6 @@ V5_AC_OUTPUT_MAKEFILE(. lib/crypto lib/crypto/krb lib/crypto/$CRYPTO_IMPL lib/crypto/$CRYPTO_IMPL/enc_provider lib/crypto/$CRYPTO_IMPL/hash_provider @@ -319,7 +314,7 @@ index 9d6825b78..3e3b95e49 100644 lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2 lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 5f596d1fc..9a05ce32d 100644 +index d1f5661bf..26a3b6ec8 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov { @@ -368,10 +363,10 @@ index 8a4b87de1..d7f1d076b 100644 + supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal } diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index df1ba6acf..23ad6c584 100644 +index d0fd5d7e1..050672840 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c -@@ -1077,8 +1077,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) +@@ -1103,8 +1103,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) name = "rsaEncryption-EnvOID"; else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) name = "id-RSAES-OAEP-EnvOID"; @@ -380,7 +375,7 @@ index df1ba6acf..23ad6c584 100644 else return krb5_enctype_to_name(ktype, FALSE, buf, buflen); -@@ -1741,8 +1739,6 @@ krb5_boolean +@@ -1839,8 +1837,6 @@ krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype) { switch(enctype) { @@ -4551,10 +4546,10 @@ index cdb1acc6d..ef4c4a7d3 100644 { ENCTYPE_AES128_CTS_HMAC_SHA1_96, diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in -index 536bacb6e..b587f7e19 100644 +index b74e6f7cc..2b0c4163d 100644 --- a/src/lib/crypto/krb/Makefile.in +++ b/src/lib/crypto/krb/Makefile.in -@@ -52,7 +52,6 @@ STLIBOBJS=\ +@@ -50,7 +50,6 @@ STLIBOBJS=\ prf.o \ prf_aes2.o \ prf_cmac.o \ @@ -4562,7 +4557,7 @@ index 536bacb6e..b587f7e19 100644 prf_dk.o \ prf_rc4.o \ prng.o \ -@@ -113,7 +112,6 @@ OBJS=\ +@@ -109,7 +108,6 @@ OBJS=\ $(OUTPRE)prf.$(OBJEXT) \ $(OUTPRE)prf_aes2.$(OBJEXT) \ $(OUTPRE)prf_cmac.$(OBJEXT) \ @@ -4570,7 +4565,7 @@ index 536bacb6e..b587f7e19 100644 $(OUTPRE)prf_dk.$(OBJEXT) \ $(OUTPRE)prf_rc4.$(OBJEXT) \ $(OUTPRE)prng.$(OBJEXT) \ -@@ -174,7 +172,6 @@ SRCS=\ +@@ -168,7 +166,6 @@ SRCS=\ $(srcdir)/prf.c \ $(srcdir)/prf_aes2.c \ $(srcdir)/prf_cmac.c \ @@ -4596,7 +4591,7 @@ index ecc2e08c9..f5fbe8a2a 100644 "hmac-md5-rc4", { "hmac-md5-enc", "hmac-md5-earcfour" }, "Microsoft HMAC MD5", diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h -index b18d5e2e3..1b4324d71 100644 +index ba693f8a4..5cc1f8e43 100644 --- a/src/lib/crypto/krb/crypto_int.h +++ b/src/lib/crypto/krb/crypto_int.h @@ -276,10 +276,6 @@ krb5_error_code krb5int_aes2_string_to_key(const struct krb5_keytypes *enc, @@ -4610,7 +4605,7 @@ index b18d5e2e3..1b4324d71 100644 /* Pseudo-random function */ krb5_error_code krb5int_des_prf(const struct krb5_keytypes *ktp, -@@ -384,11 +380,6 @@ krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage); +@@ -368,11 +364,6 @@ krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage); /* Ensure library initialization has occurred. */ int krb5int_crypto_init(void); @@ -4622,7 +4617,7 @@ index b18d5e2e3..1b4324d71 100644 /* Default state cleanup handler (used by module enc providers). */ void krb5int_default_free_state(krb5_data *state); -@@ -441,7 +432,6 @@ void k5_iov_cursor_put(struct iov_cursor *cursor, unsigned char *block); +@@ -425,7 +416,6 @@ void k5_iov_cursor_put(struct iov_cursor *cursor, unsigned char *block); /* Modules must implement the k5_sha256() function prototyped in k5-int.h. */ /* Modules must implement the following enc_providers and hash_providers: */ @@ -4630,7 +4625,7 @@ index b18d5e2e3..1b4324d71 100644 extern const struct krb5_enc_provider krb5int_enc_arcfour; extern const struct krb5_enc_provider krb5int_enc_aes128; extern const struct krb5_enc_provider krb5int_enc_aes256; -@@ -458,12 +448,6 @@ extern const struct krb5_hash_provider krb5int_hash_sha384; +@@ -442,12 +432,6 @@ extern const struct krb5_hash_provider krb5int_hash_sha384; /* Modules must implement the following functions. */ @@ -5196,10 +5191,10 @@ index 1c439c2cd..000000000 - krb5int_default_free_state -}; diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index 439ae6aeb..d8e0f93a1 100644 +index c821cc830..c5bddb1e8 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -1011,7 +1011,6 @@ kg_accept_krb5(minor_status, context_handle, +@@ -1010,7 +1010,6 @@ kg_accept_krb5(minor_status, context_handle, } switch (negotiated_etype) { @@ -5208,7 +5203,7 @@ index 439ae6aeb..d8e0f93a1 100644 case ENCTYPE_ARCFOUR_HMAC_EXP: /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index 2647434ba..1cdd23cc8 100644 +index 2e2c775d6..f5b0fede6 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -125,14 +125,14 @@ enum sgn_alg { @@ -5626,7 +5621,7 @@ index 2925c1c43..2f76c8b43 100644 if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index b597dda54..ed52987a0 100644 +index 0fad90389..316c2b40b 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -59,7 +59,6 @@ @@ -5637,7 +5632,7 @@ index b597dda54..ed52987a0 100644 ENCTYPE_ARCFOUR_HMAC, ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC, 0 -@@ -478,8 +477,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, +@@ -479,8 +478,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, /* Set all enctypes in the default list. */ for (i = 0; default_list[i]; i++) mod_list(default_list[i], sel, weak, &list); @@ -5647,10 +5642,10 @@ index b597dda54..ed52987a0 100644 mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list); mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list); diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c -index d8015c64a..005cfd468 100644 +index 8202fe9d3..731281938 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c -@@ -341,8 +341,6 @@ verify_s4u2self_reply(krb5_context context, +@@ -287,8 +287,6 @@ verify_s4u2self_reply(krb5_context context, assert(req_s4u_user != NULL); switch (subkey->enctype) { @@ -5660,10 +5655,10 @@ index d8015c64a..005cfd468 100644 case ENCTYPE_ARCFOUR_HMAC_EXP : not_newer = TRUE; diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c -index 22be2198b..d489b78f9 100644 +index 2970a8cea..fb82daf19 100644 --- a/src/lib/krb5/krb/t_copy_context.c +++ b/src/lib/krb5/krb/t_copy_context.c -@@ -114,7 +114,7 @@ main(int argc, char **argv) +@@ -113,7 +113,7 @@ main(int argc, char **argv) { krb5_context ctx, ctx2; krb5_plugin_initvt_fn *mods; @@ -5773,7 +5768,7 @@ index 044a66999..98fb14f3f 100644 krb5_ccache, display type:name: FILE:/path/to/ccache krb5_keytab, display name: FILE:/etc/krb5.keytab diff --git a/src/plugins/preauth/pkinit/pkcs11.h b/src/plugins/preauth/pkinit/pkcs11.h -index 28ded4a89..47f4727bd 100644 +index e3d284631..586661bb7 100644 --- a/src/plugins/preauth/pkinit/pkcs11.h +++ b/src/plugins/preauth/pkinit/pkcs11.h @@ -339,9 +339,9 @@ typedef unsigned long ck_key_type_t; @@ -5966,7 +5961,7 @@ index 2279202d3..96b0307d7 100644 /* initial key, w, x, y, T, S, K */ "8846F7EAEE8FB117AD06BDD830B7586C", diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp -index e8adee234..30a2c0967 100644 +index c24651737..9ef2af745 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp @@ -15,8 +15,6 @@ set timeout 100 @@ -6045,7 +6040,7 @@ index e8adee234..30a2c0967 100644 {allow_weak_crypto(kdc)=false} {allow_weak_crypto(replica)=false} {allow_weak_crypto(client)=false} -@@ -947,7 +912,6 @@ proc setup_kerberos_db { standalone } { +@@ -962,7 +927,6 @@ proc setup_kerberos_db { standalone } { global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY global tmppwd hostname global spawn_id @@ -6053,7 +6048,7 @@ index e8adee234..30a2c0967 100644 global multipass_name last_passname_db set failall 0 -@@ -1144,48 +1108,6 @@ proc setup_kerberos_db { standalone } { +@@ -1159,48 +1123,6 @@ proc setup_kerberos_db { standalone } { } } @@ -6261,7 +6256,7 @@ index f71774cdc..d1857c433 100644 "3BB3AE288C12B3B9D06B208A4151B3B6", "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28" diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py -index d98974b36..84153d9cf 100644 +index 9b41bc0c1..5e6d31302 100644 --- a/src/tests/t_authdata.py +++ b/src/tests/t_authdata.py @@ -172,7 +172,7 @@ realm.run([kvno, 'restricted']) @@ -6424,10 +6419,10 @@ index 65084bbf3..55ca89745 100755 # Test using different salt types in a principal's key list. # Parameters from one key in the list must not leak over to later ones. diff --git a/src/util/k5test.py b/src/util/k5test.py -index da2782e15..feb6df7a0 100644 +index e3614d735..94ab1e71e 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py -@@ -1246,16 +1246,6 @@ _passes = [ +@@ -1297,16 +1297,6 @@ _passes = [ # No special settings; exercises AES256. ('default', None, None, None), diff --git a/krb5-1.17-beta1-selinux-label.patch b/krb5-1.18-beta1-selinux-label.patch similarity index 92% rename from krb5-1.17-beta1-selinux-label.patch rename to krb5-1.18-beta1-selinux-label.patch index c82350f..cce5f21 100644 --- a/krb5-1.17-beta1-selinux-label.patch +++ b/krb5-1.18-beta1-selinux-label.patch @@ -1,7 +1,7 @@ -From b50a43ef1f09694298ec043104a59082d6f37c8c Mon Sep 17 00:00:00 2001 +From 49a03b8bff8399b9259b51da1e034f67878bfad4 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 -Subject: [PATCH] krb5-1.17-beta1-selinux-label.patch +Subject: [PATCH] krb5-1.18-beta1-selinux-label.patch SELinux bases access to files on the domain of the requesting process, the operation being performed, and the context applied to the file. @@ -36,10 +36,10 @@ The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. --- - src/aclocal.m4 | 49 +++ + src/aclocal.m4 | 48 +++ src/build-tools/krb5-config.in | 3 +- src/config/pre.in | 3 +- - src/configure.in | 2 + + src/configure.ac | 2 + src/include/k5-int.h | 1 + src/include/k5-label.h | 32 ++ src/include/krb5/krb5.hin | 6 + @@ -51,7 +51,6 @@ which we used earlier, is some improvement. src/lib/krb5/ccache/cc_dir.c | 26 +- src/lib/krb5/keytab/kt_file.c | 4 +- src/lib/krb5/os/trace.c | 2 +- - src/lib/krb5/rcache/rc_dfl.c | 13 + src/plugins/kdb/db2/adb_openclose.c | 2 +- src/plugins/kdb/db2/kdb_db2.c | 4 +- src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- @@ -61,12 +60,12 @@ which we used earlier, is some improvement. src/util/profile/prof_file.c | 3 +- src/util/support/Makefile.in | 3 +- src/util/support/selinux.c | 406 ++++++++++++++++++ - 25 files changed, 587 insertions(+), 21 deletions(-) + 24 files changed, 573 insertions(+), 21 deletions(-) create mode 100644 src/include/k5-label.h create mode 100644 src/util/support/selinux.c diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 340546d80..a7afec09e 100644 +index 830203683..6796fec53 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -77,7 +76,7 @@ index 340546d80..a7afec09e 100644 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS) +@@ -1743,4 +1744,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl @@ -100,7 +99,7 @@ index 340546d80..a7afec09e 100644 + AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) + fi + fi -+ + + LIBS= + unset ac_cv_func_setfscreatecon + AC_CHECK_FUNCS(setfscreatecon selabel_open) @@ -171,11 +170,11 @@ index ce87e21ca..917357df9 100644 KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! -diff --git a/src/configure.in b/src/configure.in -index cd8ccabcd..feae21c3e 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff) +diff --git a/src/configure.ac b/src/configure.ac +index d1f576124..440a22bd9 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -185,7 +184,7 @@ index cd8ccabcd..feae21c3e 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 652242207..8f9329c59 100644 +index 9616b24bf..0d9af3d95 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -235,7 +234,7 @@ index 000000000..dfaaa847c +#endif +#endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index c40a6cca8..3ff86d7ff 100644 +index d48685357..d1f5661bf 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ @@ -252,7 +251,7 @@ index c40a6cca8..3ff86d7ff 100644 #include diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c -index c9574c6e1..8301a33d0 100644 +index 301e3476d..19f2cc230 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) @@ -287,10 +286,10 @@ index c9574c6e1..8301a33d0 100644 com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; diff --git a/src/kdc/main.c b/src/kdc/main.c -index 408c723f5..663fd6303 100644 +index fdcd694d7..1ede4bf2f 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c -@@ -858,7 +858,7 @@ write_pid_file(const char *path) +@@ -872,7 +872,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; @@ -300,10 +299,10 @@ index 408c723f5..663fd6303 100644 return errno; pid = (unsigned long) getpid(); diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index 68323dd0f..4cc035dc6 100644 +index 5622d56e1..356e3e0e6 100644 --- a/src/kprop/kpropd.c +++ b/src/kprop/kpropd.c -@@ -488,6 +488,9 @@ doit(int fd) +@@ -487,6 +487,9 @@ doit(int fd) krb5_enctype etype; int database_fd; char host[INET6_ADDRSTRLEN + 1]; @@ -313,7 +312,7 @@ index 68323dd0f..4cc035dc6 100644 signal_wrapper(SIGALRM, alarm_handler); alarm(params.iprop_resync_timeout); -@@ -543,9 +546,15 @@ doit(int fd) +@@ -542,9 +545,15 @@ doit(int fd) free(name); exit(1); } @@ -365,7 +364,7 @@ index 2659a2501..e9b95fce5 100644 retval = errno; goto cleanup; diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c -index bba64e516..73f0fe62d 100644 +index 7b100a0ec..5683a0433 100644 --- a/src/lib/krb5/ccache/cc_dir.c +++ b/src/lib/krb5/ccache/cc_dir.c @@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) @@ -415,10 +414,10 @@ index bba64e516..73f0fe62d 100644 _("Credential cache directory %s does not exist"), dirname); diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c -index 89cb68680..21c80d419 100644 +index 021c94398..aaf573439 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c -@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) +@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; @@ -436,7 +435,7 @@ index 89cb68680..21c80d419 100644 goto report_errno; writevno = 1; diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 4fff8f38c..40a9e7b10 100644 +index 2a03ae980..85dbfeb47 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c @@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) @@ -448,38 +447,6 @@ index 4fff8f38c..40a9e7b10 100644 if (*fd == -1) { free(fd); return errno; -diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c -index 1e0cb22c9..f5e93b1ab 100644 ---- a/src/lib/krb5/rcache/rc_dfl.c -+++ b/src/lib/krb5/rcache/rc_dfl.c -@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) - krb5_error_code retval = 0; - krb5_rcache tmp; - krb5_deltat lifespan = t->lifespan; /* save original lifespan */ -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (! t->recovering) { - name = t->name; -@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) - retval = krb5_rc_resolve(context, tmp, 0); - if (retval) - goto cleanup; -+#ifdef USE_SELINUX -+ if (t->d.fn != NULL) -+ selabel = krb5int_push_fscreatecon_for(t->d.fn); -+ else -+ selabel = NULL; -+#endif - retval = krb5_rc_initialize(context, tmp, lifespan); -+#ifdef USE_SELINUX -+ if (selabel != NULL) -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (retval) - goto cleanup; - for (q = t->a; q; q = q->na) { diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c index 7db30a33b..2b9d01921 100644 --- a/src/plugins/kdb/db2/adb_openclose.c @@ -573,10 +540,10 @@ index d8b26e701..b0daa7c02 100644 if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -index 1ed72afe9..ce038fc3d 100644 +index b92cb58c7..0a95101ad 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) /* set password in the file */ old_mode = umask(0177); @@ -585,7 +552,7 @@ index 1ed72afe9..ce038fc3d 100644 if (pfile == NULL) { com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) * Delete the existing entry and add the new entry */ FILE *newfile; @@ -595,7 +562,7 @@ index 1ed72afe9..ce038fc3d 100644 mode_t omask; -@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) } omask = umask(077); @@ -610,7 +577,7 @@ index 1ed72afe9..ce038fc3d 100644 if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c -index 24e41fb80..0dcb6b543 100644 +index aa951df05..79f9500f6 100644 --- a/src/util/profile/prof_file.c +++ b/src/util/profile/prof_file.c @@ -33,6 +33,7 @@ @@ -631,10 +598,10 @@ index 24e41fb80..0dcb6b543 100644 retval = errno; if (retval == 0) diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in -index db7b030b8..321672bcb 100644 +index 86d5a950a..1052d53a1 100644 --- a/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in -@@ -69,6 +69,7 @@ IPC_SYMS= \ +@@ -74,6 +74,7 @@ IPC_SYMS= \ STLIBOBJS= \ threads.o \ @@ -642,7 +609,7 @@ index db7b030b8..321672bcb 100644 init-addrinfo.o \ plugins.o \ errors.o \ -@@ -160,7 +161,7 @@ SRCS=\ +@@ -168,7 +169,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. diff --git a/krb5-1.12.1-pam.patch b/krb5-1.18beta1-pam.patch similarity index 96% rename from krb5-1.12.1-pam.patch rename to krb5-1.18beta1-pam.patch index 2ce2a57..c785c7c 100644 --- a/krb5-1.12.1-pam.patch +++ b/krb5-1.18beta1-pam.patch @@ -1,7 +1,7 @@ -From 5e2837a56bb6bb1fbaf371377dbffa35aa81b3f1 Mon Sep 17 00:00:00 2001 +From 9d77eb513f95821f01f12e233e16d4ce50da7d23 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 -Subject: [PATCH] krb5-1.12.1-pam.patch +Subject: [PATCH] krb5-1.18beta1-pam.patch Modify ksu so that it performs account and session management on behalf of the target user account, mimicking the action of regular su. The default @@ -17,24 +17,25 @@ Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges, and to apply on top of changes we're proposing for how it handles cache collections. --- - src/aclocal.m4 | 67 +++++++ + src/aclocal.m4 | 69 +++++++ src/clients/ksu/Makefile.in | 8 +- src/clients/ksu/main.c | 88 +++++++- src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++ src/clients/ksu/pam.h | 57 ++++++ - src/configure.in | 2 + - 6 files changed, 608 insertions(+), 3 deletions(-) + src/configure.ac | 2 + + 6 files changed, 610 insertions(+), 3 deletions(-) create mode 100644 src/clients/ksu/pam.c create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 3752d9bd5..340546d80 100644 +index 2394f7e33..830203683 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ - ])) +@@ -1675,3 +1675,72 @@ if test "$with_ldap" = yes; then + OPENLDAP_PLUGIN=yes + fi ])dnl - dnl ++dnl +dnl +dnl Use PAM instead of local crypt() compare for checking local passwords, +dnl and perform PAM account, session management, and password-changing where @@ -102,12 +103,13 @@ index 3752d9bd5..340546d80 100644 +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl ++ diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in -index b2fcbf240..5755bb58a 100644 +index 8b4edce4d..9d58f29b5 100644 --- a/src/clients/ksu/Makefile.in +++ b/src/clients/ksu/Makefile.in @@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. - DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' KSU_LIBS=@KSU_LIBS@ +PAM_LIBS=@PAM_LIBS@ @@ -141,7 +143,7 @@ index b2fcbf240..5755bb58a 100644 clean: $(RM) ksu diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index d9596d948..ec06788bc 100644 +index 4f03dd8ed..21a4d02bb 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ @@ -171,7 +173,7 @@ index d9596d948..ec06788bc 100644 /***********/ #define KS_TEMPORARY_CACHE "MEMORY:_ksu" -@@ -528,6 +534,23 @@ main (argc, argv) +@@ -535,6 +541,23 @@ main (argc, argv) prog_name,target_user,client_name, source_user,ontty()); @@ -195,7 +197,7 @@ index d9596d948..ec06788bc 100644 /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -588,6 +611,24 @@ main (argc, argv) +@@ -595,6 +618,24 @@ main (argc, argv) exit(1); } @@ -220,7 +222,7 @@ index d9596d948..ec06788bc 100644 } if( some_rest_copy){ -@@ -645,6 +686,30 @@ main (argc, argv) +@@ -652,6 +693,30 @@ main (argc, argv) exit(1); } @@ -251,7 +253,7 @@ index d9596d948..ec06788bc 100644 /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -742,7 +807,7 @@ main (argc, argv) +@@ -749,7 +814,7 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -260,7 +262,7 @@ index d9596d948..ec06788bc 100644 execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -772,16 +837,35 @@ main (argc, argv) +@@ -779,16 +844,35 @@ main (argc, argv) if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } @@ -755,11 +757,11 @@ index 000000000..0ab76569c +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -diff --git a/src/configure.in b/src/configure.in -index 36df71fa9..cd8ccabcd 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION]) +diff --git a/src/configure.ac b/src/configure.ac +index 234f4281c..d1f576124 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch index ec0e306..2ae1f8e 100644 --- a/krb5-1.3.1-dns.patch +++ b/krb5-1.3.1-dns.patch @@ -1,4 +1,4 @@ -From 35cd8e40a35ce4546eaffada2f401a7f0f6a83b3 Mon Sep 17 00:00:00 2001 +From fe90cb8f915e7f43899437e5e2d9a3aebf23ed82 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] krb5-1.3.1-dns.patch @@ -9,10 +9,10 @@ We want to be able to use --with-netlib and --enable-dns at the same time. 1 file changed, 1 insertion(+) diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index a7afec09e..db18226ed 100644 +index 6796fec53..c4358988a 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -726,6 +726,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library), +@@ -724,6 +724,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library), LIBS="$LIBS $withval" AC_MSG_RESULT("netlib will use \'$withval\'") fi diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index a5046d0..adb6219 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -1,4 +1,4 @@ -From e0391c7071741e6d59025d8b4a26119f2998d90c Mon Sep 17 00:00:00 2001 +From c26cf6cc3507ba63cb458094b9237ad2231ca5eb Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] krb5-1.9-debuginfo.patch diff --git a/krb5.spec b/krb5.spec index c7f4735..9ea18f5 100644 --- a/krb5.spec +++ b/krb5.spec @@ -9,16 +9,16 @@ %global configured_default_ccache_name KEYRING:persistent:%%{uid} # leave empty or set to e.g., -beta2 -%global prerelease %{nil} +%global prerelease -beta1 # Should be in form 5.0, 6.1, etc. -%global kdbversion 7.0 +%global kdbversion 8.0 Summary: The Kerberos network authentication system Name: krb5 -Version: 1.17.1 +Version: 1.18 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 5%{?dist} +Release: 0.beta1.1%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -42,85 +42,14 @@ Source39: krb5-krb5kdc.conf # Carry this locally until it's available in a packaged form. Source100: noport.c -Patch26: krb5-1.12.1-pam.patch -Patch27: krb5-1.17-beta1-selinux-label.patch +Patch1: krb5-1.18beta1-pam.patch +Patch2: krb5-1.18-beta1-selinux-label.patch Patch30: krb5-1.15-beta1-buildconf.patch Patch31: krb5-1.3.1-dns.patch Patch34: krb5-1.9-debuginfo.patch -Patch90: Add-tests-for-KCM-ccache-type.patch -Patch92: Address-some-optimized-out-memset-calls.patch -Patch94: Avoid-allocating-a-register-in-zap-assembly.patch -Patch95: In-rd_req_dec-always-log-non-permitted-enctypes.patch -Patch96: In-kpropd-debug-log-proper-ticket-enctype-names.patch -Patch97: Add-function-and-enctype-flag-for-deprecations.patch -Patch98: Make-etype-names-in-KDC-logs-human-readable.patch -Patch99: Mark-deprecated-enctypes-when-used.patch -Patch100: Properly-size-ifdef-in-k5_cccol_lock.patch -Patch104: Clarify-header-comment-for-krb5_cc_start_seq_get.patch -Patch105: Implement-krb5_cc_remove_cred-for-remaining-types.patch -Patch106: Remove-srvtab-support.patch -Patch107: Remove-kadmin-RPC-support-for-setting-v4-key.patch -Patch108: Remove-ccapi-related-comments-in-configure.ac.patch -Patch109: Remove-doxygen-generated-HTML-output-for-ccapi.patch -Patch110: Remove-Kerberos-v4-support-vestiges-from-ccapi.patch -Patch111: Fix-config-realm-change-logic-in-FILE-remove_cred.patch -Patch112: Remove-confvalidator-utility.patch -Patch113: Remove-ovsec_adm_export-dump-format-support.patch -Patch114: Fix-potential-close-1-in-cc_file.c.patch -Patch115: Check-more-errors-in-OpenSSL-crypto-backend.patch -Patch116: Clear-forwardable-flag-instead-of-denying-request.patch -Patch117: Add-dns_canonicalize_hostname-fallback-support.patch -Patch118: Use-secure_getenv-where-appropriate.patch -Patch119: Initialize-some-data-structure-magic-fields.patch -Patch121: Modernize-exit-path-in-gss_krb5int_copy_ccache.patch -Patch122: Simplify-SAM-2-as_key-handling.patch -Patch123: Avoid-alignment-warnings-in-openssl-rc4.c.patch -Patch124: Simply-OpenSSL-PKCS7-decryption-code.patch -Patch125: Improve-error-messages-from-kadmin-change_password.patch -Patch126: Remove-more-dead-code.patch -Patch128: Remove-checksum-type-profile-variables.patch -Patch129: Remove-dead-variable-def_kslist-from-two-files.patch -Patch130: Mark-the-doc-kadm5-tex-files-as-historic.patch -Patch131: Modernize-example-enctypes-in-documentation.patch -Patch132: Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch -Patch133: Update-default-krb5kdc-mkey-manual-entry-enctype.patch -Patch134: Support-389ds-s-lockout-model.patch -Patch135: Add-missing-newlines-to-deprecation-warnings.patch -Patch136: Set-a-more-modern-default-ksu-CMD_PATH.patch -Patch137: Remove-the-v4-and-afs3-salt-types.patch -Patch138: Update-test-suite-to-avoid-single-DES-enctypes.patch -Patch139: Remove-support-for-single-DES-and-CRC.patch -Patch140: Display-unsupported-enctype-names.patch -Patch142: Add-zapfreedata-convenience-function.patch -Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch -Patch144: Remove-krb5int_c_combine_keys.patch -Patch147: Remove-strerror-calls-from-k5_get_error.patch -Patch148: Remove-PKINIT-draft-9-support.patch -Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch -Patch150: Remove-3des-support.patch -Patch151: Remove-now-unused-checksum-functions.patch -Patch152: Don-t-error-on-invalid-enctypes-in-keytab.patch -Patch153: Filter-enctypes-in-gss_set_allowable_enctypes.patch -Patch154: Add-soft-pkcs11-source-code.patch -Patch155: Use-imported-soft-pkcs11-for-tests.patch -Patch156: Fix-Coverity-defects-in-soft-pkcs11-test-code.patch -Patch157: Skip-URI-tests-when-using-asan.patch -Patch158: Fix-memory-leaks-in-soft-pkcs11-code.patch -Patch162: Simplify-krb5_dbe_def_search_enctype.patch -Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch -Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch -Patch165: Fix-KDC-crash-when-logging-PKINIT-enctypes.patch -Patch166: Log-unknown-enctypes-as-unsupported-in-KDC.patch -Patch167: Fix-minor-errors-in-softpkcs11.patch -Patch168: Update-test-suite-cert-message-digest-to-sha256.patch +Patch35: krb5-1.18-beta1-Remove-3des-support.patch Patch169: Use-backported-version-of-OpenSSL-3-KDF-interface.patch Patch170: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch -Patch171: Don-t-warn-in-kadmin-when-no-policy-is-specified.patch -Patch172: Allow-client-canonicalization-in-non-krbtgt-AS-REP.patch -Patch173: Do-not-always-canonicalize-enterprise-principals.patch -Patch174: Fix-xdr_bytes-strict-aliasing-violations.patch -Patch175: Fix-handling-of-invalid-CAMMAC-service-verifier.patch -Patch176: Fix-LDAP-policy-enforcement-of-pw_expiration.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -694,6 +623,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Fri Jan 10 2020 Robbie Harwood - 1.18-0beta1.1 +- New upstream beta release - 1.18-beta1 + * Wed Jan 08 2020 Robbie Harwood - 1.17.1-5 - Fix LDAP policy enforcement of pw_expiration - Fix handling of invalid CAMMAC service verifier diff --git a/sources b/sources index 01f775d..3b304f6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (krb5-1.17.1.tar.gz) = e0c3dc0a6554ab3105ac32f3f01519f56064500213aa743816235d83250abc1db9a9ca38a2ba93a938d562b4af135a013017ce96346d6742bca0c812b842ceef -SHA512 (krb5-1.17.1.tar.gz.asc) = 9665c0b83cc5e8fafbb7f47c383c6bf00e498befa305ab7ed8b867ff6f54a09b6b1f3b7a7f007ceb6dfbc1ebfb797be21cb97ac51c1c8fc8e956d83ce30aa7b1 +SHA512 (krb5-1.18-beta1.tar.gz) = e9e622350c9d07bca573d1e416a7277377e85c0f3eab605d3f551f96c5ddc7eb21e8ef2cfadddbac7d9da99a204d738fd22939cfb23d7fcc8166e8ae35a679a4 +SHA512 (krb5-1.18-beta1.tar.gz.asc) = b8542e317db89d11ad29bba9bc55f4d294e649b0e8c28b37dde398fed64fa3da394af262225ebefda5e5f3224ba108df21af460837e72a4349ae7e6469e21e43